On Sun, Oct 6, 2019, 10:08 AM Scott McCarty <smccarty@redhat.com> wrote:
Bryan,
What version of kernel-headers are you seeing in the image? I think this might be some kind of mistake with the scanning. I have a vague recollection that some scanners mess up kernel headers. The kernel headers is just code, so it can't really have vulnerabilities. If I understand the problem correctly:

1. You don't really have a security vulnerability problem
2. The scanner might be giving you a false positive
3. And/Or, the kernel-headers really might not be getting updated

It is also possible the scanner is picking up a low severity CVE that is actually unfixed still, but as Scott says it's still a false positive.

josh

On Sun, Oct 6, 2019 at 9:01 AM <bryan.hepworth@gmail.com> wrote:
Hi all

Not sure this is the best place to ask or not, scenario is as follows: -

building container with podman locally to check it does build - trying it in quay.io and I'm bumping up against a vulnerability I can't seem to correct which I'm thinking is something I'm doing.

I'm uploading a Dockerfile (for want of a better file name) to start the build, but it always finds a vulnerability in kernel-headers for ubi7 which I can't seem to get to update from the build despite yum -y update - it's the gcc package that it loads up.

Dockerfile looks like this: -

FROM registry.access.redhat.com/ubi7/ubi
RUN yum -y update && yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && yum -y update && yum -y install python2 && yum -y install make && yum -y install gcc && yum -y install redhat-rpm-config && yum -y install zlib-devel && yum -y install bzip2 && yum -y install xz-devel && yum -y install python2-devel && yum -y install git && yum -y install python2-pip && yum -y install wget && yum -y install sudo && yum -y install bash && yum clean all
CMD ["/bin/bash"]
USER 0
RUN curl -o miniconda.sh https://repo.continuum.io/miniconda/Miniconda2-latest-Linux-x86_64.sh
RUN bash miniconda.sh -b -p /opt/miniconda
RUN ln -s /opt/miniconda/bin/python /usr/local/bin/python
RUN ln -s /opt/miniconda/bin/pip /usr/local/bin/pip
RUN ln -s /opt/miniconda/bin/conda /usr/local/bin/conda
RUN conda config --add channels defaults
RUN conda config --add channels bioconda
RUN conda config --add channels conda-forge
RUN conda init bash
RUN echo y | conda create -n clairvoyante-conda-env -c bioconda clairvoyante

The quay.io creation is here: -

https://quay.io/repository/bryanhepworth/clairvoyante?tab=tags

Any help most gratefully received.

Bryan
_______________________________________________
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io


-- 
Scott McCarty, RHCA
Product Management - Containers, Red Hat Enterprise Linux & OpenShift
Email: smccarty@redhat.com
Phone: 312-660-3535
Cell: 330-807-1043
Web: http://crunchtools.com

Have questions on Red Hat UBI? Check out the official FAQ: https://red.ht/2yaUcez
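
Added example (not part of the original thread, and not any scanner's own code): one way to tell Scott's cases 2 and 3 apart is to take the build printed by `rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel-headers` inside the image and compare it with the build the scanner lists as fixed, using RPM's segment-wise ordering rather than plain string comparison. The function names and version strings below are constructed for illustration, and the ordering is simplified (no `~` or `^` handling).

```python
import re

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified RPM ordering: compare digit/letter segments left to right."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer
        if x.isdigit():
            x, y = int(x), int(y)  # 957 < 1062, unlike string comparison
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_evr(evr):
    """Split '[epoch:]version-release'; a missing epoch counts as 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def compare_evr(a, b):
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def triage(installed, fixed_in=None):
    """Classify one scanner finding for a package."""
    if fixed_in is None:
        return "no fixed build listed: yum update cannot clear this finding"
    if compare_evr(installed, fixed_in) >= 0:
        return "false positive: installed build is at or past the fixed build"
    return "not updated: installed build is older than the fixed build"

if __name__ == "__main__":
    # Constructed sample values, not taken from the image in this thread.
    for installed, fixed in [("3.10.0-1062.1.2.el7", "3.10.0-1062.el7"),
                             ("3.10.0-957.el7", "3.10.0-1062.el7"),
                             ("3.10.0-1062.el7", None)]:
        print(installed, "->", triage(installed, fixed))
```
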