RHEL-86802

[DEV] Tracking: pip in .dist-info/INSTALLER confuses clair-scan


    • Type: Task
    • Resolution: Done
    • Priority: Undefined
    • rhel-10.1
    • python-setuptools
    • rhel-pt-python
    • ssg_platform_tools
    • PT PRNDL 2025 S05

      Steps to reproduce

      $ podman run -ti --rm registry.access.redhat.com/ubi9/ubi:9.5 cat /usr/lib/python3.9/site-packages/setuptools-53.0.0.dist-info/INSTALLER

      Actual results

      pip

      Expected results

      rpm

      More info

      $ podman run -ti --rm registry.access.redhat.com/ubi9/ubi:9.5 rpm -qf /usr/lib/python3.9/site-packages/setuptools-53.0.0.dist-info/INSTALLER
      python3-setuptools-53.0.0-13.el9.noarch

      As described in CLAIRDEV-115, clair-scan consults .dist-info/INSTALLER; when that file says 'pip', it wrongly assumes the package was installed with pip rather than from the RPM, and reports CVE false positives for the package as a result.
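      A small audit, added here as an example (it is not code from this issue, from clair-scan or from python-setuptools), that walks a site-packages directory and flags every distribution whose INSTALLER marker is not 'rpm' even though an RPM owns the file, i.e. exactly the entries a scanner keying on INSTALLER would misclassify. The `rpm -qf` lookup assumes a real RPM host; `build_fixture` creates a constructed tree with fake ownership so the logic can be exercised anywhere.

```python
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

def rpm_owner(path: str) -> Optional[str]:
    """NEVRA of the RPM owning `path` (via `rpm -qf`), or None if unowned / rpm absent."""
    try:
        proc = subprocess.run(["rpm", "-qf", "--qf", "%{NEVRA}", path],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:  # not an RPM-based system
        return None
    return proc.stdout.strip() if proc.returncode == 0 else None

def audit_site_packages(site_packages: str,
                        owner_of: Callable[[str], Optional[str]] = rpm_owner
                        ) -> List[Tuple[str, str, str]]:
    """Return (dist-info dir, INSTALLER value, owning RPM) for each distribution
    whose INSTALLER marker contradicts RPM ownership. Distributions with no
    owning RPM are left alone: a 'pip' marker is correct for them."""
    findings = []
    for dist in sorted(Path(site_packages).glob("*.dist-info")):
        marker = dist / "INSTALLER"
        if not marker.is_file():
            continue
        installer = marker.read_text(encoding="utf-8").strip().lower()
        owner = owner_of(str(marker))
        if owner is not None and installer != "rpm":
            findings.append((dist.name, installer, owner))
    return findings

def build_fixture(root: Optional[str] = None) -> Tuple[str, Dict[str, Optional[str]]]:
    """Constructed sample tree plus a fake ownership map (stand-in for rpm -qf).
    Only the setuptools entry reuses values quoted in the issue; the others are made up."""
    root = root or tempfile.mkdtemp()
    owners: Dict[str, Optional[str]] = {}
    for name, installer, owner in [
        ("setuptools-53.0.0.dist-info", "pip", "python3-setuptools-53.0.0-13.el9.noarch"),  # the bug
        ("fakepkg-1.0.dist-info", "rpm", "python3-fakepkg-1.0-1.el9.noarch"),  # correct marker
        ("localtool-2.0.dist-info", "pip", None),  # genuinely pip-installed, no RPM owner
    ]:
        d = Path(root) / name
        d.mkdir(parents=True, exist_ok=True)
        (d / "INSTALLER").write_text(installer + "\n", encoding="utf-8")
        owners[str(d / "INSTALLER")] = owner
    return root, owners

if __name__ == "__main__":  # audit the path from the issue on a real RPM host
    for dist, installer, owner in audit_site_packages("/usr/lib/python3.9/site-packages"):
        print(f"{dist}: INSTALLER says {installer!r} but the file is owned by {owner}")
```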

              Tomáš Hrnčiar (thrnciar)
              Jiri Popelka (jpopelka@redhat.com)