Vulnerability Report
Scan RPM packages in a repository version for known CVEs by querying the OSV database.
Results are linked to the repository version and individual packages.
Prerequisites
Before scanning, ensure you have:
- An RPM repository with synced or uploaded content.
- Connectivity to the OSV API (https://api.osv.dev/v1/query).
- The repository configured with an osv_config specifying which ecosystem(s) to query.
Supported ecosystems
The following ecosystems from the OSV ecosystem list are supported:
| Ecosystem | Expected releases format |
|---|---|
| AlmaLinux | Release number (e.g. 9) |
| Azure Linux | Release number (e.g. 3.0) |
| Mageia | Release number (e.g. 9) |
| openEuler | YY.MM numeric version (e.g. 22.03) |
| openSUSE | PRETTY_NAME from /etc/os-release (e.g. openSUSE Leap 15.5) |
| Photon OS | Release number (e.g. 4.0) |
| Red Hat | CPE (e.g. cpe:/o:redhat:enterprise_linux:9::baseos) |
| Rocky Linux | Release number (e.g. 9) |
| SUSE | PRETTY_NAME from /etc/os-release (e.g. SUSE Linux Enterprise Server 15 SP5) |
The releases list is required for every ecosystem entry and scopes the OSV query to specific product releases.
Each configured release triggers a separate query to OSV, so if an ecosystem entry lists two releases, every package in the repository version is queried twice, once per release. Keep the releases list to the releases the repository actually serves to avoid needless API calls and spurious matches.
Configure osv_config
Set osv_config on the repository before triggering a scan:
```bash
# AlmaLinux
http PATCH $BASE_URL$REPO_HREF \
  osv_config:='[{"name": "AlmaLinux", "releases": ["9"]}]'

# Red Hat (releases must be CPEs)
http PATCH $BASE_URL$REPO_HREF \
  osv_config:='[{"name": "Red Hat", "releases": ["cpe:/o:redhat:enterprise_linux:9::baseos"]}]'
```
Multiple ecosystems can be combined:
```bash
http PATCH $BASE_URL$REPO_HREF \
  osv_config:='[
    {"name": "Red Hat", "releases": ["cpe:/o:redhat:enterprise_linux:9::baseos"]},
    {"name": "AlmaLinux", "releases": ["9"]}
  ]'
```
Generating a Vulnerability Report
Scan a RepositoryVersion by passing the repository version href:
```bash
http POST $BASE_URL$VERSION_HREF/vulnerability_report/
```
Understanding Scan Results
Results appear at two levels:
1. Repository Version Level
```bash
pulp rpm repository version show --repository my-repo --version 1
```
The response includes a vuln_report field:
```json
{
  "pulp_href": "/pulp/api/v3/repositories/rpm/rpm/.../versions/1/",
  "number": 1,
  "vuln_report": "/pulp/api/v3/vuln-reports/..."
}
```
2. Viewing Vulnerability Details
```bash
pulp vulnerability-report show --href $VULN_REPORT_HREF
```
Reports include CVE identifiers, affected versions, references, and impacted repository content.
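The following is an added example, not pulp_rpm's own scanner code. It shows what the osv_config fan-out described above means in practice (one OSV /v1/query request per package per configured release, Red Hat releases required to be CPEs) and how a raw OSV response is reduced to the CVE identifiers, affected versions and references that appear in a report. Assumptions, flagged in the comments: the "<name>:<release>" ecosystem string convention for OSV, the "epoch:version-release" form of the version sent to OSV, and the constructed OSV-style response used so the demo runs offline. The field names in the output rows are illustrative and are not the plugin's report schema.

```python
"""Added example: osv_config fan-out into OSV queries and result reduction.
Not pulp_rpm code; assumptions are marked in comments."""
import json
import urllib.request
from typing import Callable

OSV_QUERY_URL = "https://api.osv.dev/v1/query"

# Ecosystem names from the "Supported ecosystems" table on this page.
SUPPORTED = {"AlmaLinux", "Azure Linux", "Mageia", "openEuler", "openSUSE",
             "Photon OS", "Red Hat", "Rocky Linux", "SUSE"}


def validate_osv_config(osv_config: list) -> None:
    """Reject configs this page calls invalid: unknown ecosystem name,
    missing or empty releases, and Red Hat releases that are not CPEs."""
    for entry in osv_config:
        name, releases = entry.get("name"), entry.get("releases")
        if name not in SUPPORTED:
            raise ValueError(f"unsupported ecosystem: {name!r}")
        if not releases:
            raise ValueError(f"{name}: 'releases' is required and must be non-empty")
        if name == "Red Hat" and not all(r.startswith("cpe:/o:redhat:") for r in releases):
            raise ValueError("Red Hat releases must be CPEs (cpe:/o:redhat:...)")


def rpm_evr(pkg: dict) -> str:
    # Assumption: OSV RPM ecosystems list versions as "version-release", with
    # "epoch:" prefixed only when the epoch is non-zero.
    evr = f"{pkg['version']}-{pkg['release']}"
    epoch = str(pkg.get("epoch", "0"))
    return f"{epoch}:{evr}" if epoch not in ("0", "") else evr


def build_queries(osv_config: list, packages: list) -> list:
    """One /v1/query body per (package, ecosystem entry, release)."""
    validate_osv_config(osv_config)
    queries = []
    for pkg in packages:
        for entry in osv_config:
            for release in entry["releases"]:
                # Assumption: OSV names release-scoped ecosystems "<name>:<release>".
                ecosystem = f"{entry['name']}:{release}"
                queries.append({"version": rpm_evr(pkg),
                                "package": {"name": pkg["name"], "ecosystem": ecosystem}})
    return queries


def osv_query_http(query: dict, timeout: float = 10.0) -> dict:
    """Real POST to api.osv.dev; the offline demo below injects a stub instead."""
    req = urllib.request.Request(OSV_QUERY_URL, data=json.dumps(query).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize(query: dict, response: dict) -> list:
    """Reduce one OSV response to report rows: CVE ids, affected versions, refs."""
    name = query["package"]["name"]
    rows = []
    for vuln in response.get("vulns", []):
        ids = [vuln.get("id", ""), *vuln.get("aliases", [])]
        cves = sorted({i for i in ids if i.startswith("CVE-")})
        affected = sorted({v for a in vuln.get("affected", [])
                           if a.get("package", {}).get("name") == name
                           for v in a.get("versions", [])})
        refs = [r["url"] for r in vuln.get("references", []) if "url" in r]
        rows.append({"osv_id": vuln.get("id"), "cves": cves, "package": name,
                     "release": query["package"]["ecosystem"],
                     "affected_versions": affected, "references": refs})
    return rows


def scan(osv_config: list, packages: list,
         query_fn: Callable[[dict], dict] = osv_query_http) -> list:
    report = []
    for q in build_queries(osv_config, packages):
        report.extend(summarize(q, query_fn(q)))
    return report


# Constructed demo inputs: an invented package and an OSV-shaped response with
# placeholder ids. These are not real advisories or real repository content.
DEMO_CONFIG = [{"name": "AlmaLinux", "releases": ["9"]},
               {"name": "Red Hat", "releases": ["cpe:/o:redhat:enterprise_linux:9::baseos"]}]
DEMO_PACKAGES = [{"name": "examplepkg", "epoch": "1", "version": "3.0.7", "release": "24.el9"}]
FAKE_OSV = {
    "AlmaLinux:9": {"vulns": [{
        "id": "ALSA-0000:0000", "aliases": ["CVE-0000-0000"],
        "affected": [{"package": {"ecosystem": "AlmaLinux:9", "name": "examplepkg"},
                      "versions": ["1:3.0.7-24.el9"]}],
        "references": [{"type": "ADVISORY", "url": "https://example.invalid/ALSA-0000-0000"}]}]},
    "Red Hat:cpe:/o:redhat:enterprise_linux:9::baseos": {"vulns": []},
}


def demo_scan() -> list:
    """Offline run: looks responses up in FAKE_OSV instead of calling the API."""
    return scan(DEMO_CONFIG, DEMO_PACKAGES, lambda q: FAKE_OSV[q["package"]["ecosystem"]])


if __name__ == "__main__":
    print(json.dumps(demo_scan(), indent=2))
```

With two ecosystem entries of one release each, the demo issues two queries for its single package and yields one report row, from the AlmaLinux response; the Red Hat query returns no vulns and contributes nothing. Replacing the injected stub with osv_query_http runs the same logic against the live API.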
Example Workflow
```bash
# Create a repository and sync content
pulp rpm remote create --name myremote --url https://fixtures.pulpproject.org/rpm-signed/
pulp rpm repository create --name myrepo --remote myremote
pulp rpm repository sync --name myrepo

# Configure the OSV ecosystem
http PATCH $BASE_URL$REPO_HREF \
  osv_config:='[{"name": "AlmaLinux", "releases": ["9"]}]'

# Trigger the scan
http POST $BASE_URL$VERSION_HREF/vulnerability_report/

# Retrieve and inspect the report
VULN_REPORT=$(pulp rpm repository version show --repository myrepo | jq -r '.vuln_report')
pulp vulnerability-report show --href $VULN_REPORT
```
Remove the config
Set osv_config to null to opt the repository back out:
```bash
http PATCH $BASE_URL$REPO_HREF \
  osv_config:=null
```
Removing the config does not delete existing scan results already stored for prior versions.