feat: Add AlmaLinux errata support to reduce false positives #5464

@VanitasCodes

Description

Problem

Scanning AlmaLinux packages reports CVEs that have already been patched through backports.

Evidence

Package: curl-7.76.1-34.el9.x86_64.rpm
Source: https://repo.almalinux.org/almalinux/9/BaseOS/x86_64/os/Packages/c/curl-7.76.1-34.el9.x86_64.rpm

cve-bin-tool reports: 46 CVEs (4 CRITICAL, 13 HIGH, 22 MEDIUM, 7 LOW)

Most of these are false positives - AlmaLinux backports security fixes without changing the base version number.

AlmaLinux Errata Data

AlmaLinux publishes machine-readable security advisories:

This data could be used to filter false positives, similar to existing RedHat support.

Suggested Approaches

  1. Parse errata JSON → generate VEX → use with --vex-file
  2. Add as native data source alongside NVD/OSV/RedHat
  3. Detect AlmaLinux RPMs and auto-apply errata filtering

Environment

  • cve-bin-tool 3.4.1
  • Windows 11 / Python 3.11
  • Test package: AlmaLinux 9 curl

Related

I'm willing to help implement this.
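Added example (not code from the issue author or from cve-bin-tool) sketching approach 1 above: read errata records, decide per advisory whether the installed build already carries the backported fix, and emit an OpenVEX-shaped document that could be fed to a VEX-aware scanner. The decisive part is ordering RPM release strings the way rpm does (`34.el9` vs `19.el9`, tilde and caret pre/post-release markers, numeric vs alphabetic segments), since the upstream version `7.76.1` stays the same across the backports. The errata field names, the placeholder advisory and CVE ids, the `almalinux` purl namespace and the `@id` URL are all constructed assumptions; check the cve-bin-tool documentation for which VEX flavour `--vex-file` accepts before relying on the output format.

```python
import re
from datetime import datetime, timezone

# Constructed sample errata (placeholder advisory and CVE ids, not real ones); the field
# names are an assumption modelled on the AlmaLinux errata JSON layout.
SAMPLE_ERRATA = [
    {"id": "ALSA-0000:0001", "type": "security",
     "packages": [{"name": "curl", "epoch": "0", "version": "7.76.1", "release": "19.el9", "arch": "x86_64"}],
     "references": [{"type": "cve", "id": "CVE-0000-00001"}, {"type": "cve", "id": "CVE-0000-00002"}]},
    {"id": "ALSA-0000:0002", "type": "security",
     "packages": [{"name": "curl", "epoch": "0", "version": "7.76.1", "release": "34.el9", "arch": "x86_64"}],
     "references": [{"type": "cve", "id": "CVE-0000-00003"}, {"type": "bugzilla", "id": "placeholder"}]},
    # Shipped after the installed build (34.el9 < 34.el9.1): must stay pending, not fixed.
    {"id": "ALSA-0000:0003", "type": "security",
     "packages": [{"name": "curl", "epoch": "0", "version": "7.76.1", "release": "34.el9.1", "arch": "x86_64"}],
     "references": [{"type": "cve", "id": "CVE-0000-00004"}]},
    {"id": "ALSA-0000:0004", "type": "security",  # different package: must be ignored
     "packages": [{"name": "openssl", "epoch": "1", "version": "3.0.7", "release": "1.el9", "arch": "x86_64"}],
     "references": [{"type": "cve", "id": "CVE-0000-00005"}]},
]

def rpmvercmp(a, b):
    """Order two RPM version/release strings like rpm's rpmvercmp(): -1, 0 or 1."""
    i = j = 0
    while True:
        # Anything that is not ASCII alphanumeric, '~' or '^' is a separator and is skipped.
        while i < len(a) and not (a[i].isascii() and a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isascii() and b[j].isalnum() or b[j] in "~^"):
            j += 1
        at, bt = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        ac, bc = i < len(a) and a[i] == "^", j < len(b) and b[j] == "^"
        if at != bt:  # '~' sorts before everything, even the end of the string (1.0~rc1 < 1.0)
            return -1 if at else 1
        if ac != bc:  # '^' sorts after the end of the string but before any real segment
            return -1 if i >= len(a) or (ac and j < len(b)) else 1
        if at or ac:  # both sides carry the same marker: step over it
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        pattern = r"\d+" if numeric else r"[A-Za-z]+"
        sa, mb = re.match(pattern, a[i:]).group(), re.match(pattern, b[j:])
        if mb is None:  # numeric segment versus alphabetic segment: numeric is newer
            return 1 if numeric else -1
        sb = mb.group()
        i, j = i + len(sa), j + len(sb)
        if numeric:  # integer compare without int(): drop leading zeros, then the longer wins
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # the side with segments left over is newer

def evr_cmp(x, y):
    """Compare (epoch, version, release) tuples: epoch numerically, then version, then release."""
    ex, ey = int(x[0] or 0), int(y[0] or 0)
    return (ex > ey) - (ex < ey) or rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])

def parse_nevra(filename):
    """Split 'name-version-release.arch.rpm' into (name, epoch, version, release, arch); a file name carries no epoch, so it is "0" as in rpm."""
    stem, arch = re.sub(r"\.rpm$", "", filename).rsplit(".", 1)
    name, version, release = stem.rsplit("-", 2)
    return name, "0", version, release, arch

def classify_cves(nevra, errata):
    """CVE -> advisory id, split into 'fixed' (installed EVR >= the advisory's EVR) and 'pending'."""
    name, epoch, version, release, arch = nevra
    fixed, pending = {}, {}
    for adv in errata:
        for pkg in adv.get("packages", []) if adv.get("type") == "security" else []:
            if pkg["name"] != name or pkg.get("arch") not in (arch, "noarch"):
                continue
            shipped = (pkg.get("epoch", "0"), pkg["version"], pkg["release"])
            bucket = fixed if evr_cmp((epoch, version, release), shipped) >= 0 else pending
            bucket.update((r["id"], adv["id"]) for r in adv.get("references", []) if r.get("type") == "cve")
            break  # one matching package entry per advisory is enough
    # A CVE fixed by any satisfied advisory counts as fixed even if a newer advisory lists it too.
    return fixed, {cve: adv for cve, adv in pending.items() if cve not in fixed}

def build_openvex(nevra, fixed, author="example-author"):
    """OpenVEX-shaped document with one 'fixed' statement per CVE (purl namespace and @id URL are constructed here)."""
    name, epoch, version, release, arch = nevra
    purl = f"pkg:rpm/almalinux/{name}@{version}-{release}?arch={arch}" + (f"&epoch={epoch}" if epoch != "0" else "")
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": f"https://example.invalid/vex/{name}-{version}-{release}.json",
        "author": author, "version": 1, "timestamp": datetime.now(timezone.utc).isoformat(),
        "statements": [{"vulnerability": {"name": cve}, "products": [{"@id": purl}], "status": "fixed",
                        "status_notes": f"backported fix shipped in {adv}"} for cve, adv in sorted(fixed.items())],
    }

if __name__ == "__main__":  # demo on the package named in the issue
    nevra = parse_nevra("curl-7.76.1-34.el9.x86_64.rpm")
    print(build_openvex(nevra, classify_cves(nevra, SAMPLE_ERRATA)[0]))
```

With the constructed errata, the installed `curl-7.76.1-34.el9` satisfies the first two advisories, so their three CVEs become `fixed` statements, while the advisory that ships `34.el9.1` stays pending and the openssl advisory is ignored. A production version would pull the errata from AlmaLinux rather than an inline list and should also handle the `src`/`noarch` package entries consistently.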
