Hey Brian,
I ran the following test on Xenial, Bionic, Focal and Groovy with archive
openscap and openscap from -proposed and compared the results:
$ wget https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.$(lsb_release -cs).cve.oval.xml.bz2
$ bunzip2 com.ubuntu.$(lsb_release -cs).cve.oval.xml.bz2
$ oscap oval eval --report report.htm com.ubuntu.$(lsb_release -cs).cve.oval.xml
For Xenial the results are the same with both versions of openscap,
which means the changes didn't introduce a regression so far. The same is
true for Focal.
For Bionic the results differ:
- With the archive openscap I get 607 vulnerabilities still needing a fix,
while the -proposed version returns 606 vulnerabilities still needing a fix. The
difference is CVE-2017-9763 and I could check that this is a false positive
with archive openscap, which means that the -proposed version fixed it.
For Groovy the results also differ:
- With archive openscap I get 220 vulnerabilities still needing a fix, while
the -proposed version returns 211 vulnerabilities still needing a fix. The
differences are:
CVE-2020-14803
CVE-2020-14798
CVE-2020-14797
CVE-2020-14796
CVE-2020-14792
CVE-2020-14782
CVE-2020-14781
CVE-2020-14779
CVE-2019-18348
And I could check that those were all false positives with archive openscap,
which means that the -proposed version fixed them.
Hope this helps, let me know in case of any doubts.
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9763
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-18348
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-14779
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-14781
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-14782
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-14792
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-14796
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-14797
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-14798
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-14803
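The comparison described in this comment (run the Ubuntu OVAL feed through two openscap builds and diff the CVEs still reported as unfixed) was done by hand against the HTML report. The script below is an added example, not part of this bug thread or of the openscap project: it assumes each run was also saved with `oscap oval eval --results results.xml`, and that the results document lists vulnerability definitions with `id`, `title` and `reference source="CVE"` metadata and records each evaluated definition as `<definition definition_id="..." result="true|false"/>`, which follows the OVAL results schema layout but is an assumption about the exact Ubuntu feed. The two embedded documents are constructed samples, not real oscap output; the definition ids in them are placeholders.

```python
"""Diff the CVEs two oscap OVAL result files still report as unfixed.

Added example for this bug thread; assumptions about the results layout
are noted inline.  Usage: python3 oval_diff.py archive.xml proposed.xml
"""
import re
import sys
import xml.etree.ElementTree as ET

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def _local(tag):
    """Strip the XML namespace from a tag: '{ns}definition' -> 'definition'."""
    return tag.rsplit("}", 1)[-1]


def definition_cves(root):
    """Map each OVAL definition id to the CVE ids named in its metadata.

    Assumption: the feed carries <reference source="CVE" ref_id="..."/> and a
    title that starts with the CVE id, so both are consulted."""
    mapping = {}
    for node in root.iter():
        if _local(node.tag) != "definition" or "id" not in node.attrib:
            continue  # result entries use definition_id, not id; skip them here
        cves = set()
        for child in node.iter():
            name = _local(child.tag)
            if name == "reference" and child.get("source") == "CVE":
                cves.add(child.get("ref_id"))
            elif name == "title" and child.text:
                cves.update(CVE_RE.findall(child.text))
        mapping[node.get("id")] = cves
    return mapping


def failing_cves(xml_text):
    """CVE ids whose vulnerability definition evaluated 'true', i.e. the
    CVEs oscap counts as 'still needs a fix' on this host."""
    root = ET.fromstring(xml_text)
    cves_by_def = definition_cves(root)
    found = set()
    for node in root.iter():
        if _local(node.tag) == "definition" and node.get("result") == "true":
            found.update(cves_by_def.get(node.get("definition_id"), set()))
    return found


def compare_runs(archive_xml, proposed_xml):
    """Return (fixed_in_proposed, new_in_proposed): CVEs the archive build
    flagged but -proposed did not, and the reverse (a possible regression)."""
    archive = failing_cves(archive_xml)
    proposed = failing_cves(proposed_xml)
    return sorted(archive - proposed), sorted(proposed - archive)


def build_sample(results):
    """Constructed, simplified OVAL results document (not real oscap output).
    `results` maps a placeholder definition id to the recorded result."""
    defs = {
        "oval:com.ubuntu.bionic:def:1001": "CVE-2017-9763",
        "oval:com.ubuntu.bionic:def:1002": "CVE-2019-18348",
    }
    def_xml = "".join(
        f'<definition id="{d}" class="vulnerability" version="1"><metadata>'
        f"<title>{c} on Ubuntu 18.04 LTS (bionic) - medium.</title>"
        f'<reference source="CVE" ref_id="{c}"/>'
        "</metadata></definition>"
        for d, c in defs.items())
    res_xml = "".join(
        f'<definition definition_id="{d}" version="1" result="{r}"/>'
        for d, r in results.items())
    return (
        '<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">'
        '<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">'
        f"<definitions>{def_xml}</definitions></oval_definitions>"
        f"<results><system><definitions>{res_xml}</definitions></system></results>"
        "</oval_results>")


# Constructed runs: archive openscap flags both CVEs, -proposed clears one.
ARCHIVE_RESULTS = build_sample({"oval:com.ubuntu.bionic:def:1001": "true",
                                "oval:com.ubuntu.bionic:def:1002": "true"})
PROPOSED_RESULTS = build_sample({"oval:com.ubuntu.bionic:def:1001": "false",
                                 "oval:com.ubuntu.bionic:def:1002": "true"})

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as a, open(sys.argv[2]) as p:
            fixed, new = compare_runs(a.read(), p.read())
    else:
        fixed, new = compare_runs(ARCHIVE_RESULTS, PROPOSED_RESULTS)
    print("no longer reported by -proposed:", fixed)
    print("newly reported by -proposed (check for regressions):", new)
```

The second list is the one worth watching when validating a -proposed build: an empty `new` list is what "no regression" means in the comment above, and any CVE in `fixed` still has to be confirmed by hand as a false positive of the old build rather than a check the new build silently skips.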
https://bugs.launchpad.net/bugs/1911791
Title:
Openscap can report false positives