UNCLASSIFIED - NO CUI

vat work authored by runyontr
...@@ -60,20 +60,24 @@ There needs to be a process/tool that the security team can ...@@ -60,20 +60,24 @@ There needs to be a process/tool that the security team can
### Big Bang Packages + Iron Bank ABCs ### Big Bang Packages + Iron Bank ABCs
* With the shift to IronBank ABCs, only Big Bang core packages will come with Ironbank reviewed Justifications * With the shift to IronBank ABCs, some IronBank images will not come with justifications for the vulnerabilities that were idtentified. The images that don't have justifications will be marked as `non-compliant` but still available on IronBank. The justifications provided to BigBang images will not only be necessary, but also reviewed by IronBank security personell, which may provide additional insight/context on the justifications for the end user ISO to use in their determination.
* By providing a standard VEX file to the BigBang package, we could provide a mechanism for Third Party Big Bang package owners to provide justifications for the vulnerabilities in their images that could be used by platform teams as a baseline for jumpstarting their acceptance in systems consuming them. * IronBank could provide, as an attestation on the image, the justifications in a standardized format for transfer into third party systems via Zarf.
* Its important to tie the VEX justifications to specific SBOMs since justifications are specific to how certain components use dependencies.
### Relationship to other Items ### Relationship to other Items
* Pipelines as Product - when we can ship pre-built pipelines that work out of the box, a stage that uploads this would be ideal. * Pipelines as Product - when we can ship pre-built pipelines that work out of the box, a stage that generates these for new containers and uploads these for IronBank/external images would need to be part of the product.
* CLI tools - Given a product we choose for the System Vulnerability Review, a CLI tool to properly consume scan results from Anchore/Twistlock/Etc and upload to the chosen tool, and then attach the VEX to the associated vulnerability for each tool would be important for workflows. * CLI tools - Given a product we choose for the System Vulnerability Review, a CLI tool to properly consume scan results from Anchore/Twistlock/Etc and upload to the chosen tool, and then attach the VEX to the associated vulnerability for each tool would be important for workflows.
### Toosl that may work ### Toosl that may work
- Open Source the VAT.
- https://dependencytrack.org/ - https://dependencytrack.org/
- Looks to not be a way to ingest a VEX file onto a component, but its open source and could be contributed to.
- https://nucleussec.com/ - https://nucleussec.com/
- https://www.defectdojo.org/ - https://www.defectdojo.org/
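Review bot: the new bullet "Its important to tie the VEX justifications to specific SBOMs" should say how that tie is expressed, since a VEX statement is only usable downstream if it names the exact SBOM (and the component identifier within it) it applies to; consider rewording to something like "Each VEX justification must reference the specific SBOM (and component entry) it was written against, since a justification only holds for the way that component is used in that image." In the same hunk, the rewritten first bullet contains "idtentified" (identified) and "personell" (personnel), and the clause "will not only be necessary, but also reviewed by IronBank security personell" is ambiguous about what "necessary" means; "Its important" should read "It's important". In the "Pipelines as Product" bullet, "generates these for new containers and uploads these for IronBank/external images" leaves "these" ambiguous between VEX files and justifications, so name the artifact explicitly. The unchanged heading "### Toosl that may work" carries a typo (Tools) that this commit could fix while touching the section. Finally, the Dependency-Track sub-bullet asserts there is no way to ingest a VEX file onto a component; that claim should be checked against the current Dependency-Track release before committing to "could be contributed to" as the plan, and the relevant issue or docs link recorded here so the assessment can be re-verified.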