Epic: CVE Silencing
Status: To Do
Resolution: Duplicate
Critical
Quay Hosted
Goal: Allow organization and repository owners in Quay to silence specific CVEs, so that disputed or irrelevant CVEs no longer influence the image rating / scan results.
Example: This vulnerability has been disputed and appears to be an application error rather than a glibc error, per https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-8804
Acceptance criteria:
- an organization owner can define a list of CVEs which are then ignored in every CVE report of every manifest in every repository of that organization
- a repository creator can define a list of CVEs which are then ignored in every CVE report of every manifest in that repository
- CVE reports can optionally show ignored CVEs, but do not do so by default (must be possible in both the API and the UI)
- ignored CVEs never trigger a repository notification and are never included in one
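As an added illustration of the behaviour the acceptance criteria describe (not Quay or Clair code; the data model, function names and the acme/api, acme/web sample repositories are assumptions), the following Python sketch keeps one org-wide and one per-repository ignore list, hides ignored CVEs from the default report, exposes them only when explicitly requested, and derives notification contents from the already-filtered report so a silenced CVE can never trigger one. CVE-2017-8804 in the sample data is the disputed glibc CVE named above; the CVE-0000-* ids are constructed placeholders, not real CVEs.

```python
from dataclasses import dataclass, field

# Severity ladder used to decide whether a notification fires (assumed ordering).
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]


@dataclass(frozen=True)
class Vulnerability:
    cve: str       # CVE identifier as reported by the scanner
    package: str   # affected package in the image
    severity: str  # one of SEVERITY_ORDER


@dataclass
class IgnoreLists:
    """Org-wide and per-repository CVE ignore lists (hypothetical data model)."""
    org: dict = field(default_factory=dict)   # org name -> {CVE ids}
    repo: dict = field(default_factory=dict)  # (org, repo) -> {CVE ids}

    def ignored_for(self, org, repo):
        """Effective ignore set for one repository: the org list plus that repo's own list."""
        return self.org.get(org, set()) | self.repo.get((org, repo), set())


def normalize(cve_id):
    """Canonical form so 'cve-2017-8804 ' and 'CVE-2017-8804' compare equal."""
    return cve_id.strip().upper()


def add_org_ignore(lists, org, cve_id):
    """Org owner action: silence a CVE in every repository of the org."""
    lists.org.setdefault(org, set()).add(normalize(cve_id))


def add_repo_ignore(lists, org, repo, cve_id):
    """Repository-level action: silence a CVE in this repository only."""
    lists.repo.setdefault((org, repo), set()).add(normalize(cve_id))


def cve_report(lists, org, repo, vulns, show_ignored=False):
    """Return (visible, ignored). The ignored list is only populated on request,
    so the default report hides silenced CVEs as the acceptance criteria require."""
    ignored_ids = lists.ignored_for(org, repo)
    visible = [v for v in vulns if normalize(v.cve) not in ignored_ids]
    ignored = [v for v in vulns if normalize(v.cve) in ignored_ids] if show_ignored else []
    return visible, ignored


def notification_cves(lists, org, repo, vulns, min_severity="High"):
    """CVE ids a repository notification would carry. The candidates come from the
    default (hidden) report, so an ignored CVE can never cause or appear in one."""
    threshold = SEVERITY_ORDER.index(min_severity)
    visible, _ = cve_report(lists, org, repo, vulns)
    return [normalize(v.cve) for v in visible if SEVERITY_ORDER.index(v.severity) >= threshold]


def sample_scan():
    """Constructed sample data: one org-wide and one repo-only ignore entry, and a
    three-finding scan result. CVE-0000-* ids are placeholders, not real CVEs."""
    lists = IgnoreLists()
    add_org_ignore(lists, "acme", "cve-2017-8804")          # ignored in all acme repos
    add_repo_ignore(lists, "acme", "api", "CVE-0000-0002")  # ignored in acme/api only
    vulns = [
        Vulnerability("CVE-2017-8804", "glibc", "Critical"),
        Vulnerability("CVE-0000-0001", "openssl", "High"),
        Vulnerability("CVE-0000-0002", "libxml2", "High"),
    ]
    return lists, vulns


if __name__ == "__main__":
    lists, vulns = sample_scan()
    visible, ignored = cve_report(lists, "acme", "api", vulns, show_ignored=True)
    print("acme/api visible:", [v.cve for v in visible])
    print("acme/api ignored:", [v.cve for v in ignored])
    print("notify acme/api:", notification_cves(lists, "acme", "api", vulns))
    print("notify acme/web:", notification_cves(lists, "acme", "web", vulns))
```

The repo-only entry is what distinguishes acme/api from acme/web: the same scan yields a different visible set and a different notification payload per repository, while the org-wide entry suppresses CVE-2017-8804 in both. Keeping the ignored entries retrievable (rather than deleting them from the scan data) is what makes the "optionally show ignored CVEs" criterion satisfiable later.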
Issue links:
- duplicates: PROJQUAY-1279 Allow users silence specific CVEs per repo / per org (In Progress)
- is duplicated by: PROJQUAY-393 Allow-Listing of CVEs to hide them in the Clair scan results shown in Quay (Closed)
- relates to: PROJQUAY-2880 clair shows vulnerable packages from pyup.io which are actually fixed by RHSA (Closed)
- relates to: PROJQUAY-1303 Request for SRE/Eng to correct severity of CVE-2017-8804 in quay.io database (Closed)