This topic explains how you can triage and remediate common vulnerabilities and exposures (CVEs) related to Supply Chain Security Tools (SCST) - Scan.
Note: This topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.
VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions.
To confirm that the Supply Chain failure is related to policy enforcement:
1. Verify that the status of the workload is MissingValueAtPath because it is waiting for a .status.compliantArtifact from either the SourceScan or ImageScan, by running:
kubectl describe workload WORKLOAD-NAME -n DEVELOPER-NAMESPACE
2. Describe the SourceScan or ImageScan to determine which CVEs violated the ScanPolicy by running:
kubectl describe sourcescan NAME -n DEVELOPER-NAMESPACE
kubectl describe imagescan NAME -n DEVELOPER-NAMESPACE
The goal of triage is to analyze and prioritize the reported vulnerability data to discover the appropriate course of action to take at the remediation step. To remediate efficiently and appropriately, you need context for the vulnerabilities that are blocking your supply chain, the packages that are affected, and the impact they can have.
During triage, review which packages are impacted by the CVEs that violated your scan policy. Use Supply Chain Choreographer in Tanzu Developer Portal to examine your supply chain, including scans, scan policy, and CVEs.
During this stage, VMware recommends that you review information pertaining to the CVEs from sources such as the National Vulnerability Database and the release page of a package.
After triage is complete, the next step is to remediate the blocking vulnerabilities quickly. Some common methods for CVE remediation are as follows:
Vulnerabilities that occur in older versions of a package might be resolved in later versions. Apply a patch by upgrading to a later version. You can further adopt security best practices by using your project's package manager tools, such as go mod graph for projects in Go, to identify the transitive or indirect dependencies that pull vulnerable package versions into your build.
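As an added example, not part of this topic or of the Tanzu Application Platform product, the following Go program shows the kind of triage that go mod graph output enables. It parses constructed go mod graph text for a hypothetical module example.com/app, lists every requirement chain that leads to a module named in an advisory (so you can see which direct dependency drags it in), and applies Go's minimal version selection rule to report which version of that module is actually built and therefore scanned. All module names, versions and the v0.3.8 fix threshold are made up; the version comparison handles plain vMAJOR.MINOR.PATCH strings and ignores pre-release suffixes.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed `go mod graph` output for a hypothetical module example.com/app;
// no module or version here refers to a real project. Each line is "<from> <to>".
const sampleGraph = `example.com/app github.com/foo/web@v1.4.0
example.com/app github.com/acme/cli@v2.1.0
github.com/foo/web@v1.4.0 golang.org/x/text@v0.3.7
github.com/acme/cli@v2.1.0 github.com/acme/util@v0.9.0
github.com/acme/util@v0.9.0 golang.org/x/text@v0.3.0
golang.org/x/text@v0.3.7 golang.org/x/tools@v0.1.0`

// ParseGraph turns `go mod graph` text into an adjacency map node -> requirements.
func ParseGraph(text string) map[string][]string {
	g := map[string][]string{}
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			g[f[0]] = append(g[f[0]], f[1])
		}
	}
	return g
}

// splitNode separates "path@version"; the main module carries no version.
func splitNode(node string) (string, string) {
	if i := strings.Index(node, "@"); i >= 0 {
		return node[:i], node[i+1:]
	}
	return node, ""
}

// CompareVersions orders "vMAJOR.MINOR.PATCH" numerically (-1, 0, 1); "" sorts lowest.
func CompareVersions(a, b string) int {
	var pa, pb [3]int
	fmt.Sscanf(strings.TrimPrefix(a, "v"), "%d.%d.%d", &pa[0], &pa[1], &pa[2])
	fmt.Sscanf(strings.TrimPrefix(b, "v"), "%d.%d.%d", &pb[0], &pb[1], &pb[2])
	for i := range pa {
		if pa[i] != pb[i] {
			if pa[i] > pb[i] {
				return 1
			}
			return -1
		}
	}
	return 0
}

// PathsTo enumerates every simple requirement chain from root to any version of
// target; element 1 of each chain is the direct dependency to upgrade or replace.
func PathsTo(g map[string][]string, root, target string) [][]string {
	var out [][]string
	onPath := map[string]bool{} // cycle guard: module graphs can contain cycles
	var walk func(node string, path []string)
	walk = func(node string, path []string) {
		path = append(append([]string(nil), path...), node)
		if p, _ := splitNode(node); p == target {
			out = append(out, path)
			return
		}
		if onPath[node] {
			return
		}
		onPath[node] = true
		for _, next := range g[node] {
			walk(next, path)
		}
		delete(onPath, node)
	}
	walk(root, nil)
	return out
}

// SelectedVersion applies minimal version selection: the highest version of
// target required anywhere in the graph is the one that is built and scanned.
func SelectedVersion(g map[string][]string, target string) string {
	best := ""
	for _, reqs := range g {
		for _, r := range reqs {
			if p, v := splitNode(r); p == target && CompareVersions(v, best) > 0 {
				best = v
			}
		}
	}
	return best
}

func main() {
	g := ParseGraph(sampleGraph)
	root, target, fixedIn := "example.com/app", "golang.org/x/text", "v0.3.8" // fixedIn: made-up advisory threshold
	sel := SelectedVersion(g, target)
	fmt.Printf("%s builds at %s, fixed in %s, remediated: %v\n", target, sel, fixedIn, CompareVersions(sel, fixedIn) >= 0)
	for _, p := range PathsTo(g, root, target) {
		fmt.Println("chain:", strings.Join(p, " -> "))
	}
}
```

To use it on a real project, run go mod graph in the module directory and feed its output to ParseGraph instead of sampleGraph. When SelectedVersion is below the fixed version, the chains tell you whether bumping a direct dependency is enough or whether the transitive module itself needs a newer require or replace entry in go.mod before the scan is run again.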
If you decide to proceed without remediating the CVE, such as when a CVE is actually a false positive or when a fix is not available, you can amend the ScanPolicy to ignore one or more CVEs. For information about common scanner limitations, see Vulnerability Scanner limitations. For information about templates, see Writing a policy template.
Under role-based access control (RBAC), users with the app-operator-scanning role, which is part of the app-operator aggregate role, have permission to edit the ScanPolicy. For more information, see the Detailed role permissions breakdown.