-
Feature Request
-
Resolution: Done
-
Undefined
-
None
-
rhacs-4.5.0
-
None
-
False
-
None
-
False
-
Not Selected
-
-
Provide more specific / granular information as to which versions of OpenShift a CVE fix is available for.
Customers use ACS to identify CVEs against cluster components as well as end-user applications. ACS indicates when a fix is available for a CVE.
However, a fix may be available for the most recent OCP release, e.g. 4.16, but not yet available for the version of OCP that the customer is running, e.g. 4.14 or 4.12. Since RH releases patches for the most recent versions first and then backports to earlier versions, there can be a point in time when the fix is not yet available for the version the customer is running.
Without the additional level of information, the admin is "blindly" applying z stream patches without knowing whether or not they contain the fix for the CVEs in question.
The additional information reduces the need for a back-and-forth between security and operations and provides a better indicator as to when to apply patches. Since not all solutions backport CVE fixes, this is particularly relevant for software provided by Red Hat.
Users would like this information to be available in the UI and in reports and would like to be able to filter on this data.