FAQ for Vulnerability Advisor
Frequently asked questions for the Vulnerability Advisor component of IBM Cloud® Container Registry.
For frequently asked questions about Container Registry, see FAQ for Container Registry.
How do I manage any vulnerabilities?
You can use the Vulnerability Advisor component of IBM Cloud Container Registry to manage image security and vulnerabilities.
For more information, see Managing image security with Vulnerability Advisor.
How can I view all the vulnerabilities?
To view all the vulnerabilities that are found by the Vulnerability Advisor component of IBM Cloud Container Registry, you need to access the dashboard. The dashboard provides an overview and assessment of the security for an image. The dashboard displays details about any vulnerable packages and nonsecure container or app configurations.
Encrypted images are not scanned by Vulnerability Advisor.
To see the vulnerabilities in an image and address any vulnerabilities before you deploy the image, complete the following steps:
- Log in to the IBM Cloud console.
- Navigate to Container Registry by clicking the Navigation menu icon and selecting Container Registry.
- View a list of your images along with their security status by clicking Images.
- If you see any issues, click the Issues by type tab to see the Vulnerabilities table. The Vulnerabilities table displays the Vulnerability ID, policy status, affected packages, and resolution steps for each issue.
- To get more information about a specific issue, expand the corresponding row, which shows a summary of the issue along with a link to the vendor security notice.
- Complete the corrective action for each issue and then rebuild the image.
For more information, see Reviewing a vulnerability report and About Vulnerability Advisor.
How much does Vulnerability Advisor cost?
The cost of Vulnerability Advisor is built into the pricing for IBM Cloud Container Registry. For more information, see Billing for storage and pull traffic.
Can images from other registries be scanned by Vulnerability Advisor?
Vulnerability Advisor scans images from IBM Cloud Container Registry only.
How is a Vulnerability Advisor scan triggered?
For more information about how the scanning of an image by the Vulnerability Advisor component of IBM Cloud Container Registry is triggered, see Vulnerable packages.
Why doesn't my image scan in Vulnerability Advisor v4?
If your image isn't being scanned by the Vulnerability Advisor component of IBM Cloud Container Registry, check that it has a tag. In Vulnerability Advisor version 4, images are scanned only if they have a tag.
Why doesn't a new image scan in Vulnerability Advisor?
If you get the vulnerability report immediately after you add the image to the registry, you might receive the following error, where <imagename> is the name of your image:
BXNVA0009E: <imagename> has not been scanned. Try again later.
If this issue persists, contact support for help;
see https://cloud.ibm.com/docs/get-support?topic=get-support-getting-customer-support#getting-customer-support
You receive this message because images are scanned asynchronously to the requests for results, and the scanning process takes a while to complete. During normal operation, the scan completes within the first few minutes after you add the image to the registry. The time that it takes to complete depends on variables like the size of the image and the amount of traffic that the registry is receiving.
If you get this message as part of a build pipeline and you see this error regularly, try adding some retry logic that contains a short pause.
If you still see unacceptable performance, contact support. For more information, see Getting help and support for Container Registry.
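The following retry logic for a build pipeline is an added example, not code from the IBM documentation. It assumes the report is requested with the `ibmcloud cr va` CLI command and that the BXNVA0009E code appears in that command's output; the function and variable names (`wait_for_va_report`, `fetch_va_report`, `VA_MAX_ATTEMPTS`, `VA_PAUSE_SECONDS`) are hypothetical.

```shell
#!/bin/sh
# Added example: bounded retry around a Vulnerability Advisor report request.
# All names here are hypothetical; adjust the attempt count and pause to your pipeline.
VA_MAX_ATTEMPTS="${VA_MAX_ATTEMPTS:-10}"
VA_PAUSE_SECONDS="${VA_PAUSE_SECONDS:-30}"

# Requests the report for one image. Assumes the ibmcloud CLI is logged in
# and the container-registry plug-in is installed.
fetch_va_report() {
    ibmcloud cr va "$1"
}

# wait_for_va_report IMAGE
# Prints the report and returns 0 once the image has been scanned.
# Returns 1 immediately on any failure other than BXNVA0009E (no retry),
# and 2 if the image is still unscanned after VA_MAX_ATTEMPTS tries.
wait_for_va_report() {
    local image attempt output status
    image="$1"
    attempt=1
    while [ "$attempt" -le "$VA_MAX_ATTEMPTS" ]; do
        # Capture stdout and stderr; the && / || form keeps this safe under `set -e`.
        output="$(fetch_va_report "$image" 2>&1)" && status=0 || status=$?
        case "$output" in
            *BXNVA0009E*)
                # Scan has not finished yet: this is the only retryable case.
                echo "attempt $attempt/$VA_MAX_ATTEMPTS: $image not scanned yet" >&2
                ;;
            *)
                printf '%s\n' "$output"
                if [ "$status" -eq 0 ]; then
                    return 0
                fi
                return 1
                ;;
        esac
        attempt=$((attempt + 1))
        if [ "$attempt" -le "$VA_MAX_ATTEMPTS" ]; then
            sleep "$VA_PAUSE_SECONDS"
        fi
    done
    return 2
}
```

Treat return code 2 as a failed gate rather than a pass, so that an image that was never scanned is not deployed by default.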
How often are the security notices updated in Vulnerability Advisor?
Security notices for Vulnerability Advisor are loaded from the vendors' operating system sites approximately every 12 hours.
How do I get notified about the security status of an image?
You can see the security status of your images within the Vulnerability Advisor dashboard. You cannot set up notifications.
Which version of a package is installed in my image?
To determine the version of a package that is installed in your image, use the relevant package manager command for your operating system.
Alpine package manager commands
On Alpine, to determine the version of a package that is installed in your image, you can use the following commands, where PACKAGE_NAME is the name of your package.
- To list the metadata for a specific installed package, run the following command:
  apk info PACKAGE_NAME
- To list all installed packages and their versions, run the following command:
  apk list
Debian and Ubuntu package manager commands
On Debian and Ubuntu, to determine the version of a package that is installed in your image, you can use the following commands, where PACKAGE_NAME is the name of your package.
- To list the metadata for a specific installed package, run either of the following commands:
  apt show PACKAGE_NAME
  dpkg-query -l PACKAGE_NAME
- To list all installed packages and their versions, run either of the following commands:
  apt list
  dpkg-query -W
Red Hat and CentOS package manager commands
On Red Hat® OpenShift® and CentOS, to determine the version of a package that is installed in your image, you can use the following commands, where PACKAGE_NAME is the name of your package.
- To list the metadata for a specific installed package, run either of the following commands:
  rpm -qi PACKAGE_NAME
  yum info PACKAGE_NAME
- To list all installed packages and their versions, run either of the following commands:
  rpm -qa
  yum list installed
Does Vulnerability Advisor have versions?
Vulnerability Advisor version 4 is the only version available. For more information, see Managing image security with Vulnerability Advisor.