VMaaS
VMaaS (Vulnerability Metadata as a Service) scans RPM repositories and imports CVE metadata to provide vulnerability data for the Vulnerability service. It consists of two containers: iop-service-vmaas-reposcan (a processor that syncs repository and CVE data) and iop-service-vmaas-webapp-go (an API backend that exposes the ingested data for querying by the Vulnerability service).
Overview
VMaaS Reposcan periodically synchronizes two kinds of data: RPM repository metadata from Pulp and CVE metadata from Red Hat's security data. The webapp-go component queries the resulting database to answer vulnerability evaluation requests from the Vulnerability service.
Repository Sync (Reposync)
Reposync retrieves RPM repository metadata from Foreman's content management system (Katello/Pulp). In IoP, the reposcan container communicates with Katello through the IoP Gateway's bidirectional Smart Proxy relay on port 9090.
The sync follows these steps:
- List organizations — Reposcan calls the Katello API to enumerate all Foreman organizations:
- List repositories — For each organization, reposcan queries all Red Hat-marked yum repositories:
Only repositories with content_type: yum are processed. The response includes the Pulp repository URL in the full_path field.
3. Download debug certificates — For each organization, reposcan downloads a debug certificate (also known as an access certificate) that grants access to the organization's content in Pulp:
- Download repository metadata — Using the debug certificates, reposcan connects directly to Pulp (bypassing the gateway) to download repository metadata files:
repomd.xml,primary.xml, andupdateinfo.xml. The metadata is parsed to extract package and errata information. - Store per organization — Repository data is stored in the database per organization. Systems are evaluated within the context of the organization they belong to.
Reposcan downloads metadata directly from Pulp using the URLs and certificates obtained from the Katello API. The gateway is only used for the Katello API calls, not for the actual repository content.
The Katello connection is configured through the following environment variables:
The Katello CA certificate is mounted into the container at /katello-server-ca.crt via the Podman secret iop-service-vmaas-reposcan-client-ca-cert.
CVE Map (cvemap.xml)
The CVE map provides Red Hat-specific CVE metadata (severity, CVSS scores, CWE identifiers, affected products). It is delivered to VMaaS in two stages: first the file is downloaded to the Foreman host, then reposcan imports it.
Download to Host
A systemd timer (iop-cvemap-download.timer) runs every 24 hours (configurable via iop_cvemap_downloader_timer_interval) and executes a download script that fetches cvemap.xml from Red Hat's security data:
The file is placed at a location served by Apache httpd:
When the download script detects that the file has been updated, it triggers a full VMaaS sync through the gateway using mTLS with the Foreman client certificate:
The trigger is retried up to 5 times with exponential backoff if the gateway is not yet available.
The timer, service, and path units are managed by the foremanctl iop_cvemap_downloader role, or the legacy puppet-iop cvemap_downloader class.
The foremanctl role provides the following configuration variables:
Disconnected Environments
In disconnected (air-gapped) environments, cvemap.xml must be copied manually to:
A systemd path unit (iop-cvemap-download.path) watches this file for changes. When the file is modified, it triggers the download service, which copies the file to the public location and triggers the VMaaS sync.
Import by Reposcan
Reposcan fetches cvemap.xml from the IoP Gateway, which serves the file from Apache's public directory via the Smart Proxy relay:
The iop-core-gateway domain is only avaiable from the iop container network.
The import process checks the Last-Modified header against the last known timestamp in the database. If the file is newer, it downloads and parses the XML, extracting CVE data including threat severity, CVSS v2/v3 scores, CWE identifiers, published and modified dates, and descriptions. The data is stored in the vmaas_db database.
The CVE map URL is configured via the REDHAT_CVEMAP_URL environment variable.
Configuration
Reposcan Environment Variables
Webapp-Go Environment Variables
Database
Both containers connect to the vmaas_db PostgreSQL database as user vmaas_admin. Database credentials are supplied through Podman secrets. See Database Topology for details.