Loading...

XML

Word

Printable

Type: Bug
Resolution: Not a Bug
Priority: Major
Fix Version/s: None
Affects Version/s: clair-4.3.3
Component/s: clair
Labels:
- report-interpretation
- triaged

Blocked:
False
Ready:
False
Product:
Quay Enterprise
Market:

RICE Score:
0

Target Version:

clair-4.3.5

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Clair shows false positive on packages in pyup.io which have actually been resolved by more recent RHSAs.

Case in point - refer to attached image:

clair-4.3.x says python3-urllib3-1.24.2-5.el8.noarch is vulnerable according to pyup.io-38834.
The vulnerability was addressed in https://access.redhat.com/errata/RHSA-2021:1631, build #5 of python3-urllib3-1.24.2 is NOT vulnerable.

The python3-urllib3 package is included in nodejs-14 built on ubi8, here:

https://catalog.redhat.com/software/containers/ubi8/nodejs-14/5ed7887dd70cc50e69c2fabb?container-tabs=packages

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

image (11).png
151 kB
2021/11/29 10:18 PM

is related to

PROJQUAY-4023 Clair interprets scan results instead of just delivering them

New

PROJQUAY-1279 Allow users silence specific CVEs per repo / per org

In Progress

PROJQUAY-4994 Allow users silence specific CVEs per repo / per org

Closed

relates to

PROJQUAY-3294 Python rpm scans produces false positive on rhel/ubi based images

Closed

Assignee:: Unassigned

Reporter:: Daniel Yocum

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2021/11/29 10:21 PM

Updated:: 2023/01/23 8:38 PM

Resolved:: 2021/12/01 7:22 PM