Klar analysis always returns "contains NO unapproved vulnerabilities", even though the image has vulnerabilities
Summary
Klar analysis always returns "contains NO unapproved vulnerabilities", even though the image has vulnerabilities.
Steps to reproduce
Run the steps under: https://docs.gitlab.com/ee/user/application_security/container_scanning/#running-the-standalone-container-scanning-tool, but use an old version of UBI (that we know has vulnerabilities):
docker run \
--interactive --rm \
--volume "$PWD":/tmp/app \
-e CI_PROJECT_DIR=/tmp/app \
-e CLAIR_DB_CONNECTION_STRING="postgresql://postgres:password@${LOCAL_MACHINE_IP_ADDRESS}:5432/postgres?sslmode=disable&statement_timeout=60000" \
-e CI_APPLICATION_REPOSITORY="registry.access.redhat.com/ubi7/ubi" \
-e CI_APPLICATION_TAG="7.6-239" \
registry.gitlab.com/gitlab-org/security-products/analyzers/klar
Link to this image's health: https://access.redhat.com/containers/?architecture=AMD64#/registry.access.redhat.com/ubi7/ubi/images/7.6-239
What is the current bug behavior?
No vulnerabilities are detected in the scanned image.
What is the expected correct behavior?
I should see the same vulnerabilities that Red Hat's report specifies (3 important vulnerabilities, for example).
Relevant logs and/or screenshots
[INFO] ▶ GitLab klar analyzer v2.2.1
[WARN] ▶ Whitelist file with path 'clair-whitelist.yml' does not exist, skipping
[INFO] ▶ DOCKER_USER and DOCKER_PASSWORD environment variables have not been configured. Defaulting to DOCKER_USER=$CI_REGISTRY_USER and DOCKER_PASSWORD=$CI_REGISTRY_PASSWORD
[INFO] ▶ Successfully connected to the vulnerabilities database
[INFO] ▶ Started Clair server process with PID: 11
[INFO] ▶ Waiting for Clair API to start...
[WARN] ▶ Clair API not ready, waiting 2s before retrying. Retry 1 of 10
[WARN] ▶ Clair log contents:
{"Event":"running database migrations","Level":"info","Location":"pgsql.go:216","Time":"2020-03-19 21:58:38.889189"}
[WARN] ▶ Clair log contents:
{"Event":"database migration ran successfully","Level":"info","Location":"pgsql.go:223","Time":"2020-03-19 21:58:38.895793"}
[WARN] ▶ Clair log contents:
{"Event":"notifier service is disabled","Level":"info","Location":"notifier.go:77","Time":"2020-03-19 21:58:38.896138"}
{"Event":"starting main API","Level":"info","Location":"api.go:52","Time":"2020-03-19 21:58:38.896175","port":6060}
{"Event":"starting health API","Level":"info","Location":"api.go:85","Time":"2020-03-19 21:58:38.896882","port":6061}
{"Event":"updater service is disabled.","Level":"info","Location":"updater.go:78","Time":"2020-03-19 21:58:38.896967"}
[INFO] ▶ Clair API started successfully.
[INFO] ▶ Scanning container from registry 'registry.access.redhat.com/ubi7/ubi:7.6-239' for vulnerabilities with severity level 'Unknown' or higher with klar '2.4.0' and clair 'v2.1.2'
[INFO] ▶ Shutting down Clair server with PID: 11
[INFO] ▶ Clair server shut down successfully
[WARN] ▶ Encountered error while reading Dockerfile for remediation, halting remediation processing. Error: Dockerfile does not exist
[INFO] ▶ Image [registry.access.redhat.com/ubi7/ubi:7.6-239] contains NO unapproved vulnerabilities
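As an added example (not part of this issue or of the klar analyzer's own code), the following Python check shows one way a CI job could catch this class of false negative: it parses the analyzer's log output above and, for a "canary" image whose vulnerability count is independently known (here the 3 important findings Red Hat's report lists for ubi7/ubi:7.6-239), treats a "contains NO unapproved vulnerabilities" verdict as a scanner failure rather than a clean result. The regular expressions are derived from the log lines quoted above, the sample log and the KNOWN_VULNERABLE table are constructed for the example, and the diagnostic notes only restate what the log itself shows (no whitelist loaded, Clair updater disabled); they do not assert a root cause.

```python
"""Canary check for a container-scanning job: a 'no vulnerabilities' verdict on
an image that is independently known to be vulnerable is reported as a
suspected scanner false negative instead of being accepted as clean."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the analyzer log quoted in this issue.
SAMPLE_LOG = """[INFO] ▶ GitLab klar analyzer v2.2.1
[WARN] ▶ Whitelist file with path 'clair-whitelist.yml' does not exist, skipping
[INFO] ▶ Successfully connected to the vulnerabilities database
[WARN] ▶ Clair log contents:
{"Event":"updater service is disabled.","Level":"info","Location":"updater.go:78","Time":"2020-03-19 21:58:38.896967"}
[INFO] ▶ Scanning container from registry 'registry.access.redhat.com/ubi7/ubi:7.6-239' for vulnerabilities with severity level 'Unknown' or higher with klar '2.4.0' and clair 'v2.1.2'
[INFO] ▶ Image [registry.access.redhat.com/ubi7/ubi:7.6-239] contains NO unapproved vulnerabilities
"""

# Constructed second sample: an image that is not in the canary table, so a
# clean verdict for it is accepted as-is.
OTHER_CLEAN_LOG = """[INFO] ▶ Scanning container from registry 'example.invalid/app:1.0' for vulnerabilities with severity level 'Unknown' or higher with klar '2.4.0' and clair 'v2.1.2'
[INFO] ▶ Image [example.invalid/app:1.0] contains NO unapproved vulnerabilities
"""

# Constructed canary table: image -> minimum number of vulnerabilities that an
# independent source reports for it (3 important findings per Red Hat's report).
KNOWN_VULNERABLE: Dict[str, int] = {
    "registry.access.redhat.com/ubi7/ubi:7.6-239": 3,
}

# Patterns derived from the analyzer's log lines quoted in the issue.
SCAN_RE = re.compile(
    r"Scanning container from registry '(?P<image>[^']+)'"
    r".*with klar '(?P<klar>[^']+)' and clair '(?P<clair>[^']+)'"
)
VERDICT_CLEAN_RE = re.compile(r"Image \[(?P<image>[^\]]+)\] contains NO unapproved vulnerabilities")


@dataclass
class ScanSummary:
    image: Optional[str] = None
    klar_version: Optional[str] = None
    clair_version: Optional[str] = None
    whitelist_skipped: bool = False   # no clair-whitelist.yml was loaded
    updater_disabled: bool = False    # Clair's own updater did not run
    reported_clean: bool = False      # final verdict was "NO unapproved vulnerabilities"


def parse_scan_log(text: str) -> ScanSummary:
    """Extract the facts the canary check needs from the analyzer's log."""
    s = ScanSummary()
    for line in text.splitlines():
        m = SCAN_RE.search(line)
        if m:
            s.image = m.group("image")
            s.klar_version = m.group("klar")
            s.clair_version = m.group("clair")
            continue
        if VERDICT_CLEAN_RE.search(line):
            s.reported_clean = True
        elif "Whitelist file" in line and "does not exist" in line:
            s.whitelist_skipped = True
        elif '"Event":"updater service is disabled' in line:
            s.updater_disabled = True
    return s


def canary_check(summary: ScanSummary, known: Dict[str, int] = KNOWN_VULNERABLE) -> List[str]:
    """Return a list of problems; an empty list means the verdict is plausible."""
    problems: List[str] = []
    expected = known.get(summary.image or "")
    if expected is None or not summary.reported_clean:
        return problems
    problems.append(
        f"{summary.image}: scanner (klar {summary.klar_version}, clair {summary.clair_version}) "
        f"reported no vulnerabilities, but at least {expected} are expected; suspected false negative"
    )
    if summary.whitelist_skipped:
        # With no whitelist loaded nothing could have been 'approved' away,
        # so 'NO unapproved vulnerabilities' means zero findings at all.
        problems.append("no whitelist was loaded, so the verdict means zero findings, not zero after approval")
    if summary.updater_disabled:
        problems.append("Clair updater is disabled, so the result rests entirely on the pre-populated database")
    return problems


def exit_code(problems: List[str]) -> int:
    """Non-zero when the verdict should fail the job."""
    return 1 if problems else 0


if __name__ == "__main__":
    found = canary_check(parse_scan_log(SAMPLE_LOG))
    for p in found:
        print("CANARY:", p)
    raise SystemExit(exit_code(found))
```

Running the module as a script over the sample log exits non-zero and prints the three notes, which is the behaviour a pipeline would want for the scan shown in this issue; the same check against OTHER_CLEAN_LOG passes, because that image has no independently known count to contradict the verdict.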
Output of checks
Possible fixes
(If you can, link to the line of code that might be responsible for the problem)