For FedRAMP, FISMA, and STIG compliance, RHCOS should have its own CPE.

CPE should probably be cpe:/o:redhat:enterprise_linux:8::coreos
Introducing a new CPE for RHCOS would increase the complexity around reporting when a problem is fixed via the errata process. Additionally, it would undermine the idea that "RHCOS is RHEL", which is something we are actively trying to oppose. Closing as WONTFIX.
Tossing out an idea, CPE does allow for product variant fields. For example, from RHEL 7:

- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server

Here's the specific CPE that Red Hat ProdSec uses for RHEL 7-based RHV-H:

- cpe:/o:redhat:enterprise_linux:7::hypervisor/redhat-virtualization-host

If we're able to collaborate on a CPE tag for RHCOS that extends the base RHEL 8 CPE similarly to how RHVH extended RHEL 7, then we may be able to further show the market that RHCOS is a RHEL variant versus a separate product. Additionally, this may further simplify the errata process. CVEs for RHEL 8 are marked applicable to cpe:/o:redhat:enterprise_linux_8:*, whereas any RHCOS-specific CVEs could be applied to the to-be-developed "cpe:/o:redhat:enterprise_linux_8::CoreOS"
I think that there is some confusion about CPE. The suggested CPE, `cpe:/o:redhat:enterprise_linux:8::coreos`, basically means that RHCOS is RHEL, which helps the underlying market idea. CPE is an identifier that is used globally in multiple different markets for security designations. It is used for all software and software components. All that is needed in /etc/os-release is the following line:

CPE_NAME="cpe:/o:redhat:enterprise_linux:8::coreos"

This tells security professionals and software basically that RHCOS is RHEL, which strengthens that idea in the market.
Hello - Checking in on this. Will CoreOS ship CPEs in the next update?
(In reply to Shawn Wells from comment #6)
> Hello - Checking in on this. Will CoreOS ship CPEs in the next update?

Looking for some guidance here... is it OK to change the CPE in our product before there is an entry in the NIST database?

If we have the green light there, we could make this change ASAP.
(In reply to Micah Abbott from comment #8)
> (In reply to Shawn Wells from comment #6)
> > Hello - Checking in on this. Will CoreOS ship CPEs in the next update?
>
> Looking for some guidance here... is it OK to change the CPE in our product
> before there is an entry in the NIST database?
>
> If we have the green light there, we could make this change ASAP.

Gabe Alford can add/modify CPEs directly with NIST. As long as we're coordinated about it (e.g. agree on what it should be), then we can likely do them in parallel.
(In reply to Shawn Wells from comment #10)
> Gabe Alford can add/modify CPEs directly with NIST. As long as we're
> coordinated about it (e.g. agree on what it should be), then we can likely do
> them in parallel.

OK, we'll move forward with the MR to define the RHEL CoreOS CPE as "cpe:/o:redhat:enterprise_linux:8::coreos"

Gabe, could you submit the CPE to NIST on our behalf?
We are currently working on higher priority features and bug fixes and will be unable to include this fix as part of 4.5 GA. As such, this BZ will be retargeted for 4.6 and clones for the older releases will be made. It should be reasonable to deliver these changes in the relevant z-stream releases.
This is fixed in `redhat-release-coreos-46.82-2.el8` and is part of latest RHCOS 4.6 build (46.82.202007071437-0)
[core@ibm-p8-kvm-03-guest-02 ~]$ rpm-ostree status
State: idle
Deployments:
* ostree://a36f1c5bfdb54f8f9a8164688bd219fcfe983b8c173e7fd5365269692cd0dbe4
                   Version: 46.82.202007071437-0 (2020-07-07T14:41:41Z)

[core@ibm-p8-kvm-03-guest-02 ~]$ cat /etc/os-release
NAME="Red Hat Enterprise Linux CoreOS"
VERSION="46.82.202007071437-0"
VERSION_ID="4.6"
OPENSHIFT_VERSION="4.6"
RHEL_VERSION="8.2"
PRETTY_NAME="Red Hat Enterprise Linux CoreOS 46.82.202007071437-0 (Ootpa)"
ID="rhcos"
ID_LIKE="rhel fedora"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::coreos"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="OpenShift Container Platform"
REDHAT_BUGZILLA_PRODUCT_VERSION="4.6"
REDHAT_SUPPORT_PRODUCT="OpenShift Container Platform"
REDHAT_SUPPORT_PRODUCT_VERSION="4.6"
OSTREE_VERSION='46.82.202007071437-0'
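The following Python is an added example, not code from this bug report, from RHCOS, or from Red Hat tooling. It shows what the variant-field discussion in comment 3 and the CPE_NAME line in comment 4 mean in practice: it reads the os-release text shown above (embedded as a constructed copy), splits the CPE 2.2 URI into its seven named components, and checks which advisories apply to the host. The advisory IDs and their CPEs are hypothetical, and the matching rule is an assumption: a component the pattern leaves empty (or sets to `*`) matches anything, so a RHEL 8 advisory marked `cpe:/o:redhat:enterprise_linux:8` covers the `::coreos` edition, while an RHCOS-only CPE does not match a plain RHEL 8 host. CPE 2.3 formatted strings (`cpe:2.3:...`) and percent-decoding of CPE 2.2 components are out of scope.

```python
"""Parse CPE_NAME from os-release and check advisory applicability.

Added example; not code from this bug report or from RHCOS. The os-release
text is a constructed copy of the output shown above; the advisory list is
hypothetical.
"""

# Constructed sample, copied from the cat /etc/os-release output above.
SAMPLE_OS_RELEASE = """\
NAME="Red Hat Enterprise Linux CoreOS"
VERSION="46.82.202007071437-0"
VERSION_ID="4.6"
RHEL_VERSION="8.2"
ID="rhcos"
ID_LIKE="rhel fedora"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::coreos"
OSTREE_VERSION='46.82.202007071437-0'
"""

# Hypothetical advisories and the CPE each is marked applicable to (constructed).
SAMPLE_ADVISORIES = {
    "RHSA-HYPOTHETICAL-0001": "cpe:/o:redhat:enterprise_linux:8",          # every RHEL 8 edition
    "RHSA-HYPOTHETICAL-0002": "cpe:/o:redhat:enterprise_linux:8::coreos",  # RHCOS only
    "RHSA-HYPOTHETICAL-0003": "cpe:/o:redhat:enterprise_linux:7::server",  # RHEL 7 Server only
    "RHSA-HYPOTHETICAL-0004": "cpe:/a:redhat:openshift:4.6",               # an application CPE
}

# CPE 2.2 URI component order: cpe:/part:vendor:product:version:update:edition:language
CPE22_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_os_release(text):
    """Return os-release KEY=VALUE pairs, stripping matching single or double quotes."""
    data = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        data[key.strip()] = value
    return data


def parse_cpe22(uri):
    """Split a CPE 2.2 URI into its seven named components.

    Components absent from the URI come back as '' (unspecified). A slash inside
    a component, as in ...::hypervisor/redhat-virtualization-host, is kept as text.
    """
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[len("cpe:/"):].split(":")
    if len(parts) > len(CPE22_FIELDS):
        raise ValueError(f"too many components in {uri!r}")
    parts += [""] * (len(CPE22_FIELDS) - len(parts))
    return dict(zip(CPE22_FIELDS, parts))


def cpe_applies(pattern, host_cpe):
    """True if every component the pattern specifies equals the host's component.

    Assumption: an empty or '*' pattern component matches anything, so
    cpe:/o:redhat:enterprise_linux:8 covers the ::coreos edition, while a
    pattern that names an edition only matches hosts with that edition.
    """
    want, have = parse_cpe22(pattern), parse_cpe22(host_cpe)
    for field in CPE22_FIELDS:
        w = want[field].lower()
        if w in ("", "*"):
            continue
        if w != have[field].lower():
            return False
    return True


def applicable_advisories(os_release_text, advisories):
    """Return the sorted IDs of advisories whose CPE applies to this host."""
    host_cpe = parse_os_release(os_release_text).get("CPE_NAME")
    if not host_cpe:
        raise ValueError("os-release has no CPE_NAME; cannot match advisories")
    return sorted(aid for aid, cpe in advisories.items() if cpe_applies(cpe, host_cpe))


def is_rhel_variant(cpe):
    """True for an OS CPE of the form cpe:/o:redhat:enterprise_linux:<ver>::<edition>."""
    c = parse_cpe22(cpe)
    return (c["part"] == "o" and c["vendor"] == "redhat"
            and c["product"] == "enterprise_linux" and c["edition"] != "")


if __name__ == "__main__":
    host = parse_os_release(SAMPLE_OS_RELEASE)["CPE_NAME"]
    print(host, parse_cpe22(host))
    print(applicable_advisories(SAMPLE_OS_RELEASE, SAMPLE_ADVISORIES))
```

On a real host, replace SAMPLE_OS_RELEASE with the contents of /etc/os-release; a scanner that keys on CPE_NAME will only see the RHEL 8 advisories as applicable once the file carries the `::coreos` CPE, which is the whole point of the change shipped in redhat-release-coreos.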
RHCOS 46.82.202007071437-0 is included in OCP 4.6.0-0.nightly-2020-07-10-135238
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196