Hi Alex,
Thanks for taking the time to respond to my request.
I fully agree that individual vulnerabilities are often not relevant for a container image.
The problem arises when we cannot make distinctions when assessing, as we might never be able to assess a vulnerability using the global scope.
A scaled-down example could be that we have two feed groups, each with their own Package Policy: 'External', which is used for the build/store of an application served to external users comprised of the general public (i.e. a web service), while 'Internal' is used for an identical but separately generated application that is run strictly for internal users with no exposure to the internet.
External:
Universal Feed, Nuget feed, Container feed
Internal:
Universal Feed, Nuget feed, Container feed
Then we might have a vulnerability like PGV-255532C, assuming that we, in our application, are using the functionality of sqlite which is affected.
This would pose an unacceptable risk for an application reachable and used by external users, while it could be fine for an internal application.
The current assessment structure for containers wouldn't allow us to continue using the container in the 'Internal' feed group without also allowing the container in the 'External' feed group.
I agree on the premise that an Image is more like a Build than it is a Package. But even then, sharing policies between containers and package feeds would remain relevant for our use case.
Best regards,
Nils Nilsson