Image Vulnerabilities Reports for Alpine image are different for On Premise Quay and Quay.io

Solution Verified

Environment

  • Red Hat Quay
    • 3.7.6

Issue

  • An Alpine-based image had been pushed to a private Quay image registry and its vulnerability scan report was green (no vulnerabilities found), but when the same image was pushed to quay.io, vulnerabilities were found.

Resolution

  • This issue has been fixed in the latest version of Clair, i.e. 4.5, which ships with Quay v3.8.0. Upgrading to the latest version will report Alpine vulnerabilities properly.
  • The workaround is to drop the Clair database each time a new Alpine Linux container release is published, so that the image is re-indexed.

Root Cause

  • If Alpine updates its security feed, Clair should recognize that there is a newer version, attempt to insert any new vulnerabilities, and associate all vulnerabilities from the new version with a new "update operation". The latest "update operation" is then queried during matching (which happens dynamically when the endpoint is called), so new vulnerabilities from the latest update should be used in matching.

  • Alpine 3.16 support was added in Clair v4.4.4. When Clair was updated to 4.4.4, the manifest had already been indexed by an earlier version of Clair (before that Alpine release was supported). The Alpine scanner version was not changed when the scanner was updated in v4.4.4, so Clair returned the index report it already had instead of re-indexing the manifest.

  • This will be fixed automatically in the next Clair version: the Alpine logic will be updated, the scanner version will be changed, and Quay will re-request indexing. This change will look for new distributions dynamically.

Diagnostic Steps

  • Check the vulnerability reports for the custom image from both the on-premise Quay and Quay.io, and compare the results.
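As an added example (not part of the original solution), the following Python script performs that comparison offline against two constructed report payloads. The JSON shape follows Quay's `GET /api/v1/repository/<repo>/manifest/<digest>/security?vulnerabilities=true` response as an assumption, and the package versions and `CVE-EXAMPLE-*` identifiers are constructed placeholders.

```python
"""Compare Quay security-scan reports for the same image from two registries."""
import json

# Constructed sample responses. The shape (status -> data -> Layer -> Features ->
# Vulnerabilities) is assumed for this example, not taken from Quay's documented schema.
ON_PREM_REPORT = json.loads("""
{"status": "scanned", "data": {"Layer": {"Features": [
  {"Name": "busybox", "Version": "1.35.0-r17", "Vulnerabilities": []},
  {"Name": "zlib", "Version": "1.2.12-r1", "Vulnerabilities": []}
]}}}
""")
QUAY_IO_REPORT = json.loads("""
{"status": "scanned", "data": {"Layer": {"Features": [
  {"Name": "busybox", "Version": "1.35.0-r17", "Vulnerabilities": [
     {"Name": "CVE-EXAMPLE-0001", "Severity": "High"}]},
  {"Name": "zlib", "Version": "1.2.12-r1", "Vulnerabilities": [
     {"Name": "CVE-EXAMPLE-0002", "Severity": "Critical"}]}
]}}}
""")

def vuln_index(report):
    """Map each feature (name, version) to the set of vulnerability names reported for it."""
    if report.get("status") != "scanned":
        raise ValueError(f"report not ready: status={report.get('status')!r}")
    index = {}
    for feature in report["data"]["Layer"]["Features"]:
        key = (feature["Name"], feature["Version"])
        index[key] = {v["Name"] for v in feature.get("Vulnerabilities", [])}
    return index

def compare_reports(a, b):
    """Return {feature: (only_in_a, only_in_b)} for features whose findings differ."""
    ia, ib = vuln_index(a), vuln_index(b)
    diff = {}
    for key in sorted(set(ia) | set(ib)):
        va, vb = ia.get(key, set()), ib.get(key, set())
        if va != vb:
            diff[key] = (sorted(va - vb), sorted(vb - va))
    return diff

def looks_stale(report):
    """Heuristic: a 'scanned' report that lists packages but zero findings for every
    one of them matches the symptom above and should be re-checked, not trusted."""
    index = vuln_index(report)
    return bool(index) and all(not v for v in index.values())

if __name__ == "__main__":
    for (name, ver), (only_a, only_b) in compare_reports(ON_PREM_REPORT, QUAY_IO_REPORT).items():
        print(f"{name}-{ver}: on-prem only={only_a} quay.io only={only_b}")
    print("on-prem report looks stale:", looks_stale(ON_PREM_REPORT))
```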

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
