quay / clair

Vulnerability Static Analysis for Containers
https://quay.github.io/clair/
Apache License 2.0

Clair does not detect CVE for centos images #1502

Closed bluefriday closed 2 years ago

bluefriday commented 2 years ago

Description of Problem / Feature Request

I scanned a CentOS image using clairctl and the latest Clair version, but Clair returned no CVE results. The results were the same even when using a different version of Clair, and no vulnerability was found even when the CentOS version was changed.

Expected Outcome

Clair detects CVEs for the CentOS image.

Actual Outcome

Clair does not detect CVEs for the CentOS image.

Environment

clairctl command result (after clairctl manifest)

root@clair-vm:/home/deppaas# clairctl -c /etc/clairv4/config/config.yaml report centos:7.7.1908
centos:7.7.1908 ok
root@clair-vm:/home/deppaas# clairctl -c /etc/clairv4/config/config.yaml report centos:8.3.2011
centos:8.3.2011 ok
root@clair-vm:/home/deppaas#

clairctl -o json command result (after clairctl manifest)

{"manifest_hash":"sha256:dbbacecc49b088458781c16f3775f2a2ec7521079034a7ba499c8b0bb7f86875","packages":{"154":{"id":"154","name":"npth","version":"1.5-4.el8","kind":"binary",
"source":{"id":"153","name":"npth","version":"1.5-4.el8","kind":"source"},"arch":"x86_64"},"42":{"id":"42","name":"chkconfig","version":"1.13-2.el8","kind":"binary",
"source":{"id":"41","name":"chkconfig","version":"1.13-2.el8","kind":"source"},"arch":"x86_64"},"240":{"id":"240","name":"gdbm-libs","version":"1:1.18-1.el8","kind":"binary",
"source":{"id":"89","name":"gdbm","version":"1.18-1.el8","kind":"source"},"arch":"x86_64"},"282":{"id":"282","name":"libmnl","version":"1.0.4-6.el8","kind":"binary","source":
{"id":"281","name":"libmnl","version":"1.0.4-6.el8","kind":"source"},"arch":"x86_64"},"292":{"id":"292","name":"libtirpc","version":"1.1.4-4.el8","kind":"binary","source":
{"id":"291","name":"libtirpc","version":"1.1.4-4.el8","kind":"source"},"arch":"x86_64"},"158":{"id":"158","name":"libdnf","version":"0.48.0-5.el8","kind":"binary","source":
{"id":"157","name":"libdnf","version":"0.48.0-5.el8","kind":"source"},"arch":"x86_64"},"100":{"id":"100","name":"glib2","version":"2.56.4-8.el8","kind":"binary","source":
{"id":"99","name":"glib2","version":"2.56.4-8.el8","kind":"source"},"arch":"x86_64"},"346":{"id":"346","name":"langpacks-en","version":"1.0-12.el8","kind":"binary","source":
{"id":"345","name":"langpacks","version":"1.0-12.el8","kind":"source"},"arch":"noarch"},"328":{"id":"328","name":"gnupg2","version":"2.2.20-2.el8","kind":"binary","source":
...
{"package_db":"/var/lib/rpm","introduced_in":"sha256:7a0437f04f83f084b7ed68ad9c4a4947e12fc4e1b006b38129bac89114ec3621","distribution_id":"","repository_ids":null}],"32":
[{"package_db":"/var/lib/rpm","introduced_in":"sha256:7a0437f04f83f084b7ed68ad9c4a4947e12fc4e1b006b38129bac89114ec3621","distribution_id":"","repository_ids":null},
{"package_db":"/var/lib/rpm","introduced_in":"sha256:7a0437f04f83f084b7ed68ad9c4a4947e12fc4e1b006b38129bac89114ec3621","distribution_id":"","repository_ids":null}],"154":
[{"package_db":"/var/lib/rpm","introduced_in":"sha256:7a0437f04f83f084b7ed68ad9c4a4947e12fc4e1b006b38129bac89114ec3621","distribution_id":"","repository_ids":null},
{"package_db":"/var/lib/rpm","introduced_in":"sha256:7a0437f04f83f084b7ed68ad9c4a4947e12fc4e1b006b38129bac89114ec3621","distribution_id":"","repository_ids":null}],"210":
[{"package_db":"/var/lib/rpm","introduced_in":"sha256:7a0437f04f83f084b7ed68ad9c4a4947e12fc4e1b006b38129bac89114ec3621","distribution_id":"","repository_ids":null},
{"package_db":"/var/lib/rpm","introduced_in":"sha256:7a0437f04f83f084b7ed68ad9c4a4947e12fc4e1b006b38129bac89114ec3621","distribution_id":"","repository_ids":null}]},
"vulnerabilities":{},"package_vulnerabilities":{},"enrichments":{}}

clair container log

6:22AM INF manifest already scanned component=internal/indexer/controller/Controller.Index manifest=sha256:8f2c78ca3141051eef77fb083066222abf20330a2345c970a5a61427aeb2dc7b state=CheckManifest
6:22AM INF index request done component=libindex/Libindex.Index manifest=sha256:8f2c78ca3141051eef77fb083066222abf20330a2345c970a5a61427aeb2dc7b
6:22AM INF handled HTTP request component=httptransport/New method=POST remote_addr=172.18.0.1:60570 request_uri=/indexer/api/v1/index_report status=201
6:22AM DBG interest component=internal/matcher/Controller.Match interested=0 matcher=aws-matcher records=298
6:22AM DBG interest component=internal/matcher/Controller.Match interested=0 matcher=rhel records=298
6:22AM DBG interest component=internal/matcher/Controller.Match interested=0 matcher=ubuntu-matcher records=298
6:22AM DBG interest component=internal/matcher/Controller.Match interested=0 matcher=alpine-matcher records=298
6:22AM DBG interest component=internal/matcher/Controller.Match interested=0 matcher=debian-matcher records=298
6:22AM DBG interest component=internal/matcher/Controller.Match interested=0 matcher=photon records=298
6:22AM DBG interest component=internal/matcher/Controller.Match interested=0 matcher=oracle records=298
6:22AM DBG interest component=internal/matcher/Controller.Match interested=4 matcher=crda-pypi records=298
6:22AM DBG interest component=internal/matcher/Controller.Match interested=0 matcher=suse records=298
6:22AM DBG interest component=internal/matcher/Controller.Match interested=0 matcher=crda-maven records=298
6:22AM DBG request component=crda/Matcher.QueryRemoteMatcher matcher=crda-pypi records=4
6:22AM DBG interest component=internal/matcher/Controller.Match interested=4 matcher=python records=298
6:22AM DBG version filter compatible? authoritative=false component=internal/matcher/Controller.Match matcher=python opt-in=false
6:22AM DBG query component=internal/matcher/Controller.Match matcher=python vulnerabilities=1
6:22AM DBG filtered component=internal/matcher/Controller.Match filtered=4 matcher=python
6:22AM DBG response component=crda/Matcher.QueryRemoteMatcher matcher=crda-pypi vulnerabilities=4
6:22AM DBG enricher reported nothing, skipping component=httptransport/New name=clair.cvss
6:22AM INF handled HTTP request component=httptransport/New method=GET remote_addr=172.18.0.1:60570 request_uri=/matcher/api/v1/vulnerability_report/sha256:8f2c78ca3141051eef77fb083066222abf20330a2345c970a5a61427aeb2dc7b status=200
6:22AM INF handled HTTP request component=httptransport/New method=GET remote_addr=172.18.0.1:60584 request_uri=/indexer/api/v1/index_report/sha256:dbbacecc49b088458781c16f3775f2a2ec7521079034a7ba499c8b0bb7f86875 status=200
6:22AM INF handled HTTP request component=httptransport/New method=GET remote_addr=172.18.0.1:60590 request_uri=/indexer/api/v1/index_report/sha256:dbbacecc49b088458781c16f3775f2a2ec7521079034a7ba499c8b0bb7f86875 status=200
6:22AM INF index request start component=libindex/Libindex.Index manifest=sha256:dbbacecc49b088458781c16f3775f2a2ec7521079034a7ba499c8b0bb7f86875
6:22AM DBG configured search API URL api=https://search.maven.org/solrsearch/select component=java/Scanner.Configure manifest=sha256:dbbacecc49b088458781c16f3775f2a2ec7521079034a7ba499c8b0bb7f86875 version=3
6:22AM DBG attempting fetch of repo2cpe mapping file component=rhel/repo2cpe/UpdatingMapper.do manifest=sha256:dbbacecc49b088458781c16f3775f2a2ec7521079034a7ba499c8b0bb7f86875 url=https://access.redhat.com/security/data/metrics/repository-to-cpe.json version=1.1
6:22AM DBG atomic update of local mapping file complete component=rhel/repo2cpe/UpdatingMapper.do manifest=sha256:dbbacecc49b088458781c16f3775f2a2ec7521079034a7ba499c8b0bb7f86875 url=https://access.redhat.com/security/data/metrics/repository-to-cpe.json version=1.1
6:22AM DBG locking attempt component=libindex/Libindex.Index manifest=sha256:dbbacecc49b088458781c16f3775f2a2ec7521079034a7ba499c8b0bb7f86875
6:22AM DBG locking OK component=libindex/Libindex.Index manifest=sha256:dbbacecc49b088458781c16f3775f2a2ec7521079034a7ba499c8b0bb7f86875
6:22AM INF starting scan component=internal/indexer/controller/Controller.Index manifest=sha256:dbbacecc49b088458781c16f3775f2a2ec7521079034a7ba499c8b0bb7f86875
6:22AM INF manifest already scanned component=internal/indexer/controller/Controller.Index manifest=sha256:dbbacecc49b088458781c16f3775f2a2ec7521079034a7ba499c8b0bb7f86875 state=CheckManifest
6:22AM INF index request done component=libindex/Libindex.Index manifest=sha256:dbbacecc49b088458781c16f3775f2a2ec7521079034a7ba499c8b0bb7f86875
6:22AM INF handled HTTP request component=httptransport/New method=POST remote_addr=172.18.0.1:60594 request_uri=/indexer/api/v1/index_report status=201
6:22AM DBG interest component=internal/matcher/Controller.Match interested=0 matcher=oracle records=345
6:22AM DBG interest component=internal/matcher/Controller.Match interested=0 matcher=aws-matcher records=345
6:22AM DBG interest component=internal/matcher/Controller.Match interested=0 matcher=debian-matcher records=345
6:22AM DBG interest component=internal/matcher/Controller.Match interested=0 matcher=rhel records=345
6:22AM DBG interest component=internal/matcher/Controller.Match interested=0 matcher=alpine-matcher records=345
6:22AM DBG interest component=internal/matcher/Controller.Match interested=0 matcher=photon records=345
6:22AM DBG interest component=internal/matcher/Controller.Match interested=1 matcher=crda-pypi records=345
6:22AM DBG interest component=internal/matcher/Controller.Match interested=0 matcher=ubuntu-matcher records=345
6:22AM DBG interest component=internal/matcher/Controller.Match interested=0 matcher=suse records=345
6:22AM DBG interest component=internal/matcher/Controller.Match interested=0 matcher=crda-maven records=345
6:22AM DBG request component=crda/Matcher.QueryRemoteMatcher matcher=crda-pypi records=1
6:22AM DBG interest component=internal/matcher/Controller.Match interested=1 matcher=python records=345
6:22AM DBG version filter compatible? authoritative=false component=internal/matcher/Controller.Match matcher=python opt-in=false
6:22AM DBG query component=internal/matcher/Controller.Match matcher=python vulnerabilities=1
6:22AM DBG filtered component=internal/matcher/Controller.Match filtered=1 matcher=python
6:22AM DBG response component=crda/Matcher.QueryRemoteMatcher matcher=crda-pypi vulnerabilities=1
6:22AM DBG enricher reported nothing, skipping component=httptransport/New name=clair.cvss
6:22AM INF handled HTTP request component=httptransport/New method=GET remote_addr=172.18.0.1:60594 request_uri=/matcher/api/v1/vulnerability_report/sha256:dbbacecc49b088458781c16f3775f2a2ec7521079034a7ba499c8b0bb7f86875 status=200

clair config

root@clair-vm:/home/deppaas# cat /etc/clairv4/config/config.yaml 
introspection_addr: :8089
http_listen_addr: :6060
log_level: debug-color
indexer:
  connstring: host=db port=5432 dbname=clair user=postgres password=postgres sslmode=disable
  scanlock_retry: 10
  layer_scan_concurrency: 5
  migrations: true
matcher:
  connstring: host=db port=5432 dbname=clair user=postgres password=postgres sslmode=disable
  max_conn_pool: 100
  run: ""
  migrations: true
  indexer_addr: clairv4
  disable_updaters: false
notifier:
  connstring: host=db port=5432 dbname=clair user=postgres password=postgres sslmode=disable
  migrations: true
  indexer_addr: clairv4
  matcher_addr: clairv4
  poll_interval: 60m
root@clair-vm:/home/deppaas#

hdonnay commented 2 years ago

CentOS does not publish any sort of security database, so these are the expected results.
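
The report and log above show the signature of this situation: every package environment carries an empty `distribution_id`, and every OS matcher in the log reports `interested=0`, so the empty `vulnerabilities` map means "nothing could be evaluated", not "nothing is vulnerable". The following script is an added example for this thread (not part of Clair or clairctl) that distinguishes the two cases from a `clairctl -o json` report and the matcher log lines. It assumes the `environments` and `distributions` keys of Clair's report schema (only their entries, not the key names, are visible in the truncated output above); the sample report and log lines are constructed to mirror the issue.

```python
"""Tell a genuinely clean Clair report apart from one with no matcher coverage.

Added example for this issue thread; not Clair or clairctl code. Assumes the
report carries "packages", "environments" (entries with "distribution_id"),
"vulnerabilities" as shown in the issue, and the
"interest ... interested=N matcher=X records=M" log format.
"""
import json
import re

# Constructed sample report, trimmed to the shape of the one in the issue.
SAMPLE_REPORT = json.dumps({
    "manifest_hash": "sha256:CONSTRUCTED",
    "packages": {
        "154": {"id": "154", "name": "npth", "version": "1.5-4.el8", "kind": "binary"},
        "42": {"id": "42", "name": "chkconfig", "version": "1.13-2.el8", "kind": "binary"},
    },
    "distributions": {},
    "environments": {  # key name assumed from Clair's report schema
        "154": [{"package_db": "/var/lib/rpm", "introduced_in": "sha256:CONSTRUCTED",
                 "distribution_id": "", "repository_ids": None}],
        "42": [{"package_db": "/var/lib/rpm", "introduced_in": "sha256:CONSTRUCTED",
                "distribution_id": "", "repository_ids": None}],
    },
    "vulnerabilities": {},
    "package_vulnerabilities": {},
    "enrichments": {},
})

# Constructed log excerpt in the format shown in the issue.
SAMPLE_LOG = """\
6:22AM DBG interest component=internal/matcher/Controller.Match interested=0 matcher=rhel records=345
6:22AM DBG interest component=internal/matcher/Controller.Match interested=0 matcher=debian-matcher records=345
6:22AM DBG interest component=internal/matcher/Controller.Match interested=1 matcher=crda-pypi records=345
6:22AM DBG interest component=internal/matcher/Controller.Match interested=1 matcher=python records=345
"""

# Matchers that need a detected OS distribution; names taken from the log above.
OS_MATCHERS = {"rhel", "debian-matcher", "ubuntu-matcher", "alpine-matcher",
               "aws-matcher", "oracle", "suse", "photon"}

INTEREST_RE = re.compile(r"\binterest\b.*\binterested=(\d+)\s+matcher=(\S+)\s+records=(\d+)")


def coverage_from_report(report_json: str) -> dict:
    """Count packages whose every environment lacks a distribution_id."""
    r = json.loads(report_json)
    pkgs = r.get("packages", {})
    envs = r.get("environments", {})
    without_distro = [
        pkgs[pid]["name"] for pid in pkgs
        if all(e.get("distribution_id", "") == "" for e in envs.get(pid, []))
    ]
    return {
        "packages": len(pkgs),
        "packages_without_distribution": len(without_distro),
        "vulnerabilities": len(r.get("vulnerabilities", {})),
        # Every package is distribution-less: OS matchers cannot evaluate any of them.
        "uncovered": len(pkgs) > 0 and len(without_distro) == len(pkgs),
    }


def matcher_interest(log_text: str) -> dict:
    """Map matcher name -> number of records it declared interest in."""
    interest = {}
    for line in log_text.splitlines():
        m = INTEREST_RE.search(line)
        if m:
            interest[m.group(2)] = int(m.group(1))
    return interest


def os_matcher_covered(interest: dict) -> bool:
    """True if at least one OS-level matcher looked at any record."""
    return any(n > 0 for name, n in interest.items() if name in OS_MATCHERS)


def verdict(report_json: str, log_text: str) -> str:
    """'findings', 'clean', or 'no-coverage' (zero findings that prove nothing)."""
    cov = coverage_from_report(report_json)
    if cov["vulnerabilities"] > 0:
        return "findings"
    if cov["uncovered"] or not os_matcher_covered(matcher_interest(log_text)):
        return "no-coverage"
    return "clean"


if __name__ == "__main__":
    print(coverage_from_report(SAMPLE_REPORT))
    print(matcher_interest(SAMPLE_LOG))
    print(verdict(SAMPLE_REPORT, SAMPLE_LOG))
```

In a CI gate, treat `no-coverage` as a failure distinct from `findings`: an image whose packages belong to no recognised distribution should not be allowed to pass on the strength of an empty vulnerability list.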

odoucet commented 8 months ago

Hello, why not use the RHEL7 security database on CentOS7 distributions? The versions are exactly the same. The same applies for RHEL6 and RHEL8.

hdonnay commented 8 months ago

According to the CentOS maintainers, they are not the same.