The Clair team should create a standardized form for reporting vulnerability inconsistencies. A standardized way to do this would ensure that reports are actionable and reproducible.

Needs:

• List of minimum required information, in a form:
• Version
• Configuration
• Server Logs
• Clair Client logs
• Where/how to access the container
• What/Why
• Automation for validation and closing stale reports.

Wants:

• Vulnerability database export
• Dropbox for uploading artifacts
• Export needed information from Quay (on-prem only, presumably)

Extra:

• clairctl subcommand to submit reports