Defining Vulnerability Exceptions
You can flag selected vulnerabilities as exceptions for specific images and containers. An excepted vulnerability is still identified by the scan, but it is intentionally left unreported and unaddressed.
Vulnerability exceptions refer to specific vulnerabilities that have been identified within a containerized environment but are intentionally exempted from remediation measures.
Here are a few possible reasons for granting exceptions:
- False Positives: Some vulnerabilities reported may be false positives.
- Third-Party Dependencies: Certain vulnerabilities may exist in third-party libraries or components that are beyond your immediate control.
- Compatibility Issues: Applying a fix for a vulnerability might cause compatibility problems or other side effects.
Before you begin: Create a list of QIDs that you want to define as an exception. See Creating a List of Vulnerabilities.
- Go to Exceptions > Vulnerability Exceptions, and click Create Exception.
- Enter a name for the exception.
- Select a type of the exception.
- Static: You choose the images or containers to which the exception applies, and then choose the vulnerabilities to be skipped during scanning.
- Dynamic: This is the default type. You specify a QQL query, and any newly created image or container that matches the search criteria gets the vulnerability exception appended automatically.
- Select a reason for the exception and provide an explanation. You can select one of the following options:
- False Positive: if a vulnerability is a false positive.
- Risk Accepted: if the security team decides to tolerate or accept the level of risk associated with a vulnerability.
- Other: Any other reason, such as compliance requirements, patch unavailability, or operational impact.
- Specify start and end dates for the exception, and click Next.
- In Scope Details,
- For Static exception, select Images or Containers, and then select the images or containers on which the exceptions are to be added.
With Image as the scope, if you add an exception on an image, it is automatically cascaded to containers spawned from the image.
- For Dynamic exception, search images or containers to which you would like to append the exceptions.
A query search requires an exact string match, and it does not allow any wildcard entry.
The following search QQLs are supported under this exception. Their supported format is <QQL>:'<image/container name>'
- repo.tag: Applicable to the images and containers. Used to indicate a tag.
- repo.repository: Applicable to the images and containers. Used to indicate a repository.
- repo.registry: Applicable to the images and containers. Used to indicate a registry.
- cluster.k8s.pod.namespace: Applicable only to the containers. Used to indicate a cluster.
- In Vulnerability List,
- For Static exception, select a list of QIDs and click Next. You can also create a new vulnerability list on the fly while selecting a list.
You can select only one vulnerability list in an exception.
- For Dynamic exception, select the vulnerability lists that you want to add as exceptions.
- Review the details and click Submit.
- Both exception types are applied not only to current and future images or containers, but also to images and containers that have been scanned in the past 30 days.
If you want to apply an exception to an image that was scanned more than 30 days ago, you need to rescan the image.
- You cannot specify more than 50 exceptions for an image or a container.
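The following is an added example, not part of the original page and not Qualys code: a small model of how dynamic exception scoping behaves according to the rules above (the `<QQL>:'<value>'` format, exact string match with no wildcards, `cluster.k8s.pod.namespace` applying only to containers, image exceptions cascading to containers spawned from the image, and the 50-exceptions-per-asset limit). The `Image` and `Container` classes, the inventory, and the treatment of `*`, `?` and `%` as rejected wildcard characters are assumptions made for the example.

```python
"""Toy model of container vulnerability-exception scoping (added example, not product code)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple, Union

# Fields the page lists as supported, and which asset kinds each one applies to.
SUPPORTED_FIELDS = {
    "repo.tag": {"image", "container"},
    "repo.repository": {"image", "container"},
    "repo.registry": {"image", "container"},
    "cluster.k8s.pod.namespace": {"container"},
}
MAX_EXCEPTIONS_PER_ASSET = 50        # limit stated on the page
WILDCARD_CHARS = set("*?%")          # assumption: characters treated as wildcard attempts

# Format from the page: <QQL>:'<image/container name>'
QQL_RE = re.compile(r"^(?P<field>[a-z0-9.]+):'(?P<value>[^']*)'$")


@dataclass(frozen=True)
class Image:
    id: str
    registry: str
    repository: str
    tag: str


@dataclass(frozen=True)
class Container:
    id: str
    image_id: str
    namespace: str


def parse_qql(query: str) -> Tuple[str, str]:
    """Parse a query into (field, value); reject unsupported fields and wildcards."""
    m = QQL_RE.match(query.strip())
    if not m:
        raise ValueError(f"malformed query, expected <field>:'<value>': {query!r}")
    field, value = m.group("field"), m.group("value")
    if field not in SUPPORTED_FIELDS:
        raise ValueError(f"unsupported field {field!r}")
    if WILDCARD_CHARS & set(value):
        raise ValueError(f"wildcards are not allowed, match is exact: {value!r}")
    return field, value


def _attributes(asset: Union[Image, Container], images_by_id: Dict[str, Image]) -> Dict[str, str]:
    """Map an asset to the QQL field values it exposes (containers inherit repo fields)."""
    if isinstance(asset, Image):
        img, attrs = asset, {}
    else:
        img = images_by_id[asset.image_id]
        attrs = {"cluster.k8s.pod.namespace": asset.namespace}
    attrs.update({"repo.registry": img.registry, "repo.repository": img.repository, "repo.tag": img.tag})
    return attrs


def scope_dynamic_exception(query: str, images: List[Image], containers: List[Container]) -> Set[str]:
    """Return ids of the images and containers a dynamic exception with this query applies to."""
    field, value = parse_qql(query)
    images_by_id = {i.id: i for i in images}
    matched: Set[str] = set()
    for asset in [*images, *containers]:
        kind = "image" if isinstance(asset, Image) else "container"
        if kind not in SUPPORTED_FIELDS[field]:
            continue                                   # e.g. namespace never matches an image
        if _attributes(asset, images_by_id).get(field) == value:   # exact match only
            matched.add(asset.id)
    # An exception on an image cascades to containers spawned from it.
    for c in containers:
        if c.image_id in matched:
            matched.add(c.id)
    return matched


def add_exception(register: Dict[str, Set[str]], asset_ids: Iterable[str], name: str) -> Dict[str, Set[str]]:
    """Record an exception per asset, enforcing the 50-per-asset limit."""
    for aid in asset_ids:
        current = register.setdefault(aid, set())
        if name not in current and len(current) >= MAX_EXCEPTIONS_PER_ASSET:
            raise RuntimeError(f"{aid}: already has {MAX_EXCEPTIONS_PER_ASSET} exceptions")
        current.add(name)
    return register


# Constructed sample inventory (not real data).
IMAGES = [
    Image("img-web", "registry.example.com", "team/web", "1.4.2"),
    Image("img-worker", "registry.example.com", "team/worker", "1.4.2"),
    Image("img-nginx", "docker.io", "library/nginx", "1.25"),
]
CONTAINERS = [
    Container("ctr-web-1", "img-web", "prod"),
    Container("ctr-worker-1", "img-worker", "staging"),
    Container("ctr-nginx-1", "img-nginx", "prod"),
]

if __name__ == "__main__":
    print(sorted(scope_dynamic_exception("repo.tag:'1.4.2'", IMAGES, CONTAINERS)))
    print(sorted(scope_dynamic_exception("cluster.k8s.pod.namespace:'prod'", IMAGES, CONTAINERS)))
```

Running the block shows that `repo.tag:'1.4.2'` scopes both tagged images plus the containers spawned from them, while `cluster.k8s.pod.namespace:'prod'` scopes only containers; a partial value such as `'1.4'` matches nothing because the comparison is exact.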