Merge ~ebarretto/ubuntu-cve-tracker:oval-bugs into ubuntu-cve-tracker:master
| Status | Merged |
|---|---|
| Merged at revision | e8bc729a439c0407a3985bd2c2f69a2c499acf32 |
| Proposed branch | ~ebarretto/ubuntu-cve-tracker:oval-bugs |
| Merge into | ubuntu-cve-tracker:master |
| Diff against target | 26 lines (+6/-9), 1 file modified: scripts/oval_lib.py (+6/-9) |
| Related bugs | |

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| David Fernandez Gonzalez | Approve | | |

Review via email: mp+461720@code.launchpad.net
Description of the change
Currently we handle `pending (<version>)` status as fixed, because there's a version to compare against, even though that fixed version is still not available to customers.
That usually works fine, but we realized that for the kernel, the main "user" of the `pending (<version>)` status, this creates some issues, where for OCI-based OVAL it can get tricky to match the kernel binary name.
Since `pending` status will report vulnerable anyway as the fixed version is not yet public, I'm proposing handling `pending` as vulnerable by default instead of fixing the name match.
A current example can be found today in id `2021448790000000` for OCI CVE-based OVAL for focal.
You can see that the fixed version is: 0:5.4.0-173.191 but the package being retrieved from the cache and trying to match against installed versions is: `^linux-
That's because we default to getting the earliest version of such package if a version is not found in the cache, but since the kernel has the version in the binary name, that makes things tricky.
We will do a second separate check to see if that is currently happening for any other CVE that is not in `pending` status.
LGTM!