This repository has been archived by the owner on Jan 27, 2023. It is now read-only.

RHSA vulnerability not detected #1369

Open
adrianmarcu18 opened this issue Mar 7, 2022 · 2 comments

Comments

@adrianmarcu18

Is this a request for help?:
Not a request for help.

Is this a BUG REPORT or a FEATURE REQUEST? (choose one):
Bug report

Version of Anchore Engine and Anchore CLI if applicable:
v1.1.0

What happened:
High Vulnerability RHSA-2022:0666 (CVE-2022-24407) not detected for RHEL 7 images.

What did you expect to happen:
Vulnerability CVE-2022-24407 to be detected on RHEL 7 images.

Any relevant log output from /var/log/anchore:
No relevant logs are needed.

What docker images are you using:
CentOS 7 base images.

How to reproduce the issue:
Analyze any CentOS 7 image with the cyrus-sasl-lib:2.1.26-23.el7 package (or a lower version). No vulnerabilities will be found.

Anything else we need to know:
Upon checking the latest version of the grypedb (as of today, 07.03.2022), if we filter on CVE-2022-24407, we can see that RHEL sources are not there. Only debian, sles and ubuntu are listed.
The latest rhel7 vulnerability listed in grype is CVE-2022-25315, which was published on 19.02.2022.
The vulnerability which is not detected is from 22.02.2022.
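The check the reporter describes (filter the grype DB on a CVE and see which distro namespaces carry a record for it) can be scripted as a coverage test. This is an added example, not code from the issue or from grype; it assumes the DB is a SQLite file whose `vulnerability` table has at least an `id` column (advisory id) and a `namespace` column (values like `rhel:7`), and the sample rows are constructed to mirror the situation in the report.

```python
"""Coverage check: which namespaces in a grype vulnerability DB carry a given CVE?

Assumed schema (not verified against any grype release): table `vulnerability`
with columns `id` (CVE/advisory id), `package_name` and `namespace`.
"""
import sqlite3
from typing import Iterable, List, Set

# Namespace prefixes a RHEL/CentOS user would expect for a cross-distro CVE.
EXPECTED_PREFIXES = ("rhel:", "debian:", "ubuntu:", "sles:")


def namespaces_for(conn: sqlite3.Connection, vuln_id: str) -> Set[str]:
    """Return every namespace that has at least one record for `vuln_id`."""
    rows = conn.execute(
        "SELECT DISTINCT namespace FROM vulnerability WHERE id = ?", (vuln_id,)
    )
    return {row[0] for row in rows}


def missing_prefixes(
    conn: sqlite3.Connection, vuln_id: str, expected: Iterable[str] = EXPECTED_PREFIXES
) -> List[str]:
    """Sorted list of expected namespace prefixes with no record for `vuln_id`."""
    present = namespaces_for(conn, vuln_id)
    return sorted(p for p in expected if not any(ns.startswith(p) for ns in present))


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory DB: the CVE from the report has no RHEL rows,
    while a later RHEL CVE (the last one the reporter saw) is present."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vulnerability (id TEXT, package_name TEXT, namespace TEXT)")
    conn.executemany(
        "INSERT INTO vulnerability VALUES (?, ?, ?)",
        [
            ("CVE-2022-24407", "cyrus-sasl2", "debian:11"),
            ("CVE-2022-24407", "cyrus-sasl2", "ubuntu:20.04"),
            ("CVE-2022-24407", "cyrus-sasl", "sles:15.3"),
            ("CVE-2022-25315", "expat", "rhel:7"),
        ],
    )
    return conn


if __name__ == "__main__":
    # Point this at a real DB file instead: sqlite3.connect("/path/to/vulnerability.db")
    db = build_sample_db()
    for cve in ("CVE-2022-24407", "CVE-2022-25315"):
        print(cve, "present:", sorted(namespaces_for(db, cve)),
              "missing:", missing_prefixes(db, cve))
```

Running this against a freshly downloaded DB before trusting a "no vulnerabilities" result turns the reporter's manual inspection into a repeatable gate.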

@adrianmarcu18
Author

In the meantime it seems the grypedb has been updated with the latest vulnerabilities, including the one mentioned above. It would be nice to have some root cause for the issue so that we can have more trust in grypedb being up to date.

@zhill
Member

zhill commented Mar 23, 2022

We recently identified an issue with the RedHat security API returning 403s intermittently during the grype db build process. We made some configuration changes to reduce the likelihood of what appears to be rate-limiting; we are no longer seeing the issues, and we continue to monitor the situation to ensure builds continue daily as expected.
