1. Documentation
    2. history bug_report picture_as_pdf
×

Viewing and addressing vulnerabilities

Viewing vulnerabilities

Historically, RHACS provided a view of vulnerabilities discovered in your system in the vulnerability management dashboard. The dashboard is deprecated in RHACS 4.5 and will be removed in a future release. For more information about the dashboard, see Using the vulnerability management dashboard.

The Vulnerability ManagementWorkload CVEs page provides information about vulnerabilities in applications running on clusters in your system. You can view vulnerability information across images and deployments. The Workload CVEs page provides advanced filtering capabilities, including the ability to view images and deployments with vulnerabilities and filter by image, deployment, namespace, cluster, CVE, component, and component source.

Viewing workload CVEs

The Vulnerability ManagementWorkload CVEs page provides information about vulnerabilities in applications running on clusters in your system. You can view vulnerability information across images and deployments. The Workload CVEs page provides more advanced filtering capabilities than the dashboard, including the ability to view images and deployments with vulnerabilities and filter by image, deployment, namespace, cluster, CVE, component, and component source.

Procedure

  1. To show all CVEs across all images, select Image vulnerabilities from the View image vulnerabilities list.

  2. From the View image vulnerabilities list, select how you want to view the images. The following options are provided:

    • Image vulnerabilities: Displays images and deployments in which RHACS has discovered CVEs.

    • Images without vulnerabilities: Displays images that meet at least one of the following conditions:

      • Images that do not have CVEs

      • Images that report a scanner error that may result in a false negative of no CVEs

        An image that actually contains vulnerabilities can appear in this list inadvertently. For example, if Scanner was able to scan the image and it is known to RHACS, but the scan was not successfully completed, vulnerabilities cannot be detected. This scenario occurs if an image has an operating system that is not supported by the RHACS scanner. Scan errors are displayed when you hover over an image in the image list or click the image name for more information.

  3. To filter CVEs by entity, select the appropriate filters and attributes.

    To select multiple entities and attributes, click the right arrow icon to add another criteria. Depending on your choices, enter the appropriate information such as text, or select a date or object.

    The filter entities and attributes are listed in the following table.

    Table 1. CVE filtering
    Entity Attributes

    Image

    • Name: The name of the image.

    • Operating system: The operating system of the image.

    • Tag: The tag for the image.

    • Label: The label for the image.

    • Registry: The registry where the image is located.

    CVE

    • Name: The name of the CVE.

    • Discovered time: The date when RHACS discovered the CVE.

    • CVSS: The severity level for the CVE. You can select from the following options for the severity level:

      • is greater than

      • is greater than or equal to

      • is equal to

      • is less than or equal to

      • is less than

    Image Component

    • Name: The name of the image component, for example, activerecord-sql-server-adapter

    • Source:

      • OS

      • Python

      • Java

      • Ruby

      • Node.js

      • Go

      • Dotnet Core Runtime

      • Infrastructure

    • Version: Version of the image component; for example, 3.4.21. You can use this to search for a specific version of a component, for example, in conjunction with a component name.

    Deployment

    • Name: Name of the deployment.

    • Label: Label for the deployment.

    • Annotation: The annotation for the deployment.

    Namespace

    • Name: The name of the namespace.

    • Label: The label for the namespace.

    • Annotation: The annotation for the namespace.

    Cluster

    • Name: The name of the cluster.

    • Label: The label for the cluster.

    • Type: The cluster type, for example, OCP.

    • Platform type: The platform type, for example, OpenShift 4 cluster.

  4. You can select the following options to refine the list of results:

    • Prioritize by namespace view: Displays a list of namespaces sorted according to the risk priority. You can use this view to quickly identify and address the most critical areas. In this view, click <number> deployments in a table row to return to the workload CVE list view, with filters applied to show only deployments, images and CVEs for the selected namespace.

    • Default filters: You can select filters for CVE severity and CVE status that are automatically applied when you visit the Workload CVEs page. These filters only apply to this page, and are applied when you visit the page from another section of the RHACS web portal or from a bookmarked URL. They are saved in the local storage of your browser.

    • CVE severity: You can select one or more levels.

    • CVE status: You can select Fixable or Not fixable.

The Filtered view icon indicates that the displayed results were filtered based on the criteria that you selected. You can click Clear filters to remove all filters, or remove individual filters by clicking on them.

In the list of results, click a CVE, image name, or deployment name to view more information about the item. For example, depending on the item type, you can view the following information:

  • Whether a CVE is fixable

  • Whether an image is active

  • The Dockerfile line in the image that contains the CVE

  • External links to information about the CVE in Red Hat and other CVE databases

Search example

The following graphic shows an example of search criteria for a cluster called staging-secured-cluster to view CVEs of critical and important severity with a fixable status in that cluster.

Workload CVE showing a search on the `staging-secured-cluster` for CVEs with critical and important severity and fixable status

Viewing Node CVEs

You can identify vulnerabilities in your nodes by using RHACS. The vulnerabilities that are identified include the following:

  • Vulnerabilities in core Kubernetes components

  • Vulnerabilities in container runtimes such as Docker, CRI-O, runC, and containerd

For more information about operating systems that RHACS can scan, see "Supported operating systems".

Procedure

  1. In the RHACS portal, click Vulnerability ManagementNode CVEs.

  2. To view the data, do any of the following tasks:

    • To view a list of all the CVEs affecting all of your nodes, select <number> CVEs.

    • To view a list of nodes that contain CVEs, select <number> Nodes.

  3. Optional: To filter CVEs according to entity, select the appropriate filters and attributes. To add more filtering criteria, follow these steps:

    1. Select the entity or attribute from the list.

    2. Depending on your choices, enter the appropriate information such as text, or select a date or object.

    3. Click the right arrow icon.

    4. Optional: Select additional entities and attributes, and then click the right arrow icon to add them. The filter entities and attributes are listed in the following table.

      Table 2. CVE filtering
      Entity Attributes

      Node

      • Name: The name of the node.

      • Operating system: The operating system of the node, for example, Red Hat Enterprise Linux (RHEL).

      • Label: The label of the node.

      • Annotation: The annotation for the node.

      • Scan time: The scan date of the node.

      CVE

      • Name: The name of the CVE.

      • Discovered time: The date when RHACS discovered the CVE.

      • CVSS: The severity level for the CVE. You can select from the following options for the severity level:

        • is greater than

        • is greater than or equal to

        • is equal to

        • is less than or equal to

        • is less than

      Node Component

      • Name: The name of the component.

      • Version: The version of the component, for example, 4.15.0-2024. You can use this to search for a specific version of a component, for example, in conjunction with a component name.

      Cluster

      • Name: The name of the cluster.

      • Label: The label for the cluster.

      • Type: The type of cluster, for example, OCP.

      • Platform type: The type of platform, for example, OpenShift 4 cluster.

  4. Optional: To refine the list of results, do any of the following tasks:

    • Click CVE severity, and then select one or more levels.

    • Click CVE status, and then select Fixable or Not fixable.

  5. Optional: To view the details of the node and information about the CVEs according to the CVSS score and fixable CVEs for that node, click a node name in the list of nodes.

Disabling identifying vulnerabilities in nodes

Identifying vulnerabilities in nodes is enabled by default. You can disable it from the RHACS portal.

Procedure

  1. In the RHACS portal, go to Platform ConfigurationIntegrations.

  2. Under Image Integrations, select StackRox Scanner.

  3. From the list of scanners, select StackRox Scanner to view its details.

  4. Click Edit.

  5. To use only the image scanner and not the node scanner, click Image Scanner.

  6. Click Save.

Additional resources

Viewing platform CVEs

The platform CVEs page provides information about vulnerabilities in clusters in your system.

Procedure

  1. Click Vulnerability ManagementPlatform CVEs.

  2. You can filter CVEs by entity by selecting the appropriate filters and attributes. You can select multiple entities and attributes by clicking the right arrow icon to add another criteria. Depending on your choices, enter the appropriate information such as text, or select a date or object. The filter entities and attributes are listed in the following table.

    Table 3. CVE filtering
    Entity Attributes

    Cluster

    • Name: The name of the cluster.

    • Label: The label for the cluster.

    • Type: The cluster type, for example, OCP.

    • Platform type: The platform type, for example, OpenShift 4 cluster.

    CVE

    • Name: The name of the CVE.

    • Discovered time: The date when RHACS discovered the CVE.

    • CVSS: The severity level for the CVE. You can select from the following options for the severity level:

      • is greater than

      • is greater than or equal to

      • is equal to

      • is less than or equal to

      • is less than

    • Type: The type of CVE:

      • Kubernetes CVE

      • Istio CVE

      • OpenShift CVE

  3. To filter by CVE status, click CVE status and select Fixable or Not fixable.

The Filtered view icon indicates that the displayed results were filtered based on the criteria that you selected. You can click Clear filters to remove all filters, or remove individual filters by clicking on them.

In the list of results, click a CVE to view more information about the item. For example, you can view the following information if it is populated:

  • Documentation for the CVE

  • External links to information about the CVE in Red Hat and other CVE databases

  • Whether the CVE is fixable or unfixable

  • A list of affected clusters

Excluding CVEs

You can exclude or ignore CVEs in RHACS by snoozing node and platform CVEs and deferring or marking node, platform, and image CVEs as false positives. You might want to exclude CVEs if you know that the CVE is a false positive or you have already taken steps to mitigate the CVE. Snoozed CVEs do not appear in vulnerability reports or trigger policy violations.

You can snooze a CVE to ignore it globally for a specified period of time. Snoozing a CVE does not require approval.

Snoozing node and platform CVEs requires that the ROX_VULN_MGMT_LEGACY_SNOOZE environment variable is set to true.

Deferring or marking a CVE as a false positive is done through the exception management workflow. This workflow provides the ability to view pending, approved, and denied deferral and false positive requests. You can scope the CVE exception to a single image, all tags for a single image, or globally for all images.

When approving or denying a request, you must add a comment. A CVE remains in the observed status until the exception request is approved. A pending request for deferral that is denied by another user is still visible in reports, policy violations, and other places in the system, but is indicated by a Pending exception label next to the CVE when visiting Vulnerability ManagementWorkload CVEs.

An approved exception for a deferral or false positive has the following effects:

  • Removes the CVE from the Observed tab in Vulnerability ManagementWorkflow CVEs to either the Deferred or False positive tab

  • Prevents the CVE from triggering policy violations that are related to the CVE

  • Prevents the CVE from showing up in automatically generated vulnerability reports

Snoozing platform and node CVEs

You can snooze platform and node CVEs that do not relate to your infrastructure. You can snooze CVEs for 1 day, 1 week, 2 weeks, 1 month, or indefinitely, until you unsnooze them. Snoozing a CVE takes effect immediately and does not require an additional approval step.

The ability to snooze a CVE is not enabled by default in the web portal or in the API. To enable the ability to snooze CVEs, set the runtime environment variable ROX_VULN_MGMT_LEGACY_SNOOZE to true.
Procedure

  1. In the RHACS portal, do any of the following tasks:

    • To view platform CVEs, click Vulnerability ManagementPlatform CVEs.

    • To view node CVEs, click Vulnerability ManagementNode CVEs.

  2. Select one or more CVEs.

  3. Select the appropriate method to snooze the CVE:

    • If you selected a single CVE, click the overflow menu, kebab, and then select Snooze CVE.

    • If you selected multiple CVEs, click Bulk actionsSnooze CVEs.

  4. Select the duration of time to snooze.

  5. Click Snooze CVEs.

    You receive a confirmation that you have requested to snooze the CVEs.

Unsnoozing platform and node CVEs

You can unsnooze platform and node CVEs that you have previously snoozed.

The ability to snooze a CVE is not enabled by default in the web portal or in the API. To enable the ability to snooze CVEs, set the runtime environment variable ROX_VULN_MGMT_LEGACY_SNOOZE to true.
Procedure

  1. In the RHACS portal, do any of the following tasks:

    • To view the list of platform CVEs, click Vulnerability ManagementPlatform CVEs.

    • To view the list of node CVEs, click Vulnerability ManagementNode CVEs.

  2. To view the list of snoozed CVEs, click Show snoozed CVEs in the header view.

  3. Select one or more CVEs from the list of snoozed CVEs.

  4. Select the appropriate method to unsnooze the CVE:

    • If you selected a single CVE, click the overflow menu, kebab, and then select Unsnooze CVE.

    • If you selected multiple CVEs, click Bulk actionsUnsnooze CVEs.

  5. Click Unsnooze CVEs again.

    You receive a confirmation that you have requested to unsnooze the CVEs.

Viewing snoozed CVEs

You can view a list of platform and node CVEs that have been snoozed.

The ability to snooze a CVE is not enabled by default in the web portal or in the API. To enable the ability to snooze CVEs, set the runtime environment variable ROX_VULN_MGMT_LEGACY_SNOOZE to true.
Procedure

  1. In the RHACS portal, do any of the following tasks:

    • To view the list of platform CVEs, click Vulnerability ManagementPlatform CVEs.

    • To view the list of node CVEs, click Vulnerability ManagementNode CVEs.

  2. Click Show snoozed CVEs to view the list.

Marking a vulnerability as a false positive globally

You can create an exception for a vulnerability by marking it as a false positive globally, or across all images. You must get requests to mark a vulnerability as a false positive approved in the exception management workflow.

Prerequisites

  • You have the write permission for the VulnerabilityManagementRequests resource.

Procedure

  1. In the RHACS portal, click Vulnerability ManagementWorkload CVEs.

  2. Choose the appropriate method to mark the CVEs:

    • If you want to mark a single CVE, perform the following steps:

      1. Find the row which contains the CVE that you want to take action on.

      2. Click the overflow menu, kebab, for the CVE that you identified, and then select Mark as false positive.

    • If you want to mark multiple CVEs, perform the following steps:

      1. Select each CVE.

      2. From the Bulk actions drop-down list, select Mark as false positives.

  3. Enter a rationale for requesting the exception.

  4. Optional: To review the CVEs that are included in the exception request, click CVE selections.

  5. Click Submit request.

    You receive a confirmation that you have requested an exception.

  6. Optional: To copy the approval link and share it with your organization’s exception approver, click the copy icon.

  7. Click Close.

Marking a vulnerability as a false positive for an image or image tag

To create an exception for a vulnerability, you can mark it as a false positive for a single image, or across all tags associated with an image. You must get requests to mark a vulnerability as a false positive approved in the exception management workflow.

Prerequisites

  • You have the write permission for the VulnerabilityManagementRequests resource.

Procedure

  1. In the RHACS portal, click Vulnerability ManagementWorkload CVEs.

  2. To view the list of images, click <number> Images.

  3. Find the row that lists the image that you want to mark as a false positive, and click the image name.

  4. Choose the appropriate method to mark the CVEs:

    • If you want to mark a single CVE, perform the following steps:

      1. Find the row which contains the CVE that you want to take action on.

      2. Click the overflow menu, kebab, for the CVE that you identified, and then select Mark as false positive.

    • If you want to mark multiple CVEs, perform the following steps:

      1. Select each CVE.

      2. From the Bulk actions drop-down list, select Mark as false positives.

  5. Select the scope. You can select either all tags associated with the image or only the image.

  6. Enter a rationale for requesting the exception.

  7. Optional: To review the CVEs that are included in the exception request, click CVE selections.

  8. Click Submit request.

    You receive a confirmation that you have requested an exception.

  9. Optional: To copy the approval link and share it with your organization’s exception approver, click the copy icon.

  10. Click Close.

Viewing deferred and false positive CVEs

You can view the CVEs that have been deferred or marked as false positives by using the Workload CVEs page.

Procedure

  1. To see CVEs that have been deferred or marked as false positives, with the exceptions approved by an approver, click Vulnerability ManagementWorkload CVEs. Complete any of the following actions:

    • To see CVEs that have been deferred, click the Deferred tab.

    • To see CVEs that have been marked as false positives, click the False positives tab.

      To approve, deny, or change deferred or false positive CVEs, click Vulnerability ManagementException Management.

  2. Optional: To view additional information about the deferral or false positive, click View in the Request details column. The Exception Management page is displayed.

Deferring CVEs

You can accept risk with or without mitigation and defer CVEs. You must get deferral requests approved in the exception management workflow.

Prerequisites

  • You have write permission for the VulnerabilityManagementRequests resource.

Procedure

  1. In the RHACS portal, click Vulnerability ManagementWorkload CVEs.

  2. Choose the appropriate method to defer a CVE:

    • If you want to defer a single CVE, perfom the following steps:

      1. Find the row which contains the CVE that you want to mark as a false positive.

      2. Click the overflow menu, kebab, for the CVE that you identified, and then click Defer CVE.

    • If you want to defer multiple CVEs, perform the following steps:

      1. Select each CVE.

      2. Click Bulk actionsDefer CVEs.

  3. Select the time period for the deferral.

  4. Enter a rationale for requesting the exception.

  5. Optional: To review the CVEs that are included in the exception menu, click CVE selections.

  6. Click Submit request.

    You receive a confirmation that you have requested a deferral.

  7. Optional: To copy the approval link to share it with your organization’s exception approver, click the copy icon.

  8. Click Close.

Configuring vulnerability exception expiration periods

You can configure the time periods available for vulnerability management exceptions. These options are available when users request to defer a CVE.

Prerequisites

  • You have write permission for the VulnerabilityManagementRequests resource.

Procedure

  1. In the RHACS portal, go to Platform ConfigurationException Configuration.

  2. You can configure expiration times that users can select when they request to defer a CVE. Enabling a time period makes it available to users and disabling it removes it from the user interface.

Reviewing and managing an exception request to defer or mark a CVE as false positive

You can review, update, approve, or deny an exception requests for deferring and marking CVEs as false positives.

Prerequisites

  • You have the write permission for the VulnerabilityManagementRequests resource.

Procedure

  1. To view the list of pending requests, do any of the following tasks:

    • Paste the approval link into your browser.

    • Click Vulnerability ManagementException Management, and then click the request name in the Pending requests tab.

  2. Review the scope of the vulnerability and decide whether or not to approve it.

  3. Choose the appropriate option to manage a pending request:

    • If you want to deny the request and return the CVE to observed status, click Deny request.

      Enter a rationale for the denial, and click Deny.

    • If you want to approve the request, click Approve request.

      Enter a rationale for the approval, and click Approve.

  4. To cancel a request that you have created and return the CVE to observed status, click Cancel request. You can only cancel requests that you have created.

  5. To update the deferral time period or rationale for a request that you have created, click Update request. You can only update requests that you have created.

    After you make changes, click Submit request.

    You receive a confirmation that you have submitted a request.

Identifying Dockerfile lines in images that introduced components with CVEs

You can identify specific Dockerfile lines in an image that introduced components with CVEs.

Procedure

To view a problematic line:

  1. In the RHACS portal, click Vulnerability ManagementWorkload CVEs.

  2. Click the tab to view the type of CVEs. The following tabs are available:

    • Observed

    • Deferred

    • False positives

  3. In the list of CVEs, click the CVE name to open the page containing the CVE details. The Affected components column lists the components that include the CVE.

  4. Expand the CVE to display additional information, including the Dockerfile line that introduced the component.

Finding a new component version

The following procedure finds a new component version to upgrade to.

Procedure

  1. In the RHACS portal, click Vulnerability ManagementWorkload CVEs.

  2. Click <number> Images and select an image.

  3. To view additional information, locate the CVE and click the expand icon.

    The additional information includes the component that the CVE is in and the version in which the CVE is fixed, if it is fixable.

  4. Update your image to a later version.

Exporting workload vulnerabilities by using the API

You can export workload vulnerabilities in Red Hat Advanced Cluster Security for Kubernetes by using the API.

For these examples, workloads are composed of deployments and their associated images. The export uses the /v1/export/vuln-mgmt/workloads streaming API. It allows the combined export of deployments and images. The images payload contains the full vulnerability information. The output is streamed and has the following schema:

{"result": {"deployment": {...}, "images": [...]}}
...
{"result": {"deployment": {...}, "images": [...]}}

The following examples assume that these environment variables have been set:

  • ROX_API_TOKEN: API token with view permissions for the Deployment and Image resources

  • ROX_ENDPOINT: Endpoint under which Central’s API is available

  • To export all workloads, enter the following command:

    $ curl -H "Authorization: Bearer $ROX_API_TOKEN" $ROX_ENDPOINT/v1/export/vuln-mgmt/workloads

  • To export all workloads with a query timeout of 60 seconds, enter the following command:

    $ curl -H "Authorization: Bearer $ROX_API_TOKEN" $ROX_ENDPOINT/v1/export/vuln-mgmt/workloads?timeout=60

  • To export all workloads matching the query Deployment:app Namespace:default, enter the following command:

    $ curl -H "Authorization: Bearer $ROX_API_TOKEN" $ROX_ENDPOINT/v1/export/vuln-mgmt/workloads?query=Deployment%3Aapp%2BNamespace%3Adefault
Additional resources

Scanning inactive images

Red Hat Advanced Cluster Security for Kubernetes (RHACS) scans all active (deployed) images every 4 hours and updates the image scan results to reflect the latest vulnerability definitions.

You can also configure RHACS to scan inactive (not deployed) images automatically.

Procedure

  1. In the RHACS portal, click Vulnerability ManagementWorkload CVEs.

  2. Click Manage watched images.

  3. In the Image name field, enter the fully-qualified image name that begins with the registry and ends with the image tag, for example, docker.io/library/nginx:latest.

  4. Click Add image to watch list.

  5. Optional: To remove a watched image, locate the image in the Manage watched images window, and click Remove watch.

    In the RHACS portal, click Platform ConfigurationSystem Configuration to view the data retention configuration.

    All the data related to the image removed from the watched image list continues to appear in the RHACS portal for the number of days mentioned on the System Configuration page and is only removed after that period is over.

  6. Click Close to return to the Workload CVEs page.