OpenSCAP / openscap-daemon

Manages continuous scans of your infrastructure
https://www.open-scap.org/tools/openscap-daemon
GNU Lesser General Public License v2.1

atomic scan exits with error when scanning RHEL docker image in offline environment #112

Closed matusmarhefka closed 6 years ago

matusmarhefka commented 6 years ago

Reproducer (I simulate offline env using a network namespace which has only loopback device):

# ip netns add ns1
# ip netns exec ns1 atomic scan registry.stage.redhat.com/rhel:latest --verbose
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2017-09-15-04-11-30-663912:/scanin -v /var/lib/atomic/openscap/2017-09-15-04-11-30-663912:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro test/openscap_base oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1
INFO:OpenSCAP Daemon one-off evaluator 0.1.7
WARNING:Can't import the 'docker' package. Container scanning functionality will be disabled.
INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist.
INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist.
INFO:Evaluated EvaluationSpec, exit_code=0.
ERROR:Failed to scan target 'chroot:///scanin/4a974767fba69453003f076889906df7531ecdff0a0190797aec49387108fffc' for vulnerabilities.
Traceback (most recent call last):
  File "/usr/bin/oscapd-evaluate", line 144, in scan_worker
    es.evaluate(config)
  File "/usr/lib/python3.6/site-packages/openscap_daemon/evaluation_spec.py", line 506, in evaluate
    wip_result = self.evaluate_into_dir(config)
  File "/usr/lib/python3.6/site-packages/openscap_daemon/evaluation_spec.py", line 503, in evaluate_into_dir
    return oscap_helpers.evaluate(self, config)
  File "/usr/lib/python3.6/site-packages/openscap_daemon/oscap_helpers.py", line 304, in evaluate
    args = get_evaluation_args(spec, config)
  File "/usr/lib/python3.6/site-packages/openscap_daemon/oscap_helpers.py", line 279, in get_evaluation_args
    ret.extend(spec.get_oscap_arguments(config))
  File "/usr/lib/python3.6/site-packages/openscap_daemon/evaluation_spec.py", line 474, in get_oscap_arguments
    ret.append(config.get_cve_feed(self.get_cpe_ids(config)))
  File "/usr/lib/python3.6/site-packages/openscap_daemon/config.py", line 459, in get_cve_feed
    return self.cve_feed_manager.get_cve_feed(cpe_ids)
  File "/usr/lib/python3.6/site-packages/openscap_daemon/cve_feed_manager.py", line 219, in get_cve_feed
    "Can't find a supported CPE ID in %s" % (", ".join(cpe_ids))
RuntimeError: Can't find a supported CPE ID in cpe:/o:suse:linux_enterprise_server:11, cpe:/o:suse:linux_enterprise_desktop:11
INFO:[100.00%] Scanned target 'chroot:///scanin/4a974767fba69453003f076889906df7531ecdff0a0190797aec49387108fffc'

registry.access.stage.redhat.com/rhel:latest (4a974767fba6945)

     registry.access.stage.redhat.com/rhel:latest is not supported for this scan.

Files associated with this scan are in /var/lib/atomic/openscap/2017-09-15-04-11-30-663912.

The error message is very misleading; it looks like an unhandled exception in the function get_rhel_cve_feed in openscap_daemon/cve_feed_manager.py.
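One way to triage this failure mode from the daemon's log output, as an added example that is not part of openscap-daemon or atomic: it extracts the target and the CPE IDs from the lines quoted above and classifies the failure. The list of supported CPE prefixes is an assumption for the example, not the daemon's real feed table.

```python
import re

# Constructed sample: the relevant lines of the oscapd-evaluate output quoted above
# (the scanner reported SUSE CPE IDs for a RHEL image).
SAMPLE_LOG = """\
INFO:OpenSCAP Daemon one-off evaluator 0.1.7
ERROR:Failed to scan target 'chroot:///scanin/4a974767fba69453003f076889906df7531ecdff0a0190797aec49387108fffc' for vulnerabilities.
RuntimeError: Can't find a supported CPE ID in cpe:/o:suse:linux_enterprise_server:11, cpe:/o:suse:linux_enterprise_desktop:11
INFO:[100.00%] Scanned target 'chroot:///scanin/4a974767fba69453003f076889906df7531ecdff0a0190797aec49387108fffc'
"""

# Assumption for this example: CPE prefixes the CVE feed manager is known to serve.
# This is NOT the daemon's own table; adjust it to your feed configuration.
SUPPORTED_CPE_PREFIXES = ("cpe:/o:redhat:enterprise_linux",)

TARGET_RE = re.compile(r"^ERROR:Failed to scan target '([^']+)'")
CPE_RE = re.compile(r"Can't find a supported CPE ID in (.+)$")


def triage(log_text):
    """Explain a failed oscapd-evaluate scan from its log lines.

    Returns None when no 'Failed to scan target' line is present, otherwise a
    dict with the target, the CPE IDs the scanner reported, their vendors and a
    short reason code.
    """
    target, cpe_ids = None, []
    for line in log_text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            target = m.group(1)
        m = CPE_RE.search(line)
        if m:
            cpe_ids = [c.strip() for c in m.group(1).split(",") if c.strip()]
    if target is None:
        return None
    # cpe:/o:<vendor>:<product>:<version> -> the vendor is the third colon field
    vendors = sorted({c.split(":")[2] for c in cpe_ids if c.count(":") >= 2})
    if not cpe_ids:
        reason = "scan_failed_without_cpe_error"  # look for feed/oscap errors instead
    elif any(c.startswith(SUPPORTED_CPE_PREFIXES) for c in cpe_ids):
        reason = "supported_cpe_but_scan_failed"  # failure is elsewhere (feed, oscap run)
    else:
        reason = "unsupported_cpe_reported_by_scanner"  # this issue: RHEL image seen as SUSE
    return {"target": target, "cpe_ids": cpe_ids, "vendors": vendors, "reason": reason}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```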

matejak commented 6 years ago

As noted in https://bugzilla.redhat.com/show_bug.cgi?id=1498859, this seems to be an openscap scanner bug that misleads the openscap-daemon running in the container.

dahaic commented 6 years ago

@matusmarhefka is this issue actionable? For example, making openscap-daemon more stable and not producing such a confusing RuntimeError? If you don't see a need for any action on the daemon side, please close the issue :)

matusmarhefka commented 6 years ago

Closing the issue; in this case openscap-daemon correctly reports the error about CPEs which are incorrectly reported by the openscap scanner.