
Not finding the same CVEs with claircore v1.5.26 and v1.5.30 #1409

Closed
zregvart opened this issue Sep 11, 2024 · 2 comments

Comments

@zregvart

I'm reporting this here instead of clair-action because, as far as I can understand, the change in the updater from Red Hat OVAL to Red Hat VEX might be the cause of the issue I'm seeing.

I have created a deliberately vulnerable image:

quay.io/zregvart_redhat/vuln@sha256:b339dacf8a9e6312d9343ed8049d1e270a949d1d2ba43114d92e9eb7f0363049

I've run clair-action with two different versions of claircore. One built from https://github.com/quay/clair-action at 26a067cffe5e75ef7365c084c699021577232448 using claircore v1.5.30, and the prebuilt quay.io/projectquay/clair-action:v0.0.8 using claircore v1.5.26. I've run the updater to populate the database and saved the populated database together with clair-action to the images. The two images I've used are:

  • quay.io/redhat-appstudio/clair-in-ci@sha256:bbe08d35ea6a99260ca56284963450aff030d0fcb34fbb7e461dd1fc11e70e12 running clair-action v0.0.8 and claircore v1.5.26
  • quay.io/zregvart_redhat/clair-in-ci@sha256:ef2973e456f853377985e2e43ae842e222b5df1da26e828195b39e0a16f55da2 running clair-action at 26a067cffe5e75ef7365c084c699021577232448 and claircore v1.5.30

Both images have populated databases in /tmp/matcher.db.

If I run the clair-action report against the vulnerable image above, the report will contain 84 vulnerabilities with v1.5.26 and none with v1.5.30. In particular, I've installed a vulnerable subscription-manager package (version 1.29.33.1-1.el9_2) that I was expecting to be reported.

I can see that the data imported from the Red Hat VEX resulted in 334 rows in the database, so the data seems to be present.
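Added example (not from this issue or from the clair-action project): a small regression check that diffs two vulnerability reports, one per scanner version, and lists the findings the newer version no longer reports, which is the kind of drop described above. It assumes the report JSON follows claircore's VulnerabilityReport layout (`packages`, `vulnerabilities` and `package_vulnerabilities` keyed by id); the sample reports, digests and CVE names are constructed placeholders.

```python
"""Diff two claircore-style vulnerability reports (one per scanner version)
and list findings the newer version no longer reports. Assumes claircore's
VulnerabilityReport JSON layout (packages/vulnerabilities/package_vulnerabilities keyed by id)."""
import json

# Constructed sample report from the older scanner version (placeholder ids and CVE names).
OLD_REPORT = json.dumps({
    "manifest_hash": "sha256:PLACEHOLDER",
    "packages": {
        "1": {"id": "1", "name": "subscription-manager", "version": "1.29.33.1-1.el9_2"},
        "2": {"id": "2", "name": "openssl", "version": "3.0.7-1.el9"},
    },
    "vulnerabilities": {
        "10": {"id": "10", "name": "CVE-PLACEHOLDER-1", "updater": "rhel-vex"},
        "11": {"id": "11", "name": "CVE-PLACEHOLDER-2", "updater": "rhel-vex"},
    },
    "package_vulnerabilities": {"1": ["10"], "2": ["11"]},
})

# Constructed sample report from the newer version: same packages, nothing matched.
NEW_REPORT = json.dumps({
    "manifest_hash": "sha256:PLACEHOLDER",
    "packages": json.loads(OLD_REPORT)["packages"],
    "vulnerabilities": {},
    "package_vulnerabilities": {},
})

def findings(report_json):
    """Return the set of (package name, version, vulnerability name) triples in a report."""
    report = json.loads(report_json)
    pkgs = report.get("packages", {})
    vulns = report.get("vulnerabilities", {})
    out = set()
    for pkg_id, vuln_ids in report.get("package_vulnerabilities", {}).items():
        pkg = pkgs[pkg_id]
        for vid in vuln_ids:
            out.add((pkg["name"], pkg["version"], vulns[vid]["name"]))
    return out

def compare(old_json, new_json):
    """Findings dropped by the new version, and findings only the new version reports."""
    old, new = findings(old_json), findings(new_json)
    return sorted(old - new), sorted(new - old)

if __name__ == "__main__":
    dropped, added = compare(OLD_REPORT, NEW_REPORT)
    print(f"{len(dropped)} finding(s) dropped, {len(added)} new")
    for name, version, cve in dropped:
        print(f"  missing: {cve} on {name}-{version}")
```

Run against the `clair` JSON output of the two scanner builds, a non-empty "dropped" list is the signal to investigate before trusting the newer matcher.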

@zregvart
Author

I've bisected to find that the change seems to have occurred with 8dd6a35, and that brought me to quay/clair-action#183.

@zregvart
Author

I'm going to close this; quay/clair-action#183 seems to have helped.
