Update Check CVE Stage to Match Finding Status in VAT
Currently the Check CVE Stage only compares the CVE numbers of approved findings in VAT against the CVE numbers produced by the Scanning stage jobs in the pipeline. It should be updated to compare not only the CVE number, but also the scan source and the package version. If Anchore finds, for example, CVE-2019-25013 and that finding gets approved, and a few days later Twistlock finds the same CVE, our current code would whitelist both the Anchore and the Twistlock findings and allow the pipeline to continue, while VAT would hold one approved finding (Anchore) and one unapproved finding (Twistlock) for the same CVE.
An example is https://repo1.dso.mil/dsop/redhat/ubi/ubi8-minimal/-/jobs/1394253
Tasks:
- Output justifications in JSON format in the Check CVE stage
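To make the matching rule concrete, here is an added example (not the pipeline's or VAT's own code) that runs the same pipeline findings through both the current CVE-only match and the proposed (CVE, scan source, package version) match, and emits the justifications as JSON. The `Finding` fields, the scanner names, the glibc package version strings and the justification text are constructed for this example and are not taken from VAT; the sample data recreates the Anchore/Twistlock case described above and adds a third finding with a bumped package version to show that an approval does not carry over to a different version.

```python
"""Check CVE stage matching: CVE-only (current) vs CVE + source + version (proposed).

Example code, not the pipeline's own implementation. The Finding fields and
the sample data below are assumptions constructed for this illustration.
"""
import json
from dataclasses import dataclass
from typing import Callable, Hashable, Iterable


@dataclass(frozen=True)
class Finding:
    """One CVE finding, either reported by a Scanning stage job or stored in VAT.

    source is the scanner that reported it (anchore, twistlock, ...). These
    field names are assumptions for the example, not the VAT schema.
    """
    cve: str
    source: str
    package: str
    version: str
    approved: bool = False
    justification: str = ""


def key_cve_only(f: Finding) -> Hashable:
    """Current behaviour: any approved VAT finding with the same CVE id matches."""
    return f.cve.upper()


def key_cve_source_version(f: Finding) -> Hashable:
    """Proposed behaviour: the scan source and package version must match as well."""
    return (f.cve.upper(), f.source.lower(), f.package, f.version)


def check_cves(pipeline_findings: Iterable[Finding],
               vat_findings: Iterable[Finding],
               key: Callable[[Finding], Hashable] = key_cve_source_version) -> dict:
    """Split pipeline findings into whitelisted (approved in VAT) and unapproved.

    Only VAT findings marked approved are indexed, so an unapproved Twistlock
    entry in VAT never satisfies a pipeline finding, whatever key is used.
    """
    approved = {key(v): v for v in vat_findings if v.approved}
    whitelisted, unapproved = [], []
    for f in pipeline_findings:
        entry = {"cve": f.cve, "source": f.source,
                 "package": f.package, "version": f.version}
        match = approved.get(key(f))
        if match is None:
            unapproved.append(entry)
        else:
            # Carry the VAT justification through so the stage can report it.
            whitelisted.append({**entry, "justification": match.justification})
    return {"whitelisted": whitelisted,
            "unapproved": unapproved,
            "pipeline_may_continue": not unapproved}


def justifications_json(result: dict) -> str:
    """Serialise the stage result as the JSON the task above asks for."""
    return json.dumps(result, indent=2, sort_keys=True)


# Constructed sample data: one approved Anchore finding and one unapproved
# Twistlock finding for the same CVE in VAT, as in the scenario above.
VAT_FINDINGS = [
    Finding("CVE-2019-25013", "anchore", "glibc", "2.28-127.el8", approved=True,
            justification="Constructed example justification text."),
    Finding("CVE-2019-25013", "twistlock", "glibc", "2.28-127.el8", approved=False),
]

# Constructed pipeline output: both scanners report the CVE, plus one Anchore
# finding against a newer package version that has never been reviewed.
PIPELINE_FINDINGS = [
    Finding("CVE-2019-25013", "anchore", "glibc", "2.28-127.el8"),
    Finding("CVE-2019-25013", "twistlock", "glibc", "2.28-127.el8"),
    Finding("CVE-2019-25013", "anchore", "glibc", "2.28-151.el8"),
]


if __name__ == "__main__":
    print("current (CVE-only):")
    print(justifications_json(check_cves(PIPELINE_FINDINGS, VAT_FINDINGS, key=key_cve_only)))
    print("proposed (CVE + source + version):")
    print(justifications_json(check_cves(PIPELINE_FINDINGS, VAT_FINDINGS)))
```

With the CVE-only key all three pipeline findings are whitelisted and the pipeline continues; with the full key only the Anchore finding on the approved package version is whitelisted, the Twistlock finding and the newer-version Anchore finding are reported as unapproved, and `pipeline_may_continue` is false, which is the behaviour VAT's own approval state implies.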
Edited by gavin.scallon