Ubuntu VulnSrc filters Linux kernel packages

[domcar]

Description of Problem: Regarding the CVE-2017-5754 Clair gives information that only the package firefox-locale fixes the Bug altough there are many other packages that should be there.

Expected Outcome:

{
  "Vulnerability": {
    "Name": "CVE-2017-5754",
    "NamespaceName": "ubuntu:16.04",
    "Description": "Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.",
    "Link": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-5754",
    "Severity": "Critical",
    "FixedIn": [
      {
        "Name": "firefox",
        "NamespaceName": "ubuntu:16.04",
        "VersionFormat": "dpkg",
        "Version": "57.0.4+build1-0ubuntu0.16.04.1"
      }
    ]
  }
}

and all other packages as described here: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5754.html In the 16.04 for example this is missing: Package source linux released (4.4.0-108.131)

Actual Outcome: Only firefox-57.0.4

Environment:

• Clair version/image: 2.0.0

• Host OS: Ubuntu 16.04

• Kernel (e.g. uname -a): 4.4.0-97-generic

[jzelinskie]

In this case it looks like we're filtering Linux kernel results, which is inconsistent to how the rest of Clair works.

[hdonnay]

We’re declaring bug bankruptcy as part of the release process for a new major version of Clair. Please open a ticket in our issue tracker if you feel this still needs to be addressed, and we'll triage as part of our v4 development process. Thanks!