Red Hat Advanced Cluster Management
ACM-9793

Scan for package dependency vulnerabilities prior to release


    • Type: Feature
    • Resolution: Unresolved
    • Priority: Undefined
    • DevOps

      Feature Overview

      The product's container images can ship with known CVEs and other published vulnerabilities.

      Scanning the images before release and reporting any known vulnerabilities that customers would expect to have been fixed already would catch these before they reach customers.

      Goals

      This Section: Provide high-level goal statement, providing user context
      and expected user outcome(s) for this feature

      • As a contributor to the product, I expect to be notified if the images I develop contain a vulnerability or CVE that needs to be resolved prior to the release of the product.

      Requirements

      This Section: A list of specific needs or objectives that a Feature must
      deliver to satisfy the Feature. Some requirements will be flagged as MVP.
      If an MVP requirement gets shifted, the feature shifts. If a non-MVP requirement slips,
      it does not shift the feature.

      Requirement | Notes | isMvp?
      CI | MUST be running successfully with test automation. This is a requirement for ALL features. | YES
      Release Technical Enablement | Provide necessary release enablement details and documents. | YES

       

      Background, and strategic fit

      This comes from a customer who recently scanned the MCE 2.4.3 images and found CVEs that should have already been resolved. We want to know that the images contain these vulnerabilities before a customer discovers them.

      Slack thread context: https://redhat-internal.slack.com/archives/C012L9Y9C79/p1707152805630249

       

      Assumptions

      • The CVEs and vulnerabilities we're looking for have already been published, and their fix due date falls before the release date of the product
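      As an added example (not code from this ticket, from ACM/MCE, or from any scanner), the release gate below applies exactly that assumption to a scan report: a finding blocks the release only when a fixed version exists, the CVE was published before the planned release date, any explicit remediation due date is not later than the release date, and the severity meets a threshold. Findings with no fix available are surfaced for tracking rather than treated as blockers. The report structure is a constructed simplification of what image scanners emit, not any tool's real schema, and the image references, CVE identifiers, packages and dates are invented.

```python
"""Release gate over a container-image vulnerability scan report.

Added example for ACM-9793; it is not part of the ticket, of ACM/MCE, or of
any scanner's own code. The report shape is a constructed simplification of
what image scanners emit (not any tool's exact schema), and the image
references, CVE identifiers, packages and dates are invented for illustration.
"""
import sys
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Ordering used for the severity threshold; unrecognised labels rank lowest.
SEVERITY_RANK = {"Negligible": 0, "Unknown": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Finding:
    image: str                 # image reference the finding belongs to
    cve: str                   # CVE identifier as reported by the scanner
    package: str               # affected package name
    installed: str             # version present in the image
    fixed_in: Optional[str]    # version carrying the fix, or None if no fix has shipped
    severity: str              # scanner severity label
    published: date            # CVE publication date
    fix_due: Optional[date]    # explicit remediation due date, if policy set one


# Constructed sample report: two hypothetical images, four findings.
SAMPLE_REPORT: List[Finding] = [
    Finding("registry.example/mce/foo:2.4.3", "CVE-2023-0001", "libfoo", "1.0.1", "1.0.2",
            "High", date(2023, 11, 2), None),
    Finding("registry.example/mce/foo:2.4.3", "CVE-2024-0002", "libbar", "2.3.0", None,
            "Critical", date(2024, 1, 20), None),
    Finding("registry.example/mce/bar:2.4.3", "CVE-2024-0003", "libbaz", "0.9.0", "0.9.1",
            "Medium", date(2024, 2, 10), date(2024, 3, 1)),
    Finding("registry.example/mce/bar:2.4.3", "CVE-2024-0004", "libqux", "3.1.0", "3.1.1",
            "Low", date(2024, 1, 5), None),
]


def should_be_resolved(finding: Finding, release_date: date, min_severity: str) -> bool:
    """True when customers could reasonably expect this finding fixed at release:
    a fixed version exists, the CVE was public before the release date, the
    remediation due date (if any) is not after the release date, and the
    severity meets the threshold."""
    if finding.fixed_in is None:
        return False  # nothing to upgrade to yet; reported separately by unfixed()
    if finding.published >= release_date:
        return False  # published on or after ship day, so not "already expected fixed"
    if finding.fix_due is not None and finding.fix_due > release_date:
        return False  # remediation is due in a later release
    return SEVERITY_RANK.get(finding.severity, 0) >= SEVERITY_RANK[min_severity]


def release_gate(report: List[Finding], release_date_iso: str,
                 min_severity: str = "Medium") -> Dict[str, List[str]]:
    """Return blocking CVE ids grouped by image; an empty dict means the release may proceed."""
    release_date = date.fromisoformat(release_date_iso)
    blocked: Dict[str, List[str]] = {}
    for f in report:
        if should_be_resolved(f, release_date, min_severity):
            blocked.setdefault(f.image, []).append(f.cve)
    return blocked


def unfixed(report: List[Finding]) -> List[Finding]:
    """Findings with no fixed version yet: tracked, but not release blockers."""
    return [f for f in report if f.fixed_in is None]


def format_summary(report: List[Finding], release_date_iso: str,
                   min_severity: str = "Medium") -> str:
    """One line per blocking image and per unfixable finding, for the CI log."""
    lines = []
    for image, cves in release_gate(report, release_date_iso, min_severity).items():
        lines.append(f"BLOCK {image}: {', '.join(cves)}")
    for f in unfixed(report):
        lines.append(f"TRACK {f.image}: {f.cve} in {f.package} {f.installed} (no fix available)")
    return "\n".join(lines) if lines else "OK: no blocking vulnerabilities"


if __name__ == "__main__":
    # Usage: python release_gate.py 2024-02-15 [Medium|High|Critical]
    release = sys.argv[1] if len(sys.argv) > 1 else "2024-02-15"
    threshold = sys.argv[2] if len(sys.argv) > 2 else "Medium"
    print(format_summary(SAMPLE_REPORT, release, threshold))
    sys.exit(1 if release_gate(SAMPLE_REPORT, release, threshold) else 0)
```

      In a pipeline the non-zero exit code is what fails the release job; the severity threshold and the due-date check are the two knobs a release team would tune, and the "TRACK" lines keep unfixable findings visible without blocking on something no upgrade can fix yet.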

      Customer Considerations

      • Ideally, customers receive the product and its images without any known, unresolved vulnerabilities

      Documentation Considerations

      Questions to be addressed:

      • What educational or reference material (docs) is required to support this
        product feature? For users/admins? Other functions (security officers, etc)?
      • Does this feature have a doc impact?
      • New Content, Updates to existing content, Release Note, or No Doc Impact
      • If unsure and no Technical Writer is available, please contact Content
        Strategy.
      • What concepts do customers need to understand to be successful in
        [action]?
      • How do we expect customers will use the feature? For what purpose(s)?
      • What reference material might a customer want/need to complete [action]?
      • Is there source material that can be used as reference for the Technical
        Writer in writing the content? If yes, please link if available.
      • What is the doc impact (New Content, Updates to existing content, or
        Release Note)?

            pahickey@redhat.com Patrick Hickey
            cchun@redhat.com Crystal Chun