Switch RedHat vulnerability provider from OVAL to CSAF #323
Comments
westonsteimel
added
enhancement
westonsteimel
changed the title
|
I was hoping that the CSAF data would include the data about non-fixed and not affected packages so that we could drop having to also rely on the CVE api, but unfortunately it doesn't. There is currently only CSAF data available for entries that do have advisories issued. This means that even with the switch to CSAF we'll still need to first call the summary api to get all applicable cves, download the full cve json, parse the entries from the cve json, and then enhance the entries that have RHSA with the data from the CSAF document for that RHSA. |
|
It will also end up being more network calls for the CSAF data since each CSAF RHSA is stored as a separate json whereas the OVAL data was stored as a bulk xml per rhel release |
|
Maybe we can use a general CSAF parser also for SUSE, for example instead of #635. |
|
This will affect RHEL 10 when it lands, our best path forward here is to fuse this with the hydra data |
What would you like to be added:
The RedHat provider currently uses the v2 OVAL files for RedHat vulnerability data; however, those will only continue to be updated until the end of 2024. We need to transition to using the new CSAF endpoints per https://www.redhat.com/en/blog/future-red-hat-security-data
The text was updated successfully, but these errors were encountered: