Last time I played with Clair, it would say my image had numerous vulnerabilities even though I would update the base image. Turns out, it was reporting older layers were vulnerable even though the issue was patched in a newer layer. Does anyone know if that's the case? I can't seem to find any information on the matter.
I have never heard of that. Could you please try again? If you can repro, open an issue and I'll be glad to fix it. Clair now tells the layer in which a vulnerability has been detected, the package name and version that cause it and how it can be fixed. It should definitely help.
openscap has been able to do this either on an installed system or on a chroot for years. But "containers", so it's all new and exciting, and definitely nothing like chroot/jails.
8 comments
[ 3.1 ms ] story [ 42.4 ms ] threadhttps://martin.preisler.me/2015/11/atomic-scan-and-openscap-...