Can you provide any details on whether Rocky will be releasing a CVE Library where you can easily search a CVE to discover the Product Errata? As well as ensuring that the Product Errata addresses all corrected packages for vulnerability remediation?
At this time I can only find the Product Errata, where you are unable to search by CVE, which makes it quite a process to easily obtain security-related information for vulnerability remediation.
Also, I have noticed that the remediated package description within Errata generally misses information.
If we compare to the RedHat 8 Errata there are far more updated packages described in RHSA-2020:4751. I'm sure since Rocky 8 is 1:1 with RedHat 8, the updated package details should be exactly the same.
With a lot of important information missing from your Errata this makes it a lot harder to do accurate vulnerability analysis than with other Linux Vendors. I'm thinking that OVAL definitions will be written with the use of Updated Package details.
I am unable to see these described within the CVEs within the errata, but I am seeing that some Vulnerability Scanning solutions are mapping to the errata.
Since Rocky 8 is based on RHEL8, and since it’s been fixed in RHEL8 as shown here: https://access.redhat.com/errata/RHSA-2020:4751 then it’s fixed in Rocky 8 as well - since the package versions are identical. Therefore any of the RHEL resources for errata can confirm for the entire CVE list that you posted on whether they have been fixed or not - feel free to check/verify that.
As for the errata not being as up-to-date as you would like, see various posts on the forum, for example:
which explains why since the team are busy with a lot of things, including their day jobs and families. Feel free to volunteer if you would like to help out in that area.
Thanks for the response! Yeah I have been using the RH Errata for the package details. I am currently trying to work out how to suppress false positives where CPE has been used, usually we would map directly to the vendor advisory.
With regards to volunteering, I could be up for that! I have a couple of large projects I am working on which need to be completed by the end of the year, but this is deffo something I would be interested in for 2025. Any chance you could PM details of how we can discuss this further please?
Hey! Thank you for your interest in trying to improve the tool… We really appreciate it. I do apologize for things not working to yours (and others) expectations when it comes to errata…
I like to say just fork it and do a PR of your changes to the repo… I find that to be a good starting point. Though I believe it would be better if someone provided mentoring or better guidance to get you started, especially on the tool itself. I think @neil or @mustafa can provide further guidance and I can see if they’d be willing to reach out to you in regards to the tool.
For more real time direct communication, I always recommend our mattermost and joining our Development and Security channels in regards to this tool (and others).
Not a problem, would be cool to help out! My contract at work states 'No Moonlighting', so I have messaged my boss to ensure I don't break my contract terms, but I can't see it being a conflict of interest since you are not a competitor of my company.
I will check the tool over. I was thinking maybe a DB would be a good approach: ingest the RH Errata into a table with a new field for the Rocky Errata ID, then just use a DB query to extract all of the data associated with the update.
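To make the DB idea in the post above concrete (and the earlier point that a RHEL advisory maps to a Rocky advisory with identical package versions), here is an added example of what such an errata index could look like. It is not Rocky's errata tooling or any Red Hat data: the schema, the function names and every advisory ID, CVE ID and package NVR in it are constructed placeholders. It loads advisory records into SQLite with a column for the downstream (Rocky) advisory ID, answers "which fixed packages belong to this CVE", lists upstream advisories that have no downstream mapping yet, and shows the exact-match caveat a scanner would have to handle properly.

```python
"""Toy errata index: CVE -> upstream advisory -> Rocky advisory -> fixed packages.

Added example, not Rocky's or Red Hat's tooling. All advisory IDs, CVE IDs and
package NVRs below are constructed placeholders, not real advisory content.
"""
import sqlite3
from typing import Dict, Iterable, List, Optional, Tuple

SCHEMA = """
CREATE TABLE IF NOT EXISTS errata (
    rh_id    TEXT PRIMARY KEY,   -- upstream advisory id (RHSA-style)
    rocky_id TEXT,               -- matching Rocky advisory id, NULL if not yet mapped
    severity TEXT
);
CREATE TABLE IF NOT EXISTS errata_cve (
    rh_id TEXT REFERENCES errata(rh_id),
    cve   TEXT,
    PRIMARY KEY (rh_id, cve)
);
CREATE TABLE IF NOT EXISTS errata_package (
    rh_id TEXT REFERENCES errata(rh_id),
    nvr   TEXT,                  -- name-version-release.arch of the fixed build
    PRIMARY KEY (rh_id, nvr)
);
CREATE INDEX IF NOT EXISTS idx_errata_cve_cve ON errata_cve(cve);
"""

# Constructed sample advisory records (placeholders, not real advisory data).
SAMPLE_ERRATA: List[Dict] = [
    {
        "rh_id": "RHSA-0000:0001",
        "rocky_id": "RLSA-0000:0001",
        "severity": "Important",
        "cves": ["CVE-0000-0001", "CVE-0000-0002"],
        "packages": [
            "examplelib-1.2.3-4.el8.x86_64",
            "examplelib-devel-1.2.3-4.el8.x86_64",
            "exampletool-2.0.0-1.el8.noarch",
        ],
    },
    {
        "rh_id": "RHSA-0000:0002",
        "rocky_id": None,  # upstream advisory with no downstream advisory published yet
        "severity": "Moderate",
        "cves": ["CVE-0000-0002"],
        "packages": ["otherpkg-5.6-7.el8.x86_64"],
    },
]


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) the index database and make sure the schema exists."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def ingest(conn: sqlite3.Connection, records: Iterable[Dict]) -> None:
    """Load advisory records; re-running with the same ids is idempotent."""
    with conn:  # commits on success, rolls back on error
        for r in records:
            conn.execute("INSERT OR REPLACE INTO errata VALUES (?, ?, ?)",
                         (r["rh_id"], r["rocky_id"], r["severity"]))
            conn.executemany("INSERT OR IGNORE INTO errata_cve VALUES (?, ?)",
                             [(r["rh_id"], c) for c in r["cves"]])
            conn.executemany("INSERT OR IGNORE INTO errata_package VALUES (?, ?)",
                             [(r["rh_id"], p) for p in r["packages"]])


def lookup_cve(conn: sqlite3.Connection, cve: str) -> List[Tuple[str, Optional[str], str]]:
    """Return (rh_id, rocky_id, nvr) for every fixed package tied to the CVE."""
    return conn.execute(
        """
        SELECT e.rh_id, e.rocky_id, p.nvr
        FROM errata_cve c
        JOIN errata e         ON e.rh_id = c.rh_id
        JOIN errata_package p ON p.rh_id = e.rh_id
        WHERE c.cve = ?
        ORDER BY e.rh_id, p.nvr
        """,
        (cve,),
    ).fetchall()


def unmapped_advisories(conn: sqlite3.Connection) -> List[str]:
    """Upstream advisories that still lack a downstream advisory id (the gap the thread is about)."""
    return [row[0] for row in
            conn.execute("SELECT rh_id FROM errata WHERE rocky_id IS NULL ORDER BY rh_id")]


def missing_fixes(conn: sqlite3.Connection, cve: str, installed: Iterable[str]) -> List[str]:
    """Fixed NVRs for `cve` that are not in the installed set.

    Exact-string match only: a build newer than the advisory's would still be
    reported here. A real scanner must compare EVR with RPM's own ordering
    rules (e.g. rpm.labelCompare) instead of string equality.
    """
    have = set(installed)
    return sorted({nvr for _, _, nvr in lookup_cve(conn, cve) if nvr not in have})


if __name__ == "__main__":
    db = open_db()
    ingest(db, SAMPLE_ERRATA)
    for row in lookup_cve(db, "CVE-0000-0002"):
        print(row)
    print("unmapped:", unmapped_advisories(db))
```

Run it with `python errata_index.py` (hypothetical file name) to print the placeholder rows. The `rocky_id IS NULL` query is the useful part for the problem discussed in the thread: it is exactly the list of upstream advisories whose downstream counterpart a volunteer would need to fill in, and a scanner that maps to vendor advisories can use the same table to answer which downstream advisory a given CVE lands in.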