optiopay / klar

Integration of Clair and Docker Registry
MIT License

Proposal to fix #144 #165

Open gonfva-bcl opened 4 years ago

gonfva-bcl commented 4 years ago

This suggests a possible solution for #144. Underlying layers of the image may have a vulnerability that is fixed in the top layers. With this code, we introduce a new variable that allows analysing only the last layer.

alaendle commented 4 years ago

While I really believe this feature is needed, I'm not really sure this fix works as expected. I tried to verify this feature against the image rabbitmq:3.8.3-management, and it still reports warnings against packages that aren't present on the top layer. Not sure if this is a problem of klar or clair; I haven't debugged the running app. Using API v1 of clair.

gonfva-bcl commented 4 years ago

Hi @alaendle, could you point to a specific package that is reported as vulnerable and has been fixed or is not available in the latest layer?

alaendle commented 4 years ago

Regarding the image rabbitmq:3.8.3-management, I would consider gnupg2 to be such a case. But please consider this statement with caution, because I haven't spent much time searching for the cause!

gonfva-bcl commented 4 years ago

Not sure how klar/clair detects it, but there is certainly something:

$ docker run --rm rabbitmq:3.8.3-management gpgv --version
gpgv (GnuPG) 2.2.4
libgcrypt 1.8.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

alaendle commented 4 years ago

So please forget everything I've said before. gpgv (containing sources from gnupg2, which explains the link clair recognizes) is already included in ubuntu:18.04. I wrongly expected that the package "gnupg2" somehow got added/removed in some layers, because I couldn't find the reported package name (to the letter) on the top layer. The mistake was clearly mine. Everything works as expected. So once again thanks for adding this feature, and I really would enjoy seeing this pull request get merged.
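The two behaviours the thread contrasts, as an added Go illustration that is not klar's or Clair's code: scanning every layer on its own reports a base-layer package even after a later layer upgraded it (the #144 false positive), while scanning only the merged state the top layer produces drops the upgraded package but still reports a base-layer package that is still present (the gpgv case above). The `Layer` and `Advisory` types, the package names and the ADV-EXAMPLE advisory IDs are constructed for this example, and versions are matched exactly rather than by "fixed in" ranges.

```go
package main
import "fmt"
// Layer is a constructed model of one image layer: the package versions it
// installs or upgrades. Later layers override earlier ones, as in an overlay.
type Layer map[string]string

// Advisory is a constructed advisory: the named package version is affected.
type Advisory struct{ ID, Package, Affected string }

// findings returns the IDs of advisories matching one package state.
func findings(state Layer, advs []Advisory) map[string]bool {
	out := map[string]bool{}
	for _, adv := range advs {
		if state[adv.Package] == adv.Affected {
			out[adv.ID] = true
		}
	}
	return out
}

// ReportEveryLayer scans each layer on its own (the behaviour #144 describes):
// a vulnerable base-layer package is reported even if a later layer upgraded it.
func ReportEveryLayer(layers []Layer, advs []Advisory) map[string]bool {
	out := map[string]bool{}
	for _, l := range layers {
		for id := range findings(l, advs) {
			out[id] = true
		}
	}
	return out
}

// ReportTopLayer scans only the merged state the top layer produces: an upgraded
// package drops out; a base-layer package still present (the gpgv case) remains.
func ReportTopLayer(layers []Layer, advs []Advisory) map[string]bool {
	state := Layer{}
	for _, l := range layers {
		for pkg, v := range l {
			state[pkg] = v
		}
	}
	return findings(state, advs)
}

func main() { // constructed image: base layer ships libexample 2.0, top layer upgrades it
	layers := []Layer{{"basetool": "1.0", "libexample": "2.0"}, {"libexample": "2.1"}}
	advs := []Advisory{{"ADV-EXAMPLE-1", "libexample", "2.0"}, {"ADV-EXAMPLE-2", "basetool", "1.0"}}
	fmt.Println(ReportEveryLayer(layers, advs)) // map[ADV-EXAMPLE-1:true ADV-EXAMPLE-2:true]
	fmt.Println(ReportTopLayer(layers, advs))   // map[ADV-EXAMPLE-2:true]
}
```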