CVE Maintenance
On a monthly basis, the StarlingX master development branch is scanned
for CVEs using the third-party tool Vulscan, to provide an unbiased view
of vulnerabilities. The generated reports are reviewed by the Security team.
For CVEs that meet StarlingX's CVE Fix Criteria Policy, as documented
below, fixes are provided on the StarlingX master branch.
Note
No scans are executed, and no CVE fixes are implemented, on the released versions / branches of StarlingX.
For the current Debian-based versions of StarlingX:
CVSS v3.x base scores and base metrics are used in the CVE fix criteria.
The CVE Fix Criteria Policy is:

Main Fix Criteria
  CVSS v3.x Base score >= 7.0
  Base Metrics have all of the following:
    Attack Vector: Network
    Attack Complexity: Low
    Privileges Required: None or Low
    Availability Impact: High or Low
    User Interaction: None
  A correction is available upstream

OR, visibility is HIGH and a correction is available upstream
In the past, for older CentOS-based versions of StarlingX:
CVSS v2 base scores and base vectors were used in the CVE fix criteria.
The CVE Fix Criteria Policy was:

Main Fix Criteria
  CVSS v2 Base score >= 7.0
  Base Vector has all of the following:
    Access Vector: Network
    Access Complexity: Low
    Authentication: None or Single
    Availability Impact: Partial or Complete
  A correction was available upstream

OR, visibility was HIGH and a correction was available upstream