Commit 5574d7b
CVE guide (#3193)
* Add CVE verification and remediation guide for Rocky Linux
Covers RPM changelog inspection, dnf updateinfo commands, RHSA/RLSA advisory
numbering, module stream version naming, Windows-only CVE identification,
CVSS scoring thresholds, build system monitoring, EOL implications, and
vulnerability scanner false positive resolution.
Assisted-by: Claude claude-sonnet-4-6
Co-Authored-By: Howard Van Der Wal <hvanderwal@ciq.com>
* Update guide title to remove redundant Rocky Linux reference
Assisted-by: Claude claude-sonnet-4-6
* Update tested versions to include Rocky Linux 8, 9, and 10
Tested on Rocky Linux 8.10, 9.7, and 10.1 on Vultr.
Assisted-by: Claude claude-sonnet-4-6
* Update tested with to show specific minor versions
Assisted-by: Claude claude-sonnet-4-6
* Remove irrelevant SELinux prerequisite
The guide does not cover SELinux context management.
Assisted-by: Claude claude-sonnet-4-6
* Remove unnecessary prerequisite
Assisted-by: Claude claude-sonnet-4-6
* Add verification methods overview, OVAL scanning, upstream references
- Add methods overview section listing all CVE verification approaches
- Replace "Red Hat" references with "Upstream" throughout
- Add upstream security advisories URL
- Add OVAL scanning with OpenSCAP section
- Correct RPM changelog from "most reliable" to "one way"
Assisted-by: Claude claude-opus-4-6
* Add AI usage disclaimer section
Assisted-by: Claude claude-opus-4-6
* Fix CVSS threshold wording: "above 7.0" to "7.0 or higher"
The upstream policy threshold is >=7.0 (7 or higher), not >7.0 (above 7).
Assisted-by: Claude claude-opus-4-6
* Remove CIQ LTS extended support paragraph
Assisted-by: Claude claude-opus-4-6
* Add references section and inline superscript citations
Add 14 references with superscript citations throughout the document
linking to Rocky Linux Errata, upstream security advisories, build
systems, OVAL data, OpenSCAP, DNF Automatic docs, and more.
Assisted-by: Claude claude-opus-4-6
* Remove Red Hat-specific changelog example and Windows CVE section
- Replace changelog example with generic CVE entry format
- Remove Identifying Windows-only CVEs section
- Replace "Red Hat" with "upstream vendor" in References section
Assisted-by: Claude claude-opus-4-6
* Update tested with versions to major versions only
Assisted-by: Claude claude-opus-4-6
* Update upstream CVE pages link to use base URL
Assisted-by: Claude claude-opus-4-6
* Replace 'by the upstream vendor' with 'by Upstream' in references
Assisted-by: Claude claude-opus-4-6
* Remove CVSS scoring and backport policies section
Assisted-by: Claude claude-opus-4-6
* Clean up prerequisites section wording
Assisted-by: Claude claude-opus-4-6
* Fix punctuation and superscript reference placement
Assisted-by: Claude claude-opus-4-6
* Fix punctuation and superscript reference placement throughout
Assisted-by: Claude claude-opus-4-6
* Change title to CVE hygiene
Assisted-by: Claude claude-opus-4-6
* Move ai_contributors under contributors in front matter
Assisted-by: Claude claude-opus-4-6
* Rename file to match title: cve_hygiene.md
Assisted-by: Claude claude-opus-4-6
* Update cve_hygiene.md
Add a very long sub-heading on vulnerability scanner arbitration.
---------
Co-authored-by: sspencerwire <sspencerwire@gmail.com>

1 parent 83ea5b1 commit 5574d7b
1 file changed: +424 -0 lines changed
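The guide this commit adds covers RPM changelog inspection and dnf updateinfo commands as ways to confirm a CVE fix on Rocky Linux. The following is an added example written for this page, not code from the guide or from the Rocky Linux documentation. It shows the one check a practitioner most often gets wrong when grepping a changelog: matching the CVE id as a whole token, so that CVE-2024-0001 is not satisfied by an entry for CVE-2024-00012 (the kind of mismatch that feeds scanner false positives and false negatives). The changelog text, package name and CVE ids in it are constructed placeholders, and the `check_cve` wrapper assumes a host with `rpm` and `dnf` available.

```shell
#!/bin/sh
# Added example, not part of the CVE hygiene guide or of Rocky Linux.
# Checks whether an RPM changelog records a fix for a given CVE, matching the
# id as a whole token, then (on a real host) cross-checks dnf's advisory data.

# Return 0 if the changelog on stdin mentions the CVE as a whole token.
# "CVE-2024-0001" must not match "CVE-2024-00012"; case is ignored because
# some packagers write "cve-" in lower case.
cve_in_changelog() {
    cve=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    grep -qiE -- "(^|[^0-9A-Z-])${cve}([^0-9]|$)"
}

# Print the header line (date, packager, EVR) of the newest changelog entry
# that mentions the CVE. rpm prints entries newest first, so the first hit is
# the build that introduced the fix. Prints nothing if no entry matches.
changelog_fix_entry() {
    cve=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    awk -v cve="$cve" '
        /^\* / { hdr = $0; next }
        toupper($0) ~ ("(^|[^0-9A-Z-])" cve "([^0-9]|$)") { print hdr; exit }
    '
}

# Constructed sample in "rpm -q --changelog" layout. Package, maintainer and
# CVE ids are placeholders, not real advisories.
sample_changelog() {
    cat <<'EOF'
* Mon Feb 12 2024 Example Maintainer <maint@example.invalid> - 1.2.3-5.el9
- Fix CVE-2024-00012 in the parser (constructed entry)
* Fri Jan 05 2024 Example Maintainer <maint@example.invalid> - 1.2.3-4.el9
- Backport fix for cve-2024-0001 (constructed entry)
EOF
}

# Live check on a Rocky Linux host (needs rpm and dnf; not exercised offline).
# Usage: check_cve <package> <CVE-id>
check_cve() {
    pkg=$1
    cve=$2
    entry=$(rpm -q --changelog "$pkg" | changelog_fix_entry "$cve")
    if [ -n "$entry" ]; then
        echo "changelog: fix recorded in $entry"
    else
        echo "changelog: no entry for $cve in $pkg"
    fi
    # dnf's advisory metadata is the other source: an advisory listing the CVE
    # that is still available (not installed) means the fix exists but has not
    # been applied on this host.
    echo "updateinfo (available advisories referencing $cve):"
    dnf -q updateinfo list --cves 2>/dev/null | grep -F -- "$cve" || echo "  none"
}
```

Run `sample_changelog | changelog_fix_entry CVE-2024-0001` to see the second header printed rather than the first; a plain `grep CVE-2024-0001` would have stopped at the CVE-2024-00012 entry. On a real host, `check_cve openssl CVE-XXXX-NNNN` combines the changelog and updateinfo views, which is the comparison the guide describes.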