Skip to content

Instantly share code, notes, and snippets.

Last active September 28, 2023 23:24
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save HoussemNasri/023088c1831b534e5acca5195e35d5f3 to your computer and use it in GitHub Desktop.
Save HoussemNasri/023088c1831b534e5acca5195e35d5f3 to your computer and use it in GitHub Desktop.
Student Houssem Nasri
Organization openSUSE
Primary repository uyuni-project/uyuni
Project name Improve Security Auditing in Uyuni by Incorporating OVAL Data
Project mentors @admd, @parlt91
Project page Google Summer of Code 2023 Project Page
Status Completed

Project Summary

Uyuni's current CVE auditing feature solely depends on channels data, which can lead to false system evaluations. To illustrate this, consider the scenario where you audit a system that has a vulnerability that hasn't been patched yet. In such cases, Uyuni would provide an incorrect assessment, indicating that the system is 'Not affected' or 'Patched', despite it being vulnerable to the unpatched vulnerability.

The incorrect evaluation is due to the absence of vulnerability data. Channels only offer patch data for packages that have been patched. The algorithm verifies the installed packages on the system based on this information. This puts us at risk of receiving a false system evaluation if a package does not have a patch yet.

The reason behind the incorrect results is because of deficiencies in the dependent data. Therefore, to achieve accurate audits, it is imperative to incorporate additional data sources that provide comprehensive vulnerability information, regardless if they have patches or not, in addition to channels.

The goal of the project is to utilize OVAL (Open Vulnerability and Assessment Language) data, which is widely adopted within the Linux community and offers a standardized format, and integrate it within the CVE auditing feature to achieve more accurate results.

Pull Requests to main branch

GSOC Related

#7466 — [GSOC23] - A - Implement a fully functional CVE auditing feature based on OVAL data

#7509 — [GSOC23] - B - Enable the downloading and synchronization of OVAL data

#7510 — [GSOC23] - C - Implement a StAX parser for OVAL files

#7570 — [GSOC23] - D - Define RPC endpoints for listing the affected packages regarding a CVE

uyuni-docs#2471 — [GSOC23] - E - Update CVE Audit documentation

Outside of GSOC

#7556 — Fix NoClassDefFoundError when opening notifications

#7102 — Stay consistent with the Create/Refresh buttons order

#7163 — Fix CSV download exception



Project Timeline

June 1 - June 21 (3 weeks)

Goal: Develop a software module to parse and persist OVAL data for SUSE products

  • Wrote an ADR for selecting an XML parsing library to parse the OVAL documents.
  • Developed the parser component (with JAXB)
  • Wrote a rough draft of the RFC
  • Designed a draft database scheme and created the required tables
  • Implemented and Tested the Test and Criteria evaluation algorithms
  • Implemented an algorithm to extract vulnerable packages from SUSE OVAL definition

June 22 - July 20 (4 weeks)

Goal: Integrate the developed module with Uyuni's codebase

  • Integrated the OVAL parser with Uyuni
  • Integrated the OVAL database code with Uyuni
  • Reworked the OVAL database scheme to integrate well with Uyuni (naming, reuse available data, etc...)
  • Optimized database code
  • Updated the RFC
  • Implemented and Tested the new CVE auditing algorithm
  • Add support for SUSE products

July 21 - July. 28 (1 week)

Goal: Add support for Debian and Red Hat products

  • Add support for Debian
  • Add support for Red Hat

July. 29 - Aug. 19 (3 weeks)

Goal: Final touches

  • Develop the OVAL Downloader component
  • Schedule the OVAL sync task with Taskomatic
  • Refactoring and performance tuning

Aug. 20 - Sep. 3 (2 weeks)

  • Design and implement the needed UI components
  • Read OVAL configurations from a file
  • Implement a custom grain module to get server's CPE
  • Implement a StAX parser for better performance

Sep 4 - Sep. 18 (2 weeks)

Goal: Spacecmd Integration

  • Modify CVEAuditHandler to implement the OVAL methods
  • Define commands and help messages in python code
  • Test python code

Sep. 19 - Sep. 26 (1 week)

Goal: Support Ubuntu

  • Add support for Ubuntu

Sep. 27 - Oct. 4 (1 week)

A Buffer of one week is kept for any unpredictable delay


While the planned feature has been successfully implemented and is currently functional, there remain opportunities for further improvements and optimizations. You can find documentation of these potential enhancements in the 'Todo' section of the project board.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment