Bug
Resolution: Unresolved
Normal
clair-4.7.3, claircore-1.5.22
It was brought up by prodsec that Clair may report false positives for some non-rpm content that Red Hat patches. The scenario is this: a container built by RH contains a vulnerability that originates in non-RH content inside the container (for example, an OSV advisory that addresses Grafana). RH patches the vulnerability and releases a new tag for the container. Unless the RH patchers have also changed the package version so that it no longer matches the advisory's affected range, Clair will keep reporting the vulnerability, because the package's metadata/version still identifies it as vulnerable.
While trying to find an example to add to this issue I was looking at https://catalog.redhat.com/software/containers/rhel8/grafana/5edf9c35dd19c7063a62aff6, Clair detects the grafana package as follows:
```json
"4128": { "id": "4128", "name": "github.com/grafana/grafana", "version": "(devel)", "kind": "binary", "source": { "id": "1", "name": "", "version": "" } },
```
Presumably Go is detecting that the code has been modified and no longer represents the original Grafana version (7.5.15), hence `(devel)`; this means Clair will never match it to a vulnerability.
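The two failure modes described on this issue (a rebuilt image whose package version is unchanged still matches the advisory's range, and a Go binary reporting `(devel)` never matches anything) can be shown with a small range matcher. The code below is an added example written for this issue, not Clair's or claircore's own matching code: the `Advisory`, `Range` and `Package` types, the advisory ID `EXAMPLE-0001` and the fixed version `v7.5.16` are constructed placeholders, and only the package name `github.com/grafana/grafana`, the release `7.5.15` and the `(devel)` marker come from the issue text. It assumes an OSV-style SEMVER range, where a version is affected if `introduced <= v < fixed`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Package is a minimal stand-in for the package record an indexer emits
// for a Go binary: module path plus the version baked into the binary.
type Package struct {
	Name    string
	Version string
}

// Range mirrors one OSV SEMVER event pair: affected if Introduced <= v < Fixed.
// An empty Fixed means "no fix yet"; Introduced "0" means "from the beginning".
type Range struct {
	Introduced string
	Fixed      string
}

// Advisory is a constructed OSV-style record (placeholder ID and range).
type Advisory struct {
	ID      string
	Package string
	Ranges  []Range
}

// SampleAdvisory returns a constructed advisory for the Grafana module path
// seen in the issue. The fixed version v7.5.16 is an assumption for the example.
func SampleAdvisory() Advisory {
	return Advisory{
		ID:      "EXAMPLE-0001",
		Package: "github.com/grafana/grafana",
		Ranges:  []Range{{Introduced: "0", Fixed: "v7.5.16"}},
	}
}

// parseSemver accepts "0", "MAJOR.MINOR.PATCH" or "vMAJOR.MINOR.PATCH".
// Anything else, including Go's "(devel)" marker, is reported as unparseable.
func parseSemver(s string) (parts [3]int, ok bool) {
	if s == "0" {
		return parts, true
	}
	fields := strings.Split(strings.TrimPrefix(s, "v"), ".")
	if len(fields) != 3 {
		return parts, false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return parts, false
		}
		parts[i] = n
	}
	return parts, true
}

// compare orders two parsed versions: -1, 0 or 1.
func compare(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// Match reports whether pkg falls inside any affected range of adv.
// A version that cannot be parsed (e.g. "(devel)") never matches, which is
// the false-negative side of the issue; a patched rebuild that keeps the
// old version string still matches, which is the false-positive side.
func Match(adv Advisory, pkg Package) bool {
	if pkg.Name != adv.Package {
		return false
	}
	v, ok := parseSemver(pkg.Version)
	if !ok {
		return false
	}
	for _, r := range adv.Ranges {
		lo, ok := parseSemver(r.Introduced)
		if !ok || compare(v, lo) < 0 {
			continue
		}
		if r.Fixed == "" {
			return true
		}
		if hi, ok := parseSemver(r.Fixed); ok && compare(v, hi) < 0 {
			return true
		}
	}
	return false
}

func main() {
	adv := SampleAdvisory()
	for _, p := range []Package{
		{"github.com/grafana/grafana", "v7.5.15"}, // original or patched-but-unchanged version
		{"github.com/grafana/grafana", "v7.5.16"}, // version bumped to the fix
		{"github.com/grafana/grafana", "(devel)"}, // Go build from modified source, as in the issue
	} {
		fmt.Printf("%-28s %-8s vulnerable=%v\n", p.Name, p.Version, Match(adv, p))
	}
}
```

Run as `go run main.go`: the `v7.5.15` row is reported vulnerable whether or not the image was rebuilt with the fix backported, and the `(devel)` row is never reported, regardless of what source the binary was built from.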