Note: This project is expected to be released in fall 2021. Dates are not yet confirmed.
Dear Rancher customers,
We are excited to announce that Rancher will soon share security scan results for the images in a Rancher release. This information will include CVE IDs, status, and notes or remediation plans where available. The new scanning process will reduce the patching cycle time for Rancher images.
Which images will be scanned?
The new scanning process will be driven by the images.txt file already shipped with Rancher releases. This list includes all core Rancher components along with the images that power individual features. Automated processes will pick up any new images added to the product over time.
Which CVEs will be listed?
Any image containing a current CVE that our scanner rates as high or above will be listed. As new CVEs are reported, or new images with existing high-or-above CVEs are brought into the pipeline, the Rancher team will be alerted automatically and will triage the vulnerability.
What information can we expect?
For each image listed we will show:
- Image name
- CVE ID
- Severity level
- Package name
- Status of patch
- For mirrored images, the current upstream state
- For Rancher-maintained images, the status in the Rancher pipeline
This information will be provided as a CSV on the release.
It will also be available on an HTML page that will be publicly accessible and updated weekly.
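As an added example (not Rancher's own tooling), here is a consumer-side parser for the CSV described above: it keeps only high or critical findings that are not already resolved, optionally narrows them to the images a cluster actually runs, and maps each finding to the remediation path described in the section that follows. The header names, status vocabulary, the "mirrored-" name prefix and the CVE numbers are assumptions and placeholders.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout the announcement lists. Header names,
# status vocabulary and CVE numbers are placeholders, not Rancher's published format.
SAMPLE_CSV = """image,cve_id,severity,package,status,upstream_state,rancher_pipeline
rancher/rancher:v2.6.0,CVE-0000-0001,Critical,libexample,open,,in-progress
rancher/rancher:v2.6.0,CVE-0000-0002,Medium,libother,open,,triage
rancher/mirrored-coredns:v1.8.4,CVE-0000-0003,High,libexample,open,fix released upstream,
rancher/fleet-agent:v0.3.6,CVE-0000-0004,High,libfoo,wontfix,,documented
rancher/rancher-agent:v2.6.0,CVE-0000-0005,High,libexample,fixed,,released
"""

LISTED_SEVERITIES = {"high", "critical"}  # the report lists high or above
RESOLVED_STATUSES = {"fixed", "false-positive", "wontfix"}  # assumed: nothing to act on


def load_report(text):
    """Parse the release CSV into a list of dict rows (one finding per row)."""
    return list(csv.DictReader(io.StringIO(text)))


def open_findings(rows, running_images=None):
    """Group still-actionable high/critical findings by image.
    With running_images, keep only images actually deployed, so the result is
    this cluster's exposure rather than the whole release's."""
    findings = defaultdict(list)
    for row in rows:
        sev = (row.get("severity") or "").strip().lower()
        status = (row.get("status") or "").strip().lower()
        image = (row.get("image") or "").strip()
        if sev not in LISTED_SEVERITIES or status in RESOLVED_STATUSES:
            continue
        if running_images is not None and image not in running_images:
            continue
        findings[image].append((row["cve_id"], sev, row["package"]))
    return dict(findings)


def remediation(row):
    """Name the fix path the announcement describes for this image class.
    The 'mirrored-' name prefix for community images is an assumption."""
    if "/mirrored-" in row["image"]:
        return "upgrade-on-upstream-fix" if row["upstream_state"] else "track-upstream-issue"
    return "rancher-pipeline:" + (row["rancher_pipeline"] or "triage")


if __name__ == "__main__":
    for image, items in open_findings(load_report(SAMPLE_CSV)).items():
        print(image, items)
```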
How will vulnerabilities be addressed?
Images mirrored from community projects:
- If the upstream project has already addressed the vulnerability and released a fix, the image will be upgraded, where possible, in a future Rancher release.
- If the upstream project has not yet released a fix, an issue explaining the situation will be created and tracked by Rancher's engineering team.
Images maintained by Rancher will fall into one of the following categories:
- False positive: documented with an explanation.
- Vulnerabilities that will not be fixed: documented with an explanation, for example an upstream project that is no longer maintained, or a vulnerability with an exceedingly small attack surface.
- Vulnerabilities that can be fixed: Rancher projects or upstream packages that need to be (and can be) updated. These will be addressed and released like any other issue within Rancher.
Rancher Support Team