CLAIRDEV-9: Go package data discrepancy in Quay.io

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Versions: clair-4.7.2, claircore-1.5.22
    • Component: indexer

      When the gobin indexer was first deployed in production it did not persist a norm_version in the package table. This meant that matching could not work for these packages, because the matcher queries that field. The bug was corrected, so new Go packages are now inserted with their norm_version and match correctly. However, when the indexer sees a package it has already seen, it does not insert a duplicate row into the package table, so all the Go packages inserted before the fix are still in the incomplete state.

      We need to run a script to update the existing Go packages in the DB with their norm_version (and norm_kind). We can get a list of all potentially vulnerable packages from the matcher DB.

      Example of vulnerabilities not being surfaced:

      https://quay.io/repository/crozzy/tester/manifest/sha256:ca17930d9454508910564e195ddc833430587120e7a1c5bcfb0d9225bd41ac4f?tab=vulnerabilities

      github.com/opencontainers/runc v1.1.3

      https://github.com/advisories/GHSA-vpvm-3wq2-2wvm
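The backfill described above, as an added example that is not part of this issue or of the Clair/claircore code base. It assumes the normalization claircore uses for Go modules: a fixed-width vector of ten integers with slot 0 reserved for an epoch and major, minor and patch in slots 1 to 3, stored under norm_kind "semver"; pre-release and build metadata are not encoded in the vector, which is why a pseudo-version normalizes to all zeros. The column names name, version and id, the psycopg-style %s placeholders, the SAMPLE_ROWS data and the rule that only rows with a NULL norm_version are touched are assumptions for illustration; selecting which rows to feed in (for example from the matcher DB list) is left to the operator. The planner only produces parameterized UPDATE statements and never connects to a database, so it can be reviewed as a dry run before anything is executed.

```python
from __future__ import annotations

import re
from typing import Optional

# Go module versions are semver with an optional leading "v", e.g. v1.1.3,
# v1.2.3-rc.1, v0.0.0-20210101000000-abcdef123456 (pseudo-version) or
# v20.10.17+incompatible (build metadata).
SEMVER_RE = re.compile(
    r"^v?(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)"
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?(?:\+(?P<build>[0-9A-Za-z.-]+))?$"
)

NORM_KIND = "semver"  # assumed norm_kind value for Go packages
VECTOR_LEN = 10       # assumed width of the norm_version integer vector


def normalize_go_version(version: str) -> Optional[list[int]]:
    """Map a Go module version onto the assumed 10-slot integer vector.

    Slot 0 is left at 0 (epoch); slots 1-3 carry major/minor/patch.
    Pre-release and build metadata are deliberately dropped, so
    v1.2.3-rc.1 and v1.2.3 normalize identically. Returns None when the
    string is not a semver version, so the caller can skip the row
    instead of writing a bogus vector.
    """
    m = SEMVER_RE.match(version.strip())
    if m is None:
        return None
    vec = [0] * VECTOR_LEN
    vec[1] = int(m["major"])
    vec[2] = int(m["minor"])
    vec[3] = int(m["patch"])
    return vec


def plan_backfill(rows: list[dict]) -> tuple[list[tuple[str, tuple]], list[dict]]:
    """Build parameterized UPDATEs for every row lacking a norm_version.

    Returns (updates, skipped): updates is a list of (sql, params) pairs
    ready for a DB-API cursor; skipped holds rows whose version string
    could not be normalized and therefore need a human look.
    """
    updates: list[tuple[str, tuple]] = []
    skipped: list[dict] = []
    sql = "UPDATE package SET norm_kind = %s, norm_version = %s WHERE id = %s"
    for row in rows:
        if row["norm_version"] is not None:
            continue  # already complete; never overwrite existing data
        vec = normalize_go_version(row["version"])
        if vec is None:
            skipped.append(row)
            continue
        updates.append((sql, (NORM_KIND, vec, row["id"])))
    return updates, skipped


def apply_locally(rows: list[dict]) -> list[dict]:
    """Apply the planned updates to in-memory copies of the rows (dry run)."""
    by_id = {row["id"]: dict(row) for row in rows}
    updates, _ = plan_backfill(rows)
    for _, (kind, vec, row_id) in updates:
        by_id[row_id]["norm_kind"] = kind
        by_id[row_id]["norm_version"] = vec
    return [by_id[row["id"]] for row in rows]


# Constructed sample rows standing in for a slice of the package table.
SAMPLE_ROWS = [
    {"id": 1, "name": "github.com/opencontainers/runc", "version": "v1.1.3",
     "norm_kind": None, "norm_version": None},
    {"id": 2, "name": "golang.org/x/text", "version": "v0.3.7",
     "norm_kind": "semver", "norm_version": [0, 0, 3, 7, 0, 0, 0, 0, 0, 0]},
    {"id": 3, "name": "example.com/pseudo",
     "version": "v0.0.0-20210101000000-abcdef123456",
     "norm_kind": None, "norm_version": None},
    {"id": 4, "name": "example.com/odd", "version": "not-a-version",
     "norm_kind": None, "norm_version": None},
    {"id": 5, "name": "github.com/docker/docker", "version": "v20.10.17+incompatible",
     "norm_kind": None, "norm_version": None},
]

if __name__ == "__main__":
    planned, needs_review = plan_backfill(SAMPLE_ROWS)
    for sql, params in planned:
        print(sql, params)
    for row in needs_review:
        print("SKIPPED (unparseable version):", row["id"], row["version"])
```

Running the script prints three UPDATEs (ids 1, 3 and 5) and flags id 4 for review; id 2 is untouched because it already carries a norm_version. Since pre-release information is discarded by the vector, a pseudo-versioned module normalizes to all zeros, which is the same result the indexer would have produced; the point of the backfill is parity with freshly indexed rows, not a better comparison than the matcher already does.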

      Assignee: Joseph Crosland (jcroslan@redhat.com)
      Reporter: Joseph Crosland (jcroslan@redhat.com)
      Votes: 0
      Watchers: 3