From 78019c3203f11cefb381147e6d95d6f46789b1ad Mon Sep 17 00:00:00 2001 From: Sertac Ozercan Date: Tue, 14 Nov 2023 02:02:14 +0000 Subject: [PATCH 1/4] docs: add lower than required package error Signed-off-by: Sertac Ozercan --- website/docs/faq.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/website/docs/faq.md b/website/docs/faq.md index d1791991..b6c59e71 100644 --- a/website/docs/faq.md +++ b/website/docs/faq.md 
@@ -47,4 +47,19 @@ export EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=source-policy.json > Tooling image for Debian-based images are `docker.io/library/debian:11-slim` and RPM-based repos are `mcr.microsoft.com/cbl-mariner/base/core:2.0`. -For more information on source policies, see [Buildkit Source Policies](https://docs.docker.com/build/building/env-vars/#experimental_buildkit_source_policy). \ No newline at end of file +For more information on source policies, see [Buildkit Source Policies](https://docs.docker.com/build/building/env-vars/#experimental_buildkit_source_policy). + +## I am getting "downloaded package version lower than required for update" error when trying to patch an image. What does this mean? + +This error means that the package manager is trying to install a version of the package that is lower than the version that was required from the scanner report. This can happen for a few reasons: + +- Package repositories are not updated to the latest version of the package. For example, sometimes there is a lag between when a CVE is detected by Trivy using Red Hat vulnerability database and when it is available in the package repositories for CentOS. + +- Scanner reports are not up to date. Make sure to run the scanner with the latest vulnerability database. + +To verify the package version discrepency, you can compare the package version provided by the package repositories and the scanner reports. + +If you are continuing to see this and the package repositories and vulnerability databases are not updated, you can either use copa's `--ignore-errors` flag or [filter the applicable vulnerability in the scanner](troubleshooting.md#filtering-vulnerabilities). + + + From 22e31dda0aa5f418d086c31e5455aa7397ae23a3 Mon Sep 17 00:00:00 2001 From: Sertac Ozercan Date: Tue, 5 Nov 2024 21:35:46 +0000 Subject: [PATCH 2/4] add to versioned 
Signed-off-by: Sertac Ozercan --- website/docs/faq.md | 2 +- website/versioned_docs/version-v0.9.x/faq.md | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/website/docs/faq.md b/website/docs/faq.md index 643edea9..53e0a2ae 100644 --- a/website/docs/faq.md +++ b/website/docs/faq.md @@ -90,7 +90,7 @@ This error means that the package manager is trying to install a version of the - Scanner reports are not up to date. Make sure to run the scanner with the latest vulnerability database. If you are using Trivy, it is recommended to pull the latest version of the Trivy DB, and not rely on cached or stale versions. -To verify the package version discrepencies, you can compare the package version provided by the package repositories and the scanner reports. Follow the Trivy documentation on [how to find the security advisory data sources](https://aquasecurity.github.io/trivy/dev/community/contribute/discussion/#false-detection), and then compare the package version in the scanner report with the applicable security advisory, and applicable package repository. +To verify the package version discrepancies, you can compare the package version provided by the package repositories and the scanner reports. Follow the Trivy documentation on [how to find the security advisory data sources](https://aquasecurity.github.io/trivy/dev/community/contribute/discussion/#false-detection), and then compare the package version in the scanner report with the applicable security advisory, and applicable package repository. If you are continuing to see this and the package repositories and vulnerability databases are not updated, you can either: diff --git a/website/versioned_docs/version-v0.9.x/faq.md b/website/versioned_docs/version-v0.9.x/faq.md index 5d70143f..53e0a2ae 100644 --- a/website/versioned_docs/version-v0.9.x/faq.md +++ b/website/versioned_docs/version-v0.9.x/faq.md 
@@ -82,6 +82,22 @@ export EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=source-policy.json For more information on source policies, see [Buildkit Source Policies](https://docs.docker.com/build/building/env-vars/#experimental_buildkit_source_policy). +## I am getting "downloaded package version lower than required for update" error when trying to patch an image. What does this mean? + +This error means that the package manager is trying to install a version of the package that is lower than the version that was required from the scanner report. This can happen for a few reasons: + +- Package repositories are not updated to the latest version of the package. For example, sometimes there is a lag between when a CVE is detected by Trivy using Red Hat vulnerability database and when it is available in the package repositories for CentOS. + +- Scanner reports are not up to date. Make sure to run the scanner with the latest vulnerability database. If you are using Trivy, it is recommended to pull the latest version of the Trivy DB, and not rely on cached or stale versions. + +To verify the package version discrepancies, you can compare the package version provided by the package repositories and the scanner reports. Follow the Trivy documentation on [how to find the security advisory data sources](https://aquasecurity.github.io/trivy/dev/community/contribute/discussion/#false-detection), and then compare the package version in the scanner report with the applicable security advisory, and applicable package repository. + +If you are continuing to see this and the package repositories and vulnerability databases are not updated, you can either: + +- use `--ignore-errors` flag or [filter the applicable vulnerability in the scanner](troubleshooting.md#filtering-vulnerabilities). + +- update all packages without any scanner reports. This can be done by not providing a scanner report to copa, and copa will update all packages to the latest version available in the package repositories. 
+ ## Can I use Dependabot with Copa patched images? Yes, see [best practices](best-practices.md#dependabot) to learn more about using Dependabot with Copa patched images. From 49a8dfa1f6c7f9d7b8ef80474a11285b70fb385d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Serta=C3=A7=20=C3=96zercan?= <852750+sozercan@users.noreply.github.com> Date: Tue, 5 Nov 2024 15:24:43 -0800 Subject: [PATCH 3/4] Update website/docs/faq.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ashna Mehrotra Signed-off-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com> --- website/docs/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/faq.md b/website/docs/faq.md index 53e0a2ae..3dd54c15 100644 --- a/website/docs/faq.md +++ b/website/docs/faq.md @@ -96,7 +96,7 @@ If you are continuing to see this and the package repositories and vulnerability - use `--ignore-errors` flag or [filter the applicable vulnerability in the scanner](troubleshooting.md#filtering-vulnerabilities). -- update all packages without any scanner reports. This can be done by not providing a scanner report to copa, and copa will update all packages to the latest version available in the package repositories. +- update all packages without any scanner reports. This can be done by not providing a scanner report to Copa, and Copa will update all packages to the latest version available in the package repositories. ## Can I use Dependabot with Copa patched images? Yes, see [best practices](best-practices.md#dependabot) to learn more about using Dependabot with Copa patched images. From d8e77758e80185d87efd6424bc6ae0d13d5cacfc Mon Sep 17 00:00:00 2001 From: Sertac Ozercan Date: Tue, 5 Nov 2024 23:29:27 +0000 Subject: [PATCH 4/4] update title Signed-off-by: Sertac Ozercan --- website/docs/faq.md | 2 +- website/versioned_docs/version-v0.9.x/faq.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/website/docs/faq.md b/website/docs/faq.md index 3dd54c15..a805cec5 100644 --- a/website/docs/faq.md +++ b/website/docs/faq.md @@ -82,7 +82,7 @@ export EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=source-policy.json For more information on source policies, see [Buildkit Source Policies](https://docs.docker.com/build/building/env-vars/#experimental_buildkit_source_policy). -## I am getting "downloaded package version lower than required for update" error when trying to patch an image. What does this mean? +## I am getting `downloaded package ... version ... lower than required ... for update` error when trying to patch an image. What does this mean? This error means that the package manager is trying to install a version of the package that is lower than the version that was required from the scanner report. This can happen for a few reasons: diff --git a/website/versioned_docs/version-v0.9.x/faq.md b/website/versioned_docs/version-v0.9.x/faq.md index 53e0a2ae..ad753d6e 100644 --- a/website/versioned_docs/version-v0.9.x/faq.md +++ b/website/versioned_docs/version-v0.9.x/faq.md @@ -82,7 +82,7 @@ export EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=source-policy.json For more information on source policies, see [Buildkit Source Policies](https://docs.docker.com/build/building/env-vars/#experimental_buildkit_source_policy). -## I am getting "downloaded package version lower than required for update" error when trying to patch an image. What does this mean? +## I am getting `downloaded package ... version ... lower than required ... for update` error when trying to patch an image. What does this mean? This error means that the package manager is trying to install a version of the package that is lower than the version that was required from the scanner report. This can happen for a few reasons:
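Review bot: in patch 1/4, hunk `@@ -47,4 +47,19 @@` of website/docs/faq.md, `discrepency` is misspelled (`discrepancy`), and the section ends with three empty `+` lines, which leaves trailing blank lines at end of file; keep one. Patch 2/4 later corrects the spelling, so that fix could be folded into this commit. The same hunk would also read better as "the Red Hat vulnerability database" and "the `--ignore-errors` flag".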
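Review bot: in patch 2/4, hunk `@@ -90,7 +90,7 @@` of website/docs/faq.md, the Trivy reference points at `https://aquasecurity.github.io/trivy/dev/community/contribute/discussion/#false-detection`, the unversioned `dev` documentation path; page layout and anchors such as `#false-detection` can move there, so link a released version of the Trivy docs or state in the sentence that the URL tracks the development docs.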
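Review bot: in patch 2/4, hunk `@@ -82,6 +82,22 @@` of website/versioned_docs/version-v0.9.x/faq.md, the added bullet "not providing a scanner report to copa, and copa will update all packages" uses lowercase `copa` while the following heading in the same hunk, "Can I use Dependabot with Copa patched images?", uses `Copa`; use the capitalized product name here too. The bullet "use `--ignore-errors` flag" should read "use the `--ignore-errors` flag".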
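Review bot: in patch 3/4, hunk `@@ -96,7 +96,7 @@` of website/docs/faq.md, the `copa` to `Copa` change is applied only to website/docs/faq.md, while patch 2/4 added the identical sentence to website/versioned_docs/version-v0.9.x/faq.md; the two copies now diverge. Apply the same one-line change to the versioned file (patch 4/4 already touches both files, so the series could carry it there).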
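Review bot: in patch 4/4, hunk `@@ -82,7 +82,7 @@` of website/docs/faq.md, rewording the `##` heading changes the anchor the site generates for it, so any existing link to the old "I am getting ... What does this mean?" anchor would break; check for references to it (the FAQ already cross-links sections such as `troubleshooting.md#filtering-vulnerabilities`). The heading would also read better as "I am getting a `downloaded package ... version ... lower than required ... for update` error".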