
@jcastill (Member) commented Sep 4, 2025

Add 'dnf updateinfo list cves' to the dnf plugin.

Related: RHEL-94859


Please place an 'X' inside each '[]' to confirm you adhere to our Contributor Guidelines

  • Is the commit message split over multiple lines and hard-wrapped at 72 characters?
  • Is the subject and message clear and concise?
  • Does the subject start with [plugin_name] if submitting a plugin patch or a [section_name] if part of the core sosreport code?
  • Does the commit contain a Signed-off-by: First Lastname email@example.com?
  • Are any related Issues or existing PRs properly referenced via a Closes (Issue) or Resolved (PR) line?
  • Are all passwords or private data gathered by this PR obfuscated?

Add 'dnf updateinfo list cves' to the dnf plugin.

Related: RHEL-94859

Signed-off-by: Jose Castillo <jcastillo@redhat.com>
@packit-as-a-service

Congratulations! One of the builds has completed. 🍾

You can install the built RPMs by following these steps:

  • sudo yum install -y dnf-plugins-core on RHEL 8
  • sudo dnf install -y dnf-plugins-core on Fedora
  • dnf copr enable packit/sosreport-sos-4120
  • And now you can install the packages.

Please note that the RPMs should be used only in a testing environment.

"dnf list extras",
"dnf updateinfo info security",
"dnf updateinfo list --available",
"dnf updateinfo list cves",
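Review bot: `"dnf updateinfo list cves"` is appended to the same unconditional command list as the three existing updateinfo entries, so every run of the dnf plugin pays for it (the thread measures about 3 seconds) whether or not anyone wants a CVE review. Since the author already proposes gating it behind a plugin option defaulting to off, as the rpm plugin does for some of its captures, consider taking this line out of the shared list and collecting it from a separate, option-guarded call instead.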
Contributor

What is the additional value to dnf updateinfo list --available?

The --available one already prints the errata ID, so the details about CVEs and BZs/JIRAs from the cves output can be found on the errata page, when required. E.g. for the line:

RHSA-2025:6966  Moderate/Sec.  kernel-uki-virt-5.14.0-570.12.1.el9_6.x86_64

the page https://access.redhat.com/errata/RHSA-2025:6966 lists the CVEs that the cve output provides.

Or do you focus on scenarios where the cves output would be malformed due to malformed metadata on the system..? I simply miss the use case when this output can be valuable to extra collect.

Member Author

You are right that --available already prints the errata ID, so for a single check that's useful - the support engineer can go to that web page and check everything. But if you are interested in more than one errata, the output of list cves saves a lot of time and gives you a better overall review of the system, neatly grouped and in a clearer way than '--available' could do. Or even if you are just interested in the cves for whatever reason and not in the erratas, this new command gives you everything you need.
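As an added example (not code from this PR or from sos itself), a small Python parser that joins the two listings the plugin collects, assuming `list cves` uses the same three-column `ID  Type/Severity  NEVRA` layout as the `--available` line quoted above; the sample output is constructed and includes a non-record header line of the kind the reviewer's "malformed output" concern would produce.

```python
import re
from collections import defaultdict

# Constructed samples in the `ID  Type/Severity  NEVRA` layout of the RHSA-2025:6966
# line quoted in the thread; that advisory id is from the page, RHBA-0000:0001 and
# CVE-0000-000N are placeholders. The "Last metadata" header is a non-record line
# dnf prints that a parser must skip.
AVAILABLE_OUTPUT = """\
Last metadata expiration check: 0:10:00 ago on Thu Sep  4 10:00:00 2025.
RHSA-2025:6966  Moderate/Sec.  kernel-uki-virt-5.14.0-570.12.1.el9_6.x86_64
RHSA-2025:6966  Moderate/Sec.  kernel-core-5.14.0-570.12.1.el9_6.x86_64
RHBA-0000:0001  bugfix         bash-5.1.8-9.el9.x86_64
"""
CVES_OUTPUT = """\
CVE-0000-0001   Moderate/Sec.  kernel-uki-virt-5.14.0-570.12.1.el9_6.x86_64
CVE-0000-0002   Moderate/Sec.  kernel-uki-virt-5.14.0-570.12.1.el9_6.x86_64
CVE-0000-0001   Moderate/Sec.  kernel-core-5.14.0-570.12.1.el9_6.x86_64
"""
# Exactly three whitespace-separated columns; anything else is not a record.
RECORD_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_updateinfo(text):
    """Yield (id, type_or_severity, nevra) per record line, skipping the rest."""
    for line in text.splitlines():
        match = RECORD_RE.match(line)
        if match:
            yield match.groups()

def cves_by_package(cves_text):
    """Map package NEVRA -> sorted CVE ids, i.e. what `list cves` adds."""
    found = defaultdict(set)
    for cve_id, _sev, nevra in parse_updateinfo(cves_text):
        if cve_id.startswith("CVE-"):
            found[nevra].add(cve_id)
    return {nevra: sorted(ids) for nevra, ids in found.items()}

def advisory_summary(available_text, cves_text):
    """Join both listings on NEVRA: advisory -> severity, packages, CVEs."""
    pkg_cves = cves_by_package(cves_text)
    summary = {}
    for adv, sev, nevra in parse_updateinfo(available_text):
        entry = summary.setdefault(adv, {"severity": sev, "packages": set(), "cves": set()})
        entry["packages"].add(nevra)
        entry["cves"].update(pkg_cves.get(nevra, ()))
    return {adv: {"severity": e["severity"], "packages": sorted(e["packages"]),
                  "cves": sorted(e["cves"])} for adv, e in summary.items()}

if __name__ == "__main__":
    for adv, info in advisory_summary(AVAILABLE_OUTPUT, CVES_OUTPUT).items():
        print(adv, info["severity"], ", ".join(info["cves"]) or "-")
```

On a real sos archive the two inputs would be the captured command outputs from the dnf plugin directory rather than the embedded strings.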

Contributor

Hm, so this is a request to rather "postprocess" some collected data than collect anything new, similarly to how we generate some xml output in the sar plugin.

Here this command takes 3ish seconds to execute.

I don't know if it is worth the cost..?

Member Author

No, the data about CVEs hasn't been collected at this point. Only this command will provide it, for all the packages installed in the system.
If you are concerned about these 3 seconds, we can gate it behind an option like we do with some of the rpm plugin captures.
If that's still not enough for you, let me know.

Contributor

I see collecting this data on a border line where pros ~= cons. So I am deferring to other reviewers for their opinion.

Member Author

That's why I think gating it with an option (default off) could help here
