Hey Brian,
I ran the following test on Xenial, Bionic, Focal and Groovy with archive openscap and openscap from -proposed and compared the results:
$ wget https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.$(lsb_release -cs).cve.oval.xml.bz2
$ bunzip2 com.ubuntu.$(lsb_release -cs).cve.oval.xml.bz2
$ oscap oval eval --report report.htm com.ubuntu.$(lsb_release -cs).cve.oval.xml
For Xenial the results are the same with both versions of openscap, which means the changes didn't introduce a regression so far. The same is true for Focal.
For Bionic the results differ:
- With the archive openscap I get 607 vulnerabilities still needing a fix, while the -proposed version returns 606 vulnerabilities still needing a fix. The difference is CVE-2017-9763 and I could check that this is a false positive with archive openscap, which means that the -proposed version fixed it.
For Groovy the results also differ:
- With archive openscap I get 220 vulnerabilities still needing a fix, while the -proposed version returns 211 vulnerabilities still needing a fix. The differences are:
CVE-2020-14803
CVE-2020-14798
CVE-2020-14797
CVE-2020-14796
CVE-2020-14792
CVE-2020-14782
CVE-2020-14781
CVE-2020-14779
CVE-2019-18348
And I could check that those were all false positives with archive openscap, which means that the -proposed version fixed them.
Hope this helps, let me know in case of doubts.
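
The comparison step described in the comment above can be scripted. The following is an added example, not part of the original comment or of openscap: it assumes the standard output of each `oscap oval eval` run was saved to a file and that each result line has the form `Definition <id>: <result>`. The function names, file names and sample definition ids are hypothetical.

```shell
#!/bin/sh
# Added example: list OVAL definitions whose result differs between two
# saved `oscap oval eval` outputs ("Definition <id>: <result>" lines).

# Usage: oval_diff ARCHIVE_OUT PROPOSED_OUT
# Prints "<id> <archive result> -> <proposed result>" per changed definition.
oval_diff() {
    awk '
        $1 == "Definition" && NF >= 3 {
            id = $2
            sub(/:$/, "", id)          # drop the colon that ends the id
            if (FILENAME == ARGV[1]) old[id] = $3
            else                     new[id] = $3
        }
        END {
            for (id in old) {
                if (!(id in new))            print id, old[id], "-> missing"
                else if (old[id] != new[id]) print id, old[id], "->", new[id]
            }
            for (id in new)
                if (!(id in old))            print id, "missing ->", new[id]
        }
    ' "$1" "$2" | sort
}

# Constructed sample input: ids and results are made up for the demonstration.
oval_diff_demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/archive.txt" <<'EOF'
Definition oval:com.ubuntu.example:def:100: true
Definition oval:com.ubuntu.example:def:200: true
Definition oval:com.ubuntu.example:def:300: false
Evaluation done.
EOF
    cat > "$tmp/proposed.txt" <<'EOF'
Definition oval:com.ubuntu.example:def:100: true
Definition oval:com.ubuntu.example:def:200: false
Definition oval:com.ubuntu.example:def:300: false
Evaluation done.
EOF
    oval_diff "$tmp/archive.txt" "$tmp/proposed.txt"
    rm -rf "$tmp"
}
```

A definition that goes from `true` to `false` between the two runs is a candidate false positive fixed by the newer version; one that goes from `false` to `true` deserves a check for a regression.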