Chapter 3. Bug fixes

Fixed vulnerability information for Ubuntu-related CVEs

When gathering Ubuntu-related Common Vulnerabilities and Exposures (CVE) information from the OpenSource Vulnerabilities (OSV) database would give the following error message: Failed to get vulnerability from OSV for CVE CVE2024-XXXXX. With this release, we fixed RHTPA with the full set of currently released Ubuntu versions. This allows for a successful ingestion of CVEs related to Ubuntu packages.

Missing CVSS scores for some CVEs

Some Common Vulnerabilities and Exposures (CVE) have elements in the metrics array, but have no corresponding Common Vulnerability Scoring System (CVSS) score. Not having the CVSS score limits the ability to query for data on CVEs. With this release, we do a check for a valid CVSS score within the elements in the metrics array, and properly display the CVE’s CVSS score.

Nested packages within a CycloneDX SBOM are not ingested

We fixed a bug where only the main package gets ingested, but the nested packages do not. With this release, RHTPA correctly traverses a CycloneDX software bill of materials (SBOM) manifest file, and includes those nested packages in the database.

Large SBOM manifest files generate an error when uploading

When uploading a large software bill of materials (SBOM) manifest file to RHTPA, the index updates properly, but the database does not. We consider a large SBOM manifest file to be 90 MB in size, containing 70,000 packages. With this release, we fixed the issue with the database update.