SofyaTavrovskaya Mirantis Kharkiv, Ukraine

SofyaTavrovskaya/clair 0

Vulnerability Static Analysis for Containers

SofyaTavrovskaya/claircore 0

foundation modules for scanning container packages and reporting vulnerabilities

SofyaTavrovskaya/exam2 0

Course_JS_DevPro

SofyaTavrovskaya/paclair 0

Paclair is a Python3 Cli tool to interact with Coreos's Clair (https://github.com/coreos/clair).

issue comment quay/clair

Clair does not detect Debian vulnerability

@apurvmahajan Nope, it doesn't resolve the whole issue with fixed_version: 0:0. The OVAL database gets data from 2 resources:

  1. from the data.json file: https://security-tracker.debian.org/tracker/data/json
  2. by parsing wml files with info about vulnerabilities in this directory: https://salsa.debian.org/webmaster-team/webwml/-/tree/master/english/security.

My PR only fixes the problem with incorrect parsing of wml files, but it's not related to the incorrect data in data.json. As you mentioned before, CVE-2016-6309 in data.json has fixed_version 0 and the script gets this fixed_version from there: https://salsa.debian.org/webmaster-team/webwml/-/blob/master/english/security/oval/generate.py#L135

iainduncani

comment created time in 9 days

issue comment quay/clair

Clair does not detect Debian vulnerability

@apurvmahajan The Debian OVAL database seems to have a lot of problems. It is generated by code that hasn't been updated for a very long period of time; it still uses python2.7 (https://salsa.debian.org/webmaster-team/webwml/-/blob/master/english/security/oval/generate.py). I found this conversation about the issue with fixed_version: 0:0, but haven't found any PRs that resolve this problem: https://groups.google.com/g/linux.debian.security/c/zYqDWOAT8xQ. During the investigation I found several bugs in the script that generates OVAL.xml and created a PR (https://salsa.debian.org/webmaster-team/webwml/-/merge_requests/737), but as of today I haven't had any reviews or a merge. Maybe they don't support this script at all.

And I found issues in other projects that use the Debian OVAL DB, for example this one: https://github.com/wazuh/wazuh/issues/5271, where we can see such a problem: "Apart from the packages that the OVAL marks as vulnerable for each CVE, there exist some cases where more than one package is affected and we are missing them because the OVAL doesn't provide the whole list of affected packages."

iainduncani

comment created time in 23 days

push event SofyaTavrovskaya/claircore

SofyaTavrovskaya

commit sha c82a3fbaeaa70c12728cd976bed3208f8a92e91e

alpine: add new releases Add new Alpine releases 3.13 and 3.14

push time in a month

push event SofyaTavrovskaya/claircore

SofyaTavrovskaya

commit sha 4319d6fd68c4a5956d4c40150f8a11657b11f854

alpine: add new releases Add new Alpine releases 3.13 and 3.14

push time in a month

push event SofyaTavrovskaya/claircore

SofyaTavrovskaya

commit sha 993b3d410e2a13f617998dc017685a276455b9de

alpine: add new releases 3.13 and 3.14

push time in a month

create branch SofyaTavrovskaya/claircore

branch : add_new-alpine_releases

created branch time in a month

push event SofyaTavrovskaya/claircore

stavrovska

commit sha e6e2310b90ff2bdff09e2f84575cc49764a26e4e

photon: add normalized severity Add normalized severity to vulnerabilities related to Photon OS

Liu Bo

commit sha f639452bfe3872d730e11462e117f122a5fcde7a

alpine: fix typo of ecosystem s/dpkg/alpine/g

Jan Zmeskal

commit sha f31eec798c64c1ecd81b54906d3b49ab28231ed1

libvulnhttp: add DisableBackgroundUpdates config option Signed-off-by: Jan Zmeskal <jzmeskal@redhat.com>

ldelossa

commit sha 313c8c43e180b080c675b4e0629485c76f553cbd

indexer: filter scanners during manifest check This commit adds a filtering step in the CheckManifest state. Now, if a manifest reports being analyzed by a particular scanner, that scanner will be omitted from all subsequent states. This is safe to do: if a manifest was analyzed by a particular scanner, this also means all its layers were analyzed by that scanner. Thus, the scanner need not be included in the rest of the indexing process. This fixes a unique constraint issue in the IndexFinished state. Previous to this commit, an attempt to persist duplicate scanner ids was made in the aforementioned state. Signed-off-by: ldelossa <ldelossa@redhat.com>

ldelossa

commit sha 5385f5d5b78486e6f73f00e70d2cd21d57a17827

updaters: consolidate into manager this commit consolidates updater filtering, getting defaults from the registry, configuring factories, configuring updaters, and running updaters in a loop into a single cohesive unit. Signed-off-by: ldelossa <ldelossa@redhat.com>

Jan Zmeskal

commit sha 0cc6579839ec54e03e1456ac4a2444c269010795

postgres: fix update_operation response Signed-off-by: Jan Zmeskal <jzmeskal@redhat.com>

Jan Zmeskal

commit sha 733d8f1560b6c3d48560f7cc170536578fa7b7ac

cicd: use quay.io/claircore/golang in CI Signed-off-by: Jan Zmeskal <jzmeskal@redhat.com>

Hank Donnay

commit sha 4840e07d7f9b423084d450843d1f1b11048e1190

misc: go vet fixes These are some code problems flagged by `go vet` that shouldn't affect correctness at all. Signed-off-by: Hank Donnay <hdonnay@redhat.com>

Hank Donnay

commit sha 0615a7b0550e5326e06c69354cd0d00647b7abb6

layerscanner: return unused error Luckily, this doesn't seem to be a common error case. Signed-off-by: Hank Donnay <hdonnay@redhat.com>

Hank Donnay

commit sha 826aacbf6ed9abcd78529fedc91417a511743863

cctool: copy loop variable Make sure each goroutine is writing to the correct entry in the error slice. Signed-off-by: Hank Donnay <hdonnay@redhat.com>

Hank Donnay

commit sha bf73eb8663872ad42efe84852a0c1cc3bda07c44

libindex: return pointer to AffectedManifests The AffectedManifests type embeds a lock, meaning it can't be copied. This change returns a pointer instead of copying the struct. An alternative would be to audit usage of this type, and remove the lock. NB: This is a breaking API change! Signed-off-by: Hank Donnay <hdonnay@redhat.com>

Hank Donnay

commit sha 947e85375c6f53d23521fa0294cf0ea8fa575835

postgres: remove unused file Signed-off-by: Hank Donnay <hdonnay@redhat.com>

Hank Donnay

commit sha d84781f7800ffeb352303031e47776df7e56b411

postgres: remove indexer sqlx usage Signed-off-by: Hank Donnay <hdonnay@redhat.com>

Hank Donnay

commit sha e19e115e80c9040be0e2142eea37c4165f0eba22

postgres: remove test harness sqlx usage Signed-off-by: Hank Donnay <hdonnay@redhat.com>

Hank Donnay

commit sha ddb6b5951bf9e053b4e3dad686dc2792b9b33877

libindex: remove sqlx Signed-off-by: Hank Donnay <hdonnay@redhat.com>

Hank Donnay

commit sha 8017e8535c5c8f61f8fa6f92d25de1531ab72825

postgres: remove distlock sqlx implementation Signed-off-by: Hank Donnay <hdonnay@redhat.com>

Hank Donnay

commit sha e749f3b414416f823a545753419c9574cecaecc7

cicd: drop go1.13 support Upcoming `zlog` dependency needs go1.14 or later. Signed-off-by: Hank Donnay <hdonnay@redhat.com>

Hank Donnay

commit sha 3a4e3d3e053cd3856795565e1b674e2ba4b03900

all: logging switch This commit switches all the logging in this module over to use the `zlog` package, which was written to preserve our add-things-to-context flow while producing better-behaved JSON. From here forward, only `main` packages should import zerolog directly, and no package should import the zerolog global logger. Signed-off-by: Hank Donnay <hdonnay@redhat.com>

ldelossa

commit sha 886d62bdbee04ab01ce0237d69145907b33ee893

updaters: fix WithEnabled option Previous to this commit, the WithEnabled option did not implement the tristate necessary when configuring updaters. Signed-off-by: ldelossa <ldelossa@redhat.com>

Hank Donnay

commit sha 5ac709b5fb90641ee0a0972faf9a826cba278063

fetch: turn layer fetcher into a generic fetcher The client now dynamically requests and caches auth headers as needed, instead of assuming they're always needed and have the same scope, realm, and service conventions as dockerhub. The token spec seems to have broken as of the time of commit, so here's a link into the Google cache for posterity: https://webcache.googleusercontent.com/search?q=cache:V8bYdqwzDeUJ:https://docs.docker.com/registry/spec/auth/token/ Signed-off-by: Hank Donnay <hdonnay@redhat.com>

push time in a month

issue comment quay/clair

Missing vulnerabilities in debian based images

@apurvmahajan I still have the same problem with Debian images.

I tried to explain the possible reason for this issue in #1270. And I'm not sure that the Quay registry is using Clair v4; as far as I know, it's using Clair v2.

SofyaTavrovskaya

comment created time in 2 months

issue comment quay/clair

Clair does not detect Debian vulnerability

By default for Debian- and Ubuntu-based images the "package_kind" field is specified as BINARY: https://github.com/quay/claircore/blob/v0.5.4/pkg/ovalutil/dpkg.go#L130

But when the matcher creates requests to clair-db, it tries to find vulnerabilities in the vuln table by 5 fields: "package_name", "package_kind", "dist_name", "dist_id", "dist_version".

So, for example, for the package shadow Clair v4 never finds vulnerabilities, because in the index report the shadow package is specified as "source":

"168": {
  "id": "168",
  "name": "passwd",
  "version": "1:4.5-1.1",
  "kind": "binary",
  "source": {
    "id": "157",
    "name": "shadow",
    "version": "1:4.5-1.1",
    "kind": "source"
  },
  "arch": "amd64"
},

And the query to clair-db always returns 0 if package_kind = 'source'. https://github.com/quay/claircore/blob/v0.5.4/internal/vulnstore/postgres/querybuilder.go#L97.

But vulnerabilities for the shadow package are present in clair-db and in the OVAL DB.

Maybe it's not correct to specify package_kind as BINARY by default for all Ubuntu and Debian vulnerabilities, because we can't get info about the package kind (source or binary) from the open DB: https://www.debian.org/security/oval/oval-definitions-buster.xml.

And it's not related only to Debian-based images; Ubuntu images are affected too.

iainduncani

comment created time in 2 months
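The mismatch described in the comment above, reproduced as an added, constructed simulation (not claircore's own code): a five-field lookup over an index report whose "shadow" entry has kind "source" while the OVAL-derived record defaults to "binary". The `lookup` function, the dist values and the vulnerability ID are all assumptions made for this example.

```go
package main

import "fmt"

// Package mirrors one index-report entry from the comment above: a binary
// package ("passwd") that carries its source package ("shadow").
type Package struct {
	Name, Version, Kind string
	Source              *Package
}

// Vulnerability holds the five fields the comment says the matcher filters on.
type Vulnerability struct {
	ID, PackageName, PackageKind, DistName, DistID, DistVersion string
}

type Dist struct{ Name, ID, Version string }

// lookup is a constructed simulation of the five-field matcher query, not
// claircore's own code. With checkKind=true it reproduces the mismatch the
// comment describes; with checkKind=false the package_kind filter is dropped.
func lookup(report []Package, dist Dist, vulns []Vulnerability, checkKind bool) map[string][]string {
	hits := map[string][]string{}
	var candidates []Package
	for _, p := range report {
		candidates = append(candidates, p)
		if p.Source != nil {
			candidates = append(candidates, *p.Source) // source entries have kind "source"
		}
	}
	for _, p := range candidates {
		for _, v := range vulns {
			if v.PackageName != p.Name || v.DistName != dist.Name ||
				v.DistID != dist.ID || v.DistVersion != dist.Version {
				continue
			}
			if checkKind && v.PackageKind != p.Kind {
				continue // "binary" (the OVAL default) never equals "source"
			}
			hits[p.Name] = append(hits[p.Name], v.ID)
		}
	}
	return hits
}

// Constructed sample data shaped like the index report quoted in the comment.
var (
	buster       = Dist{Name: "debian", ID: "debian", Version: "10"}
	sampleReport = []Package{{Name: "passwd", Version: "1:4.5-1.1", Kind: "binary",
		Source: &Package{Name: "shadow", Version: "1:4.5-1.1", Kind: "source"}}}
	sampleVulns = []Vulnerability{{ID: "EXAMPLE-SHADOW-1", PackageName: "shadow",
		PackageKind: "binary", DistName: "debian", DistID: "debian", DistVersion: "10"}}
)

func main() {
	fmt.Println(lookup(sampleReport, buster, sampleVulns, true))  // map[]
	fmt.Println(lookup(sampleReport, buster, sampleVulns, false)) // map[shadow:[EXAMPLE-SHADOW-1]]
}
```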