Add custom processing for RHACS container images #7

Open
dmc5179 opened this issue Mar 2, 2023 · 1 comment

dmc5179 commented Mar 2, 2023

Using oc-mirror we can look at the images for Red Hat Advanced Cluster Security here:

registry.redhat.io/openshift4/ose-kube-rbac-proxy@sha256:71c2b03f01b0af6cb349e06bc2dc035a81e10f420ffb6358a4fdc5494bb57171=openshift4/ose-kube-rbac-proxy:e4df3a11
registry.redhat.io/rh-acs/main@sha256:dc13e3ff268e45309dc6c674396094a3d8777111a612c0cb143049e44c6241f9=rh-acs/main:e88b9d8e
registry.redhat.io/rh-acs/scanner-db@sha256:0d27694909f67ee50f80077fac91cfbff4ff41cbf50a31e289c15b2838110f08=rh-acs/scanner-db:bb030383
registry.redhat.io/advanced-cluster-security/rhacs-operator-bundle@sha256:0baed09effdbfc973515d7bdce444dbf97a72c913a0ae1d7403106439b6cba62=advanced-cluster-security/rhacs-operator-bundle:45c8e50f
registry.redhat.io/rh-acs/collector@sha256:0663df17c38644b3292cacf4aa039c3d10af9f0a368659b2c631fc6e68c39442=rh-acs/collector:5122a605
registry.redhat.io/rh-acs/scanner@sha256:07cebc1cbca22002d69dbcd2bae8e6033cb9020b047360347f16c5cb5305cc37=rh-acs/scanner:61f9774d
registry.redhat.io/advanced-cluster-security/rhacs-rhel8-operator@sha256:eb747779369b369f20c205afc3b3d462309bc54869adb926aed1e2f186dadb03=advanced-cluster-security/rhacs-rhel8-operator:6e57adf5
registry.redhat.io/rh-acs/collector@sha256:e5a9524efaf7adfb79341048ef2c4fa567e5efd64d208c15e5b26de1fd97e351=rh-acs/collector:e3687cd4

But it turns out that there is no longer a repo at registry.redhat.io/rh-acs.
The images have all moved to registry.redhat.io/advanced-cluster-security/

Because of this, the cve-analyser is not able to look up information about the RHACS images. As an example, here is a sample input:

CVE-2023-0361,rh-acs/main
CVE-2023-0361,rh-acs/main:3.74
CVE-2023-0361,advanced-cluster-security/rhacs-main-rhel8
CVE-2023-0361,advanced-cluster-security/rhacs-main-rhel8:3.74

And sample output:

CVE-2023-0361,rh-acs/main,CVE Severity:Moderate,Not Found Any Information
CVE-2023-0361,rh-acs/main:3.74,CVE Severity:Moderate,Not Found Any Information
CVE-2023-0361,advanced-cluster-security/rhacs-main-rhel8,CVE Severity:Moderate,Not Found Any Information
CVE-2023-0361,advanced-cluster-security/rhacs-main-rhel8:3.74,CVE Severity:Moderate,(Red Hat Enterprise Linux 8|Product impact:moderate|Affected|gnutls)

Only in the case where the advanced-cluster-security repo is used along with the tag is processing completed. This is not a flaw in the cve-analyser but rather an issue with how the RHACS containers were moved in the registry vs how they are shown in the operator catalog. I intend to submit a BZ against RHACS to resolve this issue if possible.
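
Added example, not part of the original issue or of the cve-analyser code: a Python preflight check that lists which oc-mirror source repos still sit under the old namespace and which `CVE,image` rows are likely to come back empty. The function names are hypothetical, and the two rules (legacy `rh-acs/` namespace, missing tag) are inferred only from the sample output in this issue.

```python
import csv
from io import StringIO

LEGACY_NS = "rh-acs/"                    # namespace the issue reports as gone
NOT_FOUND = "Not Found Any Information"  # marker string from the sample output

# Sample data copied from the issue text (two oc-mirror lines, all output rows).
SAMPLE_MAPPINGS = [
    "registry.redhat.io/rh-acs/main@sha256:dc13e3ff268e45309dc6c674396094a3d8777111a612c0cb143049e44c6241f9=rh-acs/main:e88b9d8e",
    "registry.redhat.io/advanced-cluster-security/rhacs-rhel8-operator@sha256:eb747779369b369f20c205afc3b3d462309bc54869adb926aed1e2f186dadb03=advanced-cluster-security/rhacs-rhel8-operator:6e57adf5",
]
SAMPLE_OUTPUT = """\
CVE-2023-0361,rh-acs/main,CVE Severity:Moderate,Not Found Any Information
CVE-2023-0361,rh-acs/main:3.74,CVE Severity:Moderate,Not Found Any Information
CVE-2023-0361,advanced-cluster-security/rhacs-main-rhel8,CVE Severity:Moderate,Not Found Any Information
CVE-2023-0361,advanced-cluster-security/rhacs-main-rhel8:3.74,CVE Severity:Moderate,(Red Hat Enterprise Linux 8|Product impact:moderate|Affected|gnutls)
"""

def parse_mapping(line):
    """Split an oc-mirror mapping line 'registry/repo@digest=dest:tag'."""
    source, _, dest = line.strip().partition("=")
    ref, _, digest = source.partition("@")
    registry, _, repo = ref.partition("/")
    return {"registry": registry, "repo": repo, "digest": digest, "dest": dest}

def legacy_repos(mapping_lines):
    """Return the sorted source repos that are still under the legacy namespace."""
    parsed = (parse_mapping(l) for l in mapping_lines if l.strip())
    return sorted({m["repo"] for m in parsed if m["repo"].startswith(LEGACY_NS)})

def preflight(image):
    """List the reasons an image reference is likely to return no CVE data."""
    repo, _, tag = image.strip().partition(":")
    reasons = []
    if repo.startswith(LEGACY_NS):
        reasons.append("legacy namespace")
    if not tag:
        reasons.append("no tag")
    return reasons

def unresolved(output_text):
    """Return the image column of every output row that has no lookup result."""
    rows = csv.reader(StringIO(output_text))
    return [r[1] for r in rows if len(r) >= 4 and r[3] == NOT_FOUND]

if __name__ == "__main__":
    print("legacy repos:", legacy_repos(SAMPLE_MAPPINGS))
    for image in unresolved(SAMPLE_OUTPUT):
        print(image, "->", ", ".join(preflight(image)))
```
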


dmc5179 commented Mar 3, 2023

PR submitted for this issue: #8
