Project Quay: PROJQUAY-963

Add discriminator field in secscan response to classify App vs OS level vulnerability


      This is an RFE from the Red Hat Code Ready Analytics (CRDA) team.

      CRDA is a hosted SaaS platform which deals with application-stack-level vulnerabilities to help developers fix security vulnerabilities directly from their IDEs [1]. We expose our services as RESTful endpoints, and our vulnerability data is sourced from Snyk [2].

      We would also like to integrate our platform with OpenShift through the same route that Clair takes to expose container-level vulnerabilities to OpenShift (Clair -> Quay -> CSO). Currently we are working closely [3][4] with the Clair team to integrate our APIs, which provide industry-leading security information sourced from Snyk. As of today we expose vulnerability details for the Python, Java and Node ecosystems and are working to enable the rest of the popular ones like Go, Ruby, PHP, etc.

      Currently Quay's secscan API doesn't provide enough detail to differentiate the nature of a vulnerability (app or OS level). Having this differentiation would help segregate the vulnerability report in the OpenShift web console. As part of this RFE, we would like to add a discriminator field to fix the above-mentioned problem. A similar change has to be made to the CSO-exposed CRDs (ImageManifestVuln) as well.

      [1] https://marketplace.visualstudio.com/items?itemName=redhat.fabric8-analytics
      [2] https://snyk.io
      [3] https://github.com/quay/claircore/pull/202
      [4] https://github.com/quay/claircore/pull/203
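
      The following is an added example, not code from Quay, Clair or CSO, showing what a consumer of the secscan response gains from a per-feature discriminator. The response shape approximates Quay's v1 security-scan API (status / data / Layer / Features / Vulnerabilities) but is a constructed sample; the field name "Type" with values "application" and "os" is a hypothetical stand-in for whatever this RFE settles on, and the VersionFormat-based fallback is an assumed heuristic included only to show why guessing is not a substitute for the field.

```python
"""Partition a secscan-style response into application- vs OS-level findings.

Added example (not Quay, Clair or CSO code).  The response layout below
approximates Quay's v1 security-scan API; the per-feature "Type"
discriminator is a hypothetical field name, not one that exists today.
"""
from collections import defaultdict

# Hypothetical discriminator field and its two values (assumption).
DISCRIMINATOR = "Type"
APP, OS, UNKNOWN = "application", "os", "unknown"

# Fallback used only when the discriminator is absent: guess the class
# from the feature's VersionFormat.  The value sets are assumptions and
# are deliberately incomplete, which is the point: a consumer without
# the field has to maintain a guess table and still ends up with
# "unknown" for any ecosystem it has not seen.
_OS_FORMATS = {"dpkg", "rpm", "apk"}
_APP_FORMATS = {"pep440", "maven", "semver"}  # python / java / node (assumed)


def classify_feature(feature):
    """Return APP, OS or UNKNOWN for one Feature entry.

    The discriminator, when present and valid, always wins over the
    heuristic; the heuristic only fills in for responses that lack it.
    """
    kind = feature.get(DISCRIMINATOR)
    if kind in (APP, OS):
        return kind
    fmt = feature.get("VersionFormat", "")
    if fmt in _OS_FORMATS:
        return OS
    if fmt in _APP_FORMATS:
        return APP
    return UNKNOWN


def partition_vulnerabilities(response):
    """Group every vulnerability in a secscan response by feature class.

    Returns {class: [(feature_name, vuln_name, severity), ...]}.  A response
    whose scan is not finished ("queued", "unsupported", ...) yields an
    empty dict rather than raising, so callers can poll and retry.
    """
    buckets = defaultdict(list)
    if response.get("status") != "scanned":
        return dict(buckets)
    layer = response.get("data", {}).get("Layer", {})
    for feature in layer.get("Features", []):
        kind = classify_feature(feature)
        for vuln in feature.get("Vulnerabilities", []):
            buckets[kind].append(
                (feature["Name"], vuln["Name"], vuln.get("Severity", "Unknown"))
            )
    return dict(buckets)


# Constructed sample response (not real scan output, vulnerability names
# are placeholders).  One OS package and one Python package carry the
# hypothetical discriminator; the Go module carries neither the field nor
# a version format the fallback table knows, so it lands in "unknown".
SAMPLE_RESPONSE = {
    "status": "scanned",
    "data": {"Layer": {"Name": "sha256:constructed", "Features": [
        {"Name": "openssl", "VersionFormat": "dpkg", "Version": "1.1.1",
         "Type": "os",
         "Vulnerabilities": [{"Name": "CONSTRUCTED-1", "Severity": "High"}]},
        {"Name": "django", "VersionFormat": "pep440", "Version": "2.2.0",
         "Type": "application",
         "Vulnerabilities": [{"Name": "CONSTRUCTED-2", "Severity": "Medium"},
                             {"Name": "CONSTRUCTED-3", "Severity": "Low"}]},
        {"Name": "example.com/mod", "VersionFormat": "gomod", "Version": "v1.0.0",
         "Vulnerabilities": [{"Name": "CONSTRUCTED-4", "Severity": "High"}]},
    ]}},
}

if __name__ == "__main__":
    for kind, findings in sorted(partition_vulnerabilities(SAMPLE_RESPONSE).items()):
        print(f"{kind}: {len(findings)} finding(s)")
        for feature, vuln, sev in findings:
            print(f"  {feature}: {vuln} ({sev})")
```

      Run stand-alone, the script prints one bucket per class. The "unknown" bucket for the Go module is the failure mode the RFE is about: without a discriminator carried through Clair -> Quay -> CSO, every consumer (the web console, the ImageManifestVuln CRD) has to keep its own guess table in sync with each new ecosystem Clair learns to index.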
