.. _cve-maintenance-723cd9dd54b3:

===============
CVE Maintenance
===============

On a monthly basis, the master development branch of |prod| is scanned for
|CVE|'s and the reports that are generated are reviewed by the Security team.

.. only:: partner

   .. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
      :start-after: begin-CVE
      :end-before: end-CVE

.. only:: starlingx

   For |CVE|'s which meet StarlingX's ``CVE Fix Criteria Policy`` as
   documented below, fixes are provided for the |CVE| in the StarlingX master
   branch.

For Debian-based versions of |prod| |deb-release-ver|:

.. only:: partner

   .. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
      :start-after: Debian-begin
      :end-before: Debian-end

-  The third party tool ``Vulscan`` is used to scan for |CVE|'s to provide an
   unbiased view of vulnerabilities

-  |CVSS| v3 base scores and base metrics are used in the |CVE| fix criteria

-  The |CVE| ``Fix Criteria Policy`` is:

   -  Main Fix Criteria

      -  |CVSS| v3 Base score >= 7.0

      -  Base Metrics has the following:

         -  Attack Vector: Network
         -  Attack Complexity: Low
         -  Privileges Required: None or Low
         -  Availability Impact: High or Low
         -  User Interaction: None

      -  A correction is available upstream

   -  OR, visibility is HIGH and a correction is available upstream

.. only:: partner

   .. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
      :start-after: CVE-visibility-1-begin
      :end-before: CVE-visibility-1-end

For older CentOS-based versions of |prod|:

.. only:: partner

   .. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
      :start-after: CentOS-begin
      :end-before: CentOS-end

-  |CVSS| v2 base scores and base vectors are used in the |CVE| fix criteria

-  The |CVE| ``Fix Criteria Policy`` is:

   -  Main Fix Criteria

      -  |CVSS| v2 Base score >= 7.0

      -  Base Vector has the following:

         -  Access Vector: Network
         -  Access Complexity: Low
         -  Authentication: None or Single
         -  Availability Impact: Partial/Complete

      -  A correction is available upstream

   -  OR, visibility is HIGH and a correction is available upstream

.. only:: partner

   .. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
      :start-after: CVE-visibility-begin
      :end-before: CVE-visibility-end

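
An added example, not part of the StarlingX documentation or tooling: the |CVSS| v3 ``Fix Criteria Policy`` for Debian-based versions written as a triage check over scanner findings. The function names, the ``high_visibility`` flag (this page does not say how visibility is rated) and the sample findings with placeholder CVE ids are assumptions constructed for illustration; base scores are taken as scanner input rather than recomputed.

```python
# Added example: triage scanner findings against the CVSS v3 fix criteria.
REQUIRED = {            # metric -> accepted values, from the Base Metrics list
    "AV": {"N"},        # Attack Vector: Network
    "AC": {"L"},        # Attack Complexity: Low
    "PR": {"N", "L"},   # Privileges Required: None or Low
    "A":  {"H", "L"},   # Availability Impact: High or Low
    "UI": {"N"},        # User Interaction: None
}
MIN_SCORE = 7.0

def parse_vector(vector):
    """Split 'CVSS:3.x/AV:N/...' into a metric dict; reject non-v3 vectors."""
    prefix, _, rest = vector.partition("/")
    if not prefix.startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = dict(part.split(":", 1) for part in rest.split("/"))
    missing = REQUIRED.keys() - metrics.keys()
    if missing:
        raise ValueError(f"vector lacks metrics: {sorted(missing)}")
    return metrics

def unmet_criteria(score, vector, fix_upstream, high_visibility=False):
    """Return the unmet criteria; an empty list means the CVE qualifies."""
    if not fix_upstream:
        return ["no upstream correction"]   # required by both branches
    if high_visibility:
        return []                           # OR branch: visibility HIGH + fix
    metrics = parse_vector(vector)
    unmet = [] if score >= MIN_SCORE else [f"score {score} < {MIN_SCORE}"]
    unmet += [f"{m}:{metrics[m]}" for m, ok in REQUIRED.items() if metrics[m] not in ok]
    return unmet

# Constructed sample findings (placeholder ids, not real CVEs).
FINDINGS = [
    ("CVE-XXXX-0001", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", True, False),
    ("CVE-XXXX-0002", 7.8, "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", True, False),
    ("CVE-XXXX-0003", 7.5, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", True, False),
    ("CVE-XXXX-0004", 5.5, "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", True, True),
]

def triage(findings):
    """Map each CVE id to its list of unmet criteria."""
    return {cve: unmet_criteria(*rest) for cve, *rest in findings}

if __name__ == "__main__":
    for cve, unmet in triage(FINDINGS).items():
        print(cve, "FIX" if not unmet else "skip: " + ", ".join(unmet))
```

The third finding scores 7.5 with a network attack vector yet is skipped, because an Availability Impact of None is not among the accepted values; the fourth qualifies only through the visibility branch.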