There is currently a blocker on the product security side and how we present CVE information to customers preventing the implementation of the desired one tracker for each vulnerability found in a given flavour of fuse.

Without the ability to break down the trackers into each flavour of fuse (via a PSComponent) we are unable to claim a fix as all instances (flavours), this is not possible with the proposed patching tool.

DoD

• A proposed workflow for ProdSec MW/AS
• The ability to create a product security tracker specifically for a flavour of fuse (Karaf or Spring Boot initially)
• The ability for an RHSA to mark that flavour fixed upon posting metadata