Description of problem:
When the scanner lists its capabilities, the description of each scan type should be clear about what is scanned, so the user can check it, for example, in scap-workbench and read the rules. Also, any property that is not obvious but may affect users should be mentioned.

Issues of the current description:
1 - It is not stated that there is a CVE OVAL baked into the openscap container image, thus it is inherently outdated.
2 - It is not clear enough that standards_compliance uses the normal "Standard" profile of the latest shipped Scap Security Guide.
3 - It would be nice to have some general information about the scanner [not the scan_type description, but a scanner description], where a link to the Red Hat Security Guide would reside.

Version-Release number of selected component (if applicable):
openscap-docker-7.3-4

How reproducible:
reliably

Steps to Reproduce:
1. atomic install rhel7/openscap
2. atomic scan --scanner openscap --list

Actual results:
====
Scanner: openscap
Image Name: rhel7/openscap
  Scan type: cve *
  Description: Performs a CVE scan based on known CVE data
  Scan type: standards_compliance
  Description: Performs a standard scan
* denotes defaults
====

Expected results:
====
Scanner: openscap
Description: Scanner using openscap toolset and scap-security-guide rules. For full documentation, see <link to Security guide section>
Image Name: rhel7/openscap
  Scan type: cve *
  Description: Performs a CVE scan based on Red Hat released CVE OVAL. !Warning! This CVE is build into container image, and it might be out-of-date.
  Scan type: standards_compliance
  Description: Performs scan with Standard profile, as present in Scap Security Guide shipped in Red Hat Enterprise Linux.
* denotes defaults
====

Additional info:
Items 1 and 2 were fixed upstream https://github.com/projectatomic/atomic/pull/953
And items 1 and 2 are tracked in Bug 1439315
So this erratum is just about item 3
Giving devel_ack+ for item 3, we won't track adding scanner description into atomic in this ticket, that has to be tracked separately.