
Allow users to silence specific CVEs per repo / per org

    • Issue type: Epic
    • Resolution: Duplicate
    • Priority: Critical
    • Labels: -area/secscan, quay
    • Epic name: CVE Silencing
    • Status: To Do
    • Quay Hosted

      Goal: Allow organization and repository owners in Quay to silence specific CVEs, so that disputed or irrelevant CVEs no longer influence the image rating / scan results.

      Example: This vulnerability has been disputed and appears to be an application error rather than a glibc error, per: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-8804

      Acceptance criteria:

      • an organization owner can define a list of CVEs which are then ignored in any CVE report of any manifest in any repository in that organization
      • a repository creator can define a list of CVEs which are then ignored in any CVE report of any manifest in that repository
      • CVE reports can optionally show ignored CVEs but don't do that by default (needs to be possible in API and UI)
      • ignored CVEs never cause or are included in Repository notifications
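The following is an added reference implementation of the four acceptance criteria above, written for this page and not code from the Quay project. It assumes a simple policy store keyed by organization and by `org/repo`, a scan report represented as a list of dicts, and a severity threshold for repository notifications; the organization, repository and `CVE-2099-*` identifiers are constructed placeholders, while `CVE-2017-8804` is the disputed CVE cited in the description. Silenced CVEs are dropped from reports by default, surfaced only when `include_ignored=True` (flagged `ignored`), and never count toward the rating or the notification decision.

```python
"""Added example: CVE silencing at organization and repository scope.
Not Quay's code; names, report shape and CVE-2099-* ids are constructed."""
from dataclasses import dataclass, field

# Ordering used to derive an image rating from its non-silenced findings.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}


@dataclass
class SilencePolicy:
    """Silenced CVE ids, keyed by organization name and by 'org/repo'."""
    org_silenced: dict[str, set[str]] = field(default_factory=dict)
    repo_silenced: dict[str, set[str]] = field(default_factory=dict)

    def silence_for_org(self, org: str, cve_id: str) -> None:
        # Organization owner: applies to every repository in the organization.
        self.org_silenced.setdefault(org, set()).add(cve_id.upper())

    def silence_for_repo(self, org: str, repo: str, cve_id: str) -> None:
        # Repository creator: applies to every manifest in that repository only.
        self.repo_silenced.setdefault(f"{org}/{repo}", set()).add(cve_id.upper())

    def silenced(self, org: str, repo: str) -> set[str]:
        """Effective silence list for a manifest: org-level union repo-level."""
        return self.org_silenced.get(org, set()) | self.repo_silenced.get(f"{org}/{repo}", set())


def filter_report(policy: SilencePolicy, org: str, repo: str,
                  vulns: list[dict], include_ignored: bool = False) -> list[dict]:
    """Return the CVE report for one manifest with silenced CVEs removed.

    With include_ignored=True the silenced entries are kept but flagged
    ignored=True, so API clients and the UI can show them on request while
    hiding them by default."""
    silenced = policy.silenced(org, repo)
    result = []
    for v in vulns:
        ignored = v["id"].upper() in silenced  # ids compared case-insensitively
        if ignored and not include_ignored:
            continue
        result.append({**v, "ignored": ignored})
    return result


def worst_severity(policy: SilencePolicy, org: str, repo: str, vulns: list[dict]) -> str:
    """Image rating derived from non-silenced findings only ('None' if empty)."""
    active = filter_report(policy, org, repo, vulns)
    if not active:
        return "None"
    return max((v["severity"] for v in active), key=lambda s: SEVERITY_RANK.get(s, 0))


def should_notify(policy: SilencePolicy, org: str, repo: str,
                  vulns: list[dict], min_severity: str = "High") -> bool:
    """Repository notification fires only for a non-silenced CVE at or above
    the threshold; silenced CVEs never trigger it."""
    rating = worst_severity(policy, org, repo, vulns)
    return SEVERITY_RANK.get(rating, 0) >= SEVERITY_RANK[min_severity]


# Constructed scan report for one manifest (package names and CVE-2099-* ids are placeholders).
SCAN_REPORT = [
    {"id": "CVE-2017-8804", "package": "glibc", "severity": "High"},       # disputed CVE from the description
    {"id": "CVE-2099-0001", "package": "openssl", "severity": "Critical"}, # placeholder id
    {"id": "CVE-2099-0002", "package": "zlib", "severity": "Medium"},      # placeholder id
]


def build_demo_policy() -> SilencePolicy:
    """Org 'acme' silences the disputed CVE everywhere; repo 'acme/web' also
    silences CVE-2099-0001 (entered in lower case to show normalisation)."""
    policy = SilencePolicy()
    policy.silence_for_org("acme", "CVE-2017-8804")
    policy.silence_for_repo("acme", "web", "cve-2099-0001")
    return policy


if __name__ == "__main__":
    p = build_demo_policy()
    print("acme/web default view:", [v["id"] for v in filter_report(p, "acme", "web", SCAN_REPORT)])
    print("acme/web with ignored:", filter_report(p, "acme", "web", SCAN_REPORT, include_ignored=True))
    print("acme/web notify?", should_notify(p, "acme", "web", SCAN_REPORT))
    print("acme/api notify?", should_notify(p, "acme", "api", SCAN_REPORT))
```

Run it directly to see the default view for `acme/web` collapse to the single non-silenced finding, the same report with `include_ignored=True` showing all three entries with their `ignored` flag, and the notification decision differing between `acme/web` (repo-level silence applies) and `acme/api` (only the org-level silence applies).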

              Assignee: Unassigned
              Reporter: kybrown@redhat.com Kyle Brown (Inactive)