clair: False positive for jq (CVE-2016-4074)
Description of Problem / Feature Request
Clair scanner is flagging CVE-2016-4074 if the container image contains jq 1.6-r0, even though the NVD information for CVE-2016-4074 mentions that it is applicable to jq versions <= 1.5.
Expected Outcome
As jq version 1.6-r0 is not vulnerable as per CVE-2016-4074, it should not be shown as a finding.
Actual Outcome
Clair scanner is flagging CVE-2016-4074 if the container image contains jq 1.6-r0, even though the NVD information for CVE-2016-4074 mentions that it is applicable to jq versions <= 1.5.
Environment
- Clair version/image: quay.io/coreos/clair:v2.0.7
- Clair client name/version: Clairctl version 1.2.8
- Host OS: CentOS 7
- Kernel (e.g. `uname -a`): Linux <<server-name>> 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
- Kubernetes version (use `kubectl version`): NA. Using docker-compose.
- Helm version (use `helm version`): NA.
- Network/Firewall setup: No restrictions.
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Reactions: 16
- Comments: 15 (2 by maintainers)
Commits related to this issue
- Remove unnecessary jq due to CVE-2016-407 Clair check reporting that jq contains critical CVE-2016-407 https://nvd.nist.gov/vuln/detail/CVE-2016-4074 This might be false-positive https://github.com/q... — committed to noskovao/mega-linter by noskovao 3 years ago
- Remove unnecessary jq due to CVE-2016-407 (#771) Clair check reporting that jq contains critical CVE-2016-407 https://nvd.nist.gov/vuln/detail/CVE-2016-4074 This might be false-positive https://git... — committed to oxsecurity/megalinter by noskovao 3 years ago
We’re having the same issue on Alpine Linux 3.10 reported by the AWS ECR scanner running Clair, but I don’t believe we can set any whitelist in AWS ECR (at least I can’t find it). Is there any chance this could be fixed?
Also noticed this, was apparently resolved in 1.6, but is still being flagged.
Logged JIRA Bug PROJQUAY-1031 (https://issues.redhat.com/browse/PROJQUAY-1031) in the new system for tracking.
As that Jira issue says, we’re not going to work on this for v2. We’re available to review any patches the best we can.
The new version of Clair is very near its first release, that’s where we’ve been concentrating our efforts.
The whitelisting feature of Clair comes in handy here. We could add it to the whitelist file, as this is a clear case of a bug in Clair, so that it doesn't show up in subsequent scans.
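A triage check for findings like the one reported above, as an added example that is not part of the issue thread and not Clair's or clairctl's code. Before whitelisting a CVE as the last comment suggests, it helps to confirm mechanically that the installed package version really falls outside the range NVD lists. The script orders apk-style versions (the scheme behind Alpine's jq-1.6-r0), strips the distro release suffix before comparing against NVD's upstream version bounds, and labels each finding. The findings list and the NVD range dictionary are constructed for the demo; the suffix ordering and the treatment of 1.6 as equal to 1.6.0 are an assumed, simplified reading of apk-tools' rules.

```python
"""Triage scanner findings against the NVD affected-version range.

Added example for this issue, not Clair's or clairctl's code. Findings
and the NVD range are constructed; real triage would read them from the
scanner report and the NVD feed.
"""
import re

# Suffix ordering as used by apk-tools (assumption: simplified reading of
# its version rules). Pre-release suffixes sort below the bare version,
# post-release ones above it.
_SUFFIX_RANK = {"alpha": -5, "beta": -4, "pre": -3, "rc": -2,
                "": 0, "cvs": 1, "svn": 2, "git": 3, "hg": 4, "p": 5}

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"        # 1.6, 1.5.1
    r"(?P<letter>[a-z])?"               # optional trailing letter: 1.0a
    r"(?P<suffixes>(?:_[a-z]+\d*)*)"    # _rc1, _p2, ...
    r"(?:-r(?P<rel>\d+))?$"             # Alpine package release: -r0
)


def parse_apk_version(version):
    """Split an apk version into a comparable tuple of its parts."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable apk version: {version!r}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    letter = ord(m.group("letter")) if m.group("letter") else 0
    suffixes = []
    for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes")):
        if name not in _SUFFIX_RANK:
            raise ValueError(f"unknown suffix _{name} in {version!r}")
        suffixes.append((_SUFFIX_RANK[name], int(num or 0)))
    release = int(m.group("rel") or 0)
    return nums, letter, suffixes, release


def compare_apk_versions(a, b):
    """Return -1, 0 or 1 (a < b, a == b, a > b) under apk ordering."""
    na, la, sa, ra = parse_apk_version(a)
    nb, lb, sb, rb = parse_apk_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))  # simplification: 1.6 == 1.6.0
    nb += (0,) * (width - len(nb))
    key_a = (na, la, sa or [(0, 0)], ra)  # no suffix == rank 0
    key_b = (nb, lb, sb or [(0, 0)], rb)
    return (key_a > key_b) - (key_a < key_b)


def upstream_version(version):
    """Drop the distro release (-rN): NVD ranges describe upstream versions,
    so jq 1.5-r1 must compare as 1.5, not as something newer than 1.5."""
    return re.sub(r"-r\d+$", "", version)


def in_nvd_range(installed, start_including=None, end_including=None,
                 end_excluding=None):
    """True if the installed upstream version lies inside the NVD range."""
    v = upstream_version(installed)
    if start_including and compare_apk_versions(v, start_including) < 0:
        return False
    if end_including and compare_apk_versions(v, end_including) > 0:
        return False
    if end_excluding and compare_apk_versions(v, end_excluding) >= 0:
        return False
    return True


def triage(findings, nvd_ranges):
    """Label each finding: in-nvd-range (plausible), outside-nvd-range
    (whitelist candidate, confirm against the distro secdb first), or
    no-nvd-range (NVD has no range data to compare against)."""
    results = []
    for f in findings:
        rng = nvd_ranges.get(f["cve"])
        if rng is None:
            verdict = "no-nvd-range"
        elif in_nvd_range(f["version"], **rng):
            verdict = "in-nvd-range"
        else:
            verdict = "outside-nvd-range"
        results.append((f["cve"], f["package"], f["version"], verdict))
    return results


# Constructed sample findings in the shape a Clair report reduces to.
SAMPLE_FINDINGS = [
    {"cve": "CVE-2016-4074", "package": "jq", "version": "1.6-r0"},
    {"cve": "CVE-2016-4074", "package": "jq", "version": "1.5-r1"},
    {"cve": "CVE-2016-4074", "package": "jq", "version": "1.5_rc1-r0"},
]
# The range this issue cites from NVD: jq versions <= 1.5 are affected.
NVD_RANGES = {"CVE-2016-4074": {"end_including": "1.5"}}

if __name__ == "__main__":
    for cve, pkg, ver, verdict in triage(SAMPLE_FINDINGS, NVD_RANGES):
        print(f"{cve} {pkg}-{ver}: {verdict}")
```

A finding labelled outside-nvd-range is a whitelist candidate, not proof of a false positive: Clair's Alpine vulnerability data comes from the distro security database rather than from NVD's version ranges, so compare the package against that source as well before suppressing the CVE in the whitelist file.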