Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-567

Clair is trying to download wrong OVAL data

    Details

    • Product:
      Quay Enterprise

      Description

      When updating, Clair tries to contact Red Hat's OVAL page but fails to download data:

      2020-03-31 13:12:35,095 INFO success: clair entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
      {"Event":"an error occured when fetching update","Level":"error","Location":"updater.go:246","Time":"2020-03-31 13:12:35.853022","error":"received 404 code downloading https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL3.xml","updater name":"rhel"}
      

      The OVAL in question does not exist in the database. According to Clair's code (Github), the first file that Clair should download is:

      https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL5.xml or
      https://www.redhat.com/security/data/oval/com.redhat.rhsa-20070044.xml

      Both of these files exist in the OVAL database. After failing to download the mentioned file, the updater stops and the database remains empty so all results are returned as positives. Clair has been deployed in OpenShift in a disconnected environment so access to other data sources is not possible, but curling the RHEL database endpoint from inside the pod is possible and working.

      Do you have any explanation why Clair would want to download a CVE that doesn't exist?

        Gliffy Diagrams

          Attachments

            Activity

              People

              • Assignee:
                thomasmckay Thomas Mckay
                Reporter:
                rhn-support-ibazulic Ivan Bazulic
              • Votes:
                0 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: