
Open Vulnerability and Assessment Language, OVAL, Interpreter

VulnIQ Security Scanner, Terzi, supports executing OVAL definitions to determine vulnerabilities with high accuracy. The OVAL interpreter code is developed in-house and does not rely on external libraries or programs.

Most vendors, especially Linux vendors such as Red Hat, Debian, Ubuntu, SUSE and Oracle, publish OVAL definitions for issues affecting their products. VulnIQ allows customers to make use of this freely available OVAL data.


Case Study: Checking if an Ubuntu System is affected by a CVE with 100% accuracy

Canonical publishes OVAL definitions for all CVEs affecting Ubuntu systems. You can download the definitions file for your version of Ubuntu and run the checks at no additional cost.

In this example we want to check whether a Docker container running Ubuntu 18.04 (bionic) is vulnerable to CVE-2018-6954. First we download the OVAL definitions for Ubuntu bionic and find the OVAL definition for CVE-2018-6954, which is oval:com.ubuntu.bionic:def:201869540000000.

Instead of running a full scan, we can run only this definition using the oval.sh script provided in Terzi's bin folder. Running an OVAL check is as simple as the following command:

#bin/oval.sh -t Docker -n container_name -f ~/Downloads/com.ubuntu.bionic.cve.oval.xml -o oval:com.ubuntu.bionic:def:201869540000000

Running this command generates the output below. By default, oval.sh produces verbose plain-text output; the verbosity can be adjusted with a command-line option, or the output switched to JSON mode.

OVALDefinitions Loading definitions
OVALDefinitions Finished loading definitions
Definition oval:com.ubuntu.bionic:def:201869540000000 Starting to evaluate definition
Definition oval:com.ubuntu.bionic:def:201869540000000 Loaded definition - name CVE-2018-6954 on Ubuntu 18.04 LTS (bionic) - medium. - class VULNERABILITY
Criteria Starting to evaluate criteria
ExtendedDefinitionoval:com.ubuntu.bionic:def:100 Found child extended definition
Definition oval:com.ubuntu.bionic:def:100 Starting to evaluate definition
Definition oval:com.ubuntu.bionic:def:100 Loaded definition - name Check that Ubuntu 18.04 LTS (bionic) is installed. - class INVENTORY
Criteria Starting to evaluate criteria
Criteria Found child criterion - commentForChild The host is part of the unix family.
Test oval:com.ubuntu.bionic:tst:100 Starting to evaluate test
Test oval:com.ubuntu.bionic:tst:100 Loaded test - comment Is the host part of the unix family?
Test oval:com.ubuntu.bionic:tst:100 Finished evaluating test - comment Is the host part of the unix family? - result TRUE
Criteria Evaluated child criterion - criterionComment The host is part of the unix family. - test oval:com.ubuntu.bionic:tst:100 - result TRUE
Criteria Found child criterion - commentForChild The host is running Ubuntu bionic.
Test oval:com.ubuntu.bionic:tst:101 Starting to evaluate test
Test oval:com.ubuntu.bionic:tst:101 Loaded test - comment Is the host running Ubuntu bionic?
Test oval:com.ubuntu.bionic:tst:101 Starting to analyze test
Object oval:com.ubuntu.bionic:obj:101 Loaded object - comment The singleton release codename object.
Object oval:com.ubuntu.bionic:obj:101 Collected object - value [bionic]
Object oval:com.ubuntu.bionic:obj:101 Analyzing object - existenceStatus EXISTS - collectionStatus EXISTS
Object oval:com.ubuntu.bionic:obj:101 Existence result - existenceResult TRUE
Object oval:com.ubuntu.bionic:obj:101 Results for state - state oval:com.ubuntu.bionic:ste:101 - resultsForState [TRUE]
Test oval:com.ubuntu.bionic:tst:101 Object collection status is EXISTS and test has states. Final result after evaluating states: TRUE - finalResult TRUE - check AT_LEAST_ONE - stateResults [TRUE]
Test oval:com.ubuntu.bionic:tst:101 Finished evaluating test - comment Is the host running Ubuntu bionic? - result TRUE
Criteria Evaluated child criterion - criterionComment The host is running Ubuntu bionic. - test oval:com.ubuntu.bionic:tst:101 - result TRUE
Criteria Final result after combining results - operator AND - finalResult TRUE
Definition oval:com.ubuntu.bionic:def:100 Evaluated definition criteria - result TRUE
Definition oval:com.ubuntu.bionic:def:100 Finished evaluating definition - name Check that Ubuntu 18.04 LTS (bionic) is installed. - result TRUE
Criteria Finished evaluating extended definition - childResult TRUE
ExtendedDefinitionoval:com.ubuntu.bionic:def:100 Child result is TRUE, applicability check will not change the outcome
Criteria Found child criterion - commentForChild systemd package in bionic was vulnerable but has been fixed (note: '237-3ubuntu10.9').
Test oval:com.ubuntu.bionic:tst:2018168880000000 Starting to evaluate test
Test oval:com.ubuntu.bionic:tst:2018168880000000 Loaded test - comment Does the 'systemd' package exist and is the version less than '237-3ubuntu10.9'?
Test oval:com.ubuntu.bionic:tst:2018168880000000 Starting to analyze test
Object oval:com.ubuntu.bionic:obj:2018168880000000 Loaded object - comment The 'systemd' package binaries.
Object oval:com.ubuntu.bionic:obj:2018168880000000 Package is not installed. - package libpam-systemd
Object oval:com.ubuntu.bionic:obj:2018168880000000 Package is installed. - package libsystemd0 - version 237-3ubuntu10.6
Object oval:com.ubuntu.bionic:obj:2018168880000000 Package is installed. - package libudev1 - version 237-3ubuntu10.6
Object oval:com.ubuntu.bionic:obj:2018168880000000 Package is not installed. - package systemd
Object oval:com.ubuntu.bionic:obj:2018168880000000 Collected object - value [237-3ubuntu10.6, 237-3ubuntu10.6]
Object oval:com.ubuntu.bionic:obj:2018168880000000 Analyzing object - existenceStatus EXISTS - collectionStatus EXISTS
Object oval:com.ubuntu.bionic:obj:2018168880000000 Existence result - existenceResult TRUE
Object oval:com.ubuntu.bionic:obj:2018168880000000 Results for state - state oval:com.ubuntu.bionic:ste:2018168880000000 - resultsForState [TRUE]
Object oval:com.ubuntu.bionic:obj:2018168880000000 Results for state - state oval:com.ubuntu.bionic:ste:2018168880000000 - resultsForState [TRUE]
Test oval:com.ubuntu.bionic:tst:2018168880000000 Object collection status is EXISTS and test has states. Final result after evaluating states: TRUE - finalResult TRUE - check AT_LEAST_ONE - stateResults [TRUE, TRUE]
Test oval:com.ubuntu.bionic:tst:2018168880000000 Finished evaluating test - comment Does the 'systemd' package exist and is the version less than '237-3ubuntu10.9'? - result TRUE
Criteria Evaluated child criterion - criterionComment systemd package in bionic was vulnerable but has been fixed (note: '237-3ubuntu10.9'). - test oval:com.ubuntu.bionic:tst:2018168880000000 - result TRUE
Criteria Final result after combining results - operator AND - finalResult TRUE
Definition oval:com.ubuntu.bionic:def:201869540000000 Evaluated definition criteria - result TRUE
Definition oval:com.ubuntu.bionic:def:201869540000000 Finished evaluating definition - name CVE-2018-6954 on Ubuntu 18.04 LTS (bionic) - medium. - result TRUE
=========================================================
RESULTS
=========================================================
TRUE CVE-2018-6954 on Ubuntu 18.04 LTS (bionic) - medium. - vulnerability oval:com.ubuntu.bionic:def:201869540000000 - [CVE-2018-6954]
=========================================================
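To make the evaluation recorded in the log above concrete, here is an added Python example. It is not Terzi's code and not an OVAL library: it reimplements dpkg's version ordering, which is what a "version less than 237-3ubuntu10.9" state has to use, and evaluates the definition structure exactly as the log shows it: an inventory criterion for the release codename, combined with operator AND with a dpkginfo test whose object is the source package's binaries and whose check is AT_LEAST_ONE. The class names, the package lists and the host data are constructed for the example; only the identifiers and versions come from the log.

```python
"""Simplified evaluator for an Ubuntu OVAL vulnerability definition (added example)."""
from dataclasses import dataclass, field

DIGITS = "0123456789"


def _order(c: str) -> int:
    """Collation weight of one character in a non-digit segment (dpkg rules):
    '~' sorts before everything, even end of string; letters before non-letters."""
    if c == "" or c in DIGITS:
        return 0
    if ("a" <= c <= "z") or ("A" <= c <= "Z"):
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare an upstream-version or debian-revision string the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # a run of non-digits is compared character by character by weight ...
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # ... then a run of digits is compared numerically, ignoring leading zeros
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i] in DIGITS:
            return 1          # a's number has more digits, so it is larger (10 > 9)
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(version: str) -> tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]'; epoch defaults to 0, revision to ''."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = revision, ""
    return epoch, upstream, revision


def dpkg_compare(a: str, b: str) -> int:
    """Return -1, 0 or 1, ordering a against b as 'dpkg --compare-versions' would."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


@dataclass
class DpkgTest:
    """dpkginfo test: object = binaries of one source package, state = version
    'less than' the fixed version, check = how the per-item results are combined."""
    test_id: str
    package_names: list[str]
    fixed_version: str
    check: str = "AT_LEAST_ONE"


@dataclass
class Definition:
    """Vulnerability definition: AND(inventory criterion, package tests)."""
    def_id: str
    release_codename: str      # the extended inventory definition (def:100 in the log)
    tests: list[DpkgTest] = field(default_factory=list)


def evaluate_test(test: DpkgTest, installed: dict[str, str]) -> tuple[bool, list]:
    """Collect the object (installed binaries of the source package), apply the state."""
    collected = [(n, installed[n]) for n in test.package_names if n in installed]
    if not collected:
        return False, []       # object does not exist: no item can satisfy the state
    state_results = [dpkg_compare(v, test.fixed_version) < 0 for _, v in collected]
    if test.check == "AT_LEAST_ONE":
        result = any(state_results)
    elif test.check == "ALL":
        result = all(state_results)
    else:
        raise ValueError(f"unsupported check: {test.check}")
    return result, [item for item, r in zip(collected, state_results) if r]


def evaluate_definition(definition: Definition, host: dict) -> dict:
    """Combine the inventory criterion and every package test with operator AND."""
    applicable = host["release_codename"] == definition.release_codename
    results, findings = [applicable], []
    for test in definition.tests:
        result, vulnerable = evaluate_test(test, host["installed"])
        results.append(result)
        findings.extend(vulnerable)
    return {"definition": definition.def_id, "applicable": applicable,
            "result": all(results), "vulnerable_packages": findings}


# Constructed sample data mirroring the log: the systemd source package's binaries,
# of which only libsystemd0 and libudev1 are installed in the container.
CVE_2018_6954_BIONIC = Definition(
    def_id="oval:com.ubuntu.bionic:def:201869540000000", release_codename="bionic",
    tests=[DpkgTest("oval:com.ubuntu.bionic:tst:2018168880000000",
                    ["libpam-systemd", "libsystemd0", "libudev1", "systemd"],
                    "237-3ubuntu10.9")])
BIONIC_CONTAINER = {"release_codename": "bionic",
                    "installed": {"libsystemd0": "237-3ubuntu10.6", "libudev1": "237-3ubuntu10.6"}}
PATCHED_CONTAINER = {"release_codename": "bionic",
                     "installed": {"libsystemd0": "237-3ubuntu10.9", "libudev1": "237-3ubuntu10.9"}}

if __name__ == "__main__":
    for host in (BIONIC_CONTAINER, PATCHED_CONTAINER):
        print(evaluate_definition(CVE_2018_6954_BIONIC, host))
```

Two details of the log are worth noticing in this model. The object is the whole set of binaries built from the systemd source package, and the check is AT_LEAST_ONE, so the container is reported vulnerable although the systemd binary itself is not installed: libsystemd0 at 237-3ubuntu10.6 is enough. And the state comparison must use dpkg ordering rather than string or numeric comparison, otherwise 237-3ubuntu10.10 would sort before 237-3ubuntu10.9 and a patched host would be reported as vulnerable.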
Contact us at info@vulniq.com