Do not break on found CVE lacking remedy

  • 16 March 2023
  • 3 replies
  • 55 views

  • We are using Debricked as a stage in our Azure Devops Pipeline.

    We have been forced to actually disable it’s capacity to fail the pipeline as it does that too much.

    What we really want is for it to fail if and only if
    A CVE is found of certain level
    AND there do exist a remedy for it that we can fix.

    Stopping on CVE that has no fix makes no sense, imho.

3 replies

Userlevel 1
Badge +2


@GAskefalk we have actually faced a similar challenge and found a workaround to make our lives a bit easier, although it is not 100% what you are looking for and there is room for improvement in the tool:

  1. We have set an Automation where we say: "If CVSS is at least High then flag as vulnerable "
  2. From the Repositories view we click on a specific repo and then in there we filter it by review status = Vulnerable
  3. Then we need to go one by one in each  vulnerabilities to check if there is a fix version available. If not, we select “Pause until a fix is available” under “Pause rule triggering” in the Action section. Then, in the opening dialog, we choose an appropriate max pause time in the dropdown. Click “Save” to confirm your selection and pause automation rules for the vulnerability.

Hope this helps. I think it is a great idea if this process could be more automated. Maybe you can submit an Idea?

Ok

thanks for the input, it seems a tad to manual for us, and i really hope we can get an “upvote” for this feature, i really think everyone would benefit from it.

Thanks again for the great advice!

Gerry

Userlevel 1
Badge +2

@GAskefalk I just added it in the Ideas section, feel free to upvote it:

Cheers!

Reply