Score:3

Security OVAL files seem to give false positives

ph flag

I'm scanning some systems running 18.04 LTS using OpenSCAP and the Ubuntu OVAL file. The scan tells me the systems have vulnerabilities like USN-5123-1 when we haven't installed the mysql-server packages referenced in the USN on Ubuntu's site. Looking at the OVAL XML, it looks like this is because the test for that USN looks for a number of other packages, including libmysqlclient20, which we do have (see oval:com.ubuntu.bionic:var:512310000000 in the XML).

Is there a reason for the apparent disagreement between the website and OVAL here?

Score:1
co flag

We try to trim the binary packages listed in our USNs to just the packages that we think are related to the fixes in question, to avoid the emails being ridiculously long lists of dozens or hundreds of packages. (The -dev or -doc packages are almost never actually affected by security issues.)

We've chosen to list all the binary packages generated from a single source package as affected in our OVAL data feeds. While this can be misleading from the perspective of source packages that provide both clients and servers, it's the conservative choice and also reflects how package upgrades are expected to happen.

(In the specific case of MySQL, it's also a good idea: Oracle does not publish much information about their security issues. We shouldn't try to guess which binary package contains which specific CVE fixes from Oracle. It's best to upgrade them all when they're released rather than trying to understand which specific fixes are in which specific packages.)

The USN list of packages is trimmed a bit to keep them readable. The OVAL intentionally lists everything. Both approaches have problems, but we figured the OVAL should err on the side of safety and the USNs should err on the side of legibility.

Thanks
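To see which installed binary package is actually making a definition evaluate true (the situation in the question, where a server USN fires because of libmysqlclient20), here is an added example that is not part of the original thread and not Ubuntu's or OpenSCAP's own code. It walks a constructed OVAL fragment shaped like Ubuntu's feed (definition -> criterion -> dpkginfo_test -> object/state -> constant_variable), using made-up `oval:example:` ids and a hypothetical fixed version, compares versions with a port of dpkg's ordering rules, and reads a constructed stand-in for `dpkg-query` output. Ids, versions and package lists in the sample are assumptions for illustration only.

```python
import xml.etree.ElementTree as ET

OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
LINUX_DEF = OVAL_DEF + "#linux"
NS = {"d": OVAL_DEF, "l": LINUX_DEF}

# Constructed OVAL fragment (not Ubuntu's real feed): same element chain as the
# Ubuntu OVAL, but with made-up "oval:example:" ids and a hypothetical fixed version.
SAMPLE_OVAL = """<oval_definitions xmlns="%s" xmlns:linux="%s">
<definitions><definition id="oval:example:def:1" class="patch" version="1">
 <metadata><title>Hypothetical USN for the mysql-5.7 source package</title></metadata>
 <criteria><criterion test_ref="oval:example:tst:1" comment="a listed binary is older than the fix"/></criteria>
</definition></definitions>
<tests><linux:dpkginfo_test id="oval:example:tst:1" version="1" check="at least one" comment="">
 <linux:object object_ref="oval:example:obj:1"/><linux:state state_ref="oval:example:ste:1"/>
</linux:dpkginfo_test></tests>
<objects><linux:dpkginfo_object id="oval:example:obj:1" version="1">
 <linux:name var_ref="oval:example:var:1" var_check="at least one"/>
</linux:dpkginfo_object></objects>
<states><linux:dpkginfo_state id="oval:example:ste:1" version="1">
 <linux:evr datatype="debian_evr_string" operation="less than">0:5.7.36-0ubuntu0.18.04.1</linux:evr>
</linux:dpkginfo_state></states>
<variables><constant_variable id="oval:example:var:1" version="1" datatype="string">
 <value>libmysqlclient-dev</value><value>libmysqlclient20</value>
 <value>mysql-client-5.7</value><value>mysql-server-5.7</value>
</constant_variable></variables>
</oval_definitions>""" % (OVAL_DEF, LINUX_DEF)

# Constructed stand-in for: dpkg-query -W -f='${Package}\t${Version}\n'
# Only the client library is installed, no mysql-server package.
SAMPLE_DPKG = "libmysqlclient20\t5.7.30-0ubuntu0.18.04.1\nsome-other-pkg\t1.0-1\n"


def parse_dpkg_query(text):
    """Map package name -> installed version from tab-separated dpkg-query lines."""
    return dict(line.split("\t", 1) for line in text.splitlines() if line.strip())


def _order(c):
    # Character weight used by dpkg: '~' sorts before everything, even end of string.
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit and numeric segments."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_evr(v):
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_compare(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions`: epoch, then upstream, then revision."""
    ea, ua, ra = _split_evr(a)
    eb, ub, rb = _split_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def explain_definition(oval_xml, def_id, installed):
    """List (package, installed, fixed) for every installed package that satisfies a
    dpkginfo test reachable from the definition. Follows only the test/object/state/
    variable chain; release-check criteria and AND/OR operators are not evaluated."""
    root = ET.fromstring(oval_xml)
    by_id = {el.get("id"): el for el in root.iter() if el.get("id")}
    hits = []
    for crit in by_id[def_id].iter(f"{{{OVAL_DEF}}}criterion"):
        test = by_id[crit.get("test_ref")]
        obj = by_id[test.find("l:object", NS).get("object_ref")]
        state = by_id[test.find("l:state", NS).get("state_ref")]
        var = by_id[obj.find("l:name", NS).get("var_ref")]
        evr = state.find("l:evr", NS)
        for name in (v.text for v in var.findall("d:value", NS)):
            cur = installed.get(name)
            if cur and evr.get("operation") == "less than" and dpkg_compare(cur, evr.text) < 0:
                hits.append((name, cur, evr.text))
    return hits


if __name__ == "__main__":
    for pkg, cur, fixed in explain_definition(SAMPLE_OVAL, "oval:example:def:1", parse_dpkg_query(SAMPLE_DPKG)):
        print(f"{pkg}: installed {cur} < fixed {fixed}")
```

Against a real host, replace the two constructed inputs with the downloaded `com.ubuntu.bionic.usn.oval.xml` and real `dpkg-query` output; the output then shows the exact client library that made the USN definition true, which is what the OVAL data, by design, reports. Real Ubuntu definitions also gate on a release check and may nest criteria, which this walker does not evaluate.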
