Welcome FAQ Inclusion Process Roadmap Security Tab Mitigation Notes JFrog Container Registry Inclusion from Source

Security Mitigation Notes

Security Mitigation Notes are a way for you as the chart maintainer to add notes on our UI that users can read to understand the status of vulnerabilities. Your high severity vulnerabilities are hidden by default to give you time to mitigate.

Opt-in to show high severity vulnerabilities

Once you add mitigation notes to any high severity vulnerability using the security-mitigation.yaml (outlined below), you are opting-in for us to make all of your vulnerability information available on the UI.

Mitigation

You can use the spec below to fill out the security-mitigation.yaml file to get these notes on the security tab of your chart on ChartCenter. Once we’ve received the filled out security-mitigation.yaml, you will receieve a confirmation and your mitigation summary and indvidiual CVE notes will be available on the UI for everyone.

Please note that high severity vulnerabilities are hidden on the UI be default, but once you include your security-migitation.yaml with any high CVE tagged, your high vulnerabiliteis will be activated and we will publish details of high vulnerabilities on the security tab as well.

Once you add a single CVE note on a high vulnerability and send us the file, you are opting in for us to activate details for all high vulnerabilities.

This spec will walk you through how to the should be filled out.

Here is the Spec:

You can get a copy of the security-mitigation.yaml file here.

Example

Security mitigation provides the ability for producers to specify mitigation notes for security issues associated with their Helm chart with their consumers.

These mitigation notes will appear on the security tab of your Helm chart on ChartCenter.

The security mitigation spec supports 3 use cases:

Here are the fields:

Field Description Type    
summary Overall mitigation summary that applies to all chart versions text    
securityAdvisoryUrl Link pointing to a mitigation information hosted externally such as wiki, web page, etc. url    
useMitigationExternalFile true means security-mitigation.yaml is hosted somewhere else. false means the content of the current file represents security mitigation information. Default value: false true/false    
mitigationExternalFileUrl If useMitigationExternalFile is set to true, then this parameter points to a url of externally hosted security-mitigation.yaml url    
mitigations: cves List of CVEs for which mitigation notes are being provided. CVE-YYYY-NNNN    
mitigations: cves: affectedPackageUri Indicates package Uri for which the security mitigation is provided. Currently we support only two package uri: Docker docker://docker.io/bitnami/postgres Helm helm://artifactory uri    
mitigations: cves: affectedVersions SemVer Constraint from Masterminds/semver as used on Chart.yaml for kubeVersion specifying which versions should use the mitigation information. Example: “> 1.2.x   < 2.5.8”
mitigations: cves: description Mitigation notes at CVE level. text description    

Examples

Example 1: Ability for producers to provide overall and/or CVE specific mitigation information.

schemaVersion: v1
summary: Security mitigation information for this application is tracked by the security-mitigation.yaml file that's part of this helm chart.
mitigations:
  - cves:
      - CVE-2019-1010022
    affectedPackageUri: helm://rimusz/security-sample-chart
    affectedVersions: "<= 0.1.5"
    description: This security mitigation information for CVE-2019-10100 applies to the specified affectedVersions of charts.
  - cves:
      - CVE-2019-11888
    affectedPackageUri: docker://docker.io/rimusz/security-sample-app
    affectedVersions: "<= 0.1.1"
    description: This CVE is applicable for applications running on Windows. This application currently doesn't support Windows OS, hence this CVE does not impact our users.

Example 2: Ability for producers point security mitigation information that is hosted externally on wiki / webpage.

schemaVersion: v1
summary: Artifactory helm chart is secure and details are mentioned in the security advisory page. 
securityAdvisoryUrl: https://jfrog.com/artifactory/security-advisory.html

Example 3: Ability for producers to point to externally hosted security-mitigation.yaml file.

schemaVersion: v1
summary: Artifactory helm chart is secure and details are mentioned in the security advisory page. 
securityAdvisoryUrl: https://jfrog.com/artifactory/security-advisory.html
mitigationExternalFileUrl: https://jfrog.com/artifactory/security-mitigation.yaml

Presence of security-mitigation.yaml also represents intent for producers to be transparent with all high severity issues with their consumers.

Explanation: once a mitigation note is provied for 1 high CVE, all high CVEs will be activiated and made public in the UI.

Example 1: Let’s assume that application A has 5 high severity issues. If mitigation information is provided for 1 CVE that has high severity, then all 5 security issues will be made public on the UI.

Should you have any questions, please email us at chartcenter@jfrog.com