BUG: ProGet Vulnerability Listing
-
Hi Guys,
Pretty sure this is a bug, I'm running ProGet v5.3.7 as a docker container.
Clicking on "Vulnerabilities" in the top navigation bar lists all discovered vulnerabilities. However in the package column it displays the package digest, not the name. It would be great if we could have the name instead.
Thanks
Simon
-
Hi @scroak_6473,
This works as designed. Clair attaches a vulnerability at the Docker image layer, not at the image itself. This also means that that vulnerability can exist across multiple images because Docker will share layers between images.
Thanks,
Rich
-
Thanks @rhessinger
If that is the case then perhaps this view could have an extra column detailing the package this layer (and vulnerability) exists in?
The use case I have:
- I've just connected my docker registry feed to a Vulnerability scanner source
- I have no way of finding out a "summary" of which packages/images in my feed have Vulnerabilities in them without clicking each repo and then clicking the "Vulnerabilities" tab
- Additionally if a developer uploads an image to the repo, that contains a new vulnerability how do I see this / get notified of this without checking each repo manually?
Thanks
Simon
-
Thanks, you have a pretty good point here. Finding where the vulnerabilities live is kind of difficult, but let's make it easier.
First,
bc9ab73e5b14
is a layer that's in one or more container images that have zero or more tags in a repository (in a registry/feed). What's actually useful information is registry (feed), then repository+tag (containername:version).
If all this added up to a single tag in a single registry + repository + tag combination, we could display that instead. But there are going to be a lot of container images using that layer...
Maybe clicking that page opens up a page that is like, "tags that use this layer" or something, and it displays Registry (Feed) and Repository+Tag in a simple list view?
The only way to get to this page would be clicking on an image hash like that, so perhaps it could be a modal-popup window instead?
Just brainstorming... what do you think?
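The layer-to-image relationship described in this thread (a scanner attaches findings to a layer digest, and one layer can sit inside many tagged images across repositories) is easy to reason about with a small model. The following is an added example written for this thread, not ProGet's or Clair's code and not their API; the feeds, repositories, tags, layer digests and vulnerability ids are constructed placeholders. It answers the three questions raised above: which tags use a given layer, a per-repository summary of tag and vulnerability counts (with unassessed findings called out), and which findings a newly pushed tag introduces that the repository had not seen before.

```python
from collections import defaultdict

# Constructed sample data (not from ProGet or Clair): each image is identified
# by (feed, repository, tag) and is made of an ordered list of layer digests.
# Digests are shortened placeholders.
IMAGES = {
    ("docker-feed", "web/api", "1.0"): ["aaa111", "bbb222", "bc9ab73e5b14"],
    ("docker-feed", "web/api", "1.1"): ["aaa111", "bbb222", "ccc333"],
    ("docker-feed", "jobs/worker", "2.0"): ["aaa111", "bc9ab73e5b14", "ddd444"],
    ("docker-feed", "tools/cli", "latest"): ["eee555"],
}

# Constructed scanner output keyed by layer digest, because the scanner
# attaches findings to layers rather than to images. Each finding carries an
# id and whether someone has already assessed it.
LAYER_VULNS = {
    "bc9ab73e5b14": [{"id": "VULN-A", "assessed": False},
                     {"id": "VULN-B", "assessed": True}],
    "ddd444": [{"id": "VULN-C", "assessed": False}],
}


def tags_using_layer(digest, images=IMAGES):
    """'Tags that use this layer': every feed/repository:tag containing the digest."""
    return sorted(f"{feed}/{repo}:{tag}"
                  for (feed, repo, tag), layers in images.items()
                  if digest in layers)


def image_vulns(layers, layer_vulns=LAYER_VULNS):
    """Findings for one image, de-duplicated by id across all of its layers."""
    seen = {}
    for layer in layers:
        for v in layer_vulns.get(layer, []):
            seen.setdefault(v["id"], v)
    return seen


def repo_summary(images=IMAGES, layer_vulns=LAYER_VULNS):
    """Per feed/repository: tag count, distinct vulnerabilities, and how many are unassessed."""
    acc = defaultdict(lambda: {"tags": 0, "vulns": set(), "unassessed": set()})
    for (feed, repo, _tag), layers in images.items():
        entry = acc[(feed, repo)]
        entry["tags"] += 1
        for vid, v in image_vulns(layers, layer_vulns).items():
            entry["vulns"].add(vid)
            if not v["assessed"]:
                entry["unassessed"].add(vid)
    return {
        f"{feed}/{repo}": {"tags": e["tags"],
                           "vulns": len(e["vulns"]),
                           "unassessed": len(e["unassessed"])}
        for (feed, repo), e in sorted(acc.items())
    }


def new_findings(before, after, layer_vulns=LAYER_VULNS):
    """Findings present in an 'after' image that no 'before' image of the same
    repository had: the thing to alert on when a developer pushes a new tag."""
    known = defaultdict(set)
    for (feed, repo, _tag), layers in before.items():
        known[(feed, repo)] |= set(image_vulns(layers, layer_vulns))
    found = {}
    for (feed, repo, tag), layers in after.items():
        new = set(image_vulns(layers, layer_vulns)) - known[(feed, repo)]
        if new:
            found[f"{feed}/{repo}:{tag}"] = sorted(new)
    return found


if __name__ == "__main__":
    print("tags using bc9ab73e5b14:", tags_using_layer("bc9ab73e5b14"))
    for repo, counts in repo_summary().items():
        print(repo, counts)
    # Simulate a developer pushing web/api:1.2 that pulls in a layer with VULN-C.
    pushed = dict(IMAGES)
    pushed[("docker-feed", "web/api", "1.2")] = ["aaa111", "ddd444"]
    print("new findings after push:", new_findings(IMAGES, pushed))
```

Note that `image_vulns` de-duplicates by finding id, so a vulnerability carried by two layers of the same image is counted once, and `repo_summary` counts distinct findings per repository rather than per tag, which is what a feed-level overview needs.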
-
Hi @atripp
I like your "tags that use this layer" suggestion, I was also thinking you could do something like this mock-up within the repo view:
In addition you could also improve the "feed view" with some more information about the number of tags/images & vulnerabilities per repo like this:
Or even:
-
@scroak_6473 great suggestions, thanks!! The mockups will really help me to present a case :)
I see that the priority is on finding the unassessed vulnerabilities, which makes sense. I don't know about a "mouseover" (we don't have this UI construct in our products like this to make this easily doable), but I can envision a modal window (popup) or a regular page that allows for quickly assessing those vulnerabilities.
This isn't trivial, but it's not terribly complicated either. I'm going to try to get this submitted internally next week (I'll share what I write up), and from there we might be able to get this in the following or near-term maintenance release.
-
Amazing thanks @atripp
Let me know what version this appears in I would love to try it out.
Thanks
Simon
-
Great!! I've logged this as PG-1798, and it's planned for 5.3.10 (Aug 28), but may get delayed depending on other priorities.
-
Hi @scroak_6473,
I just wanted to send over a few screenshots so you can see what is releasing tomorrow:
When you click on the layer digest on the Vulnerabilities, Repository Vulnerabilities, and Image Vulnerabilities pages, it now will show this modal dialog:
The List Repositories page now looks like this:
The All Tags for a Repository now looks like this:
The All Images for a Repository looks like this:
Thanks,
Rich
-
That's amazing! Thanks so much @rhessinger
You guys rock!