- Story
- Resolution: Unresolved
- Major
- CVE suppression occurs entirely in Quay and is gated by a feature toggle, SECURITY_VULNERABILITY_SUPPRESSION, which is true by default
- an organization admin can define a list of CVE identifiers, which are then suppressed in any CVE report of any manifest in any repository in that organization
- a repository admin can define a list of CVE identifiers at the repository level, which are then suppressed in any CVE report of any manifest in that repository
- a repository admin can define a list of CVE identifiers in the context of a manifest, which are then suppressed in the CVE report of the manifest
- the security API endpoint in Quay will, by default, omit suppressed CVEs but can be called in a way where suppressed CVEs are part of the report (suppressions parameter)
- the manifest API got a new endpoint that allows setting/unsetting a list of CVE identifiers for suppression (`/suppressed_vulnerabilities`)
- the organization API now accepts a property called suppressed_vulnerabilities as a way to specify org-level CVE suppression (UpdateOrg) and also returns a property called suppressed_vulnerabilities containing them (getOrganization)
- the repository API (updateRepo) now accepts a property called suppressed_vulnerabilities as a way to specify repo-level CVE suppression and also returns a property called suppressed_vulnerabilities containing them (getRepo)
- CVE reports can optionally show suppressed CVEs in the UI but do not do so by default (this needs to be possible in both the API and the UI)
- CVE reports in the UI by default show the number of suppressed CVEs in summary sections
- if different CVE identifiers are configured to be suppressed at the organization and/or repository and/or manifest level, they will be combined into a larger set that will be used to filter the vulnerability report of a manifest
- suppressed CVEs never cause or are included in Repository notifications
- modifications of CVE suppression settings are logged in the action logs
- CVE identifiers are entered as alphanumeric strings without spaces
- when retrieving a vulnerability report, filtering for suppressed CVEs is done by matching the configured CVE identifiers as substrings against the CVE identifiers in the original report from Clair
- CVE suppression is only implemented in the new UI; the old UI will only show reports filtered for the configured CVE suppressions
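The filtering rules above (identifiers without spaces, the union of organization, repository and manifest suppression lists, substring matching against the Clair report, and the optional inclusion of suppressed entries with a count for the summary) can be modelled in a few functions. The following is an added illustration written for this page and is not Quay's own code; the `Finding` shape, the field names and the `CVE-0000-…` identifiers in the sample report are constructed placeholders.

```python
"""Model of the CVE suppression filtering described in the story (constructed example)."""
from dataclasses import dataclass, field
from typing import Iterable


@dataclass
class Finding:
    """One vulnerability entry in the shape a Clair report might have (assumed field names)."""
    cve: str
    severity: str
    package: str


@dataclass
class FilteredReport:
    visible: list[Finding]
    suppressed: list[Finding] = field(default_factory=list)

    @property
    def suppressed_count(self) -> int:
        # The number the UI shows in its summary section by default.
        return len(self.suppressed)


def invalid_identifiers(identifiers: Iterable[str]) -> list[str]:
    """Return the entries that are empty or contain whitespace.

    The story requires alphanumeric strings without spaces. Real CVE identifiers
    contain hyphens, so this check only rejects whitespace and empty strings
    (an assumption about how strictly 'alphanumeric' is meant).
    """
    return [i for i in identifiers if not i or any(ch.isspace() for ch in i)]


def effective_suppressions(org: Iterable[str], repo: Iterable[str], manifest: Iterable[str]) -> set[str]:
    """Union of the organization, repository and manifest level lists."""
    combined = list(org) + list(repo) + list(manifest)
    bad = invalid_identifiers(combined)
    if bad:
        raise ValueError(f"invalid CVE identifiers: {bad!r}")
    return set(combined)


def is_suppressed(cve: str, suppressions: set[str]) -> bool:
    """Substring match: a finding is dropped if any configured identifier occurs inside its CVE id."""
    return any(pattern in cve for pattern in suppressions)


def filter_report(findings: Iterable[Finding], org=(), repo=(), manifest=(),
                  include_suppressed: bool = False) -> FilteredReport:
    """Split a report into visible and suppressed findings.

    include_suppressed mirrors the API's 'suppressions' parameter: when true the
    suppressed entries stay in the visible list but are still counted separately.
    """
    suppressions = effective_suppressions(org, repo, manifest)
    visible, suppressed = [], []
    for finding in findings:
        (suppressed if is_suppressed(finding.cve, suppressions) else visible).append(finding)
    if include_suppressed:
        visible = visible + suppressed
    return FilteredReport(visible=visible, suppressed=suppressed)


# Constructed sample report; CVE-0000-* identifiers are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "High", "libexample"),
    Finding("CVE-0000-0002", "Medium", "libexample"),
    Finding("CVE-0000-00021", "Low", "othertool"),  # shares a prefix with the entry above
    Finding("CVE-0001-0003", "Critical", "othertool"),
]

if __name__ == "__main__":
    report = filter_report(SAMPLE_FINDINGS, org=["CVE-0001-0003"], manifest=["CVE-0000-0002"])
    print("visible:", [f.cve for f in report.visible])
    print("suppressed count:", report.suppressed_count)
```

The sample run shows the consequence of substring matching that operators should be aware of: suppressing `CVE-0000-0002` at the manifest level also hides the placeholder `CVE-0000-00021`, because the shorter identifier is a substring of the longer one. Configuring complete identifiers, and reviewing the suppressed count the UI shows by default, keeps such over-matching visible.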