Apollo: V2 Advisory included both RL8 and RL9 when only RL9 is requested

[wagner-robert]

All,
I am running the docs: https://apollo.build.resf.org/docs#/v2_compat/list_advisories_compat_v2_v2_advisories_get
with these options:

curl -X 'GET' \
  'https://apollo.build.resf.org/v2/advisories?filters.product=Rocky%20Linux%209&filters.cve=CVE-2025-21502&filters.type=TYPE_SECURITY&filters.fetchRelated=true&limit=100' \
  -H 'accept: application/json'

For this particular CVE, the output contains both el8 and el9

     "name": "RLSA-2024:8117",
      "synopsis": "Moderate: java-1.8.0-openjdk security update",
       "affectedProducts": [
        "Rocky Linux 8",
        "Rocky Linux 9"
      ],

      "publishedAt": "2024-10-25T17:16:21.716473Z",
      "rpms": {
        "Rocky Linux 8": {
          "nvras": [
            "java-1.8.0-openjdk-1:1.8.0.432.b06-2.el8.aarch64.rpm",
            "java-1.8.0-openjdk-1:1.8.0.432.b06-2.el8.src.rpm",
            "java-1.8.0-openjdk-1:1.8.0.432.b06-2.el8.x86_64.rpm",
...

We are trying to convert this to an OVAL file for use in OpenSCAP. If we are setting the product to Rocky Linux 9, should the output still include RL8 rpms? I am open for suggestions - Trying to fix some of this python code -https://github.com/rocky-linux/oval/tree/main
I don't know if this is an error with apollo or the python code. Does moving to V3 help?

[nazunalika]

Looking at this particular advisory (RLSA-2024:8117), both products are grouped together on purpose. Upstream (Red Hat) is grouping them together, see here. This would answer why you're getting both back on the legacy V2 API. Not many packages have this occur, but can happen when multiple versions of Rocky Linux (or RHEL) share the same package versions.

I don't think the product filter is supposed to remove products from the output. The point of the filter is to display results that apply to the applied filter. And since both Rocky Linux 8 and 9 are affected by this advisory/CVE, that's what comes up in the results.

For the sake of the example, if I try to look up Rocky Linux 10 as a product filter (which doesn't exist yet), notice the output using the same CVE we're looking for:

[nazu@router tmp]$ curl -s -X 'GET'   'https://apollo.build.resf.org/v2/advisories?filters.product=Rocky%20Linux%2010&filters.cve=CVE-2025-21502&filters.type=TYPE_SECURITY&filters.fetchRelated=true&limit=100'   -H 'accept: application/json'
{"advisories":[],"total":0,"lastUpdated":"2025-03-31T13:52:49Z","page":0,"size":100}

I get nothing back.

I do not believe this to be an error with apollo and the data and V2 output are working as intended.

[wagner-robert]

I see that, however, your Apollo process starts with pulling RH8 and RH9 OVAL files: https://security.access.redhat.com/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2

That file contains:

<definition class="patch" id="oval:com.redhat.rhsa:def:20248117" version="635">
 <metadata>
  <title>RHSA-2024:8117: java-1.8.0-openjdk security update (Moderate)</title>
  <affected family="unix">
   <platform>Red Hat Enterprise Linux 9</platform>
  </affected>
  <reference ref_id="RHSA-2024:8117" ref_url="https://access.redhat.com/errata/RHSA-2024:8117" source="RHSA"/>
  <reference ref_id="CVE-2023-48161" ref_url="https://access.redhat.com/security/cve/CVE-2023-48161" source="CVE"/>
  <reference ref_id="CVE-2024-21208" ref_url="https://access.redhat.com/security/cve/CVE-2024-21208" source="CVE"/>
  <reference ref_id="CVE-2024-21210" ref_url="https://access.redhat.com/security/cve/CVE-2024-21210" source="CVE"/>
  <reference ref_id="CVE-2024-21217" ref_url="https://access.redhat.com/security/cve/CVE-2024-21217" source="CVE"/>
  <reference ref_id="CVE-2024-21235" ref_url="https://access.redhat.com/security/cve/CVE-2024-21235" source="CVE"/>
  <description>The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.
...

So, we start with them separated out nicely in Red Hat, then combine them, but never end up with a nice OVAL file that has it separated out. We are trying to download an OVAL file just like RH, but with the RH stuff replaced with Rocky verbiage.

Any chance someone can just sanitize the https://security.access.redhat.com/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2 file into a RL file?
I understand the combined website for lookup, but we need a clean OVAL file to run OpenSCAP.

[wagner-robert]

It looks like these were available at one point in time: https://dl.rockylinux.org/pub/oval/
However, they have not been updated since 10-May-2024

[nazunalika]

Updated ovals should be available now. However, I cannot guarantee their accuracy.

[wagner-robert]

Thank you for posting updates!!!! I owe you one!

Some size deltas:
28.3 MB (29,721,957 bytes) rhel-8.oval versus 21.4 MB (22,534,646 bytes) org.rockylinux.rlsa-8
13.3 MB (13,973,135 bytes) rhel-9.oval versus 7.52 MB (7,890,514 bytes) org.rockylinux.rlsa-9

I will try and figure out what the difference is between the rhel and rockylinux. I assume you are starting with the rhel versions.

[wagner-robert]

The OVAL file is not valid according to OpenSCAP:
File 'org.rockylinux.rlsa-9.xml' line 256: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}criterion', attribute 'test_ref': [facet 'pattern'] The value 'oval:org.rockylinux.rlsa:tst:unk' in not accepted by the pattern 'oval:[A-Za-z0-9_\-\.]+:tst:[1-9[0-9]*'. Warning: No precomputed value available, the value was either invalid or something strange happened. Also lines 4764, 5408, 5868, 6126, 14153...
I think these are CVEs that are have both Rocky Linux 8 and Rocky Linux 9 in them. Those also have RPMs which point to the el8 versions. This need to follow the RHEL9 files and only contain el9 RPMs and look for Rocky Linux 9 OS.

Other Errors:
File 'org.rockylinux.rlsa-9.xml' line 16954: ... Duplicate key-sequence ['oval:org.rockylinux.rlsa:def:20243830'] in key identity-constraint '{http://oval.mitre.org/XMLSchema/oval-definitions-5}definitionKey

[wagner-robert]

Just compare the results for: CVE-2025-21502 - The RHEL version is completely different from the RL version. I also think you have the OR/AND messed up. From RHEL:

 <criteria operator="OR">
  <criterion comment="Red Hat Enterprise Linux must be installed" test_ref="oval:com.redhat.rhba:tst:20223893008"/>
  <criteria operator="AND"> -------------------------------------------------------<this AND
   <criterion comment="Red Hat Enterprise Linux 9 is installed" test_ref="oval:com.redhat.rhba:tst:20223893007"/>
   <criteria operator="OR">
    <criteria operator="AND">
     <criterion comment="java-17-openjdk is earlier than 1:17.0.14.0.7-2.el9" test_ref="oval:com.redhat.rhsa:tst:20250422001"/>
     <criterion comment="java-17-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20221729002"/>

From org.rockylinux.rlsa-9:

  <criteria operator="OR">
    <criterion comment="Rocky Linux must be installed"
      test_ref="oval:org.rockylinux.rlsa:tst:20250426001"/>
  <criteria operator="AND">
    <criterion comment="java-21-openjdk is earlier than 1:21.0.6.0.7-1.el8"
      test_ref="oval:org.rockylinux.rlsa:tst:20250426003"/>
    <criterion comment="java-21-openjdk is signed with Rocky Linux rockyrelease2 key"
      test_ref="oval:org.rockylinux.rlsa:tst:20250426004"/>
  </criteria>
....
  <criteria operator="OR">
    <criterion comment="Rocky Linux 8 must be installed"
      test_ref="oval:org.rockylinux.rlsa:tst:unk"/>
  </criteria>
....
  <criteria operator="OR">   -------------------------------------------------< this OR
    <criterion comment="Rocky Linux 9 must be installed"
      test_ref="oval:org.rockylinux.rlsa:tst:20250426002"/>
  </criteria>

Hope this helps! Thanks for taking a stab at fixing this!

FYI - If you wish to test yourself here is the OpenSCAP command:
sudo oscap oval eval --report unit-test.html --results results.xml org.rockylinux.rlsa-9.xml

FYI - The same command with the rhel-9.oval.xml file runs fine

[wagner-robert]

FYI - There is some question about whether or not the details for various CVEs are valid when compared to Red Hat.
So CVE-2025-21502
Red Hat says: comment="java-17-openjdk is earlier than 1:17.0.14.0.7-2.el9"
Rocky OVAL says: comment="java-21-openjdk is earlier than 1:21.0.6.0.7-1.el9"

Should we expect these to align to the same el9 version?