We need to manage vulnerabilities in all components of our platform continuously to comply with upcoming regulations and customer requirements. Critical vulnerabilities need to be discovered and triaged quickly, and statements about them should be published in machine-readable form (at least). The foundational work has already been done and we have created some assessments; these are the next steps.
### MVP
- [x] https://github.com/stackabletech/infrastructure/issues/209
- [x] Define a "collaboration" workflow (maybe with GitHub Issues)
- [x] https://github.com/stackabletech/infrastructure/issues/213
- [x] Create a "vulnerability centric view" in SecObserve
- [x] Allow deletion of pending assessments
- [x] Show remediations in observation log view
- [ ] https://github.com/stackabletech/infrastructure/issues/214
- [ ] https://github.com/stackabletech/issues/issues/592
- [x] Debug flipping vulnerabilities: https://secobserve.stackable.tech/#/observations/1387048/show
- [x] Create assessment templates / examples as guidelines
- [ ] https://github.com/stackabletech/issues/issues/596
- [ ] https://github.com/stackabletech/infrastructure/issues/210
### Next steps
- [x] Include ARM images
- [x] Enable automatic CSAF validation
- [x] Explore tools helping with vulnerability analysis (e.g. reachability analysis tools like Snyk)
- [x] Configure SecObserve RBAC
- [ ] https://github.com/stackabletech/issues/issues/614
- [ ] https://github.com/stackabletech/issues/issues/650
- [ ] Define CSAF visibility policy and figure out how separation of public/paid feed can be done
- [ ] Analyze some high or critical vulnerabilities in RPM packages and issue VEX statements about them
- [ ] Automatically create issues for new vulnerabilities
Vulnerability Management Epic