Initial version of the containerinfo object, state and item XSD

[mpreisler]

Request for comments.

I am designing a new OVAL test that queries container image properties. There are two main uses cases of such a test:

• container image CVE feed
  • check that the image is signed and is coming from a trusted source, check the labels to figure out if there is a known vulnerability inside it
• generic container image checking
  • check labels for anti-patterns
  • check that all images are coming from some authoritative registry
  • ...

Personally I am more interested in the first use-case but I want to make the test powerful enough to satisfy both.

Example workflow for the container image CVE feed workflow:

• query all technology=docker images with Label Authoritative_Registry=registry.access.redhat.com and Label name=rhel7/sssd, signed by $REDHAT_key
• combine Version and Release labels and compare the images with a states of vulnerable images

This is very similar to the RPM CVE feed workflow. My main issue is how to make this vendor neutral and generic, especially the part about combining Version and Release labels. Other vendors may do this in other ways, these two particular labels don't even have to be present. At the same time I need a simple way to do the piece-wise comparison, a lexical comparison won't do. Any ideas here are welcome.

[solind]

Hi Martin, have you reviewed the Docker schema that was subsequently proposed? Can the proposals be combined?

[mpreisler]

Hi @solind,
yes, that is our plan. See #151