Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: add lower than required package error #420

Merged
Merged
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 16 additions & 1 deletion website/docs/faq.md
Original file line number Diff line number Diff line change
Expand Up @@ -47,4 +47,19 @@ export EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=source-policy.json

> Tooling image for Debian-based images are `docker.io/library/debian:11-slim` and RPM-based repos are `mcr.microsoft.com/cbl-mariner/base/core:2.0`.

For more information on source policies, see [Buildkit Source Policies](https://docs.docker.com/build/building/env-vars/#experimental_buildkit_source_policy).
For more information on source policies, see [Buildkit Source Policies](https://docs.docker.com/build/building/env-vars/#experimental_buildkit_source_policy).

## I am getting "downloaded package <name> version <version> lower than required <version> for update" error when trying to patch an image. What does this mean?

This error means that the package manager is trying to install a version of the package that is lower than the version that was required from the scanner report. This can happen for a few reasons:

- Package repositories are not updated to the latest version of the package. For example, sometimes there is a lag between when a CVE is detected by Trivy using Red Hat vulnerability database and when it is available in the package repositories for CentOS.

- Scanner reports are not up to date. Make sure to run the scanner with the latest vulnerability database.

To verify the package version discrepency, you can compare the package version provided by the package repositories and the scanner reports.

If you are continuing to see this and the package repositories and vulnerability databases are not updated, you can either use copa's `--ignore-errors` flag or [filter the applicable vulnerability in the scanner](troubleshooting.md#filtering-vulnerabilities).



Loading