Open
Labels: triaged (The maintainers have seen this issue)
Description
Description of Problem / Feature Request
In the ubuntu:bionic image, Clair v4 finds duplicate CVEs for the package libzstd1:
$ ./clairctl report ubuntu:bionic
ubuntu:bionic found passwd 1:4.5-1ubuntu2 CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found passwd 1:4.5-1ubuntu2 CVE-2018-7169 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found ncurses-base 6.1-1ubuntu1.18.04 CVE-2018-19211 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found ncurses-base 6.1-1ubuntu1.18.04 CVE-2019-17594 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found ncurses-base 6.1-1ubuntu1.18.04 CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2009-5155 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2015-8985 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2016-10228 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2016-10739 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2019-25013 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2020-27618 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2020-6096 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2021-3326 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2018-20796 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2019-1010022 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2019-1010023 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2019-1010024 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2019-6488 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2019-7309 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2021-27645 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2020-27618 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found gcc-8-base 8.4.0-1ubuntu1~18.04 CVE-2018-12886 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found gcc-8-base 8.4.0-1ubuntu1~18.04 CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found gcc-8-base 8.4.0-1ubuntu1~18.04 CVE-2020-13844 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libtinfo5 6.1-1ubuntu1.18.04 CVE-2018-19211 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libtinfo5 6.1-1ubuntu1.18.04 CVE-2019-17594 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libtinfo5 6.1-1ubuntu1.18.04 CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libstdc++6 8.4.0-1ubuntu1~18.04 CVE-2018-12886 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libstdc++6 8.4.0-1ubuntu1~18.04 CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libstdc++6 8.4.0-1ubuntu1~18.04 CVE-2020-13844 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found gpgv 2.2.4-1ubuntu1.4 CVE-2019-13050 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found login 1:4.5-1ubuntu2 CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found login 1:4.5-1ubuntu2 CVE-2018-7169 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found ncurses-bin 6.1-1ubuntu1.18.04 CVE-2018-19211 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found ncurses-bin 6.1-1ubuntu1.18.04 CVE-2019-17594 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found ncurses-bin 6.1-1ubuntu1.18.04 CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libgcc1 1:8.4.0-1ubuntu1~18.04 CVE-2018-12886 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libgcc1 1:8.4.0-1ubuntu1~18.04 CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libgcc1 1:8.4.0-1ubuntu1~18.04 CVE-2020-13844 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libudev1 237-3ubuntu10.44 CVE-2018-20839 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libudev1 237-3ubuntu10.44 CVE-2019-9619 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libudev1 237-3ubuntu10.44 CVE-2020-13776 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libnettle6 3.4-1 CVE-2018-16869 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found liblz4-1 0.0~r131-2ubuntu3 CVE-2019-17543 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libgcrypt20 1.8.1-4ubuntu1.2 CVE-2019-12904 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libncursesw5 6.1-1ubuntu1.18.04 CVE-2018-19211 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libncursesw5 6.1-1ubuntu1.18.04 CVE-2019-17594 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libncursesw5 6.1-1ubuntu1.18.04 CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found bash 4.4.18-2ubuntu1.2 CVE-2019-18276 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libncurses5 6.1-1ubuntu1.18.04 CVE-2018-19211 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libncurses5 6.1-1ubuntu1.18.04 CVE-2019-17594 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libncurses5 6.1-1ubuntu1.18.04 CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libgnutls30 3.5.18-1ubuntu1.4 CVE-2018-16868 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libgnutls30 3.5.18-1ubuntu1.4 CVE-2021-20231 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libgnutls30 3.5.18-1ubuntu1.4 CVE-2021-20232 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libsystemd0 237-3ubuntu10.44 CVE-2018-20839 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libsystemd0 237-3ubuntu10.44 CVE-2019-9619 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libsystemd0 237-3ubuntu10.44 CVE-2020-13776 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libzstd1 1.3.3+dfsg-2ubuntu1.1 CVE-2021-24031 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libzstd1 1.3.3+dfsg-2ubuntu1.1 CVE-2021-24032 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libzstd1 1.3.3+dfsg-2ubuntu1.1 CVE-2021-24031 on Ubuntu 18.04 LTS (bionic) - medium. (fixed: 0:1.3.3+dfsg-2ubuntu1.2)
ubuntu:bionic found libzstd1 1.3.3+dfsg-2ubuntu1.1 CVE-2021-24032 on Ubuntu 18.04 LTS (bionic) - medium. (fixed: 0:1.3.3+dfsg-2ubuntu1.2)
ubuntu:bionic found libzstd1 1.3.3+dfsg-2ubuntu1.1 CVE-2021-24031 on Ubuntu 18.04 LTS (bionic) - medium. (fixed: 0:1.3.3+dfsg-2ubuntu1.2)
ubuntu:bionic found libzstd1 1.3.3+dfsg-2ubuntu1.1 CVE-2021-24032 on Ubuntu 18.04 LTS (bionic) - medium. (fixed: 0:1.3.3+dfsg-2ubuntu1.2)
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2009-5155 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2015-8985 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2016-10228 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2016-10739 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2019-25013 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2020-27618 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2020-6096 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2021-3326 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2018-20796 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2019-1010022 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2019-1010023 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2019-1010024 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2019-6488 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2019-7309 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2021-27645 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2020-27618 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libpcre3 2:8.39-9 CVE-2017-11164 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libpcre3 2:8.39-9 CVE-2019-20838 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libpcre3 2:8.39-9 CVE-2020-14155 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found coreutils 8.28-1ubuntu1 CVE-2016-2781 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found coreutils 8.28-1ubuntu1 CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found tar 1.29b-2ubuntu0.2 CVE-2021-20193 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libtasn1-6 4.13-2 CVE-2018-1000654 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libhogweed4 3.4-1 CVE-2018-16869 on Ubuntu 18.04 LTS (bionic) - low.
These duplicate CVEs are present in the database as separate rows with different IDs, and they differ in the fields fixed_in_version and description:
-[ RECORD 3 ]----------+----------------------------------------------------------------------------------------------------------------------------------
id | 168079564
hash_kind | md5
hash | \x12c86ca1844458d93764b733beb604d6
updater | ubuntu-bionic-updater
name | CVE-2021-24031 on Ubuntu 18.04 LTS (bionic) - medium.
description | zstd adds read permissions to files while being compressed or uncompressed
issued | 0001-01-01 00:00:00+00
links | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24031 http://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-24031.html http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404 https://github.com/facebook/zstd/issues/1630
severity |
normalized_severity | Medium
package_name | libzstd1
package_version |
package_module |
package_arch |
package_kind | binary
dist_id | ubuntu
dist_name | Ubuntu
dist_version | 18.04.3 LTS (Bionic Beaver)
dist_version_code_name | bionic
dist_version_id | 18.04
dist_arch |
dist_cpe |
dist_pretty_name | Ubuntu 18.04.3 LTS
repo_name |
repo_key |
repo_uri |
fixed_in_version |
arch_operation | invalid
vulnerable_range | empty
version_kind |
-[ RECORD 11 ]---------+----------------------------------------------------------------------------------------------------------------------------------
id | 229026487
hash_kind | md5
hash | \x483176d55a10232efd722a7a3bd1523b
updater | ubuntu-bionic-updater
name | CVE-2021-24031 on Ubuntu 18.04 LTS (bionic) - medium.
description | zstd adds read permissions to files while being compressed or uncompressed
issued | 0001-01-01 00:00:00+00
links | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24031 http://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-24031.html https://usn.ubuntu.com/usn/usn-4760-1 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404 https://github.com/facebook/zstd/issues/1630
severity |
normalized_severity | Medium
package_name | libzstd1
package_version |
package_module |
package_arch |
package_kind | binary
dist_id | ubuntu
dist_name | Ubuntu
dist_version | 18.04.3 LTS (Bionic Beaver)
dist_version_code_name | bionic
dist_version_id | 18.04
dist_arch |
dist_cpe |
dist_pretty_name | Ubuntu 18.04.3 LTS
repo_name |
repo_key |
repo_uri |
fixed_in_version | 0:1.3.3+dfsg-2ubuntu1.2
arch_operation | invalid
vulnerable_range | empty
version_kind |
-[ RECORD 17 ]---------+----------------------------------------------------------------------------------------------------------------------------------
id | 244074097
hash_kind | md5
hash | \x6e56deaf1e258356e6d52a18e7f4e58f
updater | ubuntu-bionic-updater
name | CVE-2021-24031 on Ubuntu 18.04 LTS (bionic) - medium.
description | In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.
issued | 0001-01-01 00:00:00+00
links | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24031 http://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-24031.html https://usn.ubuntu.com/usn/usn-4760-1 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404 https://github.com/facebook/zstd/issues/1630
severity |
normalized_severity | Medium
package_name | libzstd1
package_version |
package_module |
package_arch |
package_kind | binary
dist_id | ubuntu
dist_name | Ubuntu
dist_version | 18.04.3 LTS (Bionic Beaver)
dist_version_code_name | bionic
dist_version_id | 18.04
dist_arch |
dist_cpe |
dist_pretty_name | Ubuntu 18.04.3 LTS
repo_name |
repo_key |
repo_uri |
fixed_in_version | 0:1.3.3+dfsg-2ubuntu1.2
arch_operation | invalid
vulnerable_range | empty
version_kind |
Environment
Clair version/image: v4.0
Clair client name/version:
Host OS: ubuntu:bionic
Kernel (e.g. uname -a):
Kubernetes version (use kubectl version):
Network/Firewall setup:
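Until the duplicate rows are resolved on the Clair side, a report like the one above is easier to triage once the repeated findings are collapsed. The Python script below is an added example, not part of this issue and not code from Clair or clairctl. It parses `clairctl report` lines in the format shown above (the line format is assumed from that output), groups findings by image, package, version and CVE, and keeps one entry per group, preferring the copy that carries a fixed version. The sample input is a subset of the lines from the report above; note that CVE-2020-27618 on libc-bin also appears twice there, without any field differing.

```python
import re
from collections import defaultdict

# One line of `clairctl report` output, in the format shown in the issue
# (assumed from that output). The trailing "(fixed: ...)" part is optional.
LINE_RE = re.compile(
    r"^(?P<image>\S+) found (?P<package>\S+) (?P<version>\S+) "
    r"(?P<cve>CVE-\d{4}-\d+) on (?P<dist>.+?) - (?P<severity>\w+)\."
    r"(?: \(fixed: (?P<fixed>\S+)\))?$"
)

# Constructed sample input: a subset of the lines from the issue's report.
SAMPLE_REPORT = """\
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2020-27618 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2021-27645 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2020-27618 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libzstd1 1.3.3+dfsg-2ubuntu1.1 CVE-2021-24031 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libzstd1 1.3.3+dfsg-2ubuntu1.1 CVE-2021-24032 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libzstd1 1.3.3+dfsg-2ubuntu1.1 CVE-2021-24031 on Ubuntu 18.04 LTS (bionic) - medium. (fixed: 0:1.3.3+dfsg-2ubuntu1.2)
ubuntu:bionic found libzstd1 1.3.3+dfsg-2ubuntu1.1 CVE-2021-24032 on Ubuntu 18.04 LTS (bionic) - medium. (fixed: 0:1.3.3+dfsg-2ubuntu1.2)
ubuntu:bionic found libzstd1 1.3.3+dfsg-2ubuntu1.1 CVE-2021-24031 on Ubuntu 18.04 LTS (bionic) - medium. (fixed: 0:1.3.3+dfsg-2ubuntu1.2)
ubuntu:bionic found libpcre3 2:8.39-9 CVE-2019-20838 on Ubuntu 18.04 LTS (bionic) - low.
"""


def finding_key(f):
    """The identity of a finding: same image, package, version and CVE."""
    return (f["image"], f["package"], f["version"], f["cve"])


def parse_report(text):
    """Parse report lines into dicts; fail loudly on a line we do not understand,
    so a format change in the tool is noticed rather than silently dropped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised report line: {line!r}")
        findings.append(m.groupdict())
    return findings


def find_duplicates(findings):
    """Return {key: [finding, ...]} for every key reported more than once."""
    groups = defaultdict(list)
    for f in findings:
        groups[finding_key(f)].append(f)
    return {k: v for k, v in groups.items() if len(v) > 1}


def dedupe(findings):
    """Collapse duplicates to one finding per key, preserving first-seen order.
    When copies disagree, prefer the one that names a fixed version, because
    that is the actionable detail a triager needs (whether an upgrade exists)."""
    best, order = {}, []
    for f in findings:
        key = finding_key(f)
        if key not in best:
            best[key] = f
            order.append(key)
        elif best[key]["fixed"] is None and f["fixed"] is not None:
            best[key] = f
    return [best[k] for k in order]


if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    for key, copies in find_duplicates(findings).items():
        fixed_values = sorted({str(c["fixed"]) for c in copies})
        print(f"{len(copies)}x {key[1]} {key[2]} {key[3]} fixed={fixed_values}")
    print(f"{len(findings)} findings -> {len(dedupe(findings))} after dedupe")
```

Pipe the real report into `parse_report` (for example via `sys.stdin.read()`) to run it against a full scan; the duplicate summary makes it obvious which CVE rows disagree only in their fixed version, which is exactly the symptom described in this issue.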