Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-3115

Document Java scanning in Quay 3.6.3 as Tech Preview

    XMLWordPrintable

Details

    • 0

    Description

      The Java scanning feature that shipped with Quay 3.6 is dependent on an external service (CRDA) for vulnerability data. This service may sometimes rate limit Clair if too many requests are made in a short period of time. This has the effect of Clair appearing to miss certain vulnerabilities (e.g. log4j) because it will not report the rate limiting on CRDA.

      We should update our documentation to indicate that:

      • The Java scanning feature in Clair with Quay 3.6 should be considered a Technical Preview
      • The scanning feature may occasionally not detect certain vulnerabilities if its dependent service is not available or is rate limiting Clair.
      • Clair is using a shared, default token to access the CRDA service which may lead to more likely rate limiting. Customers can obtain and use their own token for CRDA which can help avoid the chance of rate limiting from occurring <you can get details from Clair Eng team>.
      • The Java scanning feature will be further enhanced in future Quay versions.

      Attachments

        Issue Links

          account is impacted by

          Task - Represents a small unit of work that is not end-user facing. PROJQUAY-3028 Release v3.6.3

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          relates to

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. PROJQUAY-3199 As a user of Quay 3.7, my Clair scanning results should only contain CRDA results if I have explicitly enabled them.

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              rhn-support-stevsmit Steven Smith
              bdettelb@redhat.com Bill Dettelback
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: