Project Quay
PROJQUAY-2052

Duplicate reports of the same CVE present in security vulnerability metadata


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • clair-4.3.0
    • None
    • clair

      It seems that Clair will, when a security report is requested, create a vulnerability report with duplicate CVE entries for the same vulnerabilities if they are found under different repositories. For example:

                "Name": "systemd-pam",
                "VersionFormat": "",
                "NamespaceName": "",
                "AddedBy": "sha256:88afac75a7738cf4e403f8c2234207477781e19950ae6b21f1fee762a0c2c2bd",
                "Version": "239-41.el8_3.1",
                "Vulnerabilities": [
                  {
                    "Severity": "Medium",
                    "NamespaceName": "",
      ...
                    "FixedBy": "0:239-45.el8",
      ...
                    "Name": "RHSA-2021:1611: systemd security, bug fix, and enhancement update (Moderate)",
                    "Metadata": {
                      "UpdatedBy": "RHEL8-rhel-8",
                      "RepoName": "cpe:/o:redhat:enterprise_linux:8::baseos",
                      "RepoLink": null,
                      "DistroName": "Red Hat Enterprise Linux Server",
                      "DistroVersion": "8"
                    }
                  },
                  {
                    "Severity": "Medium",
                    "NamespaceName": "",
      ...
                    "FixedBy": "0:239-45.el8",
      ...
                    "Name": "RHSA-2021:1611: systemd security, bug fix, and enhancement update (Moderate)",
                    "Metadata": {
                      "UpdatedBy": "RHEL8-rhel-8",
                      "RepoName": "cpe:/a:redhat:enterprise_linux:8::appstream",
                      "RepoLink": null,
                      "DistroName": "Red Hat Enterprise Linux Server",
                      "DistroVersion": "8"
                    }
                  }
                ]
              },
      

      These two reports describe the same vulnerability; the only difference is the RepoName, which is baseos (for the first vulnerability) and appstream (for the second one). Can you please check this issue? Thanks!
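      As an added example (not code from this issue, from Quay or from Clair itself), the following Go program parses a "Vulnerabilities" array in the shape quoted above and collapses entries that differ only in Metadata.RepoName, keeping both repository names, so a report consumer can spot or work around the duplication until a fixed Clair is deployed. The choice of fields that make two entries "the same vulnerability" (everything quoted except RepoName) and the third, placeholder advisory in the constructed sample are assumptions.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Only the fields quoted in the issue are modelled; Metadata is decoded as a string map, so the null RepoLink becomes "".
type Vulnerability struct {
	Severity string            `json:"Severity"`
	FixedBy  string            `json:"FixedBy"`
	Name     string            `json:"Name"`
	Metadata map[string]string `json:"Metadata"`
}
// Constructed sample: the two RHSA-2021:1611 entries from the issue plus an
// unrelated placeholder advisory that must survive deduplication untouched.
const sampleVulns = `[
 {"Severity":"Medium","FixedBy":"0:239-45.el8","Name":"RHSA-2021:1611: systemd security, bug fix, and enhancement update (Moderate)","Metadata":{"UpdatedBy":"RHEL8-rhel-8","RepoName":"cpe:/o:redhat:enterprise_linux:8::baseos","RepoLink":null,"DistroName":"Red Hat Enterprise Linux Server","DistroVersion":"8"}},
 {"Severity":"Medium","FixedBy":"0:239-45.el8","Name":"RHSA-2021:1611: systemd security, bug fix, and enhancement update (Moderate)","Metadata":{"UpdatedBy":"RHEL8-rhel-8","RepoName":"cpe:/a:redhat:enterprise_linux:8::appstream","RepoLink":null,"DistroName":"Red Hat Enterprise Linux Server","DistroVersion":"8"}},
 {"Severity":"Low","FixedBy":"0:239-46.el8","Name":"EXAMPLE-0000: placeholder advisory","Metadata":{"UpdatedBy":"RHEL8-rhel-8","RepoName":"cpe:/o:redhat:enterprise_linux:8::baseos","RepoLink":null,"DistroName":"Red Hat Enterprise Linux Server","DistroVersion":"8"}}
]`
// identity is what makes two entries "the same vulnerability" in the
// reporter's sense (an assumption here): every quoted field except RepoName.
func identity(v Vulnerability) string {
	m := v.Metadata
	return strings.Join([]string{v.Name, v.Severity, v.FixedBy,
		m["UpdatedBy"], m["DistroName"], m["DistroVersion"]}, "\x00")
}
// DedupJSON parses a Clair "Vulnerabilities" array, keeps the first entry per
// identity and appends each duplicate's RepoName to it (comma separated), so
// the fact that the advisory matched in both baseos and appstream is retained.
func DedupJSON(raw string) ([]Vulnerability, error) {
	var vulns []Vulnerability
	if err := json.Unmarshal([]byte(raw), &vulns); err != nil {
		return nil, err
	}
	out := []Vulnerability{}
	idx := map[string]int{} // identity -> position in out
	for _, v := range vulns {
		k := identity(v)
		if i, seen := idx[k]; seen {
			out[i].Metadata["RepoName"] += "," + v.Metadata["RepoName"]
			continue
		}
		idx[k] = len(out)
		out = append(out, v)
	}
	return out, nil
}
```

      Run on the sample, the two RHSA-2021:1611 entries collapse into one whose RepoName lists both the baseos and the appstream CPE, while the unrelated advisory is left untouched.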

      Attachments:
        1. report.json (146 kB)
        2. quay-3.3.4-vuln-report.txt (298 kB)
        3. quay-3.3.4-clair-3.4.6.txt (6 kB)
        4. quay-2.8.0-vuln-report.txt (5 kB)
        5. quay-2.8.0-clair-3.4.6.txt (54 kB)
        6. image_comparison.xlsx (10 kB)
        7. clairctl-newest-report.json (369 kB)
        8. bug_example.yml (5 kB)

              jcroslan@redhat.com Joseph Crosland
              rhn-support-ibazulic Ivan Bazulic