  1. Project Quay
  2. PROJQUAY-2473

Image vulnerability in non-base layers can't be scanned by Clair V4.2.2

      Description:

      This issue was found when using Clair V4.2.2 (deployed by the Quay 3.6.0 Operator) to scan an image that has a known vulnerability (https://security-tracker.debian.org/tracker/CVE-2019-6111) in a non-base layer. After the image is pushed to Quay, Clair V4.2.2 can't scan and report the known image vulnerability.

      Dockerfile:

      FROM debian:stretch-slim
      
      RUN echo 'deb http://snapshot.debian.org/archive/debian/20170625T040030Z stretch-proposed-updates main' >> /etc/apt/sources.list && \
        apt-get -o Acquire::Check-Valid-Until=false update && \
        apt-get install openssh-client=1:7.4p1-10+deb9u1 -y
      

      Clair Version:

      oc get pod
      NAME                                        READY   STATUS              RESTARTS   AGE
      demo1-clair-app-5cfdb7d888-v4h8z            1/1     Running             1          18m
      demo1-clair-app-5cfdb7d888-wsgsh            1/1     Running             0          18m
      demo1-clair-postgres-595785c775-77pc6       1/1     Running             0          18m
      demo1-quay-app-7bb9bb64b9-jlhqb             1/1     Running             0          18m
      demo1-quay-app-7bb9bb64b9-zsq4m             1/1     Running             0          18m
      demo1-quay-app-upgrade-dh5tl                0/1     Completed           0          19m
      demo1-quay-config-editor-6699f44f7b-xhf9f   1/1     Running             0          18m
      demo1-quay-database-6fc55b9fc7-qfhp4        0/1     ContainerCreating   0          18m
      demo1-quay-database-786894cccd-jmcz8        1/1     Running             1          26m
      demo1-quay-mirror-6585bb5b88-ssk8r          1/1     Running             0          18m
      demo1-quay-mirror-6585bb5b88-tqfld          1/1     Running             0          18m
      demo1-quay-postgres-init-s5c4s              1/1     Running             0          18m
      demo1-quay-redis-6f8786d45f-87czr           1/1     Running             0          18m
      quay-operator.v3.6.0-5fbccf9875-lccjk       1/1     Running             0          6h26m
      
      
      oc logs demo1-clair-app-5cfdb7d888-v4h8z
      {"level":"info","component":"main","version":"v4.2.2","time":"2021-09-01T07:32:15Z","message":"starting"}
      {"level":"info","component":"main","version":"v4.2.2","time":"2021-09-01T07:32:15Z","message":"ready"}
      {"level":"info","component":"main","time":"2021-09-01T07:32:15Z","message":"launching http transport"}
      {"level":"info","component":"main","time":"2021-09-01T07:32:15Z","message":"launching introspection server"}
      
      Quay can't report the vulnerability of package "openssh-client"
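
A triage example for a missing finding like this one, added here and not part of the original issue or of Quay or Clair code: it reads a Clair vulnerability report and tells apart a package that was never indexed from one that was indexed but got no matched vulnerabilities. The sample report is constructed, its field names are assumed from the Clair v4 report JSON, and the page does not say which case applies to this issue.

```python
import json

# Constructed sample in the shape of a Clair v4 vulnerability report
# (field names assumed from Clair v4's report JSON); digests are placeholders.
SAMPLE_REPORT = json.loads("""
{
  "manifest_hash": "sha256:MANIFEST-DIGEST-PLACEHOLDER",
  "packages": {
    "10": {"id": "10", "name": "libc6", "version": "2.24-11+deb9u4"},
    "42": {"id": "42", "name": "openssh-client", "version": "1:7.4p1-10+deb9u1"}
  },
  "environments": {
    "10": [{"introduced_in": "sha256:BASE-LAYER-PLACEHOLDER"}],
    "42": [{"introduced_in": "sha256:RUN-LAYER-PLACEHOLDER"}]
  },
  "vulnerabilities": {},
  "package_vulnerabilities": {}
}
""")


def triage(report, package_name):
    """Explain why `package_name` has (or lacks) findings in a report.

    not-indexed: the indexer never recorded the package (layer or package-db issue)
    no-matches:  package indexed, but the matcher attached no vulnerabilities
    reported:    at least one vulnerability is attached to the package
    """
    vulns = report.get("vulnerabilities", {})
    details = []
    for pkg in report.get("packages", {}).values():
        if pkg.get("name") != package_name:
            continue
        pid = pkg["id"]
        envs = report.get("environments", {}).get(pid, [])
        ids = report.get("package_vulnerabilities", {}).get(pid, [])
        details.append({
            "version": pkg.get("version"),
            "layers": [e.get("introduced_in") for e in envs],
            "vulns": sorted(vulns[i]["name"] for i in ids if i in vulns),
        })
    if not details:
        return "not-indexed", details
    status = "reported" if any(d["vulns"] for d in details) else "no-matches"
    return status, details


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT, "openssh-client"))
```

A `not-indexed` result points at the indexer's handling of the layer that installed the package, while `no-matches` points at the matcher or its vulnerability data.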

            People

              jcroslan@redhat.com Joseph Crosland
              lzha1981 luffy zhang