Vulnerability management

Hello,

What is the Percona position on vulnerability management and disclosure, and are there any plans to tie this into recognised sources like the National Vulnerability Database etc.?

The reason I ask is that no vulnerabilities will be shown for Percona Server for MongoDB (PSMDB) in common security tooling like Nessus, Wiz etc., which many companies require for compliance and remediation.

I see forum posts ( Security Advisory: Percona Server for MongoDB 🚨 , MongoBleed Impact and Mitigation: How to Protect Your MongoDB Servers ) and blogs, which is great, but not an ideal source for critical vulnerability management.

I’ve scoured the GitHub docs, Jira and this forum but couldn’t find any authoritative information on the approach.

I can see some past forum posts on this but not specific to MongoDB.

There are also a number of posts asking if a product contains a CVE, which could potentially be solved by reporting.

Thanks,

William

Hello William,

Welcome to our community and thank you for raising this excellent point. Everything you stated is correct.

We are actively working on standardizing our build pipelines to include SBOMs (Software Bill of Materials) and later also VEX (Vulnerability Exploitability eXchange) documentation. Providing these machine-readable files will allow modern tools like Nessus or Wiz to accurately ingest what code is inside PSMDB and evaluate its true vulnerability status regardless of the package name. SBOMs should be available in our next releases, VEX soon after.

We also plan to work with the NVD to ensure Percona’s specific Common Platform Enumerations are recognized and accurately associated with upstream equivalents during CVE assignments.

Hope that helps.
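To make concrete how an SBOM plus a VEX document lets a scanner judge a rebuilt product "regardless of the package name", here is an added illustration that is not Percona's tooling or any scanner's real implementation. It assumes a CycloneDX-like SBOM whose components carry package URLs (purls), an advisory feed keyed by the same purls, and an OpenVEX-like statement from the vendor; all JSON, version numbers and CVE ids below are constructed placeholders, not real vulnerabilities.

```python
"""Toy SBOM + VEX reconciliation (constructed example, not Percona's code).

1. Match SBOM components to advisories by purl, not by distro package name,
   so a rebuilt/renamed package still maps to its upstream component.
2. Apply vendor VEX statements so findings analysed as not_affected are
   demoted, leaving only actionable ones.
"""
import json

# Constructed SBOM in a CycloneDX-like shape. The purl is what identifies the
# upstream component; the distribution package name is irrelevant to matching.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {
        "name": "percona-server-mongodb",           # distro package name
        "version": "7.0.0-0",
        "purl": "pkg:generic/percona-server-mongodb@7.0.0-0",
    }},
    "components": [
        {"name": "mongo", "version": "7.0.0", "purl": "pkg:github/mongodb/mongo@7.0.0"},
        {"name": "openssl", "version": "3.0.2", "purl": "pkg:generic/openssl@3.0.2"},
    ],
})

# Constructed advisory feed. CVE ids are placeholders, NOT real vulnerabilities.
ADVISORIES = [
    {"id": "CVE-0000-00001", "purl": "pkg:github/mongodb/mongo", "fixed_in": "7.0.1"},
    {"id": "CVE-0000-00002", "purl": "pkg:generic/openssl", "fixed_in": "3.0.3"},
    {"id": "CVE-0000-00003", "purl": "pkg:generic/openssl", "fixed_in": "3.0.2"},  # already fixed
]

# Constructed VEX document (OpenVEX-like shape): the vendor states the first
# placeholder CVE does not apply to this product build.
VEX_JSON = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "statements": [{
        "vulnerability": {"name": "CVE-0000-00001"},
        "products": [{"@id": "pkg:generic/percona-server-mongodb@7.0.0-0"}],
        "status": "not_affected",
        "justification": "vulnerable_code_not_present",
    }],
})


def parse_version(v):
    """Turn '7.0.1' or '7.0.0-0' into a comparable tuple of ints (toy semver)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.replace("-", ".").split("."))


def purl_base(purl):
    """Strip the '@version' suffix so purls compare on the component identity."""
    return purl.split("@", 1)[0]


def raw_findings(sbom_json, advisories):
    """Findings a scanner would raise from the SBOM alone (no VEX applied)."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["purl"] == purl_base(comp["purl"]) and \
                    parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append({"cve": adv["id"], "component": comp["name"],
                                 "version": comp["version"], "status": "affected"})
    return findings


def apply_vex(findings, vex_json, product_purl):
    """Overlay VEX status on findings, only for statements scoped to this product."""
    statements = {}
    for stmt in json.loads(vex_json)["statements"]:
        if any(p["@id"] == product_purl for p in stmt["products"]):
            statements[stmt["vulnerability"]["name"]] = stmt
    triaged = []
    for f in findings:
        stmt = statements.get(f["cve"])
        if stmt:
            f = dict(f, status=stmt["status"], justification=stmt.get("justification"))
        triaged.append(f)
    return triaged


def actionable(findings):
    """What remediation should actually track after VEX triage."""
    return [f for f in findings if f["status"] in ("affected", "under_investigation")]


if __name__ == "__main__":
    product = json.loads(SBOM_JSON)["metadata"]["component"]["purl"]
    triaged = apply_vex(raw_findings(SBOM_JSON, ADVISORIES), VEX_JSON, product)
    for f in triaged:
        print(f)
    print("actionable:", [f["cve"] for f in actionable(triaged)])
```

The point the reply makes shows up in the two stages: without the purl in the SBOM, a scanner keyed on the name `percona-server-mongodb` would find nothing, and without the VEX overlay it would report every upstream advisory as applicable even where the vendor build is not affected.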