Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-2052

Duplicate reports of the same CVE present in security vulnerability metadata

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • clair-4.3.0
    • None
    • clair

      It seems that Clair will, when a security report is requested, create a vulnerability report with duplicate CVE entries for the same vulnerabilities if they are found under different repositories. For example:

                "Name": "systemd-pam",
                "VersionFormat": "",
                "NamespaceName": "",
                "AddedBy": "sha256:88afac75a7738cf4e403f8c2234207477781e19950ae6b21f1fee762a0c2c2bd",
                "Version": "239-41.el8_3.1",
                "Vulnerabilities": [
                  {
                    "Severity": "Medium",
                    "NamespaceName": "",
      ...
                    "FixedBy": "0:239-45.el8",
      ...
                    "Name": "RHSA-2021:1611: systemd security, bug fix, and enhancement update (Moderate)",
                    "Metadata": {
                      "UpdatedBy": "RHEL8-rhel-8",
                      "RepoName": "cpe:/o:redhat:enterprise_linux:8::baseos",
                      "RepoLink": null,
                      "DistroName": "Red Hat Enterprise Linux Server",
                      "DistroVersion": "8"
                    }
                  },
                  {
                    "Severity": "Medium",
                    "NamespaceName": "",
      ...
                    "FixedBy": "0:239-45.el8",
      ...
                    "Name": "RHSA-2021:1611: systemd security, bug fix, and enhancement update (Moderate)",
                    "Metadata": {
                      "UpdatedBy": "RHEL8-rhel-8",
                      "RepoName": "cpe:/a:redhat:enterprise_linux:8::appstream",
                      "RepoLink": null,
                      "DistroName": "Red Hat Enterprise Linux Server",
                      "DistroVersion": "8"
                    }
                  }
                ]
              },
      

      These two reports describe the same vulnerability, the only difference is the RepoName which is baseos (for the first vulnerability) and appstream (for the 2nd one). Can you please check this issue? Thanks!

        1. bug_example.yml
          5 kB
          Matthew Bradley
        2. clairctl-newest-report.json
          369 kB
          Ivan Bazulic
        3. image_comparison.xlsx
          10 kB
          Ivan Bazulic
        4. quay-2.8.0-clair-3.4.6.txt
          54 kB
          Ivan Bazulic
        5. quay-2.8.0-vuln-report.txt
          5 kB
          Ivan Bazulic
        6. quay-3.3.4-clair-3.4.6.txt
          6 kB
          Ivan Bazulic
        7. quay-3.3.4-vuln-report.txt
          298 kB
          Ivan Bazulic
        8. report.json
          146 kB
          Ivan Bazulic

              jcroslan@redhat.com Joseph Crosland
              rhn-support-ibazulic Ivan Bazulic
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: