quay / clair

Vulnerability Static Analysis for Containers

Home Page: https://quay.github.io/clair/


vulnerabilities not matched for `node:12.22-buster` image

majewsky opened this issue · comments

Expected Outcome

When scanning the node:12.22-buster image from Docker Hub (specifically, the x86_64 component with digest sha256:280dbc1adbdac7d29d886f30bc1d09b6dfd77f37f550a127307c2f8895811313) in my Clair 4.6.0 instance, I expect to see several vulnerabilities. A colleague executed Clair 4.6.0 locally via docker-compose and got more than 100 vulns (see clairctl output here). Excerpt:

...
node:12.22-buster found libncursesw6                 6.1+20181013-2+deb10u2       CVE-2021-39537 ncurses        (fixed: 0:0)
node:12.22-buster found libncursesw6                 6.1+20181013-2+deb10u2       CVE-2022-29458 ncurses        (fixed: 0:6.1+20181013-2+deb10u3)
...

Actual Outcome

No vulnerabilities are found. This gist contains the vulnerability report for the image as well as the Clair config file (with secrets redacted, obviously).

As can be seen from the vulnerability report, the indexer seems to work fine. For example, libncursesw is correctly detected as being at version 6.1+20181013-2+deb10u2. The updater seems to work fine, too: both expected vulnerabilities for this specific package show up in the DB (see snippet below). But the matcher seems to be unable to associate these two facts.

I feel like there is just a misconfiguration here, which is why I included my config in the gist above for reference. But if there is a misconfiguration, I absolutely can't see it.

clair=# SELECT * FROM vuln WHERE package_name = 'libncursesw6' AND name ~ 'CVE-202(2-29458|1-39537)' AND dist_version_code_name = 'buster';
-[ RECORD 1 ]----------+---------------------------------------------------------------------------------------------------------------------------------------------------------
id                     | 1682291
hash_kind              | md5
hash                   | \x99fecc2101b46d23285170d3ee3c17b4
updater                | debian/updater/buster
name                   | CVE-2021-39537 ncurses
description            | An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.
issued                 | 0001-01-01 00:00:00+00
links                  | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39537
severity               |
normalized_severity    | Unknown
package_name           | libncursesw6
package_version        |
package_module         |
package_arch           |
package_kind           | binary
dist_id                | debian
dist_name              | Debian GNU/Linux
dist_version           | 10 (buster)
dist_version_code_name | buster
dist_version_id        | 10
dist_arch              |
dist_cpe               |
dist_pretty_name       | Debian GNU/Linux 10 (buster)
repo_name              |
repo_key               |
repo_uri               |
fixed_in_version       | 0:0
arch_operation         | invalid
vulnerable_range       | empty
version_kind           |
-[ RECORD 2 ]----------+---------------------------------------------------------------------------------------------------------------------------------------------------------
id                     | 1711088
hash_kind              | md5
hash                   | \xdc40306998d0f4a3482cdd107a27aa45
updater                | debian/updater/buster
name                   | CVE-2022-29458 ncurses
description            | ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.
issued                 | 0001-01-01 00:00:00+00
links                  | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29458
severity               |
normalized_severity    | Unknown
package_name           | libncursesw6
package_version        |
package_module         |
package_arch           |
package_kind           | binary
dist_id                | debian
dist_name              | Debian GNU/Linux
dist_version           | 10 (buster)
dist_version_code_name | buster
dist_version_id        | 10
dist_arch              |
dist_cpe               |
dist_pretty_name       | Debian GNU/Linux 10 (buster)
repo_name              |
repo_key               |
repo_uri               |
fixed_in_version       | 0:6.1+20181013-2+deb10u3
arch_operation         | invalid
vulnerable_range       | empty
version_kind           |

Environment

  • Clair version/image: 4.6.0
  • Clair client name/version: curl, mostly (clairctl output from 4.6.0)
  • Host OS: RHEL 8.7 container on Flatcar 3374.2.4
  • Kernel (e.g. uname -a): Linux clair-indexer-64cd54fcb7-9dbzz 5.15.89-flatcar #1 SMP Wed Feb 15 18:00:42 -00 2023 x86_64 x86_64 x86_64 GNU/Linux
  • Kubernetes version (use kubectl version): 1.25.6
  • Network/Firewall setup: not relevant
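The issue above gives the two facts the matcher has to combine: the indexed package version (libncursesw6 at 6.1+20181013-2+deb10u2) and the two vuln rows with their fixed_in_version values. The following is an added example, not Clair's own code, that implements dpkg-style version ordering (epoch, upstream version, Debian revision, with the usual `~` and digit-run rules) and applies it to records constructed from the psql output in the issue, so the expected matcher result for this package can be checked independently. One assumption is labelled in the code: a fixed_in_version of `0:0` is treated as "no fix published, every version affected", which mirrors the clairctl output quoted at the top, where CVE-2021-39537 is still reported with `fixed: 0:0`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// order gives the sort weight of a byte under dpkg's rules: '~' sorts before
// everything, including the end of the string; digits and end-of-string
// weigh 0; letters sort before all other characters.
func order(c byte) int {
	switch {
	case c == '~':
		return -1
	case c == 0 || isDigit(c):
		return 0
	case (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'):
		return int(c)
	default:
		return int(c) + 256
	}
}

func isDigit(c byte) bool { return c >= '0' && c <= '9' }

// at returns s[i], or 0 once i runs past the end of s.
func at(s string, i int) byte {
	if i < len(s) {
		return s[i]
	}
	return 0
}

// verrevcmp compares one component (upstream version or Debian revision):
// alternating runs of non-digits (compared by order) and digits (compared
// numerically, leading zeros ignored).
func verrevcmp(a, b string) int {
	i, j := 0, 0
	for i < len(a) || j < len(b) {
		firstDiff := 0
		for (i < len(a) && !isDigit(a[i])) || (j < len(b) && !isDigit(b[j])) {
			ac, bc := order(at(a, i)), order(at(b, j))
			if ac != bc {
				return ac - bc
			}
			i++
			j++
		}
		for i < len(a) && a[i] == '0' {
			i++
		}
		for j < len(b) && b[j] == '0' {
			j++
		}
		for i < len(a) && isDigit(a[i]) && j < len(b) && isDigit(b[j]) {
			if firstDiff == 0 {
				firstDiff = int(a[i]) - int(b[j])
			}
			i++
			j++
		}
		if i < len(a) && isDigit(a[i]) {
			return 1 // a has more digits in this run, so it is the larger number
		}
		if j < len(b) && isDigit(b[j]) {
			return -1
		}
		if firstDiff != 0 {
			return firstDiff
		}
	}
	return 0
}

// parseDebVersion splits [epoch:]upstream[-revision]; a missing epoch is 0.
func parseDebVersion(v string) (epoch int, upstream, revision string) {
	if k := strings.Index(v, ":"); k >= 0 {
		epoch, _ = strconv.Atoi(v[:k])
		v = v[k+1:]
	}
	if k := strings.LastIndex(v, "-"); k >= 0 {
		return epoch, v[:k], v[k+1:]
	}
	return epoch, v, ""
}

// CompareDebVersions returns <0, 0 or >0, ordering a against b the way
// `dpkg --compare-versions` does.
func CompareDebVersions(a, b string) int {
	ea, ua, ra := parseDebVersion(a)
	eb, ub, rb := parseDebVersion(b)
	if ea != eb {
		return ea - eb
	}
	if c := verrevcmp(ua, ub); c != 0 {
		return c
	}
	return verrevcmp(ra, rb)
}

// VulnRecord carries the vuln-table columns that matter for this check.
type VulnRecord struct {
	Name, PackageName, FixedInVersion string
}

// BusterNcursesVulns is constructed from the two psql records in the issue.
var BusterNcursesVulns = []VulnRecord{
	{"CVE-2021-39537 ncurses", "libncursesw6", "0:0"},
	{"CVE-2022-29458 ncurses", "libncursesw6", "0:6.1+20181013-2+deb10u3"},
}

// Affected reports whether installed sorts before fixedIn. Assumption: a
// fixed_in_version of "0:0" means no fix exists, so every version is affected.
func Affected(installed, fixedIn string) bool {
	if fixedIn == "0:0" {
		return true
	}
	return CompareDebVersions(installed, fixedIn) < 0
}

// MatchPackage returns the names of the records that apply to pkg at version.
func MatchPackage(pkg, version string, vulns []VulnRecord) []string {
	var hits []string
	for _, v := range vulns {
		if v.PackageName == pkg && Affected(version, v.FixedInVersion) {
			hits = append(hits, v.Name)
		}
	}
	return hits
}

func main() {
	for _, name := range MatchPackage("libncursesw6", "6.1+20181013-2+deb10u2", BusterNcursesVulns) {
		fmt.Println("libncursesw6 6.1+20181013-2+deb10u2 affected by", name)
	}
}
```

Running it lists both CVEs for the indexed version, which is the result the colleague's docker-compose run produced; bumping the version to 6.1+20181013-2+deb10u3 drops CVE-2022-29458 and keeps only the unfixed one. Since the version ordering itself gives the expected answer, this supports the reporter's reading that the two facts are present and the gap lies in how the matcher is configured to join them, rather than in the data.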