Uploaded image for project: 'Clair'
  1. Clair
  2. CLAIRDEV-93

java: central search can be load-bearing

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • clair-4.7.4
    • indexer
    • None
    • False
    • Hide

      None

      Show
      None
    • False
    • Important

      Some vulnerabilities are not detected by Clair.

      Customer is concerned about below 3 critical CVEs not being shown in Clair scan which show up in another scanner (Trivy) scan.

      • CVE-2020-10683
      • CVE-2022-22965
      • CVE-2021-45046

      When testing with sample image, we found that we can see the respective CVEs by searching for the package name that is affected.

      1. https://nvd.nist.gov/vuln/detail/CVE-2020-10683 via GHSA-hwj3-m3p6-hj38
        package: dom4j
      2. https://nvd.nist.gov/vuln/detail/CVE-2022-22965 via GHSA-36p3-wjmg-h94x
          package: spring-beans, spring-webmvc
      3. https://nvd.nist.gov/vuln/detail/CVE-2021-45046 via GHSA-7rjr-3q55-vv33
          package: log4j-core

      However, it seems they are not detected in customer's image.

      A difference that we noticed is that in the sample image we used, the package name for dom4j is dom4j:dom4j but in customer image it is org.dom4j.

        1. customer_manifest_docker.png
          customer_manifest_docker.png
          64 kB
        2. customer_manifest_podman.png
          customer_manifest_podman.png
          78 kB
        3. our_manifest_podman.png
          our_manifest_podman.png
          60 kB

              Unassigned Unassigned
              rhn-support-alosingh Alok Singh
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated: