Bug
Resolution: Not a Bug
Major
clair-4.7.2, quay-v3.10.3
Description:
This is an issue found in Quay 3.10.3 with Clair 4.7.2. After pushing an image with various High Dotnet vulnerabilities to Quay, Quay can't scan and report all dotnet image vulnerabilities on the Quay Console. Please review this issue.
Quay: 3.10.3
Clair: 4.7.2
Quay 3.10.3 can't scan and report vulnerabilities of dotnet packages:
grype bitnami/dotnet-sdk:6.0.403 --scope all-layers | grep dotnet
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    bitnami/dotnet-sdk:6.0.403
 ✔ Parsed image                    sha256:7d44f6020cf5c7d652c4a18988fcd528240cff23c149edf5049e6eee550f10ba
 ✔ Cataloged contents              4cb862ff41c875da60166b9e7abe8af3dec94d878a165dbd09f75bd7681d3048
   ├── ✔ Packages                        [2,855 packages]
   ├── ✔ File digests                    [9,983 files]
   └── ✔ File metadata                   [9,983 locations]
 ✔ Scanned for vulnerabilities     [1009 vulnerability matches]
   ├── by severity: 18 critical, 276 high, 270 medium, 24 low, 411 negligible (10 unknown)
   └── by status:   417 fixed, 592 not-fixed, 0 ignored
[0019]  WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
NuGet.CommandLine.XPlat  6.0.0+e0edb52d2ee204ab1117c9a592addc705cc76471.e0edb52d2ee204ab1117c9a592addc705cc76471  6.0.2  dotnet  GHSA-3885-8gqc-3wpf  Medium
NuGet.Commands  6.0.0+e0edb52d2ee204ab1117c9a592addc705cc76471.e0edb52d2ee204ab1117c9a592addc705cc76471  6.0.3  dotnet  GHSA-g3q9-xf95-8hp5  High
NuGet.Commands  6.0.0+e0edb52d2ee204ab1117c9a592addc705cc76471.e0edb52d2ee204ab1117c9a592addc705cc76471  6.0.5  dotnet  GHSA-6qmf-mmc7-6c2p  High
NuGet.Commands  6.0.0+e0edb52d2ee204ab1117c9a592addc705cc76471.e0edb52d2ee204ab1117c9a592addc705cc76471  6.0.2  dotnet  GHSA-3885-8gqc-3wpf  Medium
NuGet.Commands  6.3.1-rc.1+01bc4df1ef99c9c213f892ec8b25e46b23c7cfb1.01bc4df1ef99c9c213f892ec8b25e46b23c7cfb1  6.3.1  dotnet  GHSA-g3q9-xf95-8hp5  High
NuGet.Commands  6.3.1-rc.1+01bc4df1ef99c9c213f892ec8b25e46b23c7cfb1.01bc4df1ef99c9c213f892ec8b25e46b23c7cfb1  6.3.3  dotnet  GHSA-6qmf-mmc7-6c2p  High
NuGet.Common  6.0.0+e0edb52d2ee204ab1117c9a592addc705cc76471.e0edb52d2ee204ab1117c9a592addc705cc76471  6.0.5  dotnet  GHSA-6qmf-mmc7-6c2p  High
NuGet.Common  6.3.1-rc.1+01bc4df1ef99c9c213f892ec8b25e46b23c7cfb1.01bc4df1ef99c9c213f892ec8b25e46b23c7cfb1  6.3.3  dotnet  GHSA-6qmf-mmc7-6c2p  High
NuGet.PackageManagement  6.0.0+e0edb52d2ee204ab1117c9a592addc705cc76471.e0edb52d2ee204ab1117c9a592addc705cc76471  6.0.5  dotnet  GHSA-6qmf-mmc7-6c2p  High
NuGet.Protocol  6.0.0+e0edb52d2ee204ab1117c9a592addc705cc76471.e0edb52d2ee204ab1117c9a592addc705cc76471  6.0.3  dotnet  GHSA-g3q9-xf95-8hp5  High
NuGet.Protocol  6.0.0+e0edb52d2ee204ab1117c9a592addc705cc76471.e0edb52d2ee204ab1117c9a592addc705cc76471  6.0.5  dotnet  GHSA-6qmf-mmc7-6c2p  High
NuGet.Protocol  6.3.1-rc.1+01bc4df1ef99c9c213f892ec8b25e46b23c7cfb1.01bc4df1ef99c9c213f892ec8b25e46b23c7cfb1  6.3.1  dotnet  GHSA-g3q9-xf95-8hp5  High
NuGet.Protocol  6.3.1-rc.1+01bc4df1ef99c9c213f892ec8b25e46b23c7cfb1.01bc4df1ef99c9c213f892ec8b25e46b23c7cfb1  6.3.3  dotnet  GHSA-6qmf-mmc7-6c2p  High