-
Epic
-
Resolution: Unresolved
-
Major
-
None
-
None
-
None
-
nodejs Support
-
False
-
False
-
To Do
-
CLAIRDEV-11 - Language package vulnerability scanning in ClairV4
-
-
0
-
0%
-
Undefined
Epic Goal
- Clair v4 can detect NodeJS applications and their imported modules
- Clair v4 can leverage NodeJS security vulnerability feeds in order to match known vulnerabilities in NPM modules to a given application in a container images
Why is this important?
- NodeJS is a dominant programming language in the domain of cloud-native apps, especially user frontend which fit the stateless layer support in Kubernetes very well
Scenarios
- NodeJS-based applications in container images and their imports can be detected
- Known CVEs are matched against detected imports and define vulnerabilities associated with the container image
Acceptance Criteria
- Capability is enabled by default
- Capability can be disabled
- CI - MUST be running successfully with tests automated
- Release Technical Enablement - Provide necessary release enablement details and documents.
- Downstream documentation
Dependencies (internal and external)
- CRDA feed data for NPM packages
Previous Work (Optional):
- Python package manager enablement
Done Checklist
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Downstream documentation merged: <link to meaningful PR>
- clones
-
-
- Closed
-
- incorporates
-
PROJQUAY-5099 Support npm package.json files in Clair
-
- Closed
-
