After installing nodejs 20 from a dnf module, OVAL scan is generating a report indicating failure for ID: oval:org.almalinux.alsa:def:20251613
Showing the following reference IDs: CVE-2025-22150, CVE-2025-23083, CVE-2025-23085, [RHSA-2025:1613], [ALSA-2025:1613]
But the installed nodejs package changelog indicates that these CVEs have been addressed.
I can reproduce with an AL9 container image (using 9.5 at time of writing):
docker run --rm --name al9test -it almalinux:9 bash
dnf update -y
dnf module enable -y nodejs:20
dnf install -y openscap scap-security-guide nodejs
curl -s -O https://security.almalinux.org/oval/org.almalinux.alsa-9.xml
oscap oval eval --results oval_results.xml --report oval_report.html --fetch-remote-resources org.almalinux.alsa-9.xml
From another terminal, one may retrieve the HTML report to see the aforementioned vulnerability ID is set to “true” and applies to the reference system:
docker cp al9test:/oval_report.html .
Within the container I can confirm that the installed nodejs package changelog indicates that the CVEs have been fixed:
[root@a900dce78a00 /]# rpm -q nodejs
nodejs-20.18.2-1.module_el9.5.0+137+381f3eaf.x86_64
[root@a900dce78a00 /]# rpm -q nodejs --changelog | head
* Wed Jan 29 2025 Andrei Radchenko <aradchen@redhat.com>
- Update to version 20.18.2
Fixes: CVE-2025-23083 CVE-2025-23085 CVE-2025-22150
Resolves: RHEL-76536 RHEL-76364
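A diagnostic for a report like the one above, as an added example that is not part of the original post: it pulls the EVR thresholds an OVAL definition tests against and compares them to an installed EVR the way rpm orders versions. The function names and the sample XML are constructed for illustration, and the comparison is a simplified rpmvercmp that does not handle `~` or `^`.

```python
import re
import xml.etree.ElementTree as ET

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace

def evr_thresholds(oval_xml, def_id):
    """Return [(package, operation, evr)] tested by one OVAL definition."""
    root = ET.fromstring(oval_xml)
    by_id = {e.get("id"): e for e in root.iter() if e.get("id")}
    out = []
    for crit in by_id[def_id].iter():
        test = by_id.get(crit.get("test_ref"))
        if test is None:
            continue
        refs = {local(c.tag): by_id.get(c.get(local(c.tag) + "_ref")) for c in test}
        obj, state = refs.get("object"), refs.get("state")
        if obj is None or state is None:
            continue
        name = next((c.text for c in obj if local(c.tag) == "name"), None)
        out += [(name, c.get("operation"), c.text) for c in state if local(c.tag) == "evr"]
    return out

def rpmvercmp(a, b):
    """Segment-wise compare in the style of rpm's rpmvercmp: -1, 0 or 1."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):  # compare epoch, then version, then release
    def split(evr):
        epoch, _, rest = evr.rpartition(":")
        ver, _, rel = rest.partition("-")
        return epoch or "0", ver, rel
    return next((c for c in map(rpmvercmp, split(a), split(b)) if c), 0)

# Constructed sample, not taken from org.almalinux.alsa-9.xml
SAMPLE = """<oval_definitions xmlns="urn:constructed"><definitions>
<definition id="def:1"><criteria><criterion test_ref="tst:1"/></criteria></definition></definitions>
<tests><rpminfo_test id="tst:1"><object object_ref="obj:1"/><state state_ref="ste:1"/></rpminfo_test></tests>
<objects><rpminfo_object id="obj:1"><name>demo</name></rpminfo_object></objects>
<states><rpminfo_state id="ste:1"><evr operation="less than">0:1.0-1.module_el9+20+bbbbbbbb</evr></rpminfo_state></states>
</oval_definitions>"""
```

To run it on the data from the post, pass the bytes of `org.almalinux.alsa-9.xml` with `oval:org.almalinux.alsa:def:20251613`, and take the installed value from `rpm -q --qf '%{EPOCHNUM}:%{VERSION}-%{RELEASE}\n' nodejs`.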