False positives for packages from yum module streams (perl, nginx) #388

Closed
wellhardh opened this issue Feb 11, 2022 · 7 comments

Comments

@wellhardh

We have an issue with false positives on RHEL 8 / CentOS 8 / Oracle Linux 8. We have tracked down the problem to the new module stream support in yum, i.e. the same application is delivered in multiple versions depending on what module is enabled, for example:

[root@host ~]# yum module list perl
Last metadata expiration check: 0:19:16 ago on Fri 11 Feb 2022 03:14:46 PM CET.
Oracle Linux 8 Application Stream (x86_64)
Name                Stream                  Profiles                          Summary                                               
perl                5.24                    common [d], minimal               Practical Extraction and Report Language              
perl                5.26 [d]                common [d], minimal               Practical Extraction and Report Language              
perl                5.30                    common [d], minimal               Practical Extraction and Report Language              

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled

Patchman reports updates for packages that belong to a more modern stream even if the machine is fully updated and is using the default stream, for example:

perl-4:5.26.3-420.el8-x86_64 -> perl-4:5.30.1-452.module+el8.4.0+20078+01326e37-x86_64 (Bugfix)
perl-algorithm-diff-1.1903-9.el8-noarch -> perl-algorithm-diff-1.1903-10.module+el8.3.0+7729+86a74f64-noarch (Bugfix)
perl-archive-tar-2.30-1.el8-noarch -> perl-archive-tar-2.32-440.module+el8.3.0+7729+86a74f64-noarch (Bugfix)

In the example above, perl-4:5.26.3-420.el8-x86_64 is the latest version for perl:5.26, but there exists a newer package for perl:5.30, which is not enabled on the machine.

I tried switching to perl:5.30 and indeed the update notification was removed from patchman, but always running the latest module stream is probably not a good idea.

@wellhardh
Author

I forgot my question. Is it possible to filter out package updates somehow, either manually in the web UI or with some other clever way?

@furlongm
Owner

Adding support for modularity is on my to-do list. You could maybe use something like grep -v ".module+" in the patchman-client for now?

@wellhardh
Author

I don't think filtering in the client will help because the updates are not listed by "yum -C list updates" and thus never reported to the server. It looks like the matching is done server side when the report is processed using the list of installed patches and the contents of the repository.
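
Added example, not part of the thread and not patchman's own code: a Python triage of report lines in the format quoted above, flagging a pending update as a likely cross-stream false positive when the candidate release carries the `.module+` marker and the installed release does not. The function names and the nginx line are constructed, and the heuristic is an assumption, not how patchman resolves module streams.

```python
import re

# Constructed sample: the three report lines quoted in this issue, plus one
# constructed nginx line for a host whose installed package is already modular.
REPORT = """\
perl-4:5.26.3-420.el8-x86_64 -> perl-4:5.30.1-452.module+el8.4.0+20078+01326e37-x86_64 (Bugfix)
perl-algorithm-diff-1.1903-9.el8-noarch -> perl-algorithm-diff-1.1903-10.module+el8.3.0+7729+86a74f64-noarch (Bugfix)
perl-archive-tar-2.30-1.el8-noarch -> perl-archive-tar-2.32-440.module+el8.3.0+7729+86a74f64-noarch (Bugfix)
nginx-1:1.18.0-2.module+el8.3.0+1111+aaaaaaaa-x86_64 -> nginx-1:1.18.0-3.module+el8.4.0+2222+bbbbbbbb-x86_64 (Security)
"""

UPDATE_LINE = re.compile(r"^(\S+) -> (\S+) \((\w+)\)$")
MODULE_MARKER = ".module+"  # release marker seen in the report lines above


def parse_nevra(text):
    """Split 'name-[epoch:]version-release-arch' as printed in the report."""
    name_version, release, arch = text.rsplit("-", 2)
    name, version = name_version.rsplit("-", 1)
    epoch, _, version = version.rpartition(":")
    return {"name": name, "epoch": epoch or "0", "version": version,
            "release": release, "arch": arch}


def triage(report):
    """Return (kept, suspect) lists of (installed, candidate, kind) tuples.

    Assumed heuristic: a candidate built for a module stream is suspect when
    the installed package is not modular, i.e. the update crosses streams.
    """
    kept, suspect = [], []
    for line in report.splitlines():
        match = UPDATE_LINE.match(line.strip())
        if not match:
            continue  # ignore anything that is not an update line
        installed = parse_nevra(match.group(1))
        candidate = parse_nevra(match.group(2))
        crosses = (MODULE_MARKER in candidate["release"]
                   and MODULE_MARKER not in installed["release"])
        (suspect if crosses else kept).append(
            (installed, candidate, match.group(3)))
    return kept, suspect


if __name__ == "__main__":
    kept, suspect = triage(REPORT)
    for inst, cand, kind in suspect:
        print(f"review: {inst['name']} {inst['release']} -> {cand['release']} ({kind})")
```

Suspect entries are flagged for review rather than dropped, so an update within a stream the host already uses stays in the kept list.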

@garbled1
Contributor

I'm having this same problem. I tried a few hacks to the patchman-client, but the problem is that once you run patchman -a on the server, it finds all the modules it could possibly have, and then says the server needs hundreds of updates. The more servers I upgrade to RHEL8, the more this breaks me.. :(

Running patchman 2.0.3

@Jolinar1

Jolinar1 commented Apr 5, 2022

I'm having the same type of issue with Rocky Linux 8.5 (Green Obsidian)
Patchman shows updates for zabbix, ruby, python and perl but there are actually none...

@furlongm
Owner

furlongm commented May 2, 2023

This should be addressed by https://github.com/furlongm/patchman/pull/400/files

Feel free to test and let me know if it works for you.

I may delay the release of this for the next major version of patchman as it requires migrations, but happy to discuss.

@furlongm
Owner

furlongm commented Aug 5, 2024

This should be resolved now, let me know if it is not

@furlongm furlongm closed this as completed Aug 5, 2024