  1. Project Quay
  2. PROJQUAY-4159

Clair doesn't scan a particular image


    • Type: Bug
    • Resolution: Duplicate
    • Priority: Normal
    • None
    • clair-4.4.3
    • clair
    • False
    • None
    • False
    • Quay Enterprise

      Image: mcr.microsoft.com/azure-cognitive-services/vision/read:3.2-model-2022-04-30

      Client is claiming that this image is being scanned by Clair v2, but Quay UI shows the image as unsupported and Clair v4 does not detect any vulnerabilities:

      # docker exec -it clairv4 clairctl report  --host http://localhost:6060 mcr.microsoft.com/azure-cognitive-services/vision/read:3.2-model-2022-04-30
      2022-07-14T13:46:24Z INF body seems short digest=sha256:36cd0c040bb6db2de7870614d760cad304dbdb68c2416b4ea3c5db9580f9e47b ref=mcr.microsoft.com/azure-cognitive-services/vision/read:3.2-model-2022-04-30 response="{\"manifest_hash\":\"sha256:36cd0c040bb6db2de7870614d760cad304dbdb68c2416b4ea3c5db9580f9e47b\",\"state\":\"IndexFinished\",\"packages\":{},\"distributions\":{\"1\":{\"id\":\"1\",\"did\":\"debian\",\"name\":\"Debian GNU/Linux\",\"version\":\"10 (buster)\",\"version_code_name\":\"buster\",\"version_id\":\"10\",\"arch\":\"\",\"cpe\":\"\",\"pretty_name\":\"Debian GNU/Linux 10 (buster)\"}},\"repository\":{},\"environments\":{},\"success\":true,\"err\":\"\"}" size=396
      read:3.2-model-2022-04-30 ok
      

      This is with Clair version 4.4.4. The image is based on Debian Buster but I noticed the following discrepancy in the /etc/os-release file:

      # docker run --rm -it --entrypoint /bin/bash mcr.microsoft.com/azure-cognitive-services/vision/read:3.2-model-2022-04-30
      Unable to find image 'mcr.microsoft.com/azure-cognitive-services/vision/read:3.2-model-2022-04-30' locally
      3.2-model-2022-04-30: Pulling from azure-cognitive-services/vision/read
      ...
      nonroot@5ab17b2e1cf6:/app$ cat /etc/os-release                                                                                   
      PRETTY_NAME="Distroless"
      NAME="Debian GNU/Linux"
      ID="debian"
      VERSION_ID="10"
      VERSION="Debian GNU/Linux 10 (buster)"
      HOME_URL="https://github.com/GoogleContainerTools/distroless"
      SUPPORT_URL="https://github.com/GoogleContainerTools/distroless/blob/master/README.md"
      BUG_REPORT_URL="https://github.com/GoogleContainerTools/distroless/issues/new"
      
      # docker run --rm -it debian:10
      Unable to find image 'debian:10' locally
      10: Pulling from library/debian
      ...
      
      root@baa891814137:/# cat /etc/os-release 
      PRETTY_NAME="Debian GNU/Linux 10 (buster)"
      NAME="Debian GNU/Linux"
      VERSION_ID="10"
      VERSION="10 (buster)"
      VERSION_CODENAME=buster
      ID=debian
      HOME_URL="https://www.debian.org/"
      SUPPORT_URL="https://www.debian.org/support"
      BUG_REPORT_URL="https://bugs.debian.org/"
      

      So the content of the file is definitely different. Not sure if that would cause it to not be scanned. Can you please check and confirm?
      Thanks!

              Assignee: Unassigned
              Reporter: Ivan Bazulic (rhn-support-ibazulic)
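The two checks the report performs by eye, written as an added example (not part of the original ticket and not Clair or Quay code): a field-by-field diff of the two `/etc/os-release` files, and a test of the index report for the "distribution detected, zero packages indexed" condition, which should be read as a coverage gap rather than a clean result. The sample data is copied from the output quoted above and trimmed to the fields used; the function names are hypothetical.

```python
import json

# Trimmed from the os-release files quoted in the report (URL fields omitted).
DISTROLESS = '''PRETTY_NAME="Distroless"
NAME="Debian GNU/Linux"
ID="debian"
VERSION_ID="10"
VERSION="Debian GNU/Linux 10 (buster)"
'''
DEBIAN = '''PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
'''
# Trimmed from the clairctl response quoted in the report.
INDEX_REPORT = '''{"state": "IndexFinished", "packages": {}, "distributions":
 {"1": {"did": "debian", "version": "10 (buster)", "version_code_name": "buster"}},
 "success": true, "err": ""}'''

def parse_os_release(text):
    """Parse KEY=value lines; values may be bare or quoted."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key] = value.strip().strip("\"'")
    return fields

def os_release_diff(a, b):
    """Return {key: (a_value, b_value)} for keys that differ or are missing."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}

def coverage_gaps(report):
    """Reasons an index report must not be read as 'no vulnerabilities'."""
    gaps = []
    if report.get("state") != "IndexFinished" or not report.get("success"):
        gaps.append("indexing did not finish successfully")
    if report.get("distributions") and not report.get("packages"):
        gaps.append("distribution detected but zero packages indexed")
    return gaps

if __name__ == "__main__":
    print(os_release_diff(parse_os_release(DISTROLESS), parse_os_release(DEBIAN)))
    print(coverage_gaps(json.loads(INDEX_REPORT)))
```

On the quoted data, `ID` and `VERSION_ID` compare equal once quotes are stripped, while the index report trips the zero-packages check.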