OVAL scan issue with dnf module

After installing nodejs 20 from a dnf module, OVAL scan is generating a report indicating failure for ID: oval:org.almalinux.alsa:def:20251613

Showing the following reference IDs: CVE-2025-22150, CVE-2025-23083, CVE-2025-23085, [RHSA-2025:1613], [ALSA-2025:1613]

But the installed nodejs package changelog indicates that these CVEs have been addressed.

I can reproduce with AL9 container image (using 9.5 at time of writing):

docker run --rm --name al9test -it almalinux:9 bash
dnf update -y
dnf module enable -y nodejs:20
dnf install -y openscap scap-security-guide nodejs
curl -s -O https://security.almalinux.org/oval/org.almalinux.alsa-9.xml
oscap oval eval --results oval_results.xml --report oval_report.html --fetch-remote-resources org.almalinux.alsa-9.xml

From another terminal, one may retrieve the HTML report to see the aforementioned vulnerability ID is set to “true” and applies to the reference system:

docker cp al9test:/oval_report.html .

Within the container I can confirm that the installed nodejs package changelog indicates that the CVEs have been fixed:

[root@a900dce78a00 /]# rpm -q nodejs
nodejs-20.18.2-1.module_el9.5.0+137+381f3eaf.x86_64
[root@a900dce78a00 /]# rpm -q nodejs --changelog | head
* Wed Jan 29 2025 Andrei Radchenko <aradchen@redhat.com>
- Update to version 20.18.2
  Fixes: CVE-2025-23083 CVE-2025-23085 CVE-2025-22150
  Resolves: RHEL-76536 RHEL-76364

@jhernandez I wonder if this is of a similar nature to Possible OVAL feed bug - #3 by joexona.

Hey @joexona, thanks for the heads up! I missed the notification.
@nwxona thanks for the report, I’ve just checked it and you’re right, it looks like the OVAL record is missing the modular data. We’ll take a closer look and get it fixed ASAP. Sorry for any inconvenience.

No worries! Thanks for looking.

Hey @joexona and @nwxona, I just wanted to provide an update on this. The fix was already applied in our pipeline and now modular erratas shouldn’t miss the module check in OVAL anymore.

In addition to that, the OVAL data of affected erratas were also regenerated as part of this issue, I’d appreciate if you can double check that things are in place for you now.

As always, thanks again for your help! :clap:

@jhernandez our related CI build that calls oscap oval is green / problem solved. Thanks again!
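
A lint for the gap discussed in this thread (an OVAL definition for a modular erratum that carries no module check), as an added example that is not part of the thread or of AlmaLinux's pipeline. The criterion comment patterns, the function name and the sample definitions are constructed assumptions; adjust the regexes to the comment wording used in the actual feed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}
# Assumed comment conventions (not taken from the thread):
# a package criterion names an EVR with a modular release tag, and a
# module criterion reads "Module <name>:<stream> is enabled".
MODULAR_EVR = re.compile(r"\.module[_+]el\d")
MODULE_CHECK = re.compile(r"^Module \S+:\S+ is enabled$")

def definitions_missing_module_check(oval_xml: str) -> list[str]:
    """Return ids of definitions that test a modular package build
    but contain no module-enabled criterion anywhere in their criteria."""
    root = ET.fromstring(oval_xml)
    flagged = []
    for definition in root.iterfind(".//oval:definition", NS):
        # .// also walks nested <criteria> blocks
        comments = [c.get("comment", "")
                    for c in definition.iterfind(".//oval:criterion", NS)]
        has_modular_pkg = any(MODULAR_EVR.search(c) for c in comments)
        has_module_check = any(MODULE_CHECK.match(c) for c in comments)
        if has_modular_pkg and not has_module_check:
            flagged.append(definition.get("id"))
    return flagged

# Constructed sample feed: ids, test_refs and comments are illustrative only.
SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 <definitions>
  <definition id="oval:example:def:1" class="patch" version="1">
   <criteria operator="AND">
    <criterion comment="Module nodejs:20 is enabled" test_ref="oval:example:tst:10"/>
    <criterion comment="nodejs is earlier than 20.18.2-1.module_el9.5.0+137+381f3eaf" test_ref="oval:example:tst:11"/>
   </criteria>
  </definition>
  <definition id="oval:example:def:2" class="patch" version="1">
   <criteria operator="OR">
    <criterion comment="nodejs is earlier than 20.18.2-1.module_el9.5.0+137+381f3eaf" test_ref="oval:example:tst:11"/>
   </criteria>
  </definition>
  <definition id="oval:example:def:3" class="patch" version="1">
   <criteria operator="OR">
    <criterion comment="openssl is earlier than 3.0.0-1.el9" test_ref="oval:example:tst:12"/>
   </criteria>
  </definition>
 </definitions>
</oval_definitions>"""

if __name__ == "__main__":
    print(definitions_missing_module_check(SAMPLE))
```

To check a downloaded feed, pass the contents of org.almalinux.alsa-9.xml to the function instead of the sample.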
