
pip in .dist-info/INSTALLER confuses clair-scan


Type: Task
Resolution: Done
python3.11-setuptools
rhel-pt-python
ssg_platform_tools

Steps to reproduce

$ podman run -ti --rm registry.redhat.io/rhel9/python-311:9.5 cat /usr/lib/python3.11/site-packages/setuptools-65.5.1.dist-info/INSTALLER

Actual results

pip

Expected results

rpm

More info

$ podman run -ti --rm registry.redhat.io/rhel9/python-311:9.5 rpm -qf /usr/lib/python3.11/site-packages/setuptools-65.5.1.dist-info/INSTALLER
python3.11-setuptools-65.5.1-3.el9.noarch

As described in CLAIRDEV-115, clair-scan consults .dist-info/INSTALLER, and when it says 'pip' it wrongly assumes the package was installed with pip and, as a result, reports CVE false positives for the package.
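The mismatch above can be found for every package in an image, not just setuptools, by comparing each INSTALLER marker with what rpm -qf actually reports. The script below is an added example, not part of this issue or of clair-scan; the classification labels and the RPM_QF override are its own assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from RHEL-71832): audit every .dist-info/INSTALLER under a
# site-packages directory and compare the marker with real RPM ownership. A marker
# of "pip" inside an RPM-owned file is the case that misleads clair-scan.

# Pure decision function so it can be exercised without rpm installed.
#   $1 = marker text read from INSTALLER ("pip", "rpm", ...)
#   $2 = "yes" if rpm -qf found an owning package, otherwise "no"
classify_marker() {
  local marker="$1" rpm_owned="$2"
  case "$marker:$rpm_owned" in
    pip:yes) echo "rpm-owned-mislabelled" ;;  # the situation reported in this issue
    *:yes)   echo "rpm-owned" ;;              # marker and ownership agree
    pip:no)  echo "pip-installed" ;;          # genuinely pip-installed, scanner is right
    *:no)    echo "unmanaged" ;;              # no rpm owner and no pip marker
  esac
}

# Ask rpm whether it owns a path. RPM_QF (assumed override, default "rpm") lets a
# test substitute a stub command such as "true" or "false".
rpm_owns() {
  if "${RPM_QF:-rpm}" -qf "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Walk site-packages and print one tab-separated line per dist-info:
# <INSTALLER path> <marker> <classification>
audit_site_packages() {
  local site="$1" installer marker owned
  find "$site" -path '*.dist-info/INSTALLER' -print | sort | while read -r installer; do
    marker=$(tr -d '[:space:]' < "$installer")
    owned=$(rpm_owns "$installer")
    printf '%s\t%s\t%s\n' "$installer" "$marker" "$(classify_marker "$marker" "$owned")"
  done
}

# Usage against the image from the report (mount this file as /audit.sh, then source it):
#   podman run --rm -v "$PWD/audit.sh:/audit.sh:Z" registry.redhat.io/rhel9/python-311:9.5 \
#     bash -c 'source /audit.sh; audit_site_packages /usr/lib/python3.11/site-packages'
```

Any line ending in rpm-owned-mislabelled is a package whose vulnerability status should be judged from the RPM database, not from the INSTALLER marker.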

python-maint
Jiri Popelka (jpopelka@redhat.com)