Meeting the Certification Requirements

The Process

In the next few sections we will review the process of leveraging the Red Hat OVAL v2 streams to accurately determine which CVEs affect Red Hat products and packages present in a container image.

Before we get started lets review the certification requirements and how they align with the process we will discuss next.

Red Hat Vulnerability Scanner Certification Requirements

Requirement	Details
Base vulnerability scan results on Red Hat OVAL v2 security data feed	Consume RHEL7, RHEL8 and RHEL 9 OVAL v2 Product Streams For additional details see Red Hat OVAL v2 section
Accurately determine Red Hat package versions to detect Red Hat security fixes backporting	The implementation is up to the Partner Leverage RPM if necessary to identify files and packages are associated with a Red Hat package For additional details see Identification and RPM and Identification and RPM Modules sections
Integrate Red Hat four point scale severity rating in scan results	Critical, Important, Moderate, Low - More Details Key step: Determine correct Product-Version (CPE) For additional details see Determining Common Platform Enumeration section Red Hat Severity Rating and State section Severity Ratings definitions
Clearly indicate Red Hat patched vulnerabilities where applicable.	Either suppress the vulnerability or show the fix and RHSA definition class="patch" or =”vulnerability” in OVAL See Red Hat Severity Rating and State section

As part of the certification process partner product generated scan results (for the certification test harness images) will be compared with Clair v4 (open source container vulnerability scanner) scan results; for handful of pre-identified use cases.

Hence, in the next few sections, in some instances we will provide links to Clair v4 implementation details under resources section as a reference.