The Cybersecurity and Infrastructure Security Agency (CISA) is the operational lead for federal cybersecurity and the national coordinator for critical infrastructure security and resilience. CISA publishes requirements and principles for manufacturers, software vendors, and organizations across industries to help them strengthen their security posture and manage cybersecurity risks.
Tanzu Application Catalog delivers VEX documents in CSAF format for its Photon OS-based container images (Photon OS 4 onwards). These documents are built following the CISA recommendations described in the use case “3.2.3 Single Product, Single Version, Multiple Vulnerabilities, Multiple Statuses”. Each document is available through the Tanzu Application Catalog UI or can be retrieved via the CLI as explained in this tutorial.
The company makes statements about each version of its product in a different VEX document. For a given version of a given product, a particular vulnerability instance can only have a single status. However, other instances of the same or different vulnerabilities may have different statuses.
Tanzu Application Catalog provides a VEX document for each of its Photon OS-based container images. The document states, for each listed vulnerability, whether it affects or does not affect that specific version of the application (single product, single version), with exactly one status per vulnerability: “affected / known not affected”. These documents also include context for those CVEs by providing CVE details, the vendor resolution and, in some cases, remediation instructions.
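To show how a consumer reads such a document, the following Python example (added here; not code from Tanzu Application Catalog or CISA) parses a constructed, minimal CSAF VEX document, resolves the product IDs from the product tree, lists the single status each CVE assigns to the product version together with its justification flag or vendor fix, and rejects a document that gives one product two statuses for the same CVE. The product name, version and CVE identifiers in the sample are placeholders.

```python
import json
from typing import Dict, List

# Constructed sample CSAF VEX document (not a real catalog document): one product,
# one version, two CVEs with different statuses. CVE ids are placeholders.
SAMPLE_VEX = json.dumps({
    "document": {"category": "csaf_vex", "csaf_version": "2.0", "title": "example"},
    "product_tree": {"branches": [{"category": "product_name", "name": "example-app",
        "branches": [{"category": "product_version", "name": "1.0.0",
                      "product": {"name": "example-app 1.0.0", "product_id": "PID-1"}}]}]},
    "vulnerabilities": [
        {"cve": "CVE-0000-0001", "product_status": {"known_affected": ["PID-1"]},
         "remediations": [{"category": "vendor_fix", "product_ids": ["PID-1"],
                           "details": "Upgrade to 1.0.1"}]},
        {"cve": "CVE-0000-0002", "product_status": {"known_not_affected": ["PID-1"]},
         "flags": [{"label": "vulnerable_code_not_in_execute_path", "product_ids": ["PID-1"]}]},
    ],
})
STATUS_KEYS = ("known_affected", "known_not_affected", "fixed", "under_investigation")

def product_names(tree: dict) -> Dict[str, str]:
    """Map product_id -> product name by walking the nested product_tree branches."""
    names: Dict[str, str] = {}
    def walk(branches):
        for b in branches:
            if "product" in b:
                names[b["product"]["product_id"]] = b["product"]["name"]
            walk(b.get("branches", []))
    walk(tree.get("branches", []))
    return names

def summarize(vex_json: str) -> List[dict]:
    """One row per (CVE, product): status plus the VEX justification flag or the fix.
    Raises ValueError if one product carries two statuses for the same CVE."""
    doc = json.loads(vex_json)
    names = product_names(doc.get("product_tree", {}))
    rows = []
    for v in doc.get("vulnerabilities", []):
        seen: Dict[str, str] = {}
        for status in STATUS_KEYS:
            for pid in v.get("product_status", {}).get(status, []):
                if pid in seen:  # a product may have only one status per vulnerability
                    raise ValueError(f"{v['cve']}: {pid} is both {seen[pid]} and {status}")
                seen[pid] = status
        for pid, status in seen.items():
            reason = [f["label"] for f in v.get("flags", []) if pid in f.get("product_ids", [])]
            reason += [r["details"] for r in v.get("remediations", []) if pid in r.get("product_ids", [])]
            rows.append({"cve": v["cve"], "product": names.get(pid, pid),
                         "status": status, "reason": "; ".join(reason)})
    return rows
```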