Project Quay / PROJQUAY-2771

Problems with detecting vulnerabilities when using Clair v4


      The client is using the following part of the Dockerfile to build their images:

      FROM php:8.0.10-apache-bullseye
      
      # Requirements for PHP Extensions
      # ext-zip requires libzip-dev libzip4 zlib1g-dev
      RUN apt-get update \
          && apt-get install -y libzip-dev libzip4 unzip zip zlib1g-dev \
          && apt autoremove -y \
          && apt-get clean \
          && rm -rf /var/lib/apt/lists/*
      
      # Enable additional PHP Extensions
      RUN docker-php-ext-install zip
      

      The base image is 2 months old. When this image is pushed to Quay 3.6 backed by Clair v4, the image passes the scan. Green. On the other hand, Quay.io backed by Clair v2 shows 203 vulnerabilities in the same image, of which 1 is marked critical with a severity of 9.8:

      https://security-tracker.debian.org/tracker/CVE-2019-19814 - linux-libc-dev package, marked as linux in Quay.io

      This is a CVE detected in the Apache webserver also used in the image:

      https://security-tracker.debian.org/tracker/CVE-2021-39275

      The client also used a very old RHEL 7 based image from our own registry for another test:

      https://catalog.redhat.com/software/containers/rhel7/rhel/57ea8cdc9c624c035f96f344?tag=7.0-21&push_date=1401989946000&container-tabs=gti

      The image is graded as F on registry.redhat.io. Again, Quay 3.6 backed by Clair v4 does not show any vulnerabilities. Screenshots of Quay.io results and Quay 3.6 results for the specific images are attached.

      Please check.
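      To turn "Quay.io shows 203 findings, Quay 3.6 shows none" into a package-by-package list, the two security reports can be diffed directly. The following is an added example, not Quay's or Clair's own code; it assumes the JSON shape returned by Quay's `/api/v1/repository/{repo}/manifest/{digest}/security?vulnerabilities=true` endpoint (`data.Layer.Features[].Vulnerabilities[]`), and the two embedded reports are constructed samples with illustrative package versions.

```python
import json
from collections import defaultdict

# Constructed sample reports in the assumed Quay security-report shape.
# Package versions are illustrative; the CVE ids are the ones from this issue.
REPORT_QUAY_IO = json.dumps({
    "status": "scanned",
    "data": {"Layer": {"Features": [
        {"Name": "linux-libc-dev", "Version": "5.10.46-4", "Vulnerabilities": [
            {"Name": "CVE-2019-19814", "Severity": "Critical", "FixedBy": ""}]},
        {"Name": "apache2", "Version": "2.4.48-3.1", "Vulnerabilities": [
            {"Name": "CVE-2021-39275", "Severity": "High", "FixedBy": "2.4.51-1"}]},
        {"Name": "zlib1g", "Version": "1:1.2.11.dfsg-2", "Vulnerabilities": []},
    ]}},
})
REPORT_QUAY_36 = json.dumps({
    "status": "scanned",
    "data": {"Layer": {"Features": [
        {"Name": "linux-libc-dev", "Version": "5.10.46-4", "Vulnerabilities": []},
        {"Name": "apache2", "Version": "2.4.48-3.1", "Vulnerabilities": []},
        {"Name": "zlib1g", "Version": "1:1.2.11.dfsg-2", "Vulnerabilities": []},
    ]}},
})

def vulns_by_package(report_json):
    """Map package name -> set of CVE ids from one Quay security report."""
    report = json.loads(report_json)
    if report.get("status") != "scanned":
        # "queued" / "unsupported" reports would otherwise look like "no findings"
        raise ValueError(f"report not ready: {report.get('status')}")
    result = defaultdict(set)
    for feature in report["data"]["Layer"]["Features"]:
        result[feature["Name"]]  # keep packages that carry no findings
        for vuln in feature.get("Vulnerabilities", []):
            result[feature["Name"]].add(vuln["Name"])
    return dict(result)

def diff_reports(report_a, report_b):
    """CVEs reported in A but not in B, per package both scanners indexed.
    Packages seen by only one scanner are listed separately: a package that
    was never indexed is a different failure from a missed vulnerability."""
    a, b = vulns_by_package(report_a), vulns_by_package(report_b)
    missing_in_b = {pkg: sorted(cves - b[pkg]) for pkg, cves in a.items()
                    if pkg in b and cves - b[pkg]}
    unindexed = sorted(set(a) ^ set(b))
    return missing_in_b, unindexed
```

      Running `diff_reports(REPORT_QUAY_IO, REPORT_QUAY_36)` on the samples lists the two CVEs from this issue as missing from the Clair v4 side, with no package left unindexed, which points at matching rather than indexing.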

              hdonnay Henry Donnay
              rhn-support-ibazulic Ivan Bazulic