Red Hat OVAL v2 streams
It is the organization of the OVAL definitions into product-version streams that allows Red Hat to support OVAL definitions for Red Hat products other than Red Hat Enterprise Linux (RHEL), as the OVAL definitions in a particular stream will only contain tests that are relevant to that product-version.
The Red Hat OVAL v2 product-version specific streams are enhanced to provide insight into which vulnerabilities have been addressed by Red Hat (patched, definition class="patch") as well as those yet to be addressed (un-patched, definition class="vulnerability").
Red Hat OVAL v1 files are now deprecated by Red Hat Product Security.
The nature of RPM and open source repositories presents some unique challenges: RPM versions are not comparable outside of a given repository. As an example:
In RHEL Extended Update Support (EUS) the "base" version of the RPMs is frozen, and then as updates are backported, an additional versioning number is added. This means that if RHEL 7.3 contained "kernel-1.2.3-4.el7", RHEL 7.3 EUS might additionally contain "kernel-1.2.3-4.1.el7_3" and "kernel-1.2.3-4.2.el7_3" when things are backported, whereas RHEL 7.4 would contain "kernel-1.2.3-5.el7".
Most Red Hat products leverage a technique called backporting to ingest upstream fixes. The RPM versions in an OVAL file generated for RHEL 7.4 will therefore always return ‘vulnerable’ results if applied against a RHEL 7.3 EUS system, since the installed kernel version will always be "a lower version than" the version in which the OVAL file says the CVE was fixed. The same can be true for other non-RHEL "layered products".
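Added example, not part of Red Hat's documentation: a Python port of rpm's version comparison, followed by the EVR check that an OVAL rpminfo "less than" test effectively performs. The kernel EVRs are the constructed examples from the text above with the package name stripped; it shows the RHEL 7.3 EUS kernel judged not fixed against the RHEL 7.4 stream but fixed against its own EUS stream.

```python
import re

def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): returns -1, 0 or 1. Handles digit vs letter
    segments and the '~' pre-release marker ('^' is omitted, an assumption)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == '~'):
            i += 1                          # skip separators such as . - _
        while j < len(b) and not (b[j].isalnum() or b[j] == '~'):
            j += 1
        if (i < len(a) and a[i] == '~') or (j < len(b) and b[j] == '~'):
            if i >= len(a) or a[i] != '~':  # '~' sorts before everything
                return 1
            if j >= len(b) or b[j] != '~':
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        pat = r'\d+' if a[i].isdigit() else r'[A-Za-z]+'
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:                      # mixed types: numeric is newer
            return 1 if a[i].isdigit() else -1
        sa, sb = ma.group(), mb.group()
        i, j = i + len(sa), j + len(sb)
        if sa.isdigit():                    # numeric compare, leading zeros dropped
            sa, sb = sa.lstrip('0'), sb.lstrip('0')
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    # both exhausted means equal; otherwise leftover segments win
    return 0 if i >= len(a) and j >= len(b) else (-1 if i >= len(a) else 1)

def evr_cmp(a: str, b: str) -> int:
    """Compare '[epoch:]version-release' strings the way rpm's labelCompare does."""
    def split(evr):
        epoch, _, rest = evr.rpartition(':') if ':' in evr else ('0', '', evr)
        version, _, release = rest.partition('-')
        return int(epoch), version, release
    (ea, va, ra), (eb, vb, rb) = split(a), split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_fixed(installed_evr: str, fixed_in_evr: str) -> bool:
    return evr_cmp(installed_evr, fixed_in_evr) >= 0   # OVAL "less than" test fails

# Constructed kernel EVRs from the text: a RHEL 7.3 EUS host vs. two streams.
EUS_INSTALLED, RHEL74_FIXED, EUS_FIXED = "1.2.3-4.2.el7_3", "1.2.3-5.el7", "1.2.3-4.2.el7_3"
print(is_fixed(EUS_INSTALLED, RHEL74_FIXED), is_fixed(EUS_INSTALLED, EUS_FIXED))  # False True
```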
Red Hat Enterprise Linux Bash shell package
Red Hat Product Security highly recommends that all third-party security solutions with vulnerability-scanning functionality migrate to the appropriate OVAL streams in the v2 directory instead of consuming the historical OVAL files in the directory one level higher (OVAL v1). The traditional "v1" OVAL files are still accurate, but only if you exclusively care about base RHEL, which is what they were designed / generated for.