.. _cve-maintenance-723cd9dd54b3:

===============
CVE Maintenance
===============

.. only:: partner

   .. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
      :start-after: begin-CVE
      :end-before: end-CVE

.. only:: starlingx

   On a monthly basis, the master development branch of StarlingX is scanned
   for CVEs using the third-party tool ``Vulscan`` to provide an unbiased view
   of vulnerabilities. The generated reports are reviewed by the Security team.
   For |CVE|'s which meet StarlingX's CVE Fix Criteria Policy as documented
   below, fixes are provided in the StarlingX master branch.

   .. note::

      No scans are executed and no |CVE| fixes are implemented on the released
      versions / branches of StarlingX.

   For the current Debian-based versions of StarlingX:

   - |CVSS| v3.x base scores and base metrics are used in the |CVE| fix
     criteria
   - The |CVE| ``Fix Criteria Policy`` is:

     - Main Fix Criteria

       - |CVSS| v3.x Base score >= 7.0
       - Base Metrics has the following:

         - Attack Vector: Network
         - Attack Complexity: Low
         - Privileges Required: None or Low
         - Availability Impact: High or Low
         - User Interaction: None

       - A correction is available upstream

     - OR, visibility is HIGH and a correction is available upstream

   In the past, for older CentOS-based versions of StarlingX:

   - |CVSS| v2 base scores and base vectors were used in the |CVE| fix
     criteria
   - The |CVE| ``Fix Criteria Policy`` was:

     - Main Fix Criteria

       - |CVSS| v2 Base score >= 7.0
       - Base Vector has the following:

         - Access Vector: Network
         - Access Complexity: Low
         - Authentication: None or Single
         - Availability Impact: Partial/Complete

       - A correction was available upstream

     - OR, visibility was HIGH and a correction was available upstream
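The Debian-era v3.x fix criteria above, applied to a scanner finding as an added example (not StarlingX project or Vulscan code): the function parses a standard CVSS v3.x base vector string, assumes the report supplies the base score and an upstream-fix flag, and treats any visibility value other than ``HIGH`` as the normal case. The sample findings and their ids are constructed placeholders.

```python
# Added example, not StarlingX project code: apply the Debian-era StarlingX
# CVE fix criteria to a CVSS v3.x base score and base vector string.
# Accepted base-metric values taken from the policy above (metric -> values).
REQUIRED_METRICS = {
    "AV": {"N"},       # Attack Vector: Network
    "AC": {"L"},       # Attack Complexity: Low
    "PR": {"N", "L"},  # Privileges Required: None or Low
    "UI": {"N"},       # User Interaction: None
    "A": {"H", "L"},   # Availability Impact: High or Low (excludes None)
}
MIN_BASE_SCORE = 7.0

def parse_cvss3_vector(vector):
    """Turn 'CVSS:3.x/AV:N/AC:L/...' into a metric -> value dict."""
    parts = vector.strip().split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3.x vector: {vector!r}")
    metrics = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed metric {part!r}")
        metrics[key] = value
    missing = sorted(set(REQUIRED_METRICS) - set(metrics))
    if missing:
        raise ValueError(f"vector lacks base metrics {missing}")
    return metrics

def meets_fix_criteria(base_score, vector, upstream_fix, visibility="LOW"):
    """Return (fix_required, reason) under the v3.x policy."""
    metrics = parse_cvss3_vector(vector)  # reject bad input up front
    if not upstream_fix:
        return False, "no correction available upstream"
    if visibility.upper() == "HIGH":
        return True, "HIGH visibility and an upstream correction exists"
    if base_score < MIN_BASE_SCORE:
        return False, f"base score {base_score} below {MIN_BASE_SCORE}"
    for key, accepted in REQUIRED_METRICS.items():
        if metrics[key] not in accepted:
            return False, f"{key}:{metrics[key]} not in {sorted(accepted)}"
    return True, "main fix criteria met"

if __name__ == "__main__":
    # Constructed sample findings (placeholder ids, not real CVEs).
    for cve, score, vec, fix, vis in [
        ("EXAMPLE-1", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", True, "LOW"),
        ("EXAMPLE-2", 7.5, "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", True, "LOW"),
        ("EXAMPLE-3", 5.3, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", True, "HIGH"),
    ]:
        print(cve, *meets_fix_criteria(score, vec, fix, vis))
```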