From d66fc5b4dab6d4d35800bd581cf39d814d4a610f Mon Sep 17 00:00:00 2001 From: Juanita-Balaraj Date: Tue, 1 Nov 2022 23:46:02 -0400 Subject: [PATCH] CVSS v3 Adoption for OS Addressed Patch 5 comments Addressed Patch 4 comments Fixed typo Added a note to indicate CentOS is not being scanned as the master branch has Debian which is being scanned Updated Index Added Abbreviations Added Includes File / Index Fixed merge conflicts Change-Id: I17a3c3d6e5b545e24f1530dbb3fdec8adc30b26a Signed-off-by: Juanita Balaraj --- .../cve-maintenance-0eaf7f8697bc.rest | 15 ++++ .../cve-maintenance-723cd9dd54b3.rst | 84 +++++++++++++++++++ .../index-security-kub-81153c1254c3.rst | 10 +++ doc/source/shared/abbrevs.txt | 2 + 4 files changed, 111 insertions(+) create mode 100644 doc/source/_includes/cve-maintenance-0eaf7f8697bc.rest create mode 100644 doc/source/security/kubernetes/cve-maintenance-723cd9dd54b3.rst diff --git a/doc/source/_includes/cve-maintenance-0eaf7f8697bc.rest b/doc/source/_includes/cve-maintenance-0eaf7f8697bc.rest new file mode 100644 index 000000000..0a9accd91 --- /dev/null +++ b/doc/source/_includes/cve-maintenance-0eaf7f8697bc.rest @@ -0,0 +1,15 @@ + +.. begin-CVE +.. end-CVE + +.. CentOS-begin +.. CentOS-end + +.. CVE-visibility-begin +.. CVE-visibility-end + +.. Debian-begin +.. Debian-end + +.. CVE-visibility-1-begin +.. CVE-visibility-1-end diff --git a/doc/source/security/kubernetes/cve-maintenance-723cd9dd54b3.rst b/doc/source/security/kubernetes/cve-maintenance-723cd9dd54b3.rst new file mode 100644 index 000000000..558d07cff --- /dev/null +++ b/doc/source/security/kubernetes/cve-maintenance-723cd9dd54b3.rst 
@@ -0,0 +1,84 @@ +.. _cve-maintenance-723cd9dd54b3: + +=============== +CVE Maintenance +=============== + +On a monthly basis, the master development branch of |prod| is scanned for +|CVE|'s and the reports that are generated are reviewed by the Security team. + +.. only:: partner + + .. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest + :start-after: begin-CVE + :end-before: end-CVE + +.. only:: starlingx + + For |CVE|'s which meet StarlingX's ``CVE Fix Criteria Policy`` as documented + below, fixes are provided for the |CVE| in the StarlingX master branch. + +For Debian-based versions of |prod| |deb-release-ver|: + +.. only:: partner + + .. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest + :start-after: Debian-begin + :end-before: Debian-end + +- The third party tool ``Vulscan`` is used to scan for |CVE|'s to provide an + unbiased view of vulnerabilities + +- |CVSS| v3 base scores and base metrics are used in the |CVE| fix criteria + +- The |CVE| ``Fix Criteria Policy`` is: + + - Main Fix Criteria + + - |CVSS| v3 Base score >= 7.0 + - Base Metrics has the following: + + - Attack Vector: Network + - Attack Complexity: Low + - Privileges Required: None or Low + - Availability Impact: High or Low + - User Interaction: None + - A correction is available upstream + + - OR, visibility is HIGH and a correction is available upstream + +.. only:: partner + + .. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest + :start-after: CVE-visibility-1-begin + :end-before: CVE-visibility-1-end + +For older CentOS-based versions of |prod|: + +.. only:: partner + + .. 
include:: /_includes/cve-maintenance-0eaf7f8697bc.rest + :start-after: CentOS-begin + :end-before: CentOS-end + +- |CVSS| v2 base scores and base vectors are used in the |CVE| fix criteria +- The |CVE| ``Fix Criteria Policy`` is: + + - Main Fix Criteria + + - |CVSS| v2 Base score >= 7.0 + - Base Vector has the following: + + - Access Vector: Network + - Access Complexity: Low + - Authentication: None or Single + - Availability Impact: Partial/Complete + - A correction is available upstream + + - OR, visibility is HIGH and a correction is available upstream + +.. only:: partner + + .. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest + :start-after: CVE-visibility-begin + :end-before: CVE-visibility-end diff --git a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst index e90b43307..d2bed92bd 100644 --- a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst +++ b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst @@ -217,6 +217,16 @@ Authentication of Software Delivery authentication-of-software-delivery +*************** +CVE Maintenance +*************** + +.. toctree:: + :maxdepth: 1 + + cve-maintenance-723cd9dd54b3 + + ******************************************************* Security Feature Configuration for Spectre and Meltdown ******************************************************* diff --git a/doc/source/shared/abbrevs.txt b/doc/source/shared/abbrevs.txt index 72a8e11cd..24e0ff3e5 100755 --- a/doc/source/shared/abbrevs.txt +++ b/doc/source/shared/abbrevs.txt 
@@ -35,6 +35,7 @@ .. |CSK| replace:: :abbr:`CSK (Code Signing Key)` .. |CSKs| replace:: :abbr:`CSKs (Code Signing Keys)` .. |CVE| replace:: :abbr:`CVE (Common Vulnerabilities and Exposures)` +.. |CVSS| replace:: :abbr:`CVSS (Common Vulnerability Scoring System)` .. |DAD| replace:: :abbr:`DAD (Duplicate Address Detection)` .. |DC| replace:: :abbr:`DC (Distributed Cloud)` .. |DOR| replace:: :abbr:`DOR (Dead Office Recovery)` @@ -187,3 +188,4 @@ .. |WAD| replace:: :abbr:`WAD (Windows Active Directory)` .. |XML| replace:: :abbr:`XML (eXtensible Markup Language)` .. |YAML| replace:: :abbr:`YAML (YAML Ain't Markup Language)` +
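Review bot: the marker names in the new doc/source/_includes/cve-maintenance-0eaf7f8697bc.rest mix two conventions (`begin-CVE`/`end-CVE` versus `CentOS-begin`/`CentOS-end`, `Debian-begin`/`Debian-end`), which makes the `:start-after:`/`:end-before:` options in the consuming page easy to mistype; rename the first pair to `CVE-begin`/`CVE-end` and update the matching include. The commit message also says a note was added stating that CentOS is not being scanned, but every marker pair in this file is empty and no such note appears in the CentOS section of the new page, so either the note is missing or the message overstates the change.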
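Review bot: the Debian "Main Fix Criteria" in cve-maintenance-723cd9dd54b3.rst constrain only Availability Impact (High or Low) and never mention Confidentiality Impact or Integrity Impact, so a network-reachable, low-complexity CVE with a base score >= 7.0 whose vector has Availability: None but Confidentiality: High (a pure data-disclosure bug) does not meet the main criteria and is fixed only if its visibility is HIGH; the CentOS v2 criteria have the same gap ("Availability Impact: Partial/Complete"). State explicitly whether that exclusion is intended, or add a line such as `- Confidentiality Impact or Integrity Impact: High or Low` to the v3 list and the v2 equivalent. Smaller points in the same file: the policy is called ``CVE Fix Criteria Policy`` in the starlingx block but ``Fix Criteria Policy`` in the two bullets, the v3 list says "Base Metrics has the following" while the v2 list says "Base Vector has the following", and the plural is written `|CVE|'s` throughout, which renders as a possessive; add a `|CVEs|` substitution to abbrevs.txt and use it instead.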
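Review bot: the second abbrevs.txt hunk (`@@ -187,3 +188,4 @@`) only appends an empty line after the `|YAML|` entry, which is unrelated to the CVSS addition and leaves the file ending in a blank line; drop it so the change is limited to the new `|CVSS|` substitution.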