-
Epic
-
Resolution: Done
-
Major
-
None
-
Clair v4 Java scanning support
-
False
-
False
-
To Do
-
CLAIRDEV-11 - Language package vulnerability scanning in ClairV4
-
-
0% To Do, 0% In Progress, 100% Done
-
Undefined
Epic Goal
- Clair v4 can detect Java applications and their imported modules
- Clair v4 can leverage Java security vulnerability feeds in order to match known vulnerabilities in Java modules to a given application in a container images
Why is this important?
- Java is a dominant programming language in the domain of enterprise applications and significant investments are made to provide it with an avenue into the cloud-native space as well (Quarkus)
Scenarios
- Java-based applications in container images and their imports can be detected
- Known CVEs are matched against detected imports and define vulnerabilities associated with the container image
Acceptance Criteria
- Capability is enabled by default
- Capability can be disabled
- CI - MUST be running successfully with tests automated
- Release Technical Enablement - Provide necessary release enablement details and documents.
- Downstream documentation
Dependencies (internal and external)
- CRDA feed data for Java dependencies
Previous Work (Optional):
- Python package manager enablement
Done Checklist
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Downstream documentation merged: <link to meaningful PR>
- is cloned by
-
CLAIRDEV-51 Clair v4 can discover vulnerabilities in NodeJS applications
-
- In Progress
-