Description:
This is an issue found in Quay 3.10.3 with the managed Clair component. After pushing an image of 'Red Hat Container First content' to Quay and waiting for Clair to complete the scan, not all of the image's vulnerabilities are visible on the Quay console. Please review this issue.
Quay: 3.10.3
Clair: 4.7.2
Test image: registry.redhat.io/quay/quay-rhel8:v3.10.2-2
Quay 3.10.3 scan image vulnerabilities of Red Hat Container First content
The following image vulnerabilities should be reported:
Critical image vulnerabilities:
grype registry.redhat.io/quay/quay-rhel8:v3.10.2-2 --scope all-layers | grep Critical
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    registry.redhat.io/quay/quay-rhel8:v3.10.2-2
 ✔ Parsed image                    sha256:882f3adefe6e7772b118b46b22479eb0320757b2e848db1a29ca550d87da61a6
 ✔ Cataloged contents              194c2c8d6f732087fc629d590a2daaaf126a7857590f29238cd84ec2cd5a8987
   ├── ✔ Packages                  [484 packages]
   ├── ✔ File digests              [9,245 files]
   └── ✔ File metadata             [9,245 locations]
 ✔ Scanned for vulnerabilities     [248 vulnerability matches]
   ├── by severity: 3 critical, 17 high, 123 medium, 103 low, 0 negligible (2 unknown)
   └── by status:   20 fixed, 228 not-fixed, 0 ignored
[0016]  WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
glibc                   2.28-236.el8.7  (won't fix)  rpm  CVE-2019-1010022  Critical
glibc-common            2.28-236.el8.7  (won't fix)  rpm  CVE-2019-1010022  Critical
glibc-minimal-langpack  2.28-236.el8.7  (won't fix)  rpm  CVE-2019-1010022  Critical
High image vulnerabilities:
grype registry.redhat.io/quay/quay-rhel8:v3.10.2-2 --scope all-layers | grep High
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    registry.redhat.io/quay/quay-rhel8:v3.10.2-2
 ✔ Parsed image                    sha256:882f3adefe6e7772b118b46b22479eb0320757b2e848db1a29ca550d87da61a6
 ✔ Cataloged contents              194c2c8d6f732087fc629d590a2daaaf126a7857590f29238cd84ec2cd5a8987
   ├── ✔ Packages                  [484 packages]
   ├── ✔ File digests              [9,245 files]
   └── ✔ File metadata             [9,245 locations]
 ✔ Scanned for vulnerabilities     [248 vulnerability matches]
   ├── by severity: 3 critical, 17 high, 123 medium, 103 low, 0 negligible (2 unknown)
   └── by status:   20 fixed, 228 not-fixed, 0 ignored
[0015]  WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
Pillow            10.0.1      10.2.0   python     GHSA-3f63-hfp8-52jq  High
golang.org/x/net  v0.10.0     0.17.0   go-module  GHSA-4374-p667-p6c8  High
setuptools        39.2.0      65.5.1   python     GHSA-r9hx-vwmv-q579  High
setuptools        50.3.2      65.5.1   python     GHSA-r9hx-vwmv-q579  High
stdlib            go1.19.13            go-module  CVE-2023-45287       High
stdlib            go1.19.13            go-module  CVE-2023-45285       High
stdlib            go1.19.13            go-module  CVE-2023-44487       High
stdlib            go1.19.13            go-module  CVE-2023-39323       High
stdlib            go1.20.10            go-module  CVE-2023-45285       High
stdlib            go1.20.6             go-module  CVE-2023-45285       High
stdlib            go1.20.6             go-module  CVE-2023-44487       High
stdlib            go1.20.6             go-module  CVE-2023-39325       High
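To make the comparison between the grype rows above and what a console shows repeatable, here is an added helper script (not part of the report, and not Quay or Clair code). It parses grype's table rows (columns NAME, INSTALLED, FIXED-IN, TYPE, VULNERABILITY, SEVERITY, where FIXED-IN may be empty or contain spaces such as "(won't fix)"), counts rows per severity, and lists every package/version/advisory triple that a second result set lacks. The grype rows are the ones quoted above (3 Critical rows and 12 High rows as printed); the CONSOLE_ROWS list is constructed sample data standing in for whatever the console displayed, so the "missing" output here is illustrative only.

```python
"""Parse grype table output and diff it against a second scanner's findings."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    installed: str
    fixed_in: str      # "" when grype printed no FIXED-IN value
    pkg_type: str
    vuln_id: str
    severity: str

    def key(self):
        """Identity used when comparing scanners: package, version, advisory."""
        return (self.name, self.installed, self.vuln_id)


# Rows copied from the grype output quoted in the report (grep Critical / grep High).
GRYPE_ROWS = """\
glibc 2.28-236.el8.7 (won't fix) rpm CVE-2019-1010022 Critical
glibc-common 2.28-236.el8.7 (won't fix) rpm CVE-2019-1010022 Critical
glibc-minimal-langpack 2.28-236.el8.7 (won't fix) rpm CVE-2019-1010022 Critical
Pillow 10.0.1 10.2.0 python GHSA-3f63-hfp8-52jq High
golang.org/x/net v0.10.0 0.17.0 go-module GHSA-4374-p667-p6c8 High
setuptools 39.2.0 65.5.1 python GHSA-r9hx-vwmv-q579 High
setuptools 50.3.2 65.5.1 python GHSA-r9hx-vwmv-q579 High
stdlib go1.19.13 go-module CVE-2023-45287 High
stdlib go1.19.13 go-module CVE-2023-45285 High
stdlib go1.19.13 go-module CVE-2023-44487 High
stdlib go1.19.13 go-module CVE-2023-39323 High
stdlib go1.20.10 go-module CVE-2023-45285 High
stdlib go1.20.6 go-module CVE-2023-45285 High
stdlib go1.20.6 go-module CVE-2023-44487 High
stdlib go1.20.6 go-module CVE-2023-39325 High
"""

# Constructed stand-in for what a console listed for the same image. These are
# NOT the Quay/Clair results from the report, only sample data for the diff.
CONSOLE_ROWS = [
    ("glibc", "2.28-236.el8.7", "CVE-2019-1010022"),
    ("glibc-common", "2.28-236.el8.7", "CVE-2019-1010022"),
    ("glibc-minimal-langpack", "2.28-236.el8.7", "CVE-2019-1010022"),
    ("Pillow", "10.0.1", "GHSA-3f63-hfp8-52jq"),
]


def parse_grype_row(line):
    """Parse one grype table row: NAME INSTALLED [FIXED-IN] TYPE VULNERABILITY SEVERITY.

    FIXED-IN may be empty or contain spaces, so the row is split from both ends:
    two fixed columns on the left, three on the right, the remainder is FIXED-IN.
    """
    tokens = line.split()
    if len(tokens) < 5:
        raise ValueError(f"not a grype table row: {line!r}")
    name, installed = tokens[0], tokens[1]
    pkg_type, vuln_id, severity = tokens[-3:]
    fixed_in = " ".join(tokens[2:-3])
    return Finding(name, installed, fixed_in, pkg_type, vuln_id, severity)


def parse_grype_table(text):
    """Parse every non-empty line of a grype table into Finding records."""
    return [parse_grype_row(ln) for ln in text.splitlines() if ln.strip()]


def count_by_severity(findings):
    """Number of rows per severity label, e.g. {'Critical': 3, 'High': 12}."""
    return Counter(f.severity for f in findings)


def missing_from_console(findings, console_rows):
    """Findings grype reported that the console did not, by package/version/advisory."""
    seen = set(console_rows)
    return sorted({f for f in findings if f.key() not in seen}, key=Finding.key)


if __name__ == "__main__":
    findings = parse_grype_table(GRYPE_ROWS)
    print(dict(count_by_severity(findings)))
    for f in missing_from_console(findings, CONSOLE_ROWS):
        print(f"missing: {f.severity:8} {f.name} {f.installed} {f.vuln_id}")
```

Keying on package name, installed version and advisory id (rather than on advisory id alone) keeps the two setuptools rows and the several stdlib rows distinct, which matters when checking whether a console collapsed per-version matches into one entry. The same parser can be fed the full unfiltered table instead of the grep'd rows.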