Bug 2223817

Summary: Remote resource referenced from datastream is missing https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2
Product: Red Hat Enterprise Linux 7
Reporter: Flos Qi Guo <qguo>
Component: scap-security-guide
Assignee: Vojtech Polasek <vpolasek>
Status: VERIFIED
QA Contact: Milan Lysonek <mlysonek>
Severity: urgent
Priority: urgent
Version: 7.9
CC: ggasparb, jcerny, jjaburek, mhaicman, mlysonek, wsato
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: scap-security-guide-0.1.69-1.el7_9
Doc Type: Bug Fix
Doc Text:
.Red Hat CVE feeds have been moved

Version 1 of the Red Hat CVE feeds at https://access.redhat.com/security/data/oval/ has been sunset and replaced by version 2 of the CVE feeds, located at https://access.redhat.com/security/data/oval/v2/. Consequently, the links in SCAP source data streams provided by the `scap-security-guide` package have been updated to link to the new version of the Red Hat CVE feeds.

Description Flos Qi Guo 2023-07-19 04:13:24 UTC
This bug was initially created as a copy of Bug #2222583

I am copying this bug because:
This issue also affects RHEL7.


Description of problem:
When trying to scan with the ssg-rhel7-ds profile, the remote resource is not available anymore on the Red Hat web site:

-----------8< -----------8< -----------8< -----------8< -----------8< -----------
# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 2>&1 | grep 'WARNING:'
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL7.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2' file which is referenced from datastream
-----------8< -----------8< -----------8< -----------8< -----------8< -----------

File not found:
-----------8< -----------8< -----------8< -----------8< -----------8< -----------
# curl -s -I -w "%{http_code}" 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2' -o /dev/null
404
-----------8< -----------8< -----------8< -----------8< -----------8< -----------

Only V2 versions are available at https://access.redhat.com/security/data/oval

Why have the old versions been removed? Even if they are not updated anymore, they are needed for previous packages.

> Version-Release number of selected component (if applicable):
scap-security-guide-0.1.66-1.el7_9.noarch

> How reproducible:
always

> Steps to Reproduce:
1. yum install scap-security-guide.noarch
2. run command
# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
3.

> Actual results:
Profile not updated

> Expected results:
Remote resource available on the Red Hat web site

> Additional info:
This issue affects all OSCAP users of RHEL7.

Comment 3 Vojtech Polasek 2023-07-20 09:27:01 UTC
Fixed upstream: https://github.com/ComplianceAsCode/content/pull/10842
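
An added example, not part of the bug thread or of the scap-security-guide project: a Python audit that lists the remote component references in a SCAP source data stream and flags those still pointing at the retired version 1 feed path named in the Doc Text. The sample data stream is constructed, and the element and namespace names are assumed to follow the SCAP source data stream schema.

```python
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
FEED_HOST = "access.redhat.com"
FEED_ROOT = "/security/data/oval/"   # version 1 location (sunset per the Doc Text)
FEED_V2_ROOT = FEED_ROOT + "v2/"     # version 2 location per the Doc Text

# Constructed sample: one local component-ref and the remote one from the oscap warning.
SAMPLE_DS = """\
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
                           xmlns:xlink="http://www.w3.org/1999/xlink">
  <ds:data-stream id="scap_org.open-scap_datastream_constructed">
    <ds:checks>
      <ds:component-ref id="scap_org.open-scap_cref_ssg-rhel7-oval.xml"
                        xlink:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml"/>
      <ds:component-ref id="scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL7.xml.bz2"
                        xlink:href="https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2"/>
    </ds:checks>
  </ds:data-stream>
</ds:data-stream-collection>
"""

def remote_component_refs(ds_xml):
    """Return (id, URL) for each component-ref whose href leaves the file."""
    refs = []
    for el in ET.fromstring(ds_xml).iter():
        # Match on the local name so any data stream namespace version is accepted.
        if el.tag.rsplit("}", 1)[-1] != "component-ref":
            continue
        href = el.get(XLINK_HREF, "")
        if urlparse(href).scheme in ("http", "https"):   # local refs start with '#'
            refs.append((el.get("id"), href))
    return refs

def classify(url):
    """Label a remote URL as a v1 feed, a v2 feed, or some other remote resource."""
    u = urlparse(url)
    if u.hostname != FEED_HOST or not u.path.startswith(FEED_ROOT):
        return "other-remote"
    return "v2-feed" if u.path.startswith(FEED_V2_ROOT) else "retired-v1-feed"

def audit(ds_xml):
    return [(cid, url, classify(url)) for cid, url in remote_component_refs(ds_xml)]

if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the constructed sample.
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_DS
    for cid, url, label in audit(xml_text):
        print(f"{label}\t{url}\t{cid}")
```

Any `retired-v1-feed` line for an installed data stream means the package predates the fix and a scan run with `--fetch-remote-resources` will not get the CVE feed.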