... | ... | @@ -60,20 +60,24 @@ There needs to be a process/tool that the security team can |
### Big Bang Packages + Iron Bank ABCs
* With the shift to IronBank ABCs, only Big Bang core packages will come with Ironbank reviewed Justifications
* With the shift to IronBank ABCs, some IronBank images will not come with justifications for the vulnerabilities that were idtentified. The images that don't have justifications will be marked as `non-compliant` but still available on IronBank. The justifications provided to BigBang images will not only be necessary, but also reviewed by IronBank security personell, which may provide additional insight/context on the justifications for the end user ISO to use in their determination.
* By providing a standard VEX file to the BigBang package, we could provide a mechanism for Third Party Big Bang package owners to provide justifications for the vulnerabilities in their images that could be used by platform teams as a baseline for jumpstarting their acceptance in systems consuming them.
* IronBank could provide, as an attestation on the image, the justifications in a standardized format for transfer into third party systems via Zarf.
* Its important to tie the VEX justifications to specific SBOMs since justifications are specific to how certain components use dependencies.
### Relationship to other Items
* Pipelines as Product - when we can ship pre-built pipelines that work out of the box, a stage that uploads this would be ideal.
* Pipelines as Product - when we can ship pre-built pipelines that work out of the box, a stage that generates these for new containers and uploads these for IronBank/external images would need to be part of the product.
* CLI tools - Given a product we choose for the System Vulnerability Review, a CLI tool to properly consume scan results from Anchore/Twistlock/Etc and upload to the chosen tool, and then attach the VEX to the associated vulnerability for each tool would be important for workflows.
### Toosl that may work
- Open Source the VAT.
- https://dependencytrack.org/
- Looks to not be a way to ingest a VEX file onto a component, but its open source and could be contributed to.
- https://nucleussec.com/
- https://www.defectdojo.org/
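Review bot: the Dependency-Track caveat `- Looks to not be a way to ingest a VEX file onto a component, but its open source and could be contributed to.` sits at the same list level as the tool links under "Tools that may work", so it reads as a fourth tool rather than a note on https://dependencytrack.org/; indent it one level under that entry. Two documentation points in the same hunk: the "Big Bang Packages + Iron Bank ABCs" bullets say justifications flow downstream as an attestation on the image via Zarf and that images without justifications are marked `non-compliant`, but nothing states that the attestation is signed by Iron Bank and verified by the consuming platform, which is what lets an end-user ISO trust that a justification was actually reviewed and not edited in transit; and the bullet "Its important to tie the VEX justifications to specific SBOMs" should say what the binding is (for example, the VEX statement naming the image digest and the SBOM component identifiers it covers) so a justification cannot be reapplied to a later build that pulls in a different version of the dependency. Minor spelling in the same lines: "Toosl" -> "Tools", "idtentified" -> "identified", "personell" -> "personnel".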