Overview

This release improves the accuracy and completeness of vendor severity, CVSS scores, fix-version data, and fix publish dates across selected operating systems and programming-language ecosystems.

This is a data-quality update only and does not expand policy scope or introduce new vulnerability sources.


What’s Changing

RHEL 10 Coverage Expansion

  • Added CSAF-based support for Red Hat Enterprise Linux 10
  • Expanded advisory and package coverage for RHEL 10

Programming Language False-Positive Cleanup

  • Removed rejected CVEs from programming-language vulnerability data
  • Reduced false positives in scan results

Alpine and Red Hat Fix Metadata Improvements

  • Corrected Alpine fix versions
  • Improved fix-version and fix publish date accuracy for selected Red Hat content

Amazon Linux and SUSE Vendor Metric Alignment

  • Aligned severity and CVSS scores with vendor-provided data sources
  • Applies to Amazon Linux and SUSE distributions

Why It Matters

Accurate vulnerability data is critical for prioritization and compliance. This update:

  • Improves alignment with vendor-provided severity and remediation data
  • Reduces false positives in programming-language ecosystems
  • Enhances fix metadata reliability, enabling better remediation decisions
  • Expands RHEL 10 visibility, including packages without available fixes

Customer Impact

What you may notice after rollout:

  • Changes in severity or CVSS scores (Amazon Linux, SUSE)
  • Expanded RHEL 10 coverage, including packages without fixes
  • Fewer false positives in programming-language results
  • Updates to:
    • Fix versions
    • Remediation guidance
    • Fix publish dates (Alpine and selected Red Hat content)

Policy impact: customers using policies based on:

  • Severity
  • CVSS scores
  • Fix availability
  • Remediation timelines

may see images or workloads move:

  • Into or out of Assurance failure
  • Into or out of Non-compliant status

Recommended Customer Actions

Before the Update

  • Identify potential impact to images/workloads
  • Optionally acknowledge CVEs in advance with SLA-aligned expiration

After the Update

  • Rescan a representative set of images or workloads
  • Review:
    • Dashboards
    • Alerts
    • Compliance reports
    • Policy gates

Focus areas:

  • Amazon Linux
  • RHEL 10
  • Alpine
  • SUSE
  • Programming-language results
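One way to carry out the "identify potential impact" and "rescan and review" actions above is to diff a pre-update scan export against a post-update one and flag findings whose policy verdict flips. The following Python is an added example, not code from this release note or the product; the CSV rows, CVE ids, fix versions and the policy gate are constructed placeholders modelled on the fields listed under Example Data Fields.

```python
import csv
import io

# Constructed sample exports (not real scan data; CVE ids are placeholders).
# Columns follow the fields this release note lists for its example datasets.
BEFORE_CSV = """cve_id,package,os,vendor_severity,cvss_score,fix_version,fix_status
CVE-0000-0001,openssl,amazonlinux:2023,High,7.5,,not_fixed
CVE-0000-0002,curl,rhel:10,High,7.5,,not_fixed
CVE-0000-0003,requests,python,Critical,9.8,,not_fixed
CVE-0000-0004,busybox,alpine:3.19,High,7.8,1.36.1-r0,fixed
"""
# After: severity aligned to vendor, RHEL 10 fix tracked, rejected CVE dropped, Alpine fix corrected.
AFTER_CSV = """cve_id,package,os,vendor_severity,cvss_score,fix_version,fix_status
CVE-0000-0001,openssl,amazonlinux:2023,Medium,5.9,,not_fixed
CVE-0000-0002,curl,rhel:10,High,7.5,8.9.1-1.el10,fixed
CVE-0000-0004,busybox,alpine:3.19,High,7.8,1.36.1-r1,fixed
"""
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
DIFF_FIELDS = ("vendor_severity", "cvss_score", "fix_version", "fix_status")

def load(csv_text):
    """Index findings by (cve, package, os) so before/after rows can be paired."""
    return {(r["cve_id"], r["package"], r["os"]): r
            for r in csv.DictReader(io.StringIO(csv_text))}

def gate_fails(row, min_severity="High", fixable_only=False):
    """Hypothetical gate: fail at/above min_severity, optionally only if a fix exists."""
    if row is None:  # finding absent from this export (e.g. rejected CVE removed)
        return False
    if SEVERITY_RANK.get(row["vendor_severity"], 0) < SEVERITY_RANK[min_severity]:
        return False
    return bool(row["fix_version"]) if fixable_only else True

def diff_exports(before_csv, after_csv, **gate):
    """Per changed finding: which fields moved and the gate verdict before/after."""
    before, after = load(before_csv), load(after_csv)
    report = {}
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key), after.get(key)
        if b is None or a is None:
            changes = ["added" if b is None else "removed"]
        else:
            changes = [f"{f}: {b[f] or '-'} -> {a[f] or '-'}"
                       for f in DIFF_FIELDS if b[f] != a[f]]
        if changes:
            report[key] = {"changes": changes,
                           "gate_before": gate_fails(b, **gate),
                           "gate_after": gate_fails(a, **gate)}
    return report
```

Findings whose gate_before and gate_after differ are the images or workloads to re-review first; run with fixable_only=True to model a "fixable High or above" policy, under which the RHEL 10 finding moves into failure once its fix version is tracked.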

Impact

  • Immediate Impact: Changes are applied automatically upon rollout
  • Post-Update Impact:
    • Updated severity, CVSS, and fix data may affect scan results
    • Potential changes to compliance and assurance outcomes

Example Changes

The following CSV and spreadsheet examples illustrate representative changes customers may observe after the update. These examples demonstrate improvements to vendor severity alignment, fix metadata accuracy, API enrichment data, and expanded advisory coverage across supported operating systems.

Included Example Datasets

  • amazon_redhat_cve_scores.csv: Examples of updated vendor severity and CVSS score alignment for Amazon Linux and Red Hat content
  • rhel10_vulns.csv: Examples of expanded RHEL 10 advisory and package coverage, including fix metadata
  • new_alpine_vulnerabilities.xlsx: Examples of Alpine vulnerability and fix metadata updates
  • api-enrichment-report.csv: Examples of vulnerability enrichment and metadata accuracy improvements from API-provided data sources

Example Highlights

Amazon Linux and Red Hat

  • Vendor severity alignment updates
  • Updated CVSS v2/v3/v4 scoring data
  • Improved consistency with vendor-provided advisories

RHEL 10

  • Expanded CSAF-based advisory coverage
  • Additional package visibility, including packages without fixes
  • Improved fix-version tracking

Alpine

  • Corrected vulnerability and fix metadata
  • Updated package remediation information
  • Improved fix publish date accuracy

API Enrichment Updates

  • Improved vulnerability metadata completeness
  • Enhanced remediation and fix information accuracy
  • Better alignment between upstream and vendor-provided data sources

Example Data Fields

The example datasets may contain fields such as:

  • CVE ID / Vulnerability ID
  • Package name
  • Operating system version
  • Vendor severity
  • CVSS scores
  • Fix version
  • Fix status
  • Advisory status
  • Fix publish dates
  • Enrichment source metadata

Notes

  • These examples are representative and may not reflect all changes in customer environments.
  • Actual impacts will vary depending on operating systems, installed packages, and policy configurations.
  • Customers are encouraged to rescan representative workloads after rollout to validate updated scan results and remediation guidance.

Summary

This release delivers a data-quality update that improves the accuracy of vulnerability severity, CVSS scores, fix versions, and remediation timelines across multiple operating systems and programming-language ecosystems. Customers may see changes in scan results, including reduced false positives and updated compliance or assurance outcomes, but no new vulnerability sources or policy scope changes are introduced.