Meeting the Certification Requirements
Last updated
In the next few sections we review the process of using the Red Hat OVAL v2 streams to accurately determine which CVEs affect the Red Hat products and packages present in a container image.
Before we get started, let's review the certification requirements and how they align with the process discussed next.
Requirement: Base vulnerability scan results on the Red Hat OVAL v2 security data feed
Details: Consume , and OVAL v2 Product Streams. For additional details see section.

Requirement: Accurately determine Red Hat package versions to detect Red Hat security fix backporting
Details: The implementation is up to the Partner. Leverage RPM if necessary to identify which files and packages are associated with a Red Hat package. Red Hat backports fixes into the shipped package version and bumps only the release field, so a scanner that compares the upstream version alone will report fixed packages as vulnerable; the comparison has to be made against the fixed epoch:version-release named in the OVAL definition. For additional details see and sections.

Requirement: Integrate the Red Hat four-point severity rating in scan results
Details: Critical, Important, Moderate, Low. For additional details see section.

Requirement: Key step: Determine the correct Product-Version (CPE)
Details: For additional details see section.

Requirement: Clearly indicate Red Hat patched vulnerabilities where applicable
Details: Either suppress the vulnerability or show the fix and the RHSA. In the OVAL definitions this is carried by the definition class: class="patch" definitions correspond to an advisory and name the fixed package versions, class="vulnerability" definitions are keyed by CVE. See section.

As part of the certification process, the scan results a Partner product generates for the certification test-harness images are compared with the results of Clair v4 (an open source container vulnerability scanner) for a handful of pre-identified use cases.
Hence, in the next few sections we will in some instances provide links to Clair v4 implementation details in the Resources section as a reference.
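The backporting requirement above is the one scanners most often get wrong, because the installed version string never reaches the upstream version in which the fix landed. The following Python block is an added example written for this page; it is not code from Red Hat, from Clair v4 or from any Partner product. It ports librpm's rpmvercmp() ordering and uses it to compare an installed package EVR (epoch:version-release, as RPM reports it) against the fixed EVR that a Red Hat OVAL v2 class="patch" definition carries in its rpminfo_state, evaluating the same "less than" operation the OVAL test uses. The package EVR values in the demo are constructed and do not refer to a real advisory.

```python
import re


def rpmvercmp(a: str, b: str) -> int:
    """Port of librpm's rpmvercmp(): -1, 0 or 1 like strcmp. Alternating
    digit/alpha segments are compared in turn (separators skipped, numeric
    segments by value); '~' sorts before anything, '^' after end-of-string."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":  # pre-release marker, sorts first
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":  # post-release snapshot marker
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        m1, m2 = re.match(pat, a[i:]), re.match(pat, b[j:])
        s1 = m1.group(0) if m1 else ""
        s2 = m2.group(0) if m2 else ""
        if not s1:
            return -1
        if not s2:  # digit vs alpha segment: the numeric one is newer
            return 1 if isnum else -1
        if isnum:
            s1, s2 = s1.lstrip("0"), s2.lstrip("0")
            if len(s1) != len(s2):
                return 1 if len(s1) > len(s2) else -1
        if s1 != s2:
            return 1 if s1 > s2 else -1
        i, j = i + len(m1.group(0)), j + len(m2.group(0))
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str) -> tuple:
    """Split 'epoch:version-release' as rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}'
    prints it: a missing or '(none)' epoch means 0, the release may be absent."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
        if epoch in ("", "(none)"):
            epoch = "0"
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Order two EVR strings like rpm: epoch, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


# evr_string operations found on Red Hat OVAL rpminfo_state <evr> elements
_OPS = {"less than": lambda r: r < 0, "less than or equal": lambda r: r <= 0,
        "greater than": lambda r: r > 0, "greater than or equal": lambda r: r >= 0,
        "equal": lambda r: r == 0, "not equal": lambda r: r != 0}


def evr_state_matches(installed_evr: str, state_evr: str, operation: str) -> bool:
    """Evaluate an rpminfo_state evr test. Red Hat patch definitions use
    operation="less than" on the fixed EVR, so a match means still affected."""
    return _OPS[operation](evrcmp(installed_evr, state_evr))


def is_fixed(installed_evr: str, fixed_evr: str) -> bool:
    """True when the installed build already carries the advisory's fix."""
    return not evr_state_matches(installed_evr, fixed_evr, "less than")


if __name__ == "__main__":
    # Constructed values, not a real advisory: the fix for an issue that
    # upstream shipped in 1.0.2l was backported into the build 1.0.2k-16.el7_9.
    installed, fixed = "1:1.0.2k-16.el7_9", "1:1.0.2k-16.el7_9"
    print("upstream version compare says vulnerable:", rpmvercmp("1.0.2k", "1.0.2l") < 0)
    print("EVR compare against the OVAL fixed EVR says fixed:", is_fixed(installed, fixed))
```

Run as a script, the block prints the two verdicts side by side: a comparison of bare upstream versions reports the package as vulnerable, the EVR comparison against the OVAL fixed version reports it as fixed. Two details matter in practice: the epoch must be carried through (rpm prints (none) for an unset epoch, which parse_evr normalises to 0, while Red Hat OVAL evr strings always spell the epoch out, so "1.0-1" versus "0:1.0-1" must compare equal), and the release field is part of the comparison, since that is where a backported fix shows up.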