Bug 1464410 - CloudForms Container Scanner is delivering false results - RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: SmartState Analysis
Version: 5.8.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: GA
Target Release: 5.8.3
Assignee: Barak
QA Contact: Einat Pacifici
URL:
Whiteboard: container:smartstate
Depends On: 1444716
Blocks:
Reported: 2017-06-23 11:29 UTC by Lutz Lange
Modified: 2018-03-01 02:15 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-28 14:14:34 UTC
Category: ---
Cloudforms Team: Container Management
Target Upstream Version:
Embargoed:



Description Lutz Lange 2017-06-23 11:29:35 UTC
Description of problem:
CloudForms does offer a Container Scanner functionality with OpenSCAP. This is currently broken as we get false positives.

Scanning a Ruby Container Image that is based on rhscl/ruby-23-rhel7 builder image release 6.9.

This is listed as having no Advisories today in our Red Hat Container Catalog.

However the OpenSCAP based Container Scanner keeps finding this:

RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)
This is not relevant and thus the scanner is broken.

Version-Release number of selected component (if applicable):
CF 4.5 and OCP 3.5

How reproducible:
Build a test workload with the latest ruby 23 builder image.
Run the policy check.

Expected results:
No Advisories found.
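
The failure mode described above, an advisory for a package that cannot be in the scanned image (a kernel build for another architecture), is something a defender can catch when post-processing scanner output. The following triage filter is an added example, not CloudForms or OpenSCAP code. It assumes advisory findings are available as title strings of the form "RHSA-YYYY:NNNN: <package> ... (<severity>)", that an image's installed package list and architecture are known, and that a trailing architecture suffix on a package name (as in kernel-aarch64) identifies the advisory's target architecture; the list of suffixes, the image contents and the second advisory title are constructed sample data.

```python
"""Triage filter for container-scan advisory findings.

Added example (not CloudForms or OpenSCAP code). Two sanity checks are
applied to each finding: does the package's architecture suffix match the
image's architecture, and is the named package actually installed in the
image? Findings failing either check are marked "suspect" for review
instead of being reported as confirmed vulnerabilities.
"""
import re
from dataclasses import dataclass

# Assumed title layout: "RHSA-YYYY:NNNN: <package> <free text> (<severity>)".
TITLE_RE = re.compile(r"^(RHSA-\d{4}:\d+): (\S+) .*\((\w+)\)$")

# Architecture suffixes a package name may carry (assumption, not exhaustive).
ARCH_SUFFIXES = ("aarch64", "ppc64le", "s390x", "x86_64", "i686")

# Constructed scan output: the real advisory from this report plus a
# placeholder advisory (RHSA-0000:0000 is not a real id) for a package
# that *is* installed, so the filter keeps it.
SCAN_OUTPUT = [
    "RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)",
    "RHSA-0000:0000: ruby security update (Moderate)",
]

# Constructed package inventory of an x86_64 Ruby application image.
IMAGE_PACKAGES = ["ruby", "rubygem-bundler", "glibc", "bash"]
IMAGE_ARCH = "x86_64"


@dataclass
class Finding:
    advisory: str
    package: str
    severity: str
    verdict: str   # "keep" or "suspect"
    reason: str    # empty when verdict is "keep"


def parse_title(title: str):
    """Split an advisory title into (advisory id, package, severity)."""
    m = TITLE_RE.match(title)
    if not m:
        raise ValueError(f"unrecognised advisory title: {title!r}")
    return m.group(1), m.group(2), m.group(3)


def package_arch(package: str):
    """Return the arch encoded in a name such as kernel-aarch64, else None."""
    for arch in ARCH_SUFFIXES:
        if package.endswith("-" + arch):
            return arch
    return None


def triage(titles, installed_packages, image_arch):
    """Classify each advisory title as "keep" or "suspect" with a reason."""
    installed = set(installed_packages)
    findings = []
    for title in titles:
        advisory, package, severity = parse_title(title)
        reasons = []
        pkg_arch = package_arch(package)
        if pkg_arch and pkg_arch != image_arch:
            reasons.append(f"package arch {pkg_arch} != image arch {image_arch}")
        # Compare both the full name and the name without its arch suffix
        # against the inventory (kernel-aarch64 -> kernel).
        base = package[: -len(pkg_arch) - 1] if pkg_arch else package
        if base not in installed and package not in installed:
            reasons.append(f"package {package} not installed in image")
        verdict = "suspect" if reasons else "keep"
        findings.append(Finding(advisory, package, severity, verdict, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SCAN_OUTPUT, IMAGE_PACKAGES, IMAGE_ARCH):
        print(f"{f.advisory} {f.package} [{f.severity}] -> {f.verdict} {f.reason}")
```

Run as a script to see the kernel-aarch64 finding marked suspect on two counts (wrong architecture, package absent) while the advisory for the installed ruby package is kept. The check is a triage aid, not a replacement for fixing the scanner: a suspect finding still deserves a look, but it no longer blocks a policy decision on its own.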

Comment 2 Lutz Lange 2017-06-23 11:31:38 UTC
As we are running on x86 this should not matter at all.

Comment 6 Dave Johnson 2017-07-14 03:00:51 UTC
Please assess the impact of this issue and update the severity accordingly. Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition.

If it's something like a tracker bug where it doesn't matter, please set it to Low/Low.

Comment 7 Lutz Lange 2017-07-14 07:58:24 UTC
This is essentially blocking practical usefulness of Container Scans. You always get one high priority false positive. It is important that this is fixed quickly.

Comment 8 Federico Simoncelli 2017-07-14 08:24:14 UTC
(In reply to Lutz Lange from comment #7)
> This is essentially blocking practical usefulness of Container Scans. You
> always get one high priority false positive. It is important that this is
> fixed quickly.

Even if we keep this BZ for tracking purposes (as you see it is TestOnly) the real fix will happen in bug 1444716.

So for the real prioritization please refer to bug 1444716.

Currently there's nothing for us to fix here.

Comment 9 Federico Simoncelli 2017-08-22 12:54:10 UTC
Postponing as this BZ is just for tracking progress of bug 1444716.

Comment 14 Einat Pacifici 2018-02-05 10:35:44 UTC
Openscap was tested and is verified.

