Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-4159

Clair doesn't scan a particular image

    XMLWordPrintable

Details

    • Bug
    • Resolution: Duplicate
    • Normal
    • None
    • clair-4.4.3
    • clair
    • False
    • None
    • False
    • Quay Enterprise
    • 0

    Description

      Image: mcr.microsoft.com/azure-cognitive-services/vision/read:3.2-model-2022-04-30

      Client is claiming that this image is being scanned by Clair v2, but Quay UI shows the image as unsupported and Clair v4 does not detect any vulnerabilities:

      # docker exec -it clairv4 clairctl report  --host http://localhost:6060 mcr.microsoft.com/azure-cognitive-services/vision/read:3.2-model-2022-04-30
2022-07-14T13:46:24Z INF body seems short digest=sha256:36cd0c040bb6db2de7870614d760cad304dbdb68c2416b4ea3c5db9580f9e47b ref=mcr.microsoft.com/azure-cognitive-services/vision/read:3.2-model-2022-04-30 response="{\"manifest_hash\":\"sha256:36cd0c040bb6db2de7870614d760cad304dbdb68c2416b4ea3c5db9580f9e47b\",\"state\":\"IndexFinished\",\"packages\":{},\"distributions\":{\"1\":{\"id\":\"1\",\"did\":\"debian\",\"name\":\"Debian GNU/Linux\",\"version\":\"10 (buster)\",\"version_code_name\":\"buster\",\"version_id\":\"10\",\"arch\":\"\",\"cpe\":\"\",\"pretty_name\":\"Debian GNU/Linux 10 (buster)\"}},\"repository\":{},\"environments\":{},\"success\":true,\"err\":\"\"}" size=396
read:3.2-model-2022-04-30 ok

      This is with Clair version 4.4.4. The image is based on Debian Buster but I noticed the following discrepancy in the /etc/os-release file:

      # docker run --rm -it --entrypoint /bin/bash mcr.microsoft.com/azure-cognitive-services/vision/read:3.2-model-2022-04-30
Unable to find image 'mcr.microsoft.com/azure-cognitive-services/vision/read:3.2-model-2022-04-30' locally
3.2-model-2022-04-30: Pulling from azure-cognitive-services/vision/read
...
nonroot@5ab17b2e1cf6:/app$ cat /etc/os-release                                                                                   
PRETTY_NAME="Distroless"
NAME="Debian GNU/Linux"
ID="debian"
VERSION_ID="10"
VERSION="Debian GNU/Linux 10 (buster)"
HOME_URL="https://github.com/GoogleContainerTools/distroless"
SUPPORT_URL="https://github.com/GoogleContainerTools/distroless/blob/master/README.md"
BUG_REPORT_URL="https://github.com/GoogleContainerTools/distroless/issues/new"

# docker run --rm -it debian:10
Unable to find image 'debian:10' locally
10: Pulling from library/debian
...

root@baa891814137:/# cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

      So the content of the file is definitely different. Not sure if that would cause it to not be scanned. Can you please check and confirm?
      Thanks!

      Attachments

        Issue Links

          duplicates

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. PROJQUAY-1729 Support for scanning distroless containers

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              Unassigned Unassigned
              rhn-support-ibazulic Ivan Bazulic
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: