Hello,

My name is Louis and I'm the core maintainer of Clair: https://github.com/quay/clair

Clair is a project for scanning containers for vulnerabilities. We'd like to support CentOS, but we need a little help in the form of information gathering.

For Clair to properly support a distribution, we typically require it to have an official upstream vulnerability database. For example, RHEL has its own OVAL v2 feeds, as do Ubuntu, SUSE, etc.

What we are trying to determine is how we can extract packages from CentOS containers and match them against known vulnerabilities. We have the first half worked out already: we have generic RPM database scanners which extract package names and versions. The second half is where we need some more information.

A few questions:

* Does CentOS maintain its own security database for packages in its downstream repositories?
* If not, can we reliably treat CentOS packages (name, version) identically to the way we treat RHEL packages? (For instance, if we find package A with version B, can we attempt to match this against RHEL's OVAL v2 stream?)
* Can you provide any information on package naming, versioning, and packaging that creates a difference between RHEL packages and CentOS packages?

Thank you for your time, I look forward to hearing back.
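The "second half" the message describes (take the name and version the RPM scanner extracted and decide whether it is below the fixed version an OVAL definition names) comes down to RPM's EVR comparison. The following is an added example written for this page, not Clair's code and not taken from the OVAL feeds: it reimplements the rpmvercmp segment rules (tilde sorts before anything, caret sorts after end of string but before anything else, numeric segments beat alphabetic ones) in Python and runs constructed NEVRA strings against constructed advisory records. The advisory ids, package versions and the hypothetical downstream release tag `1.el8.centos` are all invented for illustration; they are not real advisories or real CentOS build strings.

```python
"""Match installed RPM NEVRAs against OVAL-style "fixed in EVR" records.

Constructed example for the thread above; not Clair's code and not real
advisory data. The NEVRA input format assumed here is what
`rpm -qa --qf '%{NAME}-%{EPOCH}:%{VERSION}-%{RELEASE}.%{ARCH}\n'` prints
(epoch printed as "(none)" is normalised to 0 by the caller).
"""


def rpmvercmp(a: str, b: str) -> int:
    """Port of librpm's rpmvercmp: returns -1, 0 or 1 like the C function."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Separators (anything not alphanumeric, '~' or '^') are skipped.
        while i < la and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        # Tilde sorts before everything, including end of string (pre-releases).
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # Caret sorts after end of string but before any other segment.
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        si, sj = i, j
        isnum = ca.isdigit()
        if isnum:
            while i < la and a[i].isdigit():
                i += 1
            while j < lb and b[j].isdigit():
                j += 1
        else:
            while i < la and a[i].isalpha():
                i += 1
            while j < lb and b[j].isalpha():
                j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:
            # Segment types differ: a numeric segment is newer than an alpha one.
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1


def parse_evr(evr: str):
    """Split '[epoch:]version[-release]' into (int epoch, version, release)."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, release = (evr.rsplit("-", 1) + [""])[:2]
    return int(epoch), version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings the way rpm does: epoch, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_nevra(nevra: str):
    """Split 'name-[epoch:]version-release.arch' into its five fields."""
    rest, arch = nevra.rsplit(".", 1)
    rest, release = rest.rsplit("-", 1)
    name, version = rest.rsplit("-", 1)
    epoch = "0"
    if ":" in version:
        epoch, version = version.split(":", 1)
    return name, int(epoch), version, release, arch


# Constructed advisory records shaped like an OVAL "package evr < fixed" test.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "name": "openssl-libs", "fixed_evr": "1:1.1.1k-7.el8_6"},
    {"id": "EXAMPLE-0002", "name": "zlib", "fixed_evr": "1.2.11-17.el8"},
    {"id": "EXAMPLE-0003", "name": "bash", "fixed_evr": "4.4.20-1.el8"},
]

# Constructed installed set; the bash release tag is a hypothetical downstream
# suffix, included only to show that it is compared as an ordinary segment.
INSTALLED = [
    "openssl-libs-1:1.1.1k-6.el8.x86_64",
    "zlib-1.2.11-17.el8.x86_64",
    "bash-4.4.20-1.el8.centos.x86_64",
]


def match(installed, advisories):
    """Return (advisory id, nevra, fixed evr) for every package below its fix."""
    findings = []
    for nevra in installed:
        name, epoch, version, release, _arch = parse_nevra(nevra)
        installed_evr = f"{epoch}:{version}-{release}"
        for adv in advisories:
            if adv["name"] == name and evrcmp(installed_evr, adv["fixed_evr"]) < 0:
                findings.append((adv["id"], nevra, adv["fixed_evr"]))
    return findings


if __name__ == "__main__":
    for finding in match(INSTALLED, ADVISORIES):
        print(*finding)
```

The matcher's answer depends on the whole release string, which is exactly why the third question in the message matters: with the constructed `bash` package, `1.el8.centos` compares greater than `1.el8` (the extra alpha segment is compared after the shared prefix), so a downstream-rebuilt package can come out on either side of a RHEL fixed version depending only on how the rebuild tags its release, regardless of whether the fix is present.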