Managing vulnerabilities in Red Hat Edge Manager
Abstract
Preface
Configure Red Hat Trusted Profile Analyzer-backed vulnerability reporting and use the web console or CLI to assess CVE risk for devices, fleets, and your entire managed estate.
Chapter 1. Vulnerability management overview
When vulnerability reporting is enabled, Red Hat Edge Manager correlates Red Hat CVE and errata data with the bootc OS images that devices report, so you can assess risk per device, fleet, or across the estate without manually matching external scan results.
1.1. How vulnerability reporting works
At a configurable interval (default: every 15 minutes), the flightctl-periodic service:
- Collects the distinct OS image digests reported in device status across enrolled devices.
- Queries the Red Hat Trusted Profile Analyzer `/api/v2/vulnerability/analyze` endpoint for each digest.
- Stores the results in the Red Hat Edge Manager database, keyed by image digest and CVE ID.
The API, CLI, and web console read from the stored findings. Vulnerability data reflects the image digest a device reports in status.os.imageDigest, not on-device runtime scanning.
For High and Critical findings, the periodic service can also record CVE lifecycle events in the event stream. See CVE lifecycle events in the Additional resources section.
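The following Python script is an added example, not code from Red Hat Edge Manager, and models the three sync steps above: deduplicate the digests devices report, query the analyzer once per digest, and store findings keyed by (digest, CVE ID). It then derives the per-fleet impact summary that the web console shows for one CVE. The `FakeAnalyzer` class is a hypothetical stand-in for the Red Hat Trusted Profile Analyzer client (the real `/api/v2/vulnerability/analyze` request and response format is not shown on this page), the device records and findings are constructed, and `CVE-0000-0001` is a placeholder identifier.

```python
from collections import defaultdict


class FakeAnalyzer:
    """Hypothetical stand-in for the Red Hat Trusted Profile Analyzer client.
    The real /api/v2/vulnerability/analyze format is not reproduced here."""

    def __init__(self, findings_by_digest):
        self.findings_by_digest = findings_by_digest
        self.calls = []  # digests queried; shows one query per distinct digest

    def analyze(self, digest):
        self.calls.append(digest)
        return self.findings_by_digest.get(digest, [])


# Constructed device status records: owner plus the digest from status.os.imageDigest.
DEVICES = [
    {"name": "edge-01", "owner": "Fleet/retail", "imageDigest": "sha256:aaaa"},
    {"name": "edge-02", "owner": "Fleet/retail", "imageDigest": "sha256:aaaa"},
    {"name": "edge-03", "owner": "Fleet/factory", "imageDigest": "sha256:bbbb"},
    {"name": "edge-04", "owner": None, "imageDigest": "sha256:bbbb"},  # no fleet owner
    {"name": "edge-05", "owner": "Fleet/factory", "imageDigest": None},  # no digest yet
]

# Constructed analyzer data. CVE-2023-44487 is the CVE used on this page;
# CVE-0000-0001 is a placeholder, not a real identifier.
ANALYZER_DATA = {
    "sha256:aaaa": [
        {"cve_id": "CVE-2023-44487", "severity": "High", "status": "affected"},
        {"cve_id": "CVE-0000-0001", "severity": "Critical", "status": "affected"},
    ],
    "sha256:bbbb": [
        {"cve_id": "CVE-2023-44487", "severity": "High", "status": "affected"},
    ],
}


def distinct_digests(devices):
    """Step 1: the distinct digests across enrolled devices; devices that have
    not reported a digest contribute nothing and get no findings."""
    return sorted({d["imageDigest"] for d in devices if d.get("imageDigest")})


def sync(devices, analyzer):
    """Steps 2 and 3: one analyzer query per digest, results keyed by (digest, CVE ID)."""
    store = {}
    for digest in distinct_digests(devices):
        for finding in analyzer.analyze(digest):
            store[(digest, finding["cve_id"])] = finding
    return store


def impact(cve_id, devices, store):
    """Impact summary for one CVE: affected device and image counts per fleet.
    Devices without a fleet owner are grouped under the key "None"."""
    affected_digests = {digest for (digest, cve) in store if cve == cve_id}
    per_fleet = defaultdict(lambda: {"devices": 0, "images": set()})
    for dev in devices:
        if dev.get("imageDigest") in affected_digests:
            fleet = dev["owner"] or "None"
            per_fleet[fleet]["devices"] += 1
            per_fleet[fleet]["images"].add(dev["imageDigest"])
    return {fleet: {"devices": v["devices"], "images": len(v["images"])}
            for fleet, v in per_fleet.items()}


if __name__ == "__main__":
    analyzer = FakeAnalyzer(ANALYZER_DATA)
    findings = sync(DEVICES, analyzer)
    print("queried digests:", analyzer.calls)
    print("stored findings:", len(findings))
    print("impact of CVE-2023-44487:", impact("CVE-2023-44487", DEVICES, findings))
```

Two digests are queried even though four devices report them, and `edge-05`, which has no digest yet, appears in no impact summary; that is the reason the troubleshooting chapter starts by checking that `status.os.imageDigest` is populated.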
Prerequisites
- A running Red Hat Trusted Profile Analyzer instance that the `flightctl-periodic` service can reach over the network.
- The Red Hat Trusted Profile Analyzer API base URL (for example, https://rhtpa.example.com).
- If Red Hat Trusted Profile Analyzer requires authentication, an OIDC issuer URL and OAuth2 client credentials for a client-credentials grant, or a deployment that allows unauthenticated access in non-production environments.
- Software bill of materials (SBOM) or advisory data in Red Hat Trusted Profile Analyzer for the image digests your devices run. The Red Hat Edge Manager image builder can generate compliant SBOMs automatically; you can also ingest SBOMs from CI/CD. See SBOM requirements for Red Hat Trusted Profile Analyzer in the Additional resources section.
1.2. Scope and limitations
Vulnerability reporting in release 1.2:
- Reports vulnerabilities associated with the bootc OS image digest on each device.
- Uses Red Hat security data surfaced through Red Hat Trusted Profile Analyzer (CVEs and errata such as RHSAs).
- Does not perform on-device runtime scanning.
- Does not trigger automated remediation or image updates when a CVE is detected.
For severity definitions, see Red Hat security rating classification on the Red Hat Customer Portal.
Chapter 2. Configuring vulnerability reporting
Enable vulnerability reporting, connect Red Hat Edge Manager to Red Hat Trusted Profile Analyzer, and configure authentication and sync interval for your deployment.
Prerequisites
- You completed a Red Hat Edge Manager installation on Red Hat OpenShift Container Platform or Red Hat Enterprise Linux. See Installing Red Hat Edge Manager on Red Hat OpenShift Container Platform or Installing Red Hat Edge Manager on Red Hat Enterprise Linux in the Additional resources section.
- You meet the prerequisites in Vulnerability management overview in the Additional resources section.
2.1. Enabling vulnerability reporting on Red Hat OpenShift Container Platform or Kubernetes
Enable vulnerability reporting by setting Helm values for Red Hat Edge Manager and configuring Red Hat Trusted Profile Analyzer authentication.
Procedure
- Set `vulnerabilityReporting.enabled` to `true` in your Red Hat Edge Manager Helm release values. Merge the following example with your existing configuration:

  ```yaml
  vulnerabilityReporting:
    enabled: true
    syncInterval: "15m"
    trustify:
      endpoint: "https://rhtpa.example.com"
      auth:
        mode: "none"
  ```

  If Red Hat Trusted Profile Analyzer uses OAuth2 client credentials, set `auth.mode` to `client-credentials`, set `oidcIssuerUrl`, and reference a Kubernetes secret for the client ID and secret:

  ```yaml
  vulnerabilityReporting:
    enabled: true
    syncInterval: "15m"
    trustify:
      endpoint: "https://rhtpa.example.com"
      auth:
        mode: "client-credentials"
        oidcIssuerUrl: "https://sso.example.com/realms/rhtpa"
        secretName: "rhtpa-credentials"
  ```

  Create the secret in the same namespace as the Red Hat Edge Manager release before you upgrade:

  ```shell
  $ kubectl create secret generic rhtpa-credentials \
      --from-literal=client_id=<client_id> \
      --from-literal=client_secret=<client_secret> \
      -n <namespace>
  ```

- Upgrade the Helm release so `flightctl-periodic` loads the new configuration. The Red Hat Trusted Profile Analyzer credentials secret is mounted only into the periodic service pod.
2.2. Enabling vulnerability reporting on Red Hat Enterprise Linux with Podman
Enable vulnerability reporting on a Red Hat Enterprise Linux deployment by editing the service configuration file and restarting the periodic service.
Procedure
- Edit `/etc/flightctl/service-config.yaml` and set the `vulnerabilityReporting` block:

  ```yaml
  vulnerabilityReporting:
    enabled: true
    syncInterval: 15m
    trustify:
      endpoint: https://rhtpa.example.com
      auth:
        mode: client-credentials
        oidcIssuerUrl: https://sso.example.com/realms/rhtpa
        clientId: <client_id>
        clientSecret: <client_secret>
  ```

  Important: Avoid storing client secrets in plain text in production. Prefer the environment variable overrides described in Configuration reference.

- Restart the periodic service:

  ```shell
  $ sudo systemctl restart flightctl-periodic.service
  ```
Verification
- Confirm `flightctl-periodic` logs contain `vulnerability-sync` entries after the sync interval elapses.
- Run `flightctl get vuln --summary-only` after devices report an `imageDigest` and Red Hat Trusted Profile Analyzer has data for those digests.
For troubleshooting, see Troubleshooting vulnerability reporting.
2.3. Configuration reference
Use the following tables to configure vulnerability reporting fields and environment variable overrides for Red Hat Edge Manager.
The following table describes fields under the vulnerabilityReporting key in Helm values or /etc/flightctl/service-config.yaml.
| Field | Type | Default | Description |
|---|---|---|---|
| `enabled` | boolean | `false` | Enables vulnerability sync and API endpoints. |
| `syncInterval` | duration | `15m` | Interval between Red Hat Trusted Profile Analyzer sync runs. Use Go duration syntax (for example, `15m`). |
| `trustify.endpoint` | string | — | Red Hat Trusted Profile Analyzer API base URL. Required when `enabled` is `true`. |
| `trustify.auth.mode` | string | | Authentication mode: `none` or `client-credentials`. |
| `trustify.auth.oidcIssuerUrl` | string | — | OIDC issuer URL when `mode` is `client-credentials`. |
| `trustify.auth.clientId` | string | — | OAuth2 client ID for Podman deployments. |
| `trustify.auth.clientSecret` | string | — | OAuth2 client secret for Podman deployments. |
| `trustify.auth.secretName` | string | — | Kubernetes secret name with `client_id` and `client_secret` keys. |
You can override any value in the preceding table with environment variables on `flightctl-periodic` and `flightctl-api`, for example the sync interval (such as `15m`), the Red Hat Trusted Profile Analyzer API base URL, the OIDC issuer URL, the OAuth2 client ID, and the OAuth2 client secret.
Environment variables take precedence over the configuration file.
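The following Python script is an added example, not part of Red Hat Edge Manager, that checks a `vulnerabilityReporting` block against the rules in this reference before you deploy it: `trustify.endpoint` is required when the feature is enabled, the mode must be `none` or `client-credentials`, client-credentials mode needs an OIDC issuer URL plus either a Kubernetes secret name or an inline client ID and secret, and an inline `clientSecret` is flagged because the Podman procedure warns against storing it in plain text. The script takes the already-parsed configuration as a dictionary (feed it the output of your YAML parser); treating a missing `mode` as `none` and requiring an HTTPS endpoint are assumptions made here, and the sample configurations are constructed.

```python
import re

# Go duration syntax: one or more <number><unit> pairs, for example "15m" or "1h30m".
_UNIT_SECONDS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
_DURATION_PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_go_duration(text):
    """Return the duration in seconds, or raise ValueError for invalid syntax
    (a bare number such as "15" is rejected: Go requires a unit)."""
    if not isinstance(text, str) or not text:
        raise ValueError(f"not a duration: {text!r}")
    pos, total = 0, 0.0
    for match in _DURATION_PART.finditer(text):
        if match.start() != pos:
            raise ValueError(f"invalid duration: {text!r}")
        total += float(match.group(1)) * _UNIT_SECONDS[match.group(2)]
        pos = match.end()
    if pos != len(text):
        raise ValueError(f"invalid duration: {text!r}")
    return total


def validate(config):
    """Return (errors, warnings) for the vulnerabilityReporting block of a parsed config."""
    errors, warnings = [], []
    vr = config.get("vulnerabilityReporting", {})
    enabled = vr.get("enabled", False)
    if not isinstance(enabled, bool):
        errors.append("enabled must be a boolean")
    if "syncInterval" in vr:
        try:
            parse_go_duration(str(vr["syncInterval"]))
        except ValueError as exc:
            errors.append(f"syncInterval: {exc}")
    if enabled is not True:
        return errors, warnings  # nothing else is required while the feature is off
    trustify = vr.get("trustify", {})
    endpoint = trustify.get("endpoint")
    if not endpoint:
        errors.append("trustify.endpoint is required when enabled is true")
    elif not str(endpoint).startswith("https://"):
        errors.append("trustify.endpoint should use HTTPS (assumption in this example)")
    auth = trustify.get("auth", {})
    mode = auth.get("mode", "none")  # assumption: a missing mode means no authentication
    if mode not in ("none", "client-credentials"):
        errors.append(f"trustify.auth.mode must be none or client-credentials, got {mode!r}")
    elif mode == "client-credentials":
        if not auth.get("oidcIssuerUrl"):
            errors.append("trustify.auth.oidcIssuerUrl is required for client-credentials")
        has_secret_ref = bool(auth.get("secretName"))  # Kubernetes deployments
        has_inline = bool(auth.get("clientId")) and bool(auth.get("clientSecret"))  # Podman
        if not (has_secret_ref or has_inline):
            errors.append("client-credentials needs secretName, or clientId and clientSecret")
        if auth.get("clientSecret"):
            warnings.append("trustify.auth.clientSecret is stored in plain text; "
                            "prefer the environment variable override in production")
    return errors, warnings


# Constructed sample configurations (parsed form of the YAML in the procedures above).
KUBERNETES_CFG = {"vulnerabilityReporting": {
    "enabled": True, "syncInterval": "15m",
    "trustify": {"endpoint": "https://rhtpa.example.com",
                 "auth": {"mode": "client-credentials",
                          "oidcIssuerUrl": "https://sso.example.com/realms/rhtpa",
                          "secretName": "rhtpa-credentials"}}}}
PODMAN_CFG = {"vulnerabilityReporting": {
    "enabled": True, "syncInterval": "15m",
    "trustify": {"endpoint": "https://rhtpa.example.com",
                 "auth": {"mode": "client-credentials",
                          "oidcIssuerUrl": "https://sso.example.com/realms/rhtpa",
                          "clientId": "<client_id>", "clientSecret": "<client_secret>"}}}}
BROKEN_CFG = {"vulnerabilityReporting": {
    "enabled": True, "syncInterval": "15",  # missing unit
    "trustify": {"auth": {"mode": "oauth"}}}}  # no endpoint, unknown mode

if __name__ == "__main__":
    for label, cfg in (("kubernetes", KUBERNETES_CFG), ("podman", PODMAN_CFG), ("broken", BROKEN_CFG)):
        print(label, validate(cfg))
```

Run it against your own file with a YAML parser of your choice, for example `validate(yaml.safe_load(open("/etc/flightctl/service-config.yaml")))`; the three sample configurations show a clean Kubernetes block, a Podman block that passes but carries a plain-text secret warning, and a block with three errors.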
2.4. Disabling vulnerability reporting
Set vulnerabilityReporting.enabled to false in Helm values or /etc/flightctl/service-config.yaml, then redeploy or restart services.
When the feature is disabled, vulnerability API endpoints return HTTP 501 Not Implemented with reason: FeatureDisabled. The sync task does not run.
Chapter 3. SBOM requirements for Red Hat Trusted Profile Analyzer
Red Hat Trusted Profile Analyzer must have SBOM or advisory data keyed to the image digests your devices report. Red Hat Edge Manager can generate compliant SBOMs during image builds; you can also supply SBOMs from CI/CD.
3.1. SBOMs from the image builder
When you build OS images with the Red Hat Edge Manager image builder, SBOMs are generated automatically in CycloneDX JSON format with the image digest in metadata.component, so Red Hat Trusted Profile Analyzer can correlate findings with status.os.imageDigest on enrolled devices.
For image builder workflows, see Operating system images for Red Hat Edge Manager in the Additional resources section.
3.2. Manual SBOM ingestion
When you upload SBOMs to Red Hat Trusted Profile Analyzer outside the image builder, use CycloneDX JSON (version 1.4 or later). Include the image digest in metadata.component, for example:
```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "component": {
      "type": "container",
      "name": "quay.io/example/my-image:v1.0.0",
      "version": "v1.0.0",
      "purl": "pkg:oci/example/my-image@sha256:abc123...?repository_url=quay.io",
      "bom-ref": "pkg:oci/example/my-image@sha256:abc123..."
    }
  },
  "components": []
}
```

| Field | Requirement |
|---|---|
| `metadata.component.type` | Must be `container`. |
| `metadata.component.name` | Full image reference (registry, name, and tag). |
| `metadata.component.purl` | OCI Package URL with digest: `pkg:oci/<name>@sha256:<digest>`. |
Generate SBOMs with Syft when images are built in CI/CD:
$ syft <image_reference> -o cyclonedx-json > sbom.json
Verify metadata.component.purl contains the digest before you upload the SBOM to Red Hat Trusted Profile Analyzer.
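The following Python script is an added example, not part of Red Hat Edge Manager or Syft, that performs the pre-upload check described above: it verifies the `bomFormat`, `specVersion`, `metadata.component` type, full image reference, and that the `purl` carries a `sha256` digest, optionally comparing that digest with the value a device reports in `status.os.imageDigest`. The SBOM documents are constructed; the first mirrors the page's example with a full-length digest, and the second is the tag-only `purl` that fails the check.

```python
import json
import re

# An image digest inside a purl looks like ...@sha256:<64 hex characters>.
DIGEST_RE = re.compile(r"@(sha256:[0-9a-f]{64})")

# Constructed digest (not a real image) and two constructed SBOM documents.
SAMPLE_DIGEST = "sha256:" + "a1" * 32


def _sbom(purl):
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {
            "type": "container",
            "name": "quay.io/example/my-image:v1.0.0",
            "version": "v1.0.0",
            "purl": purl,
            "bom-ref": purl.split("?")[0],
        }},
        "components": [],
    })


GOOD_SBOM = _sbom(f"pkg:oci/example/my-image@{SAMPLE_DIGEST}?repository_url=quay.io")
TAG_ONLY_SBOM = _sbom("pkg:oci/example/my-image?repository_url=quay.io&tag=v1.0.0")


def check_sbom(sbom_text, expected_digest=None):
    """Return a list of problems; an empty list means the SBOM can be correlated
    with a device digest. expected_digest is the device's status.os.imageDigest."""
    problems = []
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be CycloneDX")
    try:
        spec = tuple(int(p) for p in str(sbom.get("specVersion", "")).split("."))
    except ValueError:
        spec = ()
    if spec < (1, 4):
        problems.append("specVersion must be 1.4 or later")
    comp = sbom.get("metadata", {}).get("component", {})
    if comp.get("type") != "container":
        problems.append("metadata.component.type must be container")
    # A full reference has a registry host (contains "." or ":" or is localhost) and a tag.
    name = comp.get("name", "")
    registry, _, path = name.partition("/")
    has_registry = "." in registry or ":" in registry or registry == "localhost"
    has_tag = ":" in path.rsplit("/", 1)[-1]
    if not (has_registry and has_tag):
        problems.append("metadata.component.name must be a full image reference (registry, name, tag)")
    purl = comp.get("purl", "")
    if not purl.startswith("pkg:oci/"):
        problems.append("metadata.component.purl must be an OCI Package URL (pkg:oci/...)")
    digest = DIGEST_RE.search(purl)
    if digest is None:
        problems.append("metadata.component.purl must include the image digest (@sha256:...)")
    elif expected_digest and digest.group(1) != expected_digest:
        problems.append(f"purl digest {digest.group(1)} does not match device digest {expected_digest}")
    return problems


if __name__ == "__main__":
    print("good:", check_sbom(GOOD_SBOM, SAMPLE_DIGEST))
    print("tag only:", check_sbom(TAG_ONLY_SBOM))
```

To check a file produced by `syft ... -o cyclonedx-json`, call `check_sbom(open("sbom.json").read(), digest)` with the digest taken from `flightctl get device/<device_name> -o yaml`; a tag-only `purl` is the usual reason findings never appear for an image even though the analyzer holds an SBOM for it.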
3.3. Red Hat Trusted Profile Analyzer instance
Deploy Red Hat Trusted Profile Analyzer so the flightctl-periodic service can reach it over HTTPS. You can run Red Hat Trusted Profile Analyzer alongside Red Hat Edge Manager or use an existing instance. See Red Hat Trusted Profile Analyzer documentation in the Additional resources section.
Chapter 4. Viewing vulnerabilities in the web console
Use the Red Hat Edge Manager web console, starting from Overview, to review estate-wide CVE data, drill into device and fleet risk, and explore impact for a specific CVE in the details panel.
Prerequisites
- Vulnerability reporting is enabled. See Configuring vulnerability reporting in the Additional resources section.
- You can sign in to the Red Hat Edge Manager web console.
4.1. Viewing the Security overview
Use the Red Hat Edge Manager web console to review estate-wide CVE data from the Overview dashboard.
Procedure
- In the navigation menu, open Overview.
- On the Overview dashboard, review the Security overview card. It shows the total number of active vulnerabilities and a short description noting that the CVEs affect images deployed across your managed fleets and devices.
- In the card, review the count for each severity band: Critical, Important, Moderate, Low, None, and Undefined.
- To open the full CVE list, click View all CVEs in the card header.
- On the Security overview page, review the paginated CVE table. The table lists Name, Severity, Affected devices, and Affected images for each CVE. CVEs are sorted by severity, with Critical listed first.
- Use Filter by severity or Find by name to narrow the list. Sort columns or move between pages as needed.
- Click a CVE Name to open the CVE details panel for that CVE.
4.2. Viewing vulnerabilities on a device
Complete the following steps to view vulnerabilities affecting a specific device.
Procedure
- Open Devices and select a device to open the device details page.
- On the device details page, review the Security overview card. It shows a paginated table of CVEs affecting the device for the image digest the device reports. Filter by severity or CVE ID and sort columns as on other vulnerability pages.
- To review a single CVE in the context of the device, click a CVE row.
4.3. Exploring CVE details and impact
From the Security overview page, click a CVE Name to open the CVE details panel. Complete the following steps to explore CVE details and impact.
Procedure
- Review the CVE header, published date, and description.
- Review Severity and Scanner name (findings are sourced from Red Hat Trusted Profile Analyzer).
- In Affected images, review the image references that carry this CVE.
- In the Impact summary section, review how many devices and fleets run affected images. The summary table lists Fleet name, Affected devices, and Affected images per fleet. Devices without a fleet owner appear under None.
- In References, follow links to related Red Hat security advisories when they are available.
- Click a fleet name to open that fleet’s vulnerability view and see CVEs affecting the fleet.
- Click the number of affected devices for a fleet to open the Devices list with those devices pre-filtered.
- For devices without a fleet owner, click the affected device count in the None row to open the Devices list with those devices pre-filtered.
4.4. Viewing fleet vulnerabilities
Complete the following steps to view vulnerabilities affecting a specific fleet.
Procedure
- Open Fleets and select a fleet, or from the Impact summary in a CVE details panel, click a fleet name.
- On the fleet details page, review the Security overview card. It shows a paginated table of CVEs affecting that fleet only. Filter by severity or CVE ID and sort columns as on other vulnerability pages.
- To review a single CVE in the context of the fleet, click a CVE row.
When you plan remediation, distinguish fleet-managed devices from devices without a fleet owner. Use the pre-filtered Devices list from the Impact summary in the CVE details panel to reach affected devices in the None row; update those devices individually or assign them to a fleet.
Chapter 5. Viewing vulnerabilities using the CLI
Use flightctl get vuln to review CVE data for the estate, a device, a fleet, or the blast radius of a single CVE.
Prerequisites
- Vulnerability reporting is enabled. See Configuring vulnerability reporting.
- You installed and authenticated the Flight Control CLI.
View the estate summary
Run the following command:
$ flightctl get vuln --summary-only
The following output is an example:
```
CRITICAL  HIGH  MEDIUM  LOW  UNKNOWN  TOTAL
3         12    45      28   2        90
```
List all CVEs
Run the following command:
$ flightctl get vuln
To sort results, add `--sort-by` and `--order`, as in the following examples:
$ flightctl get vuln --sort-by cvssScore --order desc
$ flightctl get vuln --sort-by publishedAt --order desc
View device vulnerabilities
Run the following command:
$ flightctl get vuln device/<device_name>
To include a severity summary before the CVE list, add `--summary`:
$ flightctl get vuln device/<device_name> --summary
To show only the summary, use `--summary-only`:
$ flightctl get vuln device/<device_name> --summary-only
View fleet vulnerabilities
Run the following command:
$ flightctl get vuln fleet/<fleet_name>
You can use `--summary` or `--summary-only` with fleet queries the same way as for devices.
View CVE impact
To see affected fleets and device counts for one CVE, run the following command:
$ flightctl get vuln CVE-2023-44487
The output includes severity, CVSS score, advisory ID, a link to the Red Hat Security portal or NVD, and per-fleet affected device counts.
List devices affected by a CVE
Run the following command:
$ flightctl get devices --cve-id CVE-2023-44487
To combine `--cve-id` with label selectors or other supported `--field-selector` values, use commands such as the following:
$ flightctl get devices --cve-id CVE-2023-44487 --selector region=us-west
$ flightctl get devices --cve-id CVE-2023-44487 --field-selector "metadata.owner notcontains Fleet/"
Output formats and pagination
Run commands such as the following:
$ flightctl get vuln -o json
$ flightctl get vuln device/<device_name> -o yaml
$ flightctl get vuln fleet/<fleet_name> -o wide
$ flightctl get vuln --limit 10 --continue <token>
View CVE lifecycle events
Run the following command:
$ flightctl get events --field-selector="reason in (DeviceVulnerabilityCVEWarning,DeviceVulnerabilityCVECritical,DeviceVulnerabilityCVEResolved)"
Chapter 6. CVE lifecycle events
When vulnerability reporting is enabled, Red Hat Edge Manager emits per-device CVE lifecycle events after each sync for High and Critical findings, which you can inspect in the event stream.
The periodic service evaluates stored findings against each device’s reported image digest and emits:
| Event reason | When it is emitted |
|---|---|
| `DeviceVulnerabilityCVECritical` | A Critical severity CVE affects the device's running image digest and no unresolved Critical detection event exists for that device and CVE. |
| `DeviceVulnerabilityCVEWarning` | A High severity CVE affects the device under the same deduplication rules. |
| `DeviceVulnerabilityCVEResolved` | The condition clears because the device runs a different digest, severity drops below the event threshold, or the finding status is |
Medium, Low, and None severities do not generate lifecycle events.
Events reference the device in involvedObject and include cve_id, image_ref, and image_digest in details. A CVE marked fixed in Red Hat Trusted Profile Analyzer does not resolve the event until the device runs an image digest that is no longer affected.
Use flightctl get events with a field selector on reason to audit detections and resolutions. See View CVE lifecycle events in the Additional resources section.
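The following Python script is an added example, not code from Red Hat Edge Manager, that runs the detection and resolution rules of this chapter over constructed findings across four sync rounds: first sync (one Warning and one Critical event for a device), an unchanged second sync (nothing, because an unresolved event already exists), a finding marked fixed in the analyzer while the device still runs the affected digest (still nothing), and finally the device moving to an unaffected digest (two Resolved events). Treating the deduplication key as device, CVE ID and severity band is an assumption of this example; the stripped finding-status condition from the table is not reproduced because its value is not on the page, and `CVE-0000-0001` is a placeholder identifier.

```python
DETECTION_REASON = {
    "Critical": "DeviceVulnerabilityCVECritical",
    "High": "DeviceVulnerabilityCVEWarning",
}
RESOLVED = "DeviceVulnerabilityCVEResolved"


def make_event(reason, device_name, cve_id, device):
    """Event shape described on the page: the device in involvedObject and
    cve_id, image_ref and image_digest in details."""
    return {"reason": reason, "involvedObject": device_name,
            "details": {"cve_id": cve_id,
                        "image_ref": device.get("image_ref"),
                        "image_digest": device.get("digest")}}


def evaluate(devices, findings, open_events):
    """One periodic evaluation.
    devices:     name -> {"digest": ..., "image_ref": ...}
    findings:    (digest, cve_id) -> {"severity": ..., "status": ...}
    open_events: set of (device, cve_id, reason) for unresolved detections
    Returns (emitted events, updated open_events)."""
    emitted, still_open = [], set()
    for name, dev in devices.items():
        for (digest, cve_id), finding in findings.items():
            if digest != dev["digest"]:
                continue  # finding is for a digest this device does not run
            reason = DETECTION_REASON.get(finding["severity"])
            if reason is None:
                continue  # Medium, Low and None are below the event threshold
            key = (name, cve_id, reason)  # assumed deduplication key
            still_open.add(key)
            if key not in open_events:
                emitted.append(make_event(reason, name, cve_id, dev))
    # Anything open that no longer matches (digest changed, severity dropped) resolves.
    for name, cve_id, _reason in sorted(open_events - still_open):
        emitted.append(make_event(RESOLVED, name, cve_id, devices.get(name, {})))
    return emitted, still_open


# Constructed findings, keyed by (digest, cve_id) as the sync stores them.
FINDINGS = {
    ("sha256:aaaa", "CVE-2023-44487"): {"severity": "High", "status": "affected"},
    ("sha256:aaaa", "CVE-0000-0001"): {"severity": "Critical", "status": "affected"},
    ("sha256:bbbb", "CVE-2023-44487"): {"severity": "Medium", "status": "affected"},
}


def run_rounds():
    """Four syncs; returns the list of emitted event reasons per round."""
    devices = {
        "edge-01": {"digest": "sha256:aaaa", "image_ref": "quay.io/example/my-image:v1.0.0"},
        "edge-02": {"digest": "sha256:bbbb", "image_ref": "quay.io/example/my-image:v1.1.0"},
    }
    findings = {k: dict(v) for k, v in FINDINGS.items()}
    open_events, rounds = set(), []

    # Round 1: first sync after enrolment.
    emitted, open_events = evaluate(devices, findings, open_events)
    rounds.append([e["reason"] for e in emitted])
    # Round 2: nothing changed; existing unresolved events suppress duplicates.
    emitted, open_events = evaluate(devices, findings, open_events)
    rounds.append([e["reason"] for e in emitted])
    # Round 3: the analyzer marks the CVE fixed, but the device still runs the digest.
    findings[("sha256:aaaa", "CVE-2023-44487")]["status"] = "fixed"
    emitted, open_events = evaluate(devices, findings, open_events)
    rounds.append([e["reason"] for e in emitted])
    # Round 4: edge-01 updated to the v1.1.0 digest, which has only a Medium finding.
    devices["edge-01"] = {"digest": "sha256:bbbb", "image_ref": "quay.io/example/my-image:v1.1.0"}
    emitted, open_events = evaluate(devices, findings, open_events)
    rounds.append([e["reason"] for e in emitted])
    return rounds


if __name__ == "__main__":
    for i, reasons in enumerate(run_rounds(), start=1):
        print(f"round {i}: {reasons}")
```

Round 3 is the behaviour called out above: a fix recorded in Red Hat Trusted Profile Analyzer does not resolve the event, because the device is still running the affected digest; only the digest change in round 4 does.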
Chapter 7. Troubleshooting vulnerability reporting
Diagnose missing CVE data, sync failures, and disabled API responses for vulnerability reporting.
Sync is not running
- Confirm `vulnerabilityReporting.enabled` is `true` in the configuration used by `flightctl-periodic`.
- Confirm `vulnerabilityReporting.trustify.endpoint` is set and reachable from the periodic service host or pod.
- Review periodic service logs for lines containing `vulnerability-sync`.
Authentication errors
If logs report Red Hat Trusted Profile Analyzer authentication errors:
- Verify `trustify.auth.mode` is `none` or `client-credentials` as appropriate.
- For `client-credentials`, confirm the OIDC issuer URL is reachable and that `<oidcIssuerUrl>/.well-known/openid-configuration` is accessible from the periodic service.
- Verify the client ID and secret in the Kubernetes secret or environment variables.
No vulnerability data appears
If sync succeeds but flightctl get vuln returns no rows:
- Run `flightctl get device/<device_name> -o yaml` and confirm `status.os.imageDigest` is populated.
- Confirm Red Hat Trusted Profile Analyzer has SBOM or advisory data for those digests. See SBOM requirements for Red Hat Trusted Profile Analyzer.
- Check periodic logs for `Syncing vulnerabilities for N unique image digests`.
Feature disabled responses
If API or CLI calls return HTTP 501 Not Implemented with reason: FeatureDisabled, enable vulnerability reporting as described in Configuring vulnerability reporting.
HTTP 503 Service Unavailable indicates a transient dependency failure (for example, the database or Red Hat Trusted Profile Analyzer is unreachable), not a disabled feature.