Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion modules/exporting-vulnerability-report-as-a-csv-file.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,9 @@

:_mod-docs-content-type: PROCEDURE
[id="exporting-vulnerability-report-as-a-csv-file_{context}"]
= Exporting vulnerability report as a CSV file
= Exporting a vulnerability report as a CSV file

[role="_abstract"]
You can export a vulnerability report according to the custom filters you have applied to organize the vulnerability findings list.

[NOTE]
Expand Down
19 changes: 16 additions & 3 deletions modules/vulnerability-management-reporting.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -10,11 +10,24 @@

As organizations must constantly reassess and report on their vulnerabilities, some organizations find it helpful to have scheduled communications to key stakeholders to help in the vulnerability management process.

You can use {product-title} to schedule these reoccurring communications through e-mail. These communications should be scoped to the most relevant information that the key stakeholders need.
You can use {product-title} to schedule these recurring communications through email. Scope these communications to the most relevant information that the key stakeholders need.

For sending these communications, you must consider the following questions:
For sending these communications, consider the following questions:

* What schedule would have the most impact when communicating with the stakeholders?
* Who is the audience?
* Should you only send specific severity vulnerabilities in your report?
* Should you only send fixable vulnerabilities in your report?
* Should you only send fixable vulnerabilities in your report?

Vulnerability reports include information such as the following items:

* Vulnerable component: Identifies the cluster, namespace, deployment, or image.
* Component version: Lists the component that includes the CVE that was discovered.
* CVE number: The unique identifier for the CVE.
* Fixable: Indicaes whether the CVE is fixable.
* Version: If applicable, lists the component version in which the CVE was fixed.
* Severity: Originates directly from the upstream vulnerability data source specific to the affected package or operating system. {product-title-short} will calculate a rating if one is not provided.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

{product-title-short} will calculate a rating if one is not provided.

Is this the case? I thought ACS would send Unknown as the severity if one could not be determined, but I can't be 100% sure.

* CVSS: The single numerical Common Vulnerability Scoring System (CVSS) base score assigned to that specific vulnerability
* EPSS probability percentage: The likelihood that the vulnerability could be exploited according to the link:https://www.first.org/epss/[Exploit Prediction Scoring System (EPSS)]. This EPSS data provides a percentage estimate of the probability that exploitation of this vulnerability will be observed in the next 30 days. The EPSS collects data of observed exploitation activity from partners, and exploitation activity does not mean that an attempted exploitation was successful. The EPSS score should be used as a single data point _along with other information_, such as the age of the CVE, to help you prioritize the vulnerabilities to address. For more information, see link:https://access.redhat.com/articles/7106599[{product-title-short} and EPSS]. This information is visible only when using Scanner V4.
* Discovered at: The time a CVE was first discovered in the associated image. If the image existed before the deployment was created, for example, as part of another deployment, then the "Discovered At" time will precede the deployment time. This time can be used to determine the age of the CVE in an image.
* Reference: Provides a URL to the upstream data source from which {product-title-short} obtains the vulnerability information. Depending on the type of package affected, the reference points to different sources such as the Red Hat CVE database, the National Vulnerability Database (NVD), or OSV.dev. You can use this URL to manually verify the impact, read detailed descriptions, or review mitigation instructions directly from the source that provided the rating.
2 changes: 1 addition & 1 deletion modules/vulnerability-management20-clone-reports.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
You can make copies of vulnerability report configurations by cloning them. This is useful when you want to reuse report configurations with minor changes, such as reporting vulnerabilities in different deployments or namespaces.

.Procedure
. In the {product-title-short} portal, click the *Vulnerability Management* -> *Vulnerability Reporting* -> *Report configurations* tab.
. In the {product-title-short} portal, click the *Vulnerability Management* -> *Reports* -> *Report configurations* tab.
. Locate the report configuration that you want to clone in the list of report configurations.
. Click the overflow menu, {kebab}, and then click *Clone report*.
. Make any changes that you want to the report parameters and delivery destinations.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,21 +7,19 @@
= Configuring delivery destinations and scheduling

[role="_abstract"]
Configuring destinations and delivery schedules for vulnerability reports is optional, unless on the previous page, you selected the option to include CVEs that were discovered since the last scheduled report. If you selected that option, configuring destinations and delivery schedules for vulnerability reports is required.
Configuring destinations and delivery schedules for vulnerability reports is optional. You can configure email destinations and schedule delivery.

.Procedure
. To configure destinations for delivery, in the *Configure delivery destinations* section, you can add a delivery destination and set up a schedule for reporting.
. To email reports, you must configure at least one email notifier. Select an existing notifier or create a new email notifier to send your report by email. For more information about creating an email notifier, see "Configuring the email plugin" in the "Additional resources" section.
+
When you select a notifier, the email addresses configured in the notifier as *Default recipients* appear in the *Distribution list* field. You can add additional email addresses that are separated by a comma.
. A default email template is automatically applied. To edit this default template, perform the following steps:
.. Click the edit icon and enter a customized subject and email body in the *Edit* tab.
.. Click the *Preview* tab to see your proposed template.
.. Click *Apply* to save your changes to the template.
. A default email template is automatically applied. You can change the following values:
* Custom subject
* Custom body
+
[NOTE]
====
When reviewing the report jobs for a specific report, you can see whether the default template or a customized template was used when creating the report.
====
. In the *Configure schedule* section, select the frequency and day of the week for the report.
. In the *Configure schedule* section, select the frequency, days, and time for generation of the report.
. Click *Next* to review your vulnerability report configuration and finish creating it.
71 changes: 27 additions & 44 deletions modules/vulnerability-management20-creating-report.adoc
Original file line number Diff line number Diff line change
@@ -1,54 +1,37 @@
// Module included in the following assemblies:
//
// * operating/manage-vulnerabilities.adoc
// * operating/vulnerability-reporting.adoc

:_mod-docs-content-type: PROCEDURE
[id="vulnerability-management20-creating-report_{context}"]
= Creating vulnerability management report configurations

[role="_abstract"]
{product-title-short} guides you through the process of creating a vulnerability management report configuration. This configuration determines the information that will be included in a report job that runs at a scheduled time or that you run on demand.
{product-title-short} guides you through the process of creating a vulnerability management report. Your configuration determines the information that the report includes. You can run report jobs at a scheduled time or on-demand.

.Procedure
. In the {product-title-short} portal, click the *Vulnerability Management* -> *Vulnerability Reporting* -> *Report configurations* tab.
. Click *Create report*.
. In the *Configure report parameters* page, provide the following information:
** *Report name*: Enter a name for your report configuration.
** *Report description*: Enter a text describing the report configuration. This is optional.
** *CVE severity*: Select the severity of common vulnerabilities and exposures (CVEs) that you want to include in the report configuration.
** *CVE status*: Select one or more CVE statuses.
+
The following values are associated with the CVE status:
+
*** *Fixable*
*** *Unfixable*
** *Image type*: Select one or more image types.
+
The following values are associated with image types:
+
*** *Deployed images*
*** *Watched images*
** *CVEs discovered since*: Select the time period for which you want to include the CVEs in the report configuration.
** Optional: Choose the appropriate column that you want to include in the vulnerability report:
+
[NOTE]
====
You can select one or more columns to include in the report configuration.
====
+
*** Select the *Include NVD CVSS* checkbox, if you want to include the NVD CVSS column in the report configuration.
*** Select the *Include EPSS probability* checkbox, if you want to include the EPSS probability column in the report configuration.
*** Select the *Include advisory name and link* checkbox, if you want to include the advisory name and link column in the report configuration.
** *Configure collection included*: To configure at least one collection, do any of the following tasks:
*** Select an existing collection that you want to include.
+
To view the collection information, edit the collection, and get a preview of collection results, click *View*.
+
When viewing the collection, entering text in the field searches for collections matching that text string.
*** To create a new collection, click *Create collection*.
+
[NOTE]
====
For more information about collections, see "Creating and using deployment collections".
====
. To configure the delivery destinations and optionally set up a schedule for delivery, click *Next*.
. Do one of the following actions:
* In the {product-title-short} portal, click *Vulnerability Management* -> *Reports* and ensure that the *Report configurations* tab is active, then click *Create report*.
* In *Vulnerability Management* -> *Results*, click *Create report* and select *Create a scheduled report*.
. In *Details*, enter the following information:
** *Name*: Enter a name for the report.
** *Description*: Enter text describing the report. This is optional.
. In *Resources*, select the image types you want to include in the report:
* *Deployed images*
* *Watched images*
. Configure the scope of the report by selecting the scope method. This is optional for watched images, but required for deployed images.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
. Configure the scope of the report by selecting the scope method. This is optional for watched images, but required for deployed images.
. Configure the scope of the report by selecting the scope method. This is irrelevant for watched images, but required for deployed images.

More than optional - watched images exist independently of scope, as they typically do not exist as part of any namespace.

* *Collection scope*: Choose the collection you want to use when collecting data for the report. This option is deprecated and will be removed in a future release.
* *Custom scope*: Select *Custom scope* to add clusters, deployments, or namespaces to use when collecting data for the report. You can identify clusters by name, ID, or label. You can identify deployments and namespaces by annotation, ID, label, or name. Add more than one scope criteria to narrow down the vulnerabilities reported.
. In *Filters*, configure the following items:
* *CVEs discovered in image since*: Select the time period for which you want to include the CVEs in the report configuration.
* *Area of concern*: Optional. Further narrow the report by selecting the area of CVEs to include.
* *Vulnerability state*: Select the state of vulnerabilities to include in the report:
** *Observed*
** *Deferred*
** *False positives*
* *CVE severity*: Select the severity of CVEs that you want to include in the report configuration.
* *CVE status*: Select one or more CVE statuses:
** *Fixable*
** *Unfixable*
. To filter for a specific CVE, image, or image component, use the selection criteria and enter the information to filter. For example, you can filter for a specific CVE name by selecting *CVE*, selecting *Name*, and entering the name of a CVE. You can use wildcards. Add additional filters to further narrow down the information included on the report.
. In *Delivery*, add information for the report destinations and optionally set up a schedule for delivery.
2 changes: 1 addition & 1 deletion modules/vulnerability-management20-delete-reports.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,6 @@
Deleting a report configuration deletes the configuration and any reports that were previously run using this configuration.

.Procedure
. In the {product-title-short} portal, click the *Vulnerability Management* -> *Vulnerability Reporting* -> *Report configurations* tab.
. In the {product-title-short} portal, click the *Vulnerability Management* -> *Reports* -> *Report configurations* tab.
. Locate the report configuration that you want to delete in the list of reports.
. Click the overflow menu, {kebab}, and then select *Delete report*.
6 changes: 3 additions & 3 deletions modules/vulnerability-management20-download-reports.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -15,14 +15,14 @@ You can only download reports that you have generated; you cannot download repor
====

.Procedure
. In the {product-title-short} portal, click the *Vulnerability Management* -> *Vulnerability Reporting* -> *Report configurations* tab.
. In the {product-title-short} portal, click the *Vulnerability Management* -> *Reports* -> *Report configurations* tab.
. In the list of report configurations, locate the report configuration that you want to use to create the downloadable report.
. Choose the appropriate method to generate the vulnerability report:
* To generate the report from the *Report configurations* tab, complete the following steps:
.. Click the overflow menu, {kebab}, and then select *Generate download*.
.. After the report is generated, click the *Ready for download* link in the *My last job status* column. The report is in `.csv` format and is compressed into a `.zip` file for download.
.. After the report is generated, click the *Report ready for download* link in the *My last job status* column. The report is in `.csv` format and is compressed into a `.zip` file for download.
* To generate the report from the *Configuration details* tab, complete the following steps:
.. To open the *Configuration details* tab, click the report configuration name.
.. Click *Actions*, and then select *Generate download*.
.. Click the *All report jobs* tab from the menu on the header.
.. After the report is generated, click the *Ready for download* link in the *Status* column. The report is in `.csv` format and is compressed into a `.zip` file for download.
.. After the report is generated, click the *Report ready for download* link in the *Status* column. The report is in `.csv` format and is compressed into a `.zip` file for download.
2 changes: 1 addition & 1 deletion modules/vulnerability-management20-edit-reports.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
You can edit existing vulnerability report configurations from the list of report configurations, or by selecting an individual report configuration first.

.Procedure
. In the {product-title-short} portal, click the *Vulnerability Management* -> *Vulnerability Reporting* -> *Report configurations* tab.
. In the {product-title-short} portal, click the *Vulnerability Management* -> *Reports* -> *Report configurations* tab.
. To edit an existing vulnerability report configuration, complete any of the following actions:
* Locate the report configuration that you want to edit in the list of report configurations. Click the overflow menu, {kebab}, and then select *Edit report*.
* Click the report configuration name in the list of report configurations. Then, click *Actions* and select *Edit report*.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -10,5 +10,5 @@
You can review the details of your vulnerability report configuration before creating it.

.Procedure
. In the *Review* section, you can review the report configuration parameters, delivery destination, email template that is used if you selected email delivery, delivery schedule, and report format. To make any changes, click *Back* to go to the previous section and edit the fields that you want to change.
. In the *Review* section, you can review the report configuration parameters, delivery destination, and delivery schedule. To make any changes, click *Back* to go to the previous section and edit the fields that you want to change.
. To create the report configuration and save it, click *Save*.
2 changes: 1 addition & 1 deletion modules/vulnerability-management20-send-reports.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,6 @@
You can send vulnerability reports immediately, rather than waiting for the scheduled send time.

.Procedure
. In the {product-title-short} portal, click the *Vulnerability Management* -> *Vulnerability Reporting* -> *Report configurations* tab.
. In the {product-title-short} portal, click the *Vulnerability Management* -> *Reports* -> *Report configurations* tab.
. In the list of report configurations, locate the report configuration for the report that you want to send.
. Click the overflow menu, {kebab}, and then select *Send report*.
10 changes: 6 additions & 4 deletions operating/manage-vulnerabilities/vulnerability-reporting.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,11 @@ toc::[]

[role="_abstract"]

You can create and download an on-demand image vulnerability report by clicking the *Vulnerability Management* -> *Vulnerability Reporting* -> *Report configurations* tab in the {rh-rhacs-first} portal. This report contains a comprehensive list of common vulnerabilities and exposures in images and deployments, referred to as workload CVEs or user workloads in {product-title-short}.
You can create and download an on-demand image vulnerability report by clicking *Vulnerability Management* -> *Reports* and selecting the *Report configurations* tab in the {rh-rhacs-first} portal. This report contains a comprehensive list of common vulnerabilities and exposures in clusters, deployments, and namespaces. Vulnerabilities in the images of a deplyment are called workload CVEs. Cluster CVEs are vulnerabilities related specifically to the orchestrator itself, such as the kube-api-server or generic OpenShift vulnerabilities, rather than vulnerabilities tied to specific container images or nodes.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cluster CVEs are vulnerabilities related specifically to the orchestrator itself, such as the kube-api-server or generic OpenShift vulnerabilities, rather than vulnerabilities tied to specific container images or nodes.

I'm not sure Cluster CVEs are relevant to reporting, at least if you are talking about CVEs listed under the "Kubernetes Components" section, which are specific to Scanner v2 and actually will be removed in a future version.

If you are talking about the "Platform" CVEs - this is mostly accurate. These are still CVEs that affect container images, but are limited to container images that are used in platform namespaces. (Platform namespaces are partially defined by the ACS engineering team, but can be added to by end users).

I took a stab at updating the wording for accuracy based on how we defined these CVEs:

Suggested change
You can create and download an on-demand image vulnerability report by clicking *Vulnerability Management* -> *Reports* and selecting the *Report configurations* tab in the {rh-rhacs-first} portal. This report contains a comprehensive list of common vulnerabilities and exposures in clusters, deployments, and namespaces. Vulnerabilities in the images of a deplyment are called workload CVEs. Cluster CVEs are vulnerabilities related specifically to the orchestrator itself, such as the kube-api-server or generic OpenShift vulnerabilities, rather than vulnerabilities tied to specific container images or nodes.
You can create and download an on-demand image vulnerability report by clicking *Vulnerability Management* -> *Reports* and selecting the *Report configurations* tab in the {rh-rhacs-first} portal. This report contains a comprehensive list of common vulnerabilities and exposures in clusters, deployments, and namespaces. Vulnerabilities in the application images of a deployment are called workload CVEs. Platform CVEs are vulnerabilities related specifically to the orchestrator itself, such as the kube-api-server or generic OpenShift vulnerabilities, and are limited to container images that appear in namespaces designated "Platform Components".


To share this report with auditors or internal stakeholders, you can schedule emails in {product-title-short} or download the report and share it by using other methods.
To share vulnerability reports with auditors or internal stakeholders, you can schedule emails in {product-title-short} or download the report and share it by using other methods.

In addition to creating reports from the *Image vulnerability reports* page, you can also begin a new report configuration directly from your active workflow filters in the *Vulnerability Management* -> *Results* page. You can select *Create report* -> *Scheduled report* after you apply your filter criteria, and the system creates a report that uses the filters you have selected.

include::modules/vulnerability-management-reporting.adoc[leveloffset=+1]

Expand All @@ -34,10 +36,10 @@ include::modules/user-permissions-for-vulnerability-reports.adoc[leveloffset=+3]
* xref:../../operating/manage-user-access/manage-role-based-access-control-3630.adoc#resource-definitions_manage-role-based-access-control[Resource definitions]

//Vulnerability report row limit
include::modules/vulnerability-report-row-limit.adoc[leveloffset=+1]
include::modules/vulnerability-report-row-limit.adoc[leveloffset=+2]

//Configuring the vulnerability report row limit
include::modules/configure-vulnerability-report-row-limit.adoc[leveloffset=+2]
include::modules/configure-vulnerability-report-row-limit.adoc[leveloffset=+3]

//Exporting vulnerability report as a CSV file
include::modules/exporting-vulnerability-report-as-a-csv-file.adoc[leveloffset=+2]
Expand Down