Artifact Analysis severity levels, controls and mitigations

Hi all

I came across this link https://cloud.google.com/artifact-analysis/docs/ods-cloudbuild#build_and_scan which provides an approach to block the build of packages with higher severity vulnerabilities. This is great!

However, my question is: what are generally the steps to be taken when the severity is HIGH, for a package that is already used in a productionised solution and there's no way to remove the package from the solution?

2 ACCEPTED SOLUTIONS

Hi @bihagkashikar,

Welcome to Google Cloud Community!

  • When a HIGH severity vulnerability is found in a package used in a productionized solution, you need to assess the risk, implement mitigation controls, monitor the situation, and have a plan for remediation.
  • You can also work with the package vendor, consider using a vulnerability management tool, and educate your team about security best practices.

The risk of a high-severity vulnerability in a production system when immediate removal of the package is not possible.

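One way to make the steps above (assess the risk, put a compensating control in place, keep a remediation plan with a deadline) enforceable in the Artifact Analysis scan gate from the question, as an added example that is not code from this thread or from Google: the build fails on CRITICAL, and fails on HIGH unless the CVE has an unexpired, documented risk acceptance for the affected package. The occurrence field names (`vulnerability.effectiveSeverity`, `vulnerability.shortDescription`, `vulnerability.packageIssue`) follow the Artifact Analysis occurrence format; the register layout, the CVE ids and the sample findings are constructed for the example.

```python
import json
from datetime import date

# Severity order of the effectiveSeverity values Artifact Analysis reports.
SEVERITY_RANK = {"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample of two occurrences in the shape returned by
# `gcloud artifacts docker images list-vulnerabilities SCAN_ID --format=json`
# (only the fields this gate reads are included; CVE ids are placeholders).
SAMPLE_OCCURRENCES = json.dumps([
    {"vulnerability": {"effectiveSeverity": "HIGH",
                       "shortDescription": "CVE-0000-0001",
                       "packageIssue": [{"affectedPackage": "examplelib",
                                         "fixAvailable": False}]}},
    {"vulnerability": {"effectiveSeverity": "MEDIUM",
                       "shortDescription": "CVE-0000-0002",
                       "packageIssue": [{"affectedPackage": "otherlib",
                                         "fixAvailable": True}]}},
])

# Constructed risk-acceptance register: the "plan for remediation" made explicit.
# Each entry names the compensating control, an owner and an expiry date; once
# the entry expires it no longer suppresses the finding, so the gate re-opens.
SAMPLE_REGISTER = {
    "CVE-0000-0001": {"package": "examplelib",
                      "control": "service not reachable from untrusted networks",
                      "owner": "platform-team", "expires": "2099-01-01"},
}

def evaluate_gate(occurrences_json, register, today_iso, fail_at="HIGH"):
    """Return (passed, blocking, accepted) for one scan.

    blocking: findings at or above fail_at with no valid acceptance.
    accepted: findings suppressed by an unexpired register entry.
    CRITICAL findings can never be accepted through the register.
    """
    today = date.fromisoformat(today_iso)
    threshold = SEVERITY_RANK[fail_at]
    blocking, accepted = [], []
    for occ in json.loads(occurrences_json):
        vuln = occ["vulnerability"]
        sev = vuln.get("effectiveSeverity", "MINIMAL")
        cve = vuln.get("shortDescription", "")
        pkgs = {p.get("affectedPackage") for p in vuln.get("packageIssue", [])}
        if SEVERITY_RANK.get(sev, 0) < threshold:
            continue  # below the gate threshold: report elsewhere, do not block
        entry = register.get(cve)
        valid = (entry is not None and sev != "CRITICAL"
                 and entry["package"] in pkgs
                 and date.fromisoformat(entry["expires"]) >= today)
        (accepted if valid else blocking).append((cve, sev, sorted(pkgs)))
    return (not blocking), blocking, accepted
```

In a Cloud Build step the JSON would come from the scan result written by the previous step, and a non-empty `blocking` list would end the step with `exit 1`.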

@christianpaula thank you for your note.

This is exactly my question on your comment: "you need to assess the risk, implement mitigation controls, monitor the situation, and have a plan for remediation".

What are the Google-recommended steps that one can carry out? Consider this: what happens if there's a vulnerability identified in the Google Cloud Python library https://github.com/googleapis/google-cloud-python? Google Cloud must be taking some steps to mitigate the issue?

