CVE-2021-29842 cannot be found in clair db
chengjun0124 opened this issue
Description of Problem / Feature Request
I deployed clair in openshift. After clair was ready, I couldn't query CVE-2021-29842 in the table vuln. I am not sure how/where clair fetches vulnerabilities. And why is CVE-2021-29842 not fetched? Could you please help me with this? Thanks.
Expected Outcome
Actual Outcome
Environment
- Clair version/image:
- Clair client name/version:
- Host OS:
- Kernel (e.g. `uname -a`):
- Kubernetes version (use `kubectl version`):
- Network/Firewall setup:
Updaters are responsible for pulling vulnerabilities from various sources, normalizing the data and inserting it into the DB. Here is a list of those that are currently supported: https://github.com/quay/clair/blob/b3c3e38574df1d53c37fbf9c7fe0128b2c76c35e/Documentation/reference/config.md#updaterssets.
It appears that the CVE you mention is related to the IBM WebSphere Application Server which wouldn't be a part of any of the existing updaters' datasets. As always, community contributions are welcome (there are a number of updater examples to reference), but remember, in order to be useful for Clair, there also needs to be a scanner that can identify that that package exists in the image.
@crozzy is there a way that we can add IBM WebSphere Application Server into any updater so that clair can find out its vulnerability?
There would need to be a feed of some sort for those vulnerabilities, as a prerequisite.
Then, someone would need to write or make sure existing code works for:
- Discovering the software in a layer (a PackageScanner)
- Ingesting the vulnerabilities (an Updater)
- Matching the vulnerabilities and discovered packages (a Matcher)
Thanks.
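
The three pieces listed in the last reply, sketched as an added example (not code from Clair, claircore, or anyone in this thread). It shows why a vulnerability record alone produces no finding unless a scanner also discovers the package. All types, the file path, the product name, the versions and the `CVE-EXAMPLE-0001` ID are hypothetical placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical, simplified types for this sketch; not claircore's real API.
type Package struct{ Name, Version string }
type Vulnerability struct{ ID, Package, FixedIn string }

// ScanLayer plays the PackageScanner: it reads a (constructed) version file.
func ScanLayer(files map[string]string) []Package {
	if v, ok := files["/opt/example-appserver/VERSION"]; ok {
		return []Package{{"example-appserver", strings.TrimSpace(v)}}
	}
	return nil
}

// Feed plays the Updater's output: one normalized, constructed record.
var Feed = []Vulnerability{{"CVE-EXAMPLE-0001", "example-appserver", "2.4.0"}}

// ver turns "major.minor.patch" into a comparable integer.
func ver(s string) int {
	var a, b, c int
	fmt.Sscanf(s, "%d.%d.%d", &a, &b, &c)
	return a*1000000 + b*1000 + c
}

// Vulnerable plays the Matcher: same package, installed version below the fix.
func Vulnerable(p Package, v Vulnerability) bool {
	return p.Name == v.Package && ver(p.Version) < ver(v.FixedIn)
}

// Report joins the stages; Feed entries match only packages the scanner found.
func Report(pkgs []Package) []string {
	var hits []string
	for _, p := range pkgs {
		for _, v := range Feed {
			if Vulnerable(p, v) {
				hits = append(hits, v.ID+" affects "+p.Name+" "+p.Version)
			}
		}
	}
	return hits
}

func main() {
	fmt.Println(Report(ScanLayer(map[string]string{"/opt/example-appserver/VERSION": "2.3.7\n"})))
}
```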