feat(feeds): add Enterprise Linux vulnerability feed support for CT-Ops RPM inventory #42
Labels
No labels
autorelease: pending
autorelease: tagged
bug
documentation
duplicate
enhancement
good first issue
help wanted
invalid
question
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
carrtech/ct-cve#42
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
While diagnosing AlmaLinux CT-Ops hosts showing zero CT-CVE findings, I confirmed CT-CVE accepted the corrected Alma package inventory but had no affected-package records capable of matching it.
Evidence from the live CT-CVE database after a successful manual inventory push on 2026-05-24:
The Alma host inventory now contains full RPM EVR source versions, e.g.
openssl-libssourceopensslsource_version1:3.5.1-7.el9_7, but there are no RHEL/Alma/Rocky/RPM advisories in CT-CVE to compare it against. As a result AlmaLinux hosts display zero findings even when inventory is present and valid.Suggested fix: add and enable an Enterprise Linux advisory source that produces
affected_packagesrows for RHEL-compatible RPM distros, including fixed EVRs. The matcher already has RPM and RHEL-compatible distro paths, so the missing piece appears to be feed ingestion/data coverage rather than CT-Ops inventory shape.