Per vulnerability policy rules #1182
Today, if there's a critical CVE violation, EC will emit something like this:

However, what has become increasingly clear is that excluding all the CVEs for a particular severity is too heavy handed in most cases. Thus this GitHub issue.

Let's tweak the existing policy rules to emit violations like this:

So for example, if this is your current policy config:

```yaml
---
spec:
  sources:
    - data:
        - github.com/release-engineering/rhtap-ec-policy//data
        - oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest
      name: Release Policies
      policy:
        - oci::quay.io/enterprise-contract/ec-release-policy:latest
      config:
        exclude:
          - cve.cve_blockers:critical
        include:
          - "@redhat"
```

If you want to continue excluding all critical CVEs, then:

```yaml
---
spec:
  sources:
    - data:
        - github.com/release-engineering/rhtap-ec-policy//data
        - oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest
      name: Release Policies
      policy:
        - oci::quay.io/enterprise-contract/ec-release-policy:latest
      ruleData:
        # Override default value to exclude "critical"
        restrict_cve_security_levels: ["high"]
        # Optionally, report "critical" as a warning
        warn_cve_security_levels: ["critical"]
      config:
        include:
          - "@redhat"
```

And if you want to only exclude a single CVE:

```yaml
---
spec:
  sources:
    - data:
        - github.com/release-engineering/rhtap-ec-policy//data
        - oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest
      name: Release Policies
      policy:
        - oci::quay.io/enterprise-contract/ec-release-policy:latest
      config:
        exclude:
          - cve.cve_blockers:CVE-123-456
        include:
          - "@redhat"
```

Of course, this will require a small migration of the existing EC policy configs, but I do believe this will bring us to a much better state. (There's also the desire to only apply an exclusion to some of the components. That is orthogonal to this work.)
I like it.

Oh, I thought it was already possible to grant an exception for specific CVEs. :)
This commit changes the CVE policy rules to inspect the full CVE report available in the OCI registry. By doing so, the policies now have the list of CVEs found, instead of just a summary. The policy rules have been rewritten to emit the CVE name as the term. This allows users to add exceptions for a particular CVE. Previously, it was only possible to add exceptions for a certain CVE level/severity. The leeway feature was also tweaked. Now, every violation contains an `effective_on` which is the issue date of the vulnerability plus any leeway days that may have been configured. The policies rely on the EC CLI to downgrade violations to warnings when the effective_on date is in the future. Fixes enterprise-contract#1182 Ref: EC-921 Signed-off-by: Luiz Carvalho <[email protected]>
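The following is a constructed Python model of the behaviour described in the issue above and in this commit message (added here for illustration; it is not the EC Rego policy or CLI code). It assumes a simplified per-CVE report with an id, severity and issue date, and reuses the `ruleData` keys and the `cve.cve_blockers:<term>` exclude form from the issue; it shows why a severity-based exclude stops matching once the term is the CVE name, and how `effective_on` leeway downgrades a violation to a warning.

```python
from datetime import date, timedelta

RULE = "cve.cve_blockers"

# Constructed sample shaped like a per-CVE report (id, severity, issue date).
# This is an assumption for the example, not the real Clair report schema.
SAMPLE_VULNS = [
    {"id": "CVE-123-456", "severity": "critical", "issued": "2024-01-10"},
    {"id": "CVE-123-789", "severity": "critical", "issued": "2024-02-01"},
    {"id": "CVE-222-333", "severity": "high", "issued": "2024-02-05"},
    {"id": "CVE-444-555", "severity": "low", "issued": "2024-01-01"},
]


def is_excluded(term, excludes):
    """An exclude entry matches the whole rule ("cve.cve_blockers") or one
    term ("cve.cve_blockers:CVE-123-456"). With the new rules the term is the
    CVE name, so an old-style "cve.cve_blockers:critical" matches nothing and
    must be migrated to ruleData as the issue shows."""
    return any(e in (RULE, f"{RULE}:{term}") for e in excludes)


def evaluate(vulns, rule_data, excludes, today, leeway_days=0):
    """Return {"violations": [...], "warnings": [...]} for one report.

    rule_data uses the issue's keys: restrict_cve_security_levels yields
    violations, warn_cve_security_levels yields warnings. Each result is
    (term, effective_on); effective_on is the issue date plus leeway, and a
    violation whose effective_on is still in the future is downgraded to a
    warning, mirroring what the commit message says the EC CLI does.
    """
    restrict = set(rule_data.get("restrict_cve_security_levels", []))
    warn = set(rule_data.get("warn_cve_security_levels", []))
    today = date.fromisoformat(today)
    out = {"violations": [], "warnings": []}
    for v in sorted(vulns, key=lambda x: x["id"]):
        term, sev = v["id"], v["severity"]
        if is_excluded(term, excludes):
            continue
        eff = date.fromisoformat(v["issued"]) + timedelta(days=leeway_days)
        result = (term, eff.isoformat())
        if sev in restrict:
            out["warnings" if eff > today else "violations"].append(result)
        elif sev in warn:
            out["warnings"].append(result)
    return out
```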
From #1180 (review), given that we have access to the full Clair vulnerability report, rather than the aggregate, this now enables per-vulnerability rules. For example term-based exclusion on a per-vulnerability basis.