-
Notifications
You must be signed in to change notification settings - Fork 1.9k
[rhacs] Update vulnerability reporting for 4.11 #115043
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: rhacs-docs-main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -1,54 +1,37 @@ | ||||||
| // Module included in the following assemblies: | ||||||
| // | ||||||
| // * operating/manage-vulnerabilities.adoc | ||||||
| // * operating/vulnerability-reporting.adoc | ||||||
|
|
||||||
| :_mod-docs-content-type: PROCEDURE | ||||||
| [id="vulnerability-management20-creating-report_{context}"] | ||||||
| = Creating vulnerability management report configurations | ||||||
|
|
||||||
| [role="_abstract"] | ||||||
| {product-title-short} guides you through the process of creating a vulnerability management report configuration. This configuration determines the information that will be included in a report job that runs at a scheduled time or that you run on demand. | ||||||
| {product-title-short} guides you through the process of creating a vulnerability management report. Your configuration determines the information that the report includes. You can run report jobs at a scheduled time or on-demand. | ||||||
|
|
||||||
| .Procedure | ||||||
| . In the {product-title-short} portal, click the *Vulnerability Management* -> *Vulnerability Reporting* -> *Report configurations* tab. | ||||||
| . Click *Create report*. | ||||||
| . In the *Configure report parameters* page, provide the following information: | ||||||
| ** *Report name*: Enter a name for your report configuration. | ||||||
| ** *Report description*: Enter a text describing the report configuration. This is optional. | ||||||
| ** *CVE severity*: Select the severity of common vulnerabilities and exposures (CVEs) that you want to include in the report configuration. | ||||||
| ** *CVE status*: Select one or more CVE statuses. | ||||||
| + | ||||||
| The following values are associated with the CVE status: | ||||||
| + | ||||||
| *** *Fixable* | ||||||
| *** *Unfixable* | ||||||
| ** *Image type*: Select one or more image types. | ||||||
| + | ||||||
| The following values are associated with image types: | ||||||
| + | ||||||
| *** *Deployed images* | ||||||
| *** *Watched images* | ||||||
| ** *CVEs discovered since*: Select the time period for which you want to include the CVEs in the report configuration. | ||||||
| ** Optional: Choose the appropriate column that you want to include in the vulnerability report: | ||||||
| + | ||||||
| [NOTE] | ||||||
| ==== | ||||||
| You can select one or more columns to include in the report configuration. | ||||||
| ==== | ||||||
| + | ||||||
| *** Select the *Include NVD CVSS* checkbox, if you want to include the NVD CVSS column in the report configuration. | ||||||
| *** Select the *Include EPSS probability* checkbox, if you want to include the EPSS probability column in the report configuration. | ||||||
| *** Select the *Include advisory name and link* checkbox, if you want to include the advisory name and link column in the report configuration. | ||||||
| ** *Configure collection included*: To configure at least one collection, do any of the following tasks: | ||||||
| *** Select an existing collection that you want to include. | ||||||
| + | ||||||
| To view the collection information, edit the collection, and get a preview of collection results, click *View*. | ||||||
| + | ||||||
| When viewing the collection, entering text in the field searches for collections matching that text string. | ||||||
| *** To create a new collection, click *Create collection*. | ||||||
| + | ||||||
| [NOTE] | ||||||
| ==== | ||||||
| For more information about collections, see "Creating and using deployment collections". | ||||||
| ==== | ||||||
| . To configure the delivery destinations and optionally set up a schedule for delivery, click *Next*. | ||||||
| . Do one of the following actions: | ||||||
| * In the {product-title-short} portal, click *Vulnerability Management* -> *Reports* and ensure that the *Report configurations* tab is active, then click *Create report*. | ||||||
| * In *Vulnerability Management* -> *Results*, click *Create report* and select *Create a scheduled report*. | ||||||
| . In *Details*, enter the following information: | ||||||
| ** *Name*: Enter a name for the report. | ||||||
| ** *Description*: Enter text describing the report. This is optional. | ||||||
| . In *Resources*, select the image types you want to include in the report: | ||||||
| * *Deployed images* | ||||||
| * *Watched images* | ||||||
| . Configure the scope of the report by selecting the scope method. This is optional for watched images, but required for deployed images. | ||||||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
More than optional - watched images exist independently of scope, as they typically do not exist as part of any namespace. |
||||||
| * *Collection scope*: Choose the collection you want to use when collecting data for the report. This option is deprecated and will be removed in a future release. | ||||||
| * *Custom scope*: Select *Custom scope* to add clusters, deployments, or namespaces to use when collecting data for the report. You can identify clusters by name, ID, or label. You can identify deployments and namespaces by annotation, ID, label, or name. Add more than one scope criteria to narrow down the vulnerabilities reported. | ||||||
| . In *Filters*, configure the following items: | ||||||
| * *CVEs discovered in image since*: Select the time period for which you want to include the CVEs in the report configuration. | ||||||
| * *Area of concern*: Optional. Further narrow the report by selecting the area of CVEs to include. | ||||||
| * *Vulnerability state*: Select the state of vulnerabilities to include in the report: | ||||||
| ** *Observed* | ||||||
| ** *Deferred* | ||||||
| ** *False positives* | ||||||
| * *CVE severity*: Select the severity of CVEs that you want to include in the report configuration. | ||||||
| * *CVE status*: Select one or more CVE statuses: | ||||||
| ** *Fixable* | ||||||
| ** *Unfixable* | ||||||
| . To filter for a specific CVE, image, or image component, use the selection criteria and enter the information to filter. For example, you can filter for a specific CVE name by selecting *CVE*, selecting *Name*, and entering the name of a CVE. You can use wildcards. Add additional filters to further narrow down the information included on the report. | ||||||
| . In *Delivery*, add information for the report destinations and optionally set up a schedule for delivery. | ||||||
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -8,9 +8,11 @@ toc::[] | |||||
|
|
||||||
| [role="_abstract"] | ||||||
|
|
||||||
| You can create and download an on-demand image vulnerability report by clicking the *Vulnerability Management* -> *Vulnerability Reporting* -> *Report configurations* tab in the {rh-rhacs-first} portal. This report contains a comprehensive list of common vulnerabilities and exposures in images and deployments, referred to as workload CVEs or user workloads in {product-title-short}. | ||||||
| You can create and download an on-demand image vulnerability report by clicking *Vulnerability Management* -> *Reports* and selecting the *Report configurations* tab in the {rh-rhacs-first} portal. This report contains a comprehensive list of common vulnerabilities and exposures in clusters, deployments, and namespaces. Vulnerabilities in the images of a deplyment are called workload CVEs. Cluster CVEs are vulnerabilities related specifically to the orchestrator itself, such as the kube-api-server or generic OpenShift vulnerabilities, rather than vulnerabilities tied to specific container images or nodes. | ||||||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
I'm not sure Cluster CVEs are relevant to reporting, at least if you are talking about CVEs listed under the "Kubernetes Components" section, which are specific to Scanner v2 and actually will be removed in a future version. If you are talking about the "Platform" CVEs - this is mostly accurate. These are still CVEs that affect container images, but are limited to container images that are used in platform namespaces. (Platform namespaces are partially defined by the ACS engineering team, but can be added to by end users). I took a stab at updating the wording for accuracy based on how we defined these CVEs:
Suggested change
|
||||||
|
|
||||||
| To share this report with auditors or internal stakeholders, you can schedule emails in {product-title-short} or download the report and share it by using other methods. | ||||||
| To share vulnerability reports with auditors or internal stakeholders, you can schedule emails in {product-title-short} or download the report and share it by using other methods. | ||||||
|
|
||||||
| In addition to creating reports from the *Image vulnerability reports* page, you can also begin a new report configuration directly from your active workflow filters in the *Vulnerability Management* -> *Results* page. You can select *Create report* -> *Scheduled report* after you apply your filter criteria, and the system creates a report that uses the filters you have selected. | ||||||
|
|
||||||
| include::modules/vulnerability-management-reporting.adoc[leveloffset=+1] | ||||||
|
|
||||||
|
|
@@ -34,10 +36,10 @@ include::modules/user-permissions-for-vulnerability-reports.adoc[leveloffset=+3] | |||||
| * xref:../../operating/manage-user-access/manage-role-based-access-control-3630.adoc#resource-definitions_manage-role-based-access-control[Resource definitions] | ||||||
|
|
||||||
| //Vulnerability report row limit | ||||||
| include::modules/vulnerability-report-row-limit.adoc[leveloffset=+1] | ||||||
| include::modules/vulnerability-report-row-limit.adoc[leveloffset=+2] | ||||||
|
|
||||||
| //Configuring the vulnerability report row limit | ||||||
| include::modules/configure-vulnerability-report-row-limit.adoc[leveloffset=+2] | ||||||
| include::modules/configure-vulnerability-report-row-limit.adoc[leveloffset=+3] | ||||||
|
|
||||||
| //Exporting vulnerability report as a CSV file | ||||||
| include::modules/exporting-vulnerability-report-as-a-csv-file.adoc[leveloffset=+2] | ||||||
|
|
||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this the case? I thought ACS would send
Unknownas the severity if one could not be determined, but I can't be 100% sure.