Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-6387

Quay 3.10 Clair 4.7.2 can't report all High image vulnerabilities for OpenJDK image

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Obsolete
    • Icon: Undefined Undefined
    • None
    • clair-4.7.2, quay-v3.10.0
    • clair
    • False
    • None
    • False

      Description:

      This is an issue found in Quay 3.10, when deploy Quay 3.10 with managed Clair, after push openjdk image, found can't report all expected High image vulnerability.

      The results is scanned by Docker Hub built in security scanned, report totally 47 High Image vulnerability, but Clair only report 10 High Image vulnerability. Pls review this issue.

      Docker Image:

      https://hub.docker.com/layers/library/openjdk/22-jdk/images/sha256-3e90ad244aa3cbcd90c623fda8c8e4a058d46703ea8bfe290a312440177d94c2?context=explore 

      Quay: quay-operator-bundle-container-v3.10.0-144

      Clair: 4.7.2

      Docker Security Scanner:

      Clair 4.7.2:

        1. image-2023-11-09-19-02-53-713.png
          image-2023-11-09-19-02-53-713.png
          193 kB
        2. image-2023-11-09-19-07-15-085.png
          image-2023-11-09-19-07-15-085.png
          703 kB

              Unassigned Unassigned
              lzha1981 luffy zhang
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: