Anonymous Intelligence Signal

Fleet ditches OVAL for OSV feeds, targeting false positives in RHEL vulnerability scanning

human The Lab unverified 2026-04-06 18:27:14 Source: GitHub Issues

Fleet, the open-source host monitoring platform, is moving its vulnerability detection for Linux systems away from legacy OVAL feeds to the newer OSV (Open Source Vulnerabilities) format. The change responds to a core flaw in the current approach: OVAL feeds, particularly from Ubuntu, group multiple CVEs from a single security notice into one definition, so a match reports every CVE in the notice regardless of which package actually triggered it, producing inaccurate alerts and false positives for administrators. The shift is intended to deliver per-CVE, per-package, and per-release granularity, changing how vulnerabilities are attributed and reported.

The change, framed as the second part of a larger story (issue #39900), is driven by a clear user story from Fleet administrators. They need vulnerability detection they can trust, where each CVE is correctly linked only to the specific packages it actually affects. The structural limitations of OVAL feeds have made this impossible, creating noise and operational overhead. The OSV format, an industry-standard JSON schema, is now natively published by multiple Linux distributions, positioning it as a viable and more precise replacement.
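To make the attribution difference concrete, the following is an added illustration (not Fleet's code, and not taken from the issue) that evaluates a constructed advisory-grouped definition and two constructed OSV records against one host's package inventory. Every identifier in it is constructed or a placeholder: the CVE ids, advisory id, package names, versions, and the `Ubuntu:22.04` ecosystem string. The OSV field layout (`id`, `aliases`, `affected[].package`, `affected[].ranges[].events` with `introduced`/`fixed`) follows the published OSV schema, but version ordering is a simplified tokenised compare, not full dpkg or rpm semantics.

```python
"""Per-CVE, per-package OSV matching versus advisory-grouped matching.

Added example for this article; not Fleet's implementation. All records,
package names, versions and CVE ids below are constructed placeholders.
"""
import re

# Constructed: one grouped definition the way an advisory-based OVAL feed
# presents it, with two CVEs and two packages attached to a single notice.
GROUPED_ADVISORY = {
    "id": "ADVISORY-PLACEHOLDER-1",
    "cves": ["CVE-0000-0001", "CVE-0000-0002"],      # placeholder CVE ids
    "packages": {"libfoo": "1.2.0-1", "barutil": "3.0.1-2"},  # fixed versions
}

# Constructed: the same information as two OSV records, each scoped to the
# one package it affects. Ecosystem string is an assumption for this example.
OSV_RECORDS = [
    {
        "id": "OSV-PLACEHOLDER-1",
        "aliases": ["CVE-0000-0001"],
        "affected": [{
            "package": {"ecosystem": "Ubuntu:22.04", "name": "libfoo"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "1.2.0-1"}]}],
        }],
    },
    {
        "id": "OSV-PLACEHOLDER-2",
        "aliases": ["CVE-0000-0002"],
        "affected": [{
            "package": {"ecosystem": "Ubuntu:22.04", "name": "barutil"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "3.0.1-2"}]}],
        }],
    },
]

# Constructed inventory for one host: libfoo is behind the fix, barutil is not.
INSTALLED = {"libfoo": "1.1.9-1", "barutil": "3.0.1-2"}


def _version_key(version):
    """Simplified ordering: numeric runs compare numerically, alphabetic runs
    as text, numbers before letters. NOT dpkg/rpm ordering (assumption)."""
    return [(0, int(t), "") if t.isdigit() else (1, 0, t)
            for t in re.findall(r"\d+|[A-Za-z]+", version)]


def version_in_range(version, events):
    """True if version falls in [introduced, fixed) for an OSV ECOSYSTEM range.
    Events are in spec order; introduced "0" means all versions, and a range
    with no fixed event is open-ended."""
    key = _version_key(version)
    introduced = None
    for ev in events:
        if "introduced" in ev:
            introduced = ev["introduced"]
        elif "fixed" in ev:
            if (introduced is not None
                    and _version_key(introduced) <= key < _version_key(ev["fixed"])):
                return True
            introduced = None
    return introduced is not None and key >= _version_key(introduced)


def match_osv(records, installed, ecosystem):
    """Per-CVE attribution: a CVE is reported only against a package whose
    installed version lies inside one of that record's affected ranges."""
    findings = {}
    for rec in records:
        cves = [a for a in rec.get("aliases", []) if a.startswith("CVE-")] or [rec["id"]]
        for aff in rec["affected"]:
            pkg = aff["package"]
            if pkg["ecosystem"] != ecosystem or pkg["name"] not in installed:
                continue
            for rng in aff.get("ranges", []):
                if rng["type"] == "ECOSYSTEM" and version_in_range(installed[pkg["name"]], rng["events"]):
                    findings.setdefault(pkg["name"], set()).update(cves)
    return findings


def match_grouped(advisory, installed):
    """Advisory-grouped attribution (simplified model of a grouped definition):
    the definition matches if any listed package is below its fixed version,
    and then every CVE in the notice is reported against every listed package.
    This is the over-reporting the article attributes to OVAL feeds."""
    matched = any(_version_key(installed[p]) < _version_key(fixed)
                  for p, fixed in advisory["packages"].items() if p in installed)
    if not matched:
        return {}
    return {p: set(advisory["cves"]) for p in advisory["packages"] if p in installed}


if __name__ == "__main__":
    print("grouped:", match_grouped(GROUPED_ADVISORY, INSTALLED))
    print("osv:    ", match_osv(OSV_RECORDS, INSTALLED, "Ubuntu:22.04"))
```

Run against the constructed host, the grouped path flags both CVEs on both packages even though `barutil` is already at its fixed version, while the OSV path reports only CVE-0000-0001 on `libfoo`. Replacing `_version_key` with a real dpkg or rpm comparison is the first thing a production implementation would need.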

This transition signals a broader industry move towards more granular, machine-readable vulnerability data. For security teams managing large RHEL, Ubuntu, and Debian fleets, the shift from advisory-grouped data to discrete CVE entries could significantly reduce alert fatigue and improve remediation accuracy. The update directly pressures legacy vulnerability management tools to adopt modern standards or risk providing misleading security postures to their users.