quay / clair

Vulnerability Static Analysis for Containers

Home Page: https://quay.github.io/clair/


CVE-2021-29842 cannot be found in clair db

chengjun0124 opened this issue

Description of Problem / Feature Request

I deployed Clair in OpenShift. After Clair was ready, I couldn't query CVE-2021-29842 in the vuln table. I am not sure how/where Clair fetches vulnerabilities, and why CVE-2021-29842 is not fetched. Could you please help me with this? Thanks.

Expected Outcome

Actual Outcome

Environment

  • Clair version/image:
  • Clair client name/version:
  • Host OS:
  • Kernel (e.g. uname -a):
  • Kubernetes version (use kubectl version):
  • Network/Firewall setup:

Updaters are responsible for pulling vulnerabilities from various sources, normalizing the data and inserting it into the DB. Here is a list of the ones currently supported: https://github.com/quay/clair/blob/b3c3e38574df1d53c37fbf9c7fe0128b2c76c35e/Documentation/reference/config.md#updaterssets.

It appears that the CVE you mention is related to the IBM WebSphere Application Server, which wouldn't be a part of any of the existing updaters' datasets. As always, community contributions are welcome (there are a number of updater examples to reference), but remember, in order to be useful for Clair, there also needs to be a scanner that can identify that the package exists in the image.

@crozzy Thank you very much.

@crozzy is there a way that we can add IBM WebSphere Application Server into any updater so that Clair can find its vulnerabilities?

There would need to be a feed of some sort for those vulnerabilities, as a prerequisite.

Then, someone would need to write or make sure existing code works for:

  • Discovering the software in a layer (a PackageScanner)
  • Ingesting the vulnerabilities (an Updater)
  • Matching the vulnerabilities and discovered packages (a Matcher)
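An added example (not Clair's or claircore's code) that sketches how the three roles listed above fit together, in plain Go with no claircore dependency: the scanner output is a constructed slice (a real PackageScanner would have to walk the layer filesystem), the Updater role normalizes a constructed JSON feed into records, and the Matcher decides which discovered packages are affected using a numeric version comparison. The `Package`, `Vulnerability`, `Match` and `Run` names are this example's own, not claircore's interfaces, and the CVE IDs are placeholders.

```go
package main
import (
	"encoding/json"
	"strconv"
	"strings"
)

// Simplified models of what a PackageScanner reports and an Updater ingests.
type Package struct{ Name, Version string }
type Vulnerability struct{ ID, Package, FixedIn string }

// Constructed inputs: scanner output for one layer and a raw JSON feed
// (placeholder IDs, not real advisories).
var scanned = []Package{{"websphere", "9.0.5"}, {"java", "10.0.2"}}
const feed = `[{"ID":"CVE-EXAMPLE-0001","Package":"websphere","FixedIn":"9.0.5.7"},
{"ID":"CVE-EXAMPLE-0002","Package":"java","FixedIn":"9.9"}]`

// Match plays the Matcher role: a package is affected when the name matches and
// its version sorts below FixedIn. Returns package name -> vulnerability IDs.
func Match(pkgs []Package, vulns []Vulnerability) map[string][]string {
	hits := map[string][]string{}
	for _, p := range pkgs {
		for _, v := range vulns {
			if p.Name == v.Package && versionLess(p.Version, v.FixedIn) {
				hits[p.Name] = append(hits[p.Name], v.ID)
			}
		}
	}
	return hits
}

// versionLess compares dotted integer versions numerically ("10.0" > "9.9");
// a missing trailing component counts as 0, so "9.0.5" < "9.0.5.7".
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) { x, _ = strconv.Atoi(as[i]) }
		if i < len(bs) { y, _ = strconv.Atoi(bs[i]) }
		if x != y { return x < y }
	}
	return false
}

// Run plays the Updater role (normalize the feed) and then calls the Matcher.
func Run() (map[string][]string, error) {
	var vulns []Vulnerability
	if err := json.Unmarshal([]byte(feed), &vulns); err != nil { return nil, err }
	return Match(scanned, vulns), nil
}
```

For a product such as WebSphere the hard parts are exactly the two things this toy skips: a feed to ingest and a scanner that can recognise the installation inside a layer.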

Thanks.