Based on a discussion with the customer behind the RFE, we changed the scope and description of this RFE to a CVE whitelisting feature.
The goal is that a Quay user can explicitly whitelist CVEs, which are then no longer shown by default on the Clair scan results page in the Quay UI. The idea behind this is to reduce the noise from irrelevant CVEs that are only reported because of packaging or security metadata issues (example: kernel-headers shows kernel CVEs). This means that the customer maintains a list of CVEs they explicitly want to whitelist. This list could become very long, though, and needs to be maintained on a regular basis.
User stories:
- As a user I can maintain a (potentially long) list of CVEs which shouldn't be shown in the vulnerability listing in the Quay UI unless I expand the hidden-by-default list of those CVEs.
- As a user I can hide / show those whitelisted CVEs inside the vulnerability listing in the Quay UI.
Open Questions
- Is the whitelisting registry or organization wide?
- Which user privileges (RBAC) are required to set / edit / view them?
Original RFE description
Containers use the host kernel, so it doesn't make sense to show kernel-specific vulns. These vulns are related to dummy packages in the container that are used to fulfil dependency requirements that many package managers enforce when installing software.
The attached list was generated by a customer for one of the images showing these vulns. It was made by querying the API and filtering for all vulnerabilities under the package "linux" whose description contained the word "kernel".
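The following is an added example, not code from the Quay or Clair projects, that shows both halves of what is described above: deriving whitelist candidates the way the customer did (package "linux", description mentions "kernel") and applying a user-maintained whitelist to a scan result so that the whitelisted CVEs are split off into a hidden-by-default list with a show/hide toggle. The scan result shape and the CVE identifiers are constructed placeholders; the real Quay security API layout is an assumption here. A helper for finding stale whitelist entries is included because the list has to be maintained over time.

```python
"""Added example (not Quay/Clair project code): derive CVE whitelist
candidates and apply a whitelist to scan results.

The Vulnerability record below is a constructed, simplified stand-in for one
entry of a Quay/Clair security scan response; the real API shape is assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    cve: str
    package: str
    severity: str
    description: str


# Constructed sample scan result for one image tag (placeholder CVE ids).
SAMPLE_SCAN = [
    Vulnerability("CVE-0000-0001", "linux", "High",
                  "Flaw in the Linux kernel scheduler (placeholder)"),
    Vulnerability("CVE-0000-0002", "linux", "Medium",
                  "Kernel netfilter issue (placeholder)"),
    Vulnerability("CVE-0000-0003", "openssl", "High",
                  "Buffer overflow in ASN.1 parsing (placeholder)"),
    Vulnerability("CVE-0000-0004", "linux", "Low",
                  "linux-firmware metadata issue (placeholder)"),
]


def kernel_cve_candidates(vulns, package="linux", keyword="kernel"):
    """Reproduce the customer's method: CVEs reported against `package`
    whose description mentions `keyword` (case-insensitive), sorted."""
    return sorted(
        v.cve for v in vulns
        if v.package == package and keyword.lower() in v.description.lower()
    )


def apply_whitelist(vulns, whitelist, show_hidden=False):
    """Split a scan result into what the UI shows and what it hides.

    Returns (visible, hidden). `hidden` always holds the whitelisted CVEs;
    `visible` excludes them unless show_hidden is True (the toggle in the
    second user story), in which case every vulnerability is visible.
    """
    wl = {c.upper() for c in whitelist}
    hidden = [v for v in vulns if v.cve.upper() in wl]
    visible = list(vulns) if show_hidden else [v for v in vulns if v.cve.upper() not in wl]
    return visible, hidden


def stale_entries(whitelist, vulns):
    """Whitelist entries that match no CVE in the current scan; a maintenance
    aid for pruning a long, regularly maintained list."""
    present = {v.cve.upper() for v in vulns}
    return sorted(c for c in whitelist if c.upper() not in present)


if __name__ == "__main__":
    candidates = kernel_cve_candidates(SAMPLE_SCAN)
    visible, hidden = apply_whitelist(SAMPLE_SCAN, candidates)
    print("whitelist candidates:", candidates)
    print("shown by default:", [v.cve for v in visible])
    print("hidden by default:", [v.cve for v in hidden])
    print("stale:", stale_entries(candidates + ["CVE-0000-9999"], SAMPLE_SCAN))
```

The candidate filter is deliberately a heuristic, as in the RFE: a description keyword match can miss entries or catch unrelated ones (the sample "linux-firmware" entry is excluded only because its text does not mention the kernel), so the generated list is a starting point for the user's own review rather than an automatic exclusion.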
Duplicates:
- PROJQUAY-1279 Allow users silence specific CVEs per repo / per org (In Progress)
- PROJQUAY-4994 Allow users silence specific CVEs per repo / per org (Closed)