RFE-5919 (OpenShift Request For Enhancement)

RHACS: Filtering out RHSA entries from ACS vulnerability reports


    • Type: Feature Request
    • Resolution: Done
    • Priority: Normal
    • Components: RHACS, Vuln Management

      Business Problem:

      The customer has multiple US government clients and must submit monthly ConMon (Continuous Monitoring) reports on container image vulnerabilities as part of FedRAMP regulatory compliance.

      Use Cases:

      They use ACS as the vulnerability scanner on OpenShift. ACS vulnerability reports show both CVE and RHSA entries. Our understanding is RHSAs simply indicate that Red Hat has taken some action against that particular component, but do not constitute a separate unique vulnerability, i.e. they are "additional information" about steps Red Hat may have taken against a particular component to address issues which may or may not be referenced in CVEs in the report. Unfortunately, this means RHSA entries need to be filtered out of the report before submitting these reports to regulatory authorities.

      Key Functionality:

      They are requesting a configuration option which would allow exclusion of RHSA from generated vulnerability reports.

      Benefits:

      Seamless submission of vulnerability reports to regulatory authorities from ACS automation without manual intervention to first curate results.

      Acceptance criteria:

      A report generation option for said exclusion, resulting in a report which contains only the CVEs and not the RHSAs.

      Implementation Suggestions (optional):

      • Integration: Simple checkbox for RHSA inclusion when creating reports.


      Description:

      The customer uses the ACS vulnerability reports as the basis for reports required by government regulatory processes, since they support government customers. By default, in addition to CVEs found in running containers, ACS reports include RHSAs. Our understanding is RHSAs simply indicate that Red Hat has taken some action against that particular component, but do not constitute a separate unique vulnerability, i.e. they are "additional information" about steps Red Hat may have taken against a particular component to address issues which may or may not be referenced in CVEs in the report. Unfortunately, this means RHSA entries need to be filtered out of the report before submitting it to regulatory authorities, such as the ConMon reporting portion of FedRAMP. They are requesting a configuration option which allows these entries to be excluded from generated reports.
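Until such an option exists, the exclusion described above can be applied as a post-processing step on an exported report. The following is an added example, not part of this RFE and not RHACS code: a small Python filter that drops rows whose identifier is a Red Hat Security Advisory (RHSA-YYYY:NNNN) and keeps the CVE rows. It assumes the report is a CSV with a column named "CVE" that holds either a CVE ID or an RHSA ID; every other column name and every row in the sample report is constructed for the example, not taken from a real ACS export.

```python
"""Post-process an exported vulnerability report so only CVE rows remain.

Added example, not part of RFE-5919 or of the RHACS code base. Assumption: the
report is CSV with a "CVE" column holding either a CVE ID (CVE-YYYY-NNNN...) or
a Red Hat Security Advisory ID (RHSA-YYYY:NNNN). All other column names and
all data rows below are constructed for illustration.
"""
import csv
import io
import re

# Identifier shapes: CVE-2099-0001 versus RHSA-2099:0001 (note the colon).
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
RHSA_RE = re.compile(r"^RHSA-\d{4}:\d{4,}$")

# Constructed sample report (synthetic IDs, made-up column names).
SAMPLE_REPORT = """\
Cluster,Namespace,Deployment,Image,Component,CVE,Severity,Fixable
prod,payments,api,registry.example/api:1.2,openssl,CVE-2099-0001,Important,true
prod,payments,api,registry.example/api:1.2,openssl,RHSA-2099:0001,Important,true
prod,payments,api,registry.example/api:1.2,curl,CVE-2099-0002,Moderate,true
prod,web,frontend,registry.example/web:4.0,glibc,RHSA-2099:0002,Moderate,true
prod,web,frontend,registry.example/web:4.0,zlib,BOGUS-1,Low,false
"""


def classify(identifier: str) -> str:
    """Return 'cve', 'rhsa' or 'other' for a vulnerability identifier."""
    ident = identifier.strip().upper()
    if CVE_RE.match(ident):
        return "cve"
    if RHSA_RE.match(ident):
        return "rhsa"
    return "other"


def filter_report(csv_text: str, id_column: str = "CVE"):
    """Drop RHSA rows from a CSV report.

    Returns (kept_rows, dropped_count, needs_review, fieldnames). Rows whose
    identifier is neither a CVE nor an RHSA are kept but also returned in
    needs_review so they are never silently dropped from, or silently passed
    into, a compliance submission.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = reader.fieldnames or []
    if id_column not in fieldnames:
        raise ValueError(f"report has no {id_column!r} column: {fieldnames}")
    kept, needs_review, dropped = [], [], 0
    for row in reader:
        kind = classify(row[id_column])
        if kind == "rhsa":
            dropped += 1
            continue
        if kind == "other":
            needs_review.append(row)
        kept.append(row)
    return kept, dropped, needs_review, fieldnames


def render_csv(rows, fieldnames) -> str:
    """Serialise the kept rows back to CSV with the original header order."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    kept, dropped, review, fields = filter_report(SAMPLE_REPORT)
    print(render_csv(kept, fields))
    print(f"# dropped {dropped} RHSA row(s); {len(review)} row(s) need review:")
    for row in review:
        print("#   ", row["CVE"], row["Component"], row["Image"])
```

The column name is a parameter so the same filter works if the export uses a different header, and a missing column raises instead of quietly producing an empty report. Matching is anchored to the full identifier, so a row is only treated as an advisory when the entire value has the RHSA shape.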


            sbadve@redhat.com Shubha Badve
            rhn-support-stulshan Shashi Tulshannagari
            Anjali Telang, Boaz Michaely, Doron Caspin, JP Jung, Maria Simon Marcos, Shubha Badve