False Vulnerability reports from OVAL Content
Product Name
CIS-CAT Pro Assessor
Product Version
All
Date
Nov 18, 2020
Problem
A false vulnerability is being reported by CIS-CAT Pro Assessor. The cause appears to be an error in the OVAL content rather than in the tool.
Solution
CIS-CAT Pro Assessor CLI is designed primarily to assess CIS Benchmark configuration recommendations. However, it can also assess SCAP and OVAL content.
For Windows vulnerability reports, the OVAL files used for these assessments are downloaded from the official OVAL Repository, which is operated by CIS. It is important to note that the content in the official OVAL Repository is not authored by CIS; it is submitted by contributors in the OVAL community. CIS performs structural QA on submitted content, such as checking that it is valid against the OVAL schemas, but CIS does not validate the detection logic the content embodies, that is, whether a definition's tests actually identify the vulnerability correctly on a given system.
Therefore, the detection logic in OVAL content can be wrong, and a definition may report a vulnerability that is not present. The best way to address such an issue is to have the author of the content review and fix it. Open a GitHub issue in the OVAL Repository, include the exact OVAL definition identifier (the oval:...:def:... ID shown in the assessment results) and its version, state the platform assessed and why the result appears wrong, and label the issue as a "bug" or "question".
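To quote the exact definition identifier in an issue, it is simplest to pull it straight from the OVAL Results XML that an OVAL assessment produces. The following Python script is an added example, not CIS-CAT or OVAL Repository code: it parses an OVAL 5.x results document, lists the vulnerability-class definitions that evaluated "true" (the items that show up as reported vulnerabilities), and formats the details worth putting in a bug or question issue. The sample results document embedded in the script, its oval:com.example definition IDs, titles and CVE numbers are constructed placeholders; a real assessment carries the repository's own identifiers.

```python
"""Extract the definitions that evaluated "true" from an OVAL Results file so the
exact definition ID, version and CVE references can be quoted in an OVAL Repository
issue. Added example, not CIS-CAT code; the sample document is constructed."""
import xml.etree.ElementTree as ET

# Namespaces used by the OVAL Results and OVAL Definitions schemas (5.x).
NS = {
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}

# Constructed sample: one vulnerability definition evaluated true, one evaluated
# false, and an inventory definition evaluated true (which is not a finding).
SAMPLE_RESULTS = """
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
              xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <oval-def:oval_definitions>
    <oval-def:definitions>
      <oval-def:definition id="oval:com.example:def:1001" version="3" class="vulnerability">
        <oval-def:metadata>
          <oval-def:title>Placeholder vulnerability in component A</oval-def:title>
          <oval-def:reference source="CVE" ref_id="CVE-0000-0001"/>
          <oval-def:reference source="CVE" ref_id="CVE-0000-0002"/>
        </oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:com.example:def:1002" version="1" class="vulnerability">
        <oval-def:metadata>
          <oval-def:title>Placeholder vulnerability in component B</oval-def:title>
          <oval-def:reference source="CVE" ref_id="CVE-0000-0003"/>
        </oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:com.example:def:1003" version="2" class="inventory">
        <oval-def:metadata>
          <oval-def:title>Placeholder OS is installed</oval-def:title>
        </oval-def:metadata>
      </oval-def:definition>
    </oval-def:definitions>
  </oval-def:oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:com.example:def:1001" version="3" result="true"/>
        <definition definition_id="oval:com.example:def:1002" version="1" result="false"/>
        <definition definition_id="oval:com.example:def:1003" version="2" result="true"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


def definition_metadata(root):
    """Map definition id -> class, version, title and CVE references, read from the
    oval_definitions block that a results document embeds."""
    meta = {}
    for d in root.iterfind("def:oval_definitions/def:definitions/def:definition", NS):
        title = d.find("def:metadata/def:title", NS)
        cves = [r.get("ref_id") for r in d.iterfind("def:metadata/def:reference", NS)
                if r.get("source") == "CVE"]
        meta[d.get("id")] = {
            "class": d.get("class"),
            "version": d.get("version"),
            "title": (title.text or "").strip() if title is not None else "",
            "cves": cves,
        }
    return meta


def true_vulnerability_findings(results_xml):
    """Return the vulnerability-class definitions whose result is "true"."""
    root = ET.fromstring(results_xml)
    meta = definition_metadata(root)
    findings = []
    for d in root.iterfind("res:results/res:system/res:definitions/res:definition", NS):
        if d.get("result") != "true":
            continue
        info = meta.get(d.get("definition_id"))
        # Inventory, compliance and patch definitions are not vulnerability findings.
        if info is None or info["class"] != "vulnerability":
            continue
        findings.append({"definition_id": d.get("definition_id"),
                         "version": d.get("version"),
                         "title": info["title"],
                         "cves": info["cves"]})
    return findings


def issue_body(finding, platform, reason):
    """Format the details a bug/question issue in the OVAL Repository should carry."""
    return "\n".join([
        f"Definition: {finding['definition_id']} (version {finding['version']})",
        f"Title: {finding['title']}",
        f"CVE references: {', '.join(finding['cves']) or 'none'}",
        f"Platform assessed: {platform}",
        f"Why the result looks wrong: {reason}",
    ])


if __name__ == "__main__":
    for f in true_vulnerability_findings(SAMPLE_RESULTS):
        print(issue_body(f, "Windows (placeholder)", "the fix is installed (placeholder)"))
```

Run it against a real results file by reading the file contents into true_vulnerability_findings instead of SAMPLE_RESULTS. The class filter matters: the OVAL Repository also contains inventory, compliance and patch definitions, and a "true" result on those is not a vulnerability report and should not be filed as one.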
Because of this community model, community-contributed OVAL content does not receive the same compatibility testing and support in CIS-CAT as the CIS Benchmarks, which are built and updated specifically to run in CIS-CAT Pro Assessor.
If an assessment produces false positives, the cause is far more likely to be the community-contributed OVAL content than CIS-CAT's ability to evaluate it, and questions should be directed to the OVAL community that maintains the content.