Proposal to fix #144#165
Conversation
Underlying layers may have a vulnerability that is fixed in the top layers. With this code, we introduce a new variable that allows to only analyse the last layer
|
While I really believe this feature is needed, I'm not really sure this fix works as expected. Tried to verify this feature against the image rabbitmq:3.8.3-management - and it still reports warnings against packages that aren't present on the top layer. Not sure so if this is a problem of klar or clair - haven't debugged the running app. Using API v1 of clair. |
|
Hi @alaendle |
|
Regarding the image rabbitmq:3.8.3-mangement I would consider gnupg2 to be such a case. But please consider this statement with caution, because I haven't spent much time searching for the cause! |
|
Not sure how klar/clair detects it, but there is certainly something |
|
So please forgot everything I've said before. gpgv (containing sources from gnupg2 - this explains the link clair recognizes) is already included in ubuntu:18.04. I wrongly expected that the package "gnupg2" somehow got added/removed in some layers - because I couldn't find the reported package name (to the letter) on the top layer. The mistake was clearly mine. Everything works as expected. So once again thanks for adding this feature - and I really would enjoy to see this pull-request gets merged. |
This suggests a possible solution for #144.
Underlying layers of the image may have a vulnerability that is fixed in the top layers. With this code, we introduce a new variable that allows to only analyse the last layer