
Vulnerability database used by cvescan not the same as the Oval data thus missing some vulnerable packages during scan #75

Open
philroche opened this issue Mar 30, 2021 · 0 comments


@philroche

We have encountered an issue with a GKE image which cvescan is showing as not vulnerable, but which did have kernel packages installed that were vulnerable.

This was confirmed by scanning with oscap and the OCI Oval data instead.

The CVE was https://ubuntu.com/security/CVE-2021-3444 and the manifest was bionic-20210309-minimal-bionic-minimal-cloudimg-amd64-gke-on-prem-1.7.manifest.txt.

Scanning this manifest with cvescan, no vulnerability is shown for CVE-2021-3444:

$ cvescan --priority all --manifest ./bionic-20210309-minimal-bionic-minimal-cloudimg-amd64-gke-on-prem-1.7.manifest
✅ Ubuntu vulnerability datbase successfully downloaded! 
✅ Scan complete!
 
CVE ID          PRIORITY    PACKAGE          FIXED VERSION                       REPOSITORY
CVE-2019-16884  medium      runc             1.0.0~rc10-0ubuntu1~18.04.2         Ubuntu Archive
CVE-2019-19921  medium      runc             1.0.0~rc10-0ubuntu1~18.04.2         Ubuntu Archive
CVE-2020-15157  medium      docker.io        19.03.6-0ubuntu1~18.04.2            Ubuntu Archive
CVE-2021-3429   medium      cloud-init       21.1-19-gbad84ad4-0ubuntu1~18.04.1  Ubuntu Archive
CVE-2021-3449   high        libssl1.1        1.1.1-1ubuntu2.1~18.04.9            Ubuntu Archive
CVE-2021-3449   high        openssl          1.1.1-1ubuntu2.1~18.04.9            Ubuntu Archive
CVE-2021-21300  medium      git              1:2.17.1-1ubuntu0.8                 Ubuntu Archive
CVE-2021-21300  medium      git-man          1:2.17.1-1ubuntu0.8                 Ubuntu Archive
CVE-2021-28153  medium      libglib2.0-0     2.56.4-0ubuntu0.18.04.8             Ubuntu Archive
CVE-2021-28153  medium      libglib2.0-data  2.56.4-0ubuntu0.18.04.8             Ubuntu Archive

Summary
------------------------------------  ------
Ubuntu Release                        bionic
Installed Packages                    417
CVE Priority                          All
Unique Packages Fixable by Patching   9
Unique CVEs Fixable by Patching       7
Vulnerabilities Fixable by Patching   10
Fixes Available by `apt-get upgrade`  10
------------------------------------  ------

This is not accurate, and it can be proven using oscap:

# Install oscap
sudo apt install libopenscap8
# Download the up to date Oval data for the bionic release of Ubuntu
wget https://security-metadata.canonical.com/oval/oci.com.ubuntu.bionic.usn.oval.xml.bz2
# Extract this data
bunzip2 oci.com.ubuntu.bionic.usn.oval.xml.bz2
# Copy the downloaded manifest to "manifest" in the current directory
# (the OCI Oval data evaluates the package list found in that file)
cp -v bionic-20210309-minimal-bionic-minimal-cloudimg-amd64-gke-on-prem-1.7.manifest.txt manifest
# Run oscap eval against your local manifest and the Oval data you downloaded.
# This generates the HTML report cloud-report-vulnerable.html in the same directory.
oscap oval eval --report cloud-report-vulnerable.html oci.com.ubuntu.bionic.usn.oval.xml

This produces cloud-report-vulnerable.html (cloud-report-vulnerable.html.tar.gz attached), which lists the kernel as vulnerable to CVE-2021-3444.

I have attached the Oval data used by oscap oval eval as com.ubuntu.bionic.cve.oval.xml.tar.gz and the JSON data used by cvescan as ubuntu-vuln-db-bionic.json.tar.gz.

After speaking with mdeslaur on the Canonical security team, it appears that the Oval generation script adds the meta source package and the signed source package, which the JSON used by cvescan does not appear to contain.

Is it possible to bring both data sources in sync so that using cvescan will result in the same output as oscap?

In the attached JSON we can see that the section for CVE-2021-3444 lists the following:

"linux-gkeop-5.4": {
    "binaries": [
        "linux-gkeop-5.4-source-5.4.0",
        "linux-gkeop-5.4-headers-5.4.0-1012",
        "linux-gkeop-5.4-tools-5.4.0-1012",
        "linux-gkeop-5.4-cloud-tools-5.4.0-1012",
        "linux-image-unsigned-5.4.0-1012-gkeop",
        "linux-modules-5.4.0-1012-gkeop",
        "linux-modules-extra-5.4.0-1012-gkeop",
        "linux-headers-5.4.0-1012-gkeop",
        "linux-image-unsigned-5.4.0-1012-gkeop-dbgsym",
        "linux-tools-5.4.0-1012-gkeop",
        "linux-cloud-tools-5.4.0-1012-gkeop",
        "linux-buildinfo-5.4.0-1012-gkeop"
    ],
    "repository": "Ubuntu Archive",
    "status": [
        "released",
        "5.4.0-1012.13~18.04.1"
    ]
},

But the Oval data for CVE-2021-3444 does appear to include packages present in the manifest.
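The gap the issue describes, as an added example that is not code from cvescan or from the issue author: the JSON names only the unsigned kernel image, so an installed GKE kernel (signed image plus meta package) is never matched by binary name. The binaries list is taken from the JSON fragment above; the manifest lines and installed versions are constructed, and version comparison against the fixed version is deliberately left out so the check is about name coverage alone.

```python
# Added example (not cvescan's or the issue author's code): reports which installed
# packages the cvescan JSON names for a CVE and which signed/meta kernel companions it omits.

# Subset of the ubuntu-vuln-db-bionic.json entry for CVE-2021-3444 (from the issue).
VULN_DB = {
    "CVE-2021-3444": {
        "linux-gkeop-5.4": {
            "binaries": [
                "linux-gkeop-5.4-headers-5.4.0-1012",
                "linux-image-unsigned-5.4.0-1012-gkeop",
                "linux-modules-5.4.0-1012-gkeop",
                "linux-headers-5.4.0-1012-gkeop",
            ],
            "status": ["released", "5.4.0-1012.13~18.04.1"],
        }
    }
}

# Constructed, reduced manifest (dpkg "name<TAB>version" lines): signed image plus meta package.
MANIFEST = (
    "linux-image-5.4.0-1012-gkeop\t5.4.0-1012.12~18.04.1\n"
    "linux-image-gkeop-5.4\t5.4.0.1012.12\n"
    "openssl\t1.1.1-1ubuntu2.1~18.04.8\n"
)

def parse_manifest(text):
    """Parse dpkg-style 'name version' lines into {name: version}."""
    return dict(line.split()[:2] for line in text.splitlines() if line.strip())

def companion_names(binaries, source):
    """Names the signed and meta source packages add for a kernel source:
    the signed image for each linux-image-unsigned-* binary, and the
    linux-image-<flavour> meta package derived from the source name."""
    names = {b.replace("linux-image-unsigned-", "linux-image-", 1)
             for b in binaries if b.startswith("linux-image-unsigned-")}
    if source.startswith("linux-"):
        names.add("linux-image-" + source[len("linux-"):])
    return names

def scan(manifest, db, cve):
    """Return (matched, missed): installed packages the JSON lists for the
    CVE, and installed signed/meta companions it does not list."""
    installed = set(parse_manifest(manifest))
    matched, missed = set(), set()
    for source, entry in db[cve].items():
        listed = set(entry["binaries"])
        matched |= listed & installed
        missed |= companion_names(listed, source) & installed
    return sorted(matched), sorted(missed - matched)
```

With the constructed manifest, `scan(MANIFEST, VULN_DB, "CVE-2021-3444")` matches nothing and reports both kernel packages as installed but unlisted; a manifest carrying a name the JSON does list (for example linux-modules-5.4.0-1012-gkeop) is matched directly.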
