Differences between clair results with quay.io

[slashben]

I have been happily scanning my images "on prem" for a time using latest and greatest clair, when someone showed me that the results of the same images scanned by quay.io (registry built in feature) and my clair are very different.

I was told, that quay.io uses clair, but it looks like it returns more vulnerabilities (in my specific case 4x) than my local vanilla clair installation.

I was wondering if I am doing something wrong. Should I be updating my local vulnerability DB or etc.

Thx
B

[ldelossa]

Hey @BenHirschbergCa

I understand the confusion.

Quay.io is running Clair v2 - which is the older version of Clair.

Clair V4 overhauled a lot matching code and database sources. We typically see Clair V4 matching more accurately.

It's incorrect to compare quay.io scan results with Clair V4.

We are in the process of fork lifting Clair V4 into quay.io so in time, these results will be at parity.

[slashben]

hi @ldelossa , thanks for the quick response

I am trying to do a setup which is closer to Quay.

I took nginx:1.18.0 image from docker (5b5f9dcffa05). You can see here the test results on Quay.

On the other hand, I spawned a Clair v2 instance locally. I ran a scan on the same image, see results bellow.

TL;DR there is a major difference between the two. The Quay scan shows 1 high and 1 medium vulnerability while my local does not show anything above "low".

I have a feeling that I am missing something here.

When starting a Clair instance, should I bring a new vulnerability database? Or is Clair downloads it by itself? Am I running it with the wrong arguments?

I'd be happy for any input

Thx
B

ben@pmon-VirtualBox:~/Desktop$ claircli nginx:1.18.0
2021-04-07 16:21:37,474|INFO|*****************************1******************************
2021-04-07 16:21:37,475|INFO|Analyzing <Image: nginx:1.18.0>
2021-04-07 16:21:39,612|INFO|Push layer [1/5]: sha256:75646c2fb4101d306585c9b106be1dfa7d82720baabe1c75b64d759ea8adf341
2021-04-07 16:21:42,352|INFO|Push layer [2/5]: sha256:6e016d9ef29078ca5b6ae5faa37aa7923a8bc4e84f10eb336af4604977a9702e
2021-04-07 16:21:46,711|INFO|Push layer [3/5]: sha256:8f9d9e97b345d20a1761f0b51b6e7e2c94d4532b9f28b12e0aa092e9fc29e399
2021-04-07 16:21:47,635|INFO|Push layer [4/5]: sha256:6a780b46612a8981424bd167563290fcd7a46460f9a1aac7d215420f03027a33
2021-04-07 16:21:48,530|INFO|Push layer [5/5]: sha256:317470d2b570eb0083f52a37f1730728417bab32444a7108027fc7c336a1d696
2021-04-07 16:21:49,322|INFO|Fetch vulnerabilities for <Image: nginx:1.18.0>
2021-04-07 16:21:49,708|INFO|Defcon1    : 0
2021-04-07 16:21:49,709|INFO|Critical   : 0
2021-04-07 16:21:49,709|INFO|High       : 0
2021-04-07 16:21:49,709|INFO|Medium     : 0
2021-04-07 16:21:49,709|WARNING|Low        : 10
2021-04-07 16:21:49,709|WARNING|Negligible : 63
2021-04-07 16:21:49,710|WARNING|Unknown    : 26
2021-04-07 16:21:49,710|INFO|Generate html report for nginx:1.18.0
2021-04-07 16:21:49,789|INFO|Location: /home/ben/Desktop/clair-nginx_1.18.0.html
2021-04-07 16:21:49,790|INFO|============================================================
2021-04-07 16:21:49,790|INFO|            CLAIR ANALYSIS REPORTS: (1) IN TOTAL            
2021-04-07 16:21:49,790|INFO|============================================================
2021-04-07 16:21:49,791|ERROR|IMAGES WITH DETECTED VULNERABILITIES (1)
2021-04-07 16:21:49,791|ERROR|nginx:1.18.0

[ldelossa]

@BenHirschbergCa

Quay.io's Clair V2 has been running for quite some time and does not support the "deletion" of vulnerabilities.

What I'm thinking is happening here is Quay.io's Clair v2 database has historical data, which your new instance can no longer download due to being phased out or unavailable.