Feature Overview
RHACS should present unified reporting output for on-demand evidence CSV and scheduled email reporting, with the ability to export all available metadata, including the severity and path of each observed vulnerability. Export filters should support date-based filtering (newer than / older than) as well as other commonly expected criteria.
Goals
< Who benefits from this feature, and how? What is the difference between today’s current state and a world with this feature? >
Government customers frequently track vulnerabilities and make presentations based on rollup reports of data. Common examples include:
- Cat 1 (High, Critical) Findings Greater than 30 days
- All vulnerabilities greater than 90 days
- All vulnerabilities within last 7 days
Amplified data on the file path of discovered vulnerabilities in Java code deployed to a container is available in the JSON and presented in the console. This information is not currently exported in a readily consumable form for distribution to other business entities.
Amplified Severity data is only available in JSON and emailed periodic reports. Due to security requirements at many customer facilities, vulnerability data must be encrypted both at rest (CAC/PIV) and in transit (TLS). Since the automated email function cannot encrypt the resultant CSV, customers are limited to on-demand “Export Evidence as CSV” style functions.
Greater alignment of these reporting methods and the ability to export the full granular data set will allow greater customer reporting flexibility.
Requirements
A list of specific needs or objectives that a Feature must deliver to satisfy the Feature. Some requirements will be flagged as MVP. If an MVP gets shifted, the feature shifts. If a non MVP requirement slips, it does not shift the feature.
Requirement | Notes | isMvp |
Align Email with Evidence reporting | | |
Expand data set to export all available data | | |
Allow filter criteria including date range and < > | | |
(Optional) Use Cases
< How will the user interact with this feature? >
- Existing email and on-demand reporting
< Which users will use this and when will they use it? >
- Administrative and RBAC-scoped non-administrative users
< Is this feature used as part of current user interface? >
- yes
Out of Scope
N/A
Background, and strategic fit
What does the person writing code, testing, documenting need to know?
- The full data set from the JSON for a vulnerability scan should be presented in CSV reports
- Must include severity
- Must include location metadata
- Must not aggregate data (current “Export Evidence as CSV” behaviour)
Assumptions
Expectation: One line per CVE/Vulnerability/per image; full expansion
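An added illustration of the expansion and date filters described above, not RHACS code: it flattens a scan result into one CSV row per CVE per component per image, keeping severity and location, and applies older-than / newer-than and severity criteria. The JSON field names, sample data and function names are hypothetical, constructed for this example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

FIELDS = ["image", "component", "version", "location", "cve", "severity", "discovered"]
# Constructed sample; field names are hypothetical, not the RHACS JSON schema.
SCAN = [
    {"image": "registry.example/app:1.0", "components": [
        {"name": "example-lib", "version": "2.1", "location": "/app/lib/example-lib-2.1.jar",
         "vulns": [
             {"cve": "CVE-EXAMPLE-0001", "severity": "CRITICAL", "discovered": "2024-01-01T00:00:00+00:00"},
             {"cve": "CVE-EXAMPLE-0002", "severity": "LOW", "discovered": "2024-05-28T00:00:00+00:00"}]}]},
    {"image": "registry.example/api:2.3", "components": [
        {"name": "example-lib", "version": "2.1", "location": "/opt/api/example-lib-2.1.jar",
         "vulns": [
             {"cve": "CVE-EXAMPLE-0001", "severity": "CRITICAL", "discovered": "2024-05-20T00:00:00+00:00"}]}]},
]

def flatten(scan):
    """One row per CVE per component per image; nothing is aggregated."""
    return [
        {"image": img["image"], "component": comp["name"], "version": comp["version"],
         "location": comp["location"], **v}
        for img in scan for comp in img["components"] for v in comp["vulns"]
    ]

def select(rows, now, older_than_days=None, newer_than_days=None, severities=None):
    """Keep rows matching the older-than / newer-than and severity criteria."""
    out = []
    for r in rows:
        age = now - datetime.fromisoformat(r["discovered"])
        if older_than_days is not None and age <= timedelta(days=older_than_days):
            continue
        if newer_than_days is not None and age > timedelta(days=newer_than_days):
            continue
        if severities is not None and r["severity"] not in severities:
            continue
        out.append(r)
    return out

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the sample is reproducible
if __name__ == "__main__":
    print(to_csv(select(flatten(SCAN), NOW, older_than_days=30, severities={"HIGH", "CRITICAL"})))
```

The same CVE appears once per image it affects, each with its own location, which is the non-aggregated behaviour the requirement asks for.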
Customer Considerations
Email export unavailable in some environments
Documentation Considerations
< What educational or reference material (docs) is required to support this product feature? For users/admins? Other functions (security officers, etc)? >
Limited documentation update: Additional fields available
<What does success look like?>
Customer can export full dump of vulnerability status with iterated line-item vulnerabilities with the complete list of fields available in the JSON output
< Does this feature have doc impact? Possible values are: New Content, Updates to existing content, Release Note, or No Doc Impact?>
Release note or No Doc impact
Questions
Question | Outcome |