Could not load the CVE OVAL error for Canonical provider's feeds #20573
Comments
I've got the same problem on the same Wazuh version. I also had it on a version earlier than the one mentioned in this thread, but I don't remember which one it was as I thought updating it would fix the problem.
Research

The bug is caused by Canonical adding the following line to the beginning of the OVAL, causing it to fail to parse the feed correctly:

<?xml version="1.0" ?>

Workaround

Download the OVALs to the server locally, unzip them and delete the first line (if it matches):

mkdir custom-ubuntu-ovals-fixed
cd custom-ubuntu-ovals-fixed
curl -SO https://security-metadata.canonical.com/oval/com.ubuntu.jammy.cve.oval.xml.bz2
curl -SO https://security-metadata.canonical.com/oval/com.ubuntu.focal.cve.oval.xml.bz2
curl -SO https://security-metadata.canonical.com/oval/com.ubuntu.bionic.cve.oval.xml.bz2
curl -SO https://security-metadata.canonical.com/oval/com.ubuntu.xenial.cve.oval.xml.bz2
curl -SO https://security-metadata.canonical.com/oval/com.ubuntu.trusty.cve.oval.xml.bz2
bzip2 -d com.ubuntu.*
sed -i '/<?xml version="1.0" ?>/d' com.ubuntu.*

Once the above is done, modify the Canonical provider configuration block, for its corresponding offline update:

<provider name="canonical">
  <enabled>yes</enabled>
  <os path="/custom-ubuntu-ovals-fixed/com.ubuntu.trusty.cve.oval.xml">trusty</os>
  <os path="/custom-ubuntu-ovals-fixed/com.ubuntu.xenial.cve.oval.xml">xenial</os>
  <os path="/custom-ubuntu-ovals-fixed/com.ubuntu.bionic.cve.oval.xml">bionic</os>
  <os path="/custom-ubuntu-ovals-fixed/com.ubuntu.focal.cve.oval.xml">focal</os>
  <os path="/custom-ubuntu-ovals-fixed/com.ubuntu.jammy.cve.oval.xml">jammy</os>
  <update_interval>1h</update_interval>
</provider>

And in the case of using ESM OVALs, apply the same steps but change the links and file names.

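Added example, not part of the thread or of Wazuh's code: a stricter form of the workaround's cleanup step that removes the declaration only when it is line 1, then checks that the file opens with an OVAL root element before the manager is pointed at it. The function names and the `<oval_definitions` root-element check are assumptions of this example.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not Wazuh's or Canonical's.
DECL='<?xml version="1.0" ?>'   # the line quoted in the thread

# strip_xml_decl FILE
# Drops DECL only when it is exactly line 1, then checks that the first
# non-blank line opens <oval_definitions (assumed root element of an OVAL
# definitions file). Returns 0 if the file looks usable, 1 otherwise.
strip_xml_decl() {
    f=$1
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    if [ "$(head -n 1 "$f")" = "$DECL" ]; then
        tmp=$(mktemp) || return 1
        # Rewrite in place through a temp copy so mode and owner are kept.
        tail -n +2 "$f" > "$tmp" && cat "$tmp" > "$f"
        rc=$?
        rm -f "$tmp"
        [ "$rc" -eq 0 ] || return 1
    fi
    first=$(grep -v '^[[:space:]]*$' "$f" | head -n 1)
    case $first in
        '<oval_definitions'*) return 0 ;;
        *) echo "not an OVAL definitions file: $f" >&2; return 1 ;;
    esac
}

# fix_feeds FILE...
# Runs strip_xml_decl on each file; returns 1 if any file is unusable.
fix_feeds() {
    status=0
    for feed in "$@"; do
        strip_xml_decl "$feed" || status=1
    done
    return "$status"
}

# When run as a script: ./fix-ovals.sh com.ubuntu.*.cve.oval.xml
[ "$#" -eq 0 ] || fix_feeds "$@"
```

Run it on freshly downloaded files in a staging directory and copy them to the path used in `<os path="...">` only on a zero return, so a truncated or error-page download never replaces the last good feed.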
Description
The Vulnerability Detector is failing to correctly parse Canonical provider's feeds. The manager's logs reveal the following errors:
This issue appears to be linked to recent changes in the feeds from the providers, causing failures within the last 24 hours, as evidenced by the nightly tests:
Steps to reproduce