Is "ELSA-2021-9344" a false-positive?
katoto135 opened this issue · comments
Description of Problem / Feature Request
I use "Amazon ECR image scanning" daily.
https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html
For a container created from the latest (8u302) image of "openjdk:8-oracle",
this vulnerability has been detected continuously.
name:ELSA-2021-9344
package:glibc:2.28-151.0.1.el8
severity:HIGH
All of the update packages listed in the ELSA below that can be reached from the scan result include "2.28-151.0.1" in their "Filename".
https://linux.oracle.com/errata/ELSA-2021-9344.html
On the other hand, the version of "glibc" in the container in which the vulnerability was detected is the same "2.28-151.0.1" as the update packages listed in the ELSA.
So I would like to ask you the following.
(1) Is "ELSA-2021-9344" a false-positive in my case?
(2) If so, could you update the vulnerability database?
Sorry to bother you guys, but AWS support advised me to post here.
Expected Outcome
No vulnerability.
Actual Outcome
```json
{
  "registryId": "",
  "repositoryName": "",
  "imageId": {
    "imageDigest": "",
    "imageTag": ""
  },
  "imageScanStatus": {
    "status": "COMPLETE",
    "description": "The scan was completed successfully."
  },
  "imageScanFindings": {
    "imageScanCompletedAt": "2021-09-01T16:01:51.000Z",
    "vulnerabilitySourceUpdatedAt": "2021-09-01T10:03:21.000Z",
    "findings": [
      {
        "name": "ELSA-2021-9344",
        "description": " ",
        "uri": "https://linux.oracle.com/errata/ELSA-2021-9344.html",
        "severity": "HIGH",
        "attributes": [
          {
            "key": "package_version",
            "value": "2.28-151.0.1.el8"
          },
          {
            "key": "package_name",
            "value": "glibc"
          }
        ]
      },
      {
        "name": "ELSA-2021-9344",
        "description": " ",
        "uri": "https://linux.oracle.com/errata/ELSA-2021-9344.html",
        "severity": "HIGH",
        "attributes": [
          {
            "key": "package_version",
            "value": "2.28-151.0.1.el8"
          },
          {
            "key": "package_name",
            "value": "glibc-common"
          }
        ]
      },
      {
        "name": "ELSA-2021-9344",
        "description": " ",
        "uri": "https://linux.oracle.com/errata/ELSA-2021-9344.html",
        "severity": "HIGH",
        "attributes": [
          {
            "key": "package_version",
            "value": "2.28-151.0.1.el8"
          },
          {
            "key": "package_name",
            "value": "glibc-minimal-langpack"
          }
        ]
      }
    ],
    "findingSeverityCounts": {
      "HIGH": 3
    }
  }
}
```
Environment
Base Docker images in CodeBuild:
- aws/codebuild/docker:18.09.0
- aws/codebuild/standard:5.0
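A check worth running before accepting or disputing a finding like the one above, as an added example that is not part of the issue and not code from Clair or ECR: compare the installed package EVR (epoch:version-release) against the errata's fixed EVR using RPM's own ordering rules rather than a string comparison. The comparator is a Python port of RPM's `rpmvercmp()` (tilde handling included; the newer `^` rule is omitted since nothing on this page uses it). The fixed EVR `2.28-151.0.1.el8` is an assumption taken from the issue's statement that every errata Filename carries `2.28-151.0.1`, epoch 0 is assumed because none is shown, and the three findings are constructed from the scan output quoted above.

```python
import re
import string

# Characters that form segments; everything else is a separator.
_KEEP = set(string.ascii_letters + string.digits + "~")


def rpmvercmp(a: str, b: str) -> int:
    """Port of RPM's rpmvercmp(): returns -1, 0 or 1 (tilde handled, '^' omitted)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators only split segments; they carry no ordering of their own.
        while i < len(a) and a[i] not in _KEEP:
            i += 1
        while j < len(b) and b[j] not in _KEEP:
            j += 1
        # '~' sorts before everything, including the end of the string (1.0~rc1 < 1.0).
        if (i < len(a) and a[i] == "~") or (j < len(b) and b[j] == "~"):
            if i >= len(a) or a[i] != "~":
                return 1
            if j >= len(b) or b[j] != "~":
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # One segment is either a run of digits or a run of letters.
        numeric = a[i].isdigit()
        pat = r"[0-9]+" if numeric else r"[A-Za-z]+"
        seg_a = re.match(pat, a[i:]).group(0)
        m_b = re.match(pat, b[j:])
        if m_b is None:
            # Segment types differ: a numeric segment is newer than an alpha one.
            return 1 if numeric else -1
        seg_b = m_b.group(0)
        i += len(seg_a)
        j += len(seg_b)
        if numeric:
            # Numeric segments compare by value: strip leading zeros, longer wins.
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever side still has segments left is newer.
    return -1 if i >= len(a) else 1


def parse_evr(evr: str) -> tuple:
    """Split 'epoch:version-release'; rpm prints a missing epoch as '(none)', treated as 0."""
    epoch, sep, rest = evr.rpartition(":")
    if not sep or epoch == "(none)":
        epoch = "0"
    version, _, release = rest.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    return rpmvercmp(ea, eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_affected(installed: str, fixed: str) -> bool:
    """Affected only if the installed EVR sorts strictly below the fixed EVR.
    Using '<=' here is one classic way a scanner flags exactly the fixed build."""
    return evr_cmp(installed, fixed) < 0


def naive_affected(installed: str, fixed: str) -> bool:
    """Plain string comparison, for contrast: it orders '92' after '151'."""
    return installed < fixed


# Constructed from the scan output quoted above: (package_name, package_version).
SCAN_FINDINGS = [
    ("glibc", "2.28-151.0.1.el8"),
    ("glibc-common", "2.28-151.0.1.el8"),
    ("glibc-minimal-langpack", "2.28-151.0.1.el8"),
]
# Assumed fixed EVR for ELSA-2021-9344 (from the issue's Filename remark); epoch 0 assumed.
FIXED_EVR = "2.28-151.0.1.el8"


def triage(findings, fixed_evr: str) -> dict:
    """Map each reported package to True (still affected) or False (at/after the fix)."""
    return {name: is_affected(evr, fixed_evr) for name, evr in findings}


if __name__ == "__main__":
    for name, affected in triage(SCAN_FINDINGS, FIXED_EVR).items():
        print(f"{name}: {'AFFECTED' if affected else 'not affected (at or above fixed EVR)'}")
    # An older build shows why the proper comparator matters: the naive check misses it.
    print("2.28-92.el8  rpm:", is_affected("2.28-92.el8", FIXED_EVR),
          " naive:", naive_affected("2.28-92.el8", FIXED_EVR))
```

On the image itself, `rpm -q --queryformat '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' glibc glibc-common glibc-minimal-langpack` prints the installed EVRs in the form `parse_evr` accepts (an unset epoch prints as `(none)`). If the installed EVR is not below the fixed EVR from the errata, the finding is a scanner-side problem (stale or mis-parsed errata data, or an inclusive comparison), not a missing update.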
What version of clair is this? It seems like v2, which is not maintained; I don't know how ELSA data is ingested.
Please reopen if this seems to happen with the current version.
@katoto135 FWIW, yes it is a false positive, see oracle/weblogic-image-tool#337 (comment)