Scanning COS images with the OVAL vulnerability feed
COS provides an Open Vulnerability and Assessment Language (OVAL) vulnerability feed, which is a structured, machine-readable dataset for all supported COS releases. You can use the feed to evaluate packages installed on a COS system for security issues.
You can access the OVAL feed at gs://cos-oval-vulnerability-feed.
The feed depends on the cos-package-info.json file, which lists the packages installed on an image. This file is located in the /etc directory on your VM instances.
Scanning COS VM instances with the OVAL feed
You can use the OVAL feed to scan any COS instance. For example, assume you want to scan an instance running the COS-109 image:
Download the OVAL feed for your instance. Make sure you choose the correct milestone. For the current example, it is 109:
gcloud storage cp gs://cos-oval-vulnerability-feed/cos-109.oval.xml.tar.gz .
Extract the downloaded OVAL feed:
tar xf cos-109.oval.xml.tar.gz
Copy cos-package-info.json from your VM instance, in this case my-cos-instance:
gcloud compute scp my-cos-instance:/etc/cos-package-info.json .
Use your preferred Security Content Automation Protocol (SCAP) compliant tool that can process an OVAL feed. In this case, we use OpenSCAP:
oscap oval eval --report report.html cos-109.oval.xml
Note that the cos-package-info.json file and the COS OVAL feed need to be in the same directory, because the feed refers to the package list by path. If they are not, update the path of cos-package-info.json in the COS OVAL feed file.
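The four steps above, wrapped into a script that takes the instance name and milestone as parameters and checks the same-directory requirement before invoking OpenSCAP. This is an added example, not code from the COS documentation; it assumes gcloud and oscap are on PATH and that the feed object follows the cos-<milestone>.oval.xml.tar.gz naming shown on this page.

```shell
#!/bin/sh
# Added example (not from the COS docs): automate the OVAL scan of one COS instance.
# Assumes gcloud and oscap are installed and authenticated/configured by the caller.
set -eu

# Object name in the bucket and the extracted feed file name for a milestone,
# following the cos-<milestone>.oval.xml.tar.gz naming used on this page.
feed_object() { printf 'gs://cos-oval-vulnerability-feed/cos-%s.oval.xml.tar.gz\n' "$1"; }
feed_file()   { printf 'cos-%s.oval.xml\n' "$1"; }

# The feed locates cos-package-info.json by path, so the feed file and the
# package list must sit in the same directory. Returns 1 and names each
# missing or empty file on stderr so the scan fails before oscap runs.
preflight() {
  dir=$1; milestone=$2; status=0
  for f in "$(feed_file "$milestone")" cos-package-info.json; do
    [ -s "$dir/$f" ] || { echo "preflight: missing or empty: $dir/$f" >&2; status=1; }
  done
  return "$status"
}

# Download the feed for $milestone and the package list from $instance into
# $workdir (a fresh temp dir by default), verify both are present, then run
# OpenSCAP there and write report.html next to them.
scan_cos_instance() {
  instance=$1; milestone=$2; workdir=${3:-$(mktemp -d)}
  ( cd "$workdir"
    gcloud storage cp "$(feed_object "$milestone")" .
    tar xf "cos-$milestone.oval.xml.tar.gz"
    gcloud compute scp "$instance:/etc/cos-package-info.json" .
    preflight . "$milestone"
    oscap oval eval --report report.html "$(feed_file "$milestone")"
  )
  echo "report written to $workdir/report.html"
}

# Usage (hypothetical instance name): scan_cos_instance my-cos-instance 109
```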
How to fix vulnerabilities reported by the scanner
The feed lists all the vulnerabilities fixed in the latest COS image of each milestone. As a result, you can fix all open vulnerabilities that the scanner reports on your system by updating to the latest COS image for that particular milestone.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-25 UTC.