Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-393

Allow-Listing of CVEs to hide them in the Clair scan results shown in Quay

XMLWordPrintable

    • Icon: Feature Feature
    • Resolution: Duplicate
    • Icon: Major Major
    • None
    • quay-v3.2.0
    • quay, quay.io

      Based on a discussion with the customer behind the RFE we changed the scope and description towards a CVE whitelisting feature.

      The goal is that a Quay user can explicitly whitelist CVEs which are no longer shown (by default) on the Clair scan results page in the Quay UI. The idea behind is to reduce the noise around irrelevant CVEs just shown due to packaging or security metadata issues (example: kernel-headers shows kernel CVEs). Means that the customer himself maintains a list of CVEs he explicitly wants to whitelist. This could become a very long list though and it needs to be maintained on a regular basis.

      User stories:

      • As a user I can maintain a (potentially long) list of CVEs which shouldn't be shown in the vulnerability listing in the Quay UI unless I expand the hidden by default list of those.
      • As a user I can hide / show those whitelisted CVEs inside the vulnerability listing in the Quay UI.

      Open Questions

      • Is the whitelisting registry or organization wide?
      • which user privileges (RBAC) are required to set / edit / view them?

      Original RFE description

      Containers utilize the host kernel therefore it doesn't make sense to show kernel specific vulns. These vulns are related to dummy packages in the container that are used to fulfil requirements that many package managers have to install software.

      The attached list was generated by a customer for one of the images showing these vulns. It was made by querying the API and filtering for all vulnerabilities under the package "linux" where the description had the word "kernel" in it.

              Unassigned Unassigned
              kybrown@redhat.com Kyle Brown (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: