Project Quay / PROJQUAY-2052

Duplicate reports of the same CVE present in security vulnerability metadata


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • Fix Version: clair-4.3.0
    • Affects Version: None
    • Component: clair

    Description

      It seems that Clair will, when a security report is requested, create a vulnerability report with duplicate CVE entries for the same vulnerabilities if they are found under different repositories. For example:

        "Name": "systemd-pam",
        "VersionFormat": "",
        "NamespaceName": "",
        "AddedBy": "sha256:88afac75a7738cf4e403f8c2234207477781e19950ae6b21f1fee762a0c2c2bd",
        "Version": "239-41.el8_3.1",
        "Vulnerabilities": [
          {
            "Severity": "Medium",
            "NamespaceName": "",
            ...
            "FixedBy": "0:239-45.el8",
            ...
            "Name": "RHSA-2021:1611: systemd security, bug fix, and enhancement update (Moderate)",
            "Metadata": {
              "UpdatedBy": "RHEL8-rhel-8",
              "RepoName": "cpe:/o:redhat:enterprise_linux:8::baseos",
              "RepoLink": null,
              "DistroName": "Red Hat Enterprise Linux Server",
              "DistroVersion": "8"
            }
          },
          {
            "Severity": "Medium",
            "NamespaceName": "",
            ...
            "FixedBy": "0:239-45.el8",
            ...
            "Name": "RHSA-2021:1611: systemd security, bug fix, and enhancement update (Moderate)",
            "Metadata": {
              "UpdatedBy": "RHEL8-rhel-8",
              "RepoName": "cpe:/a:redhat:enterprise_linux:8::appstream",
              "RepoLink": null,
              "DistroName": "Red Hat Enterprise Linux Server",
              "DistroVersion": "8"
            }
          }
        ]
      },

      These two reports describe the same vulnerability; the only difference is the RepoName, which is baseos for the first vulnerability and appstream for the second one. Can you please check this issue? Thanks!
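      As an added example (not Clair's or Quay's own code), the Go snippet below parses a constructed report fragment shaped like the one above and collapses vulnerability entries that differ only in Metadata.RepoName, so a consumer of these reports can see how many advisories are really present and which repositories each one was reported from. The struct subset, the Finding type and the Dedup function are assumptions of this example, not part of the Clair API.

```go
package main

import "encoding/json"

// Subset of the Clair report fields shown in the issue (other fields ignored).
type Vulnerability struct {
	Name     string `json:"Name"`
	FixedBy  string `json:"FixedBy"`
	Metadata struct {
		RepoName string `json:"RepoName"`
	} `json:"Metadata"`
}
type Feature struct {
	Name            string          `json:"Name"`
	Version         string          `json:"Version"`
	Vulnerabilities []Vulnerability `json:"Vulnerabilities"`
}

// Finding is one advisory against one package; Repos lists every repository it
// was reported from and has more than one entry when the report duplicated it.
type Finding struct {
	Package, Version, Advisory, FixedBy string
	Repos                               []string
}

// Constructed sample mirroring the systemd-pam fragment in the issue.
const sampleReport = `[{"Name":"systemd-pam","Version":"239-41.el8_3.1","Vulnerabilities":[
{"FixedBy":"0:239-45.el8","Name":"RHSA-2021:1611: systemd security, bug fix, and enhancement update (Moderate)","Metadata":{"RepoName":"cpe:/o:redhat:enterprise_linux:8::baseos"}},
{"FixedBy":"0:239-45.el8","Name":"RHSA-2021:1611: systemd security, bug fix, and enhancement update (Moderate)","Metadata":{"RepoName":"cpe:/a:redhat:enterprise_linux:8::appstream"}}]}]`

// Dedup collapses vulnerability entries that differ only in Metadata.RepoName.
func Dedup(report []byte) ([]Finding, error) {
	var features []Feature
	if err := json.Unmarshal(report, &features); err != nil {
		return nil, err
	}
	index := map[string]int{} // key -> position in out
	var out []Finding
	for _, f := range features {
		for _, v := range f.Vulnerabilities {
			key := f.Name + "\x00" + f.Version + "\x00" + v.Name + "\x00" + v.FixedBy
			i, seen := index[key]
			if !seen {
				i, index[key] = len(out), len(out)
				out = append(out, Finding{Package: f.Name, Version: f.Version, Advisory: v.Name, FixedBy: v.FixedBy})
			}
			out[i].Repos = append(out[i].Repos, v.Metadata.RepoName)
		}
	}
	return out, nil
}
```

      On the sample this yields a single Finding with two Repos entries (baseos and appstream), which is the duplication the issue describes.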

      Attachments

        1. bug_example.yml (5 kB)
        2. clairctl-newest-report.json (369 kB)
        3. image_comparison.xlsx (10 kB)
        4. quay-2.8.0-clair-3.4.6.txt (54 kB)
        5. quay-2.8.0-vuln-report.txt (5 kB)
        6. quay-3.3.4-clair-3.4.6.txt (6 kB)
        7. quay-3.3.4-vuln-report.txt (298 kB)
        8. report.json (146 kB)

      People

        jcroslan@redhat.com Joseph Crosland
        rhn-support-ibazulic Ivan Bazulic
        Votes: 0
        Watchers: 4
