
Ignore false fixable vulnerabilities#906

Merged
rukletsov merged 1 commit into master from alexr/moar-allowed-vulns
Mar 11, 2022

Conversation

@rukletsov
Member

(cherry picked from commit 8781d51)

Checklist

  • Investigated and inspected CI test results
  • Unit test and regression tests added
  • Evaluated and added CHANGELOG entry if required
  • Determined and documented upgrade steps
  • Documented user facing changes (create PR based on stackrox/openshift-docs and merge into rhacs-docs)

Testing Performed

None

@ghost

ghost commented Mar 11, 2022

Tag for build #299020 is 3.69.x-65-g0f7fcc7872.

💻 For deploying this image using the dev scripts, run the following first:

export MAIN_IMAGE_TAG='3.69.x-65-g0f7fcc7872'

📦 You can also generate an installation bundle with:

docker run -i --rm stackrox/main:3.69.x-65-g0f7fcc7872 central generate interactive > bundle.zip

🕹️ A roxctl binary artifact can be downloaded from CircleCI.

@parametalol
Contributor

There is a conceptually conflicting PR #839, which tries to avoid the reported vulnerabilities by switching to the ubi8-micro base image.
If we continue adding exceptions to the found vulnerabilities, we need to initiate a recurring activity (another step of the release procedure?) to review the list.

@misberner misberner (Contributor) left a comment

This seems fine. I don't think we can migrate all containers to ubi-micro so it's not conceptually conflicting. It's also highly unlikely that these will become real vulns as they have been fixed for a while.

Should there ever be vulnerabilities we are not super confident about, I think the right move would be to add an expires field here, such that a suppression is only respected if the current time is earlier than expires. This would mimic the "CVE snoozing" feature in the product.
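The expiring suppression that misberner describes, as an added example (not StackRox's own code or allowlist format): the line format, type and function names are assumptions; an entry without expires is permanent, an expired entry no longer hides the vulnerability, and a malformed expiry rejects the list instead of silently becoming permanent.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Suppression is one allowlist entry; a zero Expires means it never lapses.
type Suppression struct {
	ID      string
	Expires time.Time
}

// ParseSuppressions reads "CVE-ID" or "CVE-ID expires=<RFC3339>" lines (a format assumed for this example).
func ParseSuppressions(text string) ([]Suppression, error) {
	var out []Suppression
	for _, line := range strings.Split(text, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
			continue // blank line or comment
		}
		s := Suppression{ID: fields[0]}
		if len(fields) > 1 {
			// A malformed expiry rejects the list rather than silently becoming a permanent exception.
			t, err := time.Parse(time.RFC3339, strings.TrimPrefix(fields[1], "expires="))
			if err != nil {
				return nil, fmt.Errorf("bad expiry in %q: %w", line, err)
			}
			s.Expires = t
		}
		out = append(out, s)
	}
	return out, nil
}

// Unsuppressed returns the IDs in found that still need reporting at time now: unlisted ones and ones whose entry has expired.
func Unsuppressed(found []string, sups []Suppression, now time.Time) []string {
	active := map[string]bool{}
	for _, s := range sups {
		active[s.ID] = s.Expires.IsZero() || now.Before(s.Expires)
	}
	var remaining []string
	for _, id := range found {
		if !active[id] {
			remaining = append(remaining, id)
		}
	}
	return remaining
}
```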

@rukletsov rukletsov merged commit 0fb72f4 into master Mar 11, 2022
@rukletsov rukletsov deleted the alexr/moar-allowed-vulns branch March 11, 2022 14:55
@janisz janisz mentioned this pull request Mar 25, 2022
janisz added a commit that referenced this pull request Mar 26, 2022
RTann pushed a commit that referenced this pull request Apr 6, 2022
(cherry picked from commit 8781d51) (#847)

Co-authored-by: Michaël <michael@redhat.com>