coreos / bugs

Issue tracker for CoreOS Container Linux
https://coreos.com/os/eol/

quay.io `current version` and `fixed by version` both wrong for given vulnerability #2459

Closed dchambers closed 6 years ago

dchambers commented 6 years ago

Hopefully this report helps you to make quay.io even better 👍

My container depends on nginx:1.15.0-alpine, which itself depends on alpine:3.7. It is being flagged with vulnerability CVE-2018-6942 due to the use of freetype 2.8.1-r2, which it says can be fixed by using freetype 2.8.1-r3. However, Alpine's package manager shows that Alpine 3.7 is already using freetype 2.8.1-r3. This is the first problem.

Secondly, reading CVE-2018-6942 for myself, I can see that this bug actually isn't fixed until after freetype 3.9, so it looks like the fixed-by field is incorrect too based on this advisory, so this is the second problem.

Thanks!

timendez commented 6 years ago

Omg @dchambers I have been struggling with this problem for a while now. How did you fix it?

timendez commented 6 years ago

Nevermind, I figured it out. I had to add

RUN apk update
RUN apk add --upgrade freetype-dev

to my Dockerfile.template. I was using the wrong package name for freetype.

dchambers commented 6 years ago

Hi @timendez, I hadn't actually fixed the underlying problem myself, but I see you now have. Thanks for sharing 👍

lucab commented 6 years ago

I think it is just a mismatch between package names, the distribution DB and what's inside the container image. I'd suggest bringing this discussion to some Alpine forum, because we are not directly involved in what ends up inside the specific container image. If you think that instead this is some kind of logic bug in the analyzer, please report it to https://github.com/coreos/clair. I'm otherwise going to close this ticket, as there isn't anything directly actionable here.

dchambers commented 6 years ago

Hi @lucab, that's really interesting. Are you able to point to any docs about (or quickly explain) how Clair determines the actual package versions being used when scanning a container?

lucab commented 6 years ago

@dchambers it is broadly described here and in the presentations linked in the other docs there.

bison commented 6 years ago

The updated package (2.8.1-r3) is available in the Alpine repository, but that doesn't mean that images built before it was available actually have the updated package. It looks like the nginx image has not updated:

$ docker run --rm nginx:1.15.0-alpine apk -v info 2>/dev/null | grep freetype
freetype-2.8.1-r2

As for the fixed-by version, this can get confusing because distro maintainers commonly backport fixes from newer versions of software to the older versions shipped in the distro. It looks like Alpine did that here:

https://bugs.alpinelinux.org/issues/8988 https://git.alpinelinux.org/cgit/aports/commit/?id=89c7aef675e52f6296314b9c79c495732c7b5809

So, unless I'm misunderstanding, I don't think this is an issue with Quay or Clair.

Hope this helps.
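The two points in the comment above (the image carries whatever package version was in the repository when it was built, and the "fixed by" version is the distro's backported package release rather than an upstream release) can be reproduced offline with a small script. This is an added example, not Clair's or Quay's code: it parses constructed `apk -v info` output for the published nginx:1.15.0-alpine image and for a rebuilt image, and compares the installed versions against a constructed excerpt in the layout of Alpine's secdb JSON (https://secdb.alpinelinux.org/v3.7/main.json), where each package's `secfixes` maps an Alpine package version to the CVEs it closes. The version comparison is a simplified model of apk's rules (numeric/alphabetic runs of the upstream version, then the `-rN` package release), not a port of apk's algorithm.

```python
"""Offline model of the check a scanner such as Clair performs on an Alpine image:
take the package versions actually installed in the image (as printed by
`apk -v info`) and compare them with the distribution's security fix database.

All data below is constructed for this example. The version ordering is a
simplified model of apk's rules, not apk's full algorithm."""
import json
import re

# Constructed stand-in for `docker run --rm nginx:1.15.0-alpine apk -v info`,
# trimmed to a few packages. The freetype line matches the comment above.
APK_INFO_OLD_IMAGE = """\
musl-1.1.18-r3
busybox-1.27.2-r11
freetype-2.8.1-r2
nginx-1.15.0-r0
"""

# Constructed: the same packages after an `apk upgrade` against a repository
# that already carries the fixed freetype package.
APK_INFO_REBUILT_IMAGE = """\
musl-1.1.18-r3
busybox-1.27.2-r11
freetype-2.8.1-r3
nginx-1.15.0-r0
"""

# Constructed excerpt in the shape of Alpine's secdb JSON. "secfixes" maps the
# *Alpine* package version carrying the backported fix to the CVEs it closes;
# that version (2.8.1-r3) is what a scanner reports as "fixed by", not the
# upstream freetype release that first contained the fix.
SECDB_V37_MAIN = json.loads("""
{"distroversion": "v3.7", "reponame": "main", "packages": [
  {"pkg": {"name": "freetype", "secfixes": {"2.8.1-r3": ["CVE-2018-6942"]}}}
]}
""")

# Package names may contain '-', so the version starts at the first '-' that is
# followed by a digit (e.g. "freetype-dev-2.8.1-r3" -> freetype-dev, 2.8.1-r3).
_PKG_LINE = re.compile(r"^(?P<name>.+?)-(?P<version>\d.*)$")
_VERSION = re.compile(r"^(?P<main>.*?)(?:-r(?P<rel>\d+))?$")


def parse_apk_info(text):
    """Map package name -> installed version from `apk -v info` output."""
    installed = {}
    for line in text.splitlines():
        m = _PKG_LINE.match(line.strip())
        if m:
            installed[m.group("name")] = m.group("version")
    return installed


def version_key(version):
    """Sort key for an Alpine package version such as '2.8.1-r3' (simplified):
    numeric and alphabetic runs of the upstream part, then the -rN release."""
    m = _VERSION.match(version)
    parts = []
    for tok in re.findall(r"\d+|[a-zA-Z]+", m.group("main")):
        parts.append((0, int(tok)) if tok.isdigit() else (1, tok))
    pkgrel = int(m.group("rel") or 0)
    return (tuple(parts), pkgrel)


def is_older(installed, fixed):
    return version_key(installed) < version_key(fixed)


def find_unfixed(installed, secdb):
    """Return [(package, installed_version, fixed_version, cve)] for every secdb
    fix whose package is present in the image at an older version."""
    findings = []
    for entry in secdb["packages"]:
        pkg = entry["pkg"]
        name = pkg["name"]
        if name not in installed:
            continue
        for fixed_version, cves in pkg.get("secfixes", {}).items():
            if is_older(installed[name], fixed_version):
                for cve in cves:
                    findings.append((name, installed[name], fixed_version, cve))
    return findings


if __name__ == "__main__":
    for label, text in (("nginx:1.15.0-alpine as published", APK_INFO_OLD_IMAGE),
                        ("rebuilt after apk upgrade", APK_INFO_REBUILT_IMAGE)):
        hits = find_unfixed(parse_apk_info(text), SECDB_V37_MAIN)
        print(label, "->", hits or "no known unfixed CVEs")
```

Run against the published image's package list this reports freetype 2.8.1-r2 as fixed by 2.8.1-r3 for CVE-2018-6942, exactly the Quay finding; run against the rebuilt list it reports nothing. The scanner never consults the repository index for the image's base tag, only what `apk` records inside the image, which is why a base image built before the fix landed stays flagged until it is rebuilt or upgraded.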

dchambers commented 6 years ago

Seriously comprehensive answer there @bison. Thanks so much for taking the time to craft that response and helping me to understand what's going on here. :+1: