Project Quay: PROJQUAY-2052

Duplicate reports of the same CVE present in security vulnerability metadata


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • Version: clair-4.3.0
    • None
    • Component: clair
    • 0

    Description

      It seems that Clair will, when a security report is requested, create a vulnerability report with duplicate CVE entries for the same vulnerabilities if they are found under different repositories. For example:

        "Name": "systemd-pam",
        "VersionFormat": "",
        "NamespaceName": "",
        "AddedBy": "sha256:88afac75a7738cf4e403f8c2234207477781e19950ae6b21f1fee762a0c2c2bd",
        "Version": "239-41.el8_3.1",
        "Vulnerabilities": [
          {
            "Severity": "Medium",
            "NamespaceName": "",
            ...
            "FixedBy": "0:239-45.el8",
            ...
            "Name": "RHSA-2021:1611: systemd security, bug fix, and enhancement update (Moderate)",
            "Metadata": {
              "UpdatedBy": "RHEL8-rhel-8",
              "RepoName": "cpe:/o:redhat:enterprise_linux:8::baseos",
              "RepoLink": null,
              "DistroName": "Red Hat Enterprise Linux Server",
              "DistroVersion": "8"
            }
          },
          {
            "Severity": "Medium",
            "NamespaceName": "",
            ...
            "FixedBy": "0:239-45.el8",
            ...
            "Name": "RHSA-2021:1611: systemd security, bug fix, and enhancement update (Moderate)",
            "Metadata": {
              "UpdatedBy": "RHEL8-rhel-8",
              "RepoName": "cpe:/a:redhat:enterprise_linux:8::appstream",
              "RepoLink": null,
              "DistroName": "Red Hat Enterprise Linux Server",
              "DistroVersion": "8"
            }
          }
        ]
      },

      These two reports describe the same vulnerability; the only difference is the RepoName, which is baseos (for the first vulnerability) and appstream (for the second one). Can you please check this issue? Thanks!
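The duplication described above only changes Metadata.RepoName, so a consumer of the report can recognise the repeated entries without losing the repository provenance. The script below is an added example, not Clair or Quay project code: it assumes the feature/vulnerability layout shown in the fragment above (a feature object with a "Vulnerabilities" list whose items carry a "Metadata" object with "RepoName"); the sample feature is constructed from the fragment, with the fields the issue elides simply omitted, and the second advisory name is a labelled placeholder. The helper names (`finding_key`, `collapse_feature`, `duplicate_count`) are this example's own.

```python
"""Collapse vulnerability entries that differ only in Metadata.RepoName.

Added example, not Clair/Quay code. Assumes the report shape shown in the
issue: feature -> "Vulnerabilities" -> entries with "Metadata"."RepoName".
"""
import copy
import json

# Constructed sample modelled on the issue's fragment; elided fields omitted.
RHSA_NAME = "RHSA-2021:1611: systemd security, bug fix, and enhancement update (Moderate)"
BASEOS = "cpe:/o:redhat:enterprise_linux:8::baseos"
APPSTREAM = "cpe:/a:redhat:enterprise_linux:8::appstream"


def _vuln(name, severity, fixed_by, repo):
    """Build one vulnerability entry in the layout the issue shows (constructed)."""
    return {
        "Severity": severity,
        "NamespaceName": "",
        "FixedBy": fixed_by,
        "Name": name,
        "Metadata": {
            "UpdatedBy": "RHEL8-rhel-8",
            "RepoName": repo,
            "RepoLink": None,
            "DistroName": "Red Hat Enterprise Linux Server",
            "DistroVersion": "8",
        },
    }


SAMPLE_FEATURE = {
    "Name": "systemd-pam",
    "Version": "239-41.el8_3.1",
    "Vulnerabilities": [
        _vuln(RHSA_NAME, "Medium", "0:239-45.el8", BASEOS),
        _vuln(RHSA_NAME, "Medium", "0:239-45.el8", APPSTREAM),
        # Distinct advisory (placeholder name, constructed): must NOT be merged.
        _vuln("RHSA-0000:0000: constructed placeholder advisory", "Low", "0:239-50.el8", BASEOS),
    ],
}


def finding_key(vuln):
    """Canonical identity of a finding: every field except Metadata.RepoName.

    Two entries that differ in Severity, FixedBy or Name are still distinct;
    only the repository that reported the advisory is ignored.
    """
    meta = {k: v for k, v in (vuln.get("Metadata") or {}).items() if k != "RepoName"}
    body = {k: v for k, v in vuln.items() if k != "Metadata"}
    body["Metadata"] = meta
    return json.dumps(body, sort_keys=True)


def collapse_feature(feature):
    """Return (copy of feature with repo-only duplicates dropped,
    {advisory name: [repo names that reported it]}).

    The first occurrence of each finding is kept unchanged, so the output still
    matches the original schema; provenance is returned separately.
    """
    kept, seen, repos = [], set(), {}
    for vuln in feature.get("Vulnerabilities", []):
        key = finding_key(vuln)
        repo = (vuln.get("Metadata") or {}).get("RepoName")
        repo_list = repos.setdefault(vuln.get("Name"), [])
        if repo and repo not in repo_list:
            repo_list.append(repo)
        if key not in seen:
            seen.add(key)
            kept.append(copy.deepcopy(vuln))
    out = copy.deepcopy(feature)
    out["Vulnerabilities"] = kept
    return out, repos


def duplicate_count(feature):
    """How many entries are exact repeats of another apart from RepoName."""
    vulns = feature.get("Vulnerabilities", [])
    return len(vulns) - len({finding_key(v) for v in vulns})


if __name__ == "__main__":
    collapsed, repos = collapse_feature(SAMPLE_FEATURE)
    print(f"{duplicate_count(SAMPLE_FEATURE)} duplicate entry removed")
    for v in collapsed["Vulnerabilities"]:
        print(v["Severity"], v["Name"], "->", repos[v["Name"]])
```

Because the key keeps Severity and FixedBy, an advisory that genuinely carries different data per repository is left as two entries; only the baseos/appstream repeat shown in this issue collapses.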

      Attachments

        1. bug_example.yml (5 kB, Matthew Bradley)
        2. clairctl-newest-report.json (369 kB, Ivan Bazulic)
        3. image_comparison.xlsx (10 kB, Ivan Bazulic)
        4. quay-2.8.0-clair-3.4.6.txt (54 kB, Ivan Bazulic)
        5. quay-2.8.0-vuln-report.txt (5 kB, Ivan Bazulic)
        6. quay-3.3.4-clair-3.4.6.txt (6 kB, Ivan Bazulic)
        7. quay-3.3.4-vuln-report.txt (298 kB, Ivan Bazulic)
        8. report.json (146 kB, Ivan Bazulic)

      People

        Joseph Crosland (jcroslan@redhat.com)
        Ivan Bazulic (rhn-support-ibazulic)
        Votes: 0
        Watchers: 4
