CVSS v3 Adoption for OS

Addressed Patch 5 comments Addressed Patch 4 comments Fixed typo Added a note to indicate CentOS is not being scanned as the master branch has Debian which is being scanned Updated Index Added Abbreviations Added Includes File / Index Fixed merge conflicts Change-Id: I17a3c3d6e5b545e24f1530dbb3fdec8adc30b26a Signed-off-by: Juanita Balaraj <juanita.balaraj@windriver.com>
2022-11-01 23:46:02 -04:00
parent cf755b146c
commit d66fc5b4da
4 changed files with 111 additions and 0 deletions
--- a/doc/source/_includes/cve-maintenance-0eaf7f8697bc.rest
+++ b/doc/source/_includes/cve-maintenance-0eaf7f8697bc.rest
@@ -0,0 +1,15 @@
+
+.. begin-CVE
+.. end-CVE
+
+.. CentOS-begin
+.. CentOS-end
+
+.. CVE-visibility-begin
+.. CVE-visibility-end
+
+.. Debian-begin
+.. Debian-end
+
+.. CVE-visibility-1-begin
+.. CVE-visibility-1-end
--- a/doc/source/security/kubernetes/cve-maintenance-723cd9dd54b3.rst
+++ b/doc/source/security/kubernetes/cve-maintenance-723cd9dd54b3.rst
@@ -0,0 +1,84 @@
+.. _cve-maintenance-723cd9dd54b3:
+
+===============
+CVE Maintenance
+===============
+
+On a monthly basis, the master development branch of |prod| is scanned for
+|CVE|'s and the reports that are generated are reviewed by the Security team.
+
+.. only:: partner
+
+   .. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
+      :start-after: begin-CVE
+      :end-before: end-CVE
+
+.. only:: starlingx
+
+   For |CVE|'s which meet StarlingX's ``CVE Fix Criteria Policy`` as documented
+   below, fixes are provided for the |CVE| in the StarlingX master branch.
+
+For Debian-based versions of |prod| |deb-release-ver|:
+
+.. only:: partner
+
+   .. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
+      :start-after: Debian-begin
+      :end-before: Debian-end
+
+-  The third party tool ``Vulscan`` is used to scan for |CVE|'s to provide an
+   unbiased view of vulnerabilities
+
+-  |CVSS| v3 base scores and base metrics are used in the |CVE| fix criteria
+
+-  The |CVE| ``Fix Criteria Policy`` is:
+
+   -  Main Fix Criteria
+
+      -  |CVSS| v3 Base score >= 7.0
+      -  Base Metrics has the following:
+
+         -  Attack Vector: Network
+         -  Attack Complexity: Low
+         -  Privileges Required: None or Low
+         -  Availability Impact: High or Low
+         -  User Interaction: None
+      -  A correction is available upstream
+
+   -  OR, visibility is HIGH and a correction is available upstream
+
+.. only:: partner
+
+   .. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
+      :start-after: CVE-visibility-1-begin
+      :end-before: CVE-visibility-1-end
+
+For older CentOS-based versions of |prod|:
+
+.. only:: partner
+
+   .. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
+      :start-after: CentOS-begin
+      :end-before: CentOS-end
+
+-  |CVSS| v2 base scores and base vectors are used in the |CVE| fix criteria
+-  The |CVE| ``Fix Criteria Policy`` is:
+
+   -  Main Fix Criteria
+
+      -  |CVSS| v2 Base score >= 7.0
+      -  Base Vector has the following:
+
+         -  Access Vector: Network
+         -  Access Complexity: Low
+         -  Authentication: None or Single
+         -  Availability Impact: Partial/Complete
+      -  A correction is available upstream
+
+   -  OR, visibility is HIGH and a correction is available upstream
+
+.. only:: partner
+
+   .. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
+      :start-after: CVE-visibility-begin
+      :end-before: CVE-visibility-end
--- a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst
+++ b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst
@@ -217,6 +217,16 @@ Authentication of Software Delivery

   authentication-of-software-delivery

+***************
+CVE Maintenance
+***************
+
+.. toctree::
+   :maxdepth: 1
+
+   cve-maintenance-723cd9dd54b3
+
+
 *******************************************************
 Security Feature Configuration for Spectre and Meltdown
 *******************************************************
--- a/doc/source/shared/abbrevs.txt
+++ b/doc/source/shared/abbrevs.txt
@@ -35,6 +35,7 @@
 .. |CSK| replace:: :abbr:`CSK (Code Signing Key)`
 .. |CSKs| replace:: :abbr:`CSKs (Code Signing Keys)`
 .. |CVE| replace:: :abbr:`CVE (Common Vulnerabilities and Exposures)`
+.. |CVSS| replace:: :abbr:`CVSS (Common Vulnerability Scoring System)`
 .. |DAD| replace:: :abbr:`DAD (Duplicate Address Detection)`
 .. |DC| replace:: :abbr:`DC (Distributed Cloud)`
 .. |DOR| replace:: :abbr:`DOR (Dead Office Recovery)`
@@ -187,3 +188,4 @@
 .. |WAD| replace:: :abbr:`WAD (Windows Active Directory)`
 .. |XML| replace:: :abbr:`XML (eXtensible Markup Language)`
 .. |YAML| replace:: :abbr:`YAML (YAML Ain't Markup Language)`
+