Project Quay: PROJQUAY-5299

Quay reports nonexistent issues and ignores valid problems


    • Type: Bug
    • Resolution: Done
    • Priority: Minor
    • clair-4.7.0
    • clair

      Hi,

      I'm not sure if this is the right place to report this.

      We've got an image that comes with Django and a couple of extra Python packages.

      https://quay.io/repository/ansible/wisdom-service/manifest/sha256:373b3546ada4d6f3072f3b291fb435dccf29f35d6072f2b9ebee877549d79a6c?tab=vulnerabilities

      The image comes with ansible 7.4.0 which is not vulnerable to CVE-2020-25636 and aiohttp's CVE-2022-33124 is invalid according to the team.

      However, Quay ignores the following CVEs:


      (venv) [root@fe2e4532501b www]# pip-audit
      Found 4 known vulnerabilities in 2 packages
      Name   Version ID                  Fix Versions
      ------ ------- ------------------- -------------------
      django 4.1.3   GHSA-q2jf-h9jm-m7p4 3.2.17,4.0.9,4.1.6
      django 4.1.3   GHSA-2hrw-hx67-34x6 3.2.18,4.0.10,4.1.7
      redis  4.5.1   GHSA-24wv-mv5m-xv4h 4.3.6,4.4.3,4.5.3
      redis  4.5.1   GHSA-8fww-64cx-x8p5 4.4.4,4.5.4
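One way a team could reconcile the two reports above, as an added example that is not code from the Quay or Clair projects: it parses pip-audit's JSON output (the `dependencies`/`vulns` shape that `pip-audit --format json` emits), drops findings whose installed version already meets a fix version on its release line, and lists what the registry scan missed versus what it flagged that pip-audit did not, so the latter can be triaged by hand. The registry findings, the CVE alias and the `is_fixed` version rule are assumptions constructed for the example.

```python
import json

# Constructed sample of `pip-audit --format json` output with the four findings
# from the report (descriptions dropped; the CVE alias is a placeholder).
PIP_AUDIT_JSON = json.dumps({"dependencies": [
    {"name": "django", "version": "4.1.3", "vulns": [
        {"id": "GHSA-q2jf-h9jm-m7p4", "fix_versions": ["3.2.17", "4.0.9", "4.1.6"],
         "aliases": ["CVE-0000-0001"]},
        {"id": "GHSA-2hrw-hx67-34x6", "fix_versions": ["3.2.18", "4.0.10", "4.1.7"],
         "aliases": []}]},
    {"name": "redis", "version": "4.5.1", "vulns": [
        {"id": "GHSA-24wv-mv5m-xv4h", "fix_versions": ["4.3.6", "4.4.3", "4.5.3"],
         "aliases": []},
        {"id": "GHSA-8fww-64cx-x8p5", "fix_versions": ["4.4.4", "4.5.4"],
         "aliases": []}]}]})

# Constructed stand-in for what the registry scanner flagged on the same image.
REGISTRY_FINDINGS = {"ansible": {"CVE-2020-25636"}, "aiohttp": {"CVE-2022-33124"}}


def parse_version(v: str) -> tuple:
    """Turn '4.1.3' into (4, 1, 3); non-numeric parts (rc1, dev) count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def is_fixed(installed: str, fix_versions) -> bool:
    """Assumed rule: fixed when installed >= the fix on its own major.minor
    line, or when it is newer than every listed fix version."""
    inst, fixes = parse_version(installed), [parse_version(f) for f in fix_versions]
    if not fixes:
        return False
    same_line = [f for f in fixes if f[:2] == inst[:2]]
    return inst >= max(same_line) if same_line else inst >= max(fixes)


def pip_audit_findings(report_json: str) -> list:
    """Return (package, primary id, {all ids incl. aliases}) for unfixed findings."""
    out = []
    for dep in json.loads(report_json)["dependencies"]:
        for v in dep["vulns"]:
            if not is_fixed(dep["version"], v.get("fix_versions", [])):
                out.append((dep["name"], v["id"], {v["id"], *v.get("aliases", [])}))
    return out


def reconcile(report_json: str, registry: dict) -> tuple:
    """missed = pip-audit findings absent from the registry scan (by any alias);
    untriaged = registry findings pip-audit did not confirm, to review by hand."""
    seen, missed = set(), []
    for pkg, primary, ids in pip_audit_findings(report_json):
        hits = ids & registry.get(pkg, set())
        seen.update((pkg, h) for h in hits)
        if not hits:
            missed.append((pkg, primary))
    untriaged = sorted((p, i) for p, ids in registry.items() for i in ids if (p, i) not in seen)
    return missed, untriaged
```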


              Assignee: Unassigned
              Reporter: Gonéri Le Bouder (gleboude1@redhat.com)