Why does Clair find more vulnerabilities than Docker Hub?

Time: 2018-02-09 08:52:22

Tags: security docker containers clair

I have started using Clair to scan my images for vulnerabilities. I noticed that, according to Clair, the standard Docker Hub Python and Debian stretch images have a lot of vulnerabilities in them. On Docker Hub, these images only mention a vulnerability in zlib. Why is there such a discrepancy?

Docker Hub: https://hub.docker.com/r/library/python/tags/3.6-slim-stretch/

Clair (via clair-scanner):

$ clair-scanner --ip "$local_ip" python:3.6-slim-stretch
2018/02/09 09:50:09 [INFO] ▶ Start clair-scanner
2018/02/09 09:50:11 [INFO] ▶ Server listening on port 9279
2018/02/09 09:50:11 [INFO] ▶ Analyzing c7549efd5dc0e5ae0c658deb653375fd2314224e1add79f9e94517a3aaa3fd9d
2018/02/09 09:50:13 [INFO] ▶ Analyzing 526e7e1b9f95c059ce50995de300dac4b8b9351340ee6ea09f9dcf782fd5af34
2018/02/09 09:50:13 [INFO] ▶ Analyzing 6b5b41e64517319f9013f245d0f8afb5612bd30766e3e4c65a418f6120186089
2018/02/09 09:50:15 [INFO] ▶ Analyzing 066fe932e0cbb6207e05383d7063cbaafc115f75416b2364281166fa4fa2df7f
2018/02/09 09:50:15 [INFO] ▶ Analyzing 476923b051f9d157ea4903f1b1e5c694dcbb3edb91e4159918b125b350a0f349
2018/02/09 09:50:15 [WARN] ▶ Image [python:3.6-slim-stretch] contains 42 total vulnerabilities
2018/02/09 09:50:15 [ERRO] ▶ Image [python:3.6-slim-stretch] contains 42 unapproved vulnerabilities

clair-scanner found 42 vulnerabilities in the python:3.6-slim-stretch image. The situation is the same when using clairctl:

$ docker pull python:3.6-slim-stretch
3.6-slim-stretch: Pulling from library/python
Digest: sha256:5dc3fa18a0fab0326052a95bada5582c08d324bfc24ced84aeb7ae681b93d2e5
Status: Image is up to date for python:3.6-slim-stretch
$ clairctl push -l python:3.6-slim-stretch 
python:3.6-slim-stretch has been pushed to Clair
$ clairctl analyze -l python:3.6-slim-stretch

Image: docker.io/python:3.6-slim-stretch

 Unknown: 6
 Negligible: 22
 Low: 4
 Medium: 7
 High: 4
 Critical: 0
 Defcon1: 0

However, when trying to upgrade it, there are no packages:

$ docker run --rm -it python:3.6-slim-stretch bash
root@243dfeabc84b:/# apt-get update
...
root@243dfeabc84b:/# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  sensible-utils
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 10.8 kB of archives.
After this operation, 49.2 kB disk space will be freed.
Do you want to continue? [Y/n] n

So why does Clair find so many false positives?
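A triage step that helps answer the question above is to split a Clair report by whether the distribution actually ships a fixed package version, which is what `apt-get dist-upgrade` would pick up. This is an added example, not code from the post or from the Clair project; it assumes clair-scanner's JSON report (`-r report.json`) uses the `vulnerabilities`, `featurename`, `severity` and `fixedby` field names, and the sample report is constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample in the shape of a clair-scanner JSON report. The field
# names are an assumption about that format; the package names and
# CVE-EXAMPLE-* identifiers are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "image": "python:3.6-slim-stretch",
    "unapproved": ["CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002", "CVE-EXAMPLE-0003"],
    "vulnerabilities": [
        {"featurename": "libfoo", "featureversion": "1.0-1",
         "vulnerability": "CVE-EXAMPLE-0001", "namespace": "debian:9",
         "severity": "High", "fixedby": "1.0-1+deb9u1"},
        {"featurename": "libbar", "featureversion": "2.3-4",
         "vulnerability": "CVE-EXAMPLE-0002", "namespace": "debian:9",
         "severity": "Negligible", "fixedby": ""},
        {"featurename": "libbaz", "featureversion": "0.9-2",
         "vulnerability": "CVE-EXAMPLE-0003", "namespace": "debian:9",
         "severity": "Medium", "fixedby": ""},
    ],
})


def triage(report_json):
    """Split findings into those a package upgrade would address (a fixed
    version exists in the distro feed) and those with no fix available yet.
    A report where almost everything lands in 'unfixed' is consistent with
    apt-get finding nothing to upgrade; it does not by itself prove the
    findings are false positives."""
    report = json.loads(report_json)
    findings = report["vulnerabilities"]
    fixable = [v for v in findings if v.get("fixedby")]
    unfixed = [v for v in findings if not v.get("fixedby")]
    return {
        "image": report["image"],
        "total": len(findings),
        "fixable": fixable,
        "unfixed": unfixed,
        "by_severity": dict(Counter(v["severity"] for v in findings)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{result['image']}: {result['total']} findings, "
          f"{len(result['fixable'])} fixable, {len(result['unfixed'])} unfixed")
    for v in result["fixable"]:
        print(f"  upgrade {v['featurename']} to {v['fixedby']} ({v['vulnerability']})")
```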

0 answers:

No answers