anchore-engine
Description is unclear for vulnerabilities/stale_feed_data trigger/gate, when fired against an image with a distro/version that doesn't have a feed data source
Currently, when a policy evaluation is performed against an image that reports a distro/version that doesn't match a synced (or existing) OS feed, the output to the user can be confusing - for example, using busybox:latest:
```
vulnerabilities stale_feed_data The vulnerability feed for this image distro is older than MAXAGE (2) days warn
vulnerabilities vulnerability_data_unavailable Feed data unavailable, cannot perform CVE scan for distro: busybox:v1.31.1 warn
```
First, the 'stale_feed_data' trigger, while perhaps true, is misleading since there is no OS feed for the image's distro, and can be understandably interpreted as 'there is a feed, but it is out of date' instead of the more accurate 'there isn't a feed for this distro'. Suggest that this trigger not fire at all when there is no feed, meaning that the check should only fire if there is a feed and it is indeed stale.
Second, the vulnerability_data_unavailable detail should be made more explicit to make it clear that this check is only for the OS feed types (as opposed to NVD, other), possibly by introducing additional checks for other feeds and making them more explicit about which type they're referring to.
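To make the proposed trigger semantics concrete, here is an added example (not anchore-engine's own gate code; the function and data names are hypothetical) that evaluates the two feed-related triggers for an image's distro namespace against constructed feed sync timestamps. With the default setting, `stale_feed_data` fires only when an OS feed for that namespace exists and is older than MAXAGE; a missing feed yields only `vulnerability_data_unavailable`. Setting `suppress_stale_when_no_feed=False` reproduces the confusing pairing of both triggers reported above for busybox and `Unknown:0` (FROM scratch) images.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample data: the evaluation time and the last successful sync
# of each OS vulnerability feed group, keyed by distro namespace. These are
# illustrative values, not real anchore feed state.
NOW = datetime(2021, 1, 15, 12, 0, tzinfo=timezone.utc)
FEED_LAST_SYNC: Dict[str, datetime] = {
    "debian:10": NOW - timedelta(hours=6),   # fresh feed
    "alpine:3.12": NOW - timedelta(days=5),  # feed exists but is stale
    # No entry for busybox or "Unknown:0" (FROM scratch): no OS feed at all.
}


@dataclass
class Finding:
    gate: str
    trigger: str
    message: str
    action: str

    def as_row(self) -> str:
        # Mirrors the "gate | trigger | message | action" layout of the report.
        return f"{self.gate} | {self.trigger} | {self.message} | {self.action}"


def evaluate_vulnerability_gate(
    distro_namespace: str,
    feed_last_sync: Dict[str, datetime],
    now: datetime,
    max_age_days: int = 2,
    action: str = "warn",
    suppress_stale_when_no_feed: bool = True,
) -> List[Finding]:
    """Return the findings of the two feed-related triggers for one image.

    suppress_stale_when_no_feed=True implements the behaviour proposed in
    the issue: stale_feed_data fires only if an OS feed exists for the
    distro namespace AND its last sync is older than max_age_days.
    """
    findings: List[Finding] = []
    last_sync: Optional[datetime] = feed_last_sync.get(distro_namespace)

    if last_sync is None:
        findings.append(Finding(
            "vulnerabilities",
            "vulnerability_data_unavailable",
            f"Distro-specific feed data not found for distro namespace: "
            f"{distro_namespace}. Cannot perform CVE scan OS/distro packages",
            action,
        ))
        if suppress_stale_when_no_feed:
            return findings
        # Legacy-style behaviour: a feed that never synced counts as
        # infinitely old, so the stale trigger fires as well.
        age = timedelta.max
    else:
        age = now - last_sync

    if age > timedelta(days=max_age_days):
        findings.append(Finding(
            "vulnerabilities",
            "stale_feed_data",
            f"The OS vulnerability feed for {distro_namespace} is older than "
            f"MAXAGE ({max_age_days}) days",
            action,
        ))
    return findings


def fired_triggers(distro_namespace: str,
                   suppress_stale_when_no_feed: bool = True) -> List[str]:
    """Trigger names fired for a namespace, over the constructed sample data."""
    return [
        f.trigger
        for f in evaluate_vulnerability_gate(
            distro_namespace, FEED_LAST_SYNC, NOW,
            suppress_stale_when_no_feed=suppress_stale_when_no_feed,
        )
    ]


if __name__ == "__main__":
    for ns in ("debian:10", "alpine:3.12", "busybox:v1.31.1", "Unknown:0"):
        print(f"== {ns} ==")
        for finding in evaluate_vulnerability_gate(ns, FEED_LAST_SYNC, NOW):
            print(finding.as_row())
```

Note that the stale message includes the distro namespace, so a reader can tell which feed the age refers to; the real gate's wording and MAXAGE handling are whatever anchore-engine implements, which this example does not claim to reproduce.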
@nurmi +1 on this issue. I was confused about these exact findings after scanning an image that used a multistage build with quay.io/prometheus/busybox:latest
@nurmi +1 as well, affecting an enterprise customer's end users now.
Agreed, I think those triggers need a semantic review and update since we have multiple feeds that are relevant for any given image that are based on content type as much as distro.
+2, Rancher is seeing this on their images built FROM scratch
```
vulnerabilities | stale_feed_data | The vulnerability feed for this image distro is older than MAXAGE (15) days | stop
vulnerabilities | vulnerability_data_unavailable | Feed data unavailable, cannot perform CVE scan for distro: Unknown:0 | stop
```
https://repo1.dso.mil/dsop/rancher-federal/rke2/rke2-runtime/-/jobs/1485122/artifacts/file/ci-artifacts/scan-results/csvs/rke2-runtime:v1.19.5-rke2r1-132189-justifications.xlsx
+1 again on this, affecting another enterprise customer looking at using busybox based images.
As @bhearn7 mentioned, the issue affects FROM scratch images, too. That is a highly important issue, I think, as developers using compiled languages, such as Go, create distroless images to reduce attack surface quite often.
I get these warnings:
```
vulnerabilities | stale_feed_data | The vulnerability feed for this image distro is older than MAXAGE (2) days |
vulnerabilities | vulnerability_data_unavailable | Distro-specific feed data not found for distro namespace: Unknown:0. Cannot perform CVE scan OS/distro packages |
```