Missing Documentation on Kernel Vulnerabilities


Joseph Cauthen

Jul 5, 2024, 7:28:17 PM
to clair-dev
I am researching container scanning solutions and there are a few products that are built on Clair. I plan to use this tool for compliance reporting; however, Clair reports kernel vulnerabilities. It appears that the Clair team is aware of this, and that they are also aware that this doesn't make much sense since containers share the host's kernel.

Ref: https://web.archive.org/web/20201016054531/https://github.com/quay/clair/blob/master/Documentation/running-clair.md

This piece of documentation has apparently been scrubbed from the Earth? Why? If you notice, that link is from the Wayback Machine. Some of the reported kernel vulnerabilities are high severity and critical findings. From a compliance perspective, these need to be justified, and vendor documentation is one of the only acceptable ways to do that.

Has this documentation moved and I just can't find it? I have been searching for over an hour and I'm pretty good at Google-fu. 

Any help is appreciated. Thanks in advance. 

Hank Donnay

Jul 8, 2024, 5:43:22 PM
to clai...@googlegroups.com
Hello,

On Fri, Jul 05, 2024 at 01:33:12PM -0700, Joseph Cauthen wrote:
>I am researching container scanning solutions and there are a few
>products that are built on Clair. I plan to use this tool for
>compliance reporting, however, Clair reports kernel vulnerabilities. It
>appears that the Clair team is aware of this, and that they are also
>aware that this doesn't make much sense since containers share the
>host's kernel. 
>
>Ref: https://web.archive.org/web/20201016054531/https://github.com/quay/clair/blob/master/Documentation/running-clair.md
>
>This piece of documentation has apparently been scrubbed from the
>Earth? Why? If you notice, that link is from the Wayback Machine.

The linked documentation is for a previous version, which you can see in
the repository: https://github.com/quay/clair/blob/development-3.0/Documentation/running-clair.md

>Some of the reported kernel vulnerabilities are high severity and
>critical findings. From a compliance perspective, these need to be
>justified and vendor documentation is one of the only acceptable ways
>to do that. 

I would recommend contacting your software vendor if their documentation
is lacking.

If you mean the documentation in the repo is lacking, then patches or
issues are welcome. Although, the project only has a relationship with
you as laid out in the LICENSE file, so who knows if that holds as much
water as a vendor contract.

Clair should be reporting the existence of kernel packages if they're
installed. This won't be changing, because projects like [bootc] want to
start shipping kernels that will be executed. I don't recall if our
data sources uniformly omit kernel vulnerability information or not. We
purposefully omit the OSV kernel vulnerability information, at least.

[bootc]: https://github.com/containers/bootc

--
hank
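The practical problem raised in this thread is triage: Clair will keep reporting vulnerabilities against kernel packages that happen to be installed in an image, and a compliance reviewer needs those findings separated out and justified as a group rather than argued one by one. The script below is an added example for that step; it is not part of the thread and not Clair project code. It assumes the Clair v4 report shape (top-level `packages`, `vulnerabilities` and `package_vulnerabilities` maps, each vulnerability carrying `name`, `normalized_severity` and `package`), and the kernel package-name prefixes it matches (`kernel*`, `linux-image-*`, `linux-modules-*`) are an assumption to be checked against your base images. The "kernel is not executed" justification only holds for images that are not booted as a kernel; for bootc-style images, as Hank notes, kernel findings are real and belong in the remediation bucket.

```python
"""Split kernel-package findings in a Clair-style vulnerability report
from everything else, so they can be justified as a group in compliance
reporting.

Added example; not Clair project code.  The report layout follows Clair v4's
report shape as I understand it, and the kernel package-name patterns are an
assumption; verify both against your scanner's actual output.
"""
import json
import re

# Assumed package-name patterns for kernel packages on common distributions
# (RPM-based: kernel, kernel-core, kernel-modules; Debian/Ubuntu:
# linux-image-*, linux-modules-*).  Adjust to the naming your images use.
KERNEL_PACKAGE_RE = re.compile(
    r"^(kernel(-[a-z0-9]+)*|linux-image-.*|linux-modules-.*)$"
)

# Constructed sample report; every value here is made up for the example.
SAMPLE_REPORT = json.loads("""
{
  "manifest_hash": "sha256:PLACEHOLDER",
  "packages": {
    "1": {"id": "1", "name": "kernel-core", "version": "0.0.0-1.example"},
    "2": {"id": "2", "name": "openssl-libs", "version": "0.0.0-1.example"},
    "3": {"id": "3", "name": "linux-image-generic", "version": "0.0.0.example"}
  },
  "vulnerabilities": {
    "v1": {"id": "v1", "name": "EXAMPLE-KERNEL-1", "normalized_severity": "Critical",
           "package": {"id": "1", "name": "kernel-core"}},
    "v2": {"id": "v2", "name": "EXAMPLE-KERNEL-2", "normalized_severity": "High",
           "package": {"id": "3", "name": "linux-image-generic"}},
    "v3": {"id": "v3", "name": "EXAMPLE-USERSPACE-1", "normalized_severity": "High",
           "package": {"id": "2", "name": "openssl-libs"}}
  },
  "package_vulnerabilities": {"1": ["v1"], "2": ["v3"], "3": ["v2"]}
}
""")


def is_kernel_package(name: str) -> bool:
    """True if the package name matches the assumed kernel-package patterns."""
    return bool(KERNEL_PACKAGE_RE.match(name))


def split_kernel_findings(report: dict) -> tuple[list[dict], list[dict]]:
    """Return (kernel_findings, other_findings) as flat dicts.

    Walks package_vulnerabilities so a vulnerability attached to several
    packages is reported once per affected package.  Dangling references
    (a package or vulnerability id that is not in the report) are skipped.
    """
    packages = report.get("packages", {})
    vulns = report.get("vulnerabilities", {})
    kernel, other = [], []
    for pkg_id, vuln_ids in report.get("package_vulnerabilities", {}).items():
        pkg = packages.get(pkg_id)
        if pkg is None:
            continue
        for vid in vuln_ids:
            v = vulns.get(vid)
            if v is None:
                continue
            finding = {
                "package": pkg["name"],
                "version": pkg.get("version", ""),
                "vulnerability": v.get("name", vid),
                "severity": v.get("normalized_severity", "Unknown"),
            }
            (kernel if is_kernel_package(pkg["name"]) else other).append(finding)
    return kernel, other


def summarize(report: dict) -> dict:
    """Severity counts per bucket, the shape a compliance table needs."""
    kernel, other = split_kernel_findings(report)

    def by_severity(findings: list[dict]) -> dict:
        counts: dict = {}
        for f in findings:
            counts[f["severity"]] = counts.get(f["severity"], 0) + 1
        return counts

    return {"kernel": by_severity(kernel), "other": by_severity(other)}


if __name__ == "__main__":
    kernel, other = split_kernel_findings(SAMPLE_REPORT)
    print(f"{len(kernel)} kernel-package finding(s) to justify (not executed in a "
          f"shared-kernel container), {len(other)} other finding(s) to remediate")
    for f in kernel:
        print("  kernel:", f)
    print(json.dumps(summarize(SAMPLE_REPORT), indent=2))
```

Feed it a real report (`clairctl report --out json ...` or the Clair API) instead of `SAMPLE_REPORT`, and review the `kernel` bucket against the image's actual use: in a shared-kernel container the justification is that the package is never booted, but for a bootable image that argument does not apply and those findings move back to remediation.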
