Project Quay / PROJQUAY-1775

Clair does not recognize known Python vulnerabilities


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • quay-v3.4.4
    • quay-v3.4.3
    • clair
    • None

      Problem:

      In a Quay+Clair 3.4.3 setup running on CentOS 8, Clair fails to detect the known CVE-2020-1747 (https://access.redhat.com/security/cve/cve-2020-1747), which is present in the Quay 3.4.3 image. Pushing the image to Quay and getting it scanned by Clair does not yield any vulnerabilities, though the acknowledged CVE rating from Red Hat is Moderate.

      Actual Results:

      Clair correctly detects the presence of the PyYAML pip package in version 5.3.0 but does not match the above-mentioned CVE against it. The image was uploaded after updating Quay+Clair from 3.4.1 to 3.4.3.

      Expected Results:

      Clair correctly reports CVE-2020-1747 against PyYAML 5.3.0 and suggests upgrading to 5.3.1.

      Reproducible:

      Always. Install Quay/Clair 3.4.3, push the official Quay 3.4.3 image from registry.redhat.io/quay/quay-rhel8:3.4.3, and wait for the scan results.
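To verify independently what the scanner should have reported, the following added example (not part of this issue or of Clair's own matcher) checks a `pip freeze` listing against the fixed version named above. The advisory table and the `pip freeze` sample are constructed for the example; it only compares plain dotted release versions.

```python
import re

# Constructed advisory table: normalized package name -> list of
# (advisory id, first fixed version). The PyYAML entry uses the fixed
# version stated in the issue text; this is not Clair's vulnerability data.
ADVISORIES = {
    "pyyaml": [("CVE-2020-1747", "5.3.1")],
}

# Constructed `pip freeze` output for an image carrying the affected PyYAML.
SAMPLE_PIP_FREEZE = """\
Jinja2==2.11.3
PyYAML==5.3.0
requests==2.25.1
"""


def normalize_name(name):
    """PEP 503 name normalization: lower-case, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version):
    """Comparison key for plain dotted release versions (5.3.0 < 5.3.1).
    Trailing zeros are dropped so that 5.3 and 5.3.0 compare equal.
    Pre-release or local version tags are deliberately not handled."""
    parts = [int(p) for p in version.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_pip_freeze(text):
    """Return {normalized name: version} for every 'name==version' line."""
    installed = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)", line)
        if m:
            installed[normalize_name(m.group(1))] = m.group(2)
    return installed


def match_vulnerabilities(installed, advisories=ADVISORIES):
    """Return (package, installed version, advisory id, fixed-in version) for
    every installed package older than an advisory's first fixed version."""
    findings = []
    for name, version in installed.items():
        for advisory_id, fixed_in in advisories.get(name, []):
            if version_key(version) < version_key(fixed_in):
                findings.append((name, version, advisory_id, fixed_in))
    return findings


if __name__ == "__main__":
    for pkg, ver, cve, fixed in match_vulnerabilities(parse_pip_freeze(SAMPLE_PIP_FREEZE)):
        print(f"{pkg} {ver}: {cve} (fixed in {fixed})")
```

Run against a listing taken from the image itself (for example `pip freeze` executed in the container), the same check reports the PyYAML finding the scanner missed.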


People: ldelossa (Louis DeLosSantos, inactive), DanielMesser (Daniel Messer), Dongbo Yan