Docker image scans failing to discover vulnerabilities for CentOS 6.9


Are there any known limitations of the registry sync application and/or Docker image scanner that would cause them to fail to find vulnerabilities for CentOS 6.9 images?

I’m asking because when I run scans against the official CentOS 6.9 image, the image scanners do not return any vulnerabilities. But I know for a fact that there are some vulnerabilities based on the versions of certain packages installed in the image.

Here are full steps to reproduce locally:

docker pull centos:6.9@sha256:6fff0a9edc920968351eb357c5b84016000fec6956e6d745f695e5a34f18ecd2
docker save centos:6.9@sha256:6fff0a9edc920968351eb357c5b84016000fec6956e6d745f695e5a34f18ecd2 -o ./test_image_centos.tar
docker run -it -v "${PWD}/test_image_centos.tar":/newFile.tar rapid7/container-image-scanner:latest -f newFile.tar -k "${valid-key}" -r us
# notice that the image scanner finds 0 vulnerabilities
# now try it with trivy and see that it discovers 675 vulnerabilities
docker run --rm aquasec/trivy centos:6.9@sha256:6fff0a9edc920968351eb357c5b84016000fec6956e6d745f695e5a34f18ecd2

For instance, in this image, the installed version of yum-plugin-fastestmirror is 1.1.30-40.el6, and there is a CVE associated with that version: CVE-2018-10897. You can validate that this is the version installed with this command:

docker run centos:6.9@sha256:6fff0a9edc920968351eb357c5b84016000fec6956e6d745f695e5a34f18ecd2 rpm -qa 'yum-plugin-fastestmirror'

Can someone help me understand why the image scanner is not working?

Note that this is also true for the image vulnerabilities hosted via the central InsightVM. Here is a link to the centos:6.9 image there; it also incorrectly shows 0 vulnerabilities, and it was scanned back in March.
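
Added example, not part of the original post and not code from either scanner: a sketch of the package-version check the post relies on, comparing installed RPM builds against "first fixed" builds with rpm's segment-wise ordering. The advisory table, the fixed builds and the `examplepkg` package are constructed placeholders, and tilde/caret version sorting is not handled.

```python
import re

def rpmvercmp(a, b):
    """Order two version or release strings the way rpm does, segment by
    segment (tilde/caret sorting not handled). Returns -1, 0 or 1."""
    ta = re.findall(r"\d+|[A-Za-z]+", a)
    tb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric segments compare as numbers
        elif x.isdigit():
            return 1                       # numeric segment beats alphabetic
        elif y.isdigit():
            return -1
        if x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))  # leftover segments win

def split_evr(evr):
    """Split '[epoch:]version-release'; a missing epoch counts as 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evr_lt(a, b):
    """True when build a is older than build b."""
    (ea, va, ra), (eb, vb, rb) = split_evr(a), split_evr(b)
    if ea != eb:
        return ea < eb
    return (rpmvercmp(va, vb) or rpmvercmp(ra, rb)) < 0

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output.
INSTALLED = "yum-plugin-fastestmirror 1.1.30-40.el6\nexamplepkg 2.0-3.el6\n"

# Constructed advisory table: (CVE id, first fixed build). The fixed builds
# are placeholders, not values taken from a vendor feed.
FIXED_IN = {
    "yum-plugin-fastestmirror": [("CVE-2018-10897", "1.1.30-999.el6")],
    "examplepkg": [("CVE-PLACEHOLDER", "2.0-3.el6")],
}

def find_vulnerable(installed_text, fixed_in):
    """Return (name, installed build, CVE) for builds older than the fix."""
    findings = []
    for line in installed_text.splitlines():
        name, evr = line.split()
        for cve, fixed in fixed_in.get(name, []):
            if evr_lt(evr, fixed):
                findings.append((name, evr, cve))
    return findings

if __name__ == "__main__":
    for finding in find_vulnerable(INSTALLED, FIXED_IN):
        print(*finding)
```

Feeding it the real `rpm -qa` output from the image and a real advisory feed gives an independent count to compare against what each scanner reports.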