- Bug
- Resolution: Done
- Critical
- quay-v3.6.0
- False
- False
Description:
This is an issue found when using Clair V4.2.2 (deployed by the Quay 3.6.0 Operator) to scan an image which has a known vulnerability (https://security-tracker.debian.org/tracker/CVE-2019-6111) in a non-base layer. After pushing the image to Quay, Clair V4.2.2 can't scan and report the known image vulnerability.
Dockerfile:
```
FROM debian:stretch-slim
RUN echo 'deb http://snapshot.debian.org/archive/debian/20170625T040030Z stretch-proposed-updates main' >> /etc/apt/sources.list && \
    apt-get -o Acquire::Check-Valid-Until=false update && \
    apt-get install openssh-client=1:7.4p1-10+deb9u1 -y
```
Clair Version:
```
oc get pod
NAME                                        READY   STATUS              RESTARTS   AGE
demo1-clair-app-5cfdb7d888-v4h8z            1/1     Running             1          18m
demo1-clair-app-5cfdb7d888-wsgsh            1/1     Running             0          18m
demo1-clair-postgres-595785c775-77pc6       1/1     Running             0          18m
demo1-quay-app-7bb9bb64b9-jlhqb             1/1     Running             0          18m
demo1-quay-app-7bb9bb64b9-zsq4m             1/1     Running             0          18m
demo1-quay-app-upgrade-dh5tl                0/1     Completed           0          19m
demo1-quay-config-editor-6699f44f7b-xhf9f   1/1     Running             0          18m
demo1-quay-database-6fc55b9fc7-qfhp4        0/1     ContainerCreating   0          18m
demo1-quay-database-786894cccd-jmcz8        1/1     Running             1          26m
demo1-quay-mirror-6585bb5b88-ssk8r          1/1     Running             0          18m
demo1-quay-mirror-6585bb5b88-tqfld          1/1     Running             0          18m
demo1-quay-postgres-init-s5c4s              1/1     Running             0          18m
demo1-quay-redis-6f8786d45f-87czr           1/1     Running             0          18m
quay-operator.v3.6.0-5fbccf9875-lccjk       1/1     Running             0          6h26m

oc logs demo1-clair-app-5cfdb7d888-v4h8z
{"level":"info","component":"main","version":"v4.2.2","time":"2021-09-01T07:32:15Z","message":"starting"}
{"level":"info","component":"main","version":"v4.2.2","time":"2021-09-01T07:32:15Z","message":"ready"}
{"level":"info","component":"main","time":"2021-09-01T07:32:15Z","message":"launching http transport"}
{"level":"info","component":"main","time":"2021-09-01T07:32:15Z","message":"launching introspection server"}
```
Quay can't report the vulnerability of package "openssh-client"
- duplicates
  - PROJQUAY-2474 Image vulnerability in squashed image can't be scanned by Clair V4.2.2 (Closed)
- is blocked by
  - PROJQUAY-2649 Clair v4 debian matching source/binary packages (Closed)