Skip to content

VAT 2022.07.07

  • VAT BE: 1.9.38
  • VAT FE: 2.9.33
  • ROSIE: none

BLUF of release

  • ABC/ORA changes
    • ORA rules 1A (Remediation Rate) and 2B (How Recent are Vulnerabilities) have been permanently removed.
    • ORA rule 2A (Open Vulnerabilities) has been reworked:
      • The penalty for Critical findings has been increased from 2 to 10.
      • The penalty for High findings has been increased from 1 to 4.
      • Medium findings now have a penalty cap of 30. An image will not be penalized more than 30 points for Medium findings no matter how many there are.
      • Low findings now have a penalty cap of 10. An image will not be penalized more than 10 points for Low findings no matter how many there are.
      • Mitigated findings now halve the penalty. A mitigated critical finding will cost 5 points instead of 10.
      • Reminder: 2A uses 100 points as the baseline. Each open finding reduces the score.
    • The ABC Remediation deadline has been combined with the Mitigation deadline.
      • Findings now have Justification, Mitigation/Remediation, and CVE Age deadlines.
      • Findings that are mitigated will not fail the Mitigation/Remediation deadline.
      • Findings must still be remediated before the CVE Age deadline.
      • See ABC documentation for the updated deadlines.
    • ABC "Mitigation Tolerance" has been renamed to "Max Count" to better describe what it means. The Max Count is the maximum number of findings allowed for a specific severity, regardless of whether they are mitigated.
    • VAT now has info popups on the ABC and ORA tables, similar to the info popups on Iron Bank Front End. These give additional information about ABC and ORA rules.
  • Container logs have been re-implemented:
    • To prevent the confusing and costly practice of copying logs for new versions of the container.
    • Container logs are now stored in one place for all versions of the container.
    • The container log now shows all container decisions in one place for all versions in a much easier way to follow.
    • Auto approvals now have references back to the last human entry to make way for preserving the original message for display.
  • Fixed issue where Keycloak intercept and redirect to VAT would mangle the URL causing issues.

P1 API Breaking Changes

None

Warning

There will be more such changes in future releases to standardize values

Tickets Completed

ABC/ORA updates

  • IBVAT-1081: Rename ABC Mitigation Tolerance
  • IBVAT-1083: Fully remove ORA 1A and 2B
  • IBVAT-1084: ORA rework 2a
  • IBVAT-1088: Combine ABC mitigation and remediation columns
  • IBVAT-1059: Add info popups to ABC/ORA display on image details page

VAT API

None

BE Enhancements

  • IBVAT-1096: JS Moment Library is deprecated and so was replaced.

FE/UI Enhancements

  • IBVAT-1094: (green star) Link original container log to vat_bot records.
  • IBVAT-1062: (green star) Migrate container log, update vat import to prevent copying container logs
  • IBVAT-1077: Fix /vat routes getting clobbered by redirects
  • IBVAT-721: Add branch and Tag to pipeline access requests

Misc work (No user experience changes)

  • IBVAT-1071: Spike: Investigate new best practices for react 17/18 features
  • Dependency updates and pipeline fixes.
  • IBVAT-965: Spike: Standardize API property names

OBE

  • IBVAT-1060: Add findings to ABC compliance display summary