synopsys-sig / detect-action

Apache License 2.0

Cannot set CVSS level. In previous deprecated version it was possible. #30

Open PedroEss opened 2 years ago

PedroEss commented 2 years ago

I have set up the parameter "fail-on-all-policy-severities: true", but I do not want to limit to all severity levels; for instance, I need to limit to > 7.0. That is not possible now. Also, when the above parameter is set and it is failing, it is not possible to get the job id for the 'Black Duck Policy Check' job.

jcroall commented 2 years ago

Hi @PedroEss - what does your policy setup look like in Black Duck Hub? Can you set up a policy on security issues with severity > 7.0 (a decent boundary) and then apply that to your rapid scans?

PedroEss commented 2 years ago

> Hi @PedroEss - what does your policy setup look like in Black Duck Hub? Can you set up a policy on security issues with severity > 7.0 (a decent boundary) and then apply that to your rapid scans?

There is no setting to set a specific value of CVSS. The policy appears as a "warning", and it is not possible to, for example, break the build because of this warning. Btw, the policy is set to show the warning above CVSS 7.0.

jcroall commented 2 years ago

I'll check with a Black Duck expert today, but I think the "Highest vulnerability score" policy rule type is compared to a CVSS score.

Black Duck is a bit confusing. There are vulnerability severities from CVSS scores (Critical, High, Medium, Low), and then a policy severity (Blocker, Critical, Major, Minor, Trivial). You can actually have a policy that looks like this:


The fail-on-all-policy-severities option is there because, by default, detect will not generate an exit code > 0 to indicate a policy failure if the POLICY severity is not (I think) High or Critical. That way you can have policies that fail but don't warrant breaking the build or other things. The fail-on-all-policy-severities option tells the action to fail if ANY policies fail. You probably don't need it...

I think you could create a policy that fails on highest vulnerability score greater than 7.0 (or 6.9, I suppose), give the policy a "High" severity (yes, confusing), and then I think it should work.
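The two severity scales discussed above (vulnerability severity derived from a CVSS score versus the policy severity assigned to a Black Duck policy rule) are easy to conflate, and the "greater than 7.0 or 6.9" remark hides an off-by-one-tenth edge case. The following is an added model written for this thread; it is not detect-action's or Black Duck's code, and the result schema (`Component`, `PolicyRule`), the `fail_on_all` flag standing in for `fail-on-all-policy-severities`, and the assumed default set of build-breaking policy severities (`BLOCKER` and `CRITICAL`; confirm against the action's README) are all assumptions. The CVSS bands are the standard CVSS v3.x qualitative ratings.

```python
"""Model of Black Duck's two severity scales and detect-action's exit-code rule.

Constructed example for this thread, not detect-action's or Black Duck's code.
Assumptions: the result schema below is invented; the default set of
build-breaking policy severities is assumed to be BLOCKER and CRITICAL.
"""
from dataclasses import dataclass


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative rating for a base score (FIRST specification)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score >= 0.1:
        return "LOW"
    return "NONE"


# Black Duck policy severities, most severe first (as listed in the thread).
POLICY_SEVERITIES = ("BLOCKER", "CRITICAL", "MAJOR", "MINOR", "TRIVIAL")

# ASSUMPTION: policy severities that break the build when
# fail-on-all-policy-severities is NOT set.
DEFAULT_BLOCKING = frozenset({"BLOCKER", "CRITICAL"})


@dataclass(frozen=True)
class PolicyRule:
    """A 'highest vulnerability score > threshold' rule with a POLICY severity."""
    name: str
    severity: str            # one of POLICY_SEVERITIES, not a CVSS rating
    score_threshold: float   # rule fires when highest CVSS score > threshold


@dataclass(frozen=True)
class Component:
    """Constructed scan result: a component and the CVSS scores of its vulns."""
    name: str
    cvss_scores: tuple


def highest_score(component: Component) -> float:
    return max(component.cvss_scores, default=0.0)


def violations(components, rules):
    """Return (component name, rule) pairs for every rule a component violates."""
    out = []
    for c in components:
        hi = highest_score(c)
        for r in rules:
            if r.severity not in POLICY_SEVERITIES:
                raise ValueError(f"{r.name}: {r.severity} is not a policy severity")
            if hi > r.score_threshold:   # strict '>' exactly as the rule states
                out.append((c.name, r))
    return out


def exit_code(violated, fail_on_all: bool) -> int:
    """Non-zero when the violations should break the build.

    fail_on_all models fail-on-all-policy-severities; without it only policy
    severities in DEFAULT_BLOCKING (assumed) cause a non-zero exit.
    """
    if not violated:
        return 0
    if fail_on_all:
        return 1
    return 1 if any(r.severity in DEFAULT_BLOCKING for _, r in violated) else 0


# Constructed sample input: libA's worst finding sits exactly on 7.0.
SAMPLE_COMPONENTS = (
    Component("libA", (7.0, 5.5)),
    Component("libB", (9.8,)),
    Component("libC", (3.1,)),
)
RULE_GT_70 = PolicyRule("high-cvss", "MAJOR", 7.0)    # misses a 7.0 score
RULE_GT_69 = PolicyRule("high-cvss-fixed", "MAJOR", 6.9)  # catches it
RULE_BLOCKER = PolicyRule("critical-cvss", "BLOCKER", 8.9)


def demo() -> dict:
    """Run the sample and return what a workflow would observe."""
    v70 = violations(SAMPLE_COMPONENTS, [RULE_GT_70])
    v69 = violations(SAMPLE_COMPONENTS, [RULE_GT_69])
    vblk = violations(SAMPLE_COMPONENTS, [RULE_BLOCKER])
    return {
        "gt_7.0_hits": sorted(name for name, _ in v70),
        "gt_6.9_hits": sorted(name for name, _ in v69),
        "major_default_exit": exit_code(v69, fail_on_all=False),
        "major_fail_on_all_exit": exit_code(v69, fail_on_all=True),
        "blocker_default_exit": exit_code(vblk, fail_on_all=False),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The demo makes two points from the thread concrete: a rule written as "> 7.0" does not fire for a component whose worst score is exactly 7.0 (still a CVSS HIGH), so "> 6.9" is the threshold that matches the HIGH band, and a rule with MAJOR policy severity only breaks the build when the fail-on-all flag is set, whereas a BLOCKER rule does so by default.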