Bug 1368896 - atomic scan can't find CVEs for all of container images
Summary: atomic scan can't find CVEs for all of container images
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: atomic
Version: 7.4
Hardware: x86_64
OS: Linux
high
medium
Target Milestone: rc
Assignee: Lokesh Mandvekar
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 1386358
Reported: 2016-08-22 04:06 UTC by Alex Jia
Modified: 2016-12-06 17:41 UTC (History)
5 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1386358 (view as bug list)
Environment:
Last Closed: 2016-12-06 17:41:47 UTC
Target Upstream Version:




Links
System: Red Hat Product Errata
ID: RHBA-2016:2857
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: atomic bug fix and enhancement update
Last Updated: 2016-12-06 22:40:27 UTC

Comment 2 Martin Preisler 2016-09-02 19:23:43 UTC
Brent Baude and I debugged and discussed this issue today. First we suspected it was in openscap-daemon but openscap-daemon runs the right commands with the right paths.

Turns out it is some sort of a race condition between multiple oscap processes being spawned. Using "--jobs 1" or "-j1" when running oscapd-evaluate fixes these issues. My guess is that oscap processes talk to probes that don't belong to them and get the wrong results.

As an interim workaround I suggest we append "-j 1" to:
https://github.com/projectatomic/atomic/blob/master/atomic.d/openscap#L8
and 
https://github.com/projectatomic/atomic/blob/master/atomic.d/openscap#L11

This option can be removed after we figure out the race between multiple oscap processes in OpenSCAP.

We will circle back to this on Tuesday 2016-09-06.
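The interim workaround in this comment is a config edit: append "-j 1" to the oscapd-evaluate argument lists in the atomic.d/openscap plugin descriptor so that only one oscap process runs at a time. The script below is an added example and is not code from the atomic project or from this bug. It assumes the descriptor is JSON with a top-level "scans" list whose entries carry an "args" list beginning with the command name; the sample descriptor it patches is constructed for the example and is not the real atomic.d/openscap file. It goes slightly beyond the comment by also normalising an existing "-jN", "--jobs N" or "--jobs=N" option to a single job, so the patch is safe to re-run.

```python
"""Added example (not from the atomic project): force oscapd-evaluate scans in an
atomic scan plugin descriptor to run with a single job ("-j 1").

Assumed layout (not taken from the bug page): JSON with a top-level "scans" list,
each scan having an "args" list whose first element is the command name.
"""

import json
import re
from typing import List, Tuple

# Constructed sample in the assumed layout; NOT the real atomic.d/openscap file.
SAMPLE_DESCRIPTOR = json.dumps({
    "image_name": "example.invalid/openscap",
    "default_scan": "cve",
    "scans": [
        {"name": "cve",
         "args": ["oscapd-evaluate", "scan", "--no-standard-compliance",
                  "--targets", "chroots-in-dir:///scanin", "--output", "/scanout"]},
        {"name": "standards_compliance",
         "args": ["oscapd-evaluate", "scan", "--no-cve-scan", "-j", "4",
                  "--targets", "chroots-in-dir:///scanin", "--output", "/scanout"]},
        {"name": "list",
         "args": ["/bin/ls", "/scanin"]},
    ],
})

_JOBS_LONG = re.compile(r"^--jobs(?:=(\d+))?$")   # --jobs N or --jobs=N
_JOBS_SHORT = re.compile(r"^-j(\d*)$")            # -j N or -jN


def force_single_job(args: List[str]) -> Tuple[List[str], bool]:
    """Return (new_args, changed) with exactly one jobs option set to 1.

    Non-oscapd-evaluate commands are returned untouched.  Any existing jobs
    option, in any of the four spellings, is rewritten to "-j 1"; if none is
    present, "-j 1" is appended as comment 2 suggests.
    """
    if not args or args[0] != "oscapd-evaluate":
        return list(args), False
    out: List[str] = []
    found = False
    i = 0
    while i < len(args):
        tok = args[i]
        m_long, m_short = _JOBS_LONG.match(tok), _JOBS_SHORT.match(tok)
        if m_long or m_short:
            found = True
            attached = (m_long and m_long.group(1)) or (m_short and m_short.group(1))
            if attached:
                i += 1                      # value lives in this token ("-j4", "--jobs=4")
            elif i + 1 < len(args) and args[i + 1].isdigit():
                i += 2                      # value is the next token ("-j 4", "--jobs 4")
            else:
                i += 1                      # option with no value; drop it
            out.extend(["-j", "1"])
            continue
        out.append(tok)
        i += 1
    if not found:
        out.extend(["-j", "1"])
    return out, out != list(args)


def patch_descriptor(text: str) -> Tuple[str, List[str]]:
    """Patch every scan in a JSON descriptor; return (new JSON, names of scans changed)."""
    desc = json.loads(text)
    changed: List[str] = []
    for scan in desc.get("scans", []):
        new_args, did = force_single_job(scan.get("args", []))
        if did:
            scan["args"] = new_args
            changed.append(scan.get("name", "?"))
    return json.dumps(desc, indent=4), changed


if __name__ == "__main__":
    patched, names = patch_descriptor(SAMPLE_DESCRIPTOR)
    print("patched scans:", names)
    print(patched)
```

Running it on the constructed sample reports the "cve" and "standards_compliance" scans as patched (the second had "-j 4", which is rewritten to "-j 1") and leaves the non-oscapd-evaluate "list" scan alone; running it again on its own output reports no changes.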

Comment 3 Daniel Walsh 2016-10-10 14:46:35 UTC
Should this bug be moved to openscap?

Comment 4 Brent Baude 2016-10-10 17:22:36 UTC
Yes, it is a racy type thing.

Comment 5 Brent Baude 2016-10-18 17:39:36 UTC
Fixed upstream -> https://github.com/projectatomic/atomic/pull/692

Comment 6 Brent Baude 2016-10-18 17:42:53 UTC
This should be fixed in atomic-1.13.1-2.el7

Comment 7 Brent Baude 2016-10-18 18:31:50 UTC
The openscap folks cloned this for tracking of the race condition which will require a longer examination.  Reassigning this bz back to atomic.

Comment 9 Alex Jia 2016-11-02 04:11:17 UTC
(In reply to Brent Baude from comment #6)
> This should be fixed in atomic-1.13.1-2.el7

I can find the expected CVE bugs in atomic-1.13.1-2.el7 and the latest atomic-1.13.6-1.el7, so I am moving the bug to VERIFIED status.

Comment 11 errata-xmlrpc 2016-12-06 17:41:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2857.html

