Amazon Inspector2 - Is it possible to create a suppression rule for issues that don't have a remediation available yet?

Question

At the moment, most of my "High" findings are kernel issues that don't have a remediation yet. i.e. there is no kernel to be installed that fixes the issue. Is there a way to create a rule to suppress these issues? They all have the same text in Remediation field

"Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."

An example CVEs https://access.redhat.com/security/cve/CVE-2021-40490.

I could add a rule for each one individually based on the CVE name or ID. However that isn't really a scalable solution.  I also want them to be shown again when there is a remediation available and hasn't been applied yet.

The most ideal solution would be to just have a view that only shows issues that can be remediated instead of having suppression rules for them.

Answer

FWIW, I managed to clear out a lot of these issues by deleting all old 4.14 kernels that weren't active.

### To upgrade 4.4. to 5.10
- sudo  amazon-linux-extras enable kernel-5.10
- sudo yum clean metadata
- sudo yum install -y kernel
- sudo reboot
- ....
- ssh ...
- sudo yum update -y

### To delete all non active kernels
- sudo rpm -q kernel #see which other kernel packages are installed.
- sudo package-cleanup --oldkernels --count=1 # Remove non active kernels. This was key to clear out all the issues.

I think it would be kindof nice if the package error for kernels indicated it was the non-active kernel causing the issues. I had thought the issues were stale and they would eventually go away. Not so. Need to delete the non active kernel packages.

Amazon Inspector2 - Is it possible to create a suppression rule for issues that don't have a remediation available yet?

To upgrade 4.4. to 5.10

To delete all non active kernels

Contenido relevante