Project Quay
PROJQUAY-6628

Quay 3.10.3 can't scan and report all vulnerabilities of Java Dependencies


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • clair-4.7.2
    • clair-downstream

      Description:

      This is an issue found in Quay 3.10.3: after pushing a test image to Quay and waiting for Clair to complete the scan of the target image, checking the vulnerability report on the Quay console shows no vulnerability for Ant, although the High image vulnerability "GHSA-f62v-xpxf-3v68" actually exists, and Quay should suggest that customers use Ant version "1.10.9". Please review this issue.

      Quay: 3.10.3

      Clair: 4.7.2

      Test image: quay.io/quay-qetest/clair-java-test:latest

      https://github.com/advisories/GHSA-f62v-xpxf-3v68 

      Quay 3.10.3 can't report the High Vulnerability of "ant":

      The following are the vulnerabilities of Ant:

      grype vulhub/weblogic --scope all-layers | grep java | grep ant
       ✔ Vulnerability DB                [no update available] 
       ✔ Loaded image                                                                                                                                                      vulhub/weblogic:latest
       ✔ Parsed image                                                                                                     sha256:7d35c6cd3bcd01f81cbce7dd936d12bfafa24f1ec6741be4d8fdbde02b6f4241
       ✔ Cataloged contents                                                                                                      e4c2fc722614cd4215a980c0c35850c40b1e1558cd829287ffbf18f9db7e0db5
         ├── ✔ Packages                        [2,177 packages] 
         ├── ✔ File digests                    [9,120 files] 
         └── ✔ File metadata                   [9,120 locations] 
       ✔ Scanned for vulnerabilities     [632 vulnerability matches] 
         ├── by severity: 39 critical, 96 high, 186 medium, 226 low, 85 negligible
         └── by status:   397 fixed, 235 not-fixed, 0 ignored 
      ant                   1.7.1                             1.10.9                                      java-archive  GHSA-f62v-xpxf-3v68  High        
      ant                   1.7.1                             1.9.16                                      java-archive  GHSA-q5r4-cfpx-h6fh  Medium      
      ant                   1.7.1                             1.9.16                                      java-archive  GHSA-5v34-g2px-j4fw  Medium      
      ant                   1.7.1                             1.9.15                                      java-archive  GHSA-4p6w-m9wc-c9c9  Medium       
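      A cross-check a reviewer could run on a report like this, added here and not part of the issue or of Quay's code: it parses the grype rows above and lists the matches that a Quay security report does not contain. The Quay report below is a constructed sample; its JSON shape is an assumption modelled on the response of Quay's manifest security endpoint.

```python
# Grype table rows copied from the report above (name, version, fixed-in, type, id, severity).
GRYPE_ROWS = """\
ant                   1.7.1                             1.10.9                                      java-archive  GHSA-f62v-xpxf-3v68  High
ant                   1.7.1                             1.9.16                                      java-archive  GHSA-q5r4-cfpx-h6fh  Medium
ant                   1.7.1                             1.9.16                                      java-archive  GHSA-5v34-g2px-j4fw  Medium
ant                   1.7.1                             1.9.15                                      java-archive  GHSA-4p6w-m9wc-c9c9  Medium
"""

# Constructed sample Quay report (shape assumed: data.Layer.Features[].Vulnerabilities[]).
# ant 1.7.1 is catalogued but carries no findings, which is the gap the issue describes.
QUAY_REPORT = {
    "status": "scanned",
    "data": {"Layer": {"Features": [
        {"Name": "ant", "Version": "1.7.1", "Vulnerabilities": []},
        {"Name": "other-lib", "Version": "0.1", "Vulnerabilities": [
            {"Name": "GHSA-xxxx-placeholder", "Severity": "Low", "FixedBy": "0.2"}]},
    ]}},
}

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def parse_grype_rows(text):
    """Parse grype table rows; a row with no fix available has only five columns."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:                      # no fixed-in version printed
            parts.insert(2, "")
        if len(parts) != 6:
            continue                             # header or progress line, skip
        keys = ("name", "version", "fixed_in", "type", "id", "severity")
        rows.append(dict(zip(keys, parts)))
    return rows

def quay_findings(report):
    """Set of (package, version, advisory id) triples present in the Quay report."""
    found = set()
    for feat in report["data"]["Layer"]["Features"]:
        for vuln in feat.get("Vulnerabilities", []):
            found.add((feat["Name"], feat["Version"], vuln["Name"]))
    return found

def missing_in_quay(grype_rows, report, min_severity="Medium"):
    """Grype matches at or above min_severity that Quay did not report."""
    found = quay_findings(report)
    threshold = SEVERITY_RANK[min_severity]
    return [r for r in grype_rows
            if SEVERITY_RANK.get(r["severity"], -1) >= threshold
            and (r["name"], r["version"], r["id"]) not in found]
```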

              Assignee: Unassigned
              Reporter: lzha1981 (luffy zhang)