|Welcome||FAQ||Inclusion Process||Roadmap||Security Tab||Mitigation Notes||JFrog Container Registry||Inclusion from Source|
Security Mitigation Notes
Security Mitigation Notes are a way for you as the chart maintainer to add notes on our UI that users can read to understand the status of vulnerabilities. Your high severity vulnerabilities are hidden by default to give you time to mitigate.
Opt-in to show high severity vulnerabilities
Once you add mitigation notes to any high severity vulnerability using the security-mitigation.yaml (outlined below), you are opting-in for us to make all of your vulnerability information available on the UI.
You can use the spec below to fill out the security-mitigation.yaml file to get these notes on the security tab of your chart on ChartCenter. Once we’ve received the filled out security-mitigation.yaml, you will receieve a confirmation and your mitigation summary and indvidiual CVE notes will be available on the UI for everyone.
Please note that high severity vulnerabilities are hidden on the UI be default, but once you include your security-migitation.yaml with any high CVE tagged, your high vulnerabiliteis will be activated and we will publish details of high vulnerabilities on the security tab as well.
Once you add a single CVE note on a high vulnerability and send us the file, you are opting in for us to activate details for all high vulnerabilities.
This spec will walk you through how to the should be filled out.
Here is the Spec:
You can get a copy of the security-mitigation.yaml file here.
Security mitigation provides the ability for producers to specify mitigation notes for security issues associated with their Helm chart with their consumers.
These mitigation notes will appear on the security tab of your Helm chart on ChartCenter.
The security mitigation spec supports 3 use cases:
- Ability for producers to provide overall and/or CVE specific mitigation information.
- Ability for producers to point security to a mitigation website that is hosted externally on a wiki / webpage.
- Ability for producers to point to externally hosted security-mitigation.yaml file.
Here are the fields:
|summary||Overall mitigation summary that applies to all chart versions||text|
|securityAdvisoryUrl||Link pointing to a mitigation information hosted externally such as wiki, web page, etc.||url|
|useMitigationExternalFile||true means security-mitigation.yaml is hosted somewhere else. false means the content of the current file represents security mitigation information. Default value: false||true/false|
|mitigationExternalFileUrl||If useMitigationExternalFile is set to true, then this parameter points to a url of externally hosted security-mitigation.yaml||url|
|mitigations: cves||List of CVEs for which mitigation notes are being provided.||CVE-YYYY-NNNN|
|mitigations: cves: affectedPackageUri||Indicates package Uri for which the security mitigation is provided. Currently we support only two package uri: Docker docker://docker.io/bitnami/postgres Helm helm://artifactory||uri|
|mitigations: cves: affectedVersions||SemVer Constraint from Masterminds/semver as used on Chart.yaml for kubeVersion specifying which versions should use the mitigation information.||Example: “> 1.2.x||< 2.5.8”|
|mitigations: cves: description||Mitigation notes at CVE level.||text description|
Example 1: Ability for producers to provide overall and/or CVE specific mitigation information.
schemaVersion: v1 summary: Security mitigation information for this application is tracked by the security-mitigation.yaml file that's part of this helm chart. mitigations: - cves: - CVE-2019-1010022 affectedPackageUri: helm://rimusz/security-sample-chart affectedVersions: "<= 0.1.5" description: This security mitigation information for CVE-2019-10100 applies to the specified affectedVersions of charts. - cves: - CVE-2019-11888 affectedPackageUri: docker://docker.io/rimusz/security-sample-app affectedVersions: "<= 0.1.1" description: This CVE is applicable for applications running on Windows. This application currently doesn't support Windows OS, hence this CVE does not impact our users.
Example 2: Ability for producers point security mitigation information that is hosted externally on wiki / webpage.
schemaVersion: v1 summary: Artifactory helm chart is secure and details are mentioned in the security advisory page. securityAdvisoryUrl: https://jfrog.com/artifactory/security-advisory.html
Example 3: Ability for producers to point to externally hosted security-mitigation.yaml file.
schemaVersion: v1 summary: Artifactory helm chart is secure and details are mentioned in the security advisory page. securityAdvisoryUrl: https://jfrog.com/artifactory/security-advisory.html mitigationExternalFileUrl: https://jfrog.com/artifactory/security-mitigation.yaml
Presence of security-mitigation.yaml also represents intent for producers to be transparent with all high severity issues with their consumers.
Explanation: once a mitigation note is provied for 1 high CVE, all high CVEs will be activiated and made public in the UI.
Example 1: Let’s assume that application A has 5 high severity issues. If mitigation information is provided for 1 CVE that has high severity, then all 5 security issues will be made public on the UI.
Should you have any questions, please email us at email@example.com