-
Spike
-
Resolution: Done
-
Normal
-
clair-4.7.2
-
3
-
False
-
None
-
False
-
-
-
0
Description:
This is an issue found in Quay 3.10.2, after push image to Quay and this image has various vulnerability of Golang Packages, see the following output of Quay Console, the expected behavior is Quay/Clair can display the vulnerabilities of Golang packages, pls review this issue.
The expected Golang Vulnerability should be displayed by Quay/Clair:
- github.com/aws/aws-sdk-go (GHSA-f5pg-7wfw-84q9, GHSA-76wf-9vgp-pj7w, GHSA-6jvc-q2x7-pchv and GHSA-7f33-f4f5-xwgw)
- stdlib (CVE-2023-29405, CVE-2023-29404, CVE-2023-29402,CVE-2023-24540 and CVE-2023-24538)
- golang.org/x/net (GHSA-vvpx-j8f3-3w6h, GHSA-69cg-p879-7622, GHSA-4374-p667-p6c8, GHSA-qppj-fm5r-hxr3 )
- google.golang.org/grpc (GHSA-m425-mq94-257g and GHSA-qppj-fm5r-hxr3)
- golang.org/x/crypto (GHSA-gwc9-m7rh-j2ww, GHSA-8c26-wmh5-6g9v and GHSA-45x7-px36-x8w8)
Quay Version: 3.10.2
Quay 3.10.2 can't report all vulnerability of Golang Packages
The following is the expected vulnerability of the golang packages:
grype migrate/migrate:v4.15.2 --scope all-layers ✔ Vulnerability DB [updated] ✔ Loaded image migrate/migrate:v4.15.2 ✔ Parsed image sha256:cd21c33b7dd6ded355077197ea522c7cb7b1171a1599eb0985a188805fc80ce7 ✔ Cataloged contents 3a51df494ee971290ad51b7dc8a093ee09268a178ddc7cb727128108ae7cc457 ├── ✔ Packages [89 packages] ├── ✔ File digests [212 files] └── ✔ File metadata [212 locations] ✔ Scanned for vulnerabilities [91 vulnerability matches] ├── by severity: 9 critical, 47 high, 33 medium, 2 low, 0 negligible └── by status: 21 fixed, 70 not-fixed, 0 ignored [0000] WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY busybox 1.32.1-r8 apk CVE-2022-48174 Critical busybox 1.32.1-r8 1.32.1-r9 apk CVE-2022-30065 High github.com/aws/aws-sdk-go v1.17.7 1.34.0 go-module GHSA-f5pg-7wfw-84q9 Medium github.com/aws/aws-sdk-go v1.17.7 1.34.0 go-module GHSA-76wf-9vgp-pj7w Medium github.com/aws/aws-sdk-go v1.17.7 1.34.0 go-module GHSA-6jvc-q2x7-pchv Medium github.com/aws/aws-sdk-go v1.17.7 1.34.0 go-module GHSA-7f33-f4f5-xwgw Low golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 0.0.0-20211202192323-5770296d904e go-module GHSA-gwc9-m7rh-j2ww High golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 0.0.0-20220314234659-1baeb1ce4c0b go-module GHSA-8c26-wmh5-6g9v High golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 0.17.0 go-module GHSA-45x7-px36-x8w8 Medium golang.org/x/net v0.0.0-20220225172249-27dd8689420f 0.7.0 go-module GHSA-vvpx-j8f3-3w6h High golang.org/x/net v0.0.0-20220225172249-27dd8689420f 0.0.0-20220906165146-f3363e06e74c go-module GHSA-69cg-p879-7622 High golang.org/x/net v0.0.0-20220225172249-27dd8689420f 0.17.0 go-module GHSA-4374-p667-p6c8 High golang.org/x/net v0.0.0-20220225172249-27dd8689420f 0.17.0 go-module GHSA-qppj-fm5r-hxr3 Medium golang.org/x/net v0.0.0-20220225172249-27dd8689420f 0.13.0 go-module GHSA-2wrh-6pvc-2jm9 Medium golang.org/x/sys v0.0.0-20220317061510-51cd9980dadf 0.0.0-20220412211240-33da011f77ad go-module GHSA-p782-xgp4-8hr8 Medium golang.org/x/text v0.3.7 0.3.8 go-module GHSA-69ch-w2m2-3vjp High google.golang.org/grpc v1.45.0 1.56.3 go-module GHSA-m425-mq94-257g High google.golang.org/grpc v1.45.0 1.56.3 go-module GHSA-qppj-fm5r-hxr3 Medium libcrypto1.1 1.1.1n-r0 apk CVE-2023-4807 High libcrypto1.1 1.1.1n-r0 apk CVE-2023-0464 High libcrypto1.1 1.1.1n-r0 apk CVE-2023-0286 High libcrypto1.1 1.1.1n-r0 apk CVE-2023-0215 High libcrypto1.1 1.1.1n-r0 apk CVE-2022-4450 High libcrypto1.1 1.1.1n-r0 apk CVE-2023-5678 Medium libcrypto1.1 1.1.1n-r0 apk CVE-2023-3817 Medium libcrypto1.1 1.1.1n-r0 apk CVE-2023-2650 Medium libcrypto1.1 1.1.1n-r0 apk CVE-2023-0466 Medium libcrypto1.1 1.1.1n-r0 apk CVE-2023-0465 Medium libcrypto1.1 1.1.1n-r0 apk CVE-2022-4304 Medium libcrypto1.1 1.1.1n-r0 1.1.1q-r0 apk CVE-2022-2097 Medium libssl1.1 1.1.1n-r0 apk CVE-2023-4807 High libssl1.1 1.1.1n-r0 apk CVE-2023-0464 High libssl1.1 1.1.1n-r0 apk CVE-2023-0286 High libssl1.1 1.1.1n-r0 apk CVE-2023-0215 High libssl1.1 1.1.1n-r0 apk CVE-2022-4450 High libssl1.1 1.1.1n-r0 apk CVE-2023-5678 Medium libssl1.1 1.1.1n-r0 apk CVE-2023-3817 Medium libssl1.1 1.1.1n-r0 apk CVE-2023-2650 Medium libssl1.1 1.1.1n-r0 apk CVE-2023-0466 Medium libssl1.1 1.1.1n-r0 apk CVE-2023-0465 Medium libssl1.1 1.1.1n-r0 apk CVE-2022-4304 Medium libssl1.1 1.1.1n-r0 1.1.1q-r0 apk CVE-2022-2097 Medium ssl_client 1.32.1-r8 apk CVE-2022-48174 Critical ssl_client 1.32.1-r8 1.32.1-r9 apk CVE-2022-30065 High stdlib go1.17.8 go-module CVE-2023-29405 Critical stdlib go1.17.8 go-module CVE-2023-29404 Critical stdlib go1.17.8 go-module CVE-2023-29402 Critical stdlib go1.17.8 go-module CVE-2023-24540 Critical stdlib go1.17.8 go-module CVE-2023-24538 Critical stdlib go1.17.8 go-module CVE-2023-45287 High stdlib go1.17.8 go-module CVE-2023-45285 High stdlib go1.17.8 go-module CVE-2023-44487 High stdlib go1.17.8 go-module CVE-2023-39323 High stdlib go1.17.8 go-module CVE-2023-29403 High stdlib go1.17.8 go-module CVE-2023-29400 High stdlib go1.17.8 go-module CVE-2023-24539 High stdlib go1.17.8 go-module CVE-2023-24537 High stdlib go1.17.8 go-module CVE-2023-24536 High stdlib go1.17.8 go-module CVE-2023-24534 High stdlib go1.17.8 go-module CVE-2022-41725 High stdlib go1.17.8 go-module CVE-2022-41724 High stdlib go1.17.8 go-module CVE-2022-41723 High stdlib go1.17.8 go-module CVE-2022-41722 High stdlib go1.17.8 go-module CVE-2022-41715 High stdlib go1.17.8 go-module CVE-2022-32189 High stdlib go1.17.8 go-module CVE-2022-30635 High stdlib go1.17.8 go-module CVE-2022-30633 High stdlib go1.17.8 go-module CVE-2022-30632 High stdlib go1.17.8 go-module CVE-2022-30631 High stdlib go1.17.8 go-module CVE-2022-30630 High stdlib go1.17.8 go-module CVE-2022-30580 High stdlib go1.17.8 go-module CVE-2022-2880 High stdlib go1.17.8 go-module CVE-2022-2879 High stdlib go1.17.8 go-module CVE-2022-28327 High stdlib go1.17.8 go-module CVE-2022-28131 High stdlib go1.17.8 go-module CVE-2022-27664 High stdlib go1.17.8 go-module CVE-2022-24675 High stdlib go1.17.8 go-module CVE-2023-39326 Medium stdlib go1.17.8 go-module CVE-2023-39319 Medium stdlib go1.17.8 go-module CVE-2023-39318 Medium stdlib go1.17.8 go-module CVE-2023-29409 Medium stdlib go1.17.8 go-module CVE-2023-29406 Medium stdlib go1.17.8 go-module CVE-2023-24532 Medium stdlib go1.17.8 go-module CVE-2022-41717 Medium stdlib go1.17.8 go-module CVE-2022-32148 Medium stdlib go1.17.8 go-module CVE-2022-29526 Medium stdlib go1.17.8 go-module CVE-2022-1962 Medium stdlib go1.17.8 go-module CVE-2022-1705 Medium stdlib go1.17.8 go-module CVE-2022-30629 Low zlib 1.2.12-r0 apk CVE-2023-45853 Critical zlib 1.2.12-r0 1.2.12-r2 apk CVE-2022-37434 Critical
- is related to
-
PROJQUAY-6622 claircore: gobin: does not detect several Go vulnerabilities
-
- Closed
-
- links to
