[ubuntu-hardened] OVAL shows vulnerabilities when software is not installed
Seth Arnold
seth.arnold at canonical.com
Thu Oct 20 14:03:57 UTC 2016
On Thu, Oct 20, 2016 at 12:48:04PM +0200, Jesus Linares wrote:
> The oval is checking if I have installed tomcat 6 or 7. It is not installed
> in my system, but the check returns always *true*. It is due to the
> attribute *check_existence="any_exist" (*
> Is it a bug?
I don't know the OVAL format well, but this does look like a bug:
http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py
Search for 'negate' in the code base, and I think you'll agree that the
only use of 'check_existence="any_exist"' is also supposed to add
'negate = "True"' to the conditions, but that string doesn't appear in any
of the precise, trusty, or xenial oval files.
Any advice is appreciated.
Thanks
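
The mismatch described in this message can be checked mechanically. The following is an added example, not code from this thread or from ubuntu-cve-tracker's oval_lib.py: it lists every criterion that references a test with check_existence="any_exist" without an effective negate. The function names, the sample ids and the stripped-down test elements are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (ids and packages are made up, objects/states omitted).
SAMPLE_OVAL = """<oval_definitions
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="vulnerability">
      <criteria operator="OR">
        <criterion test_ref="oval:example:tst:1" comment="pkg-a"/>
        <criterion test_ref="oval:example:tst:2" comment="pkg-b" negate="true"/>
        <criterion test_ref="oval:example:tst:3" comment="pkg-c"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <linux:dpkginfo_test id="oval:example:tst:1" check_existence="any_exist"/>
    <linux:dpkginfo_test id="oval:example:tst:2" check_existence="any_exist"/>
    <linux:dpkginfo_test id="oval:example:tst:3" check_existence="at_least_one_exists"/>
  </tests>
</oval_definitions>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's '{namespace}' prefix

def _walk(node, negated, any_exist, def_id, out):
    for child in node:
        # negate on <criteria> or <criterion> flips the result of that subtree
        neg = negated ^ (child.get("negate", "false").lower() in ("true", "1"))
        if _local(child.tag) == "criteria":
            _walk(child, neg, any_exist, def_id, out)
        elif _local(child.tag) == "criterion":
            if child.get("test_ref") in any_exist and not neg:
                out.append((def_id, child.get("test_ref")))

def unnegated_any_exist(oval_xml):
    """Return (definition id, test id) pairs for any_exist tests used without negate."""
    root = ET.fromstring(oval_xml)
    any_exist = {el.get("id") for el in root.iter()
                 if _local(el.tag).endswith("_test")
                 and el.get("check_existence") == "any_exist"}
    out = []
    for el in root.iter():
        if _local(el.tag) == "definition":
            _walk(el, False, any_exist, el.get("id"), out)
    return out
```

Pass the text of a generated OVAL file to `unnegated_any_exist()`; an empty list means every any_exist test is reached through a negated criterion.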