This topic explains how you can triage and remediate CVEs related to SCST - Scan.
Note: This topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.
VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions.
To confirm that a Supply Chain failure is related to policy enforcement:
1. Verify that the status of the workload is MissingValueAtPath due to waiting on a .status.compliantArtifact from either the SourceScan or ImageScan:
   kubectl describe workload WORKLOAD-NAME -n DEVELOPER-NAMESPACE
2. Describe the SourceScan or ImageScan to determine what CVE(s) violated the ScanPolicy:
   kubectl describe sourcescan NAME -n DEVELOPER-NAMESPACE
   kubectl describe imagescan NAME -n DEVELOPER-NAMESPACE
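The two checks above can be automated against the JSON form of the same objects (kubectl get ... -o json). The following is an added example written for this page, not code from Tanzu Application Platform: it reads a Workload's conditions to decide whether the block is a MissingValueAtPath on .status.compliantArtifact, names the scan resource the Workload is waiting on, and extracts the per-CVE deny messages from the scan's failed Succeeded condition. The sample documents, resource names and CVE ids are constructed placeholders, and the exact wording of the condition messages is an assumption modelled on the describe output the steps refer to.

```python
"""Decide whether a blocked Workload is waiting on scan policy, and list the violations.

Added example, not TAP code. The sample documents mimic `kubectl get workload -o json`
and `kubectl get imagescan -o json`; they are constructed for this example, the resource
names are placeholders, and the exact wording of the condition messages is an assumption.
"""
import json
import re

# Constructed Workload: the supply chain cannot read .status.compliantArtifact from the ImageScan.
WORKLOAD_JSON = json.dumps({
    "kind": "Workload",
    "metadata": {"name": "example-app", "namespace": "dev-ns"},
    "status": {"conditions": [
        {"type": "SupplyChainReady", "status": "True", "reason": "Ready"},
        {"type": "ResourcesSubmitted", "status": "Unknown", "reason": "MissingValueAtPath",
         "message": "waiting to read value [.status.compliantArtifact] from resource "
                    "[imagescan.scanning.apps.tanzu.vmware.com/example-app] in namespace [dev-ns]"},
        {"type": "Ready", "status": "Unknown", "reason": "MissingValueAtPath"},
    ]},
})

# Constructed ImageScan: a failed Succeeded condition carrying the policy's deny messages,
# one per finding in the "CVE <package> <id> <severities>" layout that the default
# ScanPolicy rego builds. The CVE ids are placeholders, not real advisories.
IMAGESCAN_JSON = json.dumps({
    "kind": "ImageScan",
    "metadata": {"name": "example-app", "namespace": "dev-ns"},
    "status": {"conditions": [
        {"type": "Succeeded", "status": "False", "reason": "EvaluationFailed",
         "message": "Policy violated because of 2 violation(s):\n"
                    'CVE golang.org/x/text CVE-0000-0001 ["High"]\n'
                    'CVE github.com/example/lib CVE-0000-0002 ["Critical", "High"]'},
    ]},
})

VIOLATION_RE = re.compile(r'^CVE (\S+) (CVE-\d{4}-\d+) \[(.*?)\]', re.MULTILINE)
RESOURCE_RE = re.compile(r'resource \[([^\]]+)\]')


def blocking_scan(workload_json):
    """Return the scan resource the Workload is waiting on, or None when the failure is unrelated to policy."""
    workload = json.loads(workload_json)
    for cond in workload.get("status", {}).get("conditions", []):
        message = cond.get("message", "")
        if cond.get("reason") == "MissingValueAtPath" and ".status.compliantArtifact" in message:
            match = RESOURCE_RE.search(message)
            return match.group(1) if match else "<resource not named in message>"
    return None


def violations(scan_json):
    """Parse the per-CVE deny messages out of a failed SourceScan/ImageScan Succeeded condition."""
    scan = json.loads(scan_json)
    found = []
    for cond in scan.get("status", {}).get("conditions", []):
        if cond.get("type") == "Succeeded" and cond.get("status") == "False":
            for package, cve, severities in VIOLATION_RE.findall(cond.get("message", "")):
                found.append({
                    "package": package,
                    "cve": cve,
                    "severities": [s.strip().strip('"') for s in severities.split(",")],
                })
    return found


if __name__ == "__main__":
    scan = blocking_scan(WORKLOAD_JSON)
    print("policy-related:", scan is not None, "->", scan)
    for v in violations(IMAGESCAN_JSON):
        print(f"{v['package']}: {v['cve']} {v['severities']}")
```

A None from blocking_scan means the Workload is stuck for some other reason (a failed build, a missing image, a misconfigured supply chain) and editing the ScanPolicy would not help; only a non-None result should lead you into triage.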
The goal of triage is to analyze and prioritize the reported vulnerability data to discover the appropriate course of action to take at the remediation step. To remediate efficiently and appropriately, you need context on the vulnerabilities that are blocking your supply chain, the packages that are affected, and the impact they can have.
During triage, review which packages are impacted by the CVEs that violated your scan policy. Use the Supply Chain Choreographer in the Tanzu Developer Portal to visualize your supply chain, including scans, scan policy, and CVEs. You can also use the Tanzu CLI Insight plug-in to query packages and vulnerabilities, and to create vulnerability analyses. See Tanzu CLI Insight plug-in.
During this stage, VMware recommends reviewing information pertaining to the CVEs from sources such as the National Vulnerability Database or the release page of a package.
After triage is complete, the next step is to remediate the blocking vulnerabilities quickly. Some common methods for CVE remediation are as follows:
Vulnerabilities that occur in older versions of a package might be resolved in later versions. Apply a patch by upgrading to a later version. You can further adopt security best practices by using your project’s package manager tools, such as go mod graph for projects in Go, to identify transitive or indirect dependencies that can affect CVEs.
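When the affected package is an indirect dependency, the upgrade has to happen in whichever direct dependency pulls it in. The following is an added example, not code from this page or from Tanzu Application Platform: it parses the edge list that go mod graph prints (one "requirer@version requirement@version" line per edge, with the main module listed without a version) and reports, for each direct dependency, the shortest path through which the affected module is reached. The graph text and module names are constructed for this example.

```python
"""Find which direct dependencies pull in an affected module, from `go mod graph` output.

Added example, not TAP code. `go mod graph` prints one edge per line,
"requirer@version requirement@version"; the main module appears without a version.
The graph below is constructed for this example and the module names are placeholders.
"""
from collections import deque

GO_MOD_GRAPH = """\
example.com/app github.com/example/web@v1.4.0
example.com/app golang.org/x/text@v0.3.7
github.com/example/web@v1.4.0 github.com/example/lib@v0.9.1
github.com/example/lib@v0.9.1 golang.org/x/text@v0.3.7
github.com/example/lib@v0.9.1 github.com/example/util@v0.2.0
"""


def parse_graph(text):
    """Return (main module, adjacency dict) for the edge list; the main module is the requirer without '@'."""
    root = None
    edges = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        requirer, requirement = line.split()
        edges.setdefault(requirer, []).append(requirement)
        if "@" not in requirer:
            root = requirer
    return root, edges


def module_name(node):
    """Strip the @version suffix so every version of a module compares equal."""
    return node.split("@", 1)[0]


def direct_deps_pulling(text, affected_module):
    """Map each direct dependency that reaches affected_module to the shortest path from the main module."""
    root, edges = parse_graph(text)
    result = {}
    for direct in edges.get(root, []):
        if module_name(direct) == affected_module:
            result[direct] = [root, direct]  # the main module requires it directly
            continue
        # Breadth-first search below this direct dependency only, so the path stays attributable to it.
        queue = deque([[direct]])
        seen = {direct}
        while queue:
            path = queue.popleft()
            for nxt in edges.get(path[-1], []):
                if nxt in seen:
                    continue
                seen.add(nxt)
                if module_name(nxt) == affected_module:
                    result[direct] = [root] + path + [nxt]
                    queue.clear()
                    break
                queue.append(path + [nxt])
    return result


if __name__ == "__main__":
    for direct, path in direct_deps_pulling(GO_MOD_GRAPH, "golang.org/x/text").items():
        print(direct, "->", " > ".join(path))
```

Run it on real output with direct_deps_pulling(open("graph.txt").read(), "module/path") after redirecting go mod graph to a file. A module that appears only via a transitive path cannot be fixed by bumping it in your own go.mod alone; the direct dependency named in the result is the one whose newer release (or a replace directive, if you accept maintaining it) has to carry the fix.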
If you decide to proceed without remediating the CVE, for example, when a CVE is evaluated to be a false positive or when a fix is not available, you can amend the ScanPolicy to ignore one or more CVEs. For information about common scanner limitations, see Note on Vulnerability Scanners. For information about templates, see Writing Policy Templates.
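Before editing the live ScanPolicy it helps to see exactly which findings an amendment would unblock and which would still fail. The following is an added example, not code from this page or from Tanzu Application Platform: it re-implements, in Python, the decision that the default policy template's rego makes from its notAllowedSeverities and ignoreCves lists (those variable names are assumed to match the template), runs it over a constructed findings list, flags ignore entries that match no finding, and renders the ignoreCves assignment to paste into spec.regoFile. The findings and CVE ids are constructed placeholders.

```python
"""Preview the effect of amending a ScanPolicy before editing the live object.

Added example, not TAP code. The default ScanPolicy template's rego is driven by two lists,
notAllowedSeverities and ignoreCves (names assumed to match the template); evaluate()
re-implements that decision in Python over a constructed findings list so an operator can see
which findings would still block. The findings and CVE ids are constructed placeholders.
"""
import json

# Constructed findings in the component / vulnerability / severity ratings shape the policy reads.
FINDINGS = [
    {"component": "golang.org/x/text", "id": "CVE-0000-0001", "severities": ["High"]},
    {"component": "github.com/example/lib", "id": "CVE-0000-0002", "severities": ["Critical"]},
    {"component": "github.com/example/util", "id": "CVE-0000-0003", "severities": ["Medium"]},
]


def evaluate(findings, not_allowed=("Critical", "High"), ignore_cves=()):
    """Mirror the template's deny rule: a finding is safe when its id is ignored or none of its severities is disallowed."""
    denied = []
    for f in findings:
        if f["id"] in ignore_cves:
            continue
        if any(sev in not_allowed for sev in f["severities"]):
            denied.append(f"CVE {f['component']} {f['id']} {json.dumps(f['severities'])}")
    return denied


def stale_ignores(findings, ignore_cves):
    """Ids in ignore_cves that no finding carries: typos, or entries left over from an older image, which silently do nothing."""
    present = {f["id"] for f in findings}
    return [cve for cve in ignore_cves if cve not in present]


def render_ignore_line(ignore_cves):
    """Render the rego assignment to paste into spec.regoFile in place of the template's empty list."""
    return "ignoreCves := " + json.dumps(list(ignore_cves))


if __name__ == "__main__":
    print("blocking now:", evaluate(FINDINGS))
    proposed = ["CVE-0000-0001"]
    print("blocking after ignoring", proposed, ":", evaluate(FINDINGS, ignore_cves=proposed))
    print("stale entries:", stale_ignores(FINDINGS, proposed + ["CVE-0000-9999"]))
    print(render_ignore_line(proposed))
```

Keep the ignore list as narrow as the triage result supports: an id goes into ignoreCves with a recorded reason (false positive, no fix available, not reachable in this image) and comes out again once a fixed version is adopted, and stale_ignores is a cheap way to notice entries that no longer match anything the scanner reports.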
Under RBAC, users with the app-operator-scanning role, which is part of the app-operator aggregate role, have permission to edit the ScanPolicy. See Detailed role permissions breakdown.