p-rog / cve-analyser

A tool to analyse the list of detected CVEs in the containers (usually created by static security scanner) and compare them to the Red Hat Security Data.

Add custom processing for RHACS container images #7

Open dmc5179 opened 1 year ago

dmc5179 commented 1 year ago

Using oc-mirror we can look at the images for Red Hat Advanced Cluster Security here:

registry.redhat.io/openshift4/ose-kube-rbac-proxy@sha256:71c2b03f01b0af6cb349e06bc2dc035a81e10f420ffb6358a4fdc5494bb57171=openshift4/ose-kube-rbac-proxy:e4df3a11
registry.redhat.io/rh-acs/main@sha256:dc13e3ff268e45309dc6c674396094a3d8777111a612c0cb143049e44c6241f9=rh-acs/main:e88b9d8e
registry.redhat.io/rh-acs/scanner-db@sha256:0d27694909f67ee50f80077fac91cfbff4ff41cbf50a31e289c15b2838110f08=rh-acs/scanner-db:bb030383
registry.redhat.io/advanced-cluster-security/rhacs-operator-bundle@sha256:0baed09effdbfc973515d7bdce444dbf97a72c913a0ae1d7403106439b6cba62=advanced-cluster-security/rhacs-operator-bundle:45c8e50f
registry.redhat.io/rh-acs/collector@sha256:0663df17c38644b3292cacf4aa039c3d10af9f0a368659b2c631fc6e68c39442=rh-acs/collector:5122a605
registry.redhat.io/rh-acs/scanner@sha256:07cebc1cbca22002d69dbcd2bae8e6033cb9020b047360347f16c5cb5305cc37=rh-acs/scanner:61f9774d
registry.redhat.io/advanced-cluster-security/rhacs-rhel8-operator@sha256:eb747779369b369f20c205afc3b3d462309bc54869adb926aed1e2f186dadb03=advanced-cluster-security/rhacs-rhel8-operator:6e57adf5
registry.redhat.io/rh-acs/collector@sha256:e5a9524efaf7adfb79341048ef2c4fa567e5efd64d208c15e5b26de1fd97e351=rh-acs/collector:e3687cd4

But it turns out that there is no longer a repo at registry.redhat.io/rh-acs. The images have all moved to registry.redhat.io/advanced-cluster-security/.

Because of this, the cve-analyser is not able to lookup information about the RHACS images. As an example, here is a sample input:

CVE-2023-0361,rh-acs/main
CVE-2023-0361,rh-acs/main:3.74
CVE-2023-0361,advanced-cluster-security/rhacs-main-rhel8
CVE-2023-0361,advanced-cluster-security/rhacs-main-rhel8:3.74

And sample output

CVE-2023-0361,rh-acs/main,CVE Severity:Moderate,Not Found Any Information
CVE-2023-0361,rh-acs/main:3.74,CVE Severity:Moderate,Not Found Any Information
CVE-2023-0361,advanced-cluster-security/rhacs-main-rhel8,CVE Severity:Moderate,Not Found Any Information
CVE-2023-0361,advanced-cluster-security/rhacs-main-rhel8:3.74,CVE Severity:Moderate,(Red Hat Enterprise Linux 8|Product impact:moderate|Affected|gnutls)

Only in the case where the advanced-cluster-security repo is used along with the tag is processing completed. This is not a flaw in the cve-analyser but rather an issue with how the RHACS containers were moved in the registry vs how they are shown in the operator catalog. I intend to submit a BZ against RHACS to resolve this issue if possible.
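An added example, not part of cve-analyser or of the issue author's work, showing the kind of pre-processing the comment above asks for: rewrite the retired rh-acs/<name> repositories onto the advanced-cluster-security/ namespace before the analyser looks them up, and flag input rows that the sample output above shows will still come back as "Not Found Any Information" (untagged images). Only the rh-acs/main to advanced-cluster-security/rhacs-main-rhel8 pair is taken from the issue; the rhacs-<name>-rhel8 pattern applied to other names is an assumption and is reported as unconfirmed. The mapping-file parser follows the oc-mirror line format quoted in the comment.

```python
"""Added example (not cve-analyser's own code): normalise RHACS image
references before feeding them to cve-analyser.

The issue shows that registry.redhat.io/rh-acs/* repositories only resolve
against Red Hat Security Data once rewritten to the advanced-cluster-security/
namespace *and* given a tag. This helper does the rewrite on "CVE,image"
input lines and warns about rows that would still find nothing.
"""
import re
from dataclasses import dataclass, field

REGISTRY = "registry.redhat.io"
LEGACY_NAMESPACE = "rh-acs"
CURRENT_NAMESPACE = "advanced-cluster-security"

# The only pair confirmed by the issue text: rh-acs/main -> rhacs-main-rhel8.
CONFIRMED = {"main": "rhacs-main-rhel8"}

# oc-mirror mapping line: <registry>/<repo>@sha256:<digest>=<repo>:<tag>
MAPPING_LINE = re.compile(
    r"^(?P<src>\S+?)@sha256:(?P<digest>[0-9a-f]{64})=(?P<dst>[^:\s]+):(?P<tag>\S+)$"
)


@dataclass
class Normalised:
    cve: str
    image: str                  # "repo[:tag]" as handed to the analyser
    confirmed: bool             # False when the new name is only an assumed pattern
    warnings: list = field(default_factory=list)


def strip_registry(repo: str) -> str:
    """Drop the registry host so 'registry.redhat.io/x/y' and 'x/y' compare equal."""
    prefix = REGISTRY + "/"
    return repo[len(prefix):] if repo.startswith(prefix) else repo


def rewrite_repo(repo: str):
    """Map rh-acs/<name> onto the advanced-cluster-security namespace.

    Returns (repo, confirmed). Repos outside rh-acs/ pass through unchanged.
    For names other than 'main' the rhacs-<name>-rhel8 form is an ASSUMPTION
    about the naming pattern, not something the issue states; verify it against
    the registry before trusting the result.
    """
    repo = strip_registry(repo)
    namespace, _, name = repo.partition("/")
    if namespace != LEGACY_NAMESPACE:
        return repo, True
    if name in CONFIRMED:
        return f"{CURRENT_NAMESPACE}/{CONFIRMED[name]}", True
    return f"{CURRENT_NAMESPACE}/rhacs-{name}-rhel8", False


def normalise_input(lines):
    """Rewrite 'CVE,image[:tag]' rows; warn where the analyser would still find nothing."""
    out = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        cve, _, image = raw.partition(",")
        image = image.split("@", 1)[0]            # a digest cannot be looked up; drop it
        repo, tag = image, ""
        if ":" in image.rsplit("/", 1)[-1]:       # tag only if the colon follows the last path part
            repo, _, tag = image.rpartition(":")
        new_repo, confirmed = rewrite_repo(repo)
        item = Normalised(cve=cve.strip(), image=new_repo + (f":{tag}" if tag else ""),
                          confirmed=confirmed)
        if not tag:
            item.warnings.append("no tag: the issue's sample output shows untagged images "
                                 "return 'Not Found Any Information'")
        if not confirmed:
            item.warnings.append(f"{new_repo}: assumed name, verify it exists in the registry")
        out.append(item)
    return out


def legacy_repos_in_mapping(mapping_text: str):
    """Return the rh-acs/* repos present in an oc-mirror mapping file."""
    found = set()
    for line in mapping_text.splitlines():
        m = MAPPING_LINE.match(line.strip())
        if m and strip_registry(m.group("src")).startswith(LEGACY_NAMESPACE + "/"):
            found.add(strip_registry(m.group("src")))
    return found


# Sample input: three lines copied from the oc-mirror output quoted in the issue.
MAPPING_SAMPLE = """\
registry.redhat.io/rh-acs/main@sha256:dc13e3ff268e45309dc6c674396094a3d8777111a612c0cb143049e44c6241f9=rh-acs/main:e88b9d8e
registry.redhat.io/rh-acs/scanner-db@sha256:0d27694909f67ee50f80077fac91cfbff4ff41cbf50a31e289c15b2838110f08=rh-acs/scanner-db:bb030383
registry.redhat.io/advanced-cluster-security/rhacs-rhel8-operator@sha256:eb747779369b369f20c205afc3b3d462309bc54869adb926aed1e2f186dadb03=advanced-cluster-security/rhacs-rhel8-operator:6e57adf5
"""

if __name__ == "__main__":
    print(sorted(legacy_repos_in_mapping(MAPPING_SAMPLE)))
    for n in normalise_input(["CVE-2023-0361,rh-acs/main", "CVE-2023-0361,rh-acs/main:3.74"]):
        print(f"{n.cve},{n.image}", *n.warnings)
```

Run against the sample rows from the comment, the untagged "rh-acs/main" row is rewritten but still carries a warning, while "rh-acs/main:3.74" becomes "advanced-cluster-security/rhacs-main-rhel8:3.74", the one form the sample output shows resolving. Anything produced for scanner, scanner-db or collector is marked unconfirmed because the issue does not state their new names.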

dmc5179 commented 1 year ago

PR submitted for this issue: https://github.com/p-rog/cve-analyser/pull/8