CVE Maintenance

On a monthly basis, the StarlingX master development branch is scanned for CVEs using the third-party tool Vulscan, which provides an unbiased view of vulnerabilities. The generated reports are reviewed by the Security team. For CVEs that meet the StarlingX CVE Fix Criteria Policy documented below, fixes are provided in the StarlingX master branch.

Note

No scans are executed and no CVE fixes are implemented on released versions or branches of StarlingX.

For the current Debian-based versions of StarlingX:

  • CVSS v3.x base scores and base metrics are used in the CVE fix criteria

  • The CVE Fix Criteria Policy is:

    • Main Fix Criteria

      • CVSS v3.x Base score >= 7.0

      • Base Metrics has the following:

        • Attack Vector: Network

        • Attack Complexity: Low

        • Privileges Required: None or Low

        • Availability Impact: High or Low

        • User Interaction: None

      • A correction is available upstream

    • OR, visibility is HIGH and a correction is available upstream

In the past, for older CentOS-based versions of StarlingX:

  • CVSS v2 base scores and base vectors were used in the CVE fix criteria

  • The CVE Fix Criteria Policy was:

    • Main Fix Criteria

      • CVSS v2 Base score >= 7.0

      • Base Vector has the following:

        • Access Vector: Network

        • Access Complexity: Low

        • Authentication: None or Single

        • Availability Impact: Partial or Complete

      • A correction was available upstream

    • OR, visibility was HIGH and a correction was available upstream
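The fix criteria above (the current CVSS v3.x rule for Debian-based releases and the older CVSS v2 rule for CentOS-based releases) can be applied mechanically to a scan report. The following is an added triage helper, not StarlingX project code: it takes a CVSS vector string in the form NVD publishes it, the base score, and the two policy inputs the text names (whether an upstream correction exists and whether visibility is HIGH), and returns whether the CVE qualifies for a fix. Function names and the `visibility_high` flag are this example's own.

```python
"""Triage helper for the StarlingX CVE fix criteria (added example, not project code)."""

# Metric values that satisfy the CVSS v3.x "Main Fix Criteria" for Debian-based releases.
V3_REQUIRED = {
    "AV": {"N"},       # Attack Vector: Network
    "AC": {"L"},       # Attack Complexity: Low
    "PR": {"N", "L"},  # Privileges Required: None or Low
    "UI": {"N"},       # User Interaction: None
    "A": {"H", "L"},   # Availability Impact: High or Low
}

# Equivalent table for the CVSS v2 criteria used for older CentOS-based releases.
V2_REQUIRED = {
    "AV": {"N"},       # Access Vector: Network
    "AC": {"L"},       # Access Complexity: Low
    "Au": {"N", "S"},  # Authentication: None or Single
    "A": {"P", "C"},   # Availability Impact: Partial or Complete
}


def parse_vector(vector):
    """Return (version, {metric: value}) for a CVSS v2 or v3.x vector string.

    v3.x vectors carry a "CVSS:3.x" prefix; v2 vectors do not and are sometimes
    wrapped in parentheses, e.g. "(AV:N/AC:L/Au:N/C:P/I:P/A:P)".
    """
    parts = vector.strip().strip("()").split("/")
    if parts[0].startswith("CVSS:3."):
        version, parts = 3, parts[1:]
    else:
        version = 2
    metrics = {}
    for part in parts:
        key, _, value = part.partition(":")
        if not key or not value:
            raise ValueError(f"malformed CVSS component: {part!r}")
        metrics[key] = value
    return version, metrics


def meets_fix_criteria(vector, base_score, correction_upstream, visibility_high=False):
    """Apply the policy: (score >= 7.0 AND required metrics AND upstream fix)
    OR (visibility HIGH AND upstream fix)."""
    if not correction_upstream:
        return False  # both branches of the policy require an upstream correction
    if visibility_high:
        return True
    version, metrics = parse_vector(vector)
    required = V3_REQUIRED if version == 3 else V2_REQUIRED
    if base_score < 7.0:
        return False
    # every required metric must be present and hold one of the accepted values
    return all(metrics.get(name) in accepted for name, accepted in required.items())
```

Scores and vectors come from the scan report; the helper only encodes the decision rule, so a CVE it rejects still needs the Security team's review for the HIGH-visibility branch.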