Epic Goal

• Clair v4 can detect Java applications and their imported modules
• Clair v4 can leverage Java security vulnerability feeds in order to match known vulnerabilities in Java modules to a given application in a container images

Why is this important?

• Java is a dominant programming language in the domain of enterprise applications and significant investments are made to provide it with an avenue into the cloud-native space as well (Quarkus)

Scenarios

1. Java-based applications in container images and their imports can be detected
2. Known CVEs are matched against detected imports and define vulnerabilities associated with the container image

Acceptance Criteria

• Capability is enabled by default
• Capability can be disabled
• CI - MUST be running successfully with tests automated
• Release Technical Enablement - Provide necessary release enablement details and documents.
• Downstream documentation

Dependencies (internal and external)

1. CRDA feed data for Java dependencies

Previous Work (Optional):

1. Python package manager enablement

Done Checklist

• CI - CI is running, tests are automated and merged.
• Release Enablement <link to Feature Enablement Presentation>
• DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
• DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
• DEV - Downstream build attached to advisory: <link to errata>
• QE - Test plans in Polarion: <link or reference to Polarion>
• QE - Automated tests merged: <link or reference to automated tests>
• DOC - Downstream documentation merged: <link to meaningful PR>