Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-2473

Image vulnerability in non-base layers can't be scanned by Clair V4.2.2

XMLWordPrintable

      Description:

      This is an issue found when use Clair V4.2.2(Deployed by Quay 3.6.0 Operator) to scan image which has known vulnerability(https://security-tracker.debian.org/tracker/CVE-2019-6111) in non-base layer, after pushed image to quay, Clair V4.2.2 can't scan and report the known image vulnerability

      Dockerfile:

      FROM debian:stretch-slim
      
      RUN echo 'deb http://snapshot.debian.org/archive/debian/20170625T040030Z stretch-proposed-updates main' >> /etc/apt/sources.list && \
        apt-get -o Acquire::Check-Valid-Until=false update && \
        apt-get install openssh-client=1:7.4p1-10+deb9u1 -y
      

      Clair Version:

      oc get pod
      NAME                                        READY   STATUS              RESTARTS   AGE
      demo1-clair-app-5cfdb7d888-v4h8z            1/1     Running             1          18m
      demo1-clair-app-5cfdb7d888-wsgsh            1/1     Running             0          18m
      demo1-clair-postgres-595785c775-77pc6       1/1     Running             0          18m
      demo1-quay-app-7bb9bb64b9-jlhqb             1/1     Running             0          18m
      demo1-quay-app-7bb9bb64b9-zsq4m             1/1     Running             0          18m
      demo1-quay-app-upgrade-dh5tl                0/1     Completed           0          19m
      demo1-quay-config-editor-6699f44f7b-xhf9f   1/1     Running             0          18m
      demo1-quay-database-6fc55b9fc7-qfhp4        0/1     ContainerCreating   0          18m
      demo1-quay-database-786894cccd-jmcz8        1/1     Running             1          26m
      demo1-quay-mirror-6585bb5b88-ssk8r          1/1     Running             0          18m
      demo1-quay-mirror-6585bb5b88-tqfld          1/1     Running             0          18m
      demo1-quay-postgres-init-s5c4s              1/1     Running             0          18m
      demo1-quay-redis-6f8786d45f-87czr           1/1     Running             0          18m
      quay-operator.v3.6.0-5fbccf9875-lccjk       1/1     Running             0          6h26m
      
      
      oc logs demo1-clair-app-5cfdb7d888-v4h8z
      {"level":"info","component":"main","version":"v4.2.2","time":"2021-09-01T07:32:15Z","message":"starting"}
      {"level":"info","component":"main","version":"v4.2.2","time":"2021-09-01T07:32:15Z","message":"ready"}
      {"level":"info","component":"main","time":"2021-09-01T07:32:15Z","message":"launching http transport"}
      {"level":"info","component":"main","time":"2021-09-01T07:32:15Z","message":"launching introspection server"}
      
      Quay can't report the vulnerability of package "openssh-client"

       

       

       

              jcroslan@redhat.com Joseph Crosland
              lzha1981 luffy zhang
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: