You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When scanning the node:12.22-buster image from Docker Hub (specifically, the x86_64 component with digest sha256:280dbc1adbdac7d29d886f30bc1d09b6dfd77f37f550a127307c2f8895811313) in my Clair 4.6.0 instance, I expect to see several vulnerabilities. A colleague executed Clair 4.6.0 locally via docker-compose and got more than 100 vulns (see clairctl output here). Excerpt:
...
node:12.22-buster found libncursesw6 6.1+20181013-2+deb10u2 CVE-2021-39537 ncurses (fixed: 0:0)
node:12.22-buster found libncursesw6 6.1+20181013-2+deb10u2 CVE-2022-29458 ncurses (fixed: 0:6.1+20181013-2+deb10u3)
...
Actual Outcome
No vulnerabilities are found. This gist contains the vulnerability report for the image as well as the Clair config file (with secrets redacted, obviously).
As can be seen from the vulnerability report, the indexer seems to work fine. For example, libncursesw is correctly detected as being at version 6.1+20181013-2+deb10u2. The updater seems to work fine, too: Both expected vulnerabilities for this specific package show up in the DB (see snippet below). But the matcher seems to be unable to associate these two facts.
I feel like there is just a misconfiguration here, hence why I included my config in the gist above for reference. But if there is a misconfiguration, I absolutely can't see it.
clair=# SELECT * FROM vuln WHERE package_name = 'libncursesw6' AND name ~ 'CVE-202(2-29458|1-39537)' AND dist_version_code_name = 'buster';
-[ RECORD 1 ]----------+---------------------------------------------------------------------------------------------------------------------------------------------------------
id | 1682291
hash_kind | md5
hash | \x99fecc2101b46d23285170d3ee3c17b4
updater | debian/updater/buster
name | CVE-2021-39537 ncurses
description | An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.
issued | 0001-01-01 00:00:00+00
links | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39537
severity |
normalized_severity | Unknown
package_name | libncursesw6
package_version |
package_module |
package_arch |
package_kind | binary
dist_id | debian
dist_name | Debian GNU/Linux
dist_version | 10 (buster)
dist_version_code_name | buster
dist_version_id | 10
dist_arch |
dist_cpe |
dist_pretty_name | Debian GNU/Linux 10 (buster)
repo_name |
repo_key |
repo_uri |
fixed_in_version | 0:0
arch_operation | invalid
vulnerable_range | empty
version_kind |
-[ RECORD 2 ]----------+---------------------------------------------------------------------------------------------------------------------------------------------------------
id | 1711088
hash_kind | md5
hash | \xdc40306998d0f4a3482cdd107a27aa45
updater | debian/updater/buster
name | CVE-2022-29458 ncurses
description | ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.
issued | 0001-01-01 00:00:00+00
links | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29458
severity |
normalized_severity | Unknown
package_name | libncursesw6
package_version |
package_module |
package_arch |
package_kind | binary
dist_id | debian
dist_name | Debian GNU/Linux
dist_version | 10 (buster)
dist_version_code_name | buster
dist_version_id | 10
dist_arch |
dist_cpe |
dist_pretty_name | Debian GNU/Linux 10 (buster)
repo_name |
repo_key |
repo_uri |
fixed_in_version | 0:6.1+20181013-2+deb10u3
arch_operation | invalid
vulnerable_range | empty
version_kind |
Environment
Clair version/image: 4.6.0
Clair client name/version: curl, mostly (clairctl output from 4.6.0)
Host OS: RHEL 8.7 container on Flatcar 3374.2.4
Kernel (e.g. uname -a): Linux clair-indexer-64cd54fcb7-9dbzz 5.15.89-flatcar #1 SMP Wed Feb 15 18:00:42 -00 2023 x86_64 x86_64 x86_64 GNU/Linux
Kubernetes version (use kubectl version): 1.25.6
Network/Firewall setup: not relevant
The text was updated successfully, but these errors were encountered:
Expected Outcome
When scanning the
node:12.22-buster
image from Docker Hub (specifically, the x86_64 component with digestsha256:280dbc1adbdac7d29d886f30bc1d09b6dfd77f37f550a127307c2f8895811313
) in my Clair 4.6.0 instance, I expect to see several vulnerabilities. A colleague executed Clair 4.6.0 locally via docker-compose and got more than 100 vulns (see clairctl output here). Excerpt:Actual Outcome
No vulnerabilities are found. This gist contains the vulnerability report for the image as well as the Clair config file (with secrets redacted, obviously).
As can be seen from the vulnerability report, the indexer seems to work fine. For example, libncursesw is correctly detected as being at version
6.1+20181013-2+deb10u2
. The updater seems to work fine, too: Both expected vulnerabilities for this specific package show up in the DB (see snippet below). But the matcher seems to be unable to associate these two facts.I feel like there is just a misconfiguration here, hence why I included my config in the gist above for reference. But if there is a misconfiguration, I absolutely can't see it.
Environment
uname -a
):Linux clair-indexer-64cd54fcb7-9dbzz 5.15.89-flatcar #1 SMP Wed Feb 15 18:00:42 -00 2023 x86_64 x86_64 x86_64 GNU/Linux
kubectl version
): 1.25.6The text was updated successfully, but these errors were encountered: