Distinction between operating system & third party packages

We often have the situation in which we perform an authenticated scan against several Linux VMs running end-of-life OSes. The report becomes rather long listing hundreds, sometimes thousands of packages to be upgraded.

While some of the packages are shipped with the operating system baseline, other are third party packages that have been installed additionally and are not manageable via the system packet manager.

Is there a way to generate a listing (ideally XML, XLSX or anything that can be processed easily) of vulnerable packages that distinguishes between those packages that are part of the operating system baseline and those coming from third party vendors?


I think this would fall inline with my request for Vulnerability and Software Tagging, it would make assignments of remediation projects a lot easier.

1 Like