search

project-copacetic / copacetic

🧵 CLI tool for directly patching container images!
https://project-copacetic.github.io/copacetic/
Apache License 2.0
1.02k stars 69 forks source link

[QUESTION] How to resolve "downloaded package perl-Archive-Tar version 2.38-488.cm2 lower than required 5.34.1-489.cm2 for update" #559

Closed Miller-Kyle closed 6 months ago

Miller-Kyle commented 7 months ago

What is your question?

As of a few days ago I started getting many errors related to perl packages. No changes have been made, so I'm not sure where this is coming from. What should I check to debug this?

Scan and patch:

trivy image --vuln-type os --ignore-unfixed -f json -o copa-patch.json "$IMAGE"

copa patch \
  -i "$IMAGE" \
  -r copa-patch.json \
  -t "$tag-patched" \
  -a tcp://0.0.0.0:8888

Errors:

2024-04-09T14:04:23.1518544Z Error: 137 errors occurred:
2024-04-09T14:04:23.1519320Z    * downloaded package perl-Archive-Tar version 2.38-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1520204Z    * downloaded package perl-Attribute-Handlers version 1.01-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1521828Z    * downloaded package perl-B version 1.82-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1522640Z    * downloaded package perl-Benchmark version 1.23-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1523449Z    * downloaded package perl-CPAN version 2.28-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1524611Z    * downloaded package perl-CPAN-Meta version 2.150010-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1525841Z    * downloaded package perl-CPAN-Meta-Requirements version 2.140-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1526572Z    * downloaded package perl-CPAN-Meta-YAML version 0.018-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1527499Z    * downloaded package perl-Carp version 1.52-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1528182Z    * downloaded package perl-Class-Struct version 0.66-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1528902Z    * downloaded package perl-Compress-Raw-Bzip2 version 2.101-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1529621Z    * downloaded package perl-Compress-Raw-Zlib version 2.101-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1530332Z    * downloaded package perl-Config-Extensions version 0.03-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1531032Z    * downloaded package perl-Config-Perl-V version 0.33-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1531910Z    * downloaded package perl-DBM_Filter version 0.06-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1532624Z    * downloaded package perl-Data-Dumper version 2.179-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1533367Z    * downloaded package perl-Devel-PPPort version 3.62-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1534065Z    * downloaded package perl-Devel-Peek version 1.30-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1535083Z    * downloaded package perl-Devel-SelfStubber version 1.06-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1536030Z    * downloaded package perl-Digest version 1.19-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1536743Z    * downloaded package perl-Digest-MD5 version 2.58-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1537983Z    * downloaded package perl-DirHandle version 1.05-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1538796Z    * downloaded package perl-Dumpvalue version 2.27-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1539474Z    * downloaded package perl-DynaLoader version 1.50-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1540135Z    * downloaded package perl-English version 1.11-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1540763Z    * downloaded package perl-Env version 1.05-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1541660Z    * downloaded package perl-Errno version 1.33-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1542351Z    * downloaded package perl-ExtUtils-Constant version 0.25-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1543187Z    * downloaded package perl-ExtUtils-Embed version 1.35-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1543967Z    * downloaded package perl-ExtUtils-Install version 2.20-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1544658Z    * downloaded package perl-ExtUtils-Miniperl version 1.10-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1545303Z    * downloaded package perl-Fcntl version 1.14-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1545975Z    * downloaded package perl-File-Basename version 2.85-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1546661Z    * downloaded package perl-File-Compare version 1.100.600-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1547321Z    * downloaded package perl-File-Copy version 2.35-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1547991Z    * downloaded package perl-File-DosGlob version 1.12-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1548833Z    * downloaded package perl-File-Fetch version 1.00-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1549496Z    * downloaded package perl-File-Find version 1.39-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1550307Z    * downloaded package perl-File-Path version 2.18-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1550983Z    * downloaded package perl-File-stat version 1.09-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1551611Z    * downloaded package perl-FileCache version 1.10-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1552277Z    * downloaded package perl-FileHandle version 2.03-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1552943Z    * downloaded package perl-Filter-Simple version 0.96-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1553591Z    * downloaded package perl-FindBin version 1.52-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1554267Z    * downloaded package perl-Getopt-Std version 1.13-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1554928Z    * downloaded package perl-HTTP-Tiny version 0.076-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1555785Z    * downloaded package perl-Hash-Util version 0.25-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1556465Z    * downloaded package perl-Hash-Util-FieldHash version 1.21-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1557151Z    * downloaded package perl-I18N-Collate version 1.02-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1557967Z    * downloaded package perl-I18N-LangTags version 0.45-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1558827Z    * downloaded package perl-I18N-Langinfo version 0.19-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1559638Z    * downloaded package perl-IO version 1.46-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1560380Z    * downloaded package perl-IO-Compress version 2.102-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1561038Z    * downloaded package perl-IO-Socket-IP version 0.41-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1561681Z    * downloaded package perl-IPC-Open3 version 1.21-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1562309Z    * downloaded package perl-IPC-SysV version 2.09-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1562964Z    * downloaded package perl-Locale-Maketext version 1.29-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1563624Z    * downloaded package perl-MIME-Base64 version 3.16-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1564297Z    * downloaded package perl-Math-BigInt-FastCalc version 0.500.900-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1565042Z    * downloaded package perl-Math-BigRat version 0.2614-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1565727Z    * downloaded package perl-Math-Complex version 1.59-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1566804Z    * downloaded package perl-Memoize version 1.03-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1567590Z    * downloaded package perl-Module-Load-Conditional version 0.74-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1568323Z    * downloaded package perl-Module-Metadata version 1.000037-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1569379Z    * downloaded package perl-NDBM_File version 1.15-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1570212Z    * downloaded package perl-NEXT version 0.68-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1570867Z    * downloaded package perl-Net version 1.02-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1571531Z    * downloaded package perl-Net-Ping version 2.74-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1572185Z    * downloaded package perl-ODBM_File version 1.17-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1573000Z    * downloaded package perl-Opcode version 1.50-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1573742Z    * downloaded package perl-POSIX version 1.97-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1574377Z    * downloaded package perl-PathTools version 3.80-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1575023Z    * downloaded package perl-Perl-OSType version 1.010-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1575885Z    * downloaded package perl-PerlIO-via-QuotedPrint version 0.09-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1576579Z    * downloaded package perl-Pod-Functions version 1.13-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1577243Z    * downloaded package perl-Pod-Html version 1.27-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1578573Z    * downloaded package perl-Pod-Perldoc version 3.28.01-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1579221Z    * downloaded package perl-Safe version 2.43-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1579919Z    * downloaded package perl-Search-Dict version 1.07-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1580587Z    * downloaded package perl-SelectSaver version 1.02-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1583599Z    * downloaded package perl-SelfLoader version 1.26-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1584503Z    * downloaded package perl-Symbol version 1.09-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1586005Z    * downloaded package perl-Sys-Hostname version 1.23-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1586826Z    * downloaded package perl-Sys-Syslog version 0.36-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1587490Z    * downloaded package perl-Term-ANSIColor version 5.01-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1588382Z    * downloaded package perl-Term-Cap version 1.17-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1589035Z    * downloaded package perl-Term-Complete version 1.403-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1589753Z    * downloaded package perl-Term-ReadLine version 1.17-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1590686Z    * downloaded package perl-Test version 1.31-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1591379Z    * downloaded package perl-Text-Abbrev version 1.02-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1592570Z    * downloaded package perl-Text-Balanced version 2.04-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1593370Z    * downloaded package perl-Text-ParseWords version 3.30-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1594182Z    * downloaded package perl-Thread version 3.05-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1594841Z    * downloaded package perl-Thread-Queue version 3.14-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1595511Z    * downloaded package perl-Thread-Semaphore version 2.13-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1596133Z    * downloaded package perl-Tie version 4.6-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1596765Z    * downloaded package perl-Tie-File version 1.06-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1597426Z    * downloaded package perl-Tie-Memoize version 1.1-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1598064Z    * downloaded package perl-Tie-RefHash version 1.40-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1598701Z    * downloaded package perl-Time version 1.03-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1599351Z    * downloaded package perl-Time-Piece version 1.3401-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1599995Z    * downloaded package perl-Unicode-Collate version 1.29-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1600667Z    * downloaded package perl-Unicode-Normalize version 1.28-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1601513Z    * downloaded package perl-Unicode-UCD version 0.75-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1622960Z    * downloaded package perl-User-pwent version 1.03-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1623858Z    * downloaded package perl-autodie version 2.34-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1624530Z    * downloaded package perl-autouse version 1.11-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1626398Z    * downloaded package perl-base version 2.27-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1627170Z    * downloaded package perl-bignum version 0.51-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1627833Z    * downloaded package perl-blib version 1.07-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1628657Z    * downloaded package perl-constant version 1.33-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1630638Z    * downloaded package perl-debugger version 1.60-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1631870Z    * downloaded package perl-deprecate version 0.04-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1632603Z    * downloaded package perl-diagnostics version 1.37-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1633425Z    * downloaded package perl-doc version 5.34.1-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1634289Z    * downloaded package perl-encoding-warnings version 0.13-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1635717Z    * downloaded package perl-experimental version 0.024-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1636869Z    * downloaded package perl-fields version 2.27-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1637568Z    * downloaded package perl-filetest version 1.03-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1638392Z    * downloaded package perl-if version 0.60.900-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1639203Z    * downloaded package perl-less version 0.03-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1640599Z    * downloaded package perl-lib version 0.65-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1642709Z    * downloaded package perl-libnet version 3.13-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1643600Z    * downloaded package perl-locale version 1.10-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1644804Z    * downloaded package perl-meta-notation version 5.34.1-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1645456Z    * downloaded package perl-mro version 1.25-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1646473Z    * downloaded package perl-open version 1.12-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1647165Z    * downloaded package perl-overload version 1.33-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1647856Z    * downloaded package perl-overloading version 0.02-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1648688Z    * downloaded package perl-ph version 5.34.1-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1649504Z    * downloaded package perl-sigtrap version 1.09-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1650124Z    * downloaded package perl-sort version 2.04-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1650917Z    * downloaded package perl-subs version 1.04-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1651560Z    * downloaded package perl-threads-shared version 1.62-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1652196Z    * downloaded package perl-utils version 5.34.1-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1652807Z    * downloaded package perl-vars version 1.05-488.cm2 lower than required 5.34.1-489.cm2 for update
2024-04-09T14:04:23.1653435Z    * downloaded package perl-vmsish version 1.04-488.cm2 lower than required 5.34.1-489.cm2 for update
sozercan commented 7 months ago

@Miller-Kyle change is due to dynamic nature of the package repos, CVE DBs and vulnerabilities. I have a WIP PR #420 to help users debug these errors, I am looking for a good example if you can share your image and/or Dockerfile.

For debugging, best place you can start is to look at the trivy json, find the datasource corresponding to that package/CVE and go from there. Similar to https://aquasecurity.github.io/trivy/dev/community/contribute/discussion/#false-detection

You can also look at https://project-copacetic.github.io/copacetic/website/troubleshooting on how to ignore specific packages or CVEs or all errors with --ignore-errors

sozercan commented 6 months ago

Closing this since this is due to factors outside of copa, feel free to re-open if you have further questions.