Feature Request
Resolution: Unresolved
Product / Portfolio Work
Business Problem:
Customers rely on roxctl scan results as part of the build process to populate various vulnerability management systems, feed compliance and audit systems, and control workflows and other aspects of the DevSecOps lifecycle. The NVD CVSS score of a vulnerability can be, and sometimes is, required to accomplish this. Auditors and regulators are increasingly asking for the NVD CVSS score in addition to the RH CVSS score. This score is not in the current roxctl output in any format: neither JSON nor CSV.
Customers must either find an additional way to get this information (note that there is no single API for it, nor is it a simple task using the existing APIs), or they abandon roxctl and look for a different scanning tool that does provide this value.
Key Functionality:
Add the NVD CVSS score per vulnerability to all supported outputs of a roxctl image scan.
Benefits:
Security and DevSecOps teams can meet auditing requirements related to vulnerabilities.
Platform engineers will get the field required to satisfy pipeline and auditing/security requirements.
Developers and platform engineers will be able to see the score without switching to another environment or system, and will have better support for working in a shift-left style.
Developers and security teams will get greater insight into the differences between the RH and NVD scores, and earlier in the process.