Project Quay / PROJQUAY-8416

Enhancing Offline Java Vulnerability Reporting for Disconnected Environments in Clair

    • Type: Epic
    • Resolution: Unresolved
    • Priority: Undefined
    • Component: clair
    • Epic name: clair-offline-java
    • Status: To Do
    • Linked issue: CLAIRDEV-102 - Clair ships a Maven offline index

      Epic Goal

      • The primary objective of this epic is to make Clair more independent from online services like Maven Central, enabling the same quality of Java vulnerability reporting in disconnected environments. By shipping a Maven offline index containing required information about Java libraries and leveraging it for reverse lookups, we aim to provide consistent vulnerability assessments even when online resources are unavailable.

      Why is this important?

      • Improved Security: Ensuring comprehensive vulnerability reports in disconnected environments guarantees that users can identify and address potential security risks effectively, regardless of their network connectivity.
      • Consistency and Reliability: By relying on a local Maven offline index, Clair can provide consistent and reliable Java vulnerability assessments without being impacted by occasional rate-limiting or other online service issues.
      • Simplified Deployment: Integrating the offline index into the existing offline bundle experience simplifies deployment and reduces the complexity of setting up disconnected Clair environments.

      Scenarios

      • Scenario 1: A user deploys a disconnected Clair instance, which automatically includes an updated Maven offline index containing all necessary information about Java libraries. The indexer API utilizes this index to perform reverse lookups, accurately identifying old Java libraries with insufficient metadata and associating them with the correct CVEs.
      • Scenario 2: In a disconnected environment, Clair leverages the local Maven offline index to generate comprehensive vulnerability reports for container images containing Java libraries, ensuring no critical CVEs are overlooked due to incomplete or missing metadata.
      • Scenario 3: The Maven offline index is kept up-to-date at appropriate intervals through an automated process, ensuring that disconnected Clair instances always have access to the most recent information about Java libraries and their associated vulnerabilities.
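As an added illustration of the reverse lookup described in Scenario 1 (example code written for this page, not Clair's own implementation): a jar whose manifest lacks usable coordinates is hashed, looked up by SHA-1 in a local offline index, and the resolved group:artifact:version is then matched against advisory records. The tab-separated index format, the `Resolve` and `Match` functions, the manifest attributes consulted, and all sample data (jar bytes, coordinates and the `ADVISORY-PLACEHOLDER-1` record) are assumptions constructed for this example; the real index format is not described on this page.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// Coordinates are Maven group:artifact:version coordinates.
type Coordinates struct {
	GroupID, ArtifactID, Version string
}

// OfflineIndex maps the lowercase hex SHA-1 of a jar to its coordinates.
// This shape is an assumption made for the example, not Clair's index format.
type OfflineIndex map[string]Coordinates

// Sha1Hex returns the lowercase hex SHA-1 digest of a jar's bytes.
func Sha1Hex(b []byte) string {
	sum := sha1.Sum(b)
	return hex.EncodeToString(sum[:])
}

// LoadIndex parses a constructed listing: sha1 <TAB> groupId <TAB> artifactId <TAB> version.
// Blank lines and '#' comments are skipped; any other malformed line is an error.
func LoadIndex(r io.Reader) (OfflineIndex, error) {
	idx := OfflineIndex{}
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, "\t")
		if len(f) != 4 {
			return nil, fmt.Errorf("index line %d: expected 4 fields, got %d", n, len(f))
		}
		idx[strings.ToLower(f[0])] = Coordinates{f[1], f[2], f[3]}
	}
	return idx, sc.Err()
}

// Jar is the view an indexer has of an archive found in a layer: its bytes and manifest attributes.
type Jar struct {
	Name     string
	Contents []byte
	Manifest map[string]string
}

// Resolve returns the jar's coordinates and their provenance ("manifest" or "index").
// A manifest carrying vendor id, title and version is trusted as-is; an old jar with a bare
// manifest falls back to the reverse lookup by SHA-1 in the offline index.
func Resolve(idx OfflineIndex, j Jar) (Coordinates, string, bool) {
	title, okT := j.Manifest["Implementation-Title"]
	version, okV := j.Manifest["Implementation-Version"]
	vendor := j.Manifest["Implementation-Vendor-Id"]
	if okT && okV && vendor != "" {
		return Coordinates{vendor, title, version}, "manifest", true
	}
	if c, ok := idx[Sha1Hex(j.Contents)]; ok {
		return c, "index", true
	}
	return Coordinates{}, "", false
}

// Advisory is a constructed vulnerability record: one package with an exact list of affected versions.
type Advisory struct {
	ID       string
	Package  string // "groupId:artifactId"
	Affected []string
}

// Match returns the IDs of advisories whose affected versions include the resolved coordinates.
func Match(advisories []Advisory, c Coordinates) []string {
	var ids []string
	pkg := c.GroupID + ":" + c.ArtifactID
	for _, a := range advisories {
		if a.Package != pkg {
			continue
		}
		for _, v := range a.Affected {
			if v == c.Version {
				ids = append(ids, a.ID)
				break
			}
		}
	}
	return ids
}

// Constructed sample jars: one with a bare manifest (needs the index), one with full metadata.
var (
	oldJar = Jar{Name: "legacy-lib.jar", Contents: []byte("constructed bytes of an old jar with a bare manifest"),
		Manifest: map[string]string{"Manifest-Version": "1.0"}}
	newJar = Jar{Name: "modern-lib.jar", Contents: []byte("constructed bytes of a jar with full metadata"),
		Manifest: map[string]string{"Implementation-Vendor-Id": "com.example",
			"Implementation-Title": "modern-lib", "Implementation-Version": "2.0.0"}}
)

// SampleIndex builds the constructed offline index text; the hash is computed at runtime.
func SampleIndex() string {
	return "# sha1\tgroupId\tartifactId\tversion\n" +
		Sha1Hex(oldJar.Contents) + "\tcom.example\tlegacy-lib\t1.2.3\n"
}

// SampleAdvisories is a constructed advisory set with a placeholder identifier.
var SampleAdvisories = []Advisory{
	{ID: "ADVISORY-PLACEHOLDER-1", Package: "com.example:legacy-lib", Affected: []string{"1.2.3"}},
}

func main() {
	idx, err := LoadIndex(strings.NewReader(SampleIndex()))
	if err != nil {
		panic(err)
	}
	for _, j := range []Jar{oldJar, newJar} {
		c, src, ok := Resolve(idx, j)
		if !ok {
			fmt.Printf("%s: unresolved (not in manifest or index)\n", j.Name)
			continue
		}
		fmt.Printf("%s -> %s:%s:%s via %s, advisories %v\n",
			j.Name, c.GroupID, c.ArtifactID, c.Version, src, Match(SampleAdvisories, c))
	}
}
```

The point the example makes is that the index lookup only has to cover jars whose own metadata is insufficient; everything else resolves from the manifest without touching the index, and an unresolved jar is reported as such rather than silently dropped from the vulnerability report.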

      Acceptance Criteria

      • Above Scenarios must pass

      Dependencies (internal and external)

      1. ...

      Previous Work (Optional):

      Open questions:

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

      Assignee: Unassigned
      Reporter: Dave O'Connor (doconnor@redhat.com)