
CVE Maintenance

On a monthly basis, the master development branch of StarlingX is scanned for CVEs using the third-party tool Vulscan to provide an unbiased view of vulnerabilities. The generated reports are reviewed by the Security team. For CVEs which meet StarlingX's CVE Fix Criteria Policy as documented below, fixes are provided in the StarlingX master branch.

Note

No scans are executed and no fixes are implemented on the released versions / branches of StarlingX; only the master branch is scanned and fixed.

For the current Debian-based versions of StarlingX:

  • CVSS v3.x base scores and base metrics are used in the fix criteria
  • The Fix Criteria Policy is:
    • Main Fix Criteria
      • v3.x Base score >= 7.0
      • Base Metrics has the following:
        • Attack Vector: Network
        • Attack Complexity: Low
        • Privileges Required: None or Low
        • Availability Impact: High or Low
        • User Interaction: None
      • A correction is available upstream
    • OR, visibility is HIGH and a correction is available upstream

In the past, for older CentOS-based versions of StarlingX:

  • CVSS v2 base scores and base vectors were used in the fix criteria
  • The Fix Criteria Policy was:
    • Main Fix Criteria
      • v2 Base score >= 7.0
      • Base Vector has the following:
        • Access Vector: Network
        • Access Complexity: Low
        • Authentication: None or Single
        • Availability Impact: Partial/Complete
      • A correction was available upstream
    • OR, visibility was HIGH and a correction was available upstream
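The two fix criteria policies above (the current CVSS v3.x criteria and the older CVSS v2 criteria) can be applied mechanically to a scan report. The script below is an added example, not StarlingX's own tooling: it parses a CVSS v2 or v3.x base vector string, applies the matching policy to one finding, and triages a list of findings. The finding record layout, the sample findings and the `visibility` / `upstream_fix` fields are constructed assumptions for illustration; StarlingX's actual report format is not shown on this page.

```python
"""Apply the StarlingX CVE Fix Criteria Policy to scan findings.

Added example, not StarlingX's own tooling. The finding record layout,
the sample findings and the 'visibility' / 'upstream_fix' fields are
constructed assumptions used to illustrate the criteria.
"""

SCORE_THRESHOLD = 7.0  # the same threshold applies to the v3.x and v2 criteria

# Debian-based releases: CVSS v3.x base metrics that must all hold.
V3_REQUIRED = {
    "AV": {"N"},       # Attack Vector: Network
    "AC": {"L"},       # Attack Complexity: Low
    "PR": {"N", "L"},  # Privileges Required: None or Low
    "UI": {"N"},       # User Interaction: None
    "A": {"H", "L"},   # Availability Impact: High or Low
}

# Older CentOS-based releases: CVSS v2 base vector metrics that must all hold.
V2_REQUIRED = {
    "AV": {"N"},       # Access Vector: Network
    "AC": {"L"},       # Access Complexity: Low
    "Au": {"N", "S"},  # Authentication: None or Single
    "A": {"P", "C"},   # Availability Impact: Partial or Complete
}


def parse_vector(vector):
    """Parse a CVSS v2 or v3.x vector string into (version, {metric: value}).

    v3.x vectors start with 'CVSS:3.0/' or 'CVSS:3.1/'; v2 vectors such as
    'AV:N/AC:L/Au:N/C:P/I:P/A:P' carry no prefix.
    """
    parts = vector.strip().split("/")
    version = 2
    if parts[0].startswith("CVSS:3."):
        version = 3
        parts = parts[1:]
    elif parts[0].startswith("CVSS:"):
        raise ValueError("unsupported CVSS version: " + parts[0])
    metrics = {}
    for part in parts:
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError("malformed metric %r in %r" % (part, vector))
        metrics[key] = value
    return version, metrics


def meets_fix_criteria(score, vector, upstream_fix, visibility="LOW"):
    """Return (decision, reason) for one finding under the policy.

    A fix is required when either
      * base score >= 7.0 AND every required base metric matches AND a
        correction is available upstream, or
      * visibility is HIGH AND a correction is available upstream.
    Without an upstream correction nothing is fixed in master.
    """
    if not upstream_fix:
        return False, "no correction available upstream"
    if visibility.upper() == "HIGH":
        return True, "visibility HIGH and correction available upstream"
    if score < SCORE_THRESHOLD:
        return False, "base score %.1f below %.1f" % (score, SCORE_THRESHOLD)
    version, metrics = parse_vector(vector)
    required = V3_REQUIRED if version == 3 else V2_REQUIRED
    for metric, allowed in required.items():
        value = metrics.get(metric)
        if value not in allowed:
            return False, "metric %s=%s not in %s" % (metric, value, sorted(allowed))
    return True, "main fix criteria met (CVSS v%d)" % version


def triage(findings):
    """Return the ids of the findings that must be fixed in master."""
    return [f["id"] for f in findings
            if meets_fix_criteria(f["score"], f["vector"], f["upstream_fix"],
                                  f.get("visibility", "LOW"))[0]]


# Constructed sample findings (placeholder ids, not real scan output).
SAMPLE_FINDINGS = [
    {"id": "sample-1", "score": 9.8, "upstream_fix": True,
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"id": "sample-2", "score": 7.5, "upstream_fix": True,   # A:N, no availability impact
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
    {"id": "sample-3", "score": 7.8, "upstream_fix": True,   # AV:L, local attack vector
     "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},
    {"id": "sample-4", "score": 5.3, "upstream_fix": True, "visibility": "HIGH",
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},
    {"id": "sample-5", "score": 9.8, "upstream_fix": False,  # no correction upstream yet
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"id": "sample-6", "score": 7.5, "upstream_fix": True,   # legacy CVSS v2 vector
     "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        decision, reason = meets_fix_criteria(
            f["score"], f["vector"], f["upstream_fix"], f.get("visibility", "LOW"))
        print("%s %-4s %s" % (f["id"], "FIX" if decision else "skip", reason))
```

Note that the upstream-correction check is evaluated first because it is common to both branches of the policy: a finding with a critical score but no correction available upstream is not fixed in master, while a HIGH-visibility finding with an upstream correction is fixed regardless of its score or metrics.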