Project: OpenShift Container Platform (OCP) Strategy
Issue: OCPSTRAT-668

Better Errata Tracking for RHCOS Phase 1: CVEs

    • Feature
    • Resolution: Done
    • Major
    • openshift-4.14
    • OS

      Feature Overview (aka. Goal Summary)  

      Today it is not a simple task to track a fix from RHEL into RHCOS releases. Eventually we want it to be easy for customers to understand all changes between versions of RHCOS. First and most important, however, is better notification & tracking of CVE remediation for RHEL components in OCP.

      Goals (aka. expected user outcomes)

      As an OpenShift Container Platform customer, I need to be able to determine whether my OCP cluster is impacted by a security vulnerability/CVE and, if so, which OCP updates contain the fix.

      Currently, Product Security cannot track RHEL security vulnerabilities/CVEs that also affect OCP. Customers do not know that their clusters are impacted. Shipping the fix in RHEL 8 does not immediately fix it in OCP/RHCOS. A new build of RHCOS based on the updated packages needs to be made available for each active, supported version of OCP. Even then, if customers don't know they are affected, they won't know they need to update.

      The goal for this phase is for RHEL component CVE pages to also track affected RHCOS releases.

            Mark Russell (rhn-support-mrussell)
            Michael Nguyen
            Ashley Hardin
            Derrick Ornelas