-
Feature Request
-
Resolution: Done
-
Undefined
-
None
-
None
-
None
-
False
-
None
-
False
-
Not Selected
-
-
-
-
-
Business Problem:
[Explain the business problem that the customer is trying to solve. There may be several ways to address it, so the more context you provide, the better solution we can design]
In RHACS 4.2.0 we introduced the capability to Define system policies using CVE age or fixability, and this included the policy criteria of
- CVE Is Fixable:
- Days Since CVE Was First Discovered In Image:
- Days Since CVE Was First Discovered In System:
While these new policy criteria are helpful, if a deployment is based upon an image with digest, and this digest is frequently changing to a new digest, then the existing policy criteria will not catch those scenarios where the image digest is updated frequently, less than a day. A solution to this would be to have a policy criteria of "Days since CVE was First Discovered In Deployment".
Note that this is essentially the opposite of ROX-9874
- ROX-9874 - Images with different names but same SHA
ROX-24165(this RFE) - Images with same name but different SHA
Use Cases:
[Describe specific scenarios or situations where the feature would be useful]
Scenario One
The existing policy criteria in Define system policies using CVE age or fixability resulted in confusion for the customer in case 03639310, as their
Days Since CVE Was First Discovered In Image=1, but these violations continued to disappear from the Violations view. The explanation behind this was that
- their deployment was using image digest
- this image digest was being updated frequently
- because of the new image digest, it is technically a new image (as RHACS identifies images based upon SHA)
- their previous violations were resolved as the policy criteria is not met
All of these led to confusion with the customer. (Slack conversation for reference)
Scenario Two
Consider another scenario:
Since system policies are generated on deployments, if a user updates a running RHACS deployment from 4.3.x to 4.4.x, and this deployment has unfixed CVEs, RHACS will lose the information that "xyz" vulnerabilities actually existed since the 4.3.x in the environment (as this would be extra days over the policy criteria).
A solution to this would be to have a policy criteria of "Days since CVE was First Discovered In Deployment".
Related Cases & Customers
Key Functionality:
[Outline the main functions and capabilities of the feature]
A solution to this would be to have a policy criteria of "Days since CVE was First Discovered In Deployment" even if the Deployments underlying image was frequently updated with a new digest.
Benefits:
[Highlight the benefits/advantages of the suggested feature if not addressed above]]
Acceptance criteria:
[Describe the key features that need to be covered by the feature to be able to satisfy the customer]
Implementation Suggestions (optional):
- Integration: [Specify any existing systems or tools that the new feature should integrate with]
- Dependencies: [Describe any dependencies on other 3rd party integrations or OCP components]
- User Experience: [Provide suggestions for designing the UI to optimize usability. Highlight other relevant aspects of the user experience ]
Timeline:
[Specify the preferred implementation date or any specific deadlines for the feature implementation]
Please use the following Jira fields to complete this Feature Request
- [Jira Field] Summary Required: [Provide a clear and concise name/description for the feature]
- [Jira Field] Description:
- [Jira Field] Component:
- [Jira Field] Priority: [Indicate the importance or urgency of the feature on a scale of High, Medium, or Low]
- [Jira Field] Supporting Documentation:
- [Attach any relevant documents, research, or supporting materials that provide additional context or information]
- links to