Unsupported scan results on Google Distroless images

Question

Unsupported scan results on Google Distroless images

toastbrotch opened this issue 2 years ago · comments

Hi

When I push Google Distroless Images to my Quay registry, I've got Unsupported security scan results.
(just tried with mcr.microsoft.com/azure-cognitive-services/vision/read:3.2-model-2022-04-30 )

Expected Outcome
Security findings based on CVE for Debian.

Actual Outcome
Unsupported

Environment
Clair version/image: clair-rhel8:v3.7.2

the same was reported on Clair V2 but it got simply closed (#1001). now that we have Clair V4 the same problem still exists.

any plans to fix this? is it fixable?

thanx.ivo

mr.shintla · Answer 1 · Thu Jul 07 2022 16:55:36 GMT+0800 (China Standard Time)

$ cat /etc/os-release                                                                                   
PRETTY_NAME="Distroless"
NAME="Debian GNU/Linux"
ID="debian"
VERSION_ID="10"
VERSION="Debian GNU/Linux 10 (buster)"

Hank Donnay · Answer 2 · Fri Jul 08 2022 04:36:22 GMT+0800 (China Standard Time)

"Distroless" containers don't use the standard dpkg database and so aren't supported by the dpkg package in claircore.

Support would have to be added there.

mr.shintla · Answer 3 · Wed Sep 07 2022 19:05:18 GMT+0800 (China Standard Time)

as i see more and more distroless containers appear here, adding support would be great