Version comparison incorrect #222
Comments
Hi, thanks for the report.

I think we're going to have to introduce version parsing for different data sources because, while Debian's standard is super flexible, it clearly isn't handling everything.

Now that #290 is merged, Quay.io is showing false positives because of this comparison bug: https://quay.io/repository/djelibeybi/oraclelinux/image/7b31330a68b63825b93ef774e79bbe32332d2f3fbd02da7508f27ce92411a697?tab=vulnerabilities

BTW, I found a blog post on how RPM actually does version comparisons: http://blog.jasonantman.com/2014/07/how-yum-and-rpm-compare-versions/

(Adding this to the issue so it's not lost to IRC history.) It seems the only way that we can get this to work is a schema change on the features to store which detector was used to find each feature. That way, the comparison can be done with a feature-specific algorithm, i.e. the existing Debian one for dpkg/apk and a new RPM one for rpms.
Clair seems to think that our oraclelinux:6 has a vulnerability:

However, if we check the RPM version inside the image:

The version is actually greater in the image and thus not vulnerable.

The false positive is possibly due to the weirdness of the nss-softoken release versioning, as the increment in the release is el6_7 to el6_8. However, the installed release is still higher (-23.3.el6_8 vs -23.el6_7).
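The two comparison rules this thread contrasts, as an added example that is not Clair's code and not taken from the linked blog post: Go ports of rpm's rpmvercmp() and of dpkg's verrevcmp(), run on the nss-softoken release strings quoted in the report. The function names RpmVerCmp, DpkgVerCmp, dpkgOrder and sign are chosen here; the rpm port leaves out the '^' separator rule that later rpm releases added, and the Debian comparison Clair itself ships may differ in detail from stock dpkg.

```go
package main

import (
	"fmt"
	"strings"
)

func isDigit(c byte) bool { return c >= '0' && c <= '9' }
func isAlpha(c byte) bool { return c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' }
func isAlnum(c byte) bool { return isDigit(c) || isAlpha(c) }

func sign(n int) int {
	switch {
	case n < 0: return -1
	case n > 0: return 1
	}
	return 0
}

// RpmVerCmp ports rpm's rpmvercmp(): each string is read as runs of digits or of
// letters (separators ignored) and runs are compared pairwise. Numeric runs compare
// as integers (leading zeros dropped), a numeric run is newer than an alphabetic
// one, '~' sorts before everything including end-of-string, and the side with runs
// left over wins. Returns -1, 0 or 1. The '^' rule of newer rpm is not ported.
func RpmVerCmp(a, b string) int {
	i, j := 0, 0
	for i < len(a) || j < len(b) {
		for i < len(a) && !isAlnum(a[i]) && a[i] != '~' { i++ } // skip separators
		for j < len(b) && !isAlnum(b[j]) && b[j] != '~' { j++ }
		ta, tb := i < len(a) && a[i] == '~', j < len(b) && b[j] == '~'
		if ta || tb { // the side carrying the tilde is the older one
			if !ta { return 1 }
			if !tb { return -1 }
			i, j = i+1, j+1
			continue
		}
		if i >= len(a) || j >= len(b) { break }
		isNum, run := isDigit(a[i]), isAlpha // the kind of run is decided by a's next byte
		if isNum { run = isDigit }
		si, sj := i, j
		for i < len(a) && run(a[i]) { i++ }
		for j < len(b) && run(b[j]) { j++ }
		segA, segB := a[si:i], b[sj:j]
		if segB == "" { // b's run is of the other kind: numeric beats alphabetic
			if isNum { return 1 }
			return -1
		}
		if isNum {
			segA, segB = strings.TrimLeft(segA, "0"), strings.TrimLeft(segB, "0")
			if len(segA) != len(segB) { return sign(len(segA) - len(segB)) }
		}
		if c := strings.Compare(segA, segB); c != 0 { return c }
	}
	if i >= len(a) && j >= len(b) { return 0 }
	if i >= len(a) { return -1 }
	return 1
}

// dpkgOrder mirrors dpkg's order(): digits and end-of-string rank 0, letters rank
// by ASCII value, '~' ranks below everything and any other byte above all letters.
func dpkgOrder(s string, k int) int {
	if k >= len(s) { return 0 }
	switch c := s[k]; {
	case isDigit(c): return 0
	case isAlpha(c): return int(c)
	case c == '~': return -1
	default: return int(c) + 256
	}
}

// DpkgVerCmp ports dpkg's verrevcmp(): alternate non-digit runs (compared byte by
// byte via dpkgOrder, so a run that ends sorts before one that continues with a
// letter) and digit runs (compared as integers). Returns -1, 0 or 1.
func DpkgVerCmp(a, b string) int {
	i, j := 0, 0
	for i < len(a) || j < len(b) {
		for (i < len(a) && !isDigit(a[i])) || (j < len(b) && !isDigit(b[j])) {
			if ac, bc := dpkgOrder(a, i), dpkgOrder(b, j); ac != bc { return sign(ac - bc) }
			i, j = i+1, j+1
		}
		for i < len(a) && a[i] == '0' { i++ } // leading zeros are insignificant
		for j < len(b) && b[j] == '0' { j++ }
		firstDiff := 0
		for i < len(a) && isDigit(a[i]) && j < len(b) && isDigit(b[j]) {
			if firstDiff == 0 { firstDiff = int(a[i]) - int(b[j]) }
			i, j = i+1, j+1
		}
		if i < len(a) && isDigit(a[i]) { return 1 } // the longer digit run is larger
		if j < len(b) && isDigit(b[j]) { return -1 }
		if firstDiff != 0 { return sign(firstDiff) }
	}
	return 0
}

func main() {
	installed, fixed := "23.3.el6_8", "23.el6_7" // nss-softoken releases from the report
	fmt.Println("rpm :", RpmVerCmp(installed, fixed))  // 1: installed is newer, not vulnerable
	fmt.Println("dpkg:", DpkgVerCmp(installed, fixed)) // -1: the Debian rule calls it older
}
```

With the installed release 23.3.el6_8 against the fixed release 23.el6_7, the rpm rule returns 1: after the equal leading 23 it meets a numeric run (3) on one side and an alphabetic run (el) on the other, and numeric wins. The dpkg rule returns -1 because it compares the non-digit runs "." and ".el" byte by byte, and a run that has ended ranks below a letter; that inversion is what turns a newer installed package into a reported vulnerability.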