13a03e6cd2
Updated patchset 5 comments
Indented Text only
Updated patchset 3 comments
Removed Partner information and only retained information specific to StarlingX
Change-Id: Ibc8da0d9772422ee09fb46759730ada2c1ac12b2
Signed-off-by: Juanita Balaraj <juanita.balaraj@windriver.com>
CVE Maintenance
On a monthly basis, the master development branch of StarlingX is scanned for CVEs using the third-party tool Vulscan, to provide an unbiased view of vulnerabilities. The generated reports are reviewed by the Security team. For CVEs which meet StarlingX's CVE Fix Criteria Policy, as documented below, fixes are provided in the StarlingX master branch.
Note
No scans are executed, and no fixes are implemented, on the released versions / branches of StarlingX.
For the current Debian-based versions of StarlingX:

- CVSS v3.x base scores and base metrics are used in the fix criteria
- The Fix Criteria Policy is:

  - Main Fix Criteria:

    - v3.x Base score >= 7.0
    - Base Metrics has the following:

      - Attack Vector: Network
      - Attack Complexity: Low
      - Privileges Required: None or Low
      - Availability Impact: High or Low
      - User Interaction: None

    - A correction is available upstream

  - OR, visibility is HIGH and a correction is available upstream
In the past, for older CentOS-based versions of StarlingX:

- CVSS v2 base scores and base vectors were used in the fix criteria
- The Fix Criteria Policy was:

  - Main Fix Criteria:

    - v2 Base score >= 7.0
    - Base Vector has the following:

      - Access Vector: Network
      - Access Complexity: Low
      - Authentication: None or Single
      - Availability Impact: Partial/Complete

    - A correction was available upstream

  - OR, visibility was HIGH and a correction was available upstream
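As an added illustration (not StarlingX's own tooling), the following Python helper parses a standard CVSS vector string and applies the two fix-criteria policies above to decide whether a scanned CVE is in scope for a fix. The function and table names are my own, and the vector strings in the usage call are constructed samples.

```python
# Required base-metric values from the Debian-era (CVSS v3.x) policy.
V3_REQUIRED = {
    "AV": {"N"},       # Attack Vector: Network
    "AC": {"L"},       # Attack Complexity: Low
    "PR": {"N", "L"},  # Privileges Required: None or Low
    "A":  {"H", "L"},  # Availability Impact: High or Low
    "UI": {"N"},       # User Interaction: None
}

# Required base-vector values from the older CentOS-era (CVSS v2) policy.
V2_REQUIRED = {
    "AV": {"N"},       # Access Vector: Network
    "AC": {"L"},       # Access Complexity: Low
    "Au": {"N", "S"},  # Authentication: None or Single
    "A":  {"P", "C"},  # Availability Impact: Partial/Complete
}


def parse_vector(vector: str) -> dict:
    """Split a CVSS vector such as 'CVSS:3.1/AV:N/AC:L/...' into {metric: value}."""
    metrics = {}
    for item in vector.split("/"):
        key, _, value = item.partition(":")
        if key.upper() == "CVSS":  # version prefix (CVSS:3.0 / CVSS:3.1), not a metric
            continue
        metrics[key] = value
    return metrics


def meets_fix_criteria(score: float, vector: str, upstream_fix: bool,
                       high_visibility: bool = False) -> bool:
    """Main criteria: score >= 7.0 AND all required metrics AND an upstream fix.
    Alternative: visibility HIGH AND an upstream fix (score/metrics not required)."""
    if not upstream_fix:          # both branches of the policy need a correction upstream
        return False
    if high_visibility:
        return True
    if vector.upper().startswith("CVSS:3"):
        required = V3_REQUIRED
    elif vector.upper().startswith("CVSS:"):
        raise ValueError("only CVSS v2 and v3.x vectors are covered by this policy")
    else:
        required = V2_REQUIRED    # v2 vectors carry no version prefix
    if score < 7.0:
        return False
    metrics = parse_vector(vector)
    return all(metrics.get(key) in allowed for key, allowed in required.items())


if __name__ == "__main__":  # constructed sample: a remotely reachable, unauthenticated v3.1 finding
    print(meets_fix_criteria(9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", True))
```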