Chapter 4. Known issues
Resolved known issues for this release of Red Hat Trusted Profile Analyzer (RHTPA):
A list of unresolved known issues found in this release:
- License information does not comply with SPDX specification standards
- The embedded license information within a package or component of a Software Bill of Materials (SBOM) does not comply with the SPDX specification standards. Because of this issue, RHTPA marks the package URL license details as `NOASSERTION`. Currently, there is no workaround for this issue.
- A custom Quay source with a self-signed certificate does not import data
- When you set a custom Quay source with a self-signed certificate, the data is not imported into RHTPA. This is because the trust anchor for data importers is missing. Currently, there is no workaround for this issue.
- An `IncompleteBody` error when using OpenShift Data Foundation
- Red Hat’s OpenShift Data Foundation does not support the compression logic that uses the `aws-sdk` Rust client. When using OpenShift Data Foundation as an object store for RHTPA, you can get a 409 response code, along with an `IncompleteBody` error message. This issue resides within the OpenShift Data Foundation code base. To work around this issue, we removed the compression logic capability from RHTPA’s source code when using OpenShift Data Foundation. With this workaround, Software Bill of Materials (SBOM) and Vulnerability Exploitability eXchange (VEX) documents upload without errors.
- The `rhtpa-operator-controller-manager` pod is in a reconciliation loop
- The `rhtpa-operator-controller-manager` pod keeps going into a reconciliation loop each time after updating the server or a resource. This makes manual changes impossible, because they conflict with the configuration updates done automatically during reconciliation. This also causes the logs to fill up with a line every second for each new reconciliation trigger event. Currently, there is no workaround for this issue.
- Large number of vulnerabilities reported
- The logic that correlates vulnerability data between advisories and large Software Bill of Materials (SBOM) documents can cause pages to load slowly and to display a large number of vulnerabilities. Currently, there is no workaround for this issue.
- Searching by SBOM version gives inconsistent results
- When using Software Bill of Materials (SBOM) version numbers as search criteria, you can get inconsistent results. In some cases, the search engine finds SBOMs that have the version number in the file name or in the `document_id` field. In other cases, the search engine finds no matching SBOM versions, even with a valid SBOM version number. There is currently no workaround for this issue.
- Remote server connection drops on bulk uploads that use the API
- When uploading a compressed SBOM document by using the RHTPA API, for example, a 350 MB compressed file, the connection to the remote RHTPA service can drop. This causes a partial upload of the files. To work around this issue, split the larger SBOM document into smaller files, for example, compressed files roughly 10-20 MB in size. This allows the upload to finish successfully.
- Vulnerability information cannot be deleted by using the API
- Using the RHTPA API to delete vulnerabilities and Common Vulnerabilities and Exposures (CVE) information returns a foreign key constraint error message. With this release, we added a `Not implemented` message in the return code. In a future release, we are going to deprecate this delete function.
- No support for CPE version 2.3
- The Common Platform Enumeration (CPE) specification and Software Bill of Materials (SBOM) documents formatted with string bindings do not render properly in the RHTPA console or when exporting license information. There is currently no workaround for this issue.
- Trusted Profile Analyzer 2.0 requires Helm version 3.17 or later
- To install RHTPA 2.0 and later, you must use Helm version 3.17 or later to deploy the Trusted Profile Analyzer service on the Red Hat OpenShift Container Platform.
- No support for CVSS v4 scores
- Currently, there is no support for Common Vulnerability Scoring System (CVSS) version 4 scores in RHTPA.
- Advisories with an environmental or temporal score fail to upload
- A Common Security Advisory Framework (CSAF) document with a Common Vulnerability Scoring System (CVSS) vector that includes an environmental or temporal score can fail when uploading it to RHTPA. Because of this upload failure, you cannot see the advisory within the RHTPA console. Currently, there is no workaround for this issue.
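As an added pre-upload check (example code written for this page, not part of RHTPA), the following Python walks a CSAF document's `vulnerabilities[].scores[]` entries and flags every CVSS v3.x or v2 vector string that carries temporal or environmental metrics, so the advisories affected by the upload issue above can be identified before they are sent. The CSAF fragment and its CVE identifiers are constructed placeholders; the metric key sets come from the CVSS v2 and v3.x specifications.

```python
import json

# Metric keys outside the CVSS Base group. Any of these in a vector string
# means the advisory carries a temporal or environmental score.
TEMPORAL_KEYS = {"E", "RL", "RC"}
ENVIRONMENTAL_KEYS = {
    "CR", "IR", "AR",                                    # v2 and v3.x requirements
    "CDP", "TD",                                         # v2 only
    "MAV", "MAC", "MPR", "MUI", "MS", "MC", "MI", "MA",  # v3.x modified base
}


def non_base_metrics(vector):
    """Return the temporal/environmental metric keys present in a CVSS vector."""
    # A v3.x vector starts with "CVSS:3.1"; its key "CVSS" matches no metric set.
    keys = {part.split(":", 1)[0] for part in vector.split("/") if ":" in part}
    return keys & (TEMPORAL_KEYS | ENVIRONMENTAL_KEYS)


def find_non_base_scores(csaf):
    """Report (cve, score_key, vector, metrics) for each vector in
    /vulnerabilities[*]/scores[*] that is not base-only."""
    hits = []
    for vuln in csaf.get("vulnerabilities", []):
        cve = vuln.get("cve", "<no cve>")
        for score in vuln.get("scores", []):
            for key in ("cvss_v3", "cvss_v2"):
                vector = score.get(key, {}).get("vectorString")
                if not vector:
                    continue
                extra = non_base_metrics(vector)
                if extra:
                    hits.append((cve, key, vector, sorted(extra)))
    return hits


# Constructed sample: placeholder CVE ids; the first vector adds temporal
# (E/RL/RC) and environmental (CR/MAV) metrics, the second is base-only.
SAMPLE_CSAF = json.loads("""{
  "document": {"title": "constructed sample advisory"},
  "vulnerabilities": [
    {"cve": "CVE-0000-00001", "scores": [{"products": ["example-product"],
      "cvss_v3": {"version": "3.1",
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:H/MAV:A"}}]},
    {"cve": "CVE-0000-00002", "scores": [{"products": ["example-product"],
      "cvss_v3": {"version": "3.1",
        "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"}}]}
  ]}""")

if __name__ == "__main__":
    for cve, key, vector, metrics in find_non_base_scores(SAMPLE_CSAF):
        print(f"{cve} {key}: {vector} -> non-base metrics {metrics}")
```

Run it against a real CSAF file by replacing `SAMPLE_CSAF` with `json.load(open(path))`; any reported entry is an advisory that this release cannot upload until the temporal and environmental metrics are removed from its vector.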