Project Quay: PROJQUAY-1775

Clair does not recognize known Python vulnerabilities


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • Versions: quay-v3.4.4, quay-v3.4.3
    • Component: clair

      Problem:

      In a Quay+Clair 3.4.3 setup running on CentOS 8, Clair fails to detect the known CVE-2020-1747 (https://access.redhat.com/security/cve/cve-2020-1747), which is present in the Quay 3.4.3 image. Pushing the image to Quay and having it scanned by Clair does not yield any vulnerabilities, although the acknowledged CVE rating from Red Hat is Moderate.

      Actual Results:

      Clair correctly detects the presence of the PyYAML pip package in version 5.3.0 but does not match the above-mentioned CVE against it. The image was uploaded after updating Quay+Clair from 3.4.1 to 3.4.3.

      Expected Results:

      Clair correctly reports CVE-2020-1747 against PyYAML 5.3.0 and suggests upgrading to 5.3.1.

      Reproducible:

      Always. Install Quay/Clair 3.4.3, push the official Quay 3.4.3 image from registry.redhat.io/quay/quay-rhel8:3.4.3, and wait for the scan results.

            People: Louis DeLosSantos (ldelossa, inactive), Daniel Messer (DanielMesser), Dongbo Yan