UBI-based images do not generate any vulnerabilities #221

Closed
jeason81 opened this issue Dec 7, 2020 · 2 comments · Fixed by #222

Labels
bug Something isn't working

Comments

jeason81 commented Dec 7, 2020

What happened:
When scanning a UBI-based image such as registry.access.redhat.com/ubi8/ubi:latest, the utility identifies 191 packages installed but 0 vulnerabilities.

What you expected to happen:
I expected that UBI would match the RedHat vulnerability information just as it does with CentOS images.

How to reproduce it (as minimally and precisely as possible):
grype registry.access.redhat.com/ubi8/ubi:latest
grype centos:latest

Anything else we need to know?:
RedHat UBI image uses the same packages as RedHat Enterprise Linux and thus CentOS. Likely the utility itself isn't aware of the similarity.

Environment:

  • Output of grype version:
Application:          grype
Version:              0.6.0
BuildDate:            2020-12-03T22:35:30Z
GitCommit:            1a75295d702a5f80d02d45a6263f96925673c775
GitTreeState:         clean
Platform:             darwin/amd64
GoVersion:            go1.14.12
Compiler:             gc
Supported DB Schema:  1
  • OS (e.g: cat /etc/os-release or similar): MacOS 11 Big Sur

wagoodman (Contributor) commented

@jeason81 good catch. @luhring discovered that in some cases we are using both the major and minor distro version for selecting the vulnerability source, where in some cases we should be using only the major version. In this case we were using a namespace of rhel:8.3 where it should have been rhel:8.
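
The namespace mismatch described in the comment above, sketched as an added Go example; it is not part of the thread and not grype's own code. The os-release excerpt, the `majorOnly` set, `sampleDB` and its placeholder record are constructed assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed /etc/os-release excerpt for a UBI 8 image (not taken from the issue).
const sampleOSRelease = "NAME=\"Red Hat Enterprise Linux\"\nID=\"rhel\"\nVERSION_ID=\"8.3\"\n"

// Assumption: distros whose vulnerability records are keyed by major version only.
var majorOnly = map[string]bool{"rhel": true}

// Constructed vulnerability records, keyed by namespace.
var sampleDB = map[string][]string{"rhel:8": {"PLACEHOLDER-VULN-1"}}

// parseOSRelease returns the KEY=value fields with surrounding quotes stripped.
func parseOSRelease(content string) map[string]string {
	fields := map[string]string{}
	for _, line := range strings.Split(content, "\n") {
		if kv := strings.SplitN(line, "=", 2); len(kv) == 2 {
			fields[kv[0]] = strings.Trim(kv[1], `"'`)
		}
	}
	return fields
}

// namespace builds the lookup key; majorFix=false reproduces the major.minor key.
func namespace(id, version string, majorFix bool) string {
	if majorFix && majorOnly[id] {
		version = strings.SplitN(version, ".", 2)[0]
	}
	return id + ":" + version
}

// lookup sets known=false when the database has no records for ns at all.
func lookup(db map[string][]string, ns string) (vulns []string, known bool) {
	vulns, known = db[ns]
	return vulns, known
}

func main() {
	os := parseOSRelease(sampleOSRelease)
	for _, majorFix := range []bool{false, true} {
		ns := namespace(os["ID"], os["VERSION_ID"], majorFix)
		vulns, known := lookup(sampleDB, ns)
		fmt.Printf("namespace=%s known=%v matches=%d\n", ns, known, len(vulns))
	}
}
```

A result of many packages and zero findings is worth checking against `known` before it is treated as a clean scan, since an unknown namespace and a vulnerability-free image otherwise look the same.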

wagoodman (Contributor) commented

@jeason81 v0.6.1 was just released with this fix. Thanks for reporting!
