Uploaded image for project: 'Clair'
  1. Clair
  2. CLAIRDEV-108

Quay Security Scans: false positive on bootc images

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Undefined Undefined
    • None
    • clair-4.8.0
    • indexer
    • None
    • False
    • Hide

      None

      Show
      None
    • False

      I noticed a number of false positives in the Quay security scan for centos-bootc:stream10 images and others (see attached screenshot).

      In this specific example, Quay claims that podman v5.2.2-1 uses runc v1.1.1-xxx.  However, this version of Podman (according the src rpm commit 458f9b42760bf79aae4a96d0610b22f317ac7714) uses runc v1.1.13 (see go.mod file) where all the issues are fixed.

      Other scan results look legit. 

        1. Screenshot 2024-10-24 at 10.54.23.png
          Screenshot 2024-10-24 at 10.54.23.png
          414 kB

              vrothber@redhat.com Valentin Rothberg
              vrothber@redhat.com Valentin Rothberg
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: