Loading...

XML

Word

Printable

Details

Type: Epic
Resolution: Done
Priority: Critical
Fix Version/s: openshift-4.11
Affects Version/s: None
Component/s: None
Labels:

Epic Name:
View App Dependency vulnerabilities in Project Dashboard
Epic Status:
To Do
Flagged:

Impediment
Hierarchy Progress:
100
Hierarchy Progress Bar:

100% 100%
Size:
S
Support Scope:
GA
Target Version:

openshift-4.11

Actual Effort:
2

SFDC Cases Links:
SFDC Cases Counter:

Description

Overview

Vulnerabilities were added to OpenShift Developer Console in 4.7, but are limited to base image vulnerabilities. Quay 3.5 is a dependency to be able to support application dependencies and Snyk integration.

Problem:

Currently, developers don't have visibility into vulnerabilities in their projects.

Goal:

Our initial requirement is to allow developers the ability to view vulnerabilities across all container images within a specific Project.

Why is it important?

Use cases:

To be updated/confirmed via Epic Exploration

As a developer, I want to view a count of all vulnerabilities related to app stack dependencies, across all apps in my project.
As a developer, I want to be able to see the vulnerability counts per application in my project.
As a developer, I want to be able to view a list of vulnerabilities, severity, name of the direct dependency, current version, fixed-in version, and recommended version
As a developer, I want to be able to click through a vulnerability to get more details from Snyk

Acceptance criteria

As a developer, ...

I should be able to see a list of vulnerabilities in the Vulnerabilities tab of the Project page
1. I should be able to differentiate between different vulnerability severities
I should be able to drill in and see the details of one of the vulnerabilities
1. I should be able to filter between All vulnerabilities, App dependency or Base Image vulnerabilities on the IMV Details page
2. I should be able to access Snyk data when available

Dependencies (External/Internal):

CSO

Quay 3.5

Slack Channel

#tmp-odc-app-vulnerabilities in CoreOS slack

Design Artifacts:

UX design: https://github.com/openshift/openshift-origin-design/pull/508

Exploration Results

Artifacts from Epic Exploration can be found in this drive
– Update this list after Epic Exploration

GA feature, thus should be properly documented
GA feature, thus need to provide enablement
Include in what's new RHD blog
Consider for stretch RHD blog

Step 1 - Empathize
Step 2 - Define
Step 3 - Ideate

Note:

Initial use case/journey ideas https://docs.google.com/presentation/d/12XmfeoZxnaOjsbRMIGr7FJtrE9ywvW5B2tEFi2wG3dQ/edit?usp=sharing

Notes

Depending on the user's role, the permissions might limit the sorts of actions they have access to.

Attachments

Issue Links

clones

ODC-4372 View Base Image vulnerabilities in Project Dashboard

Closed

is blocked by

PROJQUAY-963 Add discriminator field in secscan response to classify App vs OS level vulnerability

Closed

links to

openshift/console#11325: Gherkin and automation for project vulnerability

Sub-Tasks

1.	Docs Tracker	Closed	Shipra Singh
2.	QE Tracker	Closed	Sanket Pathak
3.	TE Tracker	Closed	Unassigned

Activity

People

Assignee:: Vikram Raj

Reporter:: Serena Nichols

Owner:: Vikram Raj

QA Contact:: Sanket Pathak

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: 2020/11/12 3:09 PM

Updated:: 2022/08/26 2:58 PM

Resolved:: 2022/07/28 8:49 AM