Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

research(OS_Scan): Research on how to handle component version in policy violation based scanners #246

Open
2 of 3 tasks
lolaapenna opened this issue Sep 24, 2024 · 2 comments · May be fixed by #293
Open
2 of 3 tasks

research(OS_Scan): Research on how to handle component version in policy violation based scanners #246

lolaapenna opened this issue Sep 24, 2024 · 2 comments · May be fixed by #293
Assignees
@drochow @MR2011 @maxwellL21
Milestone
Basic Openstack L...

Comments

@lolaapenna
Copy link
Collaborator

lolaapenna commented Sep 24, 2024
edited
Loading

Task Description

For the Open Stack Policy scan, we have the first policy violations instead of vulnerabilities and also new kinds of components. This comes with the question of whether the same schema needs/should be applied.

Currently, we do have components that can have multiple versions and those versions can have instances:

erDiagram
    ComponentInstance       }o--|| ComponentVersion: "is an instance of" 
    ComponentVersion        }|--|| Component: "is a version of"
Loading

For an OpenStack Entity such as a Security Group the question now arises if we want to store and represent data in a similar format.

Possible options could be:

  • Do not use components and component versions and create component instances/issue matches directly
  • Do use the same schema but enhance component versions with context information, and use a hash sum of the context as a version identifier
  • Other...

Acceptance Criteria:

  • Have decision drivers worked out
  • ADR created with multiple options evaluated
  • Informed decision taken
@lolaapenna
Copy link
Collaborator Author

A meeting will be scheduled to sync further (David, Michael and Max).

@drochow drochow closed this as completed Oct 7, 2024
@drochow
Copy link
Collaborator

drochow commented Oct 7, 2024

We did have a sync and did a preliminary decision! ADR follows

@drochow drochow reopened this Oct 7, 2024
maxwellL21 pushed a commit that referenced this issue Oct 16, 2024
doc(adr): Added component versioning ADR for policy scanning (#246)
ad04bca
maxwellL21 added a commit that referenced this issue Oct 16, 2024
@maxwellL21
doc(adr): fixed broken url for image (#246)
d275f8d
@maxwellL21 maxwellL21 linked a pull request Oct 16, 2024 that will close this issue
Open
26 tasks
maxwellL21 added a commit that referenced this issue Oct 24, 2024
@maxwellL21
doc(adr): replaced images with diagram as code (#246)
a519742
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@drochow drochow

@MR2011 MR2011

@maxwellL21 maxwellL21

Labels
None yet
Projects
None yet
Milestone
Basic Openstack Landscape Compliance ...
Development

Successfully merging a pull request may close this issue.

ADR - Handling component version in policy violation based scanners cloudoperators/heureka
5 participants
@drochow @MR2011 @BlakePatterson @maxwellL21 @lolaapenna