aws/containers-roadmap

[ECR] [request]: Support for Alpine 3.21 on Basic Vulnerability Scan - claircore

Closed this issue · 2 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
Using vulnerability scans with the latest Alpine release.

Which service(s) is this request for?
ECR

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
On 05.12.2024, Alpine Linux 3.21 was released (please see https://gallery.ecr.aws/docker/library/alpine and https://alpinelinux.org/posts/Alpine-3.21.0-released.html).
We are using the "old"/legacy AWS ECR Basic (Image) Scanning to check for vulnerabilities.

Once you are using the latest (= 3.21) image tag of Alpine, you will get the following output in ECR:

Status: Not supported UnsupportedImageError: The operating system 'alpine' version 'v3.21' is not supported.

At the same time, Alpine SecDB has also already added version 3.21, please see https://secdb.alpinelinux.org/v3.21/ (supporting vulnerability data)

Are you currently working around this issue?
We could switch to "new" Basic-Scanning, called "improved version of basic scanning". In this case the image-scan is working (Great! - 🥇)
The 2nd option would not work: Switch to Enhanced Scan (AWS Inspector), since this mode is facing the same issue: #2490

Additional context
Based on my last check in the claircore GitHub repository, the hard-coded reference for an Alpine OS version is not there anymore, but AWS may be using its own/older version of clair/claircore. I'm aware that the "old" Basic-Scanning (Clair) is not in focus anymore and will be replaced at some point by the "new" Basic-Scanning (AWS native technology). Since both are still available, please add Alpine Linux 3.21 to your "old" Basic-Scanning as well. Thanks :-)

Thanks for raising this.

ECR's AWS native basic scanning now supports Alpine 3.21, as you called out, and docs should be updated soon.

Clair basic scanning is essentially end of life and will not be updated with new version support. It will also not be available in AWS regions launched after September 2024 and will no longer be supported in any region as of October 1, 2025.

Doc for deprecation and version support (Alpine 3.21 still pending update): https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-basic.html
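
An added example, not part of the issue thread or of any AWS code: a CI check that treats the "not supported" scan status reported above as a coverage gap rather than as "no findings". It assumes input shaped like `aws ecr describe-images` JSON output; the sample data and the function name `coverage_gaps` are constructed for illustration.

```python
import json
import re

# Constructed sample shaped like `aws ecr describe-images` output (not real account data).
SAMPLE = json.loads("""
{"imageDetails": [
  {"repositoryName": "app", "imageTags": ["alpine-3.21"],
   "imageScanStatus": {"status": "UNSUPPORTED_IMAGE",
     "description": "UnsupportedImageError: The operating system 'alpine' version 'v3.21' is not supported."}},
  {"repositoryName": "app", "imageTags": ["alpine-3.20"],
   "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed successfully."},
   "imageScanFindingsSummary": {"findingSeverityCounts": {"HIGH": 1}}},
  {"repositoryName": "app", "imageTags": ["never-scanned"]}
]}
""")

# Matches the error text quoted in the issue and captures the OS name and version.
UNSUPPORTED_RE = re.compile(r"operating system '([^']+)' version '([^']+)' is not supported")


def coverage_gaps(describe_images):
    """Return (repo, tag, reason) for every image without a usable basic-scan result."""
    gaps = []
    for img in describe_images.get("imageDetails", []):
        repo = img.get("repositoryName", "?")
        tag = (img.get("imageTags") or [img.get("imageDigest", "<untagged>")])[0]
        scan = img.get("imageScanStatus")
        if scan is None:
            gaps.append((repo, tag, "no scan recorded"))
            continue
        if scan.get("status") == "COMPLETE":
            continue  # a completed scan's findings (even zero) can be trusted
        m = UNSUPPORTED_RE.search(scan.get("description", ""))
        if m:
            reason = f"unsupported OS {m.group(1)} {m.group(2)}"
        else:
            reason = f"scan status {scan.get('status')}"
        gaps.append((repo, tag, reason))
    return gaps


if __name__ == "__main__":
    for repo, tag, reason in coverage_gaps(SAMPLE):
        print(f"{repo}:{tag}: NOT COVERED ({reason})")
```
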