Feature Request
Resolution: Done
Priority: Normal
Business Problem:
The customer has multiple US government clients and needs to submit monthly ConMon (Continuous Monitoring) reports on container image vulnerabilities as part of FedRAMP compliance.
Use Cases:
They use ACS as the vulnerability scanner on OpenShift. ACS vulnerability reports show both CVE and RHSA entries. Our understanding is RHSAs simply indicate that Red Hat has taken some action against that particular component, but do not constitute a separate unique vulnerability, i.e., they are "additional information" about steps Red Hat may have taken against a particular component to address issues which may or may not be referenced in CVEs in the report. Unfortunately, this means RHSA entries need to be filtered out of the report before submitting these reports to regulatory authorities.
Key Functionality:
They are requesting a configuration option which would allow exclusion of RHSAs from generated vulnerability reports.
Benefits:
Seamless submission of vulnerability reports to regulatory authorities from ACS automation without manual intervention to first curate results.
Acceptance criteria:
A report generation option for said exclusion, resulting in a report which contains only the CVEs and not the RHSAs.
Implementation Suggestions (optional):
- Integration: Simple checkbox for RHSA inclusion when creating reports.
Description:
The customer uses the ACS vulnerability reports as the basis for reports required by government regulatory processes, since they support government customers. By default, in addition to CVEs found in running containers, ACS reports include RHSAs. Our understanding is RHSAs simply indicate that Red Hat has taken some action against that particular component, but do not constitute a separate unique vulnerability, i.e., they are "additional information" about steps Red Hat may have taken against a particular component to address issues which may or may not be referenced in CVEs in the report. Unfortunately, this means RHSA entries need to be filtered out of the report before submitting it to regulatory authorities, such as the ConMon reporting portion of FedRAMP. They are requesting a configuration option which allows these entries to be excluded from generated reports.
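The manual curation step described above (dropping RHSA rows and keeping CVE rows before the report is filed), as an added example that is not part of this issue or of ACS itself. It assumes the report is exported as CSV with the vulnerability identifier in a column named CVE; that column name, the other column names and every identifier in the sample report are constructed for the example, not taken from a real scan. Rows whose identifier is neither a CVE nor an RHSA are kept and counted rather than silently dropped, so the submitter can review them.

```python
import csv
import io
import re
from typing import Iterable

# Public identifier shapes: CVE IDs are CVE-<year>-<4 or more digits>,
# Red Hat Security Advisories are RHSA-<year>:<digits>.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
RHSA_RE = re.compile(r"^RHSA-\d{4}:\d+$", re.IGNORECASE)

# Assumption: the exported report is a CSV whose identifier column is named "CVE".
# Change this to match the real export's header.
ID_COLUMN = "CVE"


def classify(identifier: str) -> str:
    """Return 'cve', 'rhsa' or 'other' for one identifier string."""
    ident = identifier.strip()
    if CVE_RE.match(ident):
        return "cve"
    if RHSA_RE.match(ident):
        return "rhsa"
    return "other"


def filter_rhsa(rows: Iterable[dict], id_column: str = ID_COLUMN) -> tuple[list[dict], dict]:
    """Drop RHSA rows, keep CVE rows, keep but count unrecognized identifiers.

    Returns (kept_rows, summary). Unrecognized identifiers (for example an
    RHBA bug advisory, which a strict RHSA filter does not match) stay in the
    output so nothing disappears from a compliance report unnoticed; the
    summary counts tell the submitter what to review before filing.
    """
    kept, summary = [], {"cve": 0, "rhsa": 0, "other": 0}
    for row in rows:
        kind = classify(row.get(id_column, ""))
        summary[kind] += 1
        if kind != "rhsa":
            kept.append(row)
    return kept, summary


def filter_csv_text(csv_text: str, id_column: str = ID_COLUMN) -> tuple[str, dict]:
    """Filter a CSV report given as text; return (filtered_csv_text, summary)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    kept, summary = filter_rhsa(reader, id_column)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames or [id_column])
    writer.writeheader()
    writer.writerows(kept)
    return out.getvalue(), summary


# Constructed sample report: column names and identifiers are made up for the
# example and do not describe any real image or advisory.
SAMPLE_REPORT = """Image,Component,CVE,Fixable,Severity
registry.example/app:1.0,openssl,CVE-2023-0001,true,Important
registry.example/app:1.0,openssl,RHSA-2023:0001,true,Important
registry.example/app:1.0,curl,CVE-2023-0002,false,Moderate
registry.example/app:1.0,glibc,RHSA-2023:0002,true,Moderate
registry.example/app:1.0,glibc,RHBA-2023:0003,true,Low
"""

if __name__ == "__main__":
    filtered, summary = filter_csv_text(SAMPLE_REPORT)
    print(filtered)
    print("summary:", summary)
```

If the customer also wants RHBA or RHEA advisories removed, widen RHSA_RE to `^RH[SBE]A-\d{4}:\d+$`; with the strict pattern above, the RHBA row in the sample is reported under "other" and left in place.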