
Rocky Linux out of box support #204

Open
bluikko opened this issue Jan 13, 2025 · 5 comments · May be fixed by #205

Comments

@bluikko
Contributor

bluikko commented Jan 13, 2025

The default configuration/bootstrap for Rocky Linux (CentOS/RHEL derivative) is missing.

If I understand right this requires changes in src/common/DefaultConfig.php for the OS string and install/server-bootstrap.php for OVAL URL.

PR will be incoming for these but I am unable to test it for quite some time.

@bluikko bluikko linked a pull request Jan 13, 2025 that will close this issue
@HavrilaJ
Contributor

HavrilaJ commented Jan 13, 2025

Rocky is not missing, as we have it there (DefaultConfig) as part of RHEL, because Rocky didn't publish their own OVALs at the time. But now, as you mentioned in the PR, there are some OVALs from Rocky, but unfortunately they don't include correct definitions.

More inside/technical: the Rocky OVAL tag `<definition>` -> `<advisory>` doesn't include the `<cve>` tags which should be in every definition of a vulnerability. If you look at Alma/RHEL/Ubuntu OVALs they have it and we are expecting it. Maybe it could be possible to parse it from `<description>`, but I don't think it is a reliable source. Maybe I will try to contact someone to find out whether they just forgot to add the `<cve>` tag or where the problem is.

For now, for Rocky 8/9 we are getting OVALs from RHEL, because there is no better source right now, until they (Rocky) fix their OVAL.

@bluikko
Contributor Author

bluikko commented Jan 13, 2025

Sorry for wasting your time then, very unexpected that they would publish data that can only be characterized as faulty. Quite disappointing.

@bluikko
Contributor Author

bluikko commented Jan 13, 2025

I've decided I could try to investigate/push this issue with the RL team if necessary.

Looking at the XML files I see there are major differences:

  1. `reference` tags pointing to CVEs & RHSAs at the RH website.
  2. `bugzilla` tags pointing to RH bugzilla.
  3. `cve` tags that list CVSS metrics and links to the RH website.

I believe these may be the missing tags you refer to, and I suspect they may have been stripped out in order to not link to the RH site or RH content in general.

@HavrilaJ
Contributor

I was currently looking at how I can contact them. But if you want to help we would be glad.

  1. I think that the `reference` tag is there
  2. `bugzilla` - not needed/expected
  3. `cve` tag - is the issue - CVSS is fine, because we will maybe add it to pakiti. But there is no need for links to RH to be there, we only need to reliably know which CVEs belong to a definition.

Oh now I see, in the previous message I wrote `<>` tags, especially that the tag `<cve>` is missing, but they didn't show up correctly.

@bluikko
Contributor Author

bluikko commented Jan 13, 2025

> I was currently looking at how I can contact them. But if you want to help we would be glad.
>
>   1. I think that the `reference` tag is there

You are right, it is just missing many of them. Seems they only kept the security advisory but removed the CVE links.

>   2. `bugzilla` - not needed/expected
>   3. `cve` tag - is the issue - CVSS is fine, because we will maybe add it to pakiti. But there is no need for links to RH to be there, we only need to reliably know which CVEs belong to a definition.
>
> Oh now I see, in the previous message I wrote `<>` tags, especially that the tag `<cve>` is missing, but they didn't show up correctly.

That makes sense, I see the edited version now. Thanks. Will inform in this issue if something comes out of it.
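As an added example (not part of this issue thread or of Pakiti's own code), a small Python check that reports which definitions in an OVAL feed lack the `<advisory>`/`<cve>` tags discussed above and contrasts them with the `<reference source="CVE">` entries. The sample feed is constructed: the definition ids, URLs and e-mail address in it are made up, and it contains one RHEL-style definition with `<cve>` children and one Rocky-style definition without them.

```python
import xml.etree.ElementTree as ET

NS = {"oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed sample (not a real OVAL feed): one RHEL-style definition with
# <advisory>/<cve> children and one Rocky-style definition without them.
SAMPLE_OVAL = f"""<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="{NS['oval']}">
  <definitions>
    <definition class="patch" id="oval:com.redhat.rhsa:def:20240001">
      <metadata>
        <reference ref_id="CVE-2024-0001" ref_url="https://example.invalid/cve" source="CVE"/>
        <description>Fixes CVE-2024-0001 in example.</description>
        <advisory from="secalert@example.invalid">
          <severity>Moderate</severity>
          <cve cvss3="7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" impact="moderate">CVE-2024-0001</cve>
        </advisory>
      </metadata>
    </definition>
    <definition class="patch" id="oval:org.rockylinux.rlsa:def:20240001">
      <metadata>
        <reference ref_id="RLSA-2024:0001" ref_url="https://example.invalid/rlsa" source="RLSA"/>
        <description>Fixes CVE-2024-0001 in example.</description>
        <advisory from="secalert@example.invalid">
          <severity>Moderate</severity>
        </advisory>
      </metadata>
    </definition>
  </definitions>
</oval_definitions>
"""

def cve_report(xml_text):
    """Map each definition id to the CVE ids found in its <advisory>/<cve> tags
    (the source a consumer like Pakiti relies on) and, separately, in its
    <reference source="CVE"> tags, so the two can be compared per feed."""
    root = ET.fromstring(xml_text)
    report = {}
    for d in root.findall("oval:definitions/oval:definition", NS):
        adv = d.findall("oval:metadata/oval:advisory/oval:cve", NS)
        refs = d.findall("oval:metadata/oval:reference[@source='CVE']", NS)
        report[d.get("id")] = {
            "advisory_cves": sorted(c.text.strip() for c in adv if c.text),
            "reference_cves": sorted(r.get("ref_id") for r in refs),
        }
    return report

def definitions_missing_cve(xml_text):
    """Ids of definitions whose <advisory> has no <cve> child, i.e. the ones
    that cannot be mapped to CVEs without falling back to <description>."""
    return [i for i, r in cve_report(xml_text).items() if not r["advisory_cves"]]
```

Run against a downloaded feed (`definitions_missing_cve(open(path).read())`) to see how many definitions would be unusable to the parser before deciding whether a `<description>` fallback is worth the unreliability HavrilaJ mentions.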
