Bug 1368896

Summary: atomic scan can't find CVEs for all of container images
Product: Red Hat Enterprise Linux 7
Reporter: Alex Jia <ajia>
Component: atomic
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: medium
Docs Contact:
Priority: high
Version: 7.4
CC: bbaude, dwalsh, mhaicman, mpreisle, openscap-maint
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1386358 (view as bug list)
Environment:
Last Closed: 2016-12-06 17:41:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1386358

Comment 2 Martin Preisler 2016-09-02 19:23:43 UTC
Brent Baude and I debugged and discussed this issue today. First we suspected it was in openscap-daemon but openscap-daemon runs the right commands with the right paths.

Turns out it is some sort of a race condition between multiple oscap processes being spawned. Using "--jobs 1" or "-j1" when running oscapd-evaluate fixes these issues. My guess is that oscap processes talk to probes that don't belong to them and get the wrong results.

As an interim workaround I suggest we append "-j 1" to:
https://github.com/projectatomic/atomic/blob/master/atomic.d/openscap#L8
and 
https://github.com/projectatomic/atomic/blob/master/atomic.d/openscap#L11

This option can be removed after we figure out the race between multiple oscap processes in OpenSCAP.

We will circle back to this on Tuesday 2016-09-06.

Comment 3 Daniel Walsh 2016-10-10 14:46:35 UTC
Should this bug be moved to openscap?

Comment 4 Brent Baude 2016-10-10 17:22:36 UTC
Yes, it is a racy type of thing.

Comment 5 Brent Baude 2016-10-18 17:39:36 UTC
Fixed upstream -> https://github.com/projectatomic/atomic/pull/692

Comment 6 Brent Baude 2016-10-18 17:42:53 UTC
This should be fixed in atomic-1.13.1-2.el7

Comment 7 Brent Baude 2016-10-18 18:31:50 UTC
The openscap folks cloned this for tracking of the race condition which will require a longer examination.  Reassigning this bz back to atomic.

Comment 9 Alex Jia 2016-11-02 04:11:17 UTC
(In reply to Brent Baude from comment #6)
> This should be fixed in atomic-1.13.1-2.el7

I can find the expected CVE bugs in atomic-1.13.1-2.el7 and the latest atomic-1.13.6-1.el7, so I am moving the bug to VERIFIED status.

Comment 11 errata-xmlrpc 2016-12-06 17:41:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2857.html