anchore / anchore-engine

A service that analyzes docker images and scans for vulnerabilities
Apache License 2.0

RHSA vulnerability not detected #1369

Open adrianmarcu18 opened 2 years ago

adrianmarcu18 commented 2 years ago

Is this a request for help?: Not a request for help.

Is this a BUG REPORT or a FEATURE REQUEST? (choose one): Bug report

Version of Anchore Engine and Anchore CLI if applicable: v1.1.0

What happened: High Vulnerability RHSA-2022:0666 (CVE-2022-24407) not detected for RHEL 7 images.

What did you expect to happen: Vulnerability CVE-2022-24407 to be detected on RHEL 7 images.

Any relevant log output from /var/log/anchore: No relevant logs are needed.

What docker images are you using: CentOS 7 base images.

How to reproduce the issue: Analyze any CentOS 7 image with the cyrus-sasl-lib:2.1.26-23.el7 package (or a lower version). No vulnerabilities will be found.

Anything else we need to know: Upon checking the latest version of the grypedb (as of today, 07.03.2022), if we filter on CVE-2022-24407, we can see that RHEL sources are not there. Only debian, sles and ubuntu are listed. The latest rhel7 vulnerability listed in grype is CVE-2022-25315, which was published on 19.02.2022. The vulnerability which is not detected is from 22.02.2022.

adrianmarcu18 commented 2 years ago

In the meantime it seems the grypedb has been updated with the latest vulnerabilities, including the one mentioned above. It would be nice to have some root cause for the issue so that we can have more trust in grypedb being up to date.
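The two checks the reporter describes above (which sources list a given CVE, and how far behind a given source's newest entry is) can be automated so a stale feed is noticed before scan results are trusted. This is an added example, not code from the issue or from the anchore/grype projects; the rows are constructed to mirror the report, and the (namespace, vulnerability id, published date) record shape and the `rhel:7`-style namespace labels are assumptions rather than the real grypedb schema.

```python
from datetime import date, timedelta

# Constructed sample rows: (namespace, vulnerability id, published date).
# They reproduce the situation in the report: CVE-2022-24407 present for
# debian/sles/ubuntu but absent for rhel:7, whose newest entry is CVE-2022-25315.
SAMPLE_ROWS = [
    ("debian:11", "CVE-2022-24407", date(2022, 2, 22)),
    ("sles:15", "CVE-2022-24407", date(2022, 2, 23)),
    ("ubuntu:20.04", "CVE-2022-24407", date(2022, 2, 22)),
    ("rhel:7", "CVE-2022-25315", date(2022, 2, 19)),
    ("debian:11", "CVE-2022-25315", date(2022, 2, 19)),
]


def sources_listing(rows, cve):
    """Sorted namespaces that carry the given CVE (the reporter's manual filter)."""
    return sorted({ns for ns, vid, _ in rows if vid == cve})


def missing_sources(rows, cve, expected):
    """Namespaces we expect to carry the CVE but that do not list it at all."""
    present = set(sources_listing(rows, cve))
    return sorted(ns for ns in expected if ns not in present)


def latest_per_source(rows):
    """Publication date of the newest entry in each namespace."""
    latest = {}
    for ns, _, published in rows:
        if ns not in latest or published > latest[ns]:
            latest[ns] = published
    return latest


def stale_sources(rows, as_of, max_lag_days):
    """Namespaces whose newest entry is more than max_lag_days behind as_of."""
    cutoff = as_of - timedelta(days=max_lag_days)
    return sorted(ns for ns, newest in latest_per_source(rows).items() if newest < cutoff)


if __name__ == "__main__":
    as_of = date(2022, 3, 7)  # the day the report was filed
    expected = ["debian:11", "rhel:7", "sles:15", "ubuntu:20.04"]
    print("sources listing CVE-2022-24407:", sources_listing(SAMPLE_ROWS, "CVE-2022-24407"))
    print("expected sources missing it:", missing_sources(SAMPLE_ROWS, "CVE-2022-24407", expected))
    print("sources more than 14 days behind:", stale_sources(SAMPLE_ROWS, as_of, 14))
```

A per-source lag threshold, rather than a single whole-database timestamp, is what catches the failure mode here: the database as a whole kept updating while one upstream feed silently stopped contributing.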

zhill commented 2 years ago

We recently identified an issue with the RedHat security API returning 403s intermittently during the grype db build process. We made some configuration changes to reduce the likelihood of what appears to be rate-limiting, are no longer seeing the issues, and continue to monitor the situation to ensure builds continue daily as expected.