Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-1724

Clair v4 uses NVD data to complement missing severity

    XMLWordPrintable

Details

    • Clair v4 uses NVD data
    • False
    • False
    • To Do
    • 100
    • 100% 100%
    • Undefined
    • 0

    Description

      Customer problem

      As a user of Quay I depend on Clair’s grading logic to inform be about the severity of CVEs found in container images stored in Quay. To that end Clair v4 has less information than Clair v2 used to have, in particular on images built on alpine which is a popular base image in the community. This coverage is vital to me since I use Quay as an ingest for untrusted, upstream container images.

      Epic Goal

      • Quay users get CVE ratings from NVD sources when the original CVE feed source does not provide those so they have broader coverage on potential impact of CVEs found in their container images

      Why is this important?

      • Not all updaters provide CVE ratings
      • especially alpine is missing which is a very popular base image for upstream communities
      • Clair v2 used to leverage NVD for gradings but Clair v4 does not, leaving customers and users with a less information about their exposure to known CVEs

      Scenarios

      1. Clair v4 uses updaters that provide ratings, everything happens as usual
      2. Clair v4 uses updaters that do not provide CVE ratings, so the severity would be unknown, in this case NVD data is used to enrich the CVE data with a rating

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • ...

      Dependencies (internal and external)

      1. NVD feeds

      Previous Work (Optional):

      1. Clair v2 used to leverage NVD data streams

      Open questions::

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

      Attachments

        Issue Links

          is duplicated by

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. PROJQUAY-2014 Ability to show severity information for Debian packages

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. PROJQUAY-2154 Clair v4 should show vulnerability status for detected vulnerabilities in Alpine images

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          relates to

          Task - Represents a small unit of work that is not end-user facing. PROJQUAY-2528 Document CVE Rating Coverage

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              hdonnay Henry Donnay
              DanielMesser Daniel Messer
              Dongbo Yan Dongbo Yan
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: