Project Quay / PROJQUAY-1279

Allow users to silence specific CVEs per repo / per org


      Goal: Allow organization and repository owners in Quay to suppress specific CVEs so that disputed or irrelevant CVEs do not influence the image rating/scan results anymore.

      Example: This vulnerability has been disputed and appears to be an application error rather than a glibc error per https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-8804

      Acceptance criteria:

      • CVE suppression occurs entirely in Quay
      • an organization admin can define a list of CVE identifiers, which are then suppressed in any CVE report of any manifest in any repository in that organization
      • a repository admin can define a list of CVE identifiers at the repository level, which are then suppressed in any CVE report of any manifest in that repository
      • a repository admin can define a list of CVE identifiers in the context of a manifest, which are then suppressed in the CVE report of the manifest
      • the manifest security API endpoint in Quay will by default omit suppressed CVEs but can be called in a way where suppressed CVEs are part of the report
      • CVE reports can optionally show suppressed CVEs in the UI but don't do that by default (needs to be possible in API and UI)
      • CVE reports in the UI by default show the number of suppressed CVEs in summary sections
      • if different CVE identifiers are configured to be suppressed at the organization and/or repository and/or manifest level, they will be combined into a larger set that will be used to filter the vulnerability report of a manifest
      • suppressed CVEs never cause or are included in Repository notifications
      • modifications of CVE suppression settings are logged in the action logs
      • CVE identifiers are entered as alphanumeric strings without spaces
      • when retrieving a vulnerability report, filtering for suppressed CVEs is done by matching the configured CVE identifiers as substrings against the CVE identifiers in the original report from Clair
      • CVE suppression is only implemented in the new UI; the old UI will only show reports filtered for the configured CVE suppressions
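      The following is an added worked example of the filtering behaviour the acceptance criteria describe; it is not Quay's own code and does not use Quay's internal APIs. It merges the organization, repository and manifest suppression lists into one set, filters a scan report by substring match, counts suppressed CVEs for a summary, can optionally keep suppressed entries for the "show suppressed" view, and keeps suppressed CVEs out of the notification decision. Assumptions: the report shape (a "Features" list with per-feature "Vulnerabilities", each with "Name" and "Severity") is a simplified stand-in modelled loosely on the manifest security endpoint; hyphens are accepted in identifiers because real CVE identifiers contain them; the "Suppressed"/"SuppressedBy" fields, the severity ranking and the notification threshold are illustrative choices; the sample report and its CVE identifiers other than CVE-2017-8804 are constructed placeholders, not real findings.

```python
import copy
import re
from dataclasses import dataclass, field

# Identifier rule from the acceptance criteria: no whitespace. Hyphens are
# an assumption here, since real CVE identifiers contain them.
CVE_ID_RE = re.compile(r"[A-Za-z0-9-]+")


def validate_identifier(cve_id: str) -> str:
    """Normalize one configured identifier; reject spaces or other characters."""
    cve_id = cve_id.strip()
    if not CVE_ID_RE.fullmatch(cve_id):
        raise ValueError(f"invalid CVE identifier: {cve_id!r}")
    return cve_id.upper()


def combined_suppressions(org: list[str], repo: list[str], manifest: list[str]) -> set[str]:
    """Union of the organization, repository and manifest lists (the combining criterion)."""
    return {validate_identifier(c) for scope in (org, repo, manifest) for c in scope}


def matching_suppressions(vuln_name: str, suppressions: set[str]) -> list[str]:
    """Substring match, as the criteria specify: every configured identifier that occurs
    inside the reported name counts, so a short identifier matches many reported CVEs."""
    return sorted(s for s in suppressions if s in vuln_name.upper())


@dataclass
class FilterSummary:
    visible: int = 0
    suppressed: int = 0
    # configured identifier -> reported CVE names it suppressed (for the summary section)
    suppressed_by: dict = field(default_factory=dict)


def filter_report(report: dict, suppressions: set[str], include_suppressed: bool = False):
    """Return (filtered copy of the report, summary).

    By default suppressed CVEs are dropped. With include_suppressed=True they stay in
    the report tagged with "Suppressed": True (field name is an assumption) so a UI or
    API caller can show them on request.
    """
    out = copy.deepcopy(report)
    summary = FilterSummary()
    for feature in out["data"]["Layer"]["Features"]:
        kept = []
        for vuln in feature.get("Vulnerabilities", []):
            matched = matching_suppressions(vuln["Name"], suppressions)
            if not matched:
                summary.visible += 1
                kept.append(vuln)
                continue
            summary.suppressed += 1
            for m in matched:
                summary.suppressed_by.setdefault(m, []).append(vuln["Name"])
            if include_suppressed:
                kept.append({**vuln, "Suppressed": True, "SuppressedBy": matched})
        feature["Vulnerabilities"] = kept
    return out, summary


# Illustrative severity ranking; the real notification threshold is a Quay setting.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}


def should_notify(report: dict, suppressions: set[str], min_severity: str = "High") -> bool:
    """Repository notification decision: only non-suppressed vulnerabilities at or above
    the threshold count, so a suppressed CVE can never cause a notification."""
    filtered, _ = filter_report(report, suppressions, include_suppressed=False)
    threshold = SEVERITY_RANK[min_severity]
    return any(
        SEVERITY_RANK.get(v.get("Severity", "Unknown"), 0) >= threshold
        for f in filtered["data"]["Layer"]["Features"]
        for v in f["Vulnerabilities"]
    )


# Constructed sample report (simplified shape, placeholder CVE identifiers); not real scan output.
SAMPLE_REPORT = {
    "status": "scanned",
    "data": {"Layer": {"Features": [
        {"Name": "glibc", "Version": "2.28-10", "Vulnerabilities": [
            {"Name": "CVE-2017-8804", "Severity": "Medium"},
            {"Name": "CVE-2099-1111", "Severity": "High"},
        ]},
        {"Name": "openssl", "Version": "1.1.1k", "Vulnerabilities": [
            {"Name": "CVE-2099-2222", "Severity": "High"},
        ]},
        {"Name": "busybox", "Version": "1.35", "Vulnerabilities": []},
    ]}},
}

if __name__ == "__main__":
    sup = combined_suppressions(org=["CVE-2017-8804"], repo=["cve-2099-1111"], manifest=[])
    filtered, summary = filter_report(SAMPLE_REPORT, sup)
    print(f"visible={summary.visible} suppressed={summary.suppressed}")  # visible=1 suppressed=2
    print("notify:", should_notify(SAMPLE_REPORT, sup))  # True: CVE-2099-2222 is High and not suppressed
```

      Because matching is by substring, the summary records which configured identifier suppressed which reported CVE; an identifier like "CVE-2099" silences every report name containing it, which is what the criteria call for but is worth surfacing to the admin in the summary.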

            Oleg Bulatov (obulatov@redhat.com)
            Kyle Brown (kybrown@redhat.com) (Inactive)
            Votes: 3
            Watchers: 8