modules/con-vuln-sources.adoc
Lines changed: 6 additions & 3 deletions
@@ -32,12 +32,15 @@ This product uses the NVD API but is not endorsed or certified by the NVD.
32
32
33
33
Scanner V4 uses the following vulnerability sources:
34
34
35
-
link:https://security.access.redhat.com/data/csaf/v2/vex/[Red{nbsp}Hat VEX]:: Used with release 4.6 and later. This source provides vulnerability data in link:https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#45-profile-5-vex[Vulnerability Exploitability eXchange(VEX)] format. {product-title-short} takes advantage of VEX benefits to significantly decrease the time needed for the initial loading of vulnerability data, and the space needed to store vulnerability data.
35
+
link:https://security.access.redhat.com/data/csaf/v2/vex/[Red{nbsp}Hat VEX]:: This source is used with release 4.6 and later. This source provides vulnerability data in link:https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#45-profile-5-vex[Vulnerability Exploitability eXchange(VEX)] format. {product-title-short} takes advantage of VEX benefits to significantly decrease the time needed for the initial loading of vulnerability data, and the space needed to store vulnerability data. VEX also provides improved accuracy over OVAL.
36
36
+
37
37
{product-title-short} might list a different number of vulnerabilities when you are scanning with a {product-title-short} version that uses OVAL, such as {product-title-short} version 4.5, and a version that uses VEX, such as version 4.6. For example, {product-title-short} no longer displays vulnerabilities with a status of "under investigation," while these vulnerabilities were included with previous versions that used OVAL data.
38
38
+
39
-
For more information about Red Hat security data, including information about the use of OVAL, Common Security Advisory Framework Version 2.0 (CSAF), and VEX, see link:https://www.redhat.com/en/blog/future-red-hat-security-data[The future of Red Hat security data].
40
-
https://access.redhat.com/security/data/metrics/cvemap.xml[Red{nbsp}Hat CVE Map]:: This is used in addition with VEX data for images which appear in the link:https://catalog.redhat.com/software/containers/explore[Red{nbsp}Hat Container Catalog].
39
+
For containers from or built on top of containers from the Red{nbsp}Hat Ecosystem Catalog, {product-title-short} provides an option to show only vulnerabilities from Red{nbsp}Hat's VEX data. VEX data for Red{nbsp}Hat images is the most accurate because the Red{nbsp}Hat security team vets the vulnerabilities in those images and reports the results in VEX. Other vulnerability sources such as OSV can report vulnerabilities that Red{nbsp}Hat has determined are not applicable to the image. This can cause false positives in vulnerability results. Enabling the setting to use only VEX data for Red{nbsp}Hat images minimizes these false positives.
40
+
+
41
+
The option to use VEX data for Red{nbsp}Hat containers is disabled by default. To enable this option, in Scanner V4 Matcher, set the environment variable `ROX_SCANNER_V4_RED_HAT_LAYERS_RED_HAT_VULNS_ONLY` to `true`. Be aware that in rare instances, using this option can cause valid vulnerabilities to not appear in scan results, or false negatives. For example, Red{nbsp}Hat does not track vulnerabilities for products that have reached end of life. Also be aware that Red{nbsp}Hat's VEX data is missing link:https://access.redhat.com/security/middleware_security_scanning_problem[accurate security data for many Middleware products].
42
+
+
43
+
For more information about Red{nbsp}Hat security data, including information about the use of OVAL, Common Security Advisory Framework Version 2.0 (CSAF), and VEX, see link:https://www.redhat.com/en/blog/future-red-hat-security-data[The future of Red{nbsp}Hat security data].
41
44
link:https://osv.dev/[OSV]:: This is used for language-related vulnerabilities, such as Go, Java, JavaScript, Python, and Ruby. This source might provide
42
45
vulnerability IDs other than CVE IDs for vulnerabilities, such as a GitHub Security Advisory (GHSA) ID.
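Review bot: The hunk drops the Red Hat CVE Map entry (`https://access.redhat.com/security/data/metrics/cvemap.xml`) without saying whether Scanner V4 stopped consulting it for Red Hat Container Catalog images; if it is still used alongside VEX, keep the entry, and if it is not, a short note would explain to readers of the 4.5 docs why the source disappeared. The replacement paragraph about the Red Hat Ecosystem Catalog also loses the `link:https://catalog.redhat.com/software/containers/explore[...]` link that the removed line carried; consider restoring it. Wording: the VEX entry now opens two consecutive sentences with "This source" (merge them into "This source is used with release 4.6 and later and provides vulnerability data in ..."), and "can cause valid vulnerabilities to not appear in scan results, or false negatives" reads better as "can omit valid vulnerabilities from scan results (false negatives)". The sentence "VEX also provides improved accuracy over OVAL" would be easier to accept if it pointed at the "under investigation" example in the following paragraph as the reason the counts differ.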
operating/manage-vulnerabilities/common-vuln-management-tasks.adoc
Lines changed: 2 additions & 0 deletions
@@ -9,6 +9,8 @@ toc::[]
9
9
[role="_abstract"]
10
10
The *Vulnerability Management* functions provide methods to view and manage vulnerabilities discovered by {product-title-short}. Common vulnerability management tasks involve identifying and prioritizing vulnerabilities, remedying them, and monitoring for new threats.
11
11
12
+
For information about the sources used for identifying vulnerabilities, see xref:../../architecture/acs-architecture.adoc#con-vuln-sources_acs-architecture[Vulnerability data sources].
13
+
12
14
//Keep older dashboard info until removed
13
15
14
16
Historically, {product-title-short} provided a view of vulnerabilities discovered in your system in the vulnerability management dashboard. The dashboard is deprecated in {product-title-short} 4.5 and will be removed in a future release.
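Review bot: The added xref targets the anchor `con-vuln-sources_acs-architecture`, which only resolves if `modules/con-vuln-sources.adoc` is included from `architecture/acs-architecture.adoc` with the `acs-architecture` context; please confirm the id exists in the built assembly before merging. Wording nit: "the sources used for identifying vulnerabilities" could match the link text and read "the vulnerability data sources".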