- What are currently recommended processes/tools which would allow robust data retrieval of CVEs affecting a CentOS system? FYI, we tried grype and lynis -- both reported very inaccurate results.
- Is it possible to modify the OVAL files from RedHat and use it for CentOS?
We are trying to retrieve a list of CVEs that affect particular CentOS systems.
What are we seeking?
Currently on RedHat, we use the OVAL file provided by RedHat to detect CVEs. However, OVAL files are not provided by CentOS and we’re seeking community recommendations to solve the challenge.
What we tried:
We tried some basic substitution in the RedHat OVAL file by substituting 'redhat:enterprise_linux' with 'centos:centos' and 'ref_id="RHSA' with 'ref_id="CESA'. These did not work.
sudo sed -i 's/cpe:\/o:redhat:enterprise_linux/cpe:\/o:centos:centos/g' com.redhat.rhsa-RHEL8.xml
sudo sed -i 's/cpe:\/a:redhat:enterprise_linux/cpe:\/o:centos:centos/g' com.redhat.rhsa-RHEL8.xml
sudo sed -i 's/ref_id="RHSA/ref_id="CESA/g' com.redhat.rhsa-RHEL8.xml
We also tried this tool (https://github.com/Sep0lkit/oval-for-el) that converts RHEL OVAL files to CentOS OVAL files, but it seems not to be updated – and didn’t work either.
Thank you for your response,
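Added example, not code from the post or from any of the tools it mentions: it performs the same CPE and ref_id substitution as the post's sed commands, but on the parsed OVAL tree, and then reports which rpminfo objects and states still refer to Red Hat-specific artefacts. It assumes (this is an assumption about RHEL OVAL content, not something the post states) that tests for the "redhat-release" package and for Red Hat RPM signature key ids are what keep a renamed RHEL OVAL file from matching a CentOS host; the sample OVAL fragment and its ids are constructed.

```python
# Added example (not from the post): redo the sed substitutions on the XML
# tree and list the Red Hat-specific checks the substitutions never touch.
# Assumption: "redhat-release" package tests and signature_keyid states are
# why a renamed RHEL OVAL file still does not evaluate against CentOS.
import xml.etree.ElementTree as ET

NS = {"oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
      "lin": "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"}

# Constructed fragment shaped like com.redhat.rhsa-RHEL8.xml; the definition
# ids and the key id are placeholders, not real Red Hat values.
SAMPLE_OVAL = """<oval_definitions xmlns="%s" xmlns:lin="%s">
 <definitions><definition id="oval:com.redhat.rhsa:def:1" class="patch" version="1">
  <metadata><title>RHSA-2020:0001: example</title>
   <reference ref_id="RHSA-2020:0001" source="RHSA"/>
   <advisory><affected_cpe_list>
    <cpe>cpe:/o:redhat:enterprise_linux:8</cpe>
    <cpe>cpe:/a:redhat:enterprise_linux:8</cpe>
   </affected_cpe_list></advisory></metadata></definition></definitions>
 <objects>
  <lin:rpminfo_object id="oval:com.redhat.rhsa:obj:1"><lin:name>redhat-release</lin:name></lin:rpminfo_object>
  <lin:rpminfo_object id="oval:com.redhat.rhsa:obj:2"><lin:name>openssl</lin:name></lin:rpminfo_object>
 </objects>
 <states>
  <lin:rpminfo_state id="oval:com.redhat.rhsa:ste:1"><lin:signature_keyid>0123456789abcdef</lin:signature_keyid></lin:rpminfo_state>
 </states>
</oval_definitions>""" % (NS["oval"], NS["lin"])

def rewrite_oval(xml_text):
    """Return (rewritten XML, list of Red Hat-specific checks left behind)."""
    root = ET.fromstring(xml_text)
    for cpe in root.iter("{%s}cpe" % NS["oval"]):  # same edits as the sed lines
        cpe.text = (cpe.text.replace("cpe:/o:redhat:enterprise_linux", "cpe:/o:centos:centos")
                            .replace("cpe:/a:redhat:enterprise_linux", "cpe:/o:centos:centos"))
    for ref in root.iter("{%s}reference" % NS["oval"]):
        if ref.get("ref_id", "").startswith("RHSA"):
            ref.set("ref_id", "CESA" + ref.get("ref_id")[4:])
    leftovers = []  # content the text substitutions never reach
    for obj in root.iter("{%s}rpminfo_object" % NS["lin"]):
        name = obj.find("lin:name", NS)
        if name is not None and name.text == "redhat-release":
            leftovers.append("%s tests for package %s" % (obj.get("id"), name.text))
    for state in root.iter("{%s}rpminfo_state" % NS["lin"]):
        key = state.find("lin:signature_keyid", NS)
        if key is not None:
            leftovers.append("%s requires RPM signature key %s" % (state.get("id"), key.text))
    return ET.tostring(root, encoding="unicode"), leftovers
```

Run `rewrite_oval(SAMPLE_OVAL)` and the second return value lists the checks that would still fail on a CentOS host after the substitution.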