Managing vulnerabilities

Red Hat Edge Manager 1.2

Managing vulnerabilities in Red Hat Edge Manager

Red Hat Edge Manager Documentation Team

Abstract

This document describes how to configure vulnerability reporting and view CVE data for devices and fleets in Red Hat Edge Manager.

Preface

Configure Red Hat Trusted Profile Analyzer-backed vulnerability reporting and use the web console or CLI to assess CVE risk for devices, fleets, and your entire managed estate.

Chapter 1. Vulnerability management overview

When vulnerability reporting is enabled, Red Hat Edge Manager correlates Red Hat CVE and errata data with the bootc OS images that devices report, so you can assess risk per device, fleet, or across the estate without manually matching external scan results.

1.1. How vulnerability reporting works

At a configurable interval (default: every 15 minutes), the flightctl-periodic service:

  1. Collects the distinct OS image digests reported in device status across enrolled devices.
  2. Queries the Red Hat Trusted Profile Analyzer /api/v2/vulnerability/analyze endpoint for each digest.
  3. Stores the results in the Red Hat Edge Manager database, keyed by image digest and CVE ID.

The API, CLI, and web console read from the stored findings. Vulnerability data reflects the image digest a device reports in status.os.imageDigest, not on-device runtime scanning.

For High and Critical findings, the periodic service can also record CVE lifecycle events in the event stream. See CVE lifecycle events in the Additional resources section.

Prerequisites

  • A running Red Hat Trusted Profile Analyzer instance that the flightctl-periodic service can reach over the network.
  • The Red Hat Trusted Profile Analyzer API base URL (for example, https://rhtpa.example.com).
  • If Red Hat Trusted Profile Analyzer requires authentication, an OIDC issuer URL and OAuth2 client credentials for a client-credentials grant, or a deployment that allows unauthenticated access in non-production environments.
  • Software bill of materials (SBOM) or advisory data in Red Hat Trusted Profile Analyzer for the image digests your devices run. The Red Hat Edge Manager image builder can generate compliant SBOMs automatically; you can also ingest SBOMs from CI/CD. See SBOM requirements for Red Hat Trusted Profile Analyzer in the Additional resources section.

1.2. Scope and limitations

Vulnerability reporting in release 1.2:

  • Reports vulnerabilities associated with the bootc OS image digest on each device.
  • Uses Red Hat security data surfaced through Red Hat Trusted Profile Analyzer (CVEs and errata such as RHSAs).
  • Does not perform on-device runtime scanning.
  • Does not trigger automated remediation or image updates when a CVE is detected.

For severity definitions, see Red Hat security rating classification on the Red Hat Customer Portal.

Chapter 2. Configuring vulnerability reporting

Enable vulnerability reporting, connect Red Hat Edge Manager to Red Hat Trusted Profile Analyzer, and configure authentication and sync interval for your deployment.

Prerequisites

  • You completed a Red Hat Edge Manager installation on Red Hat OpenShift Container Platform or Red Hat Enterprise Linux. See Installing Red Hat Edge Manager on Red Hat OpenShift Container Platform or Installing Red Hat Edge Manager on Red Hat Enterprise Linux in the Additional resources section.
  • You meet the prerequisites in Vulnerability management overview in the Additional resources section.

2.1. Enabling vulnerability reporting on Red Hat OpenShift Container Platform or Kubernetes

Enable vulnerability reporting by setting Helm values for Red Hat Edge Manager and configuring Red Hat Trusted Profile Analyzer authentication.

Procedure

  1. Set vulnerabilityReporting.enabled to true in your Red Hat Edge Manager Helm release values. Merge the following example with your existing configuration:

    vulnerabilityReporting Helm values

    vulnerabilityReporting:
      enabled: true
      syncInterval: "15m"
      trustify:
        endpoint: "https://rhtpa.example.com"
        auth:
          mode: "none"

  2. If Red Hat Trusted Profile Analyzer uses OAuth2 client credentials, set auth.mode to client-credentials, set oidcIssuerUrl, and reference a Kubernetes secret for the client ID and secret:

    vulnerabilityReporting:
      enabled: true
      syncInterval: "15m"
      trustify:
        endpoint: "https://rhtpa.example.com"
        auth:
          mode: "client-credentials"
          oidcIssuerUrl: "https://sso.example.com/realms/rhtpa"
          secretName: "rhtpa-credentials"

  3. Create the secret in the same namespace as the Red Hat Edge Manager release before you upgrade:

    $ kubectl create secret generic rhtpa-credentials \
      --from-literal=client_id=<client_id> \
      --from-literal=client_secret=<client_secret> \
      -n <namespace>

  4. Upgrade the Helm release so flightctl-periodic loads the new configuration. The Red Hat Trusted Profile Analyzer credentials secret is mounted only into the periodic service pod.

2.2. Enabling vulnerability reporting on Red Hat Enterprise Linux with Podman

Enable vulnerability reporting on a Red Hat Enterprise Linux deployment by editing the service configuration file and restarting the periodic service.

Procedure

  1. Edit /etc/flightctl/service-config.yaml and set the vulnerabilityReporting block:

    vulnerabilityReporting:
      enabled: true
      syncInterval: 15m
      trustify:
        endpoint: https://rhtpa.example.com
        auth:
          mode: client-credentials
          oidcIssuerUrl: https://sso.example.com/realms/rhtpa
          clientId: <client_id>
          clientSecret: <client_secret>

    Important

    Avoid storing client secrets in plain text in production. Prefer environment variable overrides described in Configuration reference.

  2. Restart the periodic service:

    $ sudo systemctl restart flightctl-periodic.service

Verification

  1. Confirm flightctl-periodic logs contain vulnerability-sync entries after the sync interval elapses.
  2. Run flightctl get vuln --summary-only after devices report an imageDigest and Red Hat Trusted Profile Analyzer has data for those digests.

For troubleshooting, see Troubleshooting vulnerability reporting.

2.3. Configuration reference

Use the following tables to configure vulnerability reporting fields and environment variable overrides for Red Hat Edge Manager.

The following table describes fields under the vulnerabilityReporting key in Helm values or /etc/flightctl/service-config.yaml.

Field                         Type      Default  Description
enabled                       boolean   false    Enables vulnerability sync and API endpoints.
syncInterval                  duration  15m      Interval between Red Hat Trusted Profile Analyzer sync runs. Use Go duration syntax (for example, 15m, 1h).
trustify.endpoint             string    -        Red Hat Trusted Profile Analyzer API base URL. Required when enabled is true.
trustify.auth.mode            string    none     Authentication mode: none or client-credentials.
trustify.auth.oidcIssuerUrl   string    -        OIDC issuer URL when mode is client-credentials.
trustify.auth.clientId        string    -        OAuth2 client ID for Podman deployments.
trustify.auth.clientSecret    string    -        OAuth2 client secret for Podman deployments.
trustify.auth.secretName      string    -        Kubernetes secret name with client_id and client_secret keys for Helm deployments.

You can override any value with environment variables on flightctl-periodic and flightctl-api:

Environment variable                                          Description
FLIGHTCTL_VULNERABILITY_REPORTING_ENABLED                     true, 1, false, or 0
FLIGHTCTL_VULNERABILITY_REPORTING_SYNC_INTERVAL               Sync interval (for example, 15m)
FLIGHTCTL_VULNERABILITY_REPORTING_TRUSTIFY_ENDPOINT           Red Hat Trusted Profile Analyzer API base URL
FLIGHTCTL_VULNERABILITY_REPORTING_TRUSTIFY_AUTH_MODE          none or client-credentials
FLIGHTCTL_VULNERABILITY_REPORTING_TRUSTIFY_OIDC_ISSUER_URL    OIDC issuer URL
FLIGHTCTL_VULNERABILITY_REPORTING_TRUSTIFY_CLIENT_ID          OAuth2 client ID
FLIGHTCTL_VULNERABILITY_REPORTING_TRUSTIFY_CLIENT_SECRET      OAuth2 client secret

Environment variables take precedence over the configuration file.

2.4. Disabling vulnerability reporting

Set vulnerabilityReporting.enabled to false in Helm values or /etc/flightctl/service-config.yaml, then redeploy or restart services.

When the feature is disabled, vulnerability API endpoints return HTTP 501 Not Implemented with reason: FeatureDisabled. The sync task does not run.

Chapter 3. SBOM requirements for Red Hat Trusted Profile Analyzer

Red Hat Trusted Profile Analyzer must have SBOM or advisory data keyed to the image digests your devices report. Red Hat Edge Manager can generate compliant SBOMs during image builds; you can also supply SBOMs from CI/CD.

3.1. SBOMs from the image builder

When you build OS images with the Red Hat Edge Manager image builder, SBOMs are generated automatically in CycloneDX JSON format with the image digest in metadata.component, so Red Hat Trusted Profile Analyzer can correlate findings with status.os.imageDigest on enrolled devices.

For image builder workflows, see Operating system images for Red Hat Edge Manager in the Additional resources section.

3.2. Manual SBOM ingestion

When you upload SBOMs to Red Hat Trusted Profile Analyzer outside the image builder, use CycloneDX JSON (version 1.4 or later). Include the image digest in metadata.component, for example:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "component": {
      "type": "container",
      "name": "quay.io/example/my-image:v1.0.0",
      "version": "v1.0.0",
      "purl": "pkg:oci/example/my-image@sha256:abc123...?repository_url=quay.io",
      "bom-ref": "pkg:oci/example/my-image@sha256:abc123..."
    }
  },
  "components": []
}

Field                     Requirement
metadata.component.type   Must be container for container images.
metadata.component.name   Full image reference (registry, name, and tag).
metadata.component.purl   OCI Package URL with digest: pkg:oci/<name>@sha256:<digest>?repository_url=<registry> in canonical (unencoded) form.

Generate SBOMs with Syft when images are built in CI/CD:

$ syft <image_reference> -o cyclonedx-json > sbom.json

Verify metadata.component.purl contains the digest before you upload the SBOM to Red Hat Trusted Profile Analyzer.
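The following script, added here as an example and not part of Red Hat Edge Manager or Red Hat Trusted Profile Analyzer, checks an SBOM's metadata.component against the requirements in the table above, including the digest check before upload, and compares the extracted digest with a device's status.os.imageDigest. The sample SBOM, its digest, and the cross-check of repository_url against the registry in metadata.component.name are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Canonical (unencoded) OCI purl from the table above:
# pkg:oci/<name>@sha256:<digest>?repository_url=<registry>
PURL_RE = re.compile(r"^pkg:oci/(?P<name>[^@?]+)@(?P<digest>sha256:[0-9a-f]{64})"
                     r"\?repository_url=(?P<registry>[^&]+)$")
# Full image reference, registry/name:tag (the registry may carry a port)
IMAGE_REF_RE = re.compile(r"^(?P<registry>[^/]+)/(?P<path>[^:@]+):(?P<tag>[^:@/]+)$")


def check_sbom_component(sbom: Dict) -> Tuple[List[str], Optional[str]]:
    """Return (problems, digest); an empty problems list means the SBOM can be correlated."""
    problems: List[str] = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be CycloneDX")
    try:
        version = tuple(int(p) for p in str(sbom.get("specVersion", "")).split("."))
    except ValueError:
        version = (0,)
    if version < (1, 4):
        problems.append("specVersion must be 1.4 or later")
    comp = sbom.get("metadata", {}).get("component", {})
    if comp.get("type") != "container":
        problems.append("metadata.component.type must be 'container'")
    ref = IMAGE_REF_RE.match(comp.get("name", ""))
    if ref is None:
        problems.append("metadata.component.name must be a full registry/name:tag reference")
    purl = comp.get("purl", "")
    if "%" in purl:
        problems.append("metadata.component.purl must be canonical (unencoded)")
    match = PURL_RE.match(purl)
    if match is None:  # no digest in the purl: findings cannot be keyed to the image
        problems.append("metadata.component.purl must carry the image digest")
        return problems, None
    if ref and match.group("registry").split("/")[0] != ref.group("registry"):
        problems.append("repository_url does not match the registry in metadata.component.name")
    return problems, match.group("digest")


def sbom_matches_device(sbom: Dict, device_status: Dict) -> bool:
    """True when a valid SBOM's digest equals the digest in the device's status.os.imageDigest."""
    problems, digest = check_sbom_component(sbom)
    return not problems and digest == device_status.get("os", {}).get("imageDigest")


# Constructed sample data; the digest is a placeholder, not a real image.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
GOOD_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [],
    "metadata": {"component": {
        "type": "container",
        "name": "quay.io/example/my-image:v1.0.0",
        "purl": f"pkg:oci/example/my-image@{SAMPLE_DIGEST}?repository_url=quay.io",
    }},
}
# Same SBOM with a tag-only purl: the digest is missing, so it fails the check.
BAD_SBOM = {**GOOD_SBOM, "metadata": {"component": {
    **GOOD_SBOM["metadata"]["component"],
    "purl": "pkg:oci/example/my-image@v1.0.0?repository_url=quay.io"}}}
```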

3.3. Red Hat Trusted Profile Analyzer instance

Deploy Red Hat Trusted Profile Analyzer so the flightctl-periodic service can reach it over HTTPS. You can run Red Hat Trusted Profile Analyzer alongside Red Hat Edge Manager or use an existing instance. See Red Hat Trusted Profile Analyzer documentation in the Additional resources section.

Chapter 4. Viewing vulnerabilities in the web console

Use the Red Hat Edge Manager web console, starting from Overview, to review estate-wide CVE data, drill into device and fleet risk, and explore impact for a specific CVE in the details panel.

Prerequisites

  • Vulnerability reporting is enabled. See Configuring vulnerability reporting in the Additional resources section.
  • You can sign in to the Red Hat Edge Manager web console.

4.1. Viewing the Security overview

Use the Red Hat Edge Manager web console to review estate-wide CVE data from the Overview dashboard.

Procedure

  1. In the navigation menu, open Overview.
  2. On the Overview dashboard, review the Security overview card. It shows the total number of active vulnerabilities and a short description noting that the CVEs affect images deployed across your managed fleets and devices.
  3. In the card, review the count for each severity band: Critical, Important, Moderate, Low, None, and Undefined.
  4. To open the full CVE list, click View all CVEs in the card header.
  5. On the Security overview page, review the paginated CVE table. The table lists Name, Severity, Affected devices, and Affected images for each CVE. CVEs are sorted by severity, with Critical listed first.
  6. Use Filter by severity or Find by name to narrow the list. Sort columns or move between pages as needed.
  7. Click a CVE Name to open the CVE details panel for that CVE.

4.2. Viewing vulnerabilities on a device

Complete the following steps to view vulnerabilities affecting a specific device.

Procedure

  1. Open Devices and select a device to open the device details page.
  2. On the device details page, review the Security overview card. It shows a paginated table of CVEs affecting the device for the image digest the device reports. Filter by severity or CVE ID and sort columns as on other vulnerability pages.
  3. To review a single CVE in the context of the device, click a CVE row.

4.3. Exploring CVE details and impact

From the Security overview page, click a CVE Name to open the CVE details panel. Complete the following steps to explore CVE details and impact.

Procedure

  1. Review the CVE header, published date, and description.
  2. Review Severity and Scanner name (findings are sourced from Red Hat Trusted Profile Analyzer).
  3. In Affected images, review the image references that carry this CVE.
  4. In the Impact summary section, review how many devices and fleets run affected images. The summary table lists Fleet name, Affected devices, and Affected images per fleet. Devices without a fleet owner appear under None.
  5. In References, follow links to related Red Hat security advisories when they are available.
  6. Click a fleet name to open that fleet’s vulnerability view and see CVEs affecting the fleet.
  7. Click the number of affected devices for a fleet to open the Devices list with those devices pre-filtered.
  8. For devices without a fleet owner, click the affected device count in the None row to open the Devices list with those devices pre-filtered.

4.4. Viewing fleet vulnerabilities

Complete the following steps to view vulnerabilities affecting a specific fleet.

Procedure

  1. Open Fleets and select a fleet, or from the Impact summary in a CVE details panel, click a fleet name.
  2. On the fleet details page, review the Security overview card. It shows a paginated table of CVEs affecting that fleet only. Filter by severity or CVE ID and sort columns as on other vulnerability pages.
  3. To review a single CVE in the context of the fleet, click a CVE row.

    When you plan remediation, distinguish fleet-managed devices from devices without a fleet owner. Use the pre-filtered Devices list from the Impact summary in the CVE details panel to reach affected devices in the None row; update those devices individually or assign them to a fleet.

Chapter 5. Viewing vulnerabilities using the CLI

Use flightctl get vuln to review CVE data for the estate, a device, a fleet, or the blast radius of a single CVE.

Prerequisites

View the estate summary

  1. Run the following command:

    $ flightctl get vuln --summary-only

    The following output is an example:

    CRITICAL  HIGH  MEDIUM  LOW  UNKNOWN  TOTAL
    3         12    45      28   2        90

List all CVEs

  1. Run the following command:

    $ flightctl get vuln
  2. To sort results, add --sort-by and --order, as in the following examples:

    $ flightctl get vuln --sort-by cvssScore --order desc
    $ flightctl get vuln --sort-by publishedAt --order desc

View device vulnerabilities

  1. Run the following command:

    $ flightctl get vuln device/<device_name>
  2. To include a severity summary before the CVE list, add --summary:

    $ flightctl get vuln device/<device_name> --summary
  3. To show only the summary, use --summary-only:

    $ flightctl get vuln device/<device_name> --summary-only

View fleet vulnerabilities

  1. Run the following command:

    $ flightctl get vuln fleet/<fleet_name>

    You can use --summary or --summary-only with fleet queries the same way as for devices.

View CVE impact

  1. To see affected fleets and device counts for one CVE, run the following command:

    $ flightctl get vuln CVE-2023-44487

    The output includes severity, CVSS score, advisory ID, a link to the Red Hat Security portal or NVD, and per-fleet affected device counts.

List devices affected by a CVE

  1. Run the following command:

    $ flightctl get devices --cve-id CVE-2023-44487
  2. To combine --cve-id with label selectors or other supported --field-selector values, use commands such as the following:

    $ flightctl get devices --cve-id CVE-2023-44487 --selector region=us-west
    $ flightctl get devices --cve-id CVE-2023-44487 --field-selector "metadata.owner notcontains Fleet/"

Output formats and pagination

Run commands such as the following:

$ flightctl get vuln -o json
$ flightctl get vuln device/<device_name> -o yaml
$ flightctl get vuln fleet/<fleet_name> -o wide
$ flightctl get vuln --limit 10 --continue <token>

View CVE lifecycle events

Run the following command:

$ flightctl get events --field-selector="reason in (DeviceVulnerabilityCVEWarning,DeviceVulnerabilityCVECritical,DeviceVulnerabilityCVEResolved)"

Chapter 6. CVE lifecycle events

When vulnerability reporting is enabled, Red Hat Edge Manager emits per-device CVE lifecycle events after each sync for High and Critical findings, which you can inspect in the event stream.

The periodic service evaluates stored findings against each device’s reported image digest and emits:

Event reason                      When it is emitted
DeviceVulnerabilityCVECritical    A Critical severity CVE affects the device’s running image digest and no unresolved Critical detection event exists for that device and CVE.
DeviceVulnerabilityCVEWarning     A High severity CVE affects the device under the same deduplication rules.
DeviceVulnerabilityCVEResolved    The condition clears because the device runs a different digest, severity drops below the event threshold, or the finding status is not_affected.

Medium, Low, and None severities do not generate lifecycle events.

Events reference the device in involvedObject and include cve_id, image_ref, and image_digest in details. A CVE marked fixed in Red Hat Trusted Profile Analyzer does not resolve the event until the device runs an image digest that is no longer affected.

Use flightctl get events with a field selector on reason to audit detections and resolutions. See View CVE lifecycle events in the Additional resources section.
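The following model, added here as an example and not Red Hat Edge Manager's own code, replays the emission rules above over constructed findings: deduplicated Critical and Warning detections, resolution when the digest changes, the severity drops below the threshold or the finding becomes not_affected, and no resolution when a CVE is merely marked fixed. The per-(device, CVE) deduplication key, the details copied onto resolved events, and the sample digests and CVE IDs are assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Event reasons per severity; Medium, Low and None are below the threshold.
EVENT_REASON = {"Critical": "DeviceVulnerabilityCVECritical",
                "High": "DeviceVulnerabilityCVEWarning"}
RESOLVED = "DeviceVulnerabilityCVEResolved"


def _active(finding: Optional[Dict]) -> bool:
    """A finding keeps an event open while it is High/Critical and not marked not_affected.
    A status of 'fixed' in Trustify does not clear it; only a new digest or not_affected does."""
    return (finding is not None and finding["severity"] in EVENT_REASON
            and finding.get("status") != "not_affected")


class LifecycleTracker:
    """Replays the per-device evaluation the periodic service performs after each sync.

    Assumptions (not stated on the page): deduplication is keyed by (device, cve_id),
    resolved events copy the detection's details, and an unknown device is left untouched."""

    def __init__(self) -> None:
        self.open: Dict[Tuple[str, str], Dict] = {}  # unresolved detection events

    def evaluate(self, devices: Dict[str, str], findings: Dict[str, List[Dict]]) -> List[Dict]:
        """devices: device name -> status.os.imageDigest
        findings: image digest -> stored findings {cve_id, severity, status, image_ref}
        Returns the events emitted by this sync, in emission order."""
        events: List[Dict] = []
        # Resolutions first: the device moved to a clean digest, the severity dropped
        # below the threshold, or the finding became not_affected.
        for (device, cve_id), opened in list(self.open.items()):
            if device not in devices:
                continue
            current = next((f for f in findings.get(devices[device], [])
                            if f["cve_id"] == cve_id), None)
            if not _active(current):
                del self.open[(device, cve_id)]
                events.append({"reason": RESOLVED, "involvedObject": device,
                               "details": dict(opened["details"])})
        # New detections, deduplicated against still-open events.
        for device, digest in devices.items():
            for f in findings.get(digest, []):
                if not _active(f) or (device, f["cve_id"]) in self.open:
                    continue
                event = {"reason": EVENT_REASON[f["severity"]], "involvedObject": device,
                         "details": {"cve_id": f["cve_id"], "image_ref": f["image_ref"],
                                     "image_digest": digest}}
                self.open[(device, f["cve_id"])] = event
                events.append(event)
        return events


# Constructed sample data; digests and CVE IDs are placeholders.
DIGEST_A = "sha256:" + "aa" * 32
DIGEST_B = "sha256:" + "bb" * 32
FINDINGS = {DIGEST_A: [
    {"cve_id": "CVE-0000-0001", "severity": "Critical", "status": "affected", "image_ref": "quay.io/example/os:1"},
    {"cve_id": "CVE-0000-0002", "severity": "Medium", "status": "affected", "image_ref": "quay.io/example/os:1"},
]}
```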

Additional resources

Chapter 7. Troubleshooting vulnerability reporting

Diagnose missing CVE data, sync failures, and disabled API responses for vulnerability reporting.

Sync is not running

  1. Confirm vulnerabilityReporting.enabled is true in the configuration used by flightctl-periodic.
  2. Confirm vulnerabilityReporting.trustify.endpoint is set and reachable from the periodic service host or pod.
  3. Review periodic service logs for lines containing vulnerability-sync.

Authentication errors

If logs report Red Hat Trusted Profile Analyzer authentication errors:

  1. Verify trustify.auth.mode is none or client-credentials as appropriate.
  2. For client-credentials, confirm the OIDC issuer URL is reachable and that <oidcIssuerUrl>/.well-known/openid-configuration is accessible from the periodic service.
  3. Verify the client ID and secret in the Kubernetes secret or environment variables.

No vulnerability data appears

If sync succeeds but flightctl get vuln returns no rows:

  1. Run flightctl get device/<device_name> -o yaml and confirm status.os.imageDigest is populated.
  2. Confirm Red Hat Trusted Profile Analyzer has SBOM or advisory data for those digests. See SBOM requirements for Red Hat Trusted Profile Analyzer.
  3. Check periodic logs for Syncing vulnerabilities for N unique image digests.

Feature disabled responses

If API or CLI calls return HTTP 501 Not Implemented with reason: FeatureDisabled, enable vulnerability reporting as described in Configuring vulnerability reporting.

HTTP 503 Service Unavailable indicates a transient dependency failure (for example, the database or Red Hat Trusted Profile Analyzer is unreachable), not a disabled feature.

Legal Notice

Copyright © Red Hat.
Except as otherwise noted below, the text of and illustrations in this documentation are licensed by Red Hat under the Creative Commons Attribution–Share Alike 3.0 Unported license. If you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, the Red Hat logo, JBoss, Hibernate, and RHCE are trademarks or registered trademarks of Red Hat, LLC. or its subsidiaries in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS is a trademark or registered trademark of Hewlett Packard Enterprise Development LP or its subsidiaries in the United States and other countries.
The OpenStack® Word Mark and OpenStack logo are trademarks or registered trademarks of the Linux Foundation, used under license.
All other trademarks are the property of their respective owners.