freedomofpress / containers

Repo to house all FPF related containers

Investigate vuln scans #23

Open maeve-fpf opened 4 years ago

maeve-fpf commented 4 years ago

Here's the scan Quay ran on the latest CI-built image for gke-gs-bucket-backup from this repo: https://quay.io/repository/freedomofpress/gke-gs-bucket-backup/manifest/sha256:b28507c41e51ae64bb95d13e89a5c502061eb0a99043e76bdd3b47de038fdb90?tab=vulnerabilities (that's tag master_680c45a). There's a lot there! You can check the packages in the container with:

```sh
# Drop into the image's shell and list every dpkg package it carries
docker run --entrypoint /bin/sh quay.io/freedomofpress/gke-gs-bucket-backup:master_680c45a -c 'dpkg -l' | less
```

And you can see that the critical warnings for linux are because linux-libc-dev, the kernel headers built from the linux source package, is installed. Obviously a kernel is not installed.

So, let's research how to make these scans more useful - it sounds like this is probably an issue many Quay users have encountered and may have solutions for.

conorsch commented 4 years ago

Having trouble loading any of the scans right now:

[screenshot: quay security scans not loading]

Based on prior output I've seen, there's definitely a ton of noise in those scan reports. Granted, we took a while to update our images, but I've also seen Quay complaining about old package versions without taking into account backported security fixes, e.g. from Canonical for Ubuntu images. Looks like Quay runs "Clair" to handle the scanning:

So optimistic that we could learn more about how folks manage these alerts.