Manage Vulnerability Exceptions and Global Lists
This doc applies only to the Legacy Scanning engine. Make sure you are using the correct documentation: Which Scanning Engine to Use
Sysdig Secure allows users to put specific CVEs on Global Exception lists. Common reasons to exempt a vulnerability from consideration while scanning an image include:
Knowing that the vuln does not apply to your runtime or cannot be exploited
Knowing that the suggested “fix version” will break a chain of dependencies, and you plan to evaluate how to patch this vulnerability in more detail
Knowing that there is no available fix for the vulnerability yet and you absolutely must deploy this application in production. (You decide to use a temporary alternate security strategy to protect from the vulnerability.)
When devising exception lists, you can detail what exceptions you introduce, for which images, and for how long, establishing a vulnerability exception management workflow.
Additionally, specific images can be marked as untrusted or globally trusted to ensure they always/never pass a scan.
Previous versions of Sysdig Secure called this feature Whitelist and Blacklist, and the options were located under the Scanning Policies tab.
Note that “blacklist” options for other entities, such as users, ports, packages, etc., are listed in Scanning Policy Gates and Triggers.
Create Multiple Exception Lists
By default, a single list is provided. Its name, Default exceptions list, can be retitled, or the list can be removed if desired.
To create additional lists:
Select Image Scanning > Vulnerability Exceptions and click the Add button on the left side of the screen.
Hover over the info bubble on an existing list to see its name, description, and last-modified date.
For an exception list to be applied to an image during a scan, you must set up a scanning policy assignment to map the image to the list.
If you delete or rename an exception list, the modification will also be applied to the policy assignments that contain that list.
Add a Vulnerability to a List
There are two ways to add a vulnerability to a list: from the Exceptions List page, or from the Scan Results.
From the Exceptions List Page
Select Image Scanning > Vulnerability Exceptions and choose the desired list from the left menu. (In this example, the Exception list is named “Python exceptions”.)
Click the Add button on the right side of the screen.
Enter the identifying details:
VULN ID: Required
Expiration Date: Required, but can be “never”
From the Scan Results
The scan results for an image may flag vulnerabilities you don’t consider necessary. From the results list, you can quickly append those entries to exception lists as follows:
Select Image Scanning > Scan Results.
Select the Vulnerability type from the left menu and review the resulting list of flagged vulnerabilities.
The Exceptions column displays the number of lists already containing this vulnerability.
Click the hover button to open the “Add Exception” dialog.
Enter the details and click
List: Sysdig marks with a “radar” icon the lists that are applied to this image according to the policy assignments relevant to the evaluation of this particular image.
You can also enter additional list names in the field to create a new list.
Expiration Date: Required, but can be “never”
Manage Vulnerabilities in a List
An exception list can contain any number of vulnerabilities. Each vulnerability listing displays additional properties to help the security team understand the context, feed sources, and the justification and time span for the vulnerability to be on the list.
Fields in the List View
Select Image Scanning > Vulnerability Exceptions and choose a list from the left menu to review the vulnerability list details.
Review the column data:
Enabled: On/off toggle for whether the exception for this vulnerability is active. If the vulnerability exception is disabled, it will not disappear from the list but will not be taken into account when evaluating an image. Rows that have met their expiration date are automatically disabled.
Name: String entered by the user to identify the vulnerability. For example,
Description: Vulnerability description, provided by Sysdig once the Vuln ID is provided by the user.
Notes: User-defined exception notes. These can be used to justify the decision or to append any additional links or information.
Expiration date: Day configured by the user for this exception to expire. Can be never, for a vulnerability that should not expire. If an expiration is set, then day is the minimum time resolution.
All expiration dates are evaluated against the 0:00 UTC timezone.
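The following is an added illustration, not Sysdig's own code, of how the Enabled toggle, the "never" setting and the day-resolution UTC expiration described above decide whether an exception row still suppresses a finding. The row model, the sample findings, the placeholder CVE-style IDs and the reading that a row has "met" its expiration date from 0:00 UTC of that day are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional
@dataclass
class VulnException:
    """One exception-list row, with the Expiration date as typed in the UI."""
    vuln_id: str
    enabled: bool = True
    expiration: Optional[str] = None   # "YYYY-MM-DD", or None for "never"
    notes: str = ""                    # justification for the exception

    def is_active(self, now: datetime) -> bool:
        # Day resolution, evaluated against 0:00 UTC: only the UTC calendar day
        # matters. Assumption: a row has met its date from 0:00 UTC on that day.
        if not self.enabled:
            return False
        if self.expiration is None:
            return True
        return now.astimezone(timezone.utc).date() < date.fromisoformat(self.expiration)

def expire_rows(exceptions, now):
    """Mirror the automatic disabling: expired rows stay listed but turned off."""
    for e in exceptions:
        if e.enabled and e.expiration and not e.is_active(now):
            e.enabled = False

def apply_exceptions(findings, exceptions, now):
    """Split flagged (vuln_id, package) pairs into still-reported and excepted
    findings; each excepted entry carries the Notes from the list."""
    active = {e.vuln_id: e for e in exceptions if e.is_active(now)}
    reported, excepted = [], []
    for vuln_id, package in findings:
        if vuln_id in active:
            excepted.append((vuln_id, package, active[vuln_id].notes))
        else:
            reported.append((vuln_id, package))
    return reported, excepted

# Constructed sample scan output (placeholder IDs, not real advisories).
SAMPLE_FINDINGS = [("CVE-0000-0001", "libfoo"), ("CVE-0000-0002", "libbar"),
                   ("CVE-0000-0003", "libbaz")]
def evaluate_sample(now_iso: str):
    """Expire rows, then evaluate the constructed sample at an ISO 8601 time."""
    rows = [VulnException("CVE-0000-0001", notes="code path not reachable"),
            VulnException("CVE-0000-0002", expiration="2024-06-15"),
            VulnException("CVE-0000-0003", enabled=False)]
    now = datetime.fromisoformat(now_iso)
    expire_rows(rows, now)
    reported, excepted = apply_exceptions(SAMPLE_FINDINGS, rows, now)
    return reported, excepted, [e.vuln_id for e in rows if not e.enabled]
```

Evaluating the same sample at 23:30 on 14 June in a UTC-2 zone already counts as 15 June in UTC, so the row expiring on that date is disabled and its finding is reported again.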
Access and Edit Additional Details
Click on an exception row to see additional details about the vulnerability and to edit its properties.
View the full description
View and modify user notes
View and modify Expiration date
Disabled exceptions cannot be re-enabled until a future date is set.
View segmented feed information, for every feed that is reporting this vulnerability:
Severity of the vulnerability as reported per each individual feed (color-coded)
Link to vulnerability details as provided per feed
Add Images to a Global List
There are two ways to add images to a Global Trusted or Untrusted list: from the list or from a scan result.
From the Global list:
In the Image Scanning module, select either Global - Trusted Images or Global - Untrusted Images.
The list of previously added images is displayed.
Add each image in a comma-separated list, then click
A tag name must be valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes.
A tag name may not start with a period or a dash and may contain a maximum of 128 characters.
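As an added example (not Sysdig's own validation code), the following applies the tag-name rule stated above to the comma-separated entry field: ASCII letters, digits, underscores, periods and dashes only, no leading period or dash, at most 128 characters. The assumptions are that the tag is whatever follows the ':' in the last path component (so a registry port is not mistaken for a tag) and that untagged references are passed through unchanged.

```python
import re
from typing import Optional

# Tag rule as stated above: ASCII letters, digits, underscore, period, dash;
# no leading period or dash; at most 128 characters.
_TAG_CHARS = re.compile(r"[A-Za-z0-9_.-]*")

def validate_tag(tag: str) -> Optional[str]:
    """Return None when the tag is acceptable, else the reason it is rejected."""
    if not tag:
        return "tag is empty"
    if not tag.isascii():
        return "tag contains non-ASCII characters"
    if tag[0] in ".-":
        return "tag may not start with a period or a dash"
    if len(tag) > 128:
        return f"tag is {len(tag)} characters, the maximum is 128"
    if not _TAG_CHARS.fullmatch(tag):
        bad = sorted({c for c in tag if not _TAG_CHARS.fullmatch(c)})
        return f"tag contains invalid characters: {bad}"
    return None

def parse_image_list(text: str):
    """Split the comma-separated entry field and check the tag of each image.

    Returns (accepted, rejected); each rejected entry is paired with its reason.
    Assumption: the tag is what follows the ':' in the last path component, so
    a registry port such as host:5000/app is not mistaken for a tag, and an
    untagged reference is passed through unchanged.
    """
    accepted, rejected = [], []
    for entry in (e.strip() for e in text.split(",")):
        if not entry:
            continue                       # tolerate blanks and trailing commas
        last = entry.rsplit("/", 1)[-1]    # "name" or "name:tag"
        if ":" in last:
            reason = validate_tag(last.split(":", 1)[1])
            if reason:
                rejected.append((entry, reason))
                continue
        accepted.append(entry)
    return accepted, rejected
```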
From the Scan Results:
In the Image Scanning module, choose the
Select the relevant repository from the list and open the relevant image.
Click Add to List at the top of the page.
Select Add Image to Trusted Images or Add Image to Untrusted Images as needed.