RFE-7323 (OpenShift Request For Enhancement)

Grace Period ACS Policy criterion from when a CVE "FIX" is available


    • Future Sustainability
    • Client has expressed extreme interest in the implementation of this feature. This is a must-have for the operation of the client to integrate ACS.

      The client has urgently requested acknowledgement of this feature and confirmation of integration into the new version.

      Goal Summary:

      A 30-day grace period ACS scanner policy criterion that counts from when a fix for a CVE becomes available, rather than from when the CVE itself is discovered.

      Goals and expected user outcomes: The user should have the ability to configure a 30-day grace period from the date a fix for a CVE is released. This will allow developers time to address the vulnerability without blocking image deployments. The feature should enhance the existing vulnerability management policy criteria in OpenShift ACS by using vendor-published CVE fix dates instead of when RHACS first detects the vulnerability.

      Acceptance Criteria:

      • ACS provides developers a 30-day grace period for images in the environment whose CVEs have a recently released fix.
      • The grace period should begin from the date the CVE fix is released, not from when RHACS detects the CVE in an image.
      • The policy should override enforcement temporarily while still triggering alerts for identified vulnerabilities.
      • RHACS should correctly recognize the vendor-published CVE fix date as the starting point for the grace period.
      • Grace period expiration should lead to automatic enforcement of policy violations, blocking new deployments of unpatched images.
      • Ensure compatibility with existing OpenShift ACS policies and logging mechanisms.

      Success Criteria or KPIs measured:

      • Reduction in blocked deployments due to newly discovered CVEs.
      • Increase in timely remediation of vulnerabilities before grace period expiration.
      • Accurate policy enforcement aligning with vendor-provided CVE fix timelines.
      • Reduction in manual intervention required to manage CVE-based policy enforcement.

      Use Cases (Optional):

      1. Initial Scan & Deployment
        • A CI pipeline scans an image with no critical vulnerabilities, allowing it to be pushed to the registry and deployed.
      2. New Vulnerability Detected
        • A new critical vulnerability is identified in the image, triggering an alert but not blocking deployments.
      3. Grace Period Activation
        • The vendor releases a fix for the CVE.
        • The 30-day grace period begins, temporarily overriding the block rule to allow remediation time.
      4. Grace Period Expiration
        • If unpatched beyond the grace period, RHACS enforces policy and blocks further deployments of the image.

      This approach ensures that vulnerability policies are enforced based on vendor-provided fix timelines rather than the date RHACS detects the vulnerability, leading to more effective security compliance and development workflows.
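      The following Python model is added here as an illustration of the requested criterion and is not code from this RFE or from the RHACS product. It contrasts the fix-anchored grace period the RFE asks for with the detection-anchored one it wants to move away from, and covers the edge cases the acceptance criteria imply: a CVE with no published fix (alert, never block), a finding below the policy's severity threshold (out of scope), and a fix that was already available before the image was first scanned (the clock started earlier, so the deadline is earlier). The `Finding` dataclass, the function names, the severity ranking and the `GRACE_DAYS` value are assumptions for this illustration, not the RHACS policy engine or scanner data model.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed grace period length, taken from the RFE's 30-day proposal.
GRACE_DAYS = 30

# Severity ranking used to decide which findings the policy is scoped to (assumed).
SEVERITY_RANK = {"LOW": 0, "MODERATE": 1, "IMPORTANT": 2, "CRITICAL": 3}


@dataclass(frozen=True)
class Finding:
    """One CVE found in one image (hypothetical shape, not the RHACS data model)."""
    cve: str
    severity: str
    detected_on: date                  # first time the scanner saw this CVE in the image
    fix_released_on: Optional[date]    # vendor-published fix date; None while no fix exists


def grace_deadline(finding: Finding, anchor: str = "fix",
                   grace_days: int = GRACE_DAYS) -> Optional[date]:
    """Last day on which the image may still deploy with this finding unpatched.

    anchor="fix"       counts from the vendor fix date (what the RFE asks for);
                       returns None while no fix is published, since nothing can
                       be remediated yet.
    anchor="detection" counts from first detection (the behaviour the RFE
                       wants to replace).
    """
    if anchor == "fix":
        if finding.fix_released_on is None:
            return None
        return finding.fix_released_on + timedelta(days=grace_days)
    if anchor == "detection":
        return finding.detected_on + timedelta(days=grace_days)
    raise ValueError(f"unknown anchor {anchor!r}")


def evaluate_finding(finding: Finding, today: date, anchor: str = "fix",
                     min_severity: str = "CRITICAL") -> str:
    """Return 'allow', 'alert' or 'block' for a single finding."""
    if SEVERITY_RANK[finding.severity] < SEVERITY_RANK[min_severity]:
        return "allow"                 # below the policy's severity threshold
    deadline = grace_deadline(finding, anchor)
    if deadline is None:
        return "alert"                 # no fix yet: surface it, but do not block
    if today <= deadline:
        return "alert"                 # inside the grace period: alert only
    return "block"                     # grace period expired and still unpatched


def evaluate_image(findings, today: date, anchor: str = "fix",
                   min_severity: str = "CRITICAL") -> str:
    """Fold per-finding verdicts into one decision for the image: the most severe wins."""
    verdicts = {evaluate_finding(f, today, anchor, min_severity) for f in findings}
    for outcome in ("block", "alert", "allow"):
        if outcome in verdicts:
            return outcome
    return "allow"                     # image has no findings at all


if __name__ == "__main__":
    # Constructed sample data with placeholder CVE ids, not real scan output.
    today = date(2025, 2, 5)
    image = [
        Finding("CVE-0000-0001", "CRITICAL", date(2025, 1, 1), date(2025, 1, 10)),
        Finding("CVE-0000-0002", "CRITICAL", date(2025, 1, 1), None),
        Finding("CVE-0000-0003", "LOW", date(2025, 1, 1), date(2024, 12, 1)),
    ]
    for f in image:
        print(f.cve, "fix-anchored:", evaluate_finding(f, today, "fix"),
              "detection-anchored:", evaluate_finding(f, today, "detection"))
    print("image:", evaluate_image(image, today, "fix"))
```

      Running the sample shows the practical difference the RFE is after: on 5 February the first CVE is still inside its fix-anchored window (fix on 10 January, deadline 9 February) and only alerts, whereas the detection-anchored window (detected 1 January, deadline 31 January) has already expired and would block. The reverse also holds: a fix that was published before the scanner ever saw the CVE gives a shorter fix-anchored window than a detection-anchored one, which is the intended consequence of counting from when remediation became possible.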

      bmichael@redhat.com Boaz Michaely
      hromerot@redhat.com Heber Romero Tellez (Inactive)