Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

research(OS_Scan): Research on how to handle component version in policy violation based scanners #246

Open
2 of 3 tasks
lolaapenna opened this issue Sep 24, 2024 · 3 comments · May be fixed by #293
Open
2 of 3 tasks
Assignees

Comments

@lolaapenna
Copy link
Collaborator

lolaapenna commented Sep 24, 2024

Task Description

For the Open Stack Policy scan, we have the first policy violations instead of vulnerabilities and also new kinds of components. This comes with the question of whether the same schema needs/should be applied.

Currently, we do have components that can have multiple versions and those versions can have instances:

erDiagram
    ComponentInstance       }o--|| ComponentVersion: "is an instance of" 
    ComponentVersion        }|--|| Component: "is a version of"
Loading

For an OpenStack Entity such as a Security Group the question now arises if we want to store and represent data in a similar format.

Possible options could be:

  • Do not use components and component versions and create component instances/issue matches directly
  • Do use the same schema but enhance component versions with context information, and use a hash sum of the context as a version identifier
  • Other...

Acceptance Criteria:

  • Have decision drivers worked out
  • ADR created with multiple options evaluated
  • Informed decision taken
@lolaapenna
Copy link
Collaborator Author

A meeting will be scheduled to sync further (David, Michael and Max).

@drochow drochow closed this as completed Oct 7, 2024
@drochow
Copy link
Collaborator

drochow commented Oct 7, 2024

We did have a sync and did a preliminary decision! ADR follows

@lolaapenna
Copy link
Collaborator Author

pending @drochow review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants