Bug 1464410 - CloudForms Container Scanner is delivering false results - RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)
Status: ASSIGNED
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: SmartState Analysis
Version: 5.8.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: GA
Target Release: 5.8.3
Assigned To: Federico Simoncelli
QA Contact: Einat Pacifici
Whiteboard: container:smartstate
Keywords: TestOnly
Depends On: 1444716
Reported: 2017-06-23 07:29 EDT by Lutz Lange
Modified: 2017-10-17 09:02 EDT
Type: Bug
Cloudforms Team: Container Management

Description Lutz Lange 2017-06-23 07:29:35 EDT
Description of problem:
CloudForms offers Container Scanner functionality based on OpenSCAP. This is currently broken, as we get false positives.

We are scanning a Ruby container image that is based on the rhscl/ruby-23-rhel7 builder image, release 6.9.

This image is listed as having no advisories today in our Red Hat Container Catalog.

However, the OpenSCAP-based Container Scanner keeps finding this:

RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)
This is not relevant, and thus the scanner is broken.

Version-Release number of selected component (if applicable):
CF 4.5 and OCP 3.5

How reproducible:
Build a test workload with the latest ruby-23 builder image.
Run the policy check.

Expected results:
No Advisories found.
Comment 2 Lutz Lange 2017-06-23 07:31:38 EDT
As we are running on x86 this should not matter at all.
Comment 6 Dave Johnson 2017-07-13 23:00:51 EDT
Please assess the impact of this issue and update the severity accordingly. Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition.

If it's something like a tracker bug where it doesn't matter, please set it to Low/Low.
Comment 7 Lutz Lange 2017-07-14 03:58:24 EDT
This is essentially blocking the practical usefulness of container scans. You always get one high-priority false positive. It is important that this is fixed quickly.
Comment 8 Federico Simoncelli 2017-07-14 04:24:14 EDT
(In reply to Lutz Lange from comment #7)
> This is essentially blocking the practical usefulness of container scans. You
> always get one high-priority false positive. It is important that this is
> fixed quickly.

Even though we keep this BZ for tracking purposes (as you can see, it is TestOnly), the real fix will happen in bug 1444716.

So for the real prioritization please refer to bug 1444716.

Currently there's nothing for us to fix here.
Comment 9 Federico Simoncelli 2017-08-22 08:54:10 EDT
Postponing as this BZ is just for tracking progress of bug 1444716.