With oscap from GitHub, CVE-2015-5180 is marked Unknown. The full statistics are: Non-Compliant/Vulnerable/Unpatched = 0, Compliant/Non-Vulnerable/Patched = 1988, Error = 0, Unknown = 6389, Other = 1.

With oscap from the official repository: Non-Compliant/Vulnerable/Unpatched = 354 (11 high, 229 medium, 102 low, 12 negligible), Compliant/Non-Vulnerable/Patched = 6829, Error = 0, Unknown = 1194, Other = 1. Here some CVEs contain references to Android, Qualcomm, aarch64, PuTTY (and WinSCP), but I do not understand this (I'm using an amd64 laptop).

I have Wireshark installed, and oscap reports CVEs in it. I removed it. Unpatched decreased to 264, Patched increased to 6919. So Wireshark has 90 unpatched CVEs. But openscap from GitHub does not change values. I'll use oscap from the official package libopenscap8.

In answer to your comment 10, I can say that CVEs 2012-2150, 2017-8386, 2014-8111 (https://lists.ubuntu.com/archives/ubuntu-hardened/2017-July/000940.html) are marked fixed in my results. I read this conversation and understood it. So it seems that you are right.

Thank you, Tyler! This bug is fixed.

--
https://bugs.launchpad.net/bugs/1658759

Title: oscap with com.ubuntu.xenial.cve.oval.xml wrongly reports many unpatched (and unknown) non-installed packages on Ubuntu Xenial 16.04.1 LTS
