-
Epic
-
Resolution: Done
-
Critical
-
None
-
None
-
View App Dependency vulnerabilities in Project Dashboard
-
To Do
-
Impediment
-
0% To Do, 0% In Progress, 100% Done
-
S
-
GA
-
2
Overview
Vulnerabilities were added to OpenShift Developer Console in 4.7, but are limited to base image vulnerabilities. Quay 3.5 is a dependency to be able to support application dependencies and Snyk integration.
Problem:
Currently, developers don't have visibility into vulnerabilities in their projects.
Goal:
Our initial requirement is to allow developers the ability to view vulnerabilities across all container images within a specific Project.
Why is it important?
Use cases:
To be updated/confirmed via Epic Exploration
- As a developer, I want to view a count of all vulnerabilities related to app stack dependencies, across all apps in my project.
- As a developer, I want to be able to see the vulnerability counts per application in my project.
- As a developer, I want to be able to view a list of vulnerabilities, severity, name of the direct dependency, current version, fixed-in version, and recommended version
- As a developer, I want to be able to click through a vulnerability to get more details from Snyk
Acceptance criteria
As a developer, ...
- I should be able to see a list of vulnerabilities in the Vulnerabilities tab of the Project page
- I should be able to differentiate between different vulnerability severities
- I should be able to drill in and see the details of one of the vulnerabilities
- I should be able to filter between All vulnerabilities, App dependency or Base Image vulnerabilities on the IMV Details page
- I should be able to access Snyk data when available
Dependencies (External/Internal):
CSO
Quay 3.5
Slack Channel
#tmp-odc-app-vulnerabilities in CoreOS slack
Design Artifacts:
UX design: https://github.com/openshift/openshift-origin-design/pull/508
Exploration Results
Artifacts from Epic Exploration can be found in this drive
– Update this list after Epic Exploration
- GA feature, thus should be properly documented
- GA feature, thus need to provide enablement
- Include in what's new RHD blog
- Consider for stretch RHD blog
Step 1 - Empathize
Step 2 - Define
Step 3 - Ideate
Note:
Initial use case/journey ideas https://docs.google.com/presentation/d/12XmfeoZxnaOjsbRMIGr7FJtrE9ywvW5B2tEFi2wG3dQ/edit?usp=sharing
Notes
Depending on the user's role, the permissions might limit the sorts of actions they have access to.
- clones
-
ODC-4372 View Base Image vulnerabilities in Project Dashboard
- Closed
- is blocked by
-
PROJQUAY-963 Add discriminator field in secscan response to classify App vs OS level vulnerability
- Closed
- links to
1.
|
Docs Tracker | Closed | Shipra Singh | ||
2.
|
QE Tracker | Closed | Sanket Pathak | ||
3.
|
TE Tracker | Closed | Unassigned |