Common Vulnerabilities and Exposures
For additional information, read CVE and Compliance Best Practices.
What if I see duplicated CVEs?
First, verify that the suspected duplicate is really a duplicate and not the same CVE reported against two different packages.
For example, in the image below, CVE-2013-4235 appears twice in Scan Lab, but it is found in two separate packages. In that case the CVE is not a duplicate: the finding must be addressed for each package separately (each package needs its own fix or justification).
If, instead, the same CVE appears more than once for a single package and version, submit a Support Ticket and our team will address the issue.
What should we do if there is a critical or high vulnerability, and a fix isn’t available?
Critical and high vulnerabilities with no available fix must still be investigated to determine whether there is another way to remediate them. If no remediation is found, a justification must be provided, such as: “We explored ways to fix this issue, but determined no resolution is available. This package is critical to the functionality of our app, and we plan to update as soon as a fix becomes available.” Please also consider the GW Acceptance Baseline Criteria Policy below, which sets the maximum number of critical and high vulnerabilities allowed per container, as well as the expected remediation timelines.
What should we do about findings that are in the parent Iron Bank image?
The 2F Security team reviews the vulnerability scans of the Iron Bank base image and inherits the findings from those scans, provided the Iron Bank image is unmodified. If you believe a finding should be inherited from the base image, notify the 2F team and they will review the vulnerability. For further questions about Iron Bank images, refer to Iron Bank Guidance for Use in Game Warden.
What do we do if we can’t upgrade a third-party package that has findings in it?
You will need to justify these findings by explaining why you require the package, and note if and when it will be updated. Justifications for Critical and High vulnerabilities are reviewed by the government ISSM; justifications for Medium and Low vulnerabilities are evaluated by the 2F Cybersecurity Director.
How do we track down/locate where these vulnerabilities come from?
In Scan Lab, clicking a vulnerability opens a side panel titled “About CVE …”, which links to the public CVE record via “More about this CVE →”. The panel also lists the Affected Package, which helps you judge whether the finding can be fixed (for example, by upgrading that package). You can also download the artifacts from your pipeline, which include a CSV file of the CVEs and a Software Bill of Materials (SBOM) tab; cross-referencing the two pins down which package, at which version, carries the CVE in question.
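Both the duplicate check above and locating a CVE's package come down to cross-referencing the pipeline's CVE CSV with its SBOM. The script below is an added example, not Game Warden or Anchore code. It assumes the CSV has the columns `vulnerability_id`, `package`, `package_version`, `severity` and `fix_version` (rename them to match your real export), that "None" or an empty cell in `fix_version` means no fix is available, and that the SBOM is CycloneDX JSON carrying Syft-style `syft:location:N:path` properties. The sample CSV and SBOM are constructed inline; CVE-2013-4235 is the page's own example, and the `CVE-0000-…` IDs are placeholders.

```python
import csv
import io
import json
import sys
from collections import Counter, defaultdict

# Constructed sample of the pipeline CVE export (column names are assumed).
# CVE-2013-4235 appears twice but in two separate packages; CVE-0000-1111
# (placeholder ID) is listed twice against the same package and version,
# which is a true duplicate worth a support ticket.
SAMPLE_CSV = """vulnerability_id,package,package_version,severity,fix_version
CVE-2013-4235,passwd,1:4.8.1-1,Medium,None
CVE-2013-4235,login,1:4.8.1-1,Medium,None
CVE-0000-1111,libfoo,1.2.3,High,None
CVE-0000-1111,libfoo,1.2.3,High,None
CVE-0000-2222,zlib,1.2.11,Critical,1.2.13
"""

# Constructed CycloneDX-style SBOM fragment. The syft:location:N:path
# properties follow Syft's convention for where a package was found; whether
# your SBOM carries them is an assumption.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "passwd", "version": "1:4.8.1-1", "purl": "pkg:deb/debian/passwd@1:4.8.1-1",
         "properties": [{"name": "syft:location:0:path", "value": "/usr/bin/passwd"}]},
        {"name": "login", "version": "1:4.8.1-1", "purl": "pkg:deb/debian/login@1:4.8.1-1",
         "properties": [{"name": "syft:location:0:path", "value": "/bin/login"}]},
        {"name": "libfoo", "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3"},
        {"name": "zlib", "version": "1.2.11", "purl": "pkg:deb/debian/zlib@1.2.11"},
    ],
}

NO_FIX_MARKERS = {"", "none"}  # assumed spellings for "no fix available"


def load_findings(csv_text):
    """Parse the CVE export into one dict per row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def package_key(row):
    return f"{row['package']}@{row['package_version']}"


def classify_repeats(findings):
    """Split CVEs that occur more than once into the FAQ's two cases.

    multi_package:   CVE -> sorted package@version list (fix/justify each one)
    true_duplicates: CVE -> {package@version: count}  (open a support ticket)
    """
    rows_by_cve = defaultdict(list)
    for row in findings:
        rows_by_cve[row["vulnerability_id"]].append(row)
    multi_package, true_duplicates = {}, {}
    for cve, rows in rows_by_cve.items():
        if len(rows) < 2:
            continue
        counts = Counter(package_key(r) for r in rows)
        if len(counts) > 1:
            multi_package[cve] = sorted(counts)
        dupes = {key: n for key, n in counts.items() if n > 1}
        if dupes:
            true_duplicates[cve] = dupes
    return multi_package, true_duplicates


def find_component(sbom, package, version):
    """Return the SBOM component matching a finding's package and version."""
    for comp in sbom.get("components", []):
        if comp.get("name") == package and comp.get("version") == version:
            return comp
    return None


def locate(findings, sbom):
    """Attach the SBOM purl and on-disk paths to every finding."""
    located = []
    for row in findings:
        comp = find_component(sbom, row["package"], row["package_version"])
        paths = [p["value"] for p in (comp or {}).get("properties", [])
                 if p.get("name", "").endswith(":path")]
        located.append({
            "cve": row["vulnerability_id"],
            "package": package_key(row),
            "severity": row["severity"],
            "purl": comp.get("purl") if comp else None,
            "paths": paths,
            "fix_available": row["fix_version"].strip().lower() not in NO_FIX_MARKERS,
        })
    return located


def needs_justification(findings, severities=("Critical", "High")):
    """Critical/High findings with no fix, deduplicated: these need a written justification."""
    seen, out = set(), []
    for row in findings:
        key = (row["vulnerability_id"], package_key(row))
        no_fix = row["fix_version"].strip().lower() in NO_FIX_MARKERS
        if row["severity"] in severities and no_fix and key not in seen:
            seen.add(key)
            out.append(row)
    return out


def triage(csv_text, sbom):
    findings = load_findings(csv_text)
    multi_package, true_duplicates = classify_repeats(findings)
    return {"multi_package": multi_package, "true_duplicates": true_duplicates,
            "located": locate(findings, sbom),
            "needs_justification": needs_justification(findings)}


if __name__ == "__main__":
    # Usage: python triage.py findings.csv sbom.json  (defaults to the samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            csv_text = f.read()
        with open(sys.argv[2]) as f:
            sbom = json.load(f)
    else:
        csv_text, sbom = SAMPLE_CSV, SAMPLE_SBOM
    json.dump(triage(csv_text, sbom), sys.stdout, indent=2)
```

Run it against the real artifacts once you have adjusted the column names: entries under `multi_package` are real findings that need a fix or justification per package, entries under `true_duplicates` are what to cite in the support ticket, and `needs_justification` is the list the ISSM will expect written justifications for.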
What is the expectation for medium and low vulnerabilities? Can they wait until we upgrade in a future release?
Medium and low vulnerabilities should be remediated wherever possible, for example by updating to a package version that contains a known fix.
What is the timeline expectation to address/justify vulnerabilities from continuous scanning, for a container image that has already been deployed?
2F is still finalizing its continuous monitoring tooling. In the meantime, pushing new versions of your application regularly helps surface newly available fixes for vulnerabilities in previously deployed versions. The specific timeline for a vulnerability identified at runtime depends on its severity and on whether, and how, it could be exploited in our environment.
Are container scan reports confidential, proprietary, or are any restrictions imposed on sharing scan contents?
You may share scan results with trusted partners, but they must treat the information as confidential and ensure their points of contact (POCs) do not forward it to anyone else.
From a sensitivity standpoint, these scans expose the exact attack vectors into the applications. In the wrong hands that is clearly risky, since your applications process sensitive government data.
From a legal standpoint, our Anchore license permits customers, as end users, to access and use the read-only scan results. As long as the information is kept close-hold (for example, shared directly with your technical POC, with access controlled so it goes no further), you are free to do so.
What is the difference between the Common Vulnerabilities and Exposures (CVE) date of detection and discovery/publish date?
The date of detection is when our team finds the vulnerability in your application. The discovery/publish date is when the vulnerability was first reported and its CVE record was published, independent of your application; a CVE published years ago can still be newly detected in your image the first time a scan sees the affected package.