The images I tried are:
- library/alpine/k8s:1.20.7
- library/drupal:latest
- library/drupal:8.4.0-rc1 (4 years old)

In all three images, Quay shows all detected vulnerabilities as Unknown. When I open Drupal's latest to check on those 200 vulnerabilities, all vulnerabilities say the issue is Fixed in 0:0. Some vulnerabilities have the correct CVE information attached along with the CVSSv3 score, but they still show as unknown, even those that are marked as high.

It would also appear that detection of vulnerabilities is still not correct. The image library/mariadb:10.6.3-focal turns up with 0 vulnerabilities in Quay 3.6.0. Quay.io, on the other hand, detects 69 vulnerabilities for the same image, of which 1 is high and 48 are medium, and patches are available for 51.

Image on quay.io: https://quay.io/repository/ibazulic1/mariadb?tab=tags
Please see attached screenshots. Thank you!
- is related to
  - PROJQUAY-2804 Debian data improvement (Closed)
- relates to
  - PROJQUAY-2013 Clair v4 shows incorrect fixed versions for Debian packages (Closed)
  - PROJQUAY-2190 Ensure Clair V4 Enrichment data is available in Quay's secscan API results (Closed)