- Name: The name of the image.
- Operating system: The operating system of the image.
- Tag: The tag for the image.
- Label: The label for the image.
- Registry: The registry where the image is located.
Common vulnerability management tasks involve identifying and prioritizing vulnerabilities, remedying them, and monitoring for new threats.
Historically, RHACS provided a view of vulnerabilities discovered in your system in the vulnerability management dashboard. The dashboard is deprecated in RHACS 4.5 and will be removed in a future release. For more information about the dashboard, see Using the vulnerability management dashboard.
The Vulnerability Management → Workload CVEs page provides information about vulnerabilities in applications running on clusters in your system. You can view vulnerability information across images and deployments. The Workload CVEs page provides more advanced filtering capabilities than the dashboard, including the ability to view images and deployments with vulnerabilities and filter by image, deployment, namespace, cluster, CVE, component, and component source.
To show all CVEs across all images, select Image vulnerabilities from the View image vulnerabilities list.
From the View image vulnerabilities list, select how you want to view the images. The following options are provided:
Image vulnerabilities: Displays images and deployments in which RHACS has discovered CVEs.
Images without vulnerabilities: Displays images that meet at least one of the following conditions:
Images that do not have CVEs
Images that report a scanner error that may result in a false negative of no CVEs
An image that actually contains vulnerabilities can appear in this list inadvertently. For example, if Scanner was able to scan the image and it is known to RHACS, but the scan was not successfully completed, vulnerabilities cannot be detected. This scenario occurs if an image has an operating system that is not supported by the RHACS scanner. Scan errors are displayed when you hover over an image in the image list or click the image name for more information.
To filter CVEs by entity, select the appropriate filters and attributes.
To select multiple entities and attributes, click the right arrow icon to add another criteria. Depending on your choices, enter the appropriate information such as text, or select a date or object.
The filter entities and attributes are listed in the following table.
Entity | Attributes |
---|---|
Image | |
CVE | |
Image Component | |
Deployment | |
Namespace | |
Cluster | |
You can select the following options to refine the list of results:
Prioritize by namespace view: Displays a list of namespaces sorted according to the risk priority. You can use this view to quickly identify and address the most critical areas. In this view, click <number> deployments in a table row to return to the workload CVE list view, with filters applied to show only deployments, images and CVEs for the selected namespace.
Default filters: You can select filters for CVE severity and CVE status that are automatically applied when you visit the Workload CVEs page. These filters only apply to this page, and are applied when you visit the page from another section of the RHACS web portal or from a bookmarked URL. They are saved in the local storage of your browser.
CVE severity: You can select one or more levels.
CVE status: You can select Fixable or Not fixable.
The Filtered view icon indicates that the displayed results were filtered based on the criteria that you selected. You can click Clear filters to remove all filters, or remove individual filters by clicking on them.
In the list of results, click a CVE, image name, or deployment name to view more information about the item. For example, depending on the item type, you can view the following information:
Whether a CVE is fixable
Whether an image is active
The Dockerfile line in the image that contains the CVE
External links to information about the CVE in Red Hat and other CVE databases
The following graphic shows an example of search criteria for a cluster called staging-secured-cluster to view CVEs of critical and important severity with a fixable status in that cluster.
You can identify vulnerabilities in your nodes by using RHACS. The vulnerabilities that are identified include the following:
Vulnerabilities in core Kubernetes components
Vulnerabilities in container runtimes such as Docker, CRI-O, runC, and containerd
For more information about operating systems that RHACS can scan, see "Supported operating systems".
In the RHACS portal, click Vulnerability Management → Node CVEs.
To view the data, do any of the following tasks:
To view a list of all the CVEs affecting all of your nodes, select <number> CVEs.
To view a list of nodes that contain CVEs, select <number> Nodes.
Optional: To filter CVEs according to entity, select the appropriate filters and attributes. To add more filtering criteria, follow these steps:
Select the entity or attribute from the list.
Depending on your choices, enter the appropriate information such as text, or select a date or object.
Click the right arrow icon.
Optional: Select additional entities and attributes, and then click the right arrow icon to add them. The filter entities and attributes are listed in the following table.
Entity | Attributes |
---|---|
Node | |
CVE | |
Node Component | |
Cluster | |
Optional: To refine the list of results, do any of the following tasks:
Click CVE severity, and then select one or more levels.
Click CVE status, and then select Fixable or Not fixable.
Optional: To view the details of the node and information about the CVEs according to the CVSS score and fixable CVEs for that node, click a node name in the list of nodes.
Identifying vulnerabilities in nodes is enabled by default. You can disable it from the RHACS portal.
In the RHACS portal, go to Platform Configuration → Integrations.
Under Image Integrations, select StackRox Scanner.
From the list of scanners, select StackRox Scanner to view its details.
Click Edit.
To use only the image scanner and not the node scanner, click Image Scanner.
Click Save.
The platform CVEs page provides information about vulnerabilities in clusters in your system.
Click Vulnerability Management → Platform CVEs.
You can filter CVEs by entity by selecting the appropriate filters and attributes. You can select multiple entities and attributes by clicking the right arrow icon to add another criteria. Depending on your choices, enter the appropriate information such as text, or select a date or object. The filter entities and attributes are listed in the following table.
Entity | Attributes |
---|---|
Cluster | |
CVE | |
To filter by CVE status, click CVE status and select Fixable or Not fixable.
The Filtered view icon indicates that the displayed results were filtered based on the criteria that you selected. You can click Clear filters to remove all filters, or remove individual filters by clicking on them.
In the list of results, click a CVE to view more information about the item. For example, you can view the following information if it is populated:
Documentation for the CVE
External links to information about the CVE in Red Hat and other CVE databases
Whether the CVE is fixable or unfixable
A list of affected clusters
You can exclude or ignore CVEs in RHACS by snoozing node and platform CVEs and deferring or marking node, platform, and image CVEs as false positives. You might want to exclude CVEs if you know that the CVE is a false positive or you have already taken steps to mitigate the CVE. Snoozed CVEs do not appear in vulnerability reports or trigger policy violations.
You can snooze a CVE to ignore it globally for a specified period of time. Snoozing a CVE does not require approval.
Snoozing node and platform CVEs requires that the
Deferring or marking a CVE as a false positive is done through the exception management workflow. This workflow provides the ability to view pending, approved, and denied deferral and false positive requests. You can scope the CVE exception to a single image, all tags for a single image, or globally for all images.
When approving or denying a request, you must add a comment. A CVE remains in the observed status until the exception request is approved. A pending request for deferral that is denied by another user is still visible in reports, policy violations, and other places in the system, but is indicated by a Pending exception label next to the CVE when visiting Vulnerability Management → Workload CVEs.
An approved exception for a deferral or false positive has the following effects:
Removes the CVE from the Observed tab in Vulnerability Management → Workload CVEs to either the Deferred or False positive tab
Prevents the CVE from triggering policy violations that are related to the CVE
Prevents the CVE from showing up in automatically generated vulnerability reports
You can snooze platform and node CVEs that do not relate to your infrastructure. You can snooze CVEs for 1 day, 1 week, 2 weeks, 1 month, or indefinitely, until you unsnooze them. Snoozing a CVE takes effect immediately and does not require an additional approval step.
The ability to snooze a CVE is not enabled by default in the web portal or in the API. To enable the ability to snooze CVEs, set the runtime environment variable
In the RHACS portal, do any of the following tasks:
To view platform CVEs, click Vulnerability Management → Platform CVEs.
To view node CVEs, click Vulnerability Management → Node CVEs.
Select one or more CVEs.
Select the appropriate method to snooze the CVE:
If you selected a single CVE, click the overflow menu, and then select Snooze CVE.
If you selected multiple CVEs, click Bulk actions → Snooze CVEs.
Select the duration of time to snooze.
Click Snooze CVEs.
You receive a confirmation that you have requested to snooze the CVEs.
You can unsnooze platform and node CVEs that you have previously snoozed.
The ability to snooze a CVE is not enabled by default in the web portal or in the API. To enable the ability to snooze CVEs, set the runtime environment variable
In the RHACS portal, do any of the following tasks:
To view the list of platform CVEs, click Vulnerability Management → Platform CVEs.
To view the list of node CVEs, click Vulnerability Management → Node CVEs.
To view the list of snoozed CVEs, click Show snoozed CVEs in the header view.
Select one or more CVEs from the list of snoozed CVEs.
Select the appropriate method to unsnooze the CVE:
If you selected a single CVE, click the overflow menu, and then select Unsnooze CVE.
If you selected multiple CVEs, click Bulk actions → Unsnooze CVEs.
Click Unsnooze CVEs again.
You receive a confirmation that you have requested to unsnooze the CVEs.
You can view a list of platform and node CVEs that have been snoozed.
The ability to snooze a CVE is not enabled by default in the web portal or in the API. To enable the ability to snooze CVEs, set the runtime environment variable
In the RHACS portal, do any of the following tasks:
To view the list of platform CVEs, click Vulnerability Management → Platform CVEs.
To view the list of node CVEs, click Vulnerability Management → Node CVEs.
Click Show snoozed CVEs to view the list.
You can create an exception for a vulnerability by marking it as a false positive globally, or across all images. You must get requests to mark a vulnerability as a false positive approved in the exception management workflow.
You have the write permission for the VulnerabilityManagementRequests resource.
In the RHACS portal, click Vulnerability Management → Workload CVEs.
Choose the appropriate method to mark the CVEs:
If you want to mark a single CVE, perform the following steps:
Find the row which contains the CVE that you want to take action on.
Click the overflow menu for the CVE that you identified, and then select Mark as false positive.
If you want to mark multiple CVEs, perform the following steps:
Select each CVE.
From the Bulk actions drop-down list, select Mark as false positives.
Enter a rationale for requesting the exception.
Optional: To review the CVEs that are included in the exception request, click CVE selections.
Click Submit request.
You receive a confirmation that you have requested an exception.
Optional: To copy the approval link and share it with your organization’s exception approver, click the copy icon.
Click Close.
To create an exception for a vulnerability, you can mark it as a false positive for a single image, or across all tags associated with an image. You must get requests to mark a vulnerability as a false positive approved in the exception management workflow.
You have the write permission for the VulnerabilityManagementRequests resource.
In the RHACS portal, click Vulnerability Management → Workload CVEs.
To view the list of images, click <number> Images.
Find the row that lists the image that you want to mark as a false positive, and click the image name.
Choose the appropriate method to mark the CVEs:
If you want to mark a single CVE, perform the following steps:
Find the row which contains the CVE that you want to take action on.
Click the overflow menu for the CVE that you identified, and then select Mark as false positive.
If you want to mark multiple CVEs, perform the following steps:
Select each CVE.
From the Bulk actions drop-down list, select Mark as false positives.
Select the scope. You can select either all tags associated with the image or only the image.
Enter a rationale for requesting the exception.
Optional: To review the CVEs that are included in the exception request, click CVE selections.
Click Submit request.
You receive a confirmation that you have requested an exception.
Optional: To copy the approval link and share it with your organization’s exception approver, click the copy icon.
Click Close.
You can view the CVEs that have been deferred or marked as false positives by using the Workload CVEs page.
To see CVEs that have been deferred or marked as false positives, with the exceptions approved by an approver, click Vulnerability Management → Workload CVEs. Complete any of the following actions:
To see CVEs that have been deferred, click the Deferred tab.
To see CVEs that have been marked as false positives, click the False positives tab.
To approve, deny, or change deferred or false positive CVEs, click Vulnerability Management → Exception Management.
Optional: To view additional information about the deferral or false positive, click View in the Request details column. The Exception Management page is displayed.
You can accept risk with or without mitigation and defer CVEs. You must get deferral requests approved in the exception management workflow.
You have the write permission for the VulnerabilityManagementRequests resource.
In the RHACS portal, click Vulnerability Management → Workload CVEs.
Choose the appropriate method to defer a CVE:
If you want to defer a single CVE, perform the following steps:
Find the row which contains the CVE that you want to defer.
Click the overflow menu for the CVE that you identified, and then click Defer CVE.
If you want to defer multiple CVEs, perform the following steps:
Select each CVE.
Click Bulk actions → Defer CVEs.
Select the time period for the deferral.
Enter a rationale for requesting the exception.
Optional: To review the CVEs that are included in the exception request, click CVE selections.
Click Submit request.
You receive a confirmation that you have requested a deferral.
Optional: To copy the approval link to share it with your organization’s exception approver, click the copy icon.
Click Close.
You can configure the time periods available for vulnerability management exceptions. These options are available when users request to defer a CVE.
You have the write permission for the VulnerabilityManagementRequests resource.
In the RHACS portal, go to Platform Configuration → Exception Configuration.
You can configure expiration times that users can select when they request to defer a CVE. Enabling a time period makes it available to users and disabling it removes it from the user interface.
You can review, update, approve, or deny exception requests for deferring CVEs and for marking CVEs as false positives.
You have the write permission for the VulnerabilityManagementRequests resource.
To view the list of pending requests, do any of the following tasks:
Paste the approval link into your browser.
Click Vulnerability Management → Exception Management, and then click the request name in the Pending requests tab.
Review the scope of the vulnerability and decide whether or not to approve it.
Choose the appropriate option to manage a pending request:
If you want to deny the request and return the CVE to observed status, click Deny request.
Enter a rationale for the denial, and click Deny.
If you want to approve the request, click Approve request.
Enter a rationale for the approval, and click Approve.
To cancel a request that you have created and return the CVE to observed status, click Cancel request. You can only cancel requests that you have created.
To update the deferral time period or rationale for a request that you have created, click Update request. You can only update requests that you have created.
After you make changes, click Submit request.
You receive a confirmation that you have submitted a request.
You can identify specific Dockerfile lines in an image that introduced components with CVEs.
To view a problematic line:
In the RHACS portal, click Vulnerability Management → Workload CVEs.
Click the tab to view the type of CVEs. The following tabs are available:
Observed
Deferred
False positives
In the list of CVEs, click the CVE name to open the page containing the CVE details. The Affected components column lists the components that include the CVE.
Expand the CVE to display additional information, including the Dockerfile line that introduced the component.
The following procedure finds a new component version to upgrade to.
In the RHACS portal, click Vulnerability Management → Workload CVEs.
Click <number> Images and select an image.
To view additional information, locate the CVE and click the expand icon.
The additional information includes the component that the CVE is in and the version in which the CVE is fixed, if it is fixable.
Update your image to a later version.
You can export workload vulnerabilities in Red Hat Advanced Cluster Security for Kubernetes by using the API.
For these examples, workloads are composed of deployments and their associated images. The export uses the /v1/export/vuln-mgmt/workloads streaming API. It allows the combined export of deployments and images. The images payload contains the full vulnerability information. The output is streamed and has the following schema:
{"result": {"deployment": {...}, "images": [...]}}
...
{"result": {"deployment": {...}, "images": [...]}}
The following examples assume that these environment variables have been set:
ROX_API_TOKEN: API token with view permissions for the Deployment and Image resources
ROX_ENDPOINT: Endpoint under which Central’s API is available
To export all workloads, enter the following command:
$ curl -H "Authorization: Bearer $ROX_API_TOKEN" $ROX_ENDPOINT/v1/export/vuln-mgmt/workloads
To export all workloads with a query timeout of 60 seconds, enter the following command:
$ curl -H "Authorization: Bearer $ROX_API_TOKEN" $ROX_ENDPOINT/v1/export/vuln-mgmt/workloads?timeout=60
To export all workloads matching the query deployment:app Namespace:default, enter the following command:
$ curl -H "Authorization: Bearer $ROX_API_TOKEN" $ROX_ENDPOINT/v1/export/vuln-mgmt/workloads?query=deployment%3Aapp%2BNamespace%3Adefault
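The export is streamed one {"result": ...} object per line, so a consumer should process it line by line and tolerate a truncated chunk rather than load the whole stream at once. The following script is an added example, not code from the RHACS documentation or project: it parses such a stream (a constructed sample is embedded) and lists, per deployment, the fixable critical and important CVEs with the component version that fixes them. The nested field names used here (scan.components[].vulns[] with cve, severity and fixedBy, and deployment.name/namespace) are assumptions about the exported Image and Deployment objects and should be checked against your Central before use.

```python
import json
import sys

# Severities treated as high priority; values are assumed to follow the
# RHACS "<LEVEL>_VULNERABILITY_SEVERITY" naming.
HIGH_SEVERITIES = ("CRITICAL_VULNERABILITY_SEVERITY", "IMPORTANT_VULNERABILITY_SEVERITY")

# Constructed sample of the streamed export (not real scan output). The CVE ids,
# image names and versions are placeholders; the second line simulates a
# truncated chunk that a robust consumer must skip without aborting.
SAMPLE_STREAM = "\n".join([
    json.dumps({"result": {
        "deployment": {"name": "app", "namespace": "default"},
        "images": [{"name": {"fullName": "docker.io/library/nginx:1.14"},
                    "scan": {"components": [{"name": "openssl", "version": "1.1.1", "vulns": [
                        {"cve": "CVE-0000-0001", "severity": "CRITICAL_VULNERABILITY_SEVERITY", "fixedBy": "1.1.1k"},
                        {"cve": "CVE-0000-0002", "severity": "LOW_VULNERABILITY_SEVERITY", "fixedBy": ""}]}]}}]}}),
    '{"result": {"deployment": {"name": "cut-off"',
    json.dumps({"result": {
        "deployment": {"name": "db", "namespace": "prod"},
        "images": [{"name": {"fullName": "quay.io/example/db:2"},
                    "scan": {"components": [{"name": "glibc", "version": "2.28", "vulns": [
                        {"cve": "CVE-0000-0003", "severity": "IMPORTANT_VULNERABILITY_SEVERITY", "fixedBy": "2.28-1"}]}]}}]}}),
])


def parse_stream(stream):
    """Return (list of 'result' objects, number of lines that could not be parsed)."""
    results, skipped = [], 0
    for line in stream.splitlines():
        if not line.strip():
            continue
        try:
            results.append(json.loads(line)["result"])
        except (ValueError, KeyError, TypeError):
            skipped += 1  # malformed or truncated line: count it, keep going
    return results, skipped


def fixable_cves(result, severities=HIGH_SEVERITIES):
    """Return (cve, component-version, fixedBy) for fixable CVEs at the given severities.

    A CVE is considered fixable when the assumed fixedBy field is non-empty,
    which mirrors the Fixable status shown in the Workload CVEs view.
    """
    findings = []
    for image in result.get("images", []):
        for comp in image.get("scan", {}).get("components", []):
            for vuln in comp.get("vulns", []):
                if vuln.get("fixedBy") and vuln.get("severity") in severities:
                    findings.append((vuln["cve"], f"{comp['name']}-{comp['version']}", vuln["fixedBy"]))
    return findings


def prioritize(stream):
    """Map 'namespace/deployment' to its sorted fixable high-severity findings."""
    results, skipped = parse_stream(stream)
    report = {}
    for result in results:
        dep = result.get("deployment", {})
        report[f"{dep.get('namespace', '?')}/{dep.get('name', '?')}"] = sorted(fixable_cves(result))
    return report, skipped


if __name__ == "__main__":
    # Pipe the curl export from above into this script to use it on real data.
    report, skipped = prioritize(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STREAM)
    for workload, findings in sorted(report.items()):
        for cve, component, fixed_by in findings:
            print(f"{workload}\t{cve}\t{component}\tfixed in {fixed_by}")
    print(f"# skipped {skipped} unparseable line(s)", file=sys.stderr)
```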
Red Hat Advanced Cluster Security for Kubernetes (RHACS) scans all active (deployed) images every 4 hours and updates the image scan results to reflect the latest vulnerability definitions.
You can also configure RHACS to scan inactive (not deployed) images automatically.
In the RHACS portal, click Vulnerability Management → Workload CVEs.
Click Manage watched images.
In the Image name field, enter the fully-qualified image name that begins with the registry and ends with the image tag, for example, docker.io/library/nginx:latest.
Click Add image to watch list.
Optional: To remove a watched image, locate the image in the Manage watched images window, and click Remove watch.
In the RHACS portal, click Platform Configuration → System Configuration to view the data retention configuration. All the data related to the image removed from the watched image list continues to appear in the RHACS portal for the number of days mentioned on the System Configuration page and is only removed after that period is over.
Click Close to return to the Workload CVEs page.