For those who may not be aware, the community feeds from Greenbone have certain limitations. Several years ago, Greenbone began differentiating more clearly between their community feed and the Enterprise feed by excluding NVTs related to "Enterprise" elements. This move is understandable as a strategy to distinguish the products they offer, given that they are a commercial, for-profit company. I greatly value their contributions to the opensource community and recognize the need for some of these distinctions, although I do not agree with all of them.
One of the primary requirements for my vulnerability scanner is to identify any vulnerable packages that need to be updated on the hosts I scan. When GB updated to version 22.04 in 2022, the notus-scanner was introduced to handle this task. This tool checks all installed packages against the latest versions available from the vendors. (As long as that info is included in the feed.) Knowing exactly what is and what is not covered can be a challenge. They do have a "Feed Comparison" page, but it does not go into detail on what is covered and what is not. For Linux distributions covered by the notus-scanner, I was able to look at the feed data and found that only the following Distributions are covered by the community feed:
- Debian
- Ubuntu
- Suse
- Euleros
- Mageia
- Slackware
If your distribution is not in this list, then the OpenVAS scanner will not be able to verify package versions via notus with the community feed.
This brings up my particular point of contention; my preferred Linux distribution, Rocky Linux. Greenbone classifies this free and open-source distribution as an Enterprise product, which means content specific to Rocky Linux is not included in the community feed. I raised this issue on their forum, but unfortunately, they have no plans to revise this policy (see forum post here). I first considered a subscription to their Enterprise feed. Unfortunately, I found the pricing prohibitively expensive, at a minimum of €12,500 per month! To me, this suggests an intention to limit access to the feed.
What to do? Despite listing the .notus format specification as "open and part of the documentation", I struggled to find the documentation and had to rely on existing .notus files as examples (discussion thread here). I started looking into it, and after some minor hurdles, I managed to successfully create .notus files for Rocky Linux using metadata available via the RockyLinux API and the NVD. I plan to include these files in my container distribution, updating them bi-monthly.
If you are interested in more frequent updates, please consider our subscription options here, which are far more affordable than the Enterprise feed. ;) If you are already a subscriber, and your Linux distro of choice is missing, please let me know. I wrote my tools to be adaptable to pulling from other distribution's meta-data APIs.
- Log in to post comments
- 842 views