Explain that using CS_IGNORE_STATUSES may cause false negatives
Problem to solve
As discussed and explained in this confidential thread, using a Container Scanning filter such as `CS_IGNORE_STATUSES=will_not_fix` may cause false negatives. That is, findings that do exist on the scanned target will not be reported.
Further details
Summary of @jhebden's explanation:
For a little more context, RHEL (and UBI by extension) suites are really tricky when it comes to determining fix availability.

The information you see on the RHEL website is a generalisation of the situation typically, and in this case the prefixes you see (`ruby:3.1` for example) represent entirely different yum/dnf repos the `ruby` package could have come from. So, it's not like on other distros where you just have different `ruby` packages of different versions which come from the same repo, meaning simple version-based matching can be done; the packages and the advisory data are all keyed to the repos and packages and have to be matched that way to get the correct availability information.

Additionally, even with this logic in place, when querying `rpm` information in the image we get `ruby` as a package name; yum/dnf metadata needs to be present in the image to be able to determine more than that (i.e. which suite/repo `ruby` comes from). In the advisory data, the status is present based on the different suites but also requires some additional logic to match up.

Given how rare this situation is, adding more logic to make this matching more accurate hasn't been prioritised. I've checked the image and it is indeed Ruby 3.1 so we can assume the fix is not released yet. I also checked and the yum/dnf metadata and tools have been removed from the image so I suspect that's also part of why Trivy might not be able to tell these apart as well.
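The failure mode described above, as an added illustration that is not GitLab's or Trivy's code: advisory statuses are keyed per suite/repo, the image only exposes the rpm name, and a name-only resolver combined with `CS_IGNORE_STATUSES=will_not_fix` silently drops a real finding. The CVE id, suite names and statuses are constructed placeholders, not real Red Hat advisory data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed advisory data (placeholder CVE, hypothetical suites/statuses):
# the same package name carries a different fix status in each suite.
ADVISORY = {
    ("CVE-EXAMPLE-0001", "ruby"): {
        "ruby:3.0": "will_not_fix",
        "ruby:3.1": "affected",  # fix not released yet for this suite
    }
}


@dataclass
class RpmPackage:
    name: str
    version: str
    suite: Optional[str]  # None when yum/dnf metadata was stripped from the image


def naive_status(cve, pkg):
    """Name/version-only matching: takes the first suite's status for the package."""
    suites = ADVISORY[(cve, pkg.name)]
    return next(iter(suites.values()))


def suite_aware_status(cve, pkg):
    """Use the suite when known; otherwise refuse to guess if suites disagree."""
    suites = ADVISORY[(cve, pkg.name)]
    if pkg.suite in suites:
        return suites[pkg.suite]
    statuses = set(suites.values())
    return statuses.pop() if len(statuses) == 1 else "unknown"


def report(cve, pkg, ignore_statuses, resolver):
    """True if the finding survives the CS_IGNORE_STATUSES filter."""
    return resolver(cve, pkg) not in ignore_statuses


IGNORE = {"will_not_fix"}  # equivalent of CS_IGNORE_STATUSES=will_not_fix
# Constructed scan result: Ruby 3.1 image whose dnf metadata was removed.
ruby31 = RpmPackage(name="ruby", version="3.1.2", suite=None)
```

With `naive_status` the filter hides the finding (a false negative); with `suite_aware_status` the ambiguous package resolves to `unknown`, which the filter does not match, so it is still reported.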
Proposal
Add a footnote to the CS CI variables section for `CS_IGNORE_STATUSES`.

We probably don't need to get into specific details for RHEL/UBI. A disclosure that using this setting may cause false positives for certain packages and operating systems would suffice.