Patton integration

[iranzo]

https://github.com/BBVA/patton-server stores and tracks published CVE's and CPE's from NIST and can check provided package list for known issues

[iranzo]

Depends on BBVA/patton-cli#4

[shatadru]

Hi iranzo, does this tool rely upon package version?
Actually the rpms shipped in RHEL might have different version than the upstream and can cause false positive if just rpm version is checked as many times patches are backported in older version. This is true in most package in normal rhel repos.

[shatadru]

For example we backport patches from 4.16 series kernel in older 3.10.0 kernel shipped in rhel7. So if just pckg version is checked there will be lots of false positives for RHEL.

Reference : https://access.redhat.com/security/updates/backporting

[iranzo]

Yup, that was also one of my concerns and I'll have to dig it as right now it also doesn't support RPM (afaik)

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days