Containers-roadmap: [ECR][request] Image security scanning return 'undefined'

Created on 29 Oct 2019 · 6 comments · Source: aws/containers-roadmap

Hi,

I gave the latest image security scanning a try. I picked an old, unmaintained image to make sure CVEs are reported correctly, but I found some 'UNDEFINED' results:


Digging deeper, CVE-2018-1060 is supposed to be marked as high risk:


Is this a bug, or is it just something missing in documentation?

ECR

All 6 comments

Thanks for reporting this @zanhsieh! In order for us to be able to reproduce this, can you share some more details, what image or repo are we talking about? (if you can't or don't want to share here in public, you could mail the info to me via [email protected]). Also, FWIW, we're in the process of testing the fix for https://github.com/coreos/clair/issues/863#issuecomment-545598609.

@mhausenblas
Email sent.

Here is the recap of the email I sent to @mhausenblas on how to reproduce it using only publicly available resources:

I managed to find a way to reproduce the "undefined" error.

Dockerfile.debian

    # Old, unmaintained base image so the scan has known CVEs to report
    FROM debian:jessie

    # -y is required: docker build has no terminal to answer apt's confirmation prompt
    RUN set -eux && \
        apt-get update && \
        apt-get install -y sqlite3=3.8.7.1-1+deb8u2 \
            sqlite3=3.8.7.1-1+deb8u4

Build with:

docker build -t mingchin-test/debian:jessie -f Dockerfile.debian .

Then re-tag and push it into ECR, select the image, and click Scan. It should show "17 Low + 70 others (details)". Click "details" and scroll down to the bottom of the pages; you should find lots of "undefined".

Same here. Majority of the vulnerabilities are UNDEFINED in my case for most of the images.

Thanks for bringing this to our attention. I have replicated this issue using @zanhsieh's Dockerfile, and we identified that a subset of vulnerabilities were not being correctly assigned a severity.

This is because the XML NVD Vulnerability data-feed has been deprecated. The following Clair commit fixes this issue: https://github.com/coreos/clair/commit/aab46f5658cf5a75262945033cb41d93af5f2131. We will submit a PR in the coming days to include this change in Clair's 2.0 release branch.

We are actively working to get this fix rolled out as quickly as possible, which should result in a sharp decrease of UNDEFINED severities appearing in scans. I will update this issue once the fix has been applied.

We deployed a fix today that improves the vulnerability severity assignment. You should see a reduction in the number of UNDEFINED vulnerabilities for scanned images.
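An added example, not from the issue thread or from AWS: a small Python audit over the response shape of ECR's DescribeImageScanFindings that tallies severities, lists the findings left UNDEFINED, and fails the scan when their share exceeds a threshold, so a pipeline can notice the severity-assignment gap discussed above instead of silently passing images it cannot gate. The sample response is constructed (CVE-2018-1060 is the finding from the report; the package attributes and CVE-SAMPLE-* names are placeholders), and `max_undefined_ratio` is an assumed policy knob, not an ECR parameter.

```python
from collections import Counter

# Constructed sample in the shape of a DescribeImageScanFindings response, trimmed to
# the fields used below. CVE-2018-1060 is the finding from the report; the package
# attributes and the CVE-SAMPLE-* names are placeholders, not real scan output.
SAMPLE_RESPONSE = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {
        "findingSeverityCounts": {"LOW": 1, "UNDEFINED": 2},
        "findings": [
            {"name": "CVE-2018-1060", "severity": "UNDEFINED",
             "attributes": [{"key": "package_name", "value": "python2.7"},
                            {"key": "package_version", "value": "0.0-placeholder"}]},
            {"name": "CVE-SAMPLE-0001", "severity": "UNDEFINED", "attributes": []},
            {"name": "CVE-SAMPLE-0002", "severity": "LOW", "attributes": []},
        ],
    },
}

def _attrs(finding):
    """Flatten ECR's key/value attribute list into a plain dict."""
    return {a["key"]: a["value"] for a in finding.get("attributes", [])}

def audit_scan(response, max_undefined_ratio=0.10):
    """Summarise a scan; fail it when too many findings carry no severity (assumed policy knob)."""
    scan = response.get("imageScanFindings", {})
    findings = scan.get("findings", [])
    counts = Counter(f.get("severity", "UNDEFINED") for f in findings)
    undefined = [{"name": f["name"], **_attrs(f)} for f in findings
                 if f.get("severity", "UNDEFINED") == "UNDEFINED"]
    ratio = len(undefined) / len(findings) if findings else 0.0
    # The service's own per-severity counts should match our tally; a mismatch usually
    # means the findings list was paginated and not fully collected.
    counts_match = all(counts.get(k, 0) == v for k, v in scan.get("findingSeverityCounts", {}).items())
    status = response.get("imageScanStatus", {}).get("status")
    return {"status": status, "counts": dict(counts), "undefined": undefined,
            "undefined_ratio": ratio, "counts_match": counts_match,
            "fail": status != "COMPLETE" or ratio > max_undefined_ratio}

def fetch_all_findings(repository, tag, region=None):
    """Collect every page of DescribeImageScanFindings with boto3 (needs AWS credentials)."""
    import boto3  # imported lazily so the offline sample above runs without boto3
    paginator = boto3.client("ecr", region_name=region).get_paginator("describe_image_scan_findings")
    merged = None
    for page in paginator.paginate(repositoryName=repository, imageId={"imageTag": tag}):
        if merged is None:
            merged = page
        else:
            merged["imageScanFindings"]["findings"].extend(page["imageScanFindings"]["findings"])
    return merged
```

Run `audit_scan(fetch_all_findings("my-repo", "jessie"))` against a real repository to apply the same gate to a live scan.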
