  1. Project Quay
  2. PROJQUAY-1724

Clair v4 uses NVD data to complement missing severity


    • Clair v4 uses NVD data
    • To Do
    • 0% To Do, 0% In Progress, 100% Done

      Customer problem

      As a user of Quay I depend on Clair’s grading logic to inform me about the severity of CVEs found in container images stored in Quay. Today Clair v4 has less of this information than Clair v2 used to have, in particular for images built on Alpine, a popular base image in the community. This coverage is vital to me because I use Quay as an ingest point for untrusted, upstream container images.

      Epic Goal

      • Quay users get a CVE rating from NVD when the updater that supplied the CVE does not provide one, so they have broader coverage of the potential impact of CVEs found in their container images

      Why is this important?

      • Not all updaters provide CVE ratings
      • Alpine in particular provides no ratings, and Alpine is a very popular base image for upstream communities
      • Clair v2 used to leverage NVD for gradings but Clair v4 does not, leaving customers and users with less information about their exposure to known CVEs

      Scenarios

      1. Clair v4 uses updaters that provide ratings: everything happens as usual and the updater's rating is reported
      2. Clair v4 uses updaters that do not provide CVE ratings, so the severity would otherwise be reported as unknown; in this case NVD data is used to enrich the CVE record with a rating
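      The two scenarios above, as an added Go illustration (this is not Clair's own code; the `Vulnerability`, `NVDRecord` and `Enrich` names are hypothetical, the CVE identifiers and CVSS scores are constructed for the example, and the score-to-severity bands follow NVD's published CVSS v3 qualitative scale). An updater-supplied rating is always kept; only a finding whose rating is Unknown, whose identifier is a well-formed CVE ID, and for which an NVD record exists gets its severity filled in from the CVSS base score. Anything else stays Unknown rather than being guessed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Severity is the qualitative rating a scanner reports for a vulnerability.
type Severity string

const (
	Unknown    Severity = "Unknown"
	Negligible Severity = "Negligible"
	Low        Severity = "Low"
	Medium     Severity = "Medium"
	High       Severity = "High"
	Critical   Severity = "Critical"
)

// Vulnerability is a minimal, hypothetical stand-in for a scanner finding.
type Vulnerability struct {
	ID       string   // identifier as reported by the distribution updater
	Package  string   // affected package
	Severity Severity // rating from the updater; Unknown when the feed has none
}

// NVDRecord is a constructed stand-in for the CVSS data NVD publishes per CVE.
type NVDRecord struct {
	CVSSv3BaseScore float64
}

// cvssToSeverity maps a CVSS v3.x base score onto NVD's qualitative scale
// (0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical). A score of
// exactly 0 ("None" in NVD terms) is treated as Negligible here; that mapping
// is an assumption of this example. Out-of-range scores stay Unknown.
func cvssToSeverity(score float64) Severity {
	switch {
	case score < 0 || score > 10:
		return Unknown
	case score == 0:
		return Negligible
	case score < 4.0:
		return Low
	case score < 7.0:
		return Medium
	case score < 9.0:
		return High
	default:
		return Critical
	}
}

// cveRE accepts only identifiers that can actually be looked up in NVD.
var cveRE = regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)

// Enrich implements the two scenarios: scenario 1 returns the updater's own
// rating untouched; scenario 2 fills an Unknown rating from NVD when a record
// exists. The second return value says where the rating came from.
func Enrich(v Vulnerability, nvd map[string]NVDRecord) (Vulnerability, string) {
	if v.Severity != Unknown {
		return v, "updater" // scenario 1: never override the feed's rating
	}
	if !cveRE.MatchString(v.ID) {
		return v, "unknown: not a CVE id" // distro-specific IDs cannot be enriched
	}
	rec, ok := nvd[v.ID]
	if !ok {
		return v, "unknown: no NVD record" // e.g. NVD has not analysed it yet
	}
	v.Severity = cvssToSeverity(rec.CVSSv3BaseScore)
	return v, "nvd" // scenario 2
}

func main() {
	// Constructed sample data: the CVE IDs and scores below are made up.
	nvd := map[string]NVDRecord{
		"CVE-2099-0001": {CVSSv3BaseScore: 9.8},
		"CVE-2099-0002": {CVSSv3BaseScore: 5.3},
	}
	findings := []Vulnerability{
		{ID: "CVE-2099-0001", Package: "busybox", Severity: Unknown}, // feed without ratings
		{ID: "CVE-2099-0002", Package: "openssl", Severity: High},    // feed rated it itself
		{ID: "CVE-2099-0003", Package: "zlib", Severity: Unknown},    // not in NVD yet
		{ID: "DSA-9999-1", Package: "curl", Severity: Unknown},       // not a CVE id
	}
	for _, f := range findings {
		out, src := Enrich(f, nvd)
		fmt.Printf("%-14s %-8s %-10s (%s)\n", out.ID, out.Package, out.Severity, src)
	}
}
```

      Note that the High rating on the second finding is kept even though its NVD score would map to Medium: the distribution's own assessment is treated as authoritative and NVD only fills gaps, which is the behaviour the scenarios describe.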

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • ...

      Dependencies (internal and external)

      1. NVD feeds

      Previous Work (Optional):

      1. Clair v2 used to leverage NVD data streams

      Open questions:

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

              Henry Donnay (hdonnay)
              Daniel Messer (DanielMesser)
              Dongbo Yan
