Identification and RPM

Identify Red Hat package version

In order to accurately identify the Red Hat package version, taking into consideration backporting fixes, use the RPM commands to examine the packages from a container image.

Example:

In this example we are listing all "Log4j" packages from container image: "registry.redhat.io/openshift3/jenkins-agent-maven-35-rhel7:v3.11.232"

The rpm -qa command is used to list all installed packages:

One of the packages listed in this example is following:

package name= rh-maven35-log4j12, package version = 1.2.17-19.2.el7.noarch which includes

• Version= 1.2.17 ; The version of the open source project used to make this package

• Extra Version= 19.2.el7; The extra version being applied by the Red Hat maintainer of this RPM as a result of backporting fixes

• Architecture= noarch; The CPU type the binaries contained in this package are compiled for. "noarch" indicates that the package is architecture neutral.

In open-source communities and in Red Hat; the developers will not update the package version in the manifest (MANIFEST.MF) during backporting fixes. Hence using manifest inspection or identification by file name, as shown in the following output, will result in false positives.

The rpm -ql command is used to list all the files in the package:

Partner vulnerability scanners unable to use RPM and the ones that haven't implemented fingerprinting comparisons, will most likely lead to vulnerability discrepancies for non-OS type packages, like Java JARs, nodejs, and python.

Such partner scanners can achieve certification by documenting this caveat; to make it easily known to customers of this possibility and outlining the steps on how to triage the discrepancies.

Please refer to following Red Hat published KCS solution for more diagnostic steps https://access.redhat.com/solutions/6002741.

Clair v4 Implementation: Clair RPM command, and RPM query format

Resources

[1] Getting information about packages (rpm -qa)