- Bug
- Resolution: Unresolved
- Major
- clair-4.7.2
Description:
This issue was found in Quay 3.10.3. After pushing a test image to Quay and letting Clair complete the scan of the target image, checking the vulnerability report on the Quay console shows no vulnerability for Ant, although the High image vulnerability "GHSA-f62v-xpxf-3v68" does exist, and Quay should suggest that customers use Ant version "1.10.9". Please review this issue.
Quay: 3.10.3
Clair: 4.7.2
Test image: quay.io/quay-qetest/clair-java-test:latest
https://github.com/advisories/GHSA-f62v-xpxf-3v68
Quay 3.10.3 can't report the High vulnerability of "ant":
The following are the vulnerabilities of Ant:
grype vulhub/weblogic --scope all-layers | grep java | grep ant
✔ Vulnerability DB [no update available]
✔ Loaded image vulhub/weblogic:latest
✔ Parsed image sha256:7d35c6cd3bcd01f81cbce7dd936d12bfafa24f1ec6741be4d8fdbde02b6f4241
✔ Cataloged contents e4c2fc722614cd4215a980c0c35850c40b1e1558cd829287ffbf18f9db7e0db5
├── ✔ Packages [2,177 packages]
├── ✔ File digests [9,120 files]
└── ✔ File metadata [9,120 locations]
✔ Scanned for vulnerabilities [632 vulnerability matches]
├── by severity: 39 critical, 96 high, 186 medium, 226 low, 85 negligible
└── by status: 397 fixed, 235 not-fixed, 0 ignored
ant 1.7.1 1.10.9 java-archive GHSA-f62v-xpxf-3v68 High
ant 1.7.1 1.9.16 java-archive GHSA-q5r4-cfpx-h6fh Medium
ant 1.7.1 1.9.16 java-archive GHSA-5v34-g2px-j4fw Medium
ant 1.7.1 1.9.15 java-archive GHSA-4p6w-m9wc-c9c9 Medium
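To make this kind of scanner gap reproducible as a check, the following added example (not code from Quay, Clair or grype) parses the grype table lines above and diffs them against a Quay manifest security report. The report shape (data.Layer.Features[].Vulnerabilities[]) is an assumption modelled on Quay's security API, and the sample report is constructed so that ant carries no vulnerabilities, which is the symptom this issue describes.

```python
"""Cross-check a grype table against a Quay/Clair security report."""
from dataclasses import dataclass

# grype table lines as pasted in the issue (the column header was not captured).
GRYPE_OUTPUT = """\
ant 1.7.1 1.10.9 java-archive GHSA-f62v-xpxf-3v68 High
ant 1.7.1 1.9.16 java-archive GHSA-q5r4-cfpx-h6fh Medium
ant 1.7.1 1.9.16 java-archive GHSA-5v34-g2px-j4fw Medium
ant 1.7.1 1.9.15 java-archive GHSA-4p6w-m9wc-c9c9 Medium
"""

# Constructed Quay response (assumed shape): ant is detected as a feature but
# has an empty vulnerability list; a second package uses a placeholder id.
QUAY_REPORT = {
    "status": "scanned",
    "data": {"Layer": {"Features": [
        {"Name": "ant", "Version": "1.7.1", "Vulnerabilities": []},
        {"Name": "other-lib", "Version": "0.1", "Vulnerabilities": [
            {"Name": "GHSA-PLACEHOLDER-1", "Severity": "Critical", "FixedBy": ""}]},
    ]}},
}

@dataclass(frozen=True)
class Finding:
    package: str
    installed: str
    fixed_in: str
    vuln_id: str
    severity: str

def parse_grype_table(text: str) -> list:
    """Parse grype's default table output (NAME INSTALLED FIXED-IN TYPE VULN SEVERITY).
    FIXED-IN may be blank in real output, so columns are taken from both ends."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[-2].startswith(("GHSA-", "CVE-")):
            continue  # skips progress lines and a header row if present
        fixed_in = parts[2] if len(parts) == 6 else ""
        findings.append(Finding(parts[0], parts[1], fixed_in, parts[-2], parts[-1]))
    return findings

def quay_vuln_ids(report: dict) -> dict:
    """Map package name -> set of vulnerability ids in a Quay security report."""
    out = {}
    for feat in report.get("data", {}).get("Layer", {}).get("Features", []):
        out.setdefault(feat["Name"], set()).update(v["Name"] for v in feat.get("Vulnerabilities", []))
    return out

def missing_from_quay(grype_text: str, report: dict) -> list:
    """Findings grype reports that the Quay/Clair report lacks, most severe first."""
    ids = quay_vuln_ids(report)
    rank = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Negligible": 4}
    missing = [f for f in parse_grype_table(grype_text) if f.vuln_id not in ids.get(f.package, set())]
    return sorted(missing, key=lambda f: (rank.get(f.severity, 9), f.vuln_id))

if __name__ == "__main__":
    for f in missing_from_quay(GRYPE_OUTPUT, QUAY_REPORT):
        print(f"{f.severity:8} {f.vuln_id} {f.package} {f.installed} -> fix in {f.fixed_in or 'n/a'}")
```

Against the constructed report the script lists all four ant advisories as missing, with the High GHSA-f62v-xpxf-3v68 (fixed in 1.10.9) first; run against a real Quay API response it would show exactly which grype findings Clair dropped.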