Weird item with no history and various RedHat data bugs

[pombredanne]

This entry is weird
https://public.vulnerablecode.io/packages/pkg:rpm/redhat/[email protected]%3Farch=6-9?search=pkg:rpm/redhat/[email protected]?arch=6-9

• The vulnerability does not reference anything redhat in https://nvd.nist.gov/vuln/detail/CVE-2021-3918 or in GHSA-896r-f27r-55mw

• there is no history in our entry https://public.vulnerablecode.io/vulnerabilities/VCID-ft33-ayw5-aaad and

• https://ftp.redhat.com/redhat/containers/rhacm2/application-ui-rhel8/v2.3.0-120.txt is a place that references this application-ui-container-v2.3.0-120 application-ui-container-v2.3.0-120.tar.gz (or may be it could be from https://ftp.redhat.com/redhat/containers/rhacm2/application-ui-rhel8/v2.3.6-9.txt ?)

• pkg:rpm/redhat/[email protected]?arch=6-9 is not correct at all and we did not parse the name, version and else correctly.

• There are a bunch of refs to RedHat that are for fixes to packages that bundled the json-schema at fault:

Reference id 	Reference type 	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3918.json
2024702 		https://bugzilla.redhat.com/show_bug.cgi?id=2024702
999765 		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999765
RHSA-2021:5171 		https://access.redhat.com/errata/RHSA-2021:5171
RHSA-2022:0041 		https://access.redhat.com/errata/RHSA-2022:0041
RHSA-2022:0246 		https://access.redhat.com/errata/RHSA-2022:0246
RHSA-2022:0350 		https://access.redhat.com/errata/RHSA-2022:0350
RHSA-2022:0595 		https://access.redhat.com/errata/RHSA-2022:0595
RHSA-2022:0735 		https://access.redhat.com/errata/RHSA-2022:0735
RHSA-2022:4914 		https://access.redhat.com/errata/RHSA-2022:4914
RHSA-2022:4956 		https://access.redhat.com/errata/RHSA-2022:4956
RHSA-2022:7055 		https://access.redhat.com/errata/RHSA-2022:7055

... BUT I do not know where the incorrect data was collected from.

In https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3918.json I see:

{
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8",
    "release_date" : "2022-03-04T00:00:00Z",
    "advisory" : "RHSA-2022:0595",
    "cpe" : "cpe:/a:redhat:acm:2.3::el8",
    "package" : "rhacm2/application-ui-rhel8:v2.3.6-9",
    "impact" : "moderate"
  }

which is likely the thing did not parse correctly.

[pombredanne]

We should drop using OVAL which is problematic, and embrace their CSAF and OSV formats instead

• See https://security.access.redhat.com/data/csaf/
• And OSV https://security.access.redhat.com/data/osv/all.json

And https://openssf.org/blog/2024/11/01/red-hats-collaboration-with-the-openssf-and-osv-dev-yields-results-red-hat-security-data-now-available-in-the-osv-format/

There are also SPDX SBOMs https://security.access.redhat.com/data/sbom/