feat(feeds): add Enterprise Linux vulnerability feed support for CT-Ops RPM inventory #42

Closed
opened 2026-05-24 13:48:14 +00:00 by simon · 0 comments
Owner

While diagnosing AlmaLinux CT-Ops hosts showing zero CT-CVE findings, I confirmed CT-CVE accepted the corrected Alma package inventory but had no affected-package records capable of matching it.

Evidence from the live CT-CVE database after a successful manual inventory push on 2026-05-24:

select source, distro_id, count(*) from affected_packages group by source, distro_id;
-- ubuntu-osv | ubuntu | 2003730

select count(*) from affected_packages where distro_id in ('rhel', 'almalinux', 'rocky') or source = 'rpm';
-- 0

The Alma host inventory now contains full RPM EVR source versions, e.g. openssl-libs source openssl source_version 1:3.5.1-7.el9_7, but there are no RHEL/Alma/Rocky/RPM advisories in CT-CVE to compare it against. As a result AlmaLinux hosts display zero findings even when inventory is present and valid.

Suggested fix: add and enable an Enterprise Linux advisory source that produces affected_packages rows for RHEL-compatible RPM distros, including fixed EVRs. The matcher already has RPM and RHEL-compatible distro paths, so the missing piece appears to be feed ingestion/data coverage rather than CT-Ops inventory shape.

While diagnosing AlmaLinux CT-Ops hosts showing zero CT-CVE findings, I confirmed CT-CVE accepted the corrected Alma package inventory but had no affected-package records capable of matching it. Evidence from the live CT-CVE database after a successful manual inventory push on 2026-05-24: ```sql select source, distro_id, count(*) from affected_packages group by source, distro_id; -- ubuntu-osv | ubuntu | 2003730 select count(*) from affected_packages where distro_id in ('rhel', 'almalinux', 'rocky') or source = 'rpm'; -- 0 ``` The Alma host inventory now contains full RPM EVR source versions, e.g. `openssl-libs` source `openssl` source_version `1:3.5.1-7.el9_7`, but there are no RHEL/Alma/Rocky/RPM advisories in CT-CVE to compare it against. As a result AlmaLinux hosts display zero findings even when inventory is present and valid. Suggested fix: add and enable an Enterprise Linux advisory source that produces `affected_packages` rows for RHEL-compatible RPM distros, including fixed EVRs. The matcher already has RPM and RHEL-compatible distro paths, so the missing piece appears to be feed ingestion/data coverage rather than CT-Ops inventory shape.
simon closed this issue 2026-05-24 14:03:04 +00:00
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
carrtech/ct-cve#42
No description provided.