Grype returns indirect vulnerability matches on 'kernel' source rpms for the 'kernel-headers' rpm for container images that don't have the kernel
#1762 · Closed · zhill opened this issue Mar 20, 2024 · 5 comments · Fixed by #1787
What happened:
Build an image with gcc installed from RedHat/UBI 8, and scan it with Grype and note vulnerabilities found on the 'kernel-headers' package that are matched via indirect lookups on the 'kernel' source RPM.
What you expected to happen:
I don't expect to see CVEs on the kernel-headers package since it does not contain the actual kernel.
How to reproduce it (as minimally and precisely as possible):
Build an image with this Dockerfile:
FROM registry.access.redhat.com/ubi8/ubi
RUN yum -y install --setopt=tsflags=nodocs gcc
If possible, I'd prefer to filter to ignored matches rather than opaquely dropping, since the matches are valid based on the data. The issue is the semantics of those specific packages and their known relationships.
I've started working on something here to add a new built-in set of ignore rules that would apply by default but able to be skipped via a config option.
I've looked into the Debian-based case and it looks like the kernel headers packages are less stably named there, so I'll focus my efforts initially on an RPM/Red Hat-based solution. Then we can discuss things like whether we want to support ignore rules that do a package-name wildcard match (e.g. "linux-headers-*", since Debian uses "linux-headers-amd64" and "linux-headers-arm64"), as the issue manifests a little differently in those distros.
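The default-ignore-rule approach proposed in the comments above, as an added example that is not Grype's own code: the Match and IgnoreRule types, their field names, and ApplyIgnoreRules are assumptions for illustration. Ignored findings are moved to a separate set rather than dropped, and the skipDefaults flag stands in for the config option that would disable the built-in rules.

```go
package main

// Match is a constructed model of one Grype-style finding; field names are assumptions, not Grype's types.
type Match struct {
	Vulnerability string
	PackageName   string
	PackageType   string // e.g. "rpm"
	UpstreamName  string // source package the match was found through, e.g. "kernel"
	MatchType     string // "exact-direct-match" or "exact-indirect-match"
}

// IgnoreRule: empty fields are wildcards; every set field must agree with the match.
type IgnoreRule struct {
	PackageName, PackageType, UpstreamName, MatchType string
}

// DefaultIgnoreRules is the built-in set proposed in the issue: indirect matches on
// kernel-headers that only exist because the kernel source RPM is vulnerable.
var DefaultIgnoreRules = []IgnoreRule{
	{PackageName: "kernel-headers", PackageType: "rpm", UpstreamName: "kernel", MatchType: "exact-indirect-match"},
}

func (r IgnoreRule) applies(m Match) bool {
	eq := func(want, got string) bool { return want == "" || want == got }
	return eq(r.PackageName, m.PackageName) && eq(r.PackageType, m.PackageType) &&
		eq(r.UpstreamName, m.UpstreamName) && eq(r.MatchType, m.MatchType)
}

// ApplyIgnoreRules moves matching findings to the ignored set instead of dropping them,
// so they stay reviewable; skipDefaults models the proposed config option.
func ApplyIgnoreRules(matches []Match, user []IgnoreRule, skipDefaults bool) (kept, ignored []Match) {
	rules := append([]IgnoreRule{}, user...)
	if !skipDefaults {
		rules = append(rules, DefaultIgnoreRules...)
	}
	for _, m := range matches {
		hit := false
		for _, r := range rules {
			hit = hit || r.applies(m)
		}
		if hit {
			ignored = append(ignored, m)
		} else {
			kept = append(kept, m)
		}
	}
	return kept, ignored
}
```

A direct match on kernel-headers, or any match on the kernel package itself, is untouched by the default rule; only the indirect kernel-headers-via-kernel case moves to the ignored set.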
Match Details:
Anything else we need to know?:
Environment:
Output of grype version:
OS (e.g. cat /etc/os-release or similar): MacOS