Middleware security scanning problem

Issue

The problems security scanners have detecting Middleware content are well known to Red Hat and to the upstream Middleware industry. These detection issues are not specific to Red Hat Middleware products; they affect the whole Maven and Java ecosystem. The scale of the issue depends on the product's deliverable type, for example container images that contain non-RPM content from various Red Hat Middleware products.

Root cause

The primary root cause is the way Java software is built and the way Maven artifacts are shared across products. Additionally, for Red Hat Middleware products, security fixes have mainly been announced in human-readable, text-only advisories, published when a new Middleware product version containing the patches is released. For example: RHSA-2023-5978

Resolution

Red Hat started working on Middleware security information improvements two years ago. After multiple discussions and changes to the build and release pipelines, Red Hat started releasing accurate security data in the CSAF and VEX formats, as well as SBOM files, for the first onboarded Red Hat Middleware product: Red Hat Build of Quarkus 2.13 and 3.2.

For example, new Quarkus security data can be found in the following links:

CSAF advisory: CSAF advisory

Human-readable version: RHSA-2023-3809

CVEs directly correlated with RHSA-2023:3809 on our CVE pages: CVE-2022-45787, CVE-2023-0481, CVE-2023-1584, CVE-2023-2974, CVE-2023-28867

CVE files in VEX format: CVE-2022-45787, CVE-2023-0481, CVE-2023-1584, CVE-2023-2974, CVE-2023-28867

The same Quarkus package data can be found in the official Red Hat SBOM files for this product: Quarkus package data

Conclusion

Security scanning vendors are encouraged to consume these Red Hat CSAF-VEX security data files to identify Red Hat content and accurately determine its status for each CVE.
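As an added example (not Red Hat's code or data), the lookup a scanner would perform against a CSAF VEX document: index the product tree by purl, then return the product_status bucket for a given CVE, so a package the document does not mention comes back as "no data" rather than being silently treated as not affected. The embedded document is a constructed minimal sample that follows the CSAF 2.0 schema; its product ids and purls are assumptions, not values from the RHSA-2023:3809 file.

```python
import json

# Constructed minimal CSAF 2.0 VEX document: the layout follows the CSAF 2.0
# schema, but product ids, purls and statuses are made up for this example
# (not copied from Red Hat's RHSA-2023:3809 file).
SAMPLE_VEX = json.loads("""
{"document": {"category": "csaf_vex", "title": "constructed sample"},
 "product_tree": {"branches": [
   {"category": "product_version", "name": "quarkus-core 2.13.0.Final",
    "product": {"product_id": "qc-2.13.0", "product_identification_helper":
      {"purl": "pkg:maven/io.quarkus/quarkus-core@2.13.0.Final"}}},
   {"category": "product_version", "name": "quarkus-core 2.13.8.Final",
    "product": {"product_id": "qc-2.13.8", "product_identification_helper":
      {"purl": "pkg:maven/io.quarkus/quarkus-core@2.13.8.Final"}}}]},
 "vulnerabilities": [
   {"cve": "CVE-2023-0481",
    "product_status": {"known_affected": ["qc-2.13.0"], "fixed": ["qc-2.13.8"]}}]}
""")

# The four product_status buckets defined by CSAF 2.0 for the VEX profile.
STATUS_KEYS = ("fixed", "known_affected", "known_not_affected", "under_investigation")


def purl_to_product_ids(doc):
    """Walk product_tree.branches (they may nest) and map purl -> set of product_id."""
    index = {}

    def visit(node):
        product = node.get("product")
        if product:
            purl = product.get("product_identification_helper", {}).get("purl")
            if purl:
                index.setdefault(purl, set()).add(product["product_id"])
        for child in node.get("branches", []):
            visit(child)

    visit(doc.get("product_tree", {}))
    return index


def cve_status(doc, purl, cve):
    """Return the product_status bucket for purl under cve, or None if the
    document does not cover that pair (so 'no data' is not read as 'safe')."""
    ids = purl_to_product_ids(doc).get(purl, set())
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("cve") != cve:
            continue
        for key in STATUS_KEYS:
            if ids & set(vuln.get("product_status", {}).get(key, [])):
                return key
    return None
```

A real scanner would load the published VEX file for the advisory in place of SAMPLE_VEX and feed it the purls from the product's SBOM.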

Red Hat is working with our security scanning partners on their onboarding to the new security data format published by Red Hat, including CSAF-VEX files.

Red Hat is also working on onboarding the next Middleware products from our portfolio to this new process, so that they publish the same data as the Red Hat Build of Quarkus. An update will be added to this article when new Red Hat Middleware products are onboarded to the CSAF-VEX security data.