Red Hat Advanced Cluster Security
ROX-29518

Meeting Konflux SCA Requirement: Scanning SBOM file for reporting vulnerabilities

    • Type: Epic
    • Resolution: Unresolved
    • Priority: Critical
    • [Scanner] Implement Konflux SCA Requirements
    • Product / Portfolio Work
    • Status: In Progress
    • Linked issue: ROX-29212 - Work To Be Done: Meeting Konflux SCA Requirements
    • Progress: 67% To Do, 17% In Progress, 17% Done

      Goal Summary:

      Meet Konflux SCA requirements to make RHACS the SCA (Software Composition Analysis) of choice in the pipeline to support pro-active vulnerability management.

      Requirements: Konflux SCA scanner requirements to support pro-active vulnerability management in the pipeline

      Background:

      Red Hat is migrating its internal container build pipeline from the legacy CPASS platform to Konflux [konflux-ci.dev/docs].

      Konflux is a platform for building integrated software that streamlines, consolidates, and secures the development lifecycle (Konflux Architecture).

      REF: Konflux review for secure supply chain leadership group

      Goals and expected outcomes:

      • Enhance Scanner V4/Clair functionality to support scanning an SBOM file as an input instead of doing its own detection based on file system scanning. The expected SBOM format is SPDX 2.3 (in the future we might switch to SPDX 3.0, especially for AI BOM support, but this is not a requirement for now). The SBOM content interpretation should follow the Understanding SBOMs guideline.

      Acceptance Criteria:

      • ACS CLI (roxctl) can accept SBOM (format: SPDX 2.3) as an artifact for reporting on vulnerabilities impacting the inventory of SW components that make up a software application represented by that SBOM.
      • The vulnerability report must include the following details:
        • CVE ID;
        • detected vulnerable component name;
        • detected vulnerability path;
        • CVE Severity/Impact;
        • CVE Data Source;
        • information about a potential patch (based on the data source; for Red Hat, for example, this will be information about a potentially available RHSA).
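      As an added example (not code from ACS, roxctl, Scanner V4 or Konflux), the Python below sketches the flow the goals and acceptance criteria describe: parse a constructed SPDX 2.3 JSON SBOM into a component inventory, derive each component's path from DEPENDS_ON relationships, and join the inventory against a findings table to emit rows with the listed report fields. The SBOM, the findings table and the CVE/RHSA ids are all constructed placeholders, not real data.

```python
import json

# Constructed SPDX 2.3 document for illustration (not any real build's SBOM).
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "1.0"},
        {"SPDXID": "SPDXRef-lib", "name": "libfoo", "versionInfo": "2.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:rpm/redhat/libfoo@2.1"}]}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-lib"}]})

# Constructed placeholder findings keyed by PURL (a real scanner would consult its
# vulnerability data sources here); the CVE and RHSA ids are placeholders, not real ones.
FINDINGS = {"pkg:rpm/redhat/libfoo@2.1": [{"cve": "CVE-0000-PLACEHOLDER", "severity": "Important",
                                          "source": "Red Hat", "fix": "RHSA-0000:PLACEHOLDER"}]}

def parse_spdx(spdx_json):
    """Check the SPDX version, then index packages (with PURL) and DEPENDS_ON edges."""
    doc = json.loads(spdx_json)
    if doc.get("spdxVersion") != "SPDX-2.3":
        raise ValueError(f"unsupported SBOM format: {doc.get('spdxVersion')}")
    pkgs, parents = {}, {}  # parents: child SPDXID -> parent SPDXID
    for p in doc.get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        pkgs[p["SPDXID"]] = {"name": p["name"], "version": p.get("versionInfo", "NOASSERTION"), "purl": purl}
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") == "DEPENDS_ON":
            parents.setdefault(rel["relatedSpdxElement"], rel["spdxElementId"])
    return {"packages": pkgs, "parents": parents}

def dependency_path(sbom, spdx_id):
    """Walk DEPENDS_ON edges from the vulnerable package up to the root component."""
    path, seen = [], set()
    while spdx_id in sbom["packages"] and spdx_id not in seen:
        seen.add(spdx_id)  # guards against cyclic relationships
        path.append(sbom["packages"][spdx_id]["name"])
        spdx_id = sbom["parents"].get(spdx_id)
    return path[::-1]

def vulnerability_report(spdx_json, findings=FINDINGS):
    """One row per (component, CVE) carrying the fields the acceptance criteria list."""
    sbom = parse_spdx(spdx_json)
    return [{"cve_id": f["cve"], "component": f"{pkg['name']}-{pkg['version']}",
             "path": " -> ".join(dependency_path(sbom, sid)), "severity": f["severity"],
             "data_source": f["source"], "patch": f["fix"]}
            for sid, pkg in sbom["packages"].items() for f in findings.get(pkg["purl"], [])]
```

Rejecting any spdxVersion other than SPDX-2.3 mirrors the format requirement above; a later SPDX 3.0 input would need a separate parser.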

      Success Criteria or KPIs measured:


Assignee: Brad Lugo (rh-ee-blugo)
Reporter: Brad Lugo (rh-ee-blugo)
Component: ACS Scanner