[ubuntu-hardened] Improved OVAL data

Steve Beattie sbeattie at ubuntu.com
Thu May 2 18:30:11 UTC 2019


On Fri, Apr 26, 2019 at 09:06:46AM -0700, Steve Beattie wrote:
> The Ubuntu Security Team has been working on an
> improvement to the generated OVAL data published at
> https://people.canonical.com/~ubuntu-security/oval/ .
> 
> Specifically, the OVAL data would generate package tests based on the
> status from the Ubuntu CVE Tracker data, but would only use the source
> package name for the installation and version checks (source packages
> are the basis for tracking in the Ubuntu CVE Tracker). However, many
> source packages produce binary packages that have different names than
> the source package, rendering the generated OVAL tests inaccurate.
> The proposed improvement to the OVAL data generator addresses this
> issue, by generating test comparisons against the binary packages
> produced by a given source package.
> 
> Test OVAL data files generated under this proposed improvement are
> available at https://people.canonical.com/~ubuntu-security/oval-test/ ;
> Please note that because many source packages generate multiple binary
> packages (in some cases a large number of them), the OVAL xml files have
> significantly increased in size; bzip2 compressed files are available
> and preferred[0].
> 
> We have verified that the openscap tools in bionic and newer handle the
> updated OVAL xml files; e.g.:
> 
>   oscap oval eval --results cve-results.xml com.ubuntu.bionic.cve.oval.xml
> 
>   oscap oval generate report cve-results.xml > oscap-report.html
> 
> It would be useful to get feedback on other uses of/consumers of our
> OVAL data.
> 
> The changes in question to generate the improved data are available from
> https://git.launchpad.net/~sbeattie/ubuntu-cve-tracker?h=generate-oval-branch
> I would like to put these changes in place next week.

Please note that these changes have now landed and the generated OVAL
data available in https://people.canonical.com/~ubuntu-security/oval/
reflects this.

Thanks!

> [0] Note that bzip2 compressed files are also available at
>     https://people.canonical.com/~ubuntu-security/oval/ to save
>     on bandwidth.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
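To illustrate the source-name versus binary-name problem the change addresses, here is an added example that is not from the mail or from the ubuntu-cve-tracker code: a small evaluator over a constructed OVAL dpkginfo snippet and a constructed dpkg inventory. The openssl/libssl1.1 names and versions are constructed, and the evr ordering is a simplification of dpkg's, not a replacement for it.

```python
import re
import xml.etree.ElementTree as ET

LIN = "{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}"

# Constructed sample, shaped like Ubuntu's dpkginfo OVAL but not real Ubuntu data:
# test 1 checks the source name (old generator), test 2 the binary name (new generator).
OVAL_XML = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
  xmlns:lin="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
 <tests>
  <lin:dpkginfo_test id="oval:test:1" check="at least one" comment="openssl (source name)">
   <lin:object object_ref="oval:obj:1"/><lin:state state_ref="oval:ste:1"/></lin:dpkginfo_test>
  <lin:dpkginfo_test id="oval:test:2" check="at least one" comment="libssl1.1 (binary name)">
   <lin:object object_ref="oval:obj:2"/><lin:state state_ref="oval:ste:1"/></lin:dpkginfo_test>
 </tests>
 <objects>
  <lin:dpkginfo_object id="oval:obj:1"><lin:name>openssl</lin:name></lin:dpkginfo_object>
  <lin:dpkginfo_object id="oval:obj:2"><lin:name>libssl1.1</lin:name></lin:dpkginfo_object>
 </objects>
 <states>
  <lin:dpkginfo_state id="oval:ste:1"><lin:evr datatype="debian_evr_string" operation="less than">1.1.1-1ubuntu2.1</lin:evr></lin:dpkginfo_state>
 </states>
</oval_definitions>"""

# Constructed host inventory: the library is installed under its binary name;
# no binary package called "openssl" exists on this host.
INSTALLED = {"libssl1.1": "1.1.0g-2ubuntu4"}

def version_key(v):
    """Simplified Debian ordering (numeric runs as ints, alphabetic runs as strings);
    enough for this demo, not a replacement for dpkg --compare-versions."""
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[A-Za-z]+", v)]

def evaluate(oval_xml, installed):
    """Return {test_id: True if the named package is installed and older than the fixed evr}."""
    root = ET.fromstring(oval_xml)
    objects = {o.get("id"): o.find(LIN + "name").text for o in root.iter(LIN + "dpkginfo_object")}
    states = {s.get("id"): s.find(LIN + "evr").text for s in root.iter(LIN + "dpkginfo_state")}
    results = {}
    for test in root.iter(LIN + "dpkginfo_test"):
        name = objects[test.find(LIN + "object").get("object_ref")]
        fixed = states[test.find(LIN + "state").get("state_ref")]
        have = installed.get(name)
        # A source-name test never matches here, so the vulnerable libssl1.1 goes unreported.
        results[test.get("id")] = have is not None and version_key(have) < version_key(fixed)
    return results

if __name__ == "__main__":
    print(evaluate(OVAL_XML, INSTALLED))
```

The old-style test (oval:test:1) evaluates false even though a vulnerable build is installed, while the binary-name test (oval:test:2) detects it.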