<div dir="ltr">Thanks for the explanation. I understand that is not trivial. It may be a good idea to review the Redhat OVAL process because it works very well: <a href="https://www.redhat.com/security/data/oval/">https://www.redhat.com/security/data/oval/</a>.<div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">But 109 is an approachable problem</blockquote><div> </div><div>I don't agree. If I have 100 Ubuntu servers and I run oscap every day... I will get 10900 useless alerts. Of course, I can ignore them, but it is also a hard task. On the other hand, 109 fails will be 200 in one year?. I think the Ubuntu oval feed must be a feed with 0 false positives to be useful. I mean, false positives must be fixed when you are aware of them.</div><div><br></div><div>Do not misunderstand, I appreciate all the work done, but I think this process still needs a revision.</div><div><br></div><div>Thanks a lot!.</div></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jul 7, 2017 at 2:13 AM, Seth Arnold <span dir="ltr"><<a href="mailto:seth.arnold@canonical.com" target="_blank">seth.arnold@canonical.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Thu, Jul 06, 2017 at 01:24:12PM +0200, Jesus Linares wrote:<br> > it is parsed as "vulnerable" status. The oval generated for "vulnerable"<br> </span>> CVEs is: "check if the package exist". *It doesn't check any version*. This<br> <span class="">> may make sense for some packages, but I think it is not possible to have<br> > 109 fails in an updated host.<br> <br> </span>Strictly speaking, 109 fails in an updated host may make perfect sense:<br> <br> - The Ubuntu security team provides security support for packages in<br> main. The security team triages CVEs into different priorities and<br> may not get around to fixing 'low' or 'negligible' CVEs quickly.<br> <br> - The Ubuntu community provides security support for packages in universe.<br> The community may update some packages frequently (mariadb comes to<br> mind) while others never get updated.<br> <br> - As Tyler mentioned, it's possible for individual CVE entries to<br> incorrectly mark that an update is still needed for an issue even<br> though a fix has filtered in through Debian, perhaps years ago. We<br> fix these as we find them but probably the majority of fixes in this<br> category comes from Ubuntu community members researching the open CVEs<br> on their systems.<br> <br> This is one of my hopes of having a good OVAL tool: no one can inspect<br> 4000 open CVEs to see which ones still need to be closed. But 109 is an<br> approachable problem. If everyone with more open CVEs than they expect<br> investigates a few we'll have this list knocked down in no time!<br> <br> Thanks<br> <br>--<br> ubuntu-hardened mailing list<br> <a href="mailto:ubuntu-hardened@lists.ubuntu.com">ubuntu-hardened@lists.ubuntu.<wbr>com</a><br> <a href="https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened" rel="noreferrer" target="_blank">https://lists.ubuntu.com/<wbr>mailman/listinfo/ubuntu-<wbr>hardened</a><br> <br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><b style="font-size:12.8px"><font color="#0b5394">Jesus Linares</font></b><div style="font-size:12.8px"><i><font color="#999999">IT Security Engineer</font></i></div><div style="font-size:12.8px"><i><font color="#999999"><img src="https://docs.google.com/uc?export=download&id=0Bx75KsPzHxO_THFpRzBONGpoeWs&revid=0Bx75KsPzHxO_aG5WOW1OU3p3V3JOVUczVDlPViszMTdGZUtrPQ" width="96" height="16"><br></font></i></div></div></div> </div>