You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Figure out how to incrementally process the newest updates instead of processing everything every time. (This is possible with the Google feed)
2. Check the results against OVAL using osquery-perf
Run both OSV and OVAL vulnerability scans in parallel against a representative set of Ubuntu hosts using osquery-perf.
Compare the results to identify:
False positives eliminated by OSV (e.g., CVE-2024-30205 on emacs-common per #39370).
Any false negatives introduced by OSV (vulnerabilities caught by OVAL but missed by OSV).
Overall difference in CVE counts per host across Ubuntu 20.04, 22.04, and 24.04.
3. Have a fallback to OVAL for 1 or more releases
Implement a fallback mechanism so that if OSV data is unavailable or incomplete for a specific Ubuntu release, the system falls back to existing OVAL-based scanning.
This ensures no regression in coverage during the transition period.
4. Recommended: get more customer data
Collect vulnerability scan results from customer environments (with appropriate permissions) to validate OSV accuracy against real-world host configurations.
Compare OSV vs OVAL results on customer data to quantify the improvement in false positive rates.
Test plan is finalized
Contributor API changes: No changes
Feature guide changes: No changes
Database schema migrations: No changes
Load testing: Compare OSV scan performance against current OVAL scan across Ubuntu hosts using osquery-perf
Pre-QA load test: Yes — run comparative scan with osquery-perf before QA
Load testing/osquery-perf improvements: No changes
This is a premium only feature: No
ℹ️ Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".
QA
Risk assessment
Risk level: Low
Risk description: This is a POC that runs in parallel with existing OVAL scanning. No production vulnerability data is modified.
Test plan
Verify OSV data can be downloaded and parsed for Ubuntu 20.04, 22.04, and 24.04.
Verify CVE-2024-30205 is NOT flagged for emacs-common on Ubuntu 24.04 when using OSV (the known false positive from #39370).
Verify CVE-2024-39331 IS still flagged for emacs-common on Ubuntu 24.04 when using OSV (legitimate vulnerability).
Run osquery-perf comparison between OVAL and OSV results and document differences.
Verify fallback to OVAL works when OSV data is missing for a release.
Testing notes
This is a POC. Testing focuses on validating accuracy of OSV data compared to OVAL, not on production readiness.
Confirmation
Engineer: Added comment to user story confirming successful completion of test plan.
QA: Added comment to user story confirming successful completion of test plan.
Goal
This is a POC for #39900.
Changes
Product
Engineering
This POC should cover the following areas:
1. Add OSV feed
https://storage.googleapis.com/osv-vulnerabilities/Ubuntu/all.zip) or the official https://github.com/canonical/ubuntu-security-notices2. Check the results against OVAL using osquery-perf
emacs-commonper #39370).3. Have a fallback to OVAL for 1 or more releases
4. Recommended: get more customer data
Collect vulnerability scan results from customer environments (with appropriate permissions) to validate OSV accuracy against real-world host configurations.
Compare OSV vs OVAL results on customer data to quantify the improvement in false positive rates.
Test plan is finalized
Contributor API changes: No changes
Feature guide changes: No changes
Database schema migrations: No changes
Load testing: Compare OSV scan performance against current OVAL scan across Ubuntu hosts using osquery-perf
Pre-QA load test: Yes — run comparative scan with osquery-perf before QA
Load testing/osquery-perf improvements: No changes
This is a premium only feature: No
QA
Risk assessment
Test plan
emacs-commonon Ubuntu 24.04 when using OSV (the known false positive from #39370).emacs-commonon Ubuntu 24.04 when using OSV (legitimate vulnerability).Testing notes
This is a POC. Testing focuses on validating accuracy of OSV data compared to OVAL, not on production readiness.
Confirmation