From 50d354b452ee5bd633f3bf0a61b56a95dd90ef44 Mon Sep 17 00:00:00 2001 From: Tian Wang <133085652+aws-tianquaw@users.noreply.github.com> Date: Wed, 5 Jun 2024 16:10:13 -0700 Subject: [PATCH 1/2] Add security vulnerability FAQs to README.md --- README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.md b/README.md index 2e275ed9..3113ab66 100644 --- a/README.md +++ b/README.md 
@@ -142,6 +142,16 @@ For more info on the FIPS provider see: https://github.com/openssl/openssl/blob/ ## Security +### What is the image security vulnerability scanning process? +SageMaker Distribution images have ECR enhanced scanningenabled for detecting Common Vulnerabilities and Exposures (CVE). CVE is a list of publicly known information about security vulnerability and exposure. The National Vulnerability Database (NVD) provides CVE details such as severity, impact rating, and fix information. Both CVE and NVD are available for public consumption and free for security tools and services to use. For more information, see CVE Frequently Asked Questions (FAQs). The scan will be executed continuously for all actively supported image versions, and SageMaker will release new image versions to fix the CVEs based on the scanning results. + +### How are security issues fixed? +SageMaker team will regularly release new image version with fixes to the security issues. If the security fix requires a minor or major version release, SageMaker team may release ad-hoc versions with the fix. Once a new image version is released, the actively supported image versions will be updated with the latest supported image version information. You will then be able to pull the latest images with security fixes from our ECR repositories. + +### Can I still access the older image versions once a newer image version is released? +We don't take down images once they are released as they would be used by customers and we don't break customers at runtime by removing products. You will still be able to pull older images from our ECR repositories. However, it is highly recommended for you to consume the latest image versions to obtain the most up-to-date functionalities, security patches, and more. + + See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information. ## License From 2a3c0b37612bfe556cc5e13c06084daa15009eca Mon Sep 17 00:00:00 2001 
From: Tian Wang <133085652+aws-tianquaw@users.noreply.github.com> Date: Wed, 5 Jun 2024 16:15:09 -0700 Subject: [PATCH 2/2] Minor fix as we have not added a table including supported image versions. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3113ab66..f0b1223c 100644 --- a/README.md +++ b/README.md 
@@ -146,7 +146,7 @@ For more info on the FIPS provider see: https://github.com/openssl/openssl/blob/ SageMaker Distribution images have ECR enhanced scanningenabled for detecting Common Vulnerabilities and Exposures (CVE). CVE is a list of publicly known information about security vulnerability and exposure. The National Vulnerability Database (NVD) provides CVE details such as severity, impact rating, and fix information. Both CVE and NVD are available for public consumption and free for security tools and services to use. For more information, see CVE Frequently Asked Questions (FAQs). The scan will be executed continuously for all actively supported image versions, and SageMaker will release new image versions to fix the CVEs based on the scanning results. ### How are security issues fixed? -SageMaker team will regularly release new image version with fixes to the security issues. If the security fix requires a minor or major version release, SageMaker team may release ad-hoc versions with the fix. Once a new image version is released, the actively supported image versions will be updated with the latest supported image version information. You will then be able to pull the latest images with security fixes from our ECR repositories. +SageMaker team will regularly release new image version with fixes to the security issues. If the security fix requires a minor or major version release, SageMaker team may release ad-hoc versions with the fix. Once a new image version is released, you will be able to pull the latest images with security fixes from our ECR repositories. ### Can I still access the older image versions once a newer image version is released? We don't take down images once they are released as they would be used by customers and we don't break customers at runtime by removing products. You will still be able to pull older images from our ECR repositories. 
However, it is highly recommended for you to consume the latest image versions to obtain the most up-to-date functionalities, security patches, and more.
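Review bot: in the first commit's hunk, the new `### What is the image security vulnerability scanning process?` paragraph has a missing space in `ECR enhanced scanningenabled`, and `For more information, see CVE Frequently Asked Questions (FAQs).` names a reference without linking it, while the surrounding README does link external references (the OpenSSL FIPS URL in the hunk header); add the link or drop the pointer. The `### How are security issues fixed?` answer also states that `the actively supported image versions will be updated with the latest supported image version information`, which presumes a supported-versions table this README does not have (the second commit's subject confirms it has not been added), and nothing in the added text tells a reader how to determine whether the image tag they pin is still among the versions being scanned and patched; state where that list lives or how a version's support status can be identified. Minor grammar in the same hunk: `security vulnerability and exposure` reads better as `security vulnerabilities and exposures`, and `SageMaker team will regularly release new image version` as `The SageMaker team will regularly release new image versions`. The inserted block also ends with two blank `+` lines before `See [CONTRIBUTING]`, where one blank line would match the spacing of the rest of the section.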
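Review bot: in the second commit's hunk, the replacement sentence `Once a new image version is released, you will be able to pull the latest images with security fixes from our ECR repositories.` rightly removes the dependency on a supported-versions table that does not exist, but the unchanged context line above it still says `The scan will be executed continuously for all actively supported image versions`, so the FAQ still rests on a notion of "actively supported" that the README never defines; either say how a user checks whether a given version is still supported and scanned, or add the table and link it from here. While this paragraph is being edited, `SageMaker team will regularly release new image version with fixes to the security issues` could become `The SageMaker team will regularly release new image versions with fixes for security issues`, and the `scanningenabled` typo in the context line above is still present after this change.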