
Version comparison incorrect #222

Closed
Djelibeybi opened this issue Jul 21, 2016 · 5 comments
Labels
kind/bug things are not as they seem kind/design relates to the fundamental design of a component priority/urgent critical functionality

Comments

@Djelibeybi (Contributor) commented Jul 21, 2016

Clair seems to think that our oraclelinux:6 has a vulnerability:

Clair report for image 175adfa05e40 (2016-07-21 21:20:35.75494941 +0000 UTC)
ELSA-2015-1699 (Medium)
    [3.14.3-23] - Pick up upstream freebl patch for CVE-2015-2730 - Check for P == Q
    or P ==-Q before adding P and Q

    Package:       nss-softokn @ 3.14.3-23.3.el6_8
    Fixed version: 3.14.3-23.el6_7
    Link:          http://linux.oracle.com/errata/ELSA-2015-1699.html
    Layer:         c83ca52f4077a59c5406bf6ba5f1eea85a1dd1c453da8e1c6e7db2680a5f72d0

However, if we check the RPM version inside the image:

$ docker run --rm -t -i oraclelinux:6 rpm -q --queryformat "%{NAME}-%{VERSION}-%{RELEASE}\n" nss-softokn
nss-softokn-3.14.3-23.3.el6_8

The version is actually greater in the image and thus not vulnerable.

The false positive is possibly due to the weirdness of the nss-softokn release versioning, as the increment in the release is el6_7 to el6_8. However, the installed release is still higher (-23.3.el6_8 vs -23.el6_7).

@Quentin-M (Contributor) commented Aug 30, 2016

Hi,

Thanks for the report.
Just encountered the issue too with 3.10.0-327.28.3.el7 < 3.10.0-327.el7.

@Quentin-M Quentin-M added kind/bug things are not as they seem priority/urgent critical functionality labels Aug 30, 2016
@jzelinskie (Contributor):
I think we're going to have to introduce version parsing for different data sources because while Debian's standard is super flexible, it clearly isn't handling everything.

@jzelinskie jzelinskie added the kind/design relates to the fundamental design of a component label Sep 7, 2016
@Djelibeybi (Contributor, Author):

Now that #290 is merged, Quay.io is showing false positives because of this comparison bug: https://quay.io/repository/djelibeybi/oraclelinux/image/7b31330a68b63825b93ef774e79bbe32332d2f3fbd02da7508f27ce92411a697?tab=vulnerabilities

@Djelibeybi (Contributor, Author):

BTW, I found a blog post on how RPM actually does version comparisons: http://blog.jasonantman.com/2014/07/how-yum-and-rpm-compare-versions/

@Djelibeybi (Contributor, Author):

(Adding this to the issue so it's not lost to IRC history)

It seems the only way that we can get this to work is a schema change on the features to store which detector was used to find each feature. That way, the comparison can be done with a feature-specific algorithm, i.e. the existing Debian one for dpkg/apk and a new RPM one for rpms.
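Added example, not Clair's code nor any commenter's: the two label comparators discussed in the last comments (dpkg's algorithm, which Clair applied to every distro, and rpm's rpmvercmp as described in the linked blog post) reduced to Python and run on the versions from this issue. It assumes no epochs and leaves out rpm's '~'/'^' rules, which none of these versions use; `compare` and `_split_vr` are helper names chosen here.

```python
import re

def _split_vr(evr: str):
    version, _, release = evr.rpartition("-")   # split at the last dash
    return (version, release) if version else (release, "")

def rpmvercmp(a: str, b: str) -> int:
    """rpm's label comparison ('~'/'^' rules omitted): labels are cut into runs of digits
    or letters, separators are skipped, numeric runs compare as integers, a numeric run
    beats an alphabetic one, and whoever has runs left over wins. Returns -1, 0 or 1."""
    while a or b:
        a, b = re.sub(r"^[^A-Za-z0-9]+", "", a), re.sub(r"^[^A-Za-z0-9]+", "", b)
        if not a or not b:
            break
        kind = "[0-9]" if a[0].isdigit() else "[A-Za-z]"
        sa, sb = re.match(kind + "+", a).group(), re.match(kind + "*", b).group()
        if not sb:                          # runs of different type: numbers win
            return 1 if a[0].isdigit() else -1
        va, vb = (int(sa), int(sb)) if a[0].isdigit() else (sa, sb)
        if va != vb:
            return 1 if va > vb else -1
        a, b = a[len(sa):], b[len(sb):]
    return 0 if a == b else (1 if a else -1)

def _dpkg_order(c: str) -> int:
    """dpkg's character weight: '~' < digit or end of string < letters < other symbols."""
    if c == "~": return -1
    if not c or c.isdigit(): return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def dpkg_vercmp(a: str, b: str) -> int:
    """dpkg's verrevcmp on one component (the Debian rule Clair used for every distro)."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            oa, ob = _dpkg_order(a[:1]), _dpkg_order(b[:1])
            if oa != ob:                    # here a digit (weight 0) loses to 'e' (101)
                return 1 if oa > ob else -1
            a, b = a[1:], b[1:]
        da, db = re.match("[0-9]*", a).group(), re.match("[0-9]*", b).group()
        if int(da or 0) != int(db or 0):
            return 1 if int(da or 0) > int(db or 0) else -1
        a, b = a[len(da):], b[len(db):]
    return 0

def compare(label_cmp, x: str, y: str) -> int:
    """Compare two 'version-release' strings with the given label comparator."""
    (va, ra), (vb, rb) = _split_vr(x), _split_vr(y)
    return label_cmp(va, vb) or label_cmp(ra, rb)
```

With the dpkg rule the installed release 23.3.el6_8 sorts below the fixed 23.el6_7 because the digit "3" is weighed as 0 against the letter "e"; rpm's rule makes the numeric run win, so the installed package is correctly seen as newer.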
