Project Quay / PROJQUAY-6387

Quay 3.10 Clair 4.7.2 can't report all High image vulnerabilities for OpenJDK image

    • Bug
    • Resolution: Obsolete
    • clair-4.7.2, quay-v3.10.0
    • clair

      Description:

      This is an issue found in Quay 3.10. After deploying Quay 3.10 with managed Clair and pushing the openjdk image, Clair does not report all of the expected High image vulnerabilities.

      The image was scanned by Docker Hub's built-in security scanner, which reports a total of 47 High image vulnerabilities, but Clair reports only 10 High image vulnerabilities. Please review this issue.

      Docker Image:

      https://hub.docker.com/layers/library/openjdk/22-jdk/images/sha256-3e90ad244aa3cbcd90c623fda8c8e4a058d46703ea8bfe290a312440177d94c2?context=explore 

      Quay: quay-operator-bundle-container-v3.10.0-144

      Clair: 4.7.2

      Docker Security Scanner:

      Clair 4.7.2:

            lzha1981 luffy zhang