- Bug
- Resolution: Done
- Critical
- None
- False
- False
- Quay Enterprise
- Undefined
It seems that Clair will, when a security report is requested, create a vulnerability report with duplicate CVE entries for the same vulnerabilities if they are found under different repositories. For example:
  "Name": "systemd-pam",
  "VersionFormat": "",
  "NamespaceName": "",
  "AddedBy": "sha256:88afac75a7738cf4e403f8c2234207477781e19950ae6b21f1fee762a0c2c2bd",
  "Version": "239-41.el8_3.1",
  "Vulnerabilities": [
    {
      "Severity": "Medium",
      "NamespaceName": "",
      ...
      "FixedBy": "0:239-45.el8",
      ...
      "Name": "RHSA-2021:1611: systemd security, bug fix, and enhancement update (Moderate)",
      "Metadata": {
        "UpdatedBy": "RHEL8-rhel-8",
        "RepoName": "cpe:/o:redhat:enterprise_linux:8::baseos",
        "RepoLink": null,
        "DistroName": "Red Hat Enterprise Linux Server",
        "DistroVersion": "8"
      }
    },
    {
      "Severity": "Medium",
      "NamespaceName": "",
      ...
      "FixedBy": "0:239-45.el8",
      ...
      "Name": "RHSA-2021:1611: systemd security, bug fix, and enhancement update (Moderate)",
      "Metadata": {
        "UpdatedBy": "RHEL8-rhel-8",
        "RepoName": "cpe:/a:redhat:enterprise_linux:8::appstream",
        "RepoLink": null,
        "DistroName": "Red Hat Enterprise Linux Server",
        "DistroVersion": "8"
      }
    }
  ]
},
These two reports describe the same vulnerability; the only difference is the RepoName, which is baseos (for the first vulnerability) and appstream (for the second one). Can you please check this issue? Thanks!
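Until the duplication is fixed upstream, a consumer of the report can collapse entries that are identical except for the repository that advertised them. The following is an added example written for this page, not Clair or Quay code: it keys each vulnerability on its advisory name, namespace, fix version and severity, merges duplicates, and records every source repository in a constructed `RepoNames` list. The sample input is constructed from the fragment in the issue above; the key fields and the `RepoNames` field are assumptions of this example, not part of Clair's report format.

```python
"""Collapse Clair vulnerability entries that differ only by Metadata.RepoName.

Added example for this issue page; it is not Clair or Quay project code.
"""
import copy

# Constructed sample modelled on the report quoted in the issue: one feature
# with the same RHSA listed twice, once per RHEL 8 repository.
SAMPLE_FEATURE = {
    "Name": "systemd-pam",
    "VersionFormat": "",
    "NamespaceName": "",
    "Version": "239-41.el8_3.1",
    "Vulnerabilities": [
        {
            "Severity": "Medium",
            "NamespaceName": "",
            "FixedBy": "0:239-45.el8",
            "Name": "RHSA-2021:1611: systemd security, bug fix, and enhancement update (Moderate)",
            "Metadata": {
                "UpdatedBy": "RHEL8-rhel-8",
                "RepoName": "cpe:/o:redhat:enterprise_linux:8::baseos",
                "RepoLink": None,
                "DistroName": "Red Hat Enterprise Linux Server",
                "DistroVersion": "8",
            },
        },
        {
            "Severity": "Medium",
            "NamespaceName": "",
            "FixedBy": "0:239-45.el8",
            "Name": "RHSA-2021:1611: systemd security, bug fix, and enhancement update (Moderate)",
            "Metadata": {
                "UpdatedBy": "RHEL8-rhel-8",
                "RepoName": "cpe:/a:redhat:enterprise_linux:8::appstream",
                "RepoLink": None,
                "DistroName": "Red Hat Enterprise Linux Server",
                "DistroVersion": "8",
            },
        },
    ],
}


def vuln_key(vuln):
    """Identity of a finding, ignoring which repository advertised it.

    Assumed key for this example: two entries with the same advisory name,
    namespace, fix version and severity are treated as one finding. A
    different FixedBy is deliberately kept separate, because it describes a
    different remediation.
    """
    return (
        vuln.get("Name"),
        vuln.get("NamespaceName", ""),
        vuln.get("FixedBy"),
        vuln.get("Severity"),
    )


def dedupe_vulnerabilities(vulns):
    """Return a new list with duplicate findings merged.

    The first occurrence is kept; the RepoName of every occurrence is
    collected into an assumed Metadata.RepoNames list so that no source
    information is lost. Input entries are not mutated.
    """
    merged = {}
    for vuln in vulns:
        key = vuln_key(vuln)
        repo = (vuln.get("Metadata") or {}).get("RepoName")
        if key not in merged:
            entry = copy.deepcopy(vuln)
            metadata = dict(entry.get("Metadata") or {})
            metadata.pop("RepoName", None)
            metadata["RepoNames"] = [repo] if repo else []
            entry["Metadata"] = metadata
            merged[key] = entry
        else:
            repos = merged[key]["Metadata"]["RepoNames"]
            if repo and repo not in repos:
                repos.append(repo)
    return list(merged.values())


def dedupe_feature(feature):
    """Return a copy of a feature with its Vulnerabilities list deduplicated."""
    out = dict(feature)
    out["Vulnerabilities"] = dedupe_vulnerabilities(feature.get("Vulnerabilities", []))
    return out


def count_duplicates(vulns):
    """Number of entries removed by deduplication; useful as a quick metric."""
    return len(vulns) - len(dedupe_vulnerabilities(vulns))


if __name__ == "__main__":
    print("duplicates in sample:", count_duplicates(SAMPLE_FEATURE["Vulnerabilities"]))
    for v in dedupe_feature(SAMPLE_FEATURE)["Vulnerabilities"]:
        print(v["Name"], "->", v["Metadata"]["RepoNames"])
```

Counting duplicates per report with `count_duplicates` also gives a simple way to confirm whether a Clair upgrade actually removed the behaviour, without relying on eyeballing the JSON.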
- relates to: PROJQUAY-2244 Strange discrepancies in two different Clair v4 versions regarding same images (Closed)
- relates to: PROJQUAY-2867 Duplicate reports of the same CVE in the security report (Closed)