Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Task
Resolution: Done
Priority: Undefined
Fix Version/s: rhel-10.1
Affects Version/s: None
Component/s: python-setuptools
Labels:
None

Errata Link:
https://errata.engineering.redhat.com/advisory/148263
sprint_count:
1

AssignedTeam:
rhel-pt-python
Sub-System Group:

ssg_platform_tools

Sprint:
PT Python 2025 S08
Story Points:
2
Blocked:
False
Blocked Reason:

Hide

None

Show
None

Planning:
None

Steps to reproduce

$ podman run -ti --rm registry.access.redhat.com/ubi9/ubi:9.5 cat /usr/lib/python3.9/site-packages/setuptools-53.0.0.dist-info/INSTALLER

Actual results

pip

Expected results

rpm

More info

$ podman run -ti --rm registry.access.redhat.com/ubi9/ubi:9.5 rpm -qf /usr/lib/python3.9/site-packages/setuptools-53.0.0.dist-info/INSTALLER
python3-setuptools-53.0.0-13.el9.noarch

As described in ~~CLAIRDEV-115~~, clair-scan consults .dist-info/INSTALLER, and when it says 'pip', it wrongly assumes the package was installed with pip and claims the package has some CVE false-positives as a result.

is cloned by

RHEL-86802 [DEV] Tracking: pip in .dist-info/INSTALLER confuses clair-scan

Closed

is duplicated by

RHEL-71832 pip in .dist-info/INSTALLER confuses clair-scan

Closed

is related to

RHEL-82609 pip in .dist-info/INSTALLER confuses clair-scan

Release Pending

RHEL-82611 pip in .dist-info/INSTALLER confuses clair-scan

Release Pending

links to

RHBA-2025:148263 python-rpm-macros bug fix and enhancement update

Assignee:: Lukas Zachar

Reporter:: Jiri Popelka

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2024/12/19 12:59 PM

Updated:: 2025/06/30 8:21 AM

Resolved:: 2025/06/30 8:21 AM

Details

Description

Steps to reproduce

Actual results

Expected results

More info

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates