
Collect Red Hat RHSA

Open pombredanne opened this issue 5 years ago • 6 comments

https://www.redhat.com/security/data/oval/
http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml
https://www.redhat.com/security/data/metrics/

See also the API such as at https://access.redhat.com/hydra/rest/securitydata/cvrf.json https://access.redhat.com/documentation/en-us/red_hat_security_data_api/1.0/html/red_hat_security_data_api/index and https://access.redhat.com/articles/221883

pombredanne, Apr 07 '19 07:04

Or maybe CVRF? https://www.redhat.com/security/data/cvrf/ and https://access.redhat.com/hydra/rest/securitydata/cvrf.json

haikoschol, Sep 25 '19 16:09

Comparing OVAL and CVRF entries for the same RHSA, it seems that CVRF has all the information we need in an easier-to-consume structure. However, the XML version of it has more data than the JSON linked above.

haikoschol, Nov 04 '19 10:11

Actually we could also start with the simpler https://www.redhat.com/security/data/metrics/rpm-to-cve.xml

We could have for each record:

  1. RHSA references for CVRF and OVAL such as https://www.redhat.com/security/data/oval/com.redhat.rhsa-20193157.xml and https://access.redhat.com/hydra/rest/securitydata/cvrf/RHSA-2019:3281.json
  2. a RedHat CVE ref such as https://access.redhat.com/security/cve/CVE-2019-11757
  3. a CVE id
  4. a package reference where the issue is fixed.

pombredanne, Nov 04 '19 10:11

I didn't see this mentioned, so here it is: https://access.redhat.com/hydra/rest/securitydata/cve.json

Anyways, the larger issue with extracting data from any of the above mentioned sources (and CVRF advisories in general) is that there is no explicit mention of package name and package version. Rather, these are combined, and hence we will need to split these combined names into package name and version to construct purl.

Here is data extracted from CVRFs: https://github.com/nexB/vulnerablecode/issues/62#issuecomment-590656383. Notice how package name and version are not separated.

sbs2001, Mar 22 '20 16:03
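The name/version splitting problem described in the comment above, as an added example (not vulnerablecode's own code): it assumes the combined strings look like the NEVRA-style entries in rpm-to-cve.xml (`name-epoch:version-release`, optionally with an `.arch` suffix), splits on the last two hyphens because only the package name may contain hyphens, and builds a `pkg:rpm` purl from the pieces; the sample strings in the test are constructed.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote

# Architecture suffixes to strip when present (constructed list, not exhaustive).
KNOWN_ARCHES = {"x86_64", "i686", "i386", "aarch64", "ppc64le", "s390x", "noarch", "src"}

@dataclass(frozen=True)
class Nevra:
    name: str
    version: str
    release: str
    epoch: Optional[str] = None
    arch: Optional[str] = None

def split_nevra(rpm: str) -> Nevra:
    """Split 'name-[epoch:]version-release[.arch]' into its fields.
    Version and release cannot contain hyphens, so the split is anchored on
    the last two hyphens; fewer than two hyphens raises ValueError."""
    arch = None
    head, dot, tail = rpm.rpartition(".")
    if dot and tail in KNOWN_ARCHES:
        rpm, arch = head, tail
    parts = rpm.rsplit("-", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not a name-version-release string: {rpm!r}")
    name, version, release = parts
    epoch = None
    if ":" in version:  # the epoch is written as a prefix of the version
        epoch, version = version.split(":", 1)
    return Nevra(name, version, release, epoch, arch)

def to_purl(n: Nevra, namespace: str = "redhat") -> str:
    """Build a pkg:rpm purl; qualifiers are emitted sorted by key."""
    qualifiers = {}
    if n.arch:
        qualifiers["arch"] = n.arch
    if n.epoch and n.epoch != "0":  # epoch 0 is the default and is omitted
        qualifiers["epoch"] = n.epoch
    purl = f"pkg:rpm/{namespace}/{quote(n.name)}@{quote(n.version)}-{quote(n.release)}"
    if qualifiers:
        purl += "?" + "&".join(f"{k}={v}" for k, v in sorted(qualifiers.items()))
    return purl

def rpm_to_purl(rpm: str) -> str:
    """Convenience wrapper: combined RPM string in, purl out."""
    return to_purl(split_nevra(rpm))
```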

I am reopening as we are missing OVAL and/or CVRF data for completeness. Or at least we need to double-check https://www.redhat.com/security/data/oval/v2/. The license is not clear though.

pombredanne, May 23 '22 10:05

Based on the feedback of a RedHat buddy:

The license for what's under https://www.redhat.com/security/data/oval/v2/ is CC BY 4.0 as explained here: https://access.redhat.com/security/data

pombredanne, Feb 06 '24 22:02