On 11/10/15 3:04 PM, Su Zhang wrote:
Thanks for your response.
I looked into the doc and found the following description:

"The oscap utility maps Red Hat Security Advisories to CVE identifiers that are linked to the National Vulnerability Database and reports which security advisories are not applied."

However, do Red Hat security advisories capture all CVEs? Or do they only capture their own product-related CVEs? If they do not have a comprehensive set of CVEs, then do you know how to incorporate the entire NVD vulnerability data?

Definitely a good question, and one we may not be documenting in the best way.

The Red Hat CVE content reflects authoritative content for *Red Hat* technologies. For example, RHEL6 CVE data would include "core RHEL," but also packages that we ship/support, such as our release of Apache included in Enterprise Linux.

For third-party vendors (e.g. MongoDB, WebSphere) you'd have to get CVE/OVAL data directly from them. I'm not aware of a "master download" of NVD; however, they do point you to various vendor content:
https://oval.mitre.org/repository/about/other_repositories.html

CIS recently took over DHS' OVAL repository from MITRE, and it contains many CVE definitions for Unix/Linux/Windows/VMware:
https://oval.cisecurity.org/repository/download

--
Shawn Wells
Office of the Chief Technologist
U.S. Public Sector
[email protected] | 443.534.0130

--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
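
The scoping described in the reply above can be checked against any vendor OVAL feed. The following is an added example, not part of the original thread or of OpenSCAP: it lists the CVE references carried by each patch definition and reports which CVEs from a list of interest the feed does not mention. The feed content, the advisory IDs and the CVE IDs are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

OVAL_NS = {"oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed sample in the shape of a vendor OVAL patch feed.
# Every advisory and CVE identifier here is a placeholder, not a real one.
SAMPLE_FEED = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition class="patch" id="oval:example.vendor:def:1" version="1">
      <metadata>
        <title>Placeholder advisory: httpd security update</title>
        <reference source="RHSA" ref_id="RHSA-0000:0001"/>
        <reference source="CVE" ref_id="CVE-0000-0001"/>
        <reference source="CVE" ref_id="CVE-0000-0002"/>
      </metadata>
    </definition>
    <definition class="patch" id="oval:example.vendor:def:2" version="1">
      <metadata>
        <title>Placeholder advisory: kernel security update</title>
        <reference source="RHSA" ref_id="RHSA-0000:0002"/>
        <reference source="CVE" ref_id="CVE-0000-0003"/>
      </metadata>
    </definition>
  </definitions>
</oval_definitions>"""


def cves_by_advisory(feed_xml):
    """Map each patch definition's advisory ID to the CVE IDs it references."""
    root = ET.fromstring(feed_xml)
    covered = {}
    for d in root.iterfind("oval:definitions/oval:definition", OVAL_NS):
        if d.get("class") != "patch":
            continue
        refs = d.findall("oval:metadata/oval:reference", OVAL_NS)
        advisories = [r.get("ref_id") for r in refs if r.get("source") != "CVE"]
        cves = {r.get("ref_id") for r in refs if r.get("source") == "CVE"}
        # Fall back to the definition ID when no advisory reference is present.
        key = advisories[0] if advisories else d.get("id")
        covered.setdefault(key, set()).update(cves)
    return covered


def coverage_gap(feed_xml, cves_of_interest):
    """Split CVEs of interest into (referenced by feed, absent from feed).

    Absent means the vendor feed makes no statement about that CVE, for
    example because it affects third-party software; it does not mean the
    host is unaffected.
    """
    in_feed = set().union(*cves_by_advisory(feed_xml).values())
    wanted = set(cves_of_interest)
    return sorted(wanted & in_feed), sorted(wanted - in_feed)
```

CVEs that land in the second list are the ones that need OVAL content from another vendor or repository, as the reply describes.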
