feat(STONEINTG-660): rename CLAIR_SCAN_RESULT>SCAN_OUTPUT
Signed-off-by: Jiri Sztuka <jsztuka@redhat.com>
Co-authored-by: Jiri Sztuka <jsztuka@redhat.com>

# Conflicts:
#	acceptance/samples/policy-input-golden-container.json
jsztuka authored and zregvart committed Sep 20, 2024
1 parent b0a2f04 commit 408f4cf
Showing 2 changed files with 10 additions and 10 deletions.
10 changes: 5 additions & 5 deletions antora/docs/modules/ROOT/pages/release_policy.adoc
Expand Up @@ -450,7 +450,7 @@ This package is responsible for verifying a CVE scan was performed during the bu

The SLSA Provenance attestation for the image is inspected to ensure CVEs that have a known fix and meet a certain security level have not been detected. If detected, this policy rule will fail. By default, only CVEs of critical and high security level cause a failure. This is configurable by the rule data key `restrict_cve_security_levels`. The available levels are critical, high, medium, low, and unknown.

*Solution*: Make sure to address any CVE's related to the image. The CVEs are detected by the task that runs a Clair scan and emits a result named `CLAIR_SCAN_RESULT`.
*Solution*: Make sure to address any CVE's related to the image. The CVEs are detected by the task that runs a Clair scan and emits a result named `SCAN_OUTPUT`.

* Rule type: [rule-type-indicator failure]#FAILURE#
* FAILURE message: `Found %d CVE vulnerabilities of %s security level`
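Review bot: the rewritten `*Solution*` line still carries the pre-existing `CVE's` (possessive) where the plural `CVEs` is meant, as the second sentence of the same line already spells it; since the line is being touched anyway, change it to `Make sure to address any CVEs related to the image.` The same spelling appears in the warning-rule solution further down this file and in the matching `# solution:` annotations in policy/release/cve.rego, so fix it in all copies or in none to keep them consistent.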
Expand All @@ -462,7 +462,7 @@ The SLSA Provenance attestation for the image is inspected to ensure CVEs that h

The SLSA Provenance attestation for the image is inspected to ensure CVEs that do NOT have a known fix and meet a certain security level have not been detected. If detected, this policy rule will fail. By default, the list of security levels used by this policy is empty. This is configurable by the rule data key `restrict_unpatched_cve_security_levels`. The available levels are critical, high, medium, low, and unknown.

*Solution*: CVEs without a known fix can only be remediated by either removing the impacted dependency, or by waiting for a fix to be available. The CVEs are detected by the task that emits a result named `CLAIR_SCAN_RESULT`.
*Solution*: CVEs without a known fix can only be remediated by either removing the impacted dependency, or by waiting for a fix to be available. The CVEs are detected by the task that emits a result named `SCAN_OUTPUT`.

* Rule type: [rule-type-indicator failure]#FAILURE#
* FAILURE message: `Found %d unpatched CVE vulnerabilities of %s security level`
Expand All @@ -474,7 +474,7 @@ The SLSA Provenance attestation for the image is inspected to ensure CVEs that d

Confirm that clair-scan task results are present in the SLSA Provenance attestation of the build pipeline.

*Solution*: Make sure there is a successful task in the build pipeline that runs a Clair scan and creates a task result called `CLAIR_SCAN_RESULT`.
*Solution*: Make sure there is a successful task in the build pipeline that runs a Clair scan and creates a task result called `SCAN_OUTPUT`.

* Rule type: [rule-type-indicator failure]#FAILURE#
* FAILURE message: `Clair CVE scan results were not found`
Expand All @@ -498,7 +498,7 @@ The `CLAIR_SCAN_RESULT` result name has been deprecated, and has been replaced w

The SLSA Provenance attestation for the image is inspected to ensure CVEs that have a known fix and meet a certain security level have not been detected. If detected, this policy rule will raise a warning. By default, the list of CVE security levels used by this policy is empty. However, this is configurable by the rule data key `warn_cve_security_levels`. The available levels are critical, high, medium, low, and unknown.

*Solution*: Make sure to address any CVE's related to the image. The CVEs are detected by the task that runs a Clair scan and emits a result named `CLAIR_SCAN_RESULT`.
*Solution*: Make sure to address any CVE's related to the image. The CVEs are detected by the task that runs a Clair scan and emits a result named `SCAN_OUTPUT`.

* Rule type: [rule-type-indicator warning]#WARNING#
* WARNING message: `Found %d non-blocking CVE vulnerabilities of %s security level`
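Review bot: the context line in this hunk's header says `CLAIR_SCAN_RESULT` has been deprecated and replaced, yet after this change the rule's solution text mentions only `SCAN_OUTPUT`, so a user whose pipeline still emits the old result name gets no hint why the rule fires; consider a short pointer in the solution text to that deprecation note so the old name is discoverable from the rule's own guidance.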
Expand All @@ -510,7 +510,7 @@ The SLSA Provenance attestation for the image is inspected to ensure CVEs that h

The SLSA Provenance attestation for the image is inspected to ensure CVEs that do NOT have a known fix and meet a certain security level have not been detected. If detected, this policy rule will raise a warning. By default, only CVEs of critical and high security level cause a warning. This is configurable by the rule data key `warn_unpatched_cve_security_levels`. The available levels are critical, high, medium, low, and unknown.

*Solution*: CVEs without a known fix can only be remediated by either removing the impacted dependency, or by waiting for a fix to be available. The CVEs are detected by the task that emits a result named `CLAIR_SCAN_RESULT`.
*Solution*: CVEs without a known fix can only be remediated by either removing the impacted dependency, or by waiting for a fix to be available. The CVEs are detected by the task that emits a result named `SCAN_OUTPUT`.

* Rule type: [rule-type-indicator warning]#WARNING#
* WARNING message: `Found %d non-blocking unpatched CVE vulnerabilities of %s security level`
10 changes: 5 additions & 5 deletions policy/release/cve.rego
Expand Up @@ -25,7 +25,7 @@ import data.lib
# failure_msg: Found %d non-blocking CVE vulnerabilities of %s security level
# solution: >-
# Make sure to address any CVE's related to the image. The CVEs are detected
# by the task that runs a Clair scan and emits a result named `CLAIR_SCAN_RESULT`.
# by the task that runs a Clair scan and emits a result named `SCAN_OUTPUT`.
# collections:
# - minimal
# - redhat
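Review bot: the `# solution:` annotation in this hunk is word for word the `*Solution*` paragraph changed in antora/docs/modules/ROOT/pages/release_policy.adoc in this same commit, which suggests the adoc is generated from these rego annotations; if that is the case, confirm the adoc was regenerated by the tooling rather than edited by hand, so the two copies cannot drift (the line `# Make sure to address any CVE's related to the image.` is where such drift would first show).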
Expand All @@ -51,7 +51,7 @@ warn contains result if {
# solution: >-
# CVEs without a known fix can only be remediated by either removing the impacted dependency, or
# by waiting for a fix to be available. The CVEs are detected by the task that emits a result
# named `CLAIR_SCAN_RESULT`.
# named `SCAN_OUTPUT`.
# collections:
# - minimal
# - redhat
Expand Down Expand Up @@ -98,7 +98,7 @@ warn contains result if {
# failure_msg: Found %d CVE vulnerabilities of %s security level
# solution: >-
# Make sure to address any CVE's related to the image. The CVEs are detected
# by the task that runs a Clair scan and emits a result named `CLAIR_SCAN_RESULT`.
# by the task that runs a Clair scan and emits a result named `SCAN_OUTPUT`.
# collections:
# - minimal
# - redhat
Expand All @@ -124,7 +124,7 @@ deny contains result if {
# solution: >-
# CVEs without a known fix can only be remediated by either removing the impacted dependency, or
# by waiting for a fix to be available. The CVEs are detected by the task that emits a result
# named `CLAIR_SCAN_RESULT`.
# named `SCAN_OUTPUT`.
# collections:
# - minimal
# - redhat
Expand All @@ -146,7 +146,7 @@ deny contains result if {
# failure_msg: Clair CVE scan results were not found
# solution: >-
# Make sure there is a successful task in the build pipeline that runs a
# Clair scan and creates a task result called `CLAIR_SCAN_RESULT`.
# Clair scan and creates a task result called `SCAN_OUTPUT`.
# collections:
# - minimal
# - redhat
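Review bot: every hunk in this file touches only annotation comments; the rule bodies under `warn contains result if {` and `deny contains result if {` that actually look the task result up by name are outside the diff, so confirm the lookup was already switched to `SCAN_OUTPUT` in an earlier commit. Likewise the commit message lists acceptance/samples/policy-input-golden-container.json under `# Conflicts:` but that file is not in this diff, so check that the sample input also carries the new result name, or the acceptance run for the `Clair CVE scan results were not found` rule will not exercise the renamed path.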
