Identification and RPM
Identify Red Hat package version
In order to accurately identify the Red Hat package version, taking into consideration backporting fixes, use the RPM commands to examine the packages from a container image.
Example:
In this example we are listing all "Log4j" packages from container image: "registry.redhat.io/openshift3/jenkins-agent-maven-35-rhel7:v3.11.232"
The rpm -qa command is used to list all installed packages:
One of the packages listed in this example is following:
package name= rh-maven35-log4j12, package version = 1.2.17-19.2.el7.noarch which includes
Version= 1.2.17 ; The version of the open source project used to make this package
Extra Version= 19.2.el7; The extra version being applied by the Red Hat maintainer of this RPM as a result of backporting fixes
Architecture= noarch; The CPU type the binaries contained in this package are compiled for. "noarch" indicates that the package is architecture neutral.
In open-source communities and in Red Hat; the developers will not update the package version in the manifest (MANIFEST.MF) during backporting fixes. Hence using manifest inspection or identification by file name, as shown in the following output, will result in false positives.
The rpm -ql command is used to list all the files in the package:
Partner vulnerability scanners unable to use RPM and the ones that haven't implemented fingerprinting comparisons, will most likely lead to vulnerability discrepancies for non-OS type packages, like Java JARs, nodejs, and python.
Such partner scanners can achieve certification by documenting this caveat; to make it easily known to customers of this possibility and outlining the steps on how to triage the discrepancies.
Please refer to following Red Hat published KCS solution for more diagnostic steps https://access.redhat.com/solutions/6002741.
Clair v4 Implementation: Clair RPM command, and RPM query format
Resources
Last updated
