This is a significant change; CEE should be aware that it is taking place.

      Feature Overview

CSAF (Common Security Advisory Framework) and VEX (Vulnerability Exploitability eXchange) are current standards for publishing vulnerability information about software. Clair needs to support them to produce more accurate vulnerability reports, since Red Hat InfoSec will gradually adopt these formats to replace the current OVAL v2 data feeds.

      Goals

Clair can correctly ingest CSAF and VEX data and use it to produce vulnerability reports for software content indexed from container / OCI images. This addresses the reporting problems described in OCPSTRAT-1090 and, in general, lowers the probability of false positives and improves the accuracy of severity ratings.

      Requirements (aka. Acceptance Criteria):

Clair needs to support the CSAF/VEX feeds published by Red Hat ProdSec within its updater framework: either add corresponding updaters, or change the existing "rhel" updater to consume the CSAF/VEX feeds instead of the current OVAL v2 feeds.
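The following is an added illustration of the ingest step described above; it is not Clair code and does not reflect how the Clair updater framework is structured. It parses a constructed CSAF 2.0 VEX document into a per-CVE, per-product index, keeps the vendor_fix remediation URL for fixed products, and rejects a document that lists one product under two mutually exclusive status arrays (which the CSAF spec forbids). The CVE ID, product IDs and URL in the sample are placeholders, not real Red Hat data. The point a practitioner wants to see is the known_not_affected status: a VEX feed can state explicitly that a package build is not affected, which an OVAL-style "installed version < fixed version" comparison cannot express.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Status is the per-product verdict a CSAF VEX document gives for one CVE.
type Status string

const (
	StatusFixed              Status = "fixed"
	StatusAffected           Status = "affected"
	StatusNotAffected        Status = "not_affected"
	StatusUnderInvestigation Status = "under_investigation"
	StatusUnknown            Status = "unknown" // product not mentioned for this CVE
)

// Record is what an updater would store per (CVE, product_id).
type Record struct {
	Status Status
	FixURL string // vendor_fix remediation URL, when one is published
}

// vexDoc is the subset of the CSAF 2.0 schema needed for status lookups.
type vexDoc struct {
	Document struct {
		Tracking struct {
			ID string `json:"id"`
		} `json:"tracking"`
	} `json:"document"`
	Vulnerabilities []struct {
		CVE           string `json:"cve"`
		ProductStatus struct {
			Fixed              []string `json:"fixed"`
			KnownAffected      []string `json:"known_affected"`
			KnownNotAffected   []string `json:"known_not_affected"`
			UnderInvestigation []string `json:"under_investigation"`
		} `json:"product_status"`
		Remediations []struct {
			Category   string   `json:"category"`
			URL        string   `json:"url"`
			ProductIDs []string `json:"product_ids"`
		} `json:"remediations"`
	} `json:"vulnerabilities"`
}

// Index maps CVE -> product_id -> Record.
type Index map[string]map[string]Record

// ParseVEX builds an Index from one CSAF VEX document. A product that appears
// under two status arrays for the same CVE violates the spec and is rejected.
func ParseVEX(raw []byte) (Index, error) {
	var doc vexDoc
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, fmt.Errorf("csaf: bad json: %w", err)
	}
	idx := Index{}
	for _, v := range doc.Vulnerabilities {
		if v.CVE == "" {
			return nil, fmt.Errorf("csaf %s: vulnerability without cve", doc.Document.Tracking.ID)
		}
		per := map[string]Record{}
		ps := v.ProductStatus
		for _, grp := range []struct {
			ids []string
			s   Status
		}{{ps.Fixed, StatusFixed}, {ps.KnownAffected, StatusAffected},
			{ps.KnownNotAffected, StatusNotAffected}, {ps.UnderInvestigation, StatusUnderInvestigation}} {
			for _, id := range grp.ids {
				if prev, dup := per[id]; dup {
					return nil, fmt.Errorf("csaf %s: %s lists %s as both %s and %s",
						doc.Document.Tracking.ID, v.CVE, id, prev.Status, grp.s)
				}
				per[id] = Record{Status: grp.s}
			}
		}
		// Attach the vendor fix (errata) URL to the products it covers.
		for _, r := range v.Remediations {
			if r.Category != "vendor_fix" {
				continue
			}
			for _, id := range r.ProductIDs {
				if rec, ok := per[id]; ok {
					rec.FixURL = r.URL
					per[id] = rec
				}
			}
		}
		idx[v.CVE] = per
	}
	return idx, nil
}

// Lookup answers "is product pid affected by cve?" the way a matcher would;
// a product the document does not mention yields StatusUnknown, not "affected".
func (idx Index) Lookup(cve, pid string) Record {
	if rec, ok := idx[cve][pid]; ok {
		return rec
	}
	return Record{Status: StatusUnknown}
}

// SampleVEX is a constructed document in CSAF 2.0 VEX shape (placeholder data).
const SampleVEX = `{
  "document": {"category": "csaf_vex", "csaf_version": "2.0", "tracking": {"id": "EXAMPLE-VEX-0001"}},
  "vulnerabilities": [{
    "cve": "CVE-0000-0001",
    "product_status": {
      "fixed": ["rhel-9:example-0:1.2.3-4.el9"],
      "known_not_affected": ["rhel-9:example-0:1.2.0-1.el9"],
      "known_affected": ["rhel-8:example-0:1.1.0-7.el8"]
    },
    "remediations": [{"category": "vendor_fix", "url": "https://example.invalid/errata/RHSA-0000:0001",
                      "product_ids": ["rhel-9:example-0:1.2.3-4.el9"]}]
  }]
}`

func main() {
	idx, err := ParseVEX([]byte(SampleVEX))
	if err != nil {
		panic(err)
	}
	for _, pid := range []string{"rhel-9:example-0:1.2.3-4.el9", "rhel-9:example-0:1.2.0-1.el9",
		"rhel-8:example-0:1.1.0-7.el8", "rhel-7:example-0:1.0.0-1.el7"} {
		fmt.Printf("%-30s %+v\n", pid, idx.Lookup("CVE-0000-0001", pid))
	}
}
```

Note that the product IDs in real Red Hat CSAF documents are composite identifiers resolved through the product_tree relationships; a production updater has to walk that tree to map a product ID back to a (distribution, package NEVRA) pair before matching against indexed content.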


      Anyone reviewing this Feature needs to know which deployment configurations that the Feature will apply to (or not) once it's been completed.  Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out-of-scope for a given release, ensure you provide the OCPSTRAT (for the future to be supported configuration) as well.

Deployment considerations                                          | List applicable specific needs (N/A = not applicable)
-------------------------------------------------------------------|-------------------------------------------------------
Self-managed, managed, or both                                     | N/A
Classic (standalone cluster)                                       | N/A
Hosted control planes                                              | N/A
Multi node, Compact (three node), or Single node (SNO), or all     | N/A
Connected / Restricted Network                                     | Self-managed needs CSAF/VEX feeds to be available offline
Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) | N/A
Operator compatibility                                             | N/A
Backport needed (list applicable versions)                         | N/A
UI need (e.g. OpenShift Console, dynamic plugin, OCM)              | N/A
Other (please specify)                                             | N/A

      Questions to Answer (Optional):

      • When are the CSAF/VEX feeds from ProdSec ready for production?

      Background

      Customer Considerations

      For customers, this should be a transparent change.

      Documentation Considerations

The product documentation needs to list the new URL endpoints for retrieving the CSAF/VEX feeds so that customers can allow-list them in their firewalls/proxies.

Daniel Messer
Henry Donnay
Joseph Crosland
Steven Smith
Marina Kalinin