How to find the right mapping between rpm package repositories and CPE to determine which OVAL files to scan in the RHUI environment


Environment

Red Hat Update Infrastructure
Red Hat Enterprise Linux

Issue

When running Red Hat products such as Red Hat Enterprise Linux (RHEL) on a public cloud platform, Red Hat Update Infrastructure (RHUI) is typically used to obtain security updates. When the system receives updates via RHUI, the blog post about how to determine which OVAL files are used to scan a RHEL system does not apply.

Resolution

In RHUI, repo labels usually contain the -rhui extension. The -rhui extension must be removed from the repo labels so that they match the labels available in the repository-to-cpe mapping file. The following sed command adjusts the repo labels found in RHUI:

sed -e 's|-rhui||g'

If the RHUI contains custom repository labels where the -rhui extension does not exist, or where the rhui phrase is added in the middle of the repository label, the above solution will not work. In such cases, you can take the repository URL and compare it to the repository relative URLs from the repository-to-cpe mapping file. The repository relative URLs remain the same even if the RHUI is configured to use custom repository labels.

Example RHUI custom repository label: rhel-8-appstream-rhui-rpms
Run the following command to check the repository baseurl:

dnf repoinfo rhel-8-appstream-rhui-rpms | grep baseurl
Repo-baseurl : https://rhui.REGION.aws.ce.redhat.com/pulp/mirror/content/dist/rhel8/rhui/8/x86_64/appstream/os

When you remove the /rhui/ path segment from the baseurl and compare the result to the relative URLs from the repository-to-cpe mapping file, you will see the corresponding Red Hat repository:

"rhel-8-for-x86_64-appstream-rpms": {
    "cpes": [
        "cpe:/a:redhat:enterprise_linux:8::appstream",
        "cpe:/a:redhat:rhel:8.3::appstream"
    ],
    "repo_relative_urls": [
        "content/dist/rhel8/8/x86_64/appstream/os"
    ]
}
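
Both lookups described above (label with -rhui removed, then the baseurl comparison) can be combined in one helper. This is an added example, not Red Hat's own tooling; the function names are hypothetical, the mapping is the single entry quoted above, and the extra label in the demo is constructed.

```python
from urllib.parse import urlparse

# Mapping excerpt copied from the article; the real mapping file has many more entries.
SAMPLE_MAPPING = {
    "rhel-8-for-x86_64-appstream-rpms": {
        "cpes": [
            "cpe:/a:redhat:enterprise_linux:8::appstream",
            "cpe:/a:redhat:rhel:8.3::appstream",
        ],
        "repo_relative_urls": ["content/dist/rhel8/8/x86_64/appstream/os"],
    },
}

def relative_url(baseurl):
    """Reduce a RHUI baseurl to the form used in repo_relative_urls."""
    path = urlparse(baseurl).path
    # Drop "rhui" only when it is a whole path segment, never a substring.
    segments = [s for s in path.split("/") if s and s != "rhui"]
    if "content" not in segments:
        return None
    # Keep everything from "content" onward; the prefix before it is site-specific.
    return "/".join(segments[segments.index("content"):])

def cpes_for_repo(mapping, label, baseurl=None):
    """Return (red_hat_label, cpes), or None when the repo cannot be mapped."""
    # Step 1: same effect as sed -e 's|-rhui||g' on the label.
    candidate = label.replace("-rhui", "")
    if candidate in mapping:
        return candidate, mapping[candidate]["cpes"]
    # Step 2: custom label, so fall back to comparing relative URLs.
    rel = relative_url(baseurl) if baseurl else None
    for name, entry in mapping.items():
        if rel in entry.get("repo_relative_urls", []):
            return name, entry["cpes"]
    return None

if __name__ == "__main__":
    url = ("https://rhui.REGION.aws.ce.redhat.com/pulp/mirror/content/dist/"
           "rhel8/rhui/8/x86_64/appstream/os")
    # Custom label from the article: label lookup fails, URL lookup succeeds.
    print(cpes_for_repo(SAMPLE_MAPPING, "rhel-8-appstream-rhui-rpms", url))
    # Constructed label that only needs -rhui removed.
    print(cpes_for_repo(SAMPLE_MAPPING, "rhel-8-for-x86_64-appstream-rhui-rpms"))
```

A None result means the repository could not be tied to any CPE, so packages installed from it would not be matched to an OVAL file; report such repositories instead of skipping them.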

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
