Commit 6966c926, authored 5 months ago by Dmitrii Unterov
chore: comments in vulnerability-allowlist.yml and info in README.md
parent 18009bea
1 merge request: !148 chore: comments in vulnerability-allowlist.yml and info in README.md
Showing 2 changed files with 34 additions and 0 deletions: README.md (+32 −0), vulnerability-allowlist.yml (+2 −0)
README.md (+32 −0), view file @ 6966c926
@@ -96,3 +96,35 @@ be pushed to a `test` subfolder of the
You can force dynamic CI pipeline jobs to run by setting
`FORCE_DYNAMIC_JOBS`
when running the
pipeline.
### Adding known vulnerabilities to allowlist file
This project has
**container-scanning**
job enabled for all images. As a result, this project has detailed
[
Vulnerability report
](
https://gitlab.developers.cam.ac.uk/uis/devops/infra/dockerimages/-/security/vulnerability_report
)
with information about all detected vulnerabilities. Periodically, the Cloud Team triage those findings and some of
them could be count as false positive or known issues. To exclude such issues from the final report, the issues must be
added to the
`vulnerability-allowlist.yml`
file in the root of this project. The syntax is described in
[
GitLab docs
](
https://docs.gitlab.com/ee/user/application_security/container_scanning/#vulnerability-allowlisting
)
.
```
yaml
generalallowlist
:
# https://gitlab.developers.cam.ac.uk/uis/devops/infra/dockerimages/-/issues/80
CVE-2023-6879
:
libaom
images
:
registry.gitlab.developers.cam.ac.uk/uis/devops/infra/dockerimages/ucam-mellon-proxy
:
# https://gitlab.developers.cam.ac.uk/uis/devops/infra/dockerimages/-/issues/81
CVE-2023-45853
:
zlib1g
```
On the example above:
*
CVE-2023-6879: allowed for every image where it is detected in
`libaom`
package;
*
CVE-2023-6879: allowed for image
`registry.gitlab.developers.cam.ac.uk/uis/devops/infra/dockerimages/ucam-mellon-proxy`
,
`zlib1g`
package;
The GitLab issue reference must be added as a comment.
This file is also being used for "container-scanning" job in
[
CI Templates
](
https://gitlab.developers.cam.ac.uk/uis/devops/continuous-delivery/ci-templates
)
project.
The job downloads latest version of this file and use it as a source of information about allowed
vulnerabilities. Project's own
`vulnerability-allowlist.yml`
file has priority over the one in this repository.
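Review bot: the second bullet under "On the example above" is mislabelled: it reads "CVE-2023-6879: allowed for image registry.gitlab.developers.cam.ac.uk/uis/devops/infra/dockerimages/ucam-mellon-proxy, zlib1g package", but the YAML entry under `images:` for that image is `CVE-2023-45853: zlib1g`, so the bullet should name CVE-2023-45853. A reader copying the bullet text into a new allowlist entry would otherwise suppress the wrong CVE. While editing that paragraph, two grammar slips: "could be count as false positive" should read "could be counted as false positives", and "The job downloads latest version of this file and use it" should read "downloads the latest version of this file and uses it". Consider also moving the sentence "The GitLab issue reference must be added as a comment." up next to the syntax description, since it is the one mandatory rule for every entry and is easy to miss after the bullet list.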
vulnerability-allowlist.yml (+2 −0), view file @ 6966c926
generalallowlist
:
# https://gitlab.developers.cam.ac.uk/uis/devops/infra/dockerimages/-/issues/80
CVE-2023-6879
:
libaom
images
:
registry.gitlab.developers.cam.ac.uk/uis/devops/infra/dockerimages/ucam-mellon-proxy
:
# https://gitlab.developers.cam.ac.uk/uis/devops/infra/dockerimages/-/issues/81
CVE-2023-45853
:
zlib1g
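Review bot: the two added comment lines carry only the issue URL; since the README distinguishes entries that are false positives from entries that are known issues, stating which category applies in the comment itself (e.g. "# false positive, see <issue URL>") would make the justification visible without opening the issue. Worth keeping in mind when reviewing the linked issues: the `generalallowlist` entry for CVE-2023-6879 in `libaom` suppresses that finding in every image, and the README states this file is also downloaded by the container-scanning job in the CI Templates project, so the suppression reaches images outside this repository unless those projects ship their own `vulnerability-allowlist.yml`, which takes priority.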