FAQ for Vulnerability Advisor
Frequently asked questions for the Vulnerability Advisor component of IBM Cloud® Container Registry.
For frequently asked questions about Container Registry, see FAQ for Container Registry.
How do I manage vulnerabilities?
You can use Vulnerability Advisor to manage image security and vulnerabilities.
For more information, see Managing image security with Vulnerability Advisor.
How much does Vulnerability Advisor cost?
The cost of Vulnerability Advisor is built into the pricing for IBM Cloud Container Registry. For more information, see Billing for storage and pull traffic.
Can images from other registries be scanned by Vulnerability Advisor?
Vulnerability Advisor scans images from IBM Cloud Container Registry only.
How is a Vulnerability Advisor scan triggered?
For more information about how the scanning of an image is triggered, see Vulnerable packages.
Why doesn't my image scan in Vulnerability Advisor v4?
If your image isn't being scanned, check that it has a tag. In Vulnerability Advisor version 4, images are scanned only if they have a tag.
Why doesn't a new image scan in Vulnerability Advisor?
If you get the vulnerability report immediately after you add the image to the registry, you might receive the following error:
BXNVA0009E: <imagename> has not been scanned. Try again later.
If this issue persists, contact support for help;
see https://cloud.ibm.com/docs/get-support?topic=get-support-getting-customer-support#getting-customer-support
You receive this message because the images are scanned asynchronously to the requests for results, and the scanning process takes a while to complete. During normal operation, the scan completes within the first few minutes after you add the image to the registry. The time that it takes to complete depends on variables like the size of the image and the amount of traffic that the registry is receiving.
If you get this message as part of a build pipeline and you see this error regularly, try adding some retry logic that contains a short pause.
If you still see unacceptable performance, contact support. For more information, see Getting help and support for Container Registry.
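One way to write the retry logic for a build pipeline, as an added example that is not IBM's own code: it retries only while the report request returns BXNVA0009E, and it fails closed if the image is never scanned. It assumes the report is requested with `ibmcloud cr va IMAGE`; the `VA_CMD` variable, the function name, and exit status 75 are choices made for this example.

```shell
#!/bin/sh
# Added example: retry a Vulnerability Advisor report request only while
# the scan is still pending (BXNVA0009E); any other result is returned as is.

# Assumption: the report is requested with "ibmcloud cr va IMAGE".
# Set VA_CMD to point at a different command or wrapper.
VA_CMD=${VA_CMD:-"ibmcloud cr va"}

# va_report_with_retry IMAGE [MAX_ATTEMPTS] [PAUSE_SECONDS]
# Returns 0 with the report on stdout, 75 (chosen by this example) if the
# image is still unscanned after MAX_ATTEMPTS, or VA_CMD's own status for
# any other failure, which is not retried.
va_report_with_retry() {
    image=$1
    max_attempts=${2:-10}
    pause=${3:-30}
    attempt=1

    while [ "$attempt" -le "$max_attempts" ]; do
        # Capture output and status without tripping "set -e" in the caller.
        out=$($VA_CMD "$image" 2>&1) && rc=0 || rc=$?

        case $out in
            *BXNVA0009E*)
                echo "attempt $attempt/$max_attempts: $image not scanned yet" >&2
                ;;
            *)
                # A real report, or an unrelated error such as a login
                # failure: pass output and status through unchanged.
                printf '%s\n' "$out"
                return "$rc"
                ;;
        esac

        attempt=$((attempt + 1))
        if [ "$attempt" -le "$max_attempts" ]; then
            sleep "$pause"
        fi
    done

    echo "giving up: $image still unscanned after $max_attempts attempts" >&2
    return 75
}
```

A pipeline step that calls this function should stop on any nonzero status, so that an image without a completed scan is never promoted.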
How often are the security notices updated in Vulnerability Advisor?
Security notices for Vulnerability Advisor are loaded from the vendors' operating system sites approximately every 12 hours.
How do I get notified about the security status of an image?
You can see the security status of your images within the Vulnerability Advisor dashboard. You cannot set up notifications.
Which version of a package is installed in my image?
To determine the version of a package that is installed in your image, use the relevant package manager command for your operating system.
Alpine package manager commands
On Alpine, to determine the version of a package that is installed in your image, you can use the following commands, where PACKAGE_NAME is the name of your package.
- To list the metadata for a specific installed package, run the following command:
    apk info PACKAGE_NAME
- To list all installed packages and their versions, run the following command:
    apk list --installed
Debian and Ubuntu package manager commands
On Debian and Ubuntu, to determine the version of a package that is installed in your image, you can use the following commands, where PACKAGE_NAME is the name of your package.
- To list the metadata for a specific installed package, run either of the following commands:
    apt show PACKAGE_NAME
    dpkg-query -l PACKAGE_NAME
- To list all installed packages and their versions, run either of the following commands:
    apt list --installed
    dpkg-query -W
Red Hat and CentOS package manager commands
On Red Hat® OpenShift® and CentOS, to determine the version of a package that is installed in your image, you can use the following commands, where PACKAGE_NAME is the name of your package.
- To list the metadata for a specific installed package, run either of the following commands:
    rpm -qi PACKAGE_NAME
    yum info PACKAGE_NAME
- To list all installed packages and their versions, run either of the following commands:
    rpm -qa
    yum list installed
Does Vulnerability Advisor have versions?
Vulnerability Advisor version 4 is the only version available. For more information, see Managing image security with Vulnerability Advisor.
Vulnerability Advisor version 3 is discontinued from 13 November 2023. For more information about how to update to version 4, see Vulnerability Advisor version 3 is being discontinued on 13 November 2023.