Uploaded image for project: 'Red Hat Advanced Cluster Security'
  1. Red Hat Advanced Cluster Security
  2. ROX-31161

Fix timestamp processing after image scan results are available for "Days since CVE Fix was published"

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • None
    • None

      User or Developer story:

      As a user, I want the "Fix published" date to be set for CVEs once a fix is available, either with a vendor-provided fix date, or the best estimate of the fix date that ACS can guess, so that I can create policies that provide a grace period before triggering violations for fixable CVEs.

      Acceptance Criteria:

      1. When a CVE changes state from Not Fixable to Fixable, and the ACS scanner can precisely determine the fixed date from the vendor data (at first, only for Red Hat data), then Central will store the precise fixed date in the database as it received it from ACS Scanner.
      2. When a CVE changes state from Not Fixable to Fixable, and the ACS scanner is not able to determine the fixed date from the vendor data (at first, all non-Red Hat data sources), then Central will use the date of the first time the scan value changed from Not Fixable to Fixable as the fixed date, and store that guessed date in the database.

       

              Unassigned Unassigned
              vwilson@redhat.com Van Wilson
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated: