Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-1126

Support for CSAF/VEX in Clair

    XMLWordPrintable

Details

    • False
    • Hide

      None

      Show
      None
    • False
    • 50
    • 50% 50%
    • 0
    • 0

    Description

      Feature Overview

      CSAF and VEX are modern standards for disclosing information about vulnerabilities in software. Clair will need to support those to provide more accurate vulnerability reports since Red Hat InfoSec will gradually adopt these standards to replace the current OVAL v2 data format.

      Goals

      Clair can correctly ingest CSAF and VEX data and use it to create vulnerability reports for indexed software content from container / OCI images. This will solve some problems found with the current reporting as described in OCPSTRAT-1090 and generally lower the probability of false positives and increase accuracy in rating.

      Requirements (aka. Acceptance Criteria):

      Clair needs to be able to support the CSAF/VEX formats from Red Hat ProdSec within the updater framework and have corresponding updaters or change the "rhel" updated to use the CSAF/VEX feeds instead of the current OVAL v2 feeds.

       

      Anyone reviewing this Feature needs to know which deployment configurations that the Feature will apply to (or not) once it's been completed.  Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out-of-scope for a given release, ensure you provide the OCPSTRAT (for the future to be supported configuration) as well.

      Deployment considerations List applicable specific needs (N/A = not applicable)
      Self-managed, managed, or both N/A
      Classic (standalone cluster) N/A
      Hosted control planes N/A
      Multi node, Compact (three node), or Single node (SNO), or all N/A
      Connected / Restricted Network Self-managed needs CSAF/VEX feeds to be available offline
      Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) N/A
      Operator compatibility N/A
      Backport needed (list applicable versions) N/A
      UI need (e.g. OpenShift Console, dynamic plugin, OCM) N/A
      Other (please specify) N/A

      Questions to Answer (Optional):

      • When are the CSAF/VEX feeds from ProdSec ready for production?

      Background

      Customer Considerations

      For customers, this should be a transparent change.

      Documentation Considerations

      The product documentation needs to include the new URL endpoints for retrieving the CSAF/VEX feeds for allow-listing them in customers' firewalls/proxies.

      Attachments

        Activity

          People

            DanielMesser Daniel Messer
            DanielMesser Daniel Messer
            Henry Donnay
            Joseph Crosland Joseph Crosland
            Steven Smith Steven Smith
            Daniel Messer Daniel Messer
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated: