On the NVD website, CVE-2023-1989 is stated as being present in various kernels, among them 5.11 to 5.15.105. After an OpenSCAP scan of a 5.15.0 image, I noticed that vulnerability and several others to be missing from the generated report.
In the Jammy OVAL XML file that OpenSCAP uses, the CVE definition exists under oval:com.ubuntu.jammy:def:60331000000, which specifies two tests:
<unix:uname_test check="at least one" comment="Is kernel 6.1.0-\d+(-oem) currently running?" id="oval:com.ubuntu.jammy:tst:603310000000" version="1"><unix:object object_ref="oval:com.ubuntu.jammy:obj:603310000000"/><unix:state state_ref="oval:com.ubuntu.jammy:ste:603310000000"/></unix:uname_test><ind:variable_test id="oval:com.ubuntu.jammy:tst:603310000010" version="1" check="all" check_existence="all_exist" comment="kernel version comparison"><ind:object object_ref="oval:com.ubuntu.jammy:obj:603310000010"/><ind:state state_ref="oval:com.ubuntu.jammy:ste:603310000010"/></ind:variable_test>The state_ref links to:
<ind:variable_state id="oval:com.ubuntu.jammy:ste:603310000010" version="1"><ind:value datatype="debian_evr_string" operation="less than">0:6.1.0-1009</ind:value></ind:variable_state>Which ends up meaning that only kernels running 6.1.0-n are checked for n<1099. However, a 5.15.0 kernel, for example, does have the vulnerability, since its source does not contain the corresponding patch in drivers/bluetooth/btsdio.c.
Why does the OVAL file not include a check for older kernels?