Ubuntu OVAL Data

Canonical produces data using the Open Vulnerability and Assessment Language (OVAL). This data can be used to scan an Ubuntu system or an official Ubuntu OCI image for known vulnerabilities caused by missing patches. The Ubuntu Security Team provides OVAL data for all supported Ubuntu releases.

There are two primary methods for consuming this data on your system: the cvescan snap or OpenSCAP.

Using cvescan
The cvescan tool is a standalone snap that outputs filtered, text-formatted vulnerability results to facilitate automation; it also includes additional functionality such as Nagios-compatible output. To begin using cvescan, install the snap:
sudo snap install cvescan
Next, run a scan by executing the command:
cvescan

Using OpenSCAP
First you will need to download the compressed XML.
wget https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.$(lsb_release -cs).cve.oval.xml.bz2
Uncompress the data
bunzip2 com.ubuntu.$(lsb_release -cs).cve.oval.xml.bz2
Next use OpenSCAP to evaluate the OVAL and generate an HTML report
oscap oval eval --report report.htm com.ubuntu.$(lsb_release -cs).cve.oval.xml
The output is written to the file report.htm; open it in your browser
xdg-open report.htm

Scanning an OCI Image
To scan an Ubuntu Official Cloud Image for known vulnerabilities, the manifest file and the OVAL XML data are used together. Unlike above, where we could use the lsb_release command to select the release, here you will need to enter the URL for the OVAL data manually. The example below uses bionic/18.04; replace this with the release you are inspecting.
wget https://people.canonical.com/~ubuntu-security/oval/oci.com.ubuntu.bionic.cve.oval.xml.bz2
bunzip2 oci.com.ubuntu.bionic.cve.oval.xml.bz2
Next, download the manifest file for the image.
wget -O manifest https://cloud-images.ubuntu.com/releases/bionic/release/ubuntu-18.04-server-cloudimg-amd64-root.manifest
Next use OpenSCAP to evaluate the OVAL and generate an HTML report
oscap oval eval --report report.htm oci.com.ubuntu.bionic.cve.oval.xml
The output is written to the file report.htm; open it in your browser
xdg-open report.htm
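Both procedures above (the host scan and the OCI image scan) end with an HTML report, which is fine for a person but awkward for automation. oscap oval eval also accepts --results FILE, which writes a machine-readable OVAL results document. The script below is an added example, not Canonical's cvescan or the OpenSCAP project's own code: it reads such a results file, lists the definitions the scanner flagged as applicable (result="true"), extracts the CVE id and Ubuntu priority from each definition's title, and returns a Nagios-style exit status. It assumes that the results file embeds the oval_definitions it was evaluated against (oscap does this by default) and that titles follow the Ubuntu feed's pattern "CVE-YYYY-NNNN on Ubuntu <release> - <priority>."; the embedded XML is a constructed sample with placeholder CVE ids, not real scanner output.

```python
"""Summarise an OpenSCAP OVAL results file from a scan against Ubuntu OVAL data.

Added example for this page, not Canonical's or OpenSCAP's code. Assumes the
file came from `oscap oval eval --results results.xml ...`, embeds the
<oval_definitions> it evaluated, and uses the Ubuntu feed's title pattern.
"""
import re
import sys
import xml.etree.ElementTree as ET

# OVAL 5 namespaces: the results document and the embedded definitions.
NS = {
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}
# Assumed title pattern of the Ubuntu feed, e.g. "CVE-... on Ubuntu 18.04 LTS (bionic) - medium."
TITLE_RE = re.compile(r"(CVE-\d{4}-\d{4,}) on Ubuntu .* - (\w+)\.?$")

# Nagios plugin exit codes, the convention cvescan's Nagios output also follows.
OK, WARNING, CRITICAL = 0, 1, 2
SEVERE = {"high", "critical"}

# Constructed sample results document; CVE-0000-000N are placeholders, not real CVEs.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
              xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <oval-def:oval_definitions>
    <oval-def:definitions>
      <oval-def:definition id="oval:com.ubuntu.bionic:def:1" version="1" class="vulnerability">
        <oval-def:metadata><oval-def:title>CVE-0000-0001 on Ubuntu 18.04 LTS (bionic) - high.</oval-def:title></oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:com.ubuntu.bionic:def:2" version="1" class="vulnerability">
        <oval-def:metadata><oval-def:title>CVE-0000-0002 on Ubuntu 18.04 LTS (bionic) - medium.</oval-def:title></oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:com.ubuntu.bionic:def:3" version="1" class="vulnerability">
        <oval-def:metadata><oval-def:title>CVE-0000-0003 on Ubuntu 18.04 LTS (bionic) - low.</oval-def:title></oval-def:metadata>
      </oval-def:definition>
    </oval-def:definitions>
  </oval-def:oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:com.ubuntu.bionic:def:1" version="1" result="true"/>
        <definition definition_id="oval:com.ubuntu.bionic:def:2" version="1" result="true"/>
        <definition definition_id="oval:com.ubuntu.bionic:def:3" version="1" result="false"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


def load_titles(root):
    """Map definition id -> title, read from the embedded <oval_definitions>."""
    titles = {}
    for d in root.iterfind(".//def:definitions/def:definition", NS):
        t = d.find("def:metadata/def:title", NS)
        titles[d.get("id")] = t.text.strip() if t is not None and t.text else ""
    return titles


def vulnerable_definitions(xml_text):
    """Return the definitions the scanner evaluated to result='true' (patch missing)."""
    root = ET.fromstring(xml_text)
    titles = load_titles(root)
    hits = []
    for d in root.iterfind(".//res:results/res:system/res:definitions/res:definition", NS):
        if d.get("result") != "true":
            continue
        did = d.get("definition_id")
        m = TITLE_RE.match(titles.get(did, ""))
        hits.append({
            "id": did,
            "cve": m.group(1) if m else None,
            "priority": m.group(2).lower() if m else "unknown",
        })
    return hits


def count_by_priority(hits):
    """Tally applicable definitions by Ubuntu priority."""
    counts = {}
    for h in hits:
        counts[h["priority"]] = counts.get(h["priority"], 0) + 1
    return counts


def exit_status(hits):
    """CRITICAL if any high/critical CVE applies, WARNING if any other applies, else OK."""
    if any(h["priority"] in SEVERE for h in hits):
        return CRITICAL
    return WARNING if hits else OK


def main(argv):
    # Pass the path of a real --results file; with no argument the constructed sample is used.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_RESULTS
    hits = vulnerable_definitions(text)
    for h in hits:
        print(f"{h['priority']:<8} {h['cve']}  {h['id']}")
    print("totals:", count_by_priority(hits))
    return exit_status(hits)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

For a host scan the invocation would be oscap oval eval --results results.xml --report report.htm com.ubuntu.$(lsb_release -cs).cve.oval.xml, followed by python3 oval_summary.py results.xml; the exit status can then gate a pipeline or feed a monitoring check the same way cvescan's Nagios output does.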

Conventions
The files are named using the convention: com.ubuntu.releaseName.cve.oval.xml.bz2
And for OCI images they use the same format with "oci." prepended.
oci.com.ubuntu.releaseName.cve.oval.xml.bz2