hardcode OpenShift CPEs #1795
Conversation
Now we need to put a reminder somewhere...
Would you be open to adding generate-dumps-on-pr
so we can see what the bundle will look like with this change?
/retest
I was just spot checking a few vulns in genesis dump from this PR to the one produced as part of the 2.35.3 (4.6.2) release.
This PR:
Wondering if this too is a result of the flapping issue already reported... current OVAL data is indicating 4.15 CPEs for all unpatched OpenShift vulns. These are the files in the 2.35.3 genesis that are NOT in the genesis from this PR:
I wonder how much this explains things:
/retest
Retried the comparison with a genesis dump from one of the more recent master runs:
Looks to be a combo of the two previous compares.
Hard to tell: is this an LGTM or a call to dive into discrepancies?
Looks 'OK' to me; I would like to have had OVAL in a state where it had accurate data to compare and confirm that the only diff before/after this PR is the CPEs on CVEs. Of the CVEs spot checked, it appears to be working as desired.
See https://issues.redhat.com/browse/SECDATA-869 for more information. The OpenShift unfixed vuln OVAL files keep flapping. This PR ignores the CPE's minor version in favor of using our own hardcoded ones just to make the data consistently work.
The idea is: OpenShift 4.20 will not be released for quite some time, so we won't need to update this any time soon (ideally, never).
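The following is an added illustration of the normalisation described in this PR; it is not code from the scanner repository and does not reproduce the PR's actual diff. Two things are assumed rather than taken from the page: the OVAL-derived CPE strings are in the CPE 2.2 URI form `cpe:/a:redhat:openshift:<major>.<minor>`, and the hardcoded replacement set is every 4.x minor through 4.19 (inferred from the 4.20 remark above, labelled as an assumption in the code). The point of the example is that two OVAL snapshots which "flap" between different minor versions for the same unfixed CVE normalise to an identical CPE list, which is what makes the genesis dump stable from run to run.

```python
"""Illustrative OpenShift CPE normalisation (added example, not project code).

Assumptions not taken from the PR page:
  * OVAL CPEs use the 2.2 URI form "cpe:/a:redhat:openshift:<major>.<minor>".
  * The hardcoded replacement set covers OpenShift 4.0 .. 4.19.
"""
import re

# Hypothetical hardcoded set standing in for the PR's real one: every 4.x
# minor up to 4.19. The 4.20 remark in the PR suggests the cut-off, but the
# exact list is an assumption here.
HARDCODED_OPENSHIFT_CPES = tuple(
    f"cpe:/a:redhat:openshift:4.{minor}" for minor in range(0, 20)
)

# Matches the assumed CPE 2.2 URI form; group 1 is the major version,
# group 2 the (optional) minor version that the OVAL feed keeps changing.
OPENSHIFT_CPE_RE = re.compile(r"^cpe:/a:redhat:openshift:(\d+)(?:\.(\d+))?$")


def normalize_openshift_cpes(cpes):
    """Return `cpes` with every OpenShift 4.x CPE replaced by the hardcoded set.

    The minor version reported by OVAL is ignored entirely. Non-OpenShift CPEs
    and OpenShift majors other than 4 pass through unchanged. Order is kept
    and duplicates (e.g. two OVAL entries for 4.14 and 4.15) are collapsed.
    """
    out = []
    seen = set()
    for cpe in cpes:
        match = OPENSHIFT_CPE_RE.match(cpe)
        if match and match.group(1) == "4":
            replacements = HARDCODED_OPENSHIFT_CPES
        else:
            replacements = (cpe,)
        for replacement in replacements:
            if replacement not in seen:
                seen.add(replacement)
                out.append(replacement)
    return out


def normalized_snapshot(snapshot):
    """Normalise a {cve_id: [cpe, ...]} mapping as a genesis dump would see it."""
    return {cve: normalize_openshift_cpes(cpes) for cve, cpes in snapshot.items()}


def snapshots_agree(snapshot_a, snapshot_b):
    """True when two OVAL snapshots normalise to the same CPE lists per CVE."""
    return normalized_snapshot(snapshot_a) == normalized_snapshot(snapshot_b)


# Constructed sample data: the same unfixed CVE seen in two OVAL runs that
# flap between 4.14 and 4.15. The CVE id is a placeholder, not a real entry.
RUN_A = {"CVE-0000-00001": ["cpe:/a:redhat:openshift:4.15",
                            "cpe:/a:redhat:enterprise_linux:8"]}
RUN_B = {"CVE-0000-00001": ["cpe:/a:redhat:openshift:4.14",
                            "cpe:/a:redhat:enterprise_linux:8"]}

if __name__ == "__main__":
    print("raw runs agree:       ", RUN_A == RUN_B)
    print("normalised runs agree:", snapshots_agree(RUN_A, RUN_B))
    for cpe in normalized_snapshot(RUN_A)["CVE-0000-00001"]:
        print("  ", cpe)
```

Running the block shows the raw runs differing while the normalised ones agree, with the OpenShift entry expanded to the full hardcoded set followed by the untouched RHEL CPE. The trade-off the PR accepts is visible here too: accuracy of the per-minor affected range is given up in exchange for stable data, and the hardcoded list needs a reminder to be revisited once a new minor ships.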