Gvm-check-setup returns false-positive error: missing SCAP data

Not sure if this is the appropriate place to talk about this issue, but it seems that the gvm-check-setup script (available in Debian sid) constantly fails with the latest SCAP feed data.

The script always fails with the following error:

gvm-check-setup 23.11.0
  Test completeness and readiness of GVM-23.11.0
[...]
Step 4: Checking data ...
        ERROR: SCAP DATA are missing.
        FIX: Run the SCAP synchronization script greenbone-feed-sync.
        sudo greenbone-feed-sync --type scap.

 ERROR: Your GVM-23.11.0 installation is not yet complete!

Even though the scap-data directory has content:

root@0effd77b888d:/var/lib/gvm/scap-data# du -h /var/lib/gvm/scap-data/
690M    /var/lib/gvm/scap-data/

And greenbone-feed-sync runs successfully:

root@0effd77b888d:/var/lib/gvm/scap-data# greenbone-feed-sync --type scap
Running as root. Switching to user '_gvm' and group '_gvm'.
Trying to acquire lock on /var/lib/gvm/feed-update.lock
Acquired lock on /var/lib/gvm/feed-update.lock
⠙ Downloading SCAP data from rsync://feed.community.greenbone.net/community/vulnerability-feed/24.10/scap-data/ to /var/lib/gvm/scap-data
Releasing lock on /var/lib/gvm/feed-update.lock

When checking the content of /var/lib/gvm/scap-data, we can see the following files, up-to-date:

root@0effd77b888d:~# ls /var/lib/gvm/scap-data
COPYING                  nvdcve-2.0-1999.json.gz  nvdcve-2.0-2003.json.gz  nvdcve-2.0-2007.json.gz  nvdcve-2.0-2011.json.gz  nvdcve-2.0-2015.json.gz  nvdcve-2.0-2019.json.gz  nvdcve-2.0-2023.json.gz
feed.xml                 nvdcve-2.0-2000.json.gz  nvdcve-2.0-2004.json.gz  nvdcve-2.0-2008.json.gz  nvdcve-2.0-2012.json.gz  nvdcve-2.0-2016.json.gz  nvdcve-2.0-2020.json.gz  nvdcve-2.0-2024.json.gz
nvd-cpe-matches.json.gz  nvdcve-2.0-2001.json.gz  nvdcve-2.0-2005.json.gz  nvdcve-2.0-2009.json.gz  nvdcve-2.0-2013.json.gz  nvdcve-2.0-2017.json.gz  nvdcve-2.0-2021.json.gz  nvdcve-2.0-2025.json.gz
nvd-cpes.json.gz         nvdcve-2.0-2002.json.gz  nvdcve-2.0-2006.json.gz  nvdcve-2.0-2010.json.gz  nvdcve-2.0-2014.json.gz  nvdcve-2.0-2018.json.gz  nvdcve-2.0-2022.json.gz  timestamp
root@0effd77b888d:~# cat /var/lib/gvm/scap-data/timestamp
202503270506

It seems that the issue lies in the gvm-check-setup script:

The script is expecting to find more than 10 .xml files but the directory only contains one:

root@0effd77b888d:~# find $STATEDIR/scap-data -name "*xml"
/var/lib/gvm/scap-data/feed.xml

Did the SCAP data feed recently change its format in a way that could have broken this script?
I’d be glad to submit a PR on this script but I’m not sure where to proceed.

Thanks!

NB:
Here’s a short-term fix to patch the script:

sed -i 's/if \[ \$SCAPCOUNT -lt 10 \]/if \[ \$SCAPCOUNT -lt 1 \]/' `which gvm-check-setup`
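The mismatch described in the post above, as an added example that is not part of the original thread and is not the gvm-check-setup source: a check modeled on the one the poster describes, next to a layout-aware one that looks for the `nvdcve-2.0-*.json.gz` files and the `timestamp` file from the listing. The function names and the handling of an older `*.xml` layout are assumptions.

```shell
#!/bin/sh
# Added example: NOT the gvm-check-setup source. Function names are hypothetical.

# Check as described in the thread: count files matching "*xml" and
# require at least 10. Echoes "ok" or "missing".
legacy_scap_check() {
    count=$(( $(find "$1" -name '*xml' 2>/dev/null | wc -l) ))
    if [ "$count" -lt 10 ]; then echo missing; else echo ok; fi
}

# Layout-aware check. Echoes one of:
#   no-dir, no-timestamp, no-data, ok-json, ok-xml
scap_status() {
    dir=$1
    [ -d "$dir" ] || { echo no-dir; return 1; }

    # The feed ships a "timestamp" file holding 12 digits (YYYYMMDDHHMM),
    # e.g. 202503270506 in the thread.
    ts=$(cat "$dir/timestamp" 2>/dev/null) || ts=''
    case $ts in
        ''|*[!0-9]*) echo no-timestamp; return 1 ;;
    esac
    [ "${#ts}" -eq 12 ] || { echo no-timestamp; return 1; }

    # Current layout from the listing above: non-empty nvdcve-2.0-YYYY.json.gz.
    json=$(( $(find "$dir" -type f -name 'nvdcve-2.0-*.json.gz' -size +0 | wc -l) ))
    if [ "$json" -ge 1 ]; then echo ok-json; return 0; fi

    # Assumption: an older feed carries its data as *.xml; feed.xml is
    # excluded because it is present in the JSON layout too.
    xml=$(( $(find "$dir" -type f -name '*.xml' ! -name 'feed.xml' -size +0 | wc -l) ))
    if [ "$xml" -ge 1 ]; then echo ok-xml; return 0; fi

    echo no-data; return 1
}

# Usage: sh scap_status.sh /var/lib/gvm/scap-data
if [ "$#" -ge 1 ]; then
    echo "legacy: $(legacy_scap_check "$1")  layout-aware: $(scap_status "$1")"
fi
```

On a directory like the one listed in the post, the legacy check reports `missing` because only `feed.xml` matches, while the layout-aware check reports `ok-json`.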

The gvm-check-setup script is not provided or maintained by Greenbone so any issue within this script would need to be forwarded / reported to the current maintainer (in this case probably Debian).

My scap-data folder content is matching the output given previously so this seems to be valid content.


Thanks for the feedback @cfi!
Do you know where to report the issue to the maintainers of this script?
The GitLab instance linked above doesn’t have issues enabled.


Hi @gnuletik, a good place to try first would be the Debian BTS (bug reporting system) using the reportbug tool. There is a guide on how to use it here: "Debian -- Debian BTS - reporting bugs". It should then get forwarded to the security tools packaging team.


Dear, this is not a Debian problem. I just started a Kali and when installing Greenbone on it, I am facing the same problem.


This is a bit confusing, but in this case it should be reported to Debian first even though it shows up also in Kali. Debian is the upstream for Kali (which is generally pretty straightforward) but the package maintainer for Kali in this case is also maintainer for the Debian version so there is crossover in the Debian security tools packaging team. As the report here in the original post is for the upstream version in the Debian repository, that’s where the issue report for the package should first be filed (even if it’s redirected later). In any case if there is an issue in one (Debian or Kali) it will most likely show up in both.


Came across the same (repetitive) error message while running gvm this morning.
I confirmed the directories were in order, then started gvm, with no issues till now.

You should not modify this file.

The gvm-check-setup script included in Kali is outdated (version 23.11) and is not compatible with the newer gvmd 24.6.1.

A newer version of gvm-check-setup is available on the official website. Download it, save it, and run it — there should be no issues.


Very cool, and thanks for letting us know, @petersun.

The problem is solved in the new version committed to unstable.
