This topic tells you how to add vulnerability analysis associated with a workload in the Supply Chain Security Tools (SCST) - Store. This is an experimental feature, and the API is prone to changes in subsequent releases.
Important: The capability to triage scan results in SCST - Store is in the alpha stage, which means that it is still in early development and is subject to change at any point. You might encounter unexpected behavior from it.
Vulnerability analysis, or triage, is the process of evaluating a reported vulnerability to decide on an effective remediation plan. Triage helps application teams generate useful insights about the vulnerabilities in their software so that they can make the right decisions about when and how to mitigate them. The current implementation of triage follows CycloneDX's Vulnerability Exploitability eXchange (VEX) specification, and is designed specifically to work with Tanzu workloads.
For information about this feature, see Data models and concepts for SCST - Store.
Before you begin vulnerability analysis, you must add image data to SCST - Store, either by using the `tanzu insight image add` command or by installing SCST - Scan. For more information, see Add data and Supply Chain Security Tools - Scan.
A vulnerability analysis contains the following data:
For more information about the supported values for each of these fields, see the Tanzu CLI Command Reference documentation.
For example, if you are interested in a vulnerability affecting a specific image in your workload, and are investigating its impact, you can add this information to SCST - Store:

```shell
tanzu insight triage update \
  --cveid "$CVEID" \
  --pkg-name "$PKG_NAME" \
  --pkg-version "$PKG_VERSION" \
  --img-digest "$IMG_DIGEST" \
  --artifact-group-uid "$ARTIFACT_GROUP_UID" \
  --state in_triage
```
Where:

- `CVEID` is the unique identifier of the vulnerability.
- `PKG_NAME` and `PKG_VERSION` are the name and version of the application or OS package affected by the vulnerability.
- `IMG_DIGEST` is the digest of the image that contains the affected application or OS package.
- `ARTIFACT_GROUP_UID` is the unique identifier for the workload that contains the image. If your workload was deployed with the Tanzu CLI, you can find its unique identifier with the following command:

```shell
kubectl get workload "$MY_WORKLOAD_NAME" --namespace "$MY_WORKLOAD_NAMESPACE" --output jsonpath='{.metadata.uid}'
```

Note: If your affected package is linked to a source instead of an image, you can use `--src-commit` instead of `--img-digest`.
As you continue to investigate the vulnerability, you can update your analysis with the latest findings by running the `tanzu insight triage update` command as many times as needed.
To view all the existing analyses in SCST - Store, run:

```shell
tanzu insight triage list
```

The results are paginated by default. You can switch the current page or the number of results returned by providing the `--page` or `--limit` flags respectively. You can also filter the results by image or source. For more information, use the `--help` flag or see the Tanzu CLI Command Reference documentation.
Sometimes, you might run into scenarios where an existing analysis might be shared between multiple images, for example, when a new version of an existing image is deployed by your workload and it contains the same vulnerability as the previous version, or when you create an analysis for an image that is shared between multiple workloads.
To speed up triage in those cases, you can use the `copy` subcommand:

```shell
tanzu insight triage copy \
  --triage-uid-to-copy "$TRIAGE_UID" \
  --img-digest "$TARGET_IMAGE"
```
Where:

- `TRIAGE_UID` is the uid of an existing analysis.
- `TARGET_IMAGE` is the digest of the image you want to copy the analysis to.

The following conditions are required for this action:

- If `--artifact-group-uid` is specified, it must contain the image or source associated with the existing analysis.

Note: The responsibility of assessing a vulnerability's impact is up to the person in charge of triage. Images and sources with the same package and version might use the package differently and might not have the same analysis values.
When you carry out vulnerability analysis on a workload image, you might want to carry this forward after the workload source code is updated and a new image is built and deployed. This process is called rebase, and you can run it with the following command:
```shell
tanzu insight triage rebase \
  --img-digest "$TARGET_IMAGE" \
  --artifact-group-uid "$ARTIFACT_GROUP_UID"
```
Where:

- `TARGET_IMAGE` is the digest of the image you want to rebase the analysis into.
- `ARTIFACT_GROUP_UID` is the unique identifier for the workload that contains the image, and where existing analyses will be searched for.

This command returns a list of existing analyses that can be automatically rebased into your target image. Each analysis on the list meets all the following criteria:
In this context, image A is considered to be a previous version of image B when they have the same name, different digests, and image A was created before image B. This relation is evaluated within the workload's context, using the provided `--artifact-group-uid`.