Vulnerability Scanning and Patch Management

Last modified 01 Jun 2026 13:39 +02:00

Overview

Vulnerability scanning is performed automatically using the OWASP Dependency-Track tool to detect known vulnerabilities in the dependencies of midPoint itself and its connectors, and in container images, including the operating system layer of the image.

Our response strategy depends on where the vulnerability is located, and whether the finding is relevant in practice.

For vulnerabilities found in midPoint, findings with High and Critical severity are analyzed for their actual impact. These are scheduled for fixing in the next planned maintenance release whenever possible. If the impact is assessed as critical or otherwise high-risk, a midPoint security release may be issued sooner. Lower-severity issues are also addressed through regular dependency updates.

For vulnerabilities affecting the OS layers of container images, we mainly fix findings with High and Critical severity. The evaluation is based mainly on CVSS and EPSS values. If the defined thresholds are exceeded and a fix is available, a new container image is released. The midPoint version and container image tag remain unchanged.

If no patch is yet available, the situation is assessed individually and temporary mitigations may be applied until an updated base image becomes available.

Container nightly builds always use the latest available base images.

Some vulnerabilities reported by multiple scanners can actually be false positives, or their impact in midPoint is smaller than reported. To minimize duplicate reporting, such a vulnerability may be documented on the False positives and residual vulnerabilities page until it is eliminated in a later update.
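The triage decisions described above, as an added Python example that is not Evolveum's own tooling: the threshold values, the simplified finding record, and the rule that exceeding either the CVSS or the EPSS threshold counts are assumptions, since the page does not publish them.

```python
from dataclasses import dataclass

# Assumed thresholds: the page says CVSS/EPSS thresholds exist but does not
# publish their values, so these are illustrative placeholders.
CVSS_THRESHOLD = 7.0   # CVSS v3.x "High" begins at 7.0
EPSS_THRESHOLD = 0.10  # assumed exploitation-probability cutoff

@dataclass
class Finding:
    """One scanner finding in a constructed, simplified shape (not the Dependency-Track API format)."""
    cve: str
    layer: str            # "midpoint" (product or connector dependency) or "os" (image base layer)
    severity: str         # "LOW", "MEDIUM", "HIGH" or "CRITICAL"
    cvss: float
    epss: float           # probability in 0.0 .. 1.0
    fix_available: bool
    false_positive: bool = False

def triage(f: Finding) -> str:
    """Map a finding to the action the page describes for its location and severity."""
    if f.false_positive:
        return "document"           # recorded on the false positives / residual page
    serious = f.severity in ("HIGH", "CRITICAL")
    if f.layer == "midpoint":
        # High/Critical: impact analysis, fix in next maintenance (or security) release;
        # lower severities ride along with regular dependency updates.
        return "analyze-and-schedule" if serious else "dependency-update"
    if f.layer == "os":
        # OS-layer work focuses on High/Critical findings that exceed the thresholds.
        if not serious or (f.cvss < CVSS_THRESHOLD and f.epss < EPSS_THRESHOLD):
            return "track"
        # Threshold exceeded: rebuild the image (same tag) if upstream shipped a fix,
        # otherwise assess individually and consider a temporary mitigation.
        return "rebuild-image" if f.fix_available else "assess-mitigate"
    raise ValueError(f"unknown layer: {f.layer}")

# Constructed sample findings; the CVE ids are placeholders, not real advisories.
SAMPLE = [
    Finding("CVE-0000-0001", "os", "CRITICAL", 9.8, 0.40, fix_available=True),
    Finding("CVE-0000-0002", "os", "HIGH", 7.5, 0.02, fix_available=False),
    Finding("CVE-0000-0003", "os", "MEDIUM", 5.3, 0.01, fix_available=True),
    Finding("CVE-0000-0004", "midpoint", "HIGH", 8.1, 0.05, fix_available=True),
    Finding("CVE-0000-0005", "midpoint", "LOW", 3.1, 0.00, fix_available=True),
    Finding("CVE-0000-0006", "midpoint", "CRITICAL", 9.1, 0.30, True, false_positive=True),
]

def triage_all(findings=SAMPLE) -> dict:
    """Return {cve: action} for a batch of findings."""
    return {f.cve: triage(f) for f in findings}
```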

SBOM information

Should you be interested in the scanning results, let us know at security@evolveum.com and we will provide you with the latest report.
