
Research: VEX consumption #9606

Open
rjmateus opened this issue Jan 9, 2025 · 0 comments

rjmateus commented Jan 9, 2025

Description

Uyuni has a feature that performs a CVE analysis on the managed machines. That analysis is done by comparing the installed package version with metadata of those packages and which CVE identifiers are associated with them.

Currently, this metadata is obtained using two independent methods:

  1. Package released metadata
  2. OVAL data files (see https://oval.mitre.org/)

The scanner process is also split and it can independently perform the analysis based on package metadata or OVAL metadata.

Linux OS companies are planning on replacing OVAL with VEX definitions. In 2023 Red Hat announced support for VEX and was planning to replace OVAL with VEX by the end of 2024. SUSE also publishes VEX data, so it could be good for a student to look into it.

Tasks overview

  • Download, process, and save to the database the metadata information in the VEX format.
  • Enhance the scanner process to consider this new method.

As part of this research, we should also consider whether it's possible to use the same database tables as for OVAL data, and also re-use the same scan process/method.

Languages and technologies

  • VEX processor: Python
  • Scanner: Java

Next steps

  • ?

Mentors

@admd ?
@parlt91 ?
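As an added illustration, not code from this issue or from Uyuni, the following Python sketch shows the two halves the tasks above describe: a VEX processor that indexes per-package CVE statuses from a VEX document, and a scanner lookup that evaluates an installed package inventory against that index. It assumes the CSAF 2.0 VEX profile with `product_identification_helper.purl` entries; the document, package names and CVE numbers are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed CSAF-VEX-style document with placeholder CVE ids; not a real advisory.
# Only the fields this example consumes are modelled.
SAMPLE_VEX = json.dumps({
    "document": {"category": "csaf_vex", "title": "Constructed example VEX"},
    "product_tree": {"full_product_names": [
        {"product_id": "P1", "name": "libexample 1.0.0",
         "product_identification_helper": {"purl": "pkg:rpm/suse/libexample@1.0.0-1.1?arch=x86_64"}},
        {"product_id": "P2", "name": "libexample 1.0.1",
         "product_identification_helper": {"purl": "pkg:rpm/suse/libexample@1.0.1-1.1?arch=x86_64"}},
        {"product_id": "P3", "name": "othertool 2.4",
         "product_identification_helper": {"purl": "pkg:rpm/suse/othertool@2.4-3.2?arch=x86_64"}},
    ]},
    "vulnerabilities": [
        {"cve": "CVE-0000-0001", "product_status": {"known_affected": ["P1"], "fixed": ["P2"]}},
        {"cve": "CVE-0000-0002", "product_status": {"known_not_affected": ["P3"]},
         "flags": [{"label": "vulnerable_code_not_present", "product_ids": ["P3"]}]},
        {"cve": "CVE-0000-0003", "product_status": {"under_investigation": ["P3"]}},
    ],
})

# CSAF product_status categories mapped onto the four VEX status values.
STATUS_MAP = {"known_affected": "affected", "fixed": "fixed",
              "known_not_affected": "not_affected", "under_investigation": "under_investigation"}

def index_vex(doc_text):
    """Processor side: return {purl: {cve: vex_status}} from one CSAF VEX document."""
    doc = json.loads(doc_text)
    purl_by_id = {}
    for fpn in doc.get("product_tree", {}).get("full_product_names", []):
        purl = fpn.get("product_identification_helper", {}).get("purl")
        if purl:
            purl_by_id[fpn["product_id"]] = purl
    index = defaultdict(dict)
    for vuln in doc.get("vulnerabilities", []):
        for category, product_ids in vuln.get("product_status", {}).items():
            status = STATUS_MAP.get(category)
            if status is None:
                continue  # first_affected, last_affected, recommended etc. carry no VEX status
            for pid in product_ids:
                if pid in purl_by_id:
                    index[purl_by_id[pid]][vuln["cve"]] = status
    return dict(index)

def scan(installed_purls, index):
    """Scanner side: per installed package, the CVEs whose VEX status is 'affected'."""
    return {purl: sorted(cve for cve, st in index.get(purl, {}).items() if st == "affected")
            for purl in installed_purls}
```

Packages with no matching product entry get an empty result rather than a false negative being silently merged with "not_affected"; a real scanner would want to distinguish "no VEX statement" from "not_affected" when it stores results.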
