Failing to detect CentOS 5 packages #215

Closed
ScalockScanner opened this issue Jul 14, 2016 · 6 comments
Labels
kind/bug things are not as they seem

Comments

@ScalockScanner

Clair won't find any vulnerabilities in CentOS 5.
This version is part of the supported systems.

@Quentin-M
Contributor

Hi,

Have you waited for the initial update to occur? You can try to debug what Clair knows about your image/layers using the API. There are a few other related issues out there; you can probably dig in and see examples of how to figure out what's going on.

@Quentin-M Quentin-M added the kind/question something that couldn't be answered in the docs label Jul 14, 2016
@ScalockScanner
Author

Hi Quentin,
I know about the update time issue, and it's not that. I tested many images,
CentOS 6 and CentOS 7, on several deployment configurations.
CentOS 5 always returns clean.

Just to make sure, I checked in my DB that the update process had ended, when
the vulnerability table stops going up (~90,000 vulns).

So the DB is definitely updated.

Were there any positive tests with CentOS 5?

Thanks


@jzelinskie jzelinskie changed the title Clair support for Cenots 5 Failing to detect CentOS 5 packages Jul 14, 2016
@Quentin-M
Contributor

Quentin-M commented Jul 15, 2016

Hi,

Here is why CentOS 5 returns clean, as you pointed out:

The RHEL updater currently ignores vulnerabilities for CentOS <= 5. As the naming of the constant firstConsideredRHEL suggests, it should actually consider CentOS 5 and ignore CentOS < 5.

Thanks for the report!
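
The boundary described in the comment above, as an added Go sketch that is not Clair's updater code: with an exclusive comparison every advisory for release 5 is dropped, so a CentOS 5 image has nothing to match against and scans clean. The `Advisory` type, the function names and the two `EXAMPLE-*` advisories are hypothetical; the value 5 for `firstConsideredRHEL` is taken from the comment's description.

```go
package main

import "fmt"

// firstConsideredRHEL is the constant named in the comment above; the value 5
// is taken from its "consider CentOS 5, ignore CentOS < 5" description.
const firstConsideredRHEL = 5

// Advisory is a hypothetical minimal record: advisory name plus the
// "centos:<major>" namespace it applies to.
type Advisory struct{ Name, Namespace string }

// countKept returns, per namespace, how many advisories survive the release
// filter. inclusive=false reproduces the reported behaviour (release 5 is
// dropped); inclusive=true keeps release 5 and drops only older releases.
func countKept(in []Advisory, inclusive bool) map[string]int {
	kept := make(map[string]int)
	for _, a := range in {
		var major int
		if _, err := fmt.Sscanf(a.Namespace, "centos:%d", &major); err != nil {
			continue // not a centos:<major> namespace
		}
		if major > firstConsideredRHEL || (inclusive && major == firstConsideredRHEL) {
			kept[a.Namespace]++
		}
	}
	return kept
}

// sample is constructed input; only RHSA-2009:0382 appears on this page.
func sample() []Advisory {
	return []Advisory{
		{"EXAMPLE-OLD", "centos:4"},
		{"RHSA-2009:0382", "centos:5"},
		{"EXAMPLE-NEW", "centos:6"},
	}
}

func main() {
	fmt.Println("exclusive:", countKept(sample(), false))
	fmt.Println("inclusive:", countKept(sample(), true))
}
```

A namespace with zero kept advisories is indistinguishable from a clean scan, which is why the boundary value itself belongs in the updater's tests.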

@Quentin-M Quentin-M added component/updater kind/bug things are not as they seem and removed kind/question something that couldn't be answered in the docs labels Jul 15, 2016
Quentin-M added a commit to Quentin-M/clair that referenced this issue Jul 15, 2016
The RHEL updater currently ignores vulnerabilities for CentOS <= 5.
As the naming of the constant firstConsideredRHEL suggests, it
should actually consider CentOS 5 and ignore CentOS < 5.

Fixes quay#215
jzelinskie pushed a commit that referenced this issue Jul 15, 2016
Quentin-M added a commit that referenced this issue Jul 15, 2016
@Quentin-M
Contributor

Quentin-M commented Jul 18, 2016

@ScalockScanner Clair v1.2.3 contains the fix to your issue.

@ScalockScanner
Author

Hi,
Thanks, I saw the fix. Sorry for the late response. Looks good.

Eli


@ScalockScanner
Author

Hi Quentin,
Having some more issues with CentOS 5 scanning after the fix. Getting an
error when updating the DB with CVEs. ERROR:

2016-08-02 13:13:51.875583 E | pgsql: insertVulnerabilityFixedInFeature:
pq: duplicate key value violates unique constraint
"vulnerability_fixedin_feature_vulnerability_id_feature_id_key"
database.Vulnerability{Model:database.Model{ID:0}, Name:"RHSA-2009:0382",
Namespace:database.Namespace{Model:database.Model{ID:0}, Name:"centos:5"},
Description:"libvirt is a C API for managing and interacting with the
virtualization capabilities of Linux and other operating systems. libvirt
also provides tools for remotely managing virtualized systems. The libvirtd
daemon was discovered to not properly check user connection permissions
before performing certain privileged actions, such as requesting migration
of an unprivileged guest domain to another system. A local user able to
establish a read-only connection to libvirtd could use this flaw to perform
actions that should be restricted to read-write connections.
(CVE-2008-5086) libvirt_proxy, a setuid helper application allowing
non-privileged users to communicate with the hypervisor, was discovered to
not properly validate user requests. Local users could use this flaw to
cause a stack-based buffer overflow in libvirt_proxy, possibly allowing
them to run arbitrary code with root privileges. (CVE-2009-0036) All users
are advised to upgrade to these updated packages, which contain backported
patches which resolve these issues. After installing the update, libvirtd
must be restarted manually (for example, by issuing a "service libvirtd
restart" command), and guest systems rebooted, for this change to take
effect.", Link:"https://rhn.redhat.com/errata/RHSA-2009-0382.html",
Severity:"Medium", Metadata:database.MetadataMap(nil),
FixedIn:[]database.FeatureVersion{database.FeatureVersion{Model:database.Model{ID:0},
Feature:database.Feature{Model:database.Model{ID:0}, Name:"libvirt-devel",
Namespace:database.Namespace{Model:database.Model{ID:0}, Name:"centos:5"}},
Version:types.Version{epoch:0, version:"0.3.3", revision:"14.el5_3.1"},
AffectedBy:[]database.Vulnerability(nil),
AddedBy:database.Layer{Model:database.Model{ID:0}, Name:"",
EngineVersion:0, Parent:(*database.Layer)(nil),
Namespace:(*database.Namespace)(nil),
Features:[]database.FeatureVersion(nil)}},
database.FeatureVersion{Model:database.Model{ID:0},
Feature:database.Feature{Model:database.Model{ID:0}, Name:"libvirt",
Namespace:database.Namespace{Model:database.Model{ID:0}, Name:"centos:5"}},
Version:types.Version{epoch:0, version:"0.3.3", revision:"14.el5_3.1"},
AffectedBy:[]database.Vulnerability(nil),
AddedBy:database.Layer{Model:database.Model{ID:0}, Name:"",
EngineVersion:0, Parent:(*database.Layer)(nil),
Namespace:(*database.Namespace)(nil),
Features:[]database.FeatureVersion(nil)}},
database.FeatureVersion{Model:database.Model{ID:0},
Feature:database.Feature{Model:database.Model{ID:0}, Name:"libvirt-python",
Namespace:database.Namespace{Model:database.Model{ID:0}, Name:"centos:5"}},
Version:types.Version{epoch:0, version:"0.3.3", revision:"14.el5_3.1"},
AffectedBy:[]database.Vulnerability(nil),
AddedBy:database.Layer{Model:database.Model{ID:0}, Name:"",
EngineVersion:0, Parent:(*database.Layer)(nil),
Namespace:(*database.Namespace)(nil),
Features:[]database.FeatureVersion(nil)}},
database.FeatureVersion{Model:database.Model{ID:0},
Feature:database.Feature{Model:database.Model{ID:0}, Name:"libvirt-devel",
Namespace:database.Namespace{Model:database.Model{ID:0}, Name:"centos:5"}},
Version:types.Version{epoch:0, version:"0.3.3", revision:"14.el5_3.1"},
AffectedBy:[]database.Vulnerability(nil),
AddedBy:database.Layer{Model:database.Model{ID:0}, Name:"",
EngineVersion:0, Parent:(*database.Layer)(nil),
Namespace:(*database.Namespace)(nil),
Features:[]database.FeatureVersion(nil)}},
database.FeatureVersion{Model:database.Model{ID:0},
Feature:database.Feature{Model:database.Model{ID:0}, Name:"libvirt",
Namespace:database.Namespace{Model:database.Model{ID:0}, Name:"centos:5"}},
Version:types.Version{epoch:0, version:"0.3.3", revision:"14.el5_3.1"},
AffectedBy:[]database.Vulnerability(nil),
AddedBy:database.Layer{Model:database.Model{ID:0}, Name:"",
EngineVersion:0, Parent:(*database.Layer)(nil),
Namespace:(*database.Namespace)(nil),
Features:[]database.FeatureVersion(nil)}},
database.FeatureVersion{Model:database.Model{ID:0},
Feature:database.Feature{Model:database.Model{ID:0}, Name:"libvirt-python",
Namespace:database.Namespace{Model:database.Model{ID:0}, Name:"centos:5"}},
Version:types.Version{epoch:0, version:"0.3.3", revision:"14.el5_3.1"},
AffectedBy:[]database.Vulnerability(nil),
AddedBy:database.Layer{Model:database.Model{ID:0}, Name:"",
EngineVersion:0, Parent:(*database.Layer)(nil),
Namespace:(*database.Namespace)(nil),
Features:[]database.FeatureVersion(nil)}}},
LayersIntroducingVulnerability:[]database.Layer(nil),
FixedBy:types.Version{epoch:0, version:"", revision:""}}

It seems that a CVE belonging to CentOS 5 violates the uniqueness of an existing
CVE.

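
The dump above lists libvirt-devel, libvirt and libvirt-python twice each under centos:5 with the same version, and inserting such a list one row per entry hits a unique (vulnerability_id, feature_id) constraint on the first repeat. The Go sketch below is an added example, not Clair's code: it collapses identical repeats before insertion and reports repeats whose version differs. The `FixedIn` type and function names are hypothetical, and the version string is composed from the epoch, version and revision shown in the dump.

```go
package main

import "fmt"

// FixedIn is a hypothetical stand-in for one "fixed in" entry of the dump
// above: a package (feature) in a namespace and the version carrying the fix.
type FixedIn struct{ Namespace, Name, Version string }

// dedupeFixedIn collapses repeated entries so that each (namespace, name)
// pair is written once, as a unique (vulnerability_id, feature_id)
// constraint requires. Identical repeats are dropped; a repeat with a
// different version is returned as a conflict instead of being guessed at.
func dedupeFixedIn(in []FixedIn) (out, conflicts []FixedIn) {
	seen := make(map[[2]string]string, len(in)) // (namespace, name) -> version
	for _, f := range in {
		key := [2]string{f.Namespace, f.Name}
		v, dup := seen[key]
		switch {
		case !dup:
			seen[key] = f.Version
			out = append(out, f)
		case v != f.Version:
			conflicts = append(conflicts, f)
		}
	}
	return out, conflicts
}

// sampleFixedIn reproduces the six FixedIn entries visible in the log above
// (epoch 0, version "0.3.3", revision "14.el5_3.1"), in the same order.
// The combined epoch:version-revision string is constructed for this example.
func sampleFixedIn() []FixedIn {
	const ns, v = "centos:5", "0:0.3.3-14.el5_3.1"
	names := []string{"libvirt-devel", "libvirt", "libvirt-python",
		"libvirt-devel", "libvirt", "libvirt-python"}
	var list []FixedIn
	for _, n := range names {
		list = append(list, FixedIn{ns, n, v})
	}
	return list
}

func main() {
	out, conflicts := dedupeFixedIn(sampleFixedIn())
	fmt.Println(len(out), "unique entries,", len(conflicts), "conflicts")
}
```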
