quay / clair

Vulnerability Static Analysis for Containers

Home Page:https://quay.github.io/clair/


Is "ELSA-2021-9344" a false-positive?

katoto135 opened this issue

Description of Problem / Feature Request

I use "Amazon ECR image scanning" daily.
https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html

For a container created from the latest (8u302) "openjdk:8-oracle" image,
this vulnerability is detected on every scan.

  name:ELSA-2021-9344
  package:glibc:2.28-151.0.1.el8
  severity:HIGH

All update packages listed in the ELSA below (reachable from the scan result) include "2.28-151.0.1" in the "Filename".
https://linux.oracle.com/errata/ELSA-2021-9344.html

On the other hand, the version of "glibc" in the container in which the vulnerability was detected is the same "2.28-151.0.1" as the update packages listed in the ELSA.

So I would like to ask you the following.

(1) Is "ELSA-2021-9344" a false-positive in my case?
(2) If so, could you update the vulnerability database?

Sorry to bother you guys, but AWS support advised me to post here.

Expected Outcome

No vulnerability.

Actual Outcome

{
    "registryId": "",
    "repositoryName": "",
    "imageId": {
        "imageDigest": "",
        "imageTag": ""
    },
    "imageScanStatus": {
        "status": "COMPLETE",
        "description": "The scan was completed successfully."
    },
    "imageScanFindings": {
        "imageScanCompletedAt": "2021-09-01T16:01:51.000Z",
        "vulnerabilitySourceUpdatedAt": "2021-09-01T10:03:21.000Z",
        "findings": [
            {
                "name": "ELSA-2021-9344",
                "description": "    ",
                "uri": "https://linux.oracle.com/errata/ELSA-2021-9344.html",
                "severity": "HIGH",
                "attributes": [
                    {
                        "key": "package_version",
                        "value": "2.28-151.0.1.el8"
                    },
                    {
                        "key": "package_name",
                        "value": "glibc"
                    }
                ]
            },
            {
                "name": "ELSA-2021-9344",
                "description": "    ",
                "uri": "https://linux.oracle.com/errata/ELSA-2021-9344.html",
                "severity": "HIGH",
                "attributes": [
                    {
                        "key": "package_version",
                        "value": "2.28-151.0.1.el8"
                    },
                    {
                        "key": "package_name",
                        "value": "glibc-common"
                    }
                ]
            },
            {
                "name": "ELSA-2021-9344",
                "description": "    ",
                "uri": "https://linux.oracle.com/errata/ELSA-2021-9344.html",
                "severity": "HIGH",
                "attributes": [
                    {
                        "key": "package_version",
                        "value": "2.28-151.0.1.el8"
                    },
                    {
                        "key": "package_name",
                        "value": "glibc-minimal-langpack"
                    }
                ]
            }
        ],
        "findingSeverityCounts": {
            "HIGH": 3
        }
    }
}

Environment

Base Docker images in CodeBuild:

  • aws/codebuild/docker:18.09.0
  • aws/codebuild/standard:5.0
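A way to answer question (1) from the scan output alone, added here as an example and not part of the issue or of Clair's own matcher: for each reported package, compare the installed EVR against the advisory's fixed EVR using RPM version-comparison rules (a reimplementation of librpm's rpmvercmp segment rules in plain Python, not a call into librpm; the caret operator of newer librpm is not handled). The scan findings are constructed from the three entries in the output above. The fixed EVR `2.28-151.0.1.el8` is an assumption derived from the "2.28-151.0.1" filenames the reporter quotes and has to be taken from the advisory page itself; the function names `rpmvercmp`, `parse_evr`, `compare_evr`, `is_affected`, `ecr_finding` and `triage` are mine.

```python
import re
from typing import Dict, List, Tuple

# Example code: a reimplementation of librpm's rpmvercmp() segment rules, not Clair's matcher.

def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two RPM version (or release) strings.

    Segments are runs of digits or of letters; separators are skipped.
    Digit runs compare numerically, letter runs lexically, a digit run
    beats a letter run, '~' (pre-release) sorts before everything, and
    whichever side has characters left over is the newer one.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return -1 if ta else 1         # the side carrying '~' is older
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        sa = re.match(pat, a[i:]).group(0)
        mb = re.match(pat, b[j:])
        sb = mb.group(0) if mb else ""
        i, j = i + len(sa), j + len(sb)
        if not sb:
            return 1 if isnum else -1      # digits beat letters
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1        # leftover characters win


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split '[epoch:]version-release' into (epoch, version, release); epoch defaults to 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return int(epoch), version, release


def compare_evr(x: str, y: str) -> int:
    """Compare two EVR strings: epoch numerically, then version, then release."""
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    return rpmvercmp(vx, vy) or rpmvercmp(rx, ry)


def is_affected(installed_evr: str, fixed_evr: str) -> bool:
    """An advisory applies only while the installed EVR is older than the fixed EVR."""
    return compare_evr(installed_evr, fixed_evr) < 0


def ecr_finding(finding: dict) -> Tuple[str, str, str]:
    """Flatten an ECR finding's attributes list into (advisory, package, version)."""
    attrs = {a["key"]: a["value"] for a in finding["attributes"]}
    return finding["name"], attrs["package_name"], attrs["package_version"]


def triage(findings: List[dict], fixed: Dict[Tuple[str, str], str]) -> List[Tuple[str, str, str]]:
    """Keep findings whose installed EVR is below the known fix, plus any with no known fix."""
    kept = []
    for f in findings:
        adv, pkg, ver = ecr_finding(f)
        fix = fixed.get((adv, pkg))
        if fix is None or is_affected(ver, fix):
            kept.append((adv, pkg, ver))
    return kept


# Constructed from the three findings in the scan output above.
SCAN_FINDINGS = [
    {"name": "ELSA-2021-9344", "attributes": [
        {"key": "package_version", "value": "2.28-151.0.1.el8"},
        {"key": "package_name", "value": pkg}]}
    for pkg in ("glibc", "glibc-common", "glibc-minimal-langpack")
]

# ASSUMPTION: fixed EVR inferred from the "2.28-151.0.1" filenames quoted in the issue;
# confirm it against https://linux.oracle.com/errata/ELSA-2021-9344.html before relying on it.
ADVISORY_FIXED = {
    ("ELSA-2021-9344", pkg): "2.28-151.0.1.el8"
    for pkg in ("glibc", "glibc-common", "glibc-minimal-langpack")
}

if __name__ == "__main__":
    for adv, pkg, ver in (ecr_finding(f) for f in SCAN_FINDINGS):
        state = "affected" if is_affected(ver, ADVISORY_FIXED[(adv, pkg)]) else "fixed"
        print(adv, pkg, ver, state)
    print("remaining after triage:", triage(SCAN_FINDINGS, ADVISORY_FIXED))
```

The comparison has to follow RPM rules rather than plain string ordering: as strings, "2.28-151.0.1.el8" sorts before "2.28-151.el8" (because "0" sorts before "e"), so a naive comparison would call the patched build older than the unpatched one, whereas rpmvercmp correctly ranks release "151.0.1.el8" above "151.el8". Note what this check does and does not tell you: it confirms whether the installed EVR is at or above the fix, which is the fact a false-positive claim rests on, but it cannot say why a scanner still flagged the package (distribution detection, epoch handling in the feed, or stale advisory data are all outside the scan output).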

What version of clair is this? It seems like v2, which is not maintained; I don't know how ELSA data is ingested.

Please reopen if this seems to happen with the current version.

@katoto135 FWIW, yes it is a false positive, see oracle/weblogic-image-tool#337 (comment)