SUSE Rancher’s CVE Triage Workflow for Software Dependencies

This document (000021574) is provided subject to the disclaimer at the end of this document.

Environment

The information applies to the following SUSE products:

  • Rancher Prime
  • RKE
  • RKE2
  • K3s
  • Harvester
  • Longhorn
  • NeuVector

Situation

Keeping software dependencies in source code, binaries and container images constantly up to date to fix security vulnerabilities, aka CVEs (Common Vulnerabilities and Exposures), is a process that requires a well-defined workflow. Updating a dependency to fix one CVE can require dozens of subsequent updates to propagate the fix to all the places where the affected component is used. This is especially true for container images, each of which is composed of multiple binaries and is used in complex cloud native solution stacks, like SUSE Rancher Prime.

Resolution

For security vulnerabilities and CVEs in software dependencies and container images affecting the listed products, SUSE’s engineering teams and the Rancher Security team follow the workflow presented below to triage and identify how and where to fix such CVEs.

If you want to learn more and dive into how SUSE® Rancher Prime automation fixes CVEs to fortify security in containers and dependencies, please check out our blog post.

Note: consult Rancher’s VEX Hub repo for a higher resolution version of the workflow.

The process contains steps to identify where the CVE is (inside the container image base layer or in a binary); who owns the affected component (made by SUSE or imported from an upstream third party); and how to propagate the fix until it reaches a development version of the listed products. The workflow also covers steps for marking CVEs as false positives with VEX (check KB 000021573 for more information about this) and for marking container images as no longer supported and EOL (end of life).

This workflow is part of a bigger process in SUSE Rancher related to the continuous and automated CVE scans of container images that are shipped in SUSE Rancher Prime. Our scans are capable of identifying CVEs in direct and indirect dependencies that we use to build our software (binaries) as well as in OS level packages inside the container images.

The CVE fixes are prioritized internally for the issues that have a greater probability of directly impacting the listed products. They are constantly being scheduled and applied in upcoming releases of those products.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000021574
  • Creation Date: 01-Oct-2024
  • Modified Date: 08-Oct-2024
    • SUSE Rancher
