diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
index 0ebf0375a0ca..2d825291e49c 100644
--- a/_topic_maps/_topic_map.yml
+++ b/_topic_maps/_topic_map.yml
@@ -229,10 +229,14 @@ Topics:
 - Name: Managing vulnerabilities
 Dir: manage-vulnerabilities
 Topics:
- - Name: Vulnerability management
+ - Name: Vulnerability management overview
 File: vulnerability-management
- - Name: Common tasks
+ - Name: Viewing and addressing vulnerabilities
 File: common-vuln-management-tasks
+ - Name: Reporting vulnerabilities
+ File: vulnerability-reporting
+ - Name: Using the vulnerability management dashboard (deprecated)
+ File: vulnerability-management-dashboard
 - Name: Scanning RHCOS node hosts
 File: scan-rhcos-node-host
 - Name: Responding to violations
diff --git a/images/workload-cve-search.png b/images/workload-cve-search.png
new file mode 100644
index 000000000000..1a7b7b1b4aa8
Binary files /dev/null and b/images/workload-cve-search.png differ
diff --git a/modules/create-policies-to-block-specific-cves.adoc b/modules/create-policies-to-block-specific-cves.adoc
index 72ba8d019438..9fb02bbf70fb 100644
--- a/modules/create-policies-to-block-specific-cves.adoc
+++ b/modules/create-policies-to-block-specific-cves.adoc
@@ -1,9 +1,10 @@
 // Module included in the following assemblies:
 //
-// * operating/manage-vulnerabilities.adoc
+// * operating/manage-vulnerabilities/vulnerability-management-dashboard.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="create-policies-to-block-specific-cves_{context}"]
-= Creating policies to block specific CVEs
+= Creating policies to block specific CVEs by using the dashboard
 You can create new policies or add specific CVEs to an existing policy from the *Vulnerability Management* view.
diff --git a/modules/disable-identify-vulnerabilities-in-nodes.adoc b/modules/disable-identify-vulnerabilities-in-nodes.adoc
index b1ddfae83b98..a0be70ababfe 100644
--- a/modules/disable-identify-vulnerabilities-in-nodes.adoc
+++ b/modules/disable-identify-vulnerabilities-in-nodes.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
-// * operating/manage-vulnerabilities.adoc
+// * operating/manage-vulnerabilities/common-vuln-management-tasks.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="disable-identify-vulnerabilities-in-nodes_{context}"]
 = Disabling identifying vulnerabilities in nodes
@@ -12,5 +13,6 @@ Identifying vulnerabilities in nodes is enabled by default. You can disable it f
 . In the {product-title-short} portal, go to *Platform Configuration* -> *Integrations*.
 . Under *Image Integrations*, select *StackRox Scanner*.
 . From the list of scanners, select *StackRox Scanner* to view its details.
-. Remove the *Node Scanner* option from *Types*.
-. Select *Save*.
+. Click *Edit*.
+. To use only the image scanner and not the node scanner, click *Image Scanner*.
+. Click *Save*.
diff --git a/modules/find-clusters-with-most-kubernetes-and-istio-vulnerabilities.adoc b/modules/find-clusters-with-most-kubernetes-and-istio-vulnerabilities.adoc
index c4a11be3ef86..ccdfd8aa0e1e 100644
--- a/modules/find-clusters-with-most-kubernetes-and-istio-vulnerabilities.adoc
+++ b/modules/find-clusters-with-most-kubernetes-and-istio-vulnerabilities.adoc
@@ -1,19 +1,18 @@
 // Module included in the following assemblies:
 //
-// * operating/manage-vulnerabilities.adoc
+// * operating/manage-vulnerabilities/vulnerability-management-dashboard.adoc
 :_mod-docs-content-type: PROCEDURE
 [id="find-clusters-with-most-kubernetes-and-istio-vulnerabilities_{context}"]
-= Finding clusters with most Kubernetes and Istio vulnerabilities
+= Finding clusters with most Kubernetes and Istio vulnerabilities by using the dashboard
 [role="_abstract"]
-Use the *Vulnerability Management (1.0)* view for identifying the clusters with most Kubernetes, {osp}, and Istio vulnerabilities (deprecated) in your environment.
-
-The *Clusters with most orchestrator and Istio vulnerabilities* widget shows a list of clusters, ranked by the number of Kubernetes, {osp}, and Istio vulnerabilities (deprecated) in each cluster.
-The cluster on top of the list is the cluster with the highest number of vulnerabilities.
+You can identify the clusters with most Kubernetes, {osp}, and Istio vulnerabilities (deprecated) in your environment by using the vulnerability management dashboard.
 .Procedure
+. In the {product-title-short} portal, click *Vulnerability Management*-> *Dashboard*. The *Clusters with most orchestrator and Istio vulnerabilities* widget shows a list of clusters, ranked by the number of Kubernetes, {osp}, and Istio vulnerabilities (deprecated) in each cluster.
+The cluster on top of the list is the cluster with the highest number of vulnerabilities.
 . Click on one of the clusters from the list to view details about the cluster.
 The *Cluster* view includes:
 ** *Cluster Summary* section, which shows cluster details and metadata, top risky objects (deployments, namespaces, and images), recently detected vulnerabilities, riskiest images, and deployments with the most severe policy violations.
diff --git a/modules/find-critical-cves-impacting-your-infrastructure.adoc b/modules/find-critical-cves-impacting-your-infrastructure.adoc
deleted file mode 100644
index caa0eaf2f173..000000000000
--- a/modules/find-critical-cves-impacting-your-infrastructure.adoc
+++ /dev/null
@@ -1,15 +0,0 @@
-// Module included in the following assemblies:
-//
-// * operating/manage-vulnerabilities.adoc
-:_mod-docs-content-type: PROCEDURE
-[id="find-critical-cves-impacting-your-infrastructure_{context}"]
-= Finding critical CVEs impacting your infrastructure
-
-[role="_abstract"]
-Use the *Vulnerability Management* view for identifying CVEs that are impacting your platform the most.
-
-.Procedure
-
-. Go to the {product-title-short} portal and click *Vulnerability Management* from the navigation menu.
-. Select CVEs on the *Vulnerability Management* view header.
-. In the *CVEs* view, select the *Env Impact* column header to arrange the CVEs in descending order (highest first) based on the environment impact.
diff --git a/modules/find-the-most-vulnerable-image-components.adoc b/modules/find-the-most-vulnerable-image-components.adoc
index ab9ed102c49a..3f0e60db11fb 100644
--- a/modules/find-the-most-vulnerable-image-components.adoc
+++ b/modules/find-the-most-vulnerable-image-components.adoc
@@ -1,15 +1,16 @@
 // Module included in the following assemblies:
 //
-// * operating/manage-vulnerabilities.adoc
+// * operating/manage-vulnerabilities/vulnerability-management-dashboard.adoc
 :_mod-docs-content-type: PROCEDURE
+
 [id="find-the-most-vulnerable-image-components_{context}"]
-= Finding the most vulnerable image components
+= Finding the most vulnerable image components by using the dashboard
 [role="_abstract"]
 Use the *Vulnerability Management* view for identifying highly vulnerable image components.
 .Procedure
-. Go to the {product-title-short} portal and click *Vulnerability Management* from the navigation menu.
-. From the *Vulnerability Management* view header, select *Application & Infrastructure* -> *Components*.
-. In the *Components* view, select the *CVEs* column header to arrange the components in descending order (highest first) based on the CVEs count.
+. Go to the {product-title-short} portal and click *Vulnerability Management* -> *Dashboard* from the navigation menu.
+. From the *Vulnerability Management* view header, select *Application & Infrastructure* -> *Image Components*.
+. In the *Image Components* view, select the *Image CVEs* column header to arrange the components in descending order (highest first) based on the CVEs count.
diff --git a/modules/identify-container-image-layer-that-introduces-vulnerabilities.adoc b/modules/identify-container-image-layer-that-introduces-vulnerabilities.adoc
index 3ac85a426139..884d0139001a 100644
--- a/modules/identify-container-image-layer-that-introduces-vulnerabilities.adoc
+++ b/modules/identify-container-image-layer-that-introduces-vulnerabilities.adoc
@@ -1,19 +1,17 @@
 // Module included in the following assemblies:
 //
-// * operating/manage-vulnerabilities.adoc
-// * operating/examine-images-for-vulnerabilities.adoc
+// * operating/manage-vulnerabilities/vulnerability-management-dashboard.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="identify-container-image-layer-that-introduces-vulnerabilities_{context}"]
-= Identifying the container image layer that introduces vulnerabilities
+= Identifying the container image layer that introduces vulnerabilities by using the dashboard
 [role="_abstract"]
-Use the *Vulnerability Management* view to identify vulnerable components and the image layer they appear in.
+You can use the *Vulnerability Management* dashboard to identify vulnerable components and the image layer they appear in.
 .Procedure
-. Go to the {product-title-short} portal and click *Vulnerability Management* from the navigation menu.
-. Select an image from either the *Top Riskiest Images* widget or click the *Images* button at the top of the Dashboard and select an image.
+. Go to the {product-title-short} portal and click *Vulnerability Management* -> *Dashboard* from the navigation menu.
+. Select an image from either the *Top Riskiest Images* widget or click the *Images* button at the top of the dashboard and select an image.
 . In the *Image* details view, next to *Dockerfile*, select the expand icon to see a summary of image components.
 . Select the expand icon for specific components to get more details about the CVEs affecting the selected component.
-
-You can also view this information by navigating to *Vulnerability Management (2.0)* -> *Workload CVEs*. See "Viewing workload CVEs in Vulnerability Management (2.0)" in the "Additional Resources" section for more information.
diff --git a/modules/identify-deployments-with-most-severe-policy-violations.adoc b/modules/identify-deployments-with-most-severe-policy-violations.adoc
deleted file mode 100644
index fbd6c8f3b3b8..000000000000
--- a/modules/identify-deployments-with-most-severe-policy-violations.adoc
+++ /dev/null
@@ -1,16 +0,0 @@
-// Module included in the following assemblies:
-//
-// * operating/manage-vulnerabilities.adoc
-:_mod-docs-content-type: CONCEPT
-[id="identify-deployments-with-most-severe-policy-violations_{context}"]
-= Identifying deployments with most severe policy violations
-
-The *Deployments with most severe policy violations* widget on the *Vulnerability Management* view shows a list of deployments and severity of vulnerabilities affecting that deployment.
-
-* When you hover over a deployment in the list, you see an overview of the deployment, which includes the deployment name, the name of the cluster and the namespace in which the deployment exists, and the number of failing policies and their severity.
-* When you select a deployment, the *Deployment* view opens for the selected deployment.
-The *Deployment* view shows in-depth details of the deployment and includes information about policy violations, common vulnerabilities, CVEs, and riskiest images for that deployment.
-* Select *View All* on the *Most Common Vulnerabilities* widget header to view a list of all the CVEs in your infrastructure.
-You can also filter the list of CVEs.
-//TODO: Add link to local page filtering
-To export the CVEs as a CSV file, select *Export* -> *Download CVES as CSV*.
diff --git a/modules/identify-dockerfile-line-component-cve.adoc b/modules/identify-dockerfile-line-component-cve.adoc
index 401718d8bb66..e309dc0175b7 100644
--- a/modules/identify-dockerfile-line-component-cve.adoc
+++ b/modules/identify-dockerfile-line-component-cve.adoc
@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
-// * operating/manage-vulnerabilities.adoc
-// * operating/examine-images-for-vulnerabilities.adoc
+// * operating/manage-vulnerabilities/common-vuln-management-tasks.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="identify-dockerfile-line-component-cve_{context}"]
 = Identifying Dockerfile lines in images that introduced components with CVEs
@@ -13,12 +13,12 @@ You can identify specific Dockerfile lines in an image that introduced component
 To view a problematic line:
-. Go to the {product-title-short} portal and click *Vulnerability Management* from the navigation menu.
-. Select an image from either the *Top Riskiest Images* widget or click the *Images* button at the top of the Dashboard and select an image.
-. In the *Image* details view, under *Image Findings*, CVEs are listed in the *Observed CVEs*, *Deferred CVEs*, and *False positive CVEs* tabs.
-. Locate the CVE you want to examine further. In the *Affected Components* column, click on the * Components* link to view a list of components affected by the CVE. You can perform the following actions in this window:
-* Click the expand icon next to a specific component to view the Dockerfile line in the image that introduced the CVE. To address the CVE, you need to change this line in the Dockerfile; for example, you can upgrade the component.
-* Click the name of the component to go to the *Component Summary* page and view more information about the component.
+. In the {product-title-short} portal, click *Vulnerability Management* -> *Workload CVEs*.
+. Click the tab to view the type of CVEs. The following tabs are available:
+* *Observed*
+* *Deferred*
+* *False positives*
+. In the list of CVEs, click the CVE name to open the page containing the CVE details. The *Affected components* column lists the components that include the CVE.
+. Expand the CVE to display additional information, including the Dockerfile line that introduced the component.
-You can also view this information by navigating to *Vulnerability Management (2.0)* -> *Workload CVEs*. See "Viewing workload CVEs in Vulnerability Management (2.0)" in the "Additional Resources" section for more information.
diff --git a/modules/identify-operating-system-of-the-base-image.adoc b/modules/identify-operating-system-of-the-base-image.adoc
index 61a3c7b6925a..2845b027f6b6 100644
--- a/modules/identify-operating-system-of-the-base-image.adoc
+++ b/modules/identify-operating-system-of-the-base-image.adoc
@@ -1,17 +1,17 @@
 // Module included in the following assemblies:
 //
-// * operating/manage-vulnerabilities.adoc
-// * operating/examine-images-for-vulnerabilities.adoc
+// * operating/manage-vulnerabilities/vulnerability-management-dashboard.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="identify-operating-system-of-the-base-image_{context}"]
-= Identifying the operating system of the base image
+= Identifying the operating system of the base image by using the dashboard
 [role="_abstract"]
 Use the *Vulnerability Management* view to identify the operating system of the base image.
 .Procedure
-. Go to the {product-title-short} portal and click *Vulnerability Management* from the navigation menu.
+. Go to the {product-title-short} portal and click *Vulnerability Management* -> *Dashboard* from the navigation menu.
 . From the *Vulnerability Management* view header, select *Images*.
 . View the base operating system (OS) and OS version for all images under the *Image OS* column.
 //TODO: Add link to local page filtering
@@ -27,5 +27,3 @@ The base operating system is also available under the *Image Summary* -> *Detail
 Docker Trusted Registry, Google Container Registry, and Anchore do not provide this information.
 ====
-
-You can also view this information by navigating to *Vulnerability Management (2.0)* -> *Workload CVEs*. See "Viewing workload CVEs in Vulnerability Management (2.0)" in the "Additional Resources" section for more information.
\ No newline at end of file
diff --git a/modules/identify-top-risky-objects.adoc b/modules/identify-top-risky-objects.adoc
index dc9de778d5a6..82385a09b547 100644
--- a/modules/identify-top-risky-objects.adoc
+++ b/modules/identify-top-risky-objects.adoc
@@ -1,9 +1,10 @@
 // Module included in the following assemblies:
 //
-// * operating/manage-vulnerabilities.adoc
+// * operating/manage-vulnerabilities/vulnerability-management-dashboard.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="top-risky-objects_{context}"]
-= Identifying top risky objects
+= Identifying top risky objects by using the dashboard
 Use the *Vulnerability Management* view for identifying the top risky objects in your environment.
 The *Top Risky* widget displays information about the top risky images, deployments, clusters, and namespaces in your environment.
@@ -11,7 +12,7 @@ The risk is determined based on the number of vulnerabilities and their CVSS sco
 .Procedure
-. Go to the {product-title-short} portal and click *Vulnerability Management* from the navigation menu.
+. Go to the {product-title-short} portal and click *Vulnerability Management* -> *Dashboard* from the navigation menu.
 . Select the *Top Risky* widget header to choose between riskiest images, deployments, clusters, and namespaces.
 +
 The small circles on the chart represent the chosen object (image, deployment, cluster, namespace).
diff --git a/modules/identify-vulnerabilities-in-nodes-vm20.adoc b/modules/identify-vulnerabilities-in-nodes-vm20.adoc
new file mode 100644
index 000000000000..b6c96779463d
--- /dev/null
+++ b/modules/identify-vulnerabilities-in-nodes-vm20.adoc
@@ -0,0 +1,65 @@
+// Module included in the following assemblies:
+//
+// * operating/manage-vulnerabilities/common-vuln-management-tasks.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="identify-vulnerabilities-in-nodes-vm20_{context}"]
+= Viewing Node CVEs
+
+You can identify vulnerabilities in your nodes by using {product-title-short}. The vulnerabilities that are identified include the following:
+
+* Vulnerabilities in core Kubernetes components
+* Vulnerabilities in container runtimes such as Docker, CRI-O, runC, and containerd
+
+For more information about operating systems that {product-title-short} can scan, see "Supported operating systems".
+
+.Procedure
+. In the {product-title-short} portal, click *Vulnerability Management* -> *Node CVEs*.
+. To view the data, do any of the following tasks:
+* To view a list of all the CVEs affecting all of your nodes, select * CVEs*.
+* To view a list of nodes that contain CVEs, select * Nodes*.
+. Optional: You can filter CVEs according to entity by using the appropriate filters and attributes. To add more filtering criteria, follow these steps:
+.. Select the entity or attribute from the list.
+.. Depending on your choices, enter the appropriate information such as text, or select a date or object.
+.. Click the right arrow icon.
+.. Optional: Select additional entities and attributes, and then click the right arrow icon to add them.
+The filter entities and attributes are listed in the following table.
++
+.CVE filtering
+[cols="2",options="header"]
+|===
+|Entity|Attributes
+
+|Node
+a|
+* *Name*: The name of the node.
+* *Operating system*: The operating system of the node, for example, {op-system-base-full}.
+* *Label*: The label of the node.
+* *Annotation*: The annotation for the node.
+* *Scan time*: The scan date of the node.
+|CVE
+a|
+* *Name*: The name of the CVE.
+* *Discovered time*: The date when the CVE was discovered by {product-title-short}.
+* *CVSS*: The severity level for the CVE. You can select from the following options for the severity level:
+** *is greater than*
+** *is greater than or equal to*
+** *is equal to*
+** *is less than or equal to*
+** *is less than*
+|Node Component
+a|
+* *Name*: The name of the component.
+* *Version*: The version of the component, for example, `4.15.0-2024`. You can use this to search for a specific version of a component, for example, in conjunction with a component name.
+|Cluster
+a|
+* *Name*: The name of the cluster.
+* *Label*: The label for the cluster.
+* *Type*: The type of cluster, for example, OCP.
+* *Platform type*: The type of platform, for example, OpenShift 4 cluster.
+|===
+. Optional: To refine the list of results, do any of the following tasks:
+* Click *CVE severity*, and then select one or more levels.
+* Click *CVE status*, and then select *Fixable* or *Not fixable*.
+. Optional: To view the details of the node and information about the CVEs according to the CVSS score and fixable CVEs for that node, click a node name in the list of nodes.
+
diff --git a/modules/identify-vulnerabilities-in-nodes.adoc b/modules/identify-vulnerabilities-in-nodes.adoc
index 02b177effdad..e8a580fc8885 100644
--- a/modules/identify-vulnerabilities-in-nodes.adoc
+++ b/modules/identify-vulnerabilities-in-nodes.adoc
@@ -1,31 +1,17 @@
 // Module included in the following assemblies:
 //
-// * operating/manage-vulnerabilities.adoc
+// * operating/manage-vulnerabilities/vulnerability-management-dashboard.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="identify-vulnerabilities-in-nodes_{context}"]
-= Identifying vulnerabilities in nodes
+= Identifying vulnerabilities in nodes by using the dashboard
 You can use the *Vulnerability Management* view to identify vulnerabilities in your nodes.
-The identified vulnerabilities include vulnerabilities in:
-
-* Core Kubernetes components.
-* Container runtimes (Docker, CRI-O, runC, and containerd).
-+
-[NOTE]
-====
-* {product-title} can identify vulnerabilities in the following operating systems:
-** Amazon Linux 2
-** CentOS
-** Debian
-** Garden Linux (Debian 11)
-** {op-system-first}
-** {op-system-base-full}
-** Ubuntu (AWS, Microsoft Azure, GCP, and GKE specific versions)
-====
+The identified vulnerabilities include vulnerabilities in core Kubernetes components and container runtimes such as Docker, CRI-O, runC, and containerd. For more information on operating systems that {product-title-short} can scan, see "Supported operating systems".
 .Procedure
 . In the {product-title-short} portal, go to *Vulnerability Management* -> *Dashboard*.
-. Select *Nodes* on the *Dashboard* view header to view a list of all the CVEs affecting your nodes.
+. Select *Nodes* on the header to view a list of all the CVEs affecting your nodes.
 . Select a node from the list to view details of all CVEs affecting that node.
 .. When you select a node, the *Node* details panel opens for the selected node.
 The *Node* view shows in-depth details of the node and includes information about CVEs by CVSS score and fixable CVEs for that node.
diff --git a/modules/navigate-vulnerability-management-view.adoc b/modules/navigate-vulnerability-management-view.adoc
deleted file mode 100644
index d30b17148e7c..000000000000
--- a/modules/navigate-vulnerability-management-view.adoc
+++ /dev/null
@@ -1,31 +0,0 @@
-// Module included in the following assemblies:
-//
-// * operating/manage-vulnerabilities.adoc
-:_mod-docs-content-type: PROCEDURE
-[id="navigate-vulnerability-management-view_{context}"]
-= Navigating the Vulnerability Management view
-
-Use the following instructions to understand various user interface components of the *Vulnerability Management* view and their usage.
-
-.Procedure
-
-. Go to the {product-title-short} portal and click *Vulnerability Management* from the navigation menu.
-. Click *View All* for the *Top Risky Deployments by CVE Count and CVSS score* widget to open the *Deployments* view.
-This view lists detailed information about all deployments in your infrastructure.
-The *Deployments* view header includes options to export and switch between different entity views.
-You can also filter the list of deployments.
-//TODO: Add link to local page filtering topic.
-. On the *Deployments* view, click on a deployment row from the list to open the *Deployment* details panel.
-The *Deployment* details panel includes deployment *Summary* and *Findings* sections, and the *Related entities* sidebar.
- ** The *Summary* section shows detailed information about the deployment in multiple interactive widgets.
- ** The *Findings* section shows failing policies and fixable CVEs for the deployment.
- ** The *Related entities* sidebar shows the number of related entities under *Matches* and *Contains* sections.
-For deployment details, it shows the number of policies, images, components, and CVEs for the selected deployment.
-. Under the *Deployment Findings* section, click the *Fixable CVEs* tab to view the list of all the fixable CVEs for the selected deployment.
-. Click on a CVE from the fixable CVEs list to view the *CVE Summary*.
-CVE summary opens in the same panel.
-. Click *Components* in the *Related entities* sidebar to view a list of components affected by the selected CVE. Notice the panel header, it shows a list of all panels you viewed as breadcrumbs.
-. You can click on the *Back* icon to go back to the previous panel.
-Click on the *Deployment* name from the panel header breadcrumbs to open the *Deployment* details panel.
-. Click on the *Open view* icon in the panel header (near the close panel icon) to open the *Deployment* details view.
-You can then select different tabs to view information about images, components, policies, and CVEs for the selected deployment.
diff --git a/modules/scan-inactive-images.adoc b/modules/scan-inactive-images.adoc
index 49e76d5caf66..82f0fb4122ae 100644
--- a/modules/scan-inactive-images.adoc
+++ b/modules/scan-inactive-images.adoc
@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
-// * operating/manage-vulnerabilities.adoc
-// * operating/examine-images-for-vulnerabilities.adoc
+// * operating/manage-vulnerabilities/common-vuln-management-tasks.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="scan-inactive-images_{context}"]
 = Scanning inactive images
@@ -13,11 +13,11 @@ You can also configure {product-title-short} to scan inactive (not deployed) ima
 .Procedure
-. In the {product-title-short} portal, go to *Vulnerability Management (2.0) -> Workload CVEs (Tech preview)*.
-. Click * Images* to display a list of images and locate the image you want to watch.
-. Click the overflow menu, {kebab}, and then select *Watch image*. {product-title-short} then scans the image and shows an error or success message.
-. (Optional) To remove a watched image, click the overflow menu, {kebab}, and then select *Unwatch image*.
-. (Optional) You can view the list of all watched images and add additional images to watch by clicking *Manage watched images* in the page header.
+. In the {product-title-short} portal, click *Vulnerability Management* -> *Workload CVEs*.
+. Click *Manage watched images*.
+. In the *Image name* field, enter the fully-qualified image name that begins with the registry and ends with the image tag, for example, `docker.io/library/nginx:latest`.
+. Click *Add image to watch list*.
+. Optional: To remove a watched image, locate the image in the *Manage watched images* window, and click *Remove watch*.
 +
 [IMPORTANT]
 ====
diff --git a/modules/snooze-cves-vm20.adoc b/modules/snooze-cves-vm20.adoc
new file mode 100644
index 000000000000..b82505c69839
--- /dev/null
+++ b/modules/snooze-cves-vm20.adoc
@@ -0,0 +1,29 @@
+// Module included in the following assemblies:
+//
+// * operating/manage-vulnerabilities/common-vuln-management-tasks.adoc
+:_mod-docs-content-type: PROCEDURE
+
+[id="snooze-cves-vm20_{context}"]
+= Snoozing platform and node CVEs
+
+[role="_abstract"]
+You can snooze platform and node CVEs that do not relate to your infrastructure. You can snooze CVEs for 1 day, 1 week, 2 weeks, 1 month, or indefinitely, until you unsnooze them. Snoozing a CVE takes effect immediately and does not require an additional approval step.
+
+[NOTE]
+====
+The ability to snooze a CVE is not enabled by default in the web portal or in the API. To enable the ability to snooze CVEs, set the runtime environment variable `ROX_VULN_MGMT_LEGACY_SNOOZE` to `true`.
+====
+
+.Procedure
+
+. In the {product-title-short} portal, do any of the following tasks:
+* To view platform CVEs, click *Vulnerability Management* -> *Platform CVEs*.
+* To view node CVEs, click *Vulnerability Management* -> *Node CVEs*.
+. Select one or more CVEs.
+. Select the appropriate method to snooze the CVE:
+* If you selected a single CVE, click the overflow menu, {kebab}, and then select *Snooze CVE*.
+* If you selected multiple CVEs, click *Bulk actions* -> *Snooze CVEs*.
+. Select the duration of time to snooze.
+. Click *Snooze CVEs*.
++
+You receive a confirmation that you have requested to snooze the CVEs.
diff --git a/modules/snooze-cves.adoc b/modules/snooze-cves.adoc
deleted file mode 100644
index 17e770557501..000000000000
--- a/modules/snooze-cves.adoc
+++ /dev/null
@@ -1,15 +0,0 @@
-// Module included in the following assemblies:
-//
-// * operating/manage-vulnerabilities.adoc
-:_mod-docs-content-type: PROCEDURE
-[id="snooze-cves_{context}"]
-= Snoozing CVEs
-
-[role="_abstract"]
-Use the *Vulnerability Management* view to snooze CVEs that do not relate to your infrastructure. You can snooze CVEs for a day, a week, two weeks, a month, or indefinitely (until you unsnooze).
-
-.Procedure
-
-. From the *Vulnerability Management* view header, select *CVEs*.
-. You can select the checkboxes for one or more CVEs, and then select *Snooze CVE* (*`bell`* icon) or move the mouse over a CVE in the list and select the *Bell* icon
-. Select the time such as a day, a week, two weeks, a month, or indefinitely (until you unsnooze).
diff --git a/modules/top-risky-images-components.adoc b/modules/top-risky-images-components.adoc
index a688bf656cdb..5730d1415ffb 100644
--- a/modules/top-risky-images-components.adoc
+++ b/modules/top-risky-images-components.adoc
@@ -1,9 +1,10 @@
 // Module included in the following assemblies:
 //
-// * operating/manage-vulnerabilities.adoc
+// * operating/manage-vulnerabilities/vulnerability-management-dashboard.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="top-risky-images-components_{context}"]
-= Identifying top riskiest images and components
+= Identifying top riskiest images and components by using the dashboard
 Similar to the *Top Risky*, the *Top Riskiest* widget lists the names of the top riskiest images and components.
 This widget also includes the total number of CVEs and the number of fixable CVEs in the listed images.
diff --git a/modules/understanding-vulnerability-scores.adoc b/modules/understanding-vulnerability-scores.adoc
index 5dc34ab7afed..165c1bce2ebd 100644
--- a/modules/understanding-vulnerability-scores.adoc
+++ b/modules/understanding-vulnerability-scores.adoc
@@ -1,12 +1,13 @@
 // Module included in the following assemblies:
 //
 // * operating/examine-images-for-vulnerabilities.adoc
+
 :_mod-docs-content-type: CONCEPT
 [id="understanding-understanding-vulnerability-scores_{context}"]
-= Understanding vulnerability scores
+= Understanding vulnerability scores in the dashboard
 [role="_abstract"]
-The {product-title} portal shows a single Common Vulnerability Scoring System (CVSS) base score for each vulnerability.
+The vulnerability management dashboard in the {product-title} portal shows a single Common Vulnerability Scoring System (CVSS) base score for each vulnerability.
 {product-title-short} shows the CVSS score based on the following criteria:
 * If a CVSS v3 score is available, {product-title-short} shows the score and lists `v3` along with it.
diff --git a/modules/unsnooze-cves-vm20.adoc b/modules/unsnooze-cves-vm20.adoc
new file mode 100644
index 000000000000..d00bba95038a
--- /dev/null
+++ b/modules/unsnooze-cves-vm20.adoc
@@ -0,0 +1,29 @@
+// Module included in the following assemblies:
+//
+// * operating/manage-vulnerabilities/common-vuln-management-tasks.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="unsnooze-cves-vm20_{context}"]
+= Unsnoozing platform and node CVEs
+
+[role="_abstract"]
+You can unsnooze platform and node CVEs that you have previously snoozed.
+
+[NOTE]
+====
+The ability to snooze a CVE is not enabled by default in the web portal or in the API. To enable the ability to snooze CVEs, set the runtime environment variable `ROX_VULN_MGMT_LEGACY_SNOOZE` to `true`.
+====
+
+.Procedure
+
+. In the {product-title-short} portal, do any of the following tasks:
+* To view the list of platform CVEs, click *Vulnerability Management* -> *Platform CVEs*.
+* To view the list of node CVEs, click *Vulnerability Management* -> *Node CVEs*.
+. To view the list of snoozed CVEs, click *Show snoozed CVEs* in the header view.
+. Select one or more CVEs from the list of snoozed CVEs.
+. Select the appropriate method to unsnooze the CVE:
+* If you selected a single CVE, click the overflow menu, {kebab}, and then select *Unsnooze CVE*.
+* If you selected multiple CVEs, click *Bulk actions* -> *Unsnooze CVEs*.
+. Click *Unsnooze CVEs* again.
++
+You receive a confirmation that you have requested to unsnooze the CVEs.
diff --git a/modules/unsnooze-cves.adoc b/modules/unsnooze-cves.adoc
deleted file mode 100644
index 3882c6f7472d..000000000000
--- a/modules/unsnooze-cves.adoc
+++ /dev/null
@@ -1,16 +0,0 @@
-// Module included in the following assemblies:
-//
-// * operating/manage-vulnerabilities.adoc
-:_mod-docs-content-type: PROCEDURE
-[id="unsnooze-cves_{context}"]
-= Unsnoozing CVEs
-
-[role="_abstract"]
-Use the *Vulnerability Management* view to unsnooze CVEs that you have previously snoozed.
-
-.Procedure
-
-. From the *Vulnerability Management* view header, click *CVEs*.
-. On the *CVEs* view, click the *View Snoozed CVEs* icon.
-. You can select the checkboxes for one or more CVEs, and then select *Unsnooze CVE* (*`bell`* icon) or move the mouse over a CVE in the list, and then select the *Bell* icon.
-
diff --git a/modules/view-details-only-for-fixable-cves.adoc b/modules/view-details-only-for-fixable-cves.adoc
index 6225bea75afa..09f58590c48d 100644
--- a/modules/view-details-only-for-fixable-cves.adoc
+++ b/modules/view-details-only-for-fixable-cves.adoc
@@ -1,14 +1,15 @@ // Module included in the following assemblies: // -// * operating/manage-vulnerabilities.adoc +// * operating/manage-vulnerabilities/vulnerability-management-dashboard.adoc + :_mod-docs-content-type: PROCEDURE [id="view-details-only-for-fixable-cves_{context}"] -= Viewing details only for fixable CVEs += Viewing details only for fixable CVEs by using the dashboard  [role="_abstract"] Use the *Vulnerability Management* view to filter and show only the fixable CVEs.  .Procedure - In the {product-title-short} portal, go to *Vulnerability Management*. -. From the *Vulnerability Management* view header, select *Filter CVEs* -> *Fixable*. \ No newline at end of file +. In the {product-title-short} portal, go to *Vulnerability Management* -> *Dashboard*. +. From the *Vulnerability Management* view header, under *Filter CVEs*, click *Fixable*. \ No newline at end of file
diff --git a/modules/view-dockerfile-for-image.adoc b/modules/view-dockerfile-for-image.adoc
index e0ecf49a589d..5f9fa3ffa7c4 100644
--- a/modules/view-dockerfile-for-image.adoc
+++ b/modules/view-dockerfile-for-image.adoc @@ -1,10 +1,10 @@ // Module included in the following assemblies: // -// * operating/manage-vulnerabilities.adoc -// * operating/examine-images-for-vulnerabilities.adoc +// * operating/manage-vulnerabilities/vulnerability-management-dashboard.adoc + :_mod-docs-content-type: PROCEDURE [id="viewing-dockerfile-for-image_{context}"] -= Viewing the Dockerfile for an image += Viewing the Dockerfile for an image by using the dashboard Use the *Vulnerability Management* view to find the root cause of vulnerabilities in an image. You can view the Dockerfile and find exactly which command in the Dockerfile introduced the vulnerabilities and all components that are associated with that single command. 
@@ -21,14 +21,7 @@ If there are any CVEs in those components, you can select the expand icon for an .Procedure -. In the {product-title-short} portal, go to *Vulnerability Management*. -. Select an image from either the *Top Riskiest Images* widget or click the *Images* button at the top of the Dashboard and select an image. +. In the {product-title-short} portal, go to *Vulnerability Management* -> *Dashboard*. +. Select an image from either the *Top Riskiest Images* widget or click the *Images* button at the top of the dashboard and select an image. . In the *Image* details view, next to *Dockerfile*, select the expand icon to see a summary of instructions, values, creation date, and components. -. Select the expand icon for an individual component to view more information. - -You can also view this information by navigating to *Vulnerability Management (2.0)* -> *Workload CVEs*. See "Viewing workload CVEs in Vulnerability Management (2.0)" in the "Additional Resources" section for more information. - -//[role="_additional-resources"] -//.Additional resources -// -//TODO: Add link for Dockerfile panel \ No newline at end of file +. Select the expand icon for an individual component to view more information. \ No newline at end of file diff --git a/modules/view-freq-violated-policies.adoc b/modules/view-freq-violated-policies.adoc deleted file mode 100644 index 353b64d1b115..000000000000 --- a/modules/view-freq-violated-policies.adoc +++ /dev/null 
@@ -1,20 +0,0 @@
-// Module included in the following assemblies:
-//
-// * operating/manage-vulnerabilities.adoc
-:_mod-docs-content-type: PROCEDURE
-[id="viewing-frequently-violated-policies_{context}"]
-= Viewing frequently violated policies
-
-Use the *Frequently Violated Policies* widget on the *Vulnerability Management* view to identify the most frequently violated policies in your clusters.
-
-.Procedure
-
-. In the {product-title-short} portal, go to *Vulnerability Management*.
-. Hover over the policies listed in the *Frequently Violated Policies* widget to see an overview of the policy.
-The overview includes policy name, policy category, policy description, and date and time when the policy was last violated.
-. Select *View All* on the widget header to open the *Policies* view, which lists all policies in your infrastructure.
-It includes information about policy description, policy status, last updated date and time, latest violation date and time, severity, deployments, policy life-cycle, and enforcement.
-. In the *Policies* view, select a policy to view additional details about a specific policy, including policy scope, excluded images and deployment for the policy, and list of all deployments where this policy is failing.
-This information appears in the *Policy* details panel on the right.
-. In the *Policy* details panel, select a deployment under the *Policy Findings* section.
-Deployment details open in the same panel for the selected deployment.
diff --git a/modules/view-images-in-your-environment.adoc b/modules/view-images-in-your-environment.adoc
deleted file mode 100644
index 6bb773736d62..000000000000
--- a/modules/view-images-in-your-environment.adoc
+++ /dev/null
@@ -1,16 +0,0 @@
-// Module included in the following assemblies:
-//
-// * operating/examine-images-for-vulnerabilities.adoc
-:_mod-docs-content-type: PROCEDURE
-[id="view-images-in-your-environment_{context}"]
-= Viewing images in your environment
-
-[role="_abstract"]
-With {product-title-short}, you can view the details for all container images in your clusters.
-
-.Procedure
-. In the {product-title-short} portal, go to *Vulnerability Management* -> *Dashboard*.
-. To view details for all the images in your cluster, in the *Vulnerability Management* view header, click *Images*.
-
-You can also view this information by navigating to *Vulnerability Management (2.0)* -> *Workload CVEs*. See "Viewing workload CVEs in Vulnerability Management (2.0)" in the "Additional Resources" section for more information.
-
diff --git a/modules/view-most-common-vulnerabilities.adoc b/modules/view-most-common-vulnerabilities.adoc
index 0c80e8d6e2f4..e8ec0b529e8f 100644
--- a/modules/view-most-common-vulnerabilities.adoc
+++ b/modules/view-most-common-vulnerabilities.adoc
@@ -1,11 +1,12 @@ // Module included in the following assemblies: // // * operating/manage-vulnerabilities.adoc + :_mod-docs-content-type: CONCEPT [id="view-most-common-vulnerabilities_{context}"] -= Viewing the most common vulnerabilities += Viewing the most common vulnerabilities by using the dashboard -The *Most Common Vulnerabilities* widget on the *Vulnerability Management* view shows a list of vulnerabilities that affect the largest number of deployments and images arranged by their CVSS score. +The *Most Common Vulnerabilities* widget on the *Vulnerability Management* -> *Dashboard* view shows a list of vulnerabilities that affect the largest number of deployments and images arranged by their CVSS score. * When you hover over a CVE in the list, you see an overview of the CVE which includes, scan time, CVSS score, description, impact, and whether it is scored by using CVSS v2 or v3. * When you select a CVE, the *CVE* details view opens for the selected CVE. diff --git a/modules/view-recently-detected-vulnerabilities.adoc b/modules/view-recently-detected-vulnerabilities.adoc index 58e04b66fcac..eb1f5e2d7f84 100644 --- a/modules/view-recently-detected-vulnerabilities.adoc +++ b/modules/view-recently-detected-vulnerabilities.adoc 
@@ -1,11 +1,12 @@ // Module included in the following assemblies: // -// * operating/manage-vulnerabilities.adoc +// * operating/manage-vulnerabilities/vulnerability-management-dashboard.adoc + :_mod-docs-content-type: CONCEPT [id="view-recently-detected-vulnerabilities_{context}"] -= Viewing recently detected vulnerabilities += Viewing recently detected vulnerabilities by using the dashboard -The *Recently Detected Vulnerabilities* widget on the *Vulnerability Management* view shows a list of recently discovered vulnerabilities in your scanned images, based on the scan time and CVSS score. +The *Recently Detected Vulnerabilities* widget on the *Vulnerability Management* -> *Dashboard* view shows a list of recently discovered vulnerabilities in your scanned images, based on the scan time and CVSS score. It also includes information about the number of images affected by the CVE and its impact (percentage) on your environment. * When you hover over a CVE in the list, you see an overview of the CVE, which includes scan time, CVSS score, description, impact, and whether it's scored by using CVSS v2 or v3.
diff --git a/modules/view-snoozed-cves.adoc b/modules/view-snoozed-cves.adoc
deleted file mode 100644
index 7aa7af46d48e..000000000000
--- a/modules/view-snoozed-cves.adoc
+++ /dev/null
@@ -1,14 +0,0 @@
-// Module included in the following assemblies:
-//
-// * operating/manage-vulnerabilities.adoc
-:_mod-docs-content-type: PROCEDURE
-[id="view-snoozed-cves_{context}"]
-= Viewing snoozed CVEs
-
-[role="_abstract"]
-Use the *Vulnerability Management* view to see the list of all snoozed CVEs.
-
-.Procedure
-
-. From the *Vulnerability Management* view header, click *CVEs*.
-. On the *CVEs* view, click the *View Snoozed CVEs* icon.
\ No newline at end of file
diff --git a/modules/viewing-snoozed-cves.adoc b/modules/viewing-snoozed-cves.adoc
new file mode 100644
index 000000000000..2d33bb859305
--- /dev/null
+++ b/modules/viewing-snoozed-cves.adoc
@@ -0,0 +1,22 @@
+// Module included in the following assemblies:
+//
+// * operating/manage-vulnerabilities/common-vuln-management-tasks.adoc
+:_mod-docs-content-type: PROCEDURE
+[id="viewing-snoozed-cves_{context}"]
+= Viewing snoozed CVEs
+
+[role="_abstract"]
+You can view a list of platform and node CVEs that have been snoozed.
+
+[NOTE]
+====
+The ability to snooze a CVE is not enabled by default in the web portal or in the API. To enable the ability to snooze CVEs, set the runtime environment variable `ROX_VULN_MGMT_LEGACY_SNOOZE` to `true`.
+====
+
+.Procedure
+
+. In the {product-title-short} portal, do any of the following tasks:
+* To view the list of platform CVEs, click *Vulnerability Management* -> *Platform CVEs*.
+* To view the list of node CVEs, click *Vulnerability Management* -> *Node CVEs*.
+. Click *Show snoozed CVEs* to view the list.
+
diff --git a/modules/vulnerability-management-accept-deferrals-false-positives.adoc b/modules/vulnerability-management-accept-deferrals-false-positives.adoc
new file mode 100644
index 000000000000..6d6ff99c24a4
--- /dev/null
+++ b/modules/vulnerability-management-accept-deferrals-false-positives.adoc
@@ -0,0 +1,30 @@
+// Module included in the following assemblies:
+//
+// * operating/manage-vulnerabilities/common-vuln-management-tasks.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="vulnerability-management-review-accept-deferrals-false-positives_{context}"]
+= Reviewing and managing an exception request to defer or mark a CVE as false positive
+
+[role="_abstract"]
+You can review, update, approve, or deny an exception requests for deferring and marking CVEs as false positives.
+
+.Prerequisites
+* You have the `write` permission for the `VulnerabilityManagementRequests` resource.
+
+.Procedure
+. To view the list of pending requests, do any of the following tasks:
+* Paste the approval link into your browser.
+* Click *Vulnerability Management* -> *Exception Management*, and then click the request name in the *Pending requests* tab.
+. Review the scope of the vulnerability and decide whether or not to approve it.
+. Choose the appropriate option to manage a pending request:
+* If you want to deny the request and return the CVE to observed status, click *Deny request*.
++
+Enter a rationale for the denial, and click *Deny*.
+* If you want to approve the request, click *Approve request*.
++
+Enter a rationale for the approval, and click *Approve*.
+. To cancel a request that you have created and return the CVE to observed status, click *Cancel request*. You can only cancel requests that you have created.
+. To update the deferral time period or rationale for a request that you have created, click *Update request*. You can only update requests that you have created.
++
+After you make changes, click *Submit request*.
diff --git a/modules/vulnerability-management-accept-risks.adoc b/modules/vulnerability-management-accept-risks.adoc
index deb0b031ca73..328c3dd41427 100644
--- a/modules/vulnerability-management-accept-risks.adoc
+++ b/modules/vulnerability-management-accept-risks.adoc
@@ -1,27 +1,32 @@ // Module included in the following assemblies: // // * operating/manage-vulnerabilities.adoc + :_mod-docs-content-type: PROCEDURE [id="vulnerability-management-accept-risks_{context}"] -= Accepting risks += Deferring CVEs [role="_abstract"] -Follow the instructions in this section to accept the risks in {product-title}. +You can accept risk with or without mitigation and defer CVEs. You must get deferral requests approved in the exception management workflow. .Prerequisites -* You must have `write` permission for the `VulnerabilityManagementRequests` resource. - -To accept risk with or without mitigation: +* You have `write` permission for the `VulnerabilityManagementRequests` resource. .Procedure -. In the {product-title-short} portal, go to *Vulnerability Management 1.0* -> *Dashboard*. -. On the *Dashboard* view header, select *Images*. -. From the list of images, select the image you already assessed. -. Find the row which lists the CVE you would like to take action on. -. Click the overflow menu, {kebab}, for the CVE you identified. -. Click *Defer CVE*. -. Select the date and time till you want to defer the CVE. -. Select if you want to defer the CVE for the selected image tag or all tags for this image. -. Enter the reason for the deferral. -. Click *Request approval*. -Select the blue information icon on the right of the CVE and copy the approval link to share with your organization's deferral approver. +. In the {product-title-short} portal, click *Vulnerability Management* -> *Workload CVEs*. +. Choose the appropriate method to defer a CVE: +* If you want to defer a single CVE, perfom the following steps: +.. Find the row which contains the CVE that you want to mark as a false positive. +.. Click the overflow menu, {kebab}, for the CVE that you identified, and then click *Defer CVE*. +* If you want to defer multiple CVEs, perform the following steps: +.. Select each CVE. +.. Click *Bulk actions* -> *Defer CVEs*. +. 
Select the time period for the deferral. +. Enter a rationale for requesting the exception. +. Optional: To review the CVEs that are included in the exception menu, click *CVE selections*. +. Click *Submit request*. ++ +You receive a confirmation that you have requested a deferral. +. Optional: To copy the approval link to share it with your organization's exception approver, click the copy icon. +. Click *Close*. + diff --git a/modules/vulnerability-management-assess-exposure.adoc b/modules/vulnerability-management-assess-exposure.adoc index 2c581f8a6f15..5f63cb4eb321 100644 --- a/modules/vulnerability-management-assess-exposure.adoc +++ b/modules/vulnerability-management-assess-exposure.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * operating/manage-vulnerabilities.adoc + :_mod-docs-content-type: CONCEPT [id="vulnerability-management-assess-exposure_{context}"] = Assessing the exposure diff --git a/modules/vulnerability-management-asset-assessment.adoc b/modules/vulnerability-management-asset-assessment.adoc index d834bf626dee..8afda33f16f5 100644 --- a/modules/vulnerability-management-asset-assessment.adoc +++ b/modules/vulnerability-management-asset-assessment.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * operating/manage-vulnerabilities.adoc + :_mod-docs-content-type: CONCEPT [id="vulnerability-management-asset-assessment_{context}"] = Performing asset assessment 
@@ -17,13 +18,13 @@ When you install {product-title} on your Kubernetes or {ocp} cluster, it first a Important assets that should be monitored by the organization's vulnerability management process using {product-title-short} include: * *Components*: Components are software packages that may be used as part of an image or run on a node. Components are the lowest level where vulnerabilities are present. Therefore, organizations must upgrade, modify or remove software components in some way to remediate vulnerabilities. -* *Image*: A collection of software components and code that create an environment to run an executable portion of code. Images are where you upgrade components to fix vulnerabilities. +* *Images*: A collection of software components and code that create an environment to run an executable portion of code. Images are where you upgrade components to fix vulnerabilities. * *Nodes*: A server used to manage and run applications using OpenShift or Kubernetes and the components that make up the {ocp} or Kubernetes service. -{product-title} groups these assets into the following structures: +{product-title-short} groups these assets into the following structures: * *Deployment*: A definition of an application in Kubernetes that may run pods with containers based on one or many images. * *Namespace*: A grouping of resources such as Deployments that support and isolate an application. * *Cluster*: A group of nodes used to run applications using OpenShift or Kubernetes. -{product-title} scans the assets for known vulnerabilities and uses the Common Vulnerabilities and Exposures (CVE) data to assess the impact of a known vulnerability. +{product-title-short} scans the assets for known vulnerabilities and uses the Common Vulnerabilities and Exposures (CVE) data to assess the impact of a known vulnerability. 
diff --git a/modules/vulnerability-management-exception-time-config.adoc b/modules/vulnerability-management-exception-time-config.adoc
new file mode 100644
index 000000000000..0e15f2d21819
--- /dev/null
+++ b/modules/vulnerability-management-exception-time-config.adoc
@@ -0,0 +1,17 @@
+// Module included in the following assemblies:
+//
+// * operating/manage-vulnerabilities/common-vuln-management-tasks.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="vulnerability-management-exception-time-config_{context}"]
+= Configuring vulnerability exception expiration periods
+
+[role="_abstract"]
+You can configure the time periods available for vulnerability management exceptions. These options are available when users request to defer a CVE.
+
+.Prerequisites
+* You have `write` permission for the `VulnerabilityManagementRequests` resource.
+
+.Procedure
+. In the {product-title-short} portal, go to *Platform Configuration* -> *Exception Configuration*.
+. You can configure expiration times that users can select when they request to defer a CVE. Enabling a time period makes it available to users and disabling it removes it from the user interface.
diff --git a/modules/vulnerability-management-export-workloads.adoc b/modules/vulnerability-management-export-workloads.adoc
index 6121c4b9e8a6..a1cff975f92c 100644
--- a/modules/vulnerability-management-export-workloads.adoc
+++ b/modules/vulnerability-management-export-workloads.adoc
@@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * operating/manage-vulnerabilities.adoc + :_mod-docs-content-type: CONCEPT [id="vulnerability-management-export-workloads_{context}"] = Exporting workload vulnerabilities by using the API
@@ -41,6 +42,3 @@ $ curl -H "Authorization: Bearer $ROX_API_TOKEN" $ROX_ENDPOINT/v1/export/vuln-mg $ curl -H "Authorization: Bearer $ROX_API_TOKEN" $ROX_ENDPOINT/v1/export/vuln-mgmt/workloads?query=Deployment%3Aapp%2BNamespace%3Adefault ---- -[role="_additional-resources"] -.Additional resources -* xref:../../operating/search-filter.adoc#search-filter[Searching and filtering] diff --git a/modules/vulnerability-management-mark-false-positive-image.adoc b/modules/vulnerability-management-mark-false-positive-image.adoc new file mode 100644 index 000000000000..dfc18df2cee8 --- /dev/null +++ b/modules/vulnerability-management-mark-false-positive-image.adoc 
@@ -0,0 +1,33 @@
+// Module included in the following assemblies:
+//
+// * operating/manage-vulnerabilities/common-vuln-management-tasks.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="vulnerability-management-mark-false-positive-image_{context}"]
+= Marking a vulnerability as a false positive for an image or image tag
+
+[role="_abstract"]
+To create an exception for a vulnerability, you can mark it as a false positive for a single image, or across all tags associated with an image. You must get requests to mark a vulnerability as a false positive approved in the exception management workflow.
+
+.Prerequisites
+* You have the `write` permission for the `VulnerabilityManagementRequests` resource.
+
+.Procedure
+. In the {product-title-short} portal, click *Vulnerability Management* -> *Workload CVEs*.
+. To view the list of images, click * Images*.
+. Find the row that lists the image that you want to mark as a false positive, and click the image name.
+. Choose the appropriate method to mark the CVEs:
+* If you want to mark a single CVE, perform the following steps:
+.. Find the row which contains the CVE that you want to take action on.
+.. Click the overflow menu, {kebab}, for the CVE that you identified, and then select *Mark as false positive*.
+* If you want to mark multiple CVEs, perform the following steps:
+.. Select each CVE.
+.. From the *Bulk actions* drop-down list, select *Mark as false positives*.
+. Select the scope. You can select either all tags associated with the image or only the image.
+. Enter a rationale for requesting the exception.
+. Optional: To review the CVEs that are included in the exception request, click *CVE selections*.
+. Click *Submit request*.
++
+You receive a confirmation that you have requested an exception.
+. Optional: To copy the approval link and share it with your organization's exception approver, click the copy icon.
+. Click *Close*.
\ No newline at end of file
diff --git a/modules/vulnerability-management-mark-false-positive.adoc b/modules/vulnerability-management-mark-false-positive.adoc
index d3c7fd1bc4d0..7ed88e1dcfc5 100644
--- a/modules/vulnerability-management-mark-false-positive.adoc
+++ b/modules/vulnerability-management-mark-false-positive.adoc
@@ -1,24 +1,30 @@ // Module included in the following assemblies: // -// * operating/manage-vulnerabilities.adoc +// * operating/manage-vulnerabilities/common-vuln-management-tasks.adoc + :_mod-docs-content-type: PROCEDURE [id="vulnerability-management-mark-false-positive_{context}"] -= Marking vulnerabilities as false positive += Marking a vulnerability as a false positive globally [role="_abstract"] -The following procedure marks a vulnerability as a false positive. +You can create an exception for a vulnerability by marking it as a false positive globally, or across all images. You must get requests to mark a vulnerability as a false positive approved in the exception management workflow. .Prerequisites -* You must have the `write` permission for the `VulnerabilityManagementRequests` resource. +* You have the `write` permission for the `VulnerabilityManagementRequests` resource. .Procedure -. In the {product-title-short} portal, go to *Vulnerability Management 1.0* -> *Dashboard*. -. On the *Dashboard* view header, select *Images*. -. From the list of images, select the image you already assessed. -. Find the row which lists the CVE you would like to take action on. -. Click the {kebab} on the right for the CVE you identified and click *Defer CVE*. -. Select the date and time you want to defer the CVE. -. Select if you want to defer the CVE for the selected image tag or all tags for this image. -. Enter the reason for the deferral. -. Click *Request approval*. -. Select the blue information icon on the right of the CVE and copy the approval link to share with your organization's deferral approver. +. In the {product-title-short} portal, click *Vulnerability Management* -> *Workload CVEs*. +. Choose the appropriate method to mark the CVEs: +* If you want to mark a single CVE, perform the following steps: +.. Find the row which contains the CVE that you want to take action on. +.. 
Click the overflow menu, {kebab}, for the CVE that you identified, and then select *Mark as false positive*. +* If you want to mark multiple CVEs, perform the following steps: +.. Select each CVE. +.. From the *Bulk actions* drop-down list, select *Mark as false positives*. +. Enter a rationale for requesting the exception. +. Optional: To review the CVEs that are included in the exception request, click *CVE selections*. +. Click *Submit request*. ++ +You receive a confirmation that you have requested an exception. +. Optional: To copy the approval link and share it with your organization's exception approver, click the copy icon. +. Click *Close*. \ No newline at end of file diff --git a/modules/vulnerability-management-migration.adoc b/modules/vulnerability-management-migration.adoc deleted file mode 100644 index f80cd45d4b36..000000000000 --- a/modules/vulnerability-management-migration.adoc +++ /dev/null 
@@ -1,25 +0,0 @@
-// Module included in the following assemblies:
-//
-// * operating/manage-vulnerabilities.adoc
-:_mod-docs-content-type: CONCEPT
-[id="vulnerability-management-migration_{context}"]
-= Migration of vulnerability reports when upgrading to RHACS version 4.3 and later
-
-[role="_abstract"]
-{rh-rhacs-first} version 4.3 includes an automatic migration of vulnerability report configurations that were created in previous versions of {product-title-short} in the *Vulnerability Management 1.0* -> *Reporting* page. You can access migrated report configurations by clicking *Vulnerability Management (2.0)* -> *Vulnerability Reporting*. The previous versions of the report configurations are no longer available in the {product-title-short} web portal or by using the API.
-//We can probably remove this section at some point, like after 4.2 and earlier versions are EOL.
-
-{product-title-short} performs the following actions during the migration:
-
-* Report configurations are copied to create a new version of the report that you can access by clicking *Vulnerability Management (2.0)* -> *Vulnerability Reporting*.
-* The original name for the report is used when migrating reports to the new location.
-* Report configurations created in the *Vulnerability Management 2.0 (Tech preview)* -> *Reporting* page are not affected by upgrading to {product-title-short} version 4.3 or later. The menu item to access these report configurations was renamed *Vulnerability Management (2.0)* and the page was renamed *Vulnerability Reporting*.
-* If a report configuration previously created by using the *Vulnerability Management 1.0* page is not migrated because the notifier attached to it no longer exists, then the details of that configuration are added to the logs generated by the Central pod. You can use details from the log to re-create the report configuration by clicking *Vulnerability Management (2.0)* -> *Vulnerability Reporting* and adding a new report.
-* For each report configuration that was previously created by using the *Vulnerability Management 1.0* page, the most recent successful scheduled report job is migrated to the *All Report jobs* section of the report configuration. To view the report configuration, click *Vulnerability Management (2.0)* -> *Vulnerability Reporting*, and then click the report configuration.
-
-If you need to roll back to {product-title-short} 4.2 from a later version, the following actions occur:
-
-* The report configurations that became defunct with migration now become functional again and are available by clicking *Vulnerability Management 1.0* -> *Reporting*.
-* The report configurations created by the migration remain functional and are available by clicking *Vulnerability Reporting 2.0 (Tech Preview)*. You can manually delete unwanted report configurations created in either the 1.0 or 2.0 reporting version.
-* If a report configuration in the *Vulnerability Management 1.0* -> *Reporting* page is updated after rolling back to {product-title-short} 4.2 or earlier, those updates might not be applied to the migrated report configuration when the system is upgraded again. If this happens, the details of the report configuration are added to the logs generated by the Central pod. You can manually update the report configuration by clicking *Vulnerability Management (2.0)* -> *Vulnerability Reporting* and using the details from the log.
-* Any new report configurations created in the *Vulnerability Management 1.0* -> *Reporting* page are migrated when you upgrade again to {product-title-short} version 4.3 or later.
diff --git a/modules/vulnerability-management-other-views.adoc b/modules/vulnerability-management-other-views.adoc
index 4bb9bd43cfa0..4ab0bb775021 100644
--- a/modules/vulnerability-management-other-views.adoc
+++ b/modules/vulnerability-management-other-views.adoc
@@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * operating/manage-vulnerabilities.adoc + :_mod-docs-content-type: CONCEPT [id="vulnerability-management-other-views_{context}"] = Other views diff --git a/modules/vulnerability-management-prioritizing.adoc b/modules/vulnerability-management-prioritizing.adoc index 2de2daceb515..48f77a1680ef 100644 --- a/modules/vulnerability-management-prioritizing.adoc +++ b/modules/vulnerability-management-prioritizing.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * operating/manage-vulnerabilities.adoc + :_mod-docs-content-type: CONCEPT [id="vulnerability-management-prioritizing_{context}"] = Prioritizing the vulnerabilities diff --git a/modules/vulnerability-management-process.adoc b/modules/vulnerability-management-process.adoc index 5b8eea8c4874..7827d4f0e596 100644 --- a/modules/vulnerability-management-process.adoc +++ b/modules/vulnerability-management-process.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * operating/manage-vulnerabilities.adoc + :_mod-docs-content-type: CONCEPT [id="vulnerability-management-process_{context}"] = Vulnerability management process diff --git a/modules/vulnerability-management-reporting.adoc b/modules/vulnerability-management-reporting.adoc index 54730cb72e6d..384126152dec 100644 --- a/modules/vulnerability-management-reporting.adoc +++ b/modules/vulnerability-management-reporting.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * operating/manage-vulnerabilities.adoc + :_mod-docs-content-type: CONCEPT [id="vulnerability-management-reporting_{context}"] = Reporting vulnerabilities to teams diff --git a/modules/vulnerability-management-review-deferred.adoc b/modules/vulnerability-management-review-deferred.adoc index d55157359d8b..7da290d1ef7a 100644 --- a/modules/vulnerability-management-review-deferred.adoc +++ b/modules/vulnerability-management-review-deferred.adoc 
@@ -1,20 +1,21 @@ // Module included in the following assemblies: // -// * operating/manage-vulnerabilities.adoc +// * operating/manage-vulnerabilities/common-vuln-management-tasks.adoc + :_mod-docs-content-type: PROCEDURE [id="vulnerability-management-review-deferred_{context}"] -= Reviewing a false positive or deferred CVE += Viewing deferred and false positive CVEs [role="_abstract"] -Use the following procedure to review a false positive or deferred CVE. - -.Prerequisites -* You must have the `write` permission for the `VulnerabilityManagementApprovals` resource. - -You can review a false positive or deferred CVE: +You can use the *Workload CVEs* page to view CVEs that have been deferred or marked as false positives. .Procedure -. Open the approval link in your browser or in the {product-title-short} portal. -. Go to *Vulnerability Management* -> *Risk Acceptance* and search for the CVE. -. Review the vulnerabilities scope and action to decide if you would like to approve it. -. Click on the {kebab} at the far right of the CVE and approve or deny the request for approval. +. To see CVEs that have been deferred or marked as false positives, click *Vulnerability Management* -> *Workload CVEs*. Complete any of the following actions: +* To see CVEs that have been deferred, click the *Deferred* tab. +* To see CVEs that have been marked as false positives, click the *False positives* tab. ++ +[NOTE] +==== +To approve, deny, or change deferred or false positive CVEs, click *Vulnerability Management* -> *Exception Management*. +==== +. Optional: To view additional information about the deferral or false positive, click *View* under *Request details*. The *Exception Management* page is displayed. diff --git a/modules/vulnerability-management-take-action.adoc b/modules/vulnerability-management-take-action.adoc index 6c8d1929bd18..0641e454931a 100644 --- a/modules/vulnerability-management-take-action.adoc +++ b/modules/vulnerability-management-take-action.adoc 
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * operating/manage-vulnerabilities.adoc
+
 :_mod-docs-content-type: CONCEPT
 [id="vulnerability-management-take-action_{context}"]
 = Taking action
@@ -16,4 +17,4 @@ Once you have decided to take action on a vulnerability, you can take one of the
 You can remediate vulnerabilities by performing one of the following actions:
 * Remove a software package
-* Update a software package to a non-vulnerable version.
+* Update a software package to a non-vulnerable version
diff --git a/modules/vulnerability-management-upgrade-component.adoc b/modules/vulnerability-management-upgrade-component.adoc
index 1bb72df1b534..022c233a718e 100644
--- a/modules/vulnerability-management-upgrade-component.adoc
+++ b/modules/vulnerability-management-upgrade-component.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * operating/manage-vulnerabilities.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="vulnerability-management-upgrade-component{context}"]
 = Finding a new component version
@@ -9,9 +10,10 @@
 The following procedure finds a new component version to upgrade to.
 
 .Procedure
-. In the {product-title-short} portal, go to *Vulnerability Management 1.0* -> *Dashboard*.
-. On the *Dashboard* view header, select *Images*.
-. From the list of images, select the image you already assessed.
-. Under the *Image findings* section, select the CVE.
-. Select the affected components of the CVE you want to take action on.
-. Review the version of the component that the CVE is fixed in and update your image.
+
+. In the {product-title-short} portal, click *Vulnerability Management* -> *Workload CVEs*.
+. Click * Images* and select an image.
+. To view additional information, locate the CVE and click the expand icon.
++
+The additional information includes the component that the CVE is in and the version in which the CVE is fixed, if it is fixable.
+. Update your image to a later version.
diff --git a/modules/vulnerability-management-view-applications-vulnerability.adoc b/modules/vulnerability-management-view-applications-vulnerability.adoc
index 456b3f3b0f97..f122d426f070 100644
--- a/modules/vulnerability-management-view-applications-vulnerability.adoc
+++ b/modules/vulnerability-management-view-applications-vulnerability.adoc
@@ -1,16 +1,17 @@
 // Module included in the following assemblies:
 //
-// * operating/manage-vulnerabilities.adoc
+// * operating/manage-vulnerabilities/vulnerability-management-dashboard.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="vulnerability-management-view-applications-vulnerability_{context}"]
-= Viewing application vulnerabilities
+= Viewing application vulnerabilities by using the dashboard
 
 [role="_abstract"]
-You can view application vulnerabilities in {product-title}.
+You can view application vulnerabilities in {product-title} by using the dashboard.
 
 .Procedure
-. In the {product-title-short} portal, go to *Vulnerability Management 1.0* -> *Dashboard*.
+. In the {product-title-short} portal, go to *Vulnerability Management* -> *Dashboard*.
 . On the *Dashboard* view header, select *Application & Infrastructure* -> *Namespaces* or *Deployments*.
 . From the list, search for and select the *Namespace* or *Deployment* you want to review.
 . To get more information about the application, select an entity from *Related entities* on the right.
diff --git a/modules/vulnerability-management-view-image-vulnerability.adoc b/modules/vulnerability-management-view-image-vulnerability-dashboard.adoc
similarity index 69%
rename from modules/vulnerability-management-view-image-vulnerability.adoc
rename to modules/vulnerability-management-view-image-vulnerability-dashboard.adoc
index eb9d2e015838..df7e034ba80e 100644
--- a/modules/vulnerability-management-view-image-vulnerability.adoc
+++ b/modules/vulnerability-management-view-image-vulnerability-dashboard.adoc
@@ -1,16 +1,17 @@
 // Module included in the following assemblies:
 //
-// * operating/manage-vulnerabilities.adoc
+// * operating/manage-vulnerabilities/vulnerability-management-dashboard.adoc
+
 :_mod-docs-content-type: PROCEDURE
-[id="vulnerability-management-view-image-vulnerability_{context}"]
-= Viewing image vulnerabilities
+[id="vulnerability-management-view-image-vulnerability-dashboard_{context}"]
+= Viewing image vulnerabilities by using the dashboard
 
 [role="_abstract"]
-You can view image vulnerabilities in {product-title}.
+You can view image vulnerabilities in {product-title} by using the dashboard.
 
 .Procedure
-. In the {product-title-short} portal, go to *Vulnerability Management 1.0* -> *Dashboard*.
-. On the *Dashboard* view header, select *Images*.
+. In the {product-title-short} portal, go to *Vulnerability Management* -> *Dashboard*.
+. On the *Dashboard* view header, select * Images*.
 . From the list of images, select the image you want to investigate. You can also filter the list by performing one of the following steps:
 .. Enter *Image* in the search bar and then select the *Image* attribute.
 .. Enter the image name in the search bar.
diff --git a/modules/vulnerability-management-view-infrastructure-vulnerability.adoc b/modules/vulnerability-management-view-infrastructure-vulnerability.adoc
index 85c8120971d8..8030947d9aab 100644
--- a/modules/vulnerability-management-view-infrastructure-vulnerability.adoc
+++ b/modules/vulnerability-management-view-infrastructure-vulnerability.adoc
@@ -1,15 +1,16 @@
 // Module included in the following assemblies:
 //
-// * operating/manage-vulnerabilities.adoc
+// * operating/manage-vulnerabilities/vulnerability-management-dashboard.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="vulnerability-management-view-infrastructure-vulnerability_{context}"]
-= Viewing infrastructure vulnerabilities
+= Viewing cluster vulnerabilities by using the dashboard
 
 [role="_abstract"]
-You can view vulnerabilities in nodes by using {product-title}.
+You can view vulnerabilities in clusters by using {product-title}.
 
 .Procedure
-. In the {product-title-short} portal, go to *Vulnerability Management 1.0* -> *Dashboard*.
-. On the *Dashboard* view header, select *Application & Infrastructure* -> *Cluster*.
+. In the {product-title-short} portal, go to *Vulnerability Management* -> *Dashboard*.
+. On the *Dashboard* view header, select *Application & Infrastructure* -> *Clusters*.
 . From the list of clusters, select the cluster you want to investigate.
-. Review the clusters vulnerabilities and prioritize taking action on the impacted nodes on the cluster.
+. Review the cluster's vulnerabilities and prioritize taking action on the impacted nodes on the cluster.
diff --git a/modules/vulnerability-management-view-node-vulnerability.adoc b/modules/vulnerability-management-view-node-vulnerability.adoc
index c2d9cfafab55..be2f467732a7 100644
--- a/modules/vulnerability-management-view-node-vulnerability.adoc
+++ b/modules/vulnerability-management-view-node-vulnerability.adoc
@@ -1,14 +1,15 @@
 // Module included in the following assemblies:
 //
-// * operating/manage-vulnerabilities.adoc
+// * operating/manage-vulnerabilities/vulnerability-management-dashboard.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="vulnerability-management-view-node-vulnerability_{context}"]
-= Viewing node vulnerabilities
+= Viewing node vulnerabilities by using the dashboard
 
 You can view vulnerabilities in specific nodes by using {product-title}.
 
 .Procedure
-. In the {product-title-short} portal, go to *Vulnerability Management 1.0* -> *Dashboard*.
+. In the {product-title-short} portal, go to *Vulnerability Management* -> *Dashboard*.
 . On the *Dashboard* view header, select *Nodes*.
 . From the list of nodes, select the node you want to investigate.
 . Review vulnerabilities for the selected node and prioritize taking action.
diff --git a/modules/vulnerability-management-view.adoc b/modules/vulnerability-management-view.adoc
index 3645cf74426b..d89e326443ee 100644
--- a/modules/vulnerability-management-view.adoc
+++ b/modules/vulnerability-management-view.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * operating/manage-vulnerabilities.adoc
+
 :_mod-docs-content-type: CONCEPT
 [id="vulnerability-management-view_{context}"]
 = Vulnerability Management view
@@ -11,7 +12,7 @@ For example, you can identify the riskiest deployments in your infrastructure fr
 To open the *Vulnerability Management* view:
-* In the {product-title-short} portal, go to *Vulnerability Management 1.0* -> *Dashboard*.
+* In the {product-title-short} portal, go to *Vulnerability Management* -> *Dashboard*.
 The *Vulnerability Management* view presents information in multiple interactive widgets.
diff --git a/modules/vulnerability-management20-clone-reports.adoc b/modules/vulnerability-management20-clone-reports.adoc
index acc126091d52..250d60da0ad8 100644
--- a/modules/vulnerability-management20-clone-reports.adoc
+++ b/modules/vulnerability-management20-clone-reports.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * operating/manage-vulnerabilities.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="vulnerability-management20-clone-reports_{context}"]
 = Cloning vulnerability report configurations
@@ -9,7 +10,8 @@
 You can make copies of vulnerability report configurations by cloning them. This is useful when you want to reuse report configurations with minor changes, such as reporting vulnerabilities in different deployments or namespaces.
 
 .Procedure
-. In the {product-title-short} web portal, go to *Vulnerability Management (2.0)* -> *Vulnerability Reporting* and locate the report configuration that you want to clone in the list of report configurations.
+. In the {product-title-short} web portal, click *Vulnerability Management* -> *Vulnerability Reporting*.
+. Locate the report configuration that you want to clone in the list of report configurations.
 . Click *Clone report*.
 . Make any changes that you want to the report parameters and delivery destinations.
 . Click *Create*.
\ No newline at end of file
diff --git a/modules/vulnerability-management20-configure-report-delivery-destinations-schedule.adoc b/modules/vulnerability-management20-configure-report-delivery-destinations-schedule.adoc
index ca7f21d93335..5ab5ad1bdec5 100644
--- a/modules/vulnerability-management20-configure-report-delivery-destinations-schedule.adoc
+++ b/modules/vulnerability-management20-configure-report-delivery-destinations-schedule.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * operating/manage-vulnerabilities.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="vulnerability-management20-configure-report-delivery-destinations-schedule_{context}"]
 = Configuring delivery destinations and scheduling
diff --git a/modules/vulnerability-management20-creating-report.adoc b/modules/vulnerability-management20-creating-report.adoc
index f38696a0d14b..863d7c53392e 100644
--- a/modules/vulnerability-management20-creating-report.adoc
+++ b/modules/vulnerability-management20-creating-report.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * operating/manage-vulnerabilities.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="vulnerability-management20-creating-report_{context}"]
 = Creating vulnerability management report configurations
@@ -9,16 +10,16 @@
 {product-title-short} guides you through the process of creating a vulnerability management report configuration. This configuration determines the information that will be included in a report job that runs at a scheduled time or that you run on demand.
 
 .Procedure
-. In the {product-title-short} portal, go to *Vulnerability Management (2.0)* -> *Vulnerability Reporting*.
+. In the {product-title-short} portal, click *Vulnerability Management* -> *Vulnerability Reporting*.
 . Click *Create report*.
 . Enter a name for your report configuration in the *Report name* field.
-. Optional: Enter text describing the report configuration in the *Description* field.
+. Optional: Enter text describing the report configuration in the *Report description* field.
 . In the *CVE severity* field, select the severity of common vulnerabilities and exposures (CVEs) that you want to include in the report configuration.
 . Select the *CVE status*. You can select *Fixable*, *Unfixable*, or both.
 . In the *Image type* field, select whether you want to include CVEs from deployed images, watched images, or both.
 . In the *CVEs discovered since* field, select the time period for which you want CVEs to be included in the report configuration.
-. In the *Configure report scope* field, you can perform the following actions:
-* Select an existing collection and click *View* to view the collection information, edit the collection, and get a preview of collection results. When viewing the collection, entering text in the field searches for collections matching that text string.
+. In the *Configure collection included* field, you must configure at least one collection. Complete any of the following actions:
+* Select an existing collection to include. To view the collection information, edit the collection, and get a preview of collection results, click *View*. When viewing the collection, entering text in the field searches for collections matching that text string.
 * Click *Create collection* to create a new collection.
 +
 [NOTE]
diff --git a/modules/vulnerability-management20-delete-reports.adoc b/modules/vulnerability-management20-delete-reports.adoc
index 027fde5db35a..88c094683f87 100644
--- a/modules/vulnerability-management20-delete-reports.adoc
+++ b/modules/vulnerability-management20-delete-reports.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * operating/manage-vulnerabilities.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="vulnerability-management20-delete-reports_{context}"]
 = Deleting vulnerability report configurations
@@ -9,5 +10,6 @@
 Deleting a report configuration deletes the configuration and any reports that were previously run using this configuration.
 
 .Procedure
-. In the {product-title-short} web portal, go to *Vulnerability Management (2.0)* -> *Vulnerability Reporting* and locate the report configuration that you want to delete in the list of reports.
+. In the {product-title-short} web portal, click *Vulnerability Management* -> *Vulnerability Reporting*.
+. Locate the report configuration that you want to delete in the list of reports.
 . Click the overflow menu, {kebab}, and then select *Delete report*.
diff --git a/modules/vulnerability-management20-download-reports.adoc b/modules/vulnerability-management20-download-reports.adoc
index 4184f522bb52..a2fedfa9c5cd 100644
--- a/modules/vulnerability-management20-download-reports.adoc
+++ b/modules/vulnerability-management20-download-reports.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * operating/manage-vulnerabilities.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="vulnerability-management20-download-reports_{context}"]
 = Downloading vulnerability reports
@@ -14,7 +15,8 @@ You can only download reports that you have generated; you cannot download repor
 ====
 
 .Procedure
-. In the {product-title-short} web portal, go to *Vulnerability Management (2.0)* -> *Vulnerability Reporting* and, in the list of report configurations, locate the report configuration that you want to use to create the downloadable report.
+. In the {product-title-short} web portal, click *Vulnerability Management* -> *Vulnerability Reporting*.
+. In the list of report configurations, locate the report configuration that you want to use to create the downloadable report.
 . Generate the vulnerability report by using one of the following methods:
 * To generate the report from the list:
 .. Click the overflow menu, {kebab}, and then select *Generate download*. The *My active job status* column displays the status of your report creation. After the *Processing* status goes away, you can download the report.
@@ -22,5 +24,5 @@ You can only download reports that you have generated; you cannot download repor
 .. Click the report configuration name to open the configuration detail window.
 .. Click *Actions* and select *Generate download*.
 . To download the report, if you are viewing the list of report configurations, click the report configuration name to open it.
-. Click *All report jobs*.
+. Click *All report jobs* from the menu on the header.
 . If the report is completed, click the *Ready for download* link in the *Status* column. The report is in `.csv` format and is compressed into a `.zip` file for download.
\ No newline at end of file
diff --git a/modules/vulnerability-management20-edit-reports.adoc b/modules/vulnerability-management20-edit-reports.adoc
index 61ecbbd40b47..8b888af5f5ec 100644
--- a/modules/vulnerability-management20-edit-reports.adoc
+++ b/modules/vulnerability-management20-edit-reports.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * operating/manage-vulnerabilities.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="vulnerability-management20-edit-reports_{context}"]
 = Editing vulnerability report configurations
@@ -9,7 +10,8 @@
 You can edit existing vulnerability report configurations from the list of report configurations, or by selecting an individual report configuration first.
 
 .Procedure
-. To edit an existing vulnerability report configuration, in the {product-title-short} web portal, go to *Vulnerability Management (2.0)* -> *Vulnerability Reporting* and choose one of the following methods:
+. In the {product-title-short} web portal, click *Vulnerability Management* -> *Vulnerability Reporting*.
+. To edit an existing vulnerability report configuration, complete any of the following actions:
 * Locate the report configuration that you want to edit in the list of report configurations. Click the overflow menu, {kebab}, and then select *Edit report*.
 * Click the report configuration name in the list of report configurations. Then, click *Actions* and select *Edit report*.
 . Make changes to the report configuration and save.
\ No newline at end of file
diff --git a/modules/vulnerability-management20-permissions.adoc b/modules/vulnerability-management20-permissions.adoc
index 59f72b9f943d..3c0c27da79f1 100644
--- a/modules/vulnerability-management20-permissions.adoc
+++ b/modules/vulnerability-management20-permissions.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * operating/manage-vulnerabilities.adoc
+
 :_mod-docs-content-type: CONCEPT
 [id="vulnerability-management20-permissions_{context}"]
 = Vulnerability report permissions
diff --git a/modules/vulnerability-management20-report-review-create.adoc b/modules/vulnerability-management20-report-review-create.adoc
index 63f21f387573..158cda1968ab 100644
--- a/modules/vulnerability-management20-report-review-create.adoc
+++ b/modules/vulnerability-management20-report-review-create.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * operating/manage-vulnerabilities.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="vulnerability-management20-report-review-create_{context}"]
 = Reviewing and creating the report configuration
diff --git a/modules/vulnerability-management20-retention-settings.adoc b/modules/vulnerability-management20-retention-settings.adoc
index 498b087c7659..abaf39880473 100644
--- a/modules/vulnerability-management20-retention-settings.adoc
+++ b/modules/vulnerability-management20-retention-settings.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * operating/manage-vulnerabilities.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="vulnerability-management20-retention-settings_{context}"]
 = Configuring vulnerability management report job retention settings
@@ -21,11 +22,11 @@ These settings do not affect the following vulnerability report jobs:
 
 .Procedure
 . In the {product-title-short} web portal, go to *Platform Configuration* -> *System Configuration*. You can configure the following settings for vulnerability report jobs:
-* *Vulnerability report run history retention*: The number of days that a record is kept of vulnerability report jobs that have been run. This setting controls how many days that report jobs are listed in the *All report jobs* tab under *Vulnerability Management (2.0)* -> *Vulnerability Reporting* when a report configuration is selected. All report history beyond the cutoff date is pruned except for the following jobs:
+* *Vulnerability report run history retention*: The number of days that a record is kept of vulnerability report jobs that have been run. This setting controls how many days that report jobs are listed in the *All report jobs* tab under *Vulnerability Management* -> *Vulnerability Reporting* when a report configuration is selected. The entire report history after the exclusion date is deleted, with the exception of the following jobs:
 ** Unfinished jobs.
 ** Jobs for which prepared downloadable reports still exist in the system.
 ** The last successful report job for each job type (scheduled email, on-demand email, or download). This ensures users have information about the last run job for each type.
-* *Prepared downloadable vulnerability reports retention days*: The number of days that created on-demand downloadable vulnerability report jobs are available for download in the *All report jobs* tab under *Vulnerability Management (2.0)* -> *Vulnerability Reporting* when a report configuration is selected.
+* *Prepared downloadable vulnerability reports retention days*: The number of days that prepared, on-demand downloadable vulnerability report jobs are available for download on the *All report jobs* tab under *Vulnerability Management* -> *Vulnerability Reporting* when a report configuration is selected.
 * *Prepared downloadable vulnerability reports limit*: The limit, in MB, of space allocated to prepared downloadable vulnerability report jobs. After the limit is reached, the oldest report job in the download queue is removed.
 . To change these values, click *Edit*, make your changes, and then click *Save*.
diff --git a/modules/vulnerability-management20-send-reports.adoc b/modules/vulnerability-management20-send-reports.adoc
index 3fd85d0b14d8..126f0eead6f3 100644
--- a/modules/vulnerability-management20-send-reports.adoc
+++ b/modules/vulnerability-management20-send-reports.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * operating/manage-vulnerabilities.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="vulnerability-management20-send-reports_{context}"]
 = Sending vulnerability reports on-demand
@@ -9,5 +10,6 @@
 You can send vulnerability reports immediately, rather than waiting for the scheduled send time.
 
 .Procedure
-. In the {product-title-short} web portal, go to *Vulnerability Management (2.0)* -> *Vulnerability Reporting* and, in the list of report configurations, locate the report configuration for the report that you want to send.
+. In the {product-title-short} web portal, click *Vulnerability Management* -> *Vulnerability Reporting*.
+. In the list of report configurations, locate the report configuration for the report that you want to send.
 . Click the overflow menu, {kebab}, and then select *Send report now*.
diff --git a/modules/vulnerability-management20-view-cve.adoc b/modules/vulnerability-management20-view-cve.adoc
index 718c0eed7b95..524cd6118cd9 100644
--- a/modules/vulnerability-management20-view-cve.adoc
+++ b/modules/vulnerability-management20-view-cve.adoc 
@@ -1,32 +1,101 @@
 // Module included in the following assemblies:
 //
 // * operating/manage-vulnerabilities/vulnerability-management.adoc
+
 :_mod-docs-content-type: PROCEDURE
 [id="vulnerability-management20-view-workload-cve_{context}"]
-= Viewing workload CVEs in Vulnerability Management (2.0)
+= Viewing workload CVEs
 
 [role="_abstract"]
-You can view a comprehensive list of vulnerabilities, or CVEs, in {product-title-short} across images and deployments. You can use the search filter bar to select specific CVEs, images, deployments, namespaces, or clusters.
+
+The *Vulnerability Management* -> *Workload CVEs* page provides information about vulnerabilities in applications running on clusters in your system. You can view vulnerability information across images and deployments. The *Workload CVEs* page provides more advanced filtering capabilities than the dashboard, including the ability to view images and deployments with vulnerabilities and filter by image, deployment, namespace, cluster, CVE, component, and component source.
 
 .Procedure
-. In the {product-title-short} portal, go to *Vulnerability Management (2.0)* -> *Workload CVEs*.
-. From the drop-down list, select the search criteria you want to use. You can select an item type, such as a cluster, from the list, and then select the specific name of the item. You can add additional items to the filter by selecting another item from the list and selecting the specific name of the new item. For example, you can select a specific image and a specific cluster to limit results to those selections. You can filter on the following items:
-* CVE
-* Image
-* Deployment
-* Namespace
-* Cluster
-* Component
-* Component source
-. Optional: Use the *CVE severity* list to select the severities of the CVEs that you want to display.
-. Click the relevant button to view a list of vulnerabilities, images, or deployments in the system.
+
+ . To show all CVEs across all images, select *Image vulnerabilities* from the *View image vulnerabilities* list.
+. From the *View image vulnerabilities* list, select how you want to view the images. The following options are provided:
+* *Image vulnerabilities*: Displays images and deployments in which {product-title-short} has discovered CVEs.
+* *Images without vulnerabilities*: Displays images that meet at least one of the following conditions:
+** Images that do not have CVEs
+** Images that report a scanner error that may result in a false negative of no CVEs
 +
 [NOTE]
 ====
-The *Filtered view* icon indicates that the displayed results were filtered based on the criteria that you selected. You can click *Clear filters* to remove all filters, or remove individual filters by clicking on them.
+An image that actually contains vulnerabilities can appear in this list inadvertently. For example, if Scanner was able to scan the image and it is known to {product-title-short}, but the scan was not successfully completed, vulnerabilities cannot be detected. This scenario occurs if an image has an operating system that is not supported by the {product-title-short} scanner. Scan errors are displayed when you hover over an image in the image list or click the image name for more information.
 ====
-. In the list of results, click a CVE, image name, or deployment name to view more information about the item. For example, depending on the item type, you can view the following information:
+. You can filter CVEs by entity by selecting the appropriate filters and attributes.
+
+To select multiple entities and attributes, click the right arrow icon to add another criteria. Depending on your choices, enter the appropriate information such as text, or select a date or object.
++
+The filter entities and attributes are listed in the following table.
++
+.CVE filtering
+[cols="2",options="header"]
+|===
+|Entity|Attributes
+
+|Image
+a|
+* *Name*: The name of the image.
+* *Operating system*: The operating system of the image.
+* *Tag*: The tag for the image.
+* *Label*: The label for the image.
+* *Registry*: The registry where the image is located.
+|CVE
+a|
+* *Name*: The name of the CVE.
+* *Discovered time*: The date when the CVE was discovered by {product-title-short}.
+* *CVSS*: The severity level for the CVE. You can select from the following options for the severity level:
+** *is greater than*
+** *is greater than or equal to*
+** *is equal to*
+** *is less than or equal to*
+** *is less than*
+|Image Component
+a|
+
+* *Name*: The name of the image component, for example, `activerecord-sql-server-adapter`
+* *Source*:
+** OS
+** Python
+** Java
+** Ruby
+** Node.js
+** Go
+** Dotnet Core Runtime
+** Infrastructure
+
+* *Version*: Version of the image component; for example, `3.4.21`. You can use this to search for a specific version of a component, for example, in conjunction with a component name.
+|Deployment
+a|
+* *Name*: Name of the deployment.
+* *Label*: Label for the deployment.
+* *Annotation*: The annotation for the deployment.
+|Namespace
+a|
+* *Name*: The name of the namespace.
+* *Label*: The label for the namespace.
+* *Annotation*: The annotation for the namespace.
+|Cluster
+a|
+* *Name*: The name of the cluster.
+* *Label*: The label for the cluster.
+* *Type*: The cluster type, for example, OCP.
+* *Platform type*: The platform type, for example, OpenShift 4 cluster.
+|===
+. You can select the following options to refine the list of results:
+* *Prioritize by namespace view*: Displays a list of namespaces sorted according to the risk priority. You can use this view to quickly identify and address the most critical areas. In this view, click * deployments* in a table row to return to the workload CVE list view, with filters applied to show only deployments, images and CVEs for the selected namespace.
+* *Default filters*: You can select filters for CVE severity and CVE status that are automatically applied when you visit the *Workload CVEs* page. These filters only apply to this page, and are applied when you visit the page from another section of the {product-title-short} web portal or from a bookmarked URL. They are saved in the local storage of your browser.
+* *CVE severity*: You can select one or more levels.
+* *CVE status*: You can select *Fixable* or *Not fixable*.
+
+[NOTE]
+====
+The *Filtered view* icon indicates that the displayed results were filtered based on the criteria that you selected. You can click *Clear filters* to remove all filters, or remove individual filters by clicking on them.
+====
+
+In the list of results, click a CVE, image name, or deployment name to view more information about the item. For example, depending on the item type, you can view the following information:
+
 * Whether a CVE is fixable
 * Whether an image is active
 * The Dockerfile line in the image that contains the CVE
@@ -34,9 +103,9 @@ The *Filtered view* icon indicates that the displayed results were filtered base
 .Search example
-The following graphic shows an example of search criteria for a cluster called "production" to view CVEs of critical and important severity in that cluster.
+The following graphic shows an example of search criteria for a cluster called `staging-secured-cluster` to view CVEs of critical and important severity with a fixable status in that cluster.
-image::workload-cve.png[Workload CVE showing a search on the production cluster for CVEs with critical and important severity]
+image::workload-cve-search.png[Workload CVE showing a search on the `staging-secured-cluster` for CVEs with critical and important severity and fixable status]
diff --git a/modules/vulnerability-management20-view-platform-cve.adoc b/modules/vulnerability-management20-view-platform-cve.adoc
new file mode 100644
index 000000000000..6f89acdda7f3
--- /dev/null
+++ b/modules/vulnerability-management20-view-platform-cve.adoc 
@@ -0,0 +1,59 @@
+// Module included in the following assemblies:
+//
+// * operating/manage-vulnerabilities/vulnerability-management.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="vulnerability-management20-view-platform-cve_{context}"]
+= Viewing platform CVEs
+
+[role="_abstract"]
+
+The platform CVEs page provides information about vulnerabilities in clusters in your system.
+
+.Procedure
+
+. Click *Vulnerability Management* -> *Platform CVEs*.
+. You can filter CVEs by entity by selecting the appropriate filters and attributes. You can select multiple entities and attributes by clicking the right arrow icon to add another criteria. Depending on your choices, enter the appropriate information such as text, or select a date or object. The filter entities and attributes are listed in the following table.
++
+.CVE filtering
+[cols="2",options="header"]
+|===
+|Entity|Attributes
+
+|Cluster
+a|
+* *Name*: Name of the cluster.
+* *Label*: Label for the cluster.
+* *Type*: The cluster type, for example, OCP.
+* *Platform type*: The platform type, for example, OpenShift 4 cluster.
+|CVE
+a|
+* *Name*: CVE name
+* *Discovered time*: Date when the CVE was discovered by {product-title-short}
+* *CVSS*: Choose the values for the severity level:
+** *is greater than*
+** *is greater than or equal to*
+** *is equal to*
+** *is less than or equal to*
+** *is less than*
+* *Type*: The type of CVE:
+** Kubernetes CVE
+** Istio CVE
+** OpenShift CVE
+|===
+. To filter by CVE status, click *CVE status* and select *Fixable* or *Not fixable*.
+
+[NOTE]
+====
+The *Filtered view* icon indicates that the displayed results were filtered based on the criteria that you selected. You can click *Clear filters* to remove all filters, or remove individual filters by clicking on them.
+====
+
+In the list of results, click a CVE to view more information about the item. 
For example, you can view the following information if it is populated: + +* Documentation for the CVE +* External links to information about the CVE in Red{nbsp}Hat and other CVE databases +* Whether the CVE is fixable or unfixable +* A list of affected clusters + + + diff --git a/operating/create-use-collections.adoc b/operating/create-use-collections.adoc index 8d86bb9d3369..4ee4ab2480f6 100644 --- a/operating/create-use-collections.adoc +++ b/operating/create-use-collections.adoc @@ -52,6 +52,6 @@ You can configure collections by using the `CollectionService` API object. For e .Additional resources * xref:../operating/manage-user-access/manage-role-based-access-control-3630.adoc#manage-role-based-access-control[Managing RBAC in {product-title-short}] -* xref:../operating/manage-vulnerabilities/vulnerability-management.adoc#vulnerability-reporting-vuln-mgt2[Vulnerability reporting] +* xref:../operating/manage-vulnerabilities/vulnerability-reporting.adoc#vulnerability-reporting[Vulnerability reporting] //The RH CloudForms docs use this site as a reference. Other suggestions welcome. Most of the Red{nbsp}Hat sites have a lot of info about using regex with grep, etc. that doesn't apply here. * Using regular expression: link:https://www.regular-expressions.info/[Regular-Expressions.info] diff --git a/operating/examine-images-for-vulnerabilities.adoc b/operating/examine-images-for-vulnerabilities.adoc index 6920458ecd6b..2267aee02673 100644 --- a/operating/examine-images-for-vulnerabilities.adoc +++ b/operating/examine-images-for-vulnerabilities.adoc 
@@ -27,7 +27,7 @@ This documentation uses the term "{product-title-short} scanner" or "Scanner" to When the {product-title-short} scanner finds any vulnerabilities, it performs the following actions: -* Shows them in the xref:../operating/manage-vulnerabilities/vulnerability-management.adoc#vulnerability-management[*Vulnerability Management*] view for detailed analysis +* Shows them in the xref:../operating/manage-vulnerabilities/common-vuln-management-tasks.adoc#common-vuln-management-tasks[*Vulnerability Management*] view for detailed analysis * Ranks vulnerabilities according to risk and highlights them in the {product-title-short} portal for risk assessment * Checks them against enabled xref:../operating/manage-security-policies.adoc#manage-security-policies[security policies] diff --git a/operating/manage-vulnerabilities/common-vuln-management-tasks.adoc b/operating/manage-vulnerabilities/common-vuln-management-tasks.adoc index 3e09a6597e69..1db1d83f35bb 100644 --- a/operating/manage-vulnerabilities/common-vuln-management-tasks.adoc +++ b/operating/manage-vulnerabilities/common-vuln-management-tasks.adoc @@ -1,6 +1,6 @@ :_mod-docs-content-type: ASSEMBLY [id="common-vuln-management-tasks"] -= Common vulnerability management tasks += Viewing and addressing vulnerabilities include::modules/common-attributes.adoc[] :context: common-vuln-management-tasks 
@@ -8,38 +8,75 @@ toc::[] [role="_abstract"] Common vulnerability management tasks involve identifying and prioritizing vulnerabilities, remedying them, and monitoring for new threats. -Following are some common tasks you can perform from the *Vulnerability Management* -> *Dashboard* view. -include::modules/find-critical-cves-impacting-your-infrastructure.adoc[leveloffset=+1] +[id="viewing-vulnerabilities_{context}"] +== Viewing vulnerabilities -include::modules/find-the-most-vulnerable-image-components.adoc[leveloffset=+1] +Historically, {product-title-short} provided a view of vulnerabilities discovered in your system in the vulnerability management dashboard. The dashboard is deprecated in {product-title-short} 4.5 and will be removed in a future release. For more information about the dashboard, see xref:../../operating/manage-vulnerabilities/vulnerability-management-dashboard.adoc#vulnerability-management-dashboard[Using the vulnerability management dashboard]. -include::modules/identify-container-image-layer-that-introduces-vulnerabilities.adoc[leveloffset=+1] +The *Vulnerability Management* -> *Workload CVEs* page provides information about vulnerabilities in applications running on clusters in your system. You can view vulnerability information across images and deployments. The *Workload CVEs* page provides advanced filtering capabilities, including the ability to view images and deployments with vulnerabilities and filter by image, deployment, namespace, cluster, CVE, component, and component source. 
-include::modules/identify-dockerfile-line-component-cve.adoc[leveloffset=+1] +//Viewing CVEs +include::modules/vulnerability-management20-view-cve.adoc[leveloffset=+1] + +//Viewing vulns in nodes +include::modules/identify-vulnerabilities-in-nodes-vm20.adoc[leveloffset=+1] +include::modules/disable-identify-vulnerabilities-in-nodes.adoc[leveloffset=+2] +.Additional resources +* xref:../../operating/examine-images-for-vulnerabilities.adoc#supported-operating-systems_examine-images-for-vulnerabilities[Supported operating systems] + +//viewing vulns in platforms + +include::modules/vulnerability-management20-view-platform-cve.adoc[leveloffset=+1] + +[id="excluding-CVEs_{context}"] +== Excluding CVEs -include::modules/view-details-only-for-fixable-cves.adoc[leveloffset=+1] +You can exclude or ignore CVEs in {product-title-short} by snoozing node and platform CVEs and deferring or marking node, platform, and image CVEs as false positives. You might want to exclude CVEs if you know that the CVE is a false positive or you have already taken steps to mitigate the CVE. Snoozed CVEs do not appear in vulnerability reports or trigger policy violations. -include::modules/identify-operating-system-of-the-base-image.adoc[leveloffset=+1] +You can snooze a CVE to globally ignore it for a specified period of time. Snoozing a CVE does not require approval. -include::modules/identify-top-risky-objects.adoc[leveloffset=+1] +[NOTE] +==== +Snoozing node and platform CVEs requires enabling the ROX_VULN_MGMT_LEGACY_SNOOZE environment variable. +==== -include::modules/top-risky-images-components.adoc[leveloffset=+1] +Deferring or marking a CVE as a false positive is done through the exception management workflow. This workflow provides the ability to view pending, approved, and denied deferral and false positive requests. You can scope the CVE exception to a single image, all tags for a single image, or globally across all images. 
-include::modules/view-dockerfile-for-image.adoc[leveloffset=+1] +When approving or denying a request, you must add a comment. A CVE remains in the observed status until the exception request is approved. A pending request for deferral that is denied by another user is still visible in reports, policy violations, and other places in the system, but is indicated by a *Pending exception* label next to the CVE when visiting *Vulnerability Management* -> *Workload CVEs*. -include::modules/disable-identify-vulnerabilities-in-nodes.adoc[leveloffset=+1] +An approved exception for a deferral or false positive has the following effects: -include::modules/scan-inactive-images.adoc[leveloffset=+1] +* Removes the CVE from the *Observed* tab in *Vulnerability Management* -> *Workflow CVEs* to either the *Deferred* or *False positive* tab +* Prevents the CVE from triggering policy violations that are related to the CVE +* Prevents the CVE from showing up in automatically generated vulnerability reports -include::modules/create-policies-to-block-specific-cves.adoc[leveloffset=+1] +//snoozing CVEs -include::modules/view-recently-detected-vulnerabilities.adoc[leveloffset=+1] +include::modules/snooze-cves-vm20.adoc[leveloffset=+2] +include::modules/unsnooze-cves-vm20.adoc[leveloffset=+2] +include::modules/viewing-snoozed-cves.adoc[leveloffset=+2] -include::modules/view-most-common-vulnerabilities.adoc[leveloffset=+1] +//marking as false positives +include::modules/vulnerability-management-mark-false-positive.adoc[leveloffset=+2] +include::modules/vulnerability-management-mark-false-positive-image.adoc[leveloffset=+2] -include::modules/identify-deployments-with-most-severe-policy-violations.adoc[leveloffset=+1] +//deferring -include::modules/find-clusters-with-most-kubernetes-and-istio-vulnerabilities.adoc[leveloffset=+1] +include::modules/vulnerability-management-review-deferred.adoc[leveloffset=+2] +include::modules/vulnerability-management-accept-risks.adoc[leveloffset=+2] 
+include::modules/vulnerability-management-exception-time-config.adoc[leveloffset=+3] + +//approving +include::modules/vulnerability-management-accept-deferrals-false-positives.adoc[leveloffset=+2] + +//other + +include::modules/identify-dockerfile-line-component-cve.adoc[leveloffset=+1] +include::modules/vulnerability-management-upgrade-component.adoc[leveloffset=+1] +include::modules/vulnerability-management-export-workloads.adoc[leveloffset=+1] +[role="_additional-resources"] +.Additional resources +* xref:../../operating/search-filter.adoc#search-filter[Searching and filtering] -include::modules/identify-vulnerabilities-in-nodes.adoc[leveloffset=+1] +include::modules/scan-inactive-images.adoc[leveloffset=+2] \ No newline at end of file diff --git a/operating/manage-vulnerabilities/scan-rhcos-node-host.adoc b/operating/manage-vulnerabilities/scan-rhcos-node-host.adoc index fbdd721d2c6e..ac62f4197ffb 100644 --- a/operating/manage-vulnerabilities/scan-rhcos-node-host.adoc +++ b/operating/manage-vulnerabilities/scan-rhcos-node-host.adoc @@ -32,3 +32,5 @@ include::modules/rhcos-match-vulnerability.adoc[leveloffset=+1] include::modules/rhcos-environment-variables.adoc[leveloffset=+1] include::modules/identify-vulnerabilities-in-nodes.adoc[leveloffset=+1] + +include::modules/identify-vulnerabilities-in-nodes-vm20.adoc[leveloffset=+1] diff --git a/operating/manage-vulnerabilities/vulnerability-management-dashboard.adoc b/operating/manage-vulnerabilities/vulnerability-management-dashboard.adoc new file mode 100644 index 000000000000..28bdb2f05bb5 --- /dev/null +++ b/operating/manage-vulnerabilities/vulnerability-management-dashboard.adoc 
@@ -0,0 +1,38 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="vulnerability-management-dashboard"]
+= Using the vulnerability management dashboard (deprecated)
+include::modules/common-attributes.adoc[]
+:context: vulnerability-management-dashboard
+
+toc::[]
+
+[role="_abstract"]
+
+Historically, {product-title-short} has provided a view of vulnerabilities discovered in your system in the vulnerability management dashboard. With the dashboard, you can view vulnerabilities by image, node, or platform. You can also view vulnerabilities by clusters, namespaces, deployments, node components, and image components. The dashboard is deprecated in {product-title-short} 4.5 and will be removed in a future release.
+
+[IMPORTANT]
+====
+To perform actions on vulnerabilities, such as view additional information about a vulnerability, defer a vulnerability, or mark a vulnerability as a false positive, click *Vulnerability Management* -> *Workload CVEs*. To review requests for deferring and marking CVEs as false positives, click *Vulnerability Management* -> *Exception Management*. 
+====
+
+include::modules/vulnerability-management-view-applications-vulnerability.adoc[leveloffset=+1]
+include::modules/vulnerability-management-view-image-vulnerability-dashboard.adoc[leveloffset=+1]
+include::modules/vulnerability-management-view-infrastructure-vulnerability.adoc[leveloffset=+1]
+include::modules/vulnerability-management-view-node-vulnerability.adoc[leveloffset=+1]
+include::modules/find-the-most-vulnerable-image-components.adoc[leveloffset=+1]
+include::modules/view-details-only-for-fixable-cves.adoc[leveloffset=+1]
+include::modules/identify-operating-system-of-the-base-image.adoc[leveloffset=+1]
+include::modules/identify-top-risky-objects.adoc[leveloffset=+1]
+include::modules/top-risky-images-components.adoc[leveloffset=+1]
+include::modules/view-dockerfile-for-image.adoc[leveloffset=+1]
+include::modules/identify-container-image-layer-that-introduces-vulnerabilities.adoc[leveloffset=+1]
+include::modules/view-recently-detected-vulnerabilities.adoc[leveloffset=+1]
+include::modules/view-most-common-vulnerabilities.adoc[leveloffset=+1]
+include::modules/find-clusters-with-most-kubernetes-and-istio-vulnerabilities.adoc[leveloffset=+1]
+include::modules/identify-vulnerabilities-in-nodes.adoc[leveloffset=+1]
+
+.Additional resources
+* xref:../../operating/examine-images-for-vulnerabilities.adoc#supported-operating-systems_examine-images-for-vulnerabilities[Supported operating systems]
+
+include::modules/create-policies-to-block-specific-cves.adoc[leveloffset=+1]
+
diff --git a/operating/manage-vulnerabilities/vulnerability-management.adoc b/operating/manage-vulnerabilities/vulnerability-management.adoc
index 0fef79a27caf..e65203e50aac 100644
--- a/operating/manage-vulnerabilities/vulnerability-management.adoc
+++ b/operating/manage-vulnerabilities/vulnerability-management.adoc 
@@ -1,103 +1,16 @@ :_mod-docs-content-type: ASSEMBLY [id="vulnerability-management"] -= Vulnerability management += Vulnerability management overview include::modules/common-attributes.adoc[] :context: acs-operating-manage-vulnerabilities toc::[] [role="_abstract"] -Security vulnerabilities in your environment might be exploited by an attacker to perform unauthorized actions such as denial of service, remote code execution, or unauthorized access to sensitive data. -Therefore, the management of vulnerabilities is a foundational step towards a successful Kubernetes security program. +Security vulnerabilities in your environment might be exploited by an attacker to perform unauthorized actions such as carrying out a denial of service attack, executing remote code, or gaining unauthorized access to sensitive data. Therefore, the management of vulnerabilities is a foundational step towards a successful Kubernetes security program. include::modules/vulnerability-management-process.adoc[leveloffset=+1] - include::modules/vulnerability-management-asset-assessment.adoc[leveloffset=+2] - -[id="viewing-vulnerabilities"] -== Viewing vulnerabilities - -{product-title-short} provides the following methods to view vulnerabilities discovered in your system: - -* To view application vulnerabilities by namespace or deployment, or to view vulnerabilities in an image, in the {product-title-short} web portal, go to *Vulnerability Management (1.0)* -> *Dashboard*. -* To view vulnerabilities in applications running on clusters in your system, go to *Vulnerability Management (2.0)* -> *Workload CVEs*. You can filter vulnerabilities by image, deployment, namespace, and cluster. 
- -include::modules/vulnerability-management-view-applications-vulnerability.adoc[leveloffset=+2] - -include::modules/vulnerability-management-view-image-vulnerability.adoc[leveloffset=+2] - -[role="additional-resources"] -.Additional resources -* xref:../../operating/search-filter.adoc#use-local-page-filtering_search-filter[Using local page filtering] - -include::modules/vulnerability-management20-view-cve.adoc[leveloffset=+2] - -include::modules/vulnerability-management-view-infrastructure-vulnerability.adoc[leveloffset=+3] - -include::modules/vulnerability-management-view-node-vulnerability.adoc[leveloffset=+3] - include::modules/vulnerability-management-prioritizing.adoc[leveloffset=+2] - include::modules/vulnerability-management-assess-exposure.adoc[leveloffset=+2] - -include::modules/vulnerability-management-take-action.adoc[leveloffset=+2] - -.Additional resources -* xref:../../operating/manage-vulnerabilities/vulnerability-management.adoc#vulnerability-management-review-deferred_acs-operating-manage-vulnerabilities[Reviewing a false positive or deferred CVE] - -include::modules/vulnerability-management-upgrade-component.adoc[leveloffset=+3] - -include::modules/vulnerability-management-accept-risks.adoc[leveloffset=+2] - -include::modules/vulnerability-management-mark-false-positive.adoc[leveloffset=+3] - -include::modules/vulnerability-management-review-deferred.adoc[leveloffset=+3] - -include::modules/vulnerability-management-reporting.adoc[leveloffset=+2] - -include::modules/vulnerability-management-export-workloads.adoc[leveloffset=+2] - -[id="vulnerability-reporting-vuln-mgt2"] -== Vulnerability reporting - -You can create and download an on-demand image vulnerability report from the *Vulnerability Management (2.0)* menu in the {product-title-short} web portal. This report includes a comprehensive list of common vulnerabilities and exposures across images and deployments, called workload CVEs in {product-title-short}. 
You can share this report with auditors or internal stakeholders by scheduling emails in {product-title-short} or by downloading the report and sharing it by using other methods. - -//creating the report -include::modules/vulnerability-management20-creating-report.adoc[leveloffset=+2] - -//configuring destinations and scheduling -include::modules/vulnerability-management20-configure-report-delivery-destinations-schedule.adoc[leveloffset=+3] - -include::modules/vulnerability-management20-report-review-create.adoc[leveloffset=+3] - -//report permissions -include::modules/vulnerability-management20-permissions.adoc[leveloffset=+2] - -//editing reports -include::modules/vulnerability-management20-edit-reports.adoc[leveloffset=+2] - -//downloading reports -include::modules/vulnerability-management20-download-reports.adoc[leveloffset=+2] - -//sending reports -include::modules/vulnerability-management20-send-reports.adoc[leveloffset=+2] - -//cloning reports -include::modules/vulnerability-management20-clone-reports.adoc[leveloffset=+2] - -//deleting reports -include::modules/vulnerability-management20-delete-reports.adoc[leveloffset=+2] - -//report settings -include::modules/vulnerability-management20-retention-settings.adoc[leveloffset=+2] - -//section for 4.2 and earlier migrations -include::modules/vulnerability-management-migration.adoc[leveloffset=+2] - -[role="_additional-resources"] -[id="additional-resources_vuln-management"] -== Additional resources - -* xref:../../operating/create-use-collections.adoc#create-use-collections[Creating and using deployment collections] -* xref:../../operating/create-use-collections.adoc#migrate-scope-collections_create-use-collections[Migration of access scopes to collections] -* xref:../../integration/integrate-with-email.adoc#configure-acs-email_integrate-with-email[Configuring the email plugin] +include::modules/vulnerability-management-take-action.adoc[leveloffset=+2] \ No newline at end of file 
diff --git a/operating/manage-vulnerabilities/vulnerability-reporting.adoc b/operating/manage-vulnerabilities/vulnerability-reporting.adoc
index 000000000000..ae2112df3691 100644
--- /dev/null
+++ b/operating/manage-vulnerabilities/vulnerability-reporting.adoc 
@@ -0,0 +1,52 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="vulnerability-reporting"]
+= Vulnerability reporting
+include::modules/common-attributes.adoc[]
+:context: vulnerability-reporting
+
+toc::[]
+
+[role="_abstract"]
+
+You can create and download an on-demand image vulnerability report from the *Vulnerability Management* -> *Vulnerability Reporting* menu in the {product-title-short} web portal. This report contains a comprehensive list of common vulnerabilities and exposures in images and deployments, referred to as workload CVEs in {product-title-short}.
+
+To share this report with auditors or internal stakeholders, you can schedule emails in {product-title-short} or download the report and share it by using other methods.
+
+include::modules/vulnerability-management-reporting.adoc[leveloffset=+1]
+
+//creating the report
+include::modules/vulnerability-management20-creating-report.adoc[leveloffset=+1]
+
+//configuring destinations and scheduling
+include::modules/vulnerability-management20-configure-report-delivery-destinations-schedule.adoc[leveloffset=+2]
+
+include::modules/vulnerability-management20-report-review-create.adoc[leveloffset=+2]
+
+//report permissions
+include::modules/vulnerability-management20-permissions.adoc[leveloffset=+1]
+
+//editing reports
+include::modules/vulnerability-management20-edit-reports.adoc[leveloffset=+1]
+
+//downloading reports
+include::modules/vulnerability-management20-download-reports.adoc[leveloffset=+1]
+
+//sending reports
+include::modules/vulnerability-management20-send-reports.adoc[leveloffset=+1]
+
+//cloning reports
+include::modules/vulnerability-management20-clone-reports.adoc[leveloffset=+1]
+
+//deleting reports
+include::modules/vulnerability-management20-delete-reports.adoc[leveloffset=+1]
+
+//report settings
+include::modules/vulnerability-management20-retention-settings.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources_vuln-reporting"]
+== Additional resources
+
+* 
xref:../../operating/create-use-collections.adoc#create-use-collections[Creating and using deployment collections]
+* xref:../../operating/create-use-collections.adoc#migrate-scope-collections_create-use-collections[Migration of access scopes to collections]
+* xref:../../integration/integrate-with-email.adoc#configure-acs-email_integrate-with-email[Configuring the email plugin]