CVE scans incorrectly claim that e.g., Alpine git package is included in EVE images

Open eriknordmark opened this issue 1 month ago • 2 comments

Describe the unexpected behaviour

CVE scanners which use the SBoM see that some version of git is included in the image. Turns out this is coming from lib/apk/db/installed which is collected by the linuxkit build and also placed in /lib/apk/db/installed in the final EVE image.

The particular issue with git has been tracked down to come from linuxkit/runc introduced by https://github.com/linuxkit/linuxkit/pull/3913, and there are similar ones where Alpine packages like gcc, make, etc. appear in apk/db/installed even though there is no content from those packages included in the EVE image.

It is useful to have the information from the apk/db/installed since it includes package versions, but in these cases it seems problematic to use it as the authoritative source of which package content is included in the containers.

eriknordmark avatar Dec 03 '25 09:12 eriknordmark
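One way to detect the mismatch the issue describes, as an added example that is not part of the eve or linuxkit projects: parse the apk `installed` database and report packages whose recorded files are all absent from the root filesystem, so an SBOM can be reconciled against actual image content before a CVE scan. The database text and the temporary root filesystem below are constructed for the demonstration (package names, versions and file lists are illustrative, not taken from any real EVE image).

```python
"""Cross-check an Alpine apk 'installed' database against the files actually
present in a root filesystem, flagging packages that are recorded in the db
but whose content is absent (the SBOM false-positive pattern from the issue).

Added example, not part of the eve project. The sample database and the
root filesystem built in demo() are constructed for this demonstration."""
import os
import tempfile

# Constructed sample of /lib/apk/db/installed records. The apk db is a series
# of blank-line-separated records; 'P:' is the package name, 'V:' the version,
# 'F:' a directory, and each following 'R:' a file within that directory.
SAMPLE_INSTALLED_DB = """\
P:busybox
V:1.36.1-r15
F:bin
R:busybox
R:sh

P:git
V:2.45.2-r0
F:usr/bin
R:git
R:git-upload-pack

P:make
V:4.4.1-r2
F:usr/bin
R:make
"""


def parse_installed_db(text):
    """Return {package: {"version": str, "files": [paths relative to /]}}."""
    packages = {}
    current = None
    directory = ""
    for line in text.splitlines():
        if not line.strip():
            current = None  # a blank line terminates the record
            continue
        key, _, value = line.partition(":")
        if key == "P":
            current = packages.setdefault(value, {"version": "", "files": []})
            directory = ""
        elif current is None:
            continue  # stray line outside any record
        elif key == "V":
            current["version"] = value
        elif key == "F":
            directory = value
        elif key == "R":
            current["files"].append(os.path.join(directory, value))
    return packages


def find_phantom_packages(db_text, rootfs):
    """Return the names of packages recorded in the db for which none of the
    recorded files exist under rootfs. Packages that record no files at all
    are skipped, since absence of files proves nothing for them."""
    phantoms = []
    for name, info in parse_installed_db(db_text).items():
        if not info["files"]:
            continue
        present = [f for f in info["files"]
                   if os.path.lexists(os.path.join(rootfs, f))]
        if not present:
            phantoms.append(name)
    return sorted(phantoms)


def demo():
    """Build a constructed rootfs containing busybox's files but none of the
    git or make files, and return the packages the db wrongly claims."""
    with tempfile.TemporaryDirectory() as rootfs:
        os.makedirs(os.path.join(rootfs, "bin"))
        for f in ("busybox", "sh"):
            open(os.path.join(rootfs, "bin", f), "w").close()
        return find_phantom_packages(SAMPLE_INSTALLED_DB, rootfs)


if __name__ == "__main__":
    print("recorded in apk db but absent from image:", demo())
```

Pointing `find_phantom_packages` at a real unpacked rootfs together with its `lib/apk/db/installed` gives a list of packages to drop from (or annotate in) the SBOM; a package reported here contributes version metadata only, not code, so CVE findings against it are noise.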

This was addressed partially (sysctl) by https://github.com/lf-edge/eve/pull/5471 ; a second PR will be opened later today (runc, init), which should put this to rest.

deitch avatar Dec 03 '25 09:12 deitch

> This was addressed partially (sysctl) by #5471 ; a second PR will be opened later today (runc, init), which should put this to rest.

We should also inspect the lf-edge/eve-* containers before closing this. I have the raw data from all the containers which are pulled into the EVE-OS image, but still need to look at this.

eriknordmark avatar Dec 03 '25 13:12 eriknordmark