d66fc5b4da
Addressed Patch 5 comments
Addressed Patch 4 comments
Fixed typo
Added a note to indicate CentOS is not being scanned as the master branch has Debian which is being scanned
Updated Index
Added Abbreviations
Added Includes File / Index
Fixed merge conflicts

Change-Id: I17a3c3d6e5b545e24f1530dbb3fdec8adc30b26a
Signed-off-by: Juanita Balaraj <juanita.balaraj@windriver.com>
2.4 KiB
CVE Maintenance
On a monthly basis, the master development branch of StarlingX is scanned for CVEs and the reports that are generated are reviewed by the Security team.

For CVEs which meet StarlingX's CVE Fix Criteria Policy as documented below, fixes are provided in the StarlingX master branch.

For Debian-based versions of StarlingX:

- The third party tool Vulscan is used to scan for CVEs to provide an unbiased view of vulnerabilities
- CVSS v3 base scores and base metrics are used in the fix criteria
- The Fix Criteria Policy is:
  - Main Fix Criteria
    - CVSS v3 Base score >= 7.0
    - Base Metrics has the following:
      - Attack Vector: Network
      - Attack Complexity: Low
      - Privileges Required: None or Low
      - Availability Impact: High or Low
      - User Interaction: None
    - A correction is available upstream
  - OR, visibility is HIGH and a correction is available upstream

For older CentOS-based versions of StarlingX:

- CVSS v2 base scores and base vectors are used in the fix criteria
- The Fix Criteria Policy is:
  - Main Fix Criteria
    - CVSS v2 Base score >= 7.0
    - Base Vector has the following:
      - Access Vector: Network
      - Access Complexity: Low
      - Authentication: None or Single
      - Availability Impact: Partial/Complete
    - A correction is available upstream
  - OR, visibility is HIGH and a correction is available upstream
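
The two fix-criteria lists above can be written as one triage filter over scanner results. This is an added example, not code from StarlingX or Vulscan: the `Finding` record, the function names and the sample CVE ids are constructed for illustration, and it assumes each result carries a standard CVSS vector string (v3 with the `CVSS:3.x` prefix, v2 without a prefix).

```python
from dataclasses import dataclass

# Required base-metric values, copied from the two policy lists on this page.
V3_REQUIRED = {"AV": {"N"}, "AC": {"L"}, "PR": {"N", "L"}, "UI": {"N"}, "A": {"H", "L"}}
V2_REQUIRED = {"AV": {"N"}, "AC": {"L"}, "Au": {"N", "S"}, "A": {"P", "C"}}

@dataclass
class Finding:  # hypothetical record shape for one scanner result
    cve_id: str
    base_score: float
    vector: str
    fix_upstream: bool
    high_visibility: bool = False

def parse_vector(vector: str) -> dict:
    """Split 'CVSS:3.1/AV:N/AC:L/...' or 'AV:N/AC:L/Au:N/...' into a dict."""
    metrics = {}
    for part in vector.split("/"):
        key, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed metric {part!r}")
        metrics[key] = value
    return metrics

def meets_fix_criteria(f: Finding) -> bool:
    """Main criteria, OR high visibility; both need an upstream correction."""
    if not f.fix_upstream:
        return False
    if f.high_visibility:
        return True
    metrics = parse_vector(f.vector)
    required = V3_REQUIRED if metrics.get("CVSS", "").startswith("3") else V2_REQUIRED
    return f.base_score >= 7.0 and all(metrics.get(k) in ok for k, ok in required.items())

# Constructed sample findings (placeholder ids, not real CVEs).
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", True),
    Finding("CVE-0000-0002", 7.5, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", True),
    Finding("CVE-0000-0003", 7.8, "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", True),
    Finding("CVE-0000-0004", 7.5, "AV:N/AC:L/Au:N/C:P/I:P/A:P", True),
    Finding("CVE-0000-0005", 5.3, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", True, True),
    Finding("CVE-0000-0006", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", False),
]

def triage(findings):
    return [f.cve_id for f in findings if meets_fix_criteria(f)]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The second sample shows why the score alone is not enough: a 7.5 network-reachable finding with no availability impact falls outside the main criteria.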