Issue Type: Epic
Resolution: Unresolved
Epic: Vulnerability Reporting - Executive and Customizable CVE Reports
Status: To Do
Parent: SAT-36020 - Satellite works with a Locally installed (GA) version of the vulnerability service
sat-proton
Overview
This epic focuses on providing administrators with comprehensive reporting capabilities for vulnerability data, including executive summaries and customizable CVE reports. These reporting features enable admins to communicate security posture to stakeholders, demonstrate compliance, and provide evidence of vulnerability management efforts.
Background
As part of the larger effort to support a locally installed GA version of the Insights Vulnerability service (SAT-36020), administrators need robust reporting capabilities to communicate vulnerability status to different audiences. Management needs high-level executive summaries, while security teams require detailed, customizable reports showing the current state of CVE exposure across their RHEL infrastructure.
Goals
- Provide executive-level reporting that summarizes vulnerability exposure in a management-friendly format
- Enable customizable PDF reports that can be tailored to specific filtering criteria and use cases
- Allow administrators to generate reports quickly and efficiently for regular status updates
- Support both high-level overview reports and detailed CVE-specific reports
User Stories
User Story: Executive report for CVEs affecting my environment
As a RHEL Admin, I need to provide my management with status on a regular basis. I save myself a lot of time by running the executive report from the vulnerability service and sending it to my manager.
User Story: Customizable reports for CVEs affecting my environment
As a RHEL Admin, I need something more powerful than the list export to share with my security team to prove the current state of security exposure for my RHEL deployment. I generate a customized report of all CVEs and forward it to the security team for visibility.
User Story: Report by CVEs
As a RHEL Admin, I want to generate a customizable PDF report of vulnerabilities identified by Red Hat across workloads that may impact my RHEL servers, so I can share detailed CVE information with stakeholders.
In Scope
- Executive report generation in PDF format with high-level vulnerability summary
- Customizable CVE report generation with filtering capabilities
- Report by CVEs feature allowing detailed vulnerability reporting
- Download functionality for generated reports
- Report customization options (filters, date ranges, severity levels, etc.)
- Visual data presentation in reports (charts, graphs, summary statistics)
Acceptance Criteria
Executive Report:
- AC1: Executive report option is available and generates a multi-page PDF report
- AC2: Report includes executive summary with total counts (analyzed systems, identified CVEs, security rules)
- AC3: Report includes CVE analysis section with CVSS score distribution (pie chart and table)
- AC4: Report shows recently published CVEs (last 7, 30, and 90 days)
- AC5: Report includes top 3 vulnerabilities with CVE ID, CVSS score, affected systems, and descriptions
- AC6: Report includes security rules section with severity breakdown (table and bar chart)
- AC7: Report includes top 3 security rules with severity, affected systems, and associated CVEs
- AC8: Report includes Red Hat branding, timestamps, and page numbers
- AC9: Generated PDF can be downloaded to local system
Customizable CVE Report (Report by CVEs):
- AC10: "Report by CVEs" modal is accessible from the vulnerability interface
- AC11: Users can provide a custom report title
- AC12: Users can filter CVEs by severity level
- AC13: Users can filter CVEs by CVSS base score range
- AC14: Users can filter CVEs by business risk
- AC15: Users can filter CVEs by status
- AC16: Users can filter CVEs by affected OS version
- AC17: Users can filter by affected system types (Conventional RPM-DNF, Immutable OSTree)
- AC18: Users can filter by tags applied to systems
- AC19: Users can choose between "All columns" or "Choose columns" for CVE data inclusion
- AC20: Users can sort CVEs by CVSS base score (High to Low or Low to High)
- AC21: Users can add optional notes to the report
- AC22: "Export report" button generates the PDF with selected filters and options
- AC23: Generated PDF includes all selected filter criteria and data columns
- AC24: Generated PDF can be downloaded to local system
User Experience:
- AC25: Report generation provides progress feedback to users
- AC26: Users receive clear confirmation when reports are ready for download
- AC27: Error messages are clear and actionable if report generation fails
- AC28: Report generation is restricted to users holding the appropriate permission, with the check enforced server-side when the report is generated (not only by hiding the UI control); report contents are scoped to the hosts the requesting user is permitted to view, so a report never discloses CVE exposure for hosts outside that scope
Performance:
- AC29: Executive report generation completes within 30 seconds
- AC30: Customizable reports with filters complete within 60 seconds
- AC31: Report generation does not degrade the responsiveness of other Satellite operations while a report is being produced
- AC32: Reports can handle large datasets (1000+ hosts, 10000+ CVEs)
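The acceptance criteria above fix the data behind the two reports, but they leave the boundary semantics implicit: where the CVSS bands begin and end (AC3, AC12), whether "last 90 days" includes a CVE published exactly 90 days ago (AC4), how ties are broken when picking the top 3 (AC5), and whether a CVSS range filter is inclusive (AC13). The following Python is an added example written for this page, not code from Satellite, the Insights Vulnerability service, or this epic; it pins those semantics down over a constructed fixture. The record shape, status strings, host names and CVE IDs (the CVE-2099-* identifiers are placeholders) are constructed for illustration; the severity bands follow the CVSS v3.x qualitative severity rating scale. It also shows an edge case the counts should handle: a CVE whose only affected host is no longer analyzed is excluded from the executive totals rather than inflating them.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Iterable, Optional, Sequence, Tuple

# Added example only; not code from Satellite or the Insights Vulnerability
# service. Record shape, status strings, host names and CVE IDs are constructed.


@dataclass(frozen=True)
class Cve:
    cve_id: str
    cvss_base: float                  # CVSS v3.x base score, 0.0-10.0
    published: date                   # publication date used for AC4 windows
    affected_systems: FrozenSet[str]  # host identifiers the CVE applies to
    status: str = "Not reviewed"


# CVSS v3.x qualitative severity rating scale: floor of each band, highest first.
SEVERITY_BANDS = (("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.1), ("None", 0.0))


def cvss_severity(score: float) -> str:
    """Map a base score to its qualitative band; out-of-range input is rejected."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    return next(name for name, floor in SEVERITY_BANDS if score >= floor)


def executive_summary(cves: Sequence[Cve], analyzed_systems: Iterable[str], today: date) -> dict:
    """Data behind AC2-AC5: totals, CVSS distribution, recency windows, top 3."""
    analyzed = frozenset(analyzed_systems)
    # Only CVEs touching an analyzed host count as exposure; a CVE whose sole
    # affected host is no longer analyzed must not inflate the totals.
    exposed = [c for c in cves if c.affected_systems & analyzed]
    distribution = Counter(cvss_severity(c.cvss_base) for c in exposed)
    # Windows are inclusive: published exactly N days ago is "in the last N days".
    recent = {days: sum(1 for c in exposed if c.published >= today - timedelta(days=days))
              for days in (7, 30, 90)}
    # Rank by analyzed hosts affected, then score, then ID so the order is stable.
    top = sorted(exposed, key=lambda c: (-len(c.affected_systems & analyzed), -c.cvss_base, c.cve_id))[:3]
    return {
        "analyzed_systems": len(analyzed),
        "identified_cves": len(exposed),
        "cvss_distribution": dict(distribution),
        "recently_published": recent,
        "top_vulnerabilities": [(c.cve_id, c.cvss_base, len(c.affected_systems & analyzed)) for c in top],
    }


def report_by_cves(cves: Sequence[Cve], *, severities: Optional[Iterable[str]] = None,
                   cvss_range: Optional[Tuple[float, float]] = None,
                   statuses: Optional[Iterable[str]] = None, high_to_low: bool = True) -> list:
    """Rows for the custom report (AC12, AC13, AC15, AC20); None means 'no filter'."""
    rows = list(cves)
    if severities is not None:
        wanted = set(severities)
        rows = [c for c in rows if cvss_severity(c.cvss_base) in wanted]
    if cvss_range is not None:
        lo, hi = cvss_range
        if not 0.0 <= lo <= hi <= 10.0:
            raise ValueError(f"invalid CVSS range: {cvss_range}")
        rows = [c for c in rows if lo <= c.cvss_base <= hi]  # both bounds inclusive
    if statuses is not None:
        wanted = set(statuses)
        rows = [c for c in rows if c.status in wanted]
    # Sort by score in the requested direction; ties always break on ID ascending.
    rows.sort(key=lambda c: (-c.cvss_base if high_to_low else c.cvss_base, c.cve_id))
    return rows


# Constructed fixture with a fixed "today" so the recency windows are reproducible.
TODAY = date(2025, 6, 30)
ANALYZED_SYSTEMS = frozenset({"web-01", "web-02", "db-01", "build-01", "idle-01"})
SAMPLE_CVES = [
    Cve("CVE-2099-0001", 9.8, TODAY - timedelta(days=3), frozenset({"web-01", "web-02", "db-01"}), "In review"),
    Cve("CVE-2099-0002", 7.5, TODAY - timedelta(days=20), frozenset({"web-01"})),
    Cve("CVE-2099-0003", 5.3, TODAY - timedelta(days=60), frozenset({"web-02", "db-01"}), "Scheduled for patch"),
    Cve("CVE-2099-0004", 3.1, TODAY - timedelta(days=200), frozenset({"build-01"})),
    Cve("CVE-2099-0005", 7.0, TODAY - timedelta(days=90), frozenset({"web-01", "web-02"})),  # on the 90-day edge
    Cve("CVE-2099-0006", 8.1, TODAY - timedelta(days=5), frozenset({"retired-01"})),  # host not analyzed
]

if __name__ == "__main__":
    print(executive_summary(SAMPLE_CVES, ANALYZED_SYSTEMS, TODAY))
    for row in report_by_cves(SAMPLE_CVES, severities={"High", "Critical"}, statuses={"Not reviewed"}):
        print(row.cve_id, row.cvss_base, row.status)
```

Run against the fixture, the executive summary counts 5 analyzed systems and 5 exposed CVEs (CVE-2099-0006 is dropped because its only host is not analyzed), reports 1/2/4 CVEs for the 7/30/90-day windows (the CVE published exactly 90 days ago is counted), and ranks CVE-2099-0005 above CVE-2099-0003 because both affect two hosts and the tie breaks on score. Whatever values the implementation settles on, the point is that each of these choices is made explicitly and tested, rather than left to whichever library call happens to be used.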
Dependencies
- Parent Epic: SAT-36020
- Requires vulnerability data to be available and accessible
- May require integration with PDF generation libraries/services
- Depends on vulnerability analysis being enabled for hosts
Technical Considerations
- PDF generation performance optimization for large datasets
- Report caching strategies to improve generation speed; a cache entry must be keyed on the requesting user's host scope, the exact filter set, and the version of the underlying vulnerability data, so a cached report is never served to a user who is not permitted to see every host it covers
- Data aggregation and summarization algorithms for executive reports
- Chart and graph generation for visual data representation
- Flexible filtering and query capabilities for customizable reports
- Consider template engine for report formatting and branding
- Ensure reports handle pagination appropriately for large result sets
- Red Hat branding and design guidelines compliance