Question: mapping result from Vulnerability- & ConfigAudit-Reports

Question

Question: mapping result from Vulnerability- & ConfigAudit-Reports

sudoleg opened this issue 6 months ago · comments

Hey, I don't quite understand how the result (pass, skip, warn, error, or fail) is mapped from Vulnerability- & ConfigAudit-Reports.

Based on my observations, I guess that for VulnerabilityReports, if a CVE has a critical/high score, the result is fail. For low to medium scores it's warn.
And for ConfigAuditReport it's always fail if a resource doesn't pass the evaluation.

Is my understanding correct? Otherwise I would be very happy if someone could provide a brief explanation :)

Frank Jogeleit · Answer 1 · Wed Feb 07 2024 18:55:10 GMT+0800 (China Standard Time)

Hey,

correct, in case of VulnerabilityReport the result mapping is resolved by severity

https://github.com/fjogeleit/trivy-operator-polr-adapter/blob/main/pkg/adapters/shared/severity.go#L24

In case of ConfigAuditReports its based on the "success" flag

Success: false => fail Result
Success: true => pass Result

Oleg Korznikov · Answer 2 · Wed Feb 07 2024 21:38:14 GMT+0800 (China Standard Time)

ok, I understand. Thank you :)