Merge "Updated CVSS v3.x"

2023-06-26 21:19:17 +00:00 · 2023-06-26 21:19:17 +00:00 · 1bdfec3baa
commit 1bdfec3baa
parent 21b69819af 13a03e6cd2
2 changed files with 41 additions and 72 deletions
--- a/doc/source/_includes/cve-maintenance-0eaf7f8697bc.rest
+++ b/doc/source/_includes/cve-maintenance-0eaf7f8697bc.rest
@ -2,14 +2,3 @@
 .. begin-CVE
 .. end-CVE

-.. CentOS-begin
-.. CentOS-end
-
-.. CVE-visibility-begin
-.. CVE-visibility-end
-
-.. Debian-begin
-.. Debian-end
-
-.. CVE-visibility-1-begin
-.. CVE-visibility-1-end
--- a/doc/source/security/kubernetes/cve-maintenance-723cd9dd54b3.rst
+++ b/doc/source/security/kubernetes/cve-maintenance-723cd9dd54b3.rst
@ -4,81 +4,61 @@
 CVE Maintenance
 ===============

-On a monthly basis, the master development branch of |prod| is scanned for
-|CVE|'s and the reports that are generated are reviewed by the Security team.
-
 .. only:: partner

   .. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
-      :start-after: begin-CVE
-      :end-before: end-CVE
+       :start-after: begin-CVE
+       :end-before: end-CVE

 .. only:: starlingx
+   
+   On a monthly basis, the master development branch of StarlingX is scanned
+   for CVEs using the third party tool ``Vulscan`` to provide an unbiased view
+   of vulnerabilities. The generated reports are reviewed by the Security team.
+   For |CVE|'s which meet StarlingX's CVE Fix Criteria Policy as documented
+   below, fixes are provided in the StarlingX master branch.

-   For |CVE|'s which meet StarlingX's ``CVE Fix Criteria Policy`` as documented
-   below, fixes are provided for the |CVE| in the StarlingX master branch.
+   .. note::
+      
+      There are no scans executed or |CVE| fixes implemeneted on the released
+      versions / branches on StarlingX.

-For Debian-based versions of |prod| |deb-release-ver|:
+   For the current Debian-based versions of StarlingX:
+   
+   -  |CVSS| v3.x base scores and base metrics are used in the |CVE| fix criteria

-.. only:: partner
+   -  The |CVE| ``Fix Criteria Policy`` is:

-   .. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
-      :start-after: Debian-begin
-      :end-before: Debian-end
+      -  Main Fix Criteria

-  The third party tool ``Vulscan`` is used to scan for |CVE|'s to provide an
-   unbiased view of vulnerabilities
+         -  |CVSS| v3.x Base score >= 7.0
+         -  Base Metrics has the following:

-  |CVSS| v3 base scores and base metrics are used in the |CVE| fix criteria
+            -  Attack Vector: Network
+            -  Attack Complexity: Low
+            -  Privileges Required: None or Low
+            -  Availability Impact: High or Low
+            -  User Interaction: None
+         -  A correction is available upstream

-  The |CVE| ``Fix Criteria Policy`` is:
+      -  OR, visibility is HIGH and a correction is available upstream

-   -  Main Fix Criteria
+   In the past, for older CentOS-based versions of StarlingX:
+   
+   -  |CVSS| v2 base scores and base vectors were used in the |CVE| fix criteria
+   
+   -  The |CVE| ``Fix Criteria Policy`` was:

-      -  |CVSS| v3 Base score >= 7.0
-      -  Base Metrics has the following:
+      -  Main Fix Criteria

-         -  Attack Vector: Network
-         -  Attack Complexity: Low
-         -  Privileges Required: None or Low
-         -  Availability Impact: High or Low
-         -  User Interaction: None
-      -  A correction is available upstream
+         -  |CVSS| v2 Base score >= 7.0
+         -  Base Vector has the following:

-   -  OR, visibility is HIGH and a correction is available upstream
+            -  Access Vector: Network
+            -  Access Complexity: Low
+            -  Authentication: None or Single
+            -  Availability Impact: Partial/Complete
+         
+         -  A correction was available upstream

-.. only:: partner
-
-   .. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
-      :start-after: CVE-visibility-1-begin
-      :end-before: CVE-visibility-1-end
-
-For older CentOS-based versions of |prod|:
-
-.. only:: partner
-
-   .. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
-      :start-after: CentOS-begin
-      :end-before: CentOS-end
-
-  |CVSS| v2 base scores and base vectors are used in the |CVE| fix criteria
-  The |CVE| ``Fix Criteria Policy`` is:
-
-   -  Main Fix Criteria
-
-      -  |CVSS| v2 Base score >= 7.0
-      -  Base Vector has the following:
-
-         -  Access Vector: Network
-         -  Access Complexity: Low
-         -  Authentication: None or Single
-         -  Availability Impact: Partial/Complete
-      -  A correction is available upstream
-
-   -  OR, visibility is HIGH and a correction is available upstream
-
-.. only:: partner
-
-   .. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
-      :start-after: CVE-visibility-begin
-      :end-before: CVE-visibility-end
+      -  OR, visibility was HIGH and a correction was available upstream