Security Scan on RHEL

RedHat publishes an OVAL file and I am using it against my systems to scan for vulnerabilities. I have a few questions here.
a) rpm-to-cve.xml: this file contains many CVEs not matched in the OVAL file. The purpose of the file seems to be, given an RPM, which CVEs it matches. What is the purpose of the rpm-to-cve file?
b) What is the purpose of the rhsamapcpe.txt file?

So far I thought OVAL was enough; why are there these extra files that RHEL publishes?
Thanks,
Sam

Responses

Hello Sambaiah Kilaru,

As an initial starting point, please examine the Red Hat CVE database.

Sambaiah Kilaru, please also see this link https://www.redhat.com/security/data/metrics/ which might offer more background on the rpm-to-cve.xml and other files.

Please let us know if this helps, or post back with additional information. Please see the questions I mentioned above.

Regards,
RJ

Thanks for the info; I went through all that before asking the question. rpm-to-cve.xml has the entry "RHSA-2018:2709 noarch CVE-2018-14632 CVE-2018-14645". Neither CVE is related to python-setuptools, so why is it listed under python-setuptools?
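The cross-check Sam describes (CVEs listed for an RPM in rpm-to-cve.xml that no definition in the OVAL feed references) can be automated. The following is an added example and not code from the thread or from Red Hat. The OVAL layout it parses (definition / metadata / reference with source="CVE") follows the public OVAL 5 schema that Red Hat's feed uses; the rpm-to-cve.xml layout (an <rpm rpm="..."> element holding <cve> children) is an assumption made for illustration, and the RPM names, the advisory body and the CVE-EXAMPLE-0001 id in the sample data are constructed.

```python
"""Cross-check rpm-to-cve.xml entries against Red Hat OVAL definitions.

Added example, not from the thread. The OVAL layout follows the OVAL 5
definitions schema. The rpm-to-cve.xml layout below is an ASSUMPTION:
verify it against the real file before relying on this parser.
"""
import xml.etree.ElementTree as ET

OVAL_NS = {"oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed OVAL fragment: one patch definition for RHSA-2018:2709 that
# references only CVE-2018-14632; CVE-2018-14645 is deliberately left out
# so the mismatch Sam observed is reproduced.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:com.redhat.rhsa:def:20182709" version="1" class="patch">
      <metadata>
        <title>RHSA-2018:2709: constructed sample advisory</title>
        <reference source="RHSA" ref_id="RHSA-2018:2709"/>
        <reference source="CVE" ref_id="CVE-2018-14632"/>
      </metadata>
    </definition>
  </definitions>
</oval_definitions>"""

# Constructed rpm-to-cve fragment in the ASSUMED layout. NEVRAs are made up;
# CVE-EXAMPLE-0001 is a placeholder id, not a real CVE.
SAMPLE_RPM_TO_CVE = """<rpms>
  <rpm rpm="python-setuptools-0:0.9.8-7.el7">
    <cve>CVE-2018-14632</cve>
    <cve>CVE-2018-14645</cve>
  </rpm>
  <rpm rpm="openssl-1:1.0.2k-12.el7">
    <cve>CVE-EXAMPLE-0001</cve>
  </rpm>
</rpms>"""


def oval_cves(oval_xml):
    """Return the set of CVE ids referenced by any OVAL definition."""
    root = ET.fromstring(oval_xml)
    return {
        ref.get("ref_id")
        for ref in root.iterfind(
            ".//oval:definition/oval:metadata/oval:reference", OVAL_NS
        )
        if ref.get("source") == "CVE"
    }


def rpm_to_cves(rpm_xml):
    """Map each RPM NEVRA to the set of CVEs listed under it (assumed layout)."""
    root = ET.fromstring(rpm_xml)
    return {
        rpm.get("rpm"): {cve.text.strip() for cve in rpm.iterfind("cve") if cve.text}
        for rpm in root.iterfind("rpm")
    }


def cves_missing_from_oval(rpm_xml, oval_xml):
    """For each RPM, the CVEs from rpm-to-cve that no OVAL definition references.

    RPMs whose CVEs are all covered by OVAL are omitted from the result.
    """
    known = oval_cves(oval_xml)
    return {
        rpm: sorted(cves - known)
        for rpm, cves in rpm_to_cves(rpm_xml).items()
        if cves - known
    }


if __name__ == "__main__":
    for rpm, missing in cves_missing_from_oval(SAMPLE_RPM_TO_CVE, SAMPLE_OVAL).items():
        print(f"{rpm}: listed in rpm-to-cve but absent from OVAL -> {', '.join(missing)}")
```

Run against the real feeds by replacing the two sample strings with the downloaded files; a non-empty result is the list of CVEs a scanner driven only by OVAL would never report for that package, which is exactly the gap worth raising with the vendor.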