SUSE OVAL changes

[msmeissn]

What would you like to be added:

• You can download SUSE oval data now .bz2 compressed. We plan to discontinue the .gz compressed data.
• We changed the severity impact mappings. We now use the CVSS v3.1 offical values: low, medium, high, critical

Why is this needed:

changes on SUSE side.

Additional context:

[msmeissn]

CVE lines now look like:

        <cve impact="high" cvss3="7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" href="https://www.suse.com/security/cve/CVE-2002-20001/">CVE-2002-20001 at SUSE</cve>
        <cve impact="high" cvss3="7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" href="https://nvd.nist.gov/vuln/detail/CVE-2002-20001">CVE-2002-20001 at NVD</cve>

[tgerla]

Hi @msmeissn, thank you for the heads up. When will the .gz files stop being generated? It should be an easy enough change on our side but it would be helpful to know when the change will happen. Thanks!

Dev note: change .gz to .bz2 here:

vunnel/src/vunnel/providers/sles/parser.py

Line 49 in 44df4e2

__oval_url__ = "https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.server.{}.xml.gz"

[spiffcs]

Dev Note:
We can find the new listing of .bz2 files here

[kzantow]

Also, it looks like we will need to update the severities here:

https://github.com/anchore/vunnel/blob/main/src/vunnel/providers/sles/parser.py#L39

[msmeissn]

I currently have no timeline for discontinuing .gz format, as I do not know all the users. So at least a year I would say