Triage reported vulnerability discrepancies in Red Hat Containers
Issue
Whether or not a third-party vulnerability scanner is certified by Red Hat, its results may still contain discrepancies and report false positives for non-operating-system content such as Java JARs, Node.js modules, and Python packages. Scanners that do not use the rpm command line to determine which files were installed by Red Hat RPMs cannot reliably identify those files, because Red Hat backports security fixes into existing versions, and the Red Hat release string that records the patch level may not appear in the packaged artifact itself.
For example, a Java .jar deployed by a Red Hat RPM may not carry the Red Hat version string in its file name or its MANIFEST.MF. Similarly, a Node.js module may not show the patched version in its package.json. A scanner that reads only those fields sees the upstream version and flags a vulnerability that the RPM has already fixed.
Querying RPM is the recommended way to determine whether a file in a Red Hat container was deployed by an RPM, and by which one.
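The following script is an added example, not part of the Red Hat article, showing the RPM-based check described above: it asks rpm which package owns a file, searches that package's changelog for a CVE ID rather than trusting the version string in the artifact, and runs rpm -V so a JAR overwritten after installation is flagged instead of silently trusted. It assumes it runs inside a RHEL or UBI container with rpm available; the CVE ID, package names and paths used in main() and in the comments are placeholders, not real findings.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): identify which RPM, if any,
# deployed a file and check that package's changelog for a CVE, instead of
# trusting the version string inside a JAR, package.json or Python dist-info.
# Assumption: rpm is present (RHEL/UBI container). CVE ids below are placeholders.

# classify_owner: interpret one `rpm -qf` result.
# Prints "unowned", "error" or "owned <NVRA>" (several NVRAs if several packages own the file).
classify_owner() {
    case "$1" in
        "file "*" is not owned by any package") echo "unowned" ;;
        "error: "*|"")                          echo "error" ;;
        *)                                      echo "owned $1" ;;
    esac
}

# changelog_mentions_cve CVE-ID: read changelog text on stdin, succeed if the
# CVE id appears. Red Hat changelog entries name the CVEs a build fixes, which
# is the signal a version-string comparison cannot give you.
changelog_mentions_cve() {
    grep -q -i -- "$1"
}

# owner_of PATH: run rpm -qf and classify the answer; a missing rpm is an error, not a crash.
owner_of() {
    command -v rpm >/dev/null 2>&1 || { echo "error"; return; }
    classify_owner "$(rpm -qf "$1" 2>&1)"
}

# check_file PATH CVE-ID: report the owning package, whether its changelog names
# the CVE, and whether the file still matches the RPM payload (rpm -V).
check_file() {
    path=$1; cve=$2
    result=$(owner_of "$path")
    case "$result" in
        unowned) echo "$path: not deployed by any RPM; assess it by content, not by RPM data" ;;
        error)   echo "$path: rpm query failed" ;;
        "owned "*)
            pkg=${result#owned }
            if rpm -q --changelog "$pkg" | changelog_mentions_cve "$cve"; then
                status="$cve named in changelog of $pkg"
            else
                status="$cve NOT named in changelog of $pkg"
            fi
            # rpm -V prints one line per file that differs from the package; empty output means intact.
            if rpm -V --nomtime "$pkg" 2>/dev/null | grep -q -- "$path"; then
                status="$status; WARNING: $path differs from the RPM payload"
            fi
            echo "$path: owned by $pkg; $status"
            ;;
    esac
}

# main CVE-ID: check every .jar under /usr/share/java (path is an assumption).
main() {
    cve=${1:-CVE-0000-00001}   # placeholder id for illustration
    find /usr/share/java -name '*.jar' 2>/dev/null | while read -r f; do
        check_file "$f" "$cve"
    done
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh check-rpm-owner.sh CVE-YYYY-NNNN` inside the container. A file reported as unowned is exactly the case where the scanner's content-based result should stand; a file owned by an RPM whose changelog names the CVE is the case the article describes, where the artifact's own version string leads a scanner to a false positive. The rpm -V step covers the remaining gap: RPM ownership says nothing about a file that was replaced after the package was installed.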
Environment
Any Red Hat Enterprise Linux (RHEL) 7 or 8 based container, including Universal Base Image (UBI) containers, that deploys non-OS packages such as Java, Node.js, and Python.