Container scanning is missing coverage for Oracle distributions
Summary
Container scanning currently does not detect any vulnerabilities in containers using Oracle Linux distributions.
Background
While implementing &7395 (closed) (container scanning database with GitLab advisory data), we did an audit of how the data sources used in the Trivy database were licensed. The Alpine and Oracle data sources had licensing restrictions which prohibited us from using them (see this comment for Oracle licensing restriction details), so we had to remove both of those data sources when building the GitLab vulnerability DB. Due to the very widespread usage of Alpine in containers, we worked urgently to restore coverage for Alpine (#361763 (closed)). However, Oracle Linux was overlooked, and we never restored coverage for it.
Workaround
Container scanning also ships with the original Trivy database for free tier users. This database has coverage for Oracle. You can replace the EE database with it as a temporary workaround:
include:
  - template: Jobs/Container-Scanning.gitlab-ci.yml

container_scanning:
  before_script:
    - cp -r /home/gitlab/.cache/trivy/ce/db /home/gitlab/.cache/trivy/ee/