  1. Project Quay
  2. PROJQUAY-567

Clair is trying to download wrong OVAL data

Details

    • Bug
    • Resolution: Done
    • Major
    • quay-v3.3.0
    • None
    • clair
    • 0

    Description

      When updating, Clair tries to contact Red Hat's OVAL page but fails to download data:

      2020-03-31 13:12:35,095 INFO success: clair entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
      {"Event":"an error occured when fetching update","Level":"error","Location":"updater.go:246","Time":"2020-03-31 13:12:35.853022","error":"received 404 code downloading https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL3.xml","updater name":"rhel"}
      

      The OVAL in question does not exist in the database. According to Clair's code (GitHub), the first file that Clair should download is:

      https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL5.xml or
      https://www.redhat.com/security/data/oval/com.redhat.rhsa-20070044.xml

      Both of these files exist in the OVAL database. After failing to download the mentioned file, the updater stops and the database remains empty so all results are returned as positives. Clair has been deployed in OpenShift in a disconnected environment so access to other data sources is not possible, but curling the RHEL database endpoint from inside the pod is possible and working.

      Do you have any explanation why Clair would want to download a CVE that doesn't exist?


          People

            tomckay@redhat.com Thomas Mckay
            rhn-support-ibazulic Ivan Bazulic
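
A check over Clair's mixed log output for the updater failure described in this report, added here as an example (not Project Quay or Clair code). The sample input reuses the two log lines quoted in the description plus one constructed info line; the function names are hypothetical.

```python
import json
import re

# Shape of the "error" field in the log line quoted in the report.
FETCH_ERROR = re.compile(r"received (\d{3}) code downloading (\S+)")

# Sample input: the two lines from the report plus one constructed JSON
# info line, to show that non-error and non-JSON lines are skipped.
SAMPLE_LOG = r'''2020-03-31 13:12:35,095 INFO success: clair entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
{"Event":"constructed informational line","Level":"info","Location":"example.go:1","Time":"2020-03-31 13:12:35.100000"}
{"Event":"an error occured when fetching update","Level":"error","Location":"updater.go:246","Time":"2020-03-31 13:12:35.853022","error":"received 404 code downloading https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL3.xml","updater name":"rhel"}
'''


def failed_fetches(log_text):
    """Return one record per updater fetch error found in mixed Clair output."""
    failures = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # supervisord and other plain-text lines
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or interleaved output
        if entry.get("Level") != "error" or "updater name" not in entry:
            continue
        match = FETCH_ERROR.search(str(entry.get("error", "")))
        failures.append({
            "updater": entry["updater name"],
            "time": entry.get("Time"),
            # status and url stay None when the error is not an HTTP fetch failure
            "status": int(match.group(1)) if match else None,
            "url": match.group(2) if match else None,
        })
    return failures


def stale_updaters(log_text):
    """Updater names with a failed fetch; scan results that depend on them are unreliable."""
    return sorted({f["updater"] for f in failed_fetches(log_text)})


if __name__ == "__main__":
    for f in failed_fetches(SAMPLE_LOG):
        print(f'{f["time"]} updater={f["updater"]} status={f["status"]} url={f["url"]}')
```

A non-empty result from `stale_updaters` is a reason to treat scan output for that source as unverified until the updater completes a successful run.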