From 3f51191d23c67c689a9e7d9976a0207463c48784 Mon Sep 17 00:00:00 2001 From: supereagle Date: Sat, 25 Feb 2017 23:08:50 +0800 Subject: [PATCH 01/21] configurable for TLS server's certificate chain and hostname verification when pulling layers --- cmd/clair/main.go | 8 ++++++++ ext/imagefmt/driver.go | 17 ++++++++++++++++- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/cmd/clair/main.go b/cmd/clair/main.go index 754e54e5..11f0de4c 100644 --- a/cmd/clair/main.go +++ b/cmd/clair/main.go @@ -30,6 +30,7 @@ import ( "github.com/coreos/clair" "github.com/coreos/clair/api" "github.com/coreos/clair/database" + "github.com/coreos/clair/ext/imagefmt" "github.com/coreos/clair/pkg/stopper" // Register database driver. @@ -123,6 +124,7 @@ func main() { flagConfigPath := flag.String("config", "/etc/clair/config.yaml", "Load configuration from the specified file.") flagCPUProfilePath := flag.String("cpu-profile", "", "Write a CPU profile to the specified file before exiting.") flagLogLevel := flag.String("log-level", "info", "Define the logging level.") + flagInsecureTLS := flag.Bool("insecure-tls", false, "Disable TLS server's certificate chain and hostname verification when pulling layers.") flag.Parse() // Check for dependencies. @@ -149,5 +151,11 @@ func main() { defer stopCPUProfiling(startCPUProfiling(*flagCPUProfilePath)) } + // Enable TLS server's certificate chain and hostname verification + // when pulling layers if specified + if *flagInsecureTLS { + imagefmt.SetInsecureTLS(*flagInsecureTLS) + } + Boot(config) } diff --git a/ext/imagefmt/driver.go b/ext/imagefmt/driver.go index 6b14f48e..97f3bf79 100644 --- a/ext/imagefmt/driver.go +++ b/ext/imagefmt/driver.go @@ -21,6 +21,7 @@ package imagefmt import ( + "crypto/tls" "fmt" "io" "math" @@ -38,6 +39,10 @@ var ( // ErrCouldNotFindLayer is returned when we could not download or open the layer file. ErrCouldNotFindLayer = commonerr.NewBadRequestError("could not find layer") + // insecureTLS controls whether TLS server's certificate chain and hostname are verified + // when pulling layers, verified in default. + insecureTLS = false + log = capnslog.NewPackageLogger("github.com/coreos/clair", "ext/imagefmt") extractorsM sync.RWMutex @@ -116,7 +121,11 @@ func Extract(format, path string, headers map[string]string, toExtract []string) } // Send the request and handle the response. - r, err := http.DefaultClient.Do(request) + tr := &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: insecureTLS}, + } + client := &http.Client{Transport: tr} + r, err := client.Do(request) if err != nil { log.Warningf("could not download layer: %s", err) return nil, ErrCouldNotFindLayer @@ -148,3 +157,9 @@ func Extract(format, path string, headers map[string]string, toExtract []string) return nil, commonerr.NewBadRequestError(fmt.Sprintf("unsupported image format '%s'", format)) } + +// SetInsecureTLS sets the insecureTLS to control whether TLS server's certificate chain +// and hostname are verified when pulling layers. +func SetInsecureTLS(insecure bool) { + insecureTLS = insecure +} From 3f78744bcc26518c4441711ed9477366e4b1c4a2 Mon Sep 17 00:00:00 2001 From: supereagle Date: Tue, 28 Feb 2017 13:41:09 +0800 Subject: [PATCH 02/21] remove MAINTAINER from Dockerfile --- Dockerfile | 2 -- 1 file changed, 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index ac0b81c1..151c3deb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,8 +14,6 @@ FROM golang:1.8-alpine -MAINTAINER Quentin Machu - VOLUME /config EXPOSE 6060 6061 From 300fe980ef44134d23b21afd643fa9336210c0f2 Mon Sep 17 00:00:00 2001 From: Jimmy Zelinskie Date: Tue, 28 Feb 2017 12:55:54 -0500 Subject: [PATCH 03/21] ext/vulnsrc/ubuntu: add missing version format --- ext/vulnsrc/ubuntu/ubuntu.go | 7 +++++-- ext/vulnsrc/ubuntu/ubuntu_test.go | 22 ++++++++++++++++------ 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/ext/vulnsrc/ubuntu/ubuntu.go b/ext/vulnsrc/ubuntu/ubuntu.go index 70602e6c..6ef3633a 100644 --- a/ext/vulnsrc/ubuntu/ubuntu.go +++ b/ext/vulnsrc/ubuntu/ubuntu.go @@ -377,8 +377,11 @@ func parseUbuntuCVE(fileContent io.Reader) (vulnerability database.Vulnerability // Create and add the new package. featureVersion := database.FeatureVersion{ Feature: database.Feature{ - Namespace: database.Namespace{Name: "ubuntu:" + database.UbuntuReleasesMapping[md["release"]]}, - Name: md["package"], + Namespace: database.Namespace{ + Name: "ubuntu:" + database.UbuntuReleasesMapping[md["release"]], + VersionFormat: dpkg.ParserName, + }, + Name: md["package"], }, Version: version, } diff --git a/ext/vulnsrc/ubuntu/ubuntu_test.go b/ext/vulnsrc/ubuntu/ubuntu_test.go index 3b9fd2ae..5cdbd9a4 100644 --- a/ext/vulnsrc/ubuntu/ubuntu_test.go +++ b/ext/vulnsrc/ubuntu/ubuntu_test.go @@ -24,6 +24,7 @@ import ( "github.com/coreos/clair/database" "github.com/coreos/clair/ext/versionfmt" + "github.com/coreos/clair/ext/versionfmt/dpkg" ) func TestUbuntuParser(t *testing.T) { @@ -46,22 +47,31 @@ func TestUbuntuParser(t *testing.T) { expectedFeatureVersions := []database.FeatureVersion{ { Feature: database.Feature{ - Namespace: database.Namespace{Name: "ubuntu:14.04"}, - Name: "libmspack", + Namespace: database.Namespace{ + Name: "ubuntu:14.04", + VersionFormat: dpkg.ParserName, + }, + Name: "libmspack", }, Version: versionfmt.MaxVersion, }, { Feature: database.Feature{ - Namespace: database.Namespace{Name: "ubuntu:15.04"}, - Name: "libmspack", + Namespace: database.Namespace{ + Name: "ubuntu:15.04", + VersionFormat: dpkg.ParserName, + }, + Name: "libmspack", }, Version: "0.4-3", }, { Feature: database.Feature{ - Namespace: database.Namespace{Name: "ubuntu:15.10"}, - Name: "libmspack-anotherpkg", + Namespace: database.Namespace{ + Name: "ubuntu:15.10", + VersionFormat: dpkg.ParserName, + }, + Name: "libmspack-anotherpkg", }, Version: "0.1", }, From 212d08547c925b8713b7550c759789575bba1981 Mon Sep 17 00:00:00 2001 From: Paul Burt Date: Fri, 3 Mar 2017 13:45:25 -0500 Subject: [PATCH 04/21] Adding production users and integrations pages --- Documentation/integrations.md | 19 +++++++++++++++++++ Documentation/production-users.md | 8 ++++++++ README.md | 10 ++++------ 3 files changed, 31 insertions(+), 6 deletions(-) create mode 100644 Documentation/integrations.md create mode 100644 Documentation/production-users.md diff --git a/Documentation/integrations.md b/Documentation/integrations.md new file mode 100644 index 00000000..b02f53c6 --- /dev/null +++ b/Documentation/integrations.md @@ -0,0 +1,19 @@ +# Integrations +This document tracks projects that integrate with Clair. [Join the community](https://github.com/coreos/clair/), and help us keep the list up-to-date. + +## Projects + +[Quay.io](https://quay.io/): the first container registry to integrate with Clair. + +[Dockyard](https://github.com/Huawei/dockyard): an open source container registry with Clair integration. + +[Clairctl](https://github.com/jgsqware/clairctl): a lightweight command-line tool for working locally with Clair and generate HTML report. + +[Clair-SQS](https://github.com/zalando-incubator/clair-sqs): a container containing Clair and additional processes that integrate Clair with [Amazon SQS][sqs]. + +[Klar](https://github.com/optiopay/klar): a simple command-line integration of Clair and Docker registry, designed to be used in scripts and CI. + +[reg](https://github.com/jessfraz/reg#vulnerability-reports): a docker registry CLI, which also runs Clair. + + +[sqs]: https://aws.amazon.com/sqs/ \ No newline at end of file diff --git a/Documentation/production-users.md b/Documentation/production-users.md new file mode 100644 index 00000000..f74d9bfc --- /dev/null +++ b/Documentation/production-users.md @@ -0,0 +1,8 @@ +# Production users + +This document tracks people and use cases for Clair in production. [Join the community](https://github.com/coreos/Clair/), and help us keep the list up-to-date. + +## [Quay.io](https://quay.io/) + +Quay is CoreOS' enterprise-ready container registry. It displays the results of a Clair security scan on each hosted image's page. + diff --git a/README.md b/README.md index a0a2aca0..1ca6ff5e 100644 --- a/README.md +++ b/README.md @@ -204,10 +204,8 @@ To expose the new behavior, unqualified imports to the package must be added in - _Clair: A Container Image Security Analyzer @ Microservices NYC_ - [Event](https://www.meetup.com/Microservices-NYC/events/230023492/) [Video](https://www.youtube.com/watch?v=ynwKi2yhIX4) [Slides](https://docs.google.com/presentation/d/1ly9wQKQIlI7rlb0JNU1_P-rPDHU4xdRCCM3rxOdjcgc) - _Clair: A Container Image Security Analyzer @ Container Orchestration NYC_ - [Event](https://www.meetup.com/Container-Orchestration-NYC/events/229779466/) [Video](https://www.youtube.com/watch?v=wTfCOUDNV_M) [Slides](https://docs.google.com/presentation/d/1ly9wQKQIlI7rlb0JNU1_P-rPDHU4xdRCCM3rxOdjcgc) -### Projects Integrating with Clair +### Integrations and Production Users + +- [Projects integrating with Clair](https://github.com/coreos/clair/blob/master/Documentation/integrations.md) +- [Production users](https://github.com/coreos/clair/blob/master/Documentation/production-users.md) -- [Quay](https://quay.io): the first container registry to integrate with Clair -- [Dockyard](https://github.com/containerops/dockyard): an open source container registry with Clair integration -- [Clairctl](https://github.com/jgsqware/clairctl): a lightweight command-line tool for working locally with Clair and generate HTML report -- [Clair w/ SQS](https://github.com/zalando/clair-sqs): a container containing Clair and additional processes that integrate Clair with [Amazon SQS](https://aws.amazon.com/sqs) -- [Klar](https://github.com/optiopay/klar): a simple command-line integration of Clair and Docker registry, designed to be used in scripts and CI From a5b92feb46dd12244672ed2ddf27350046ae2c1d Mon Sep 17 00:00:00 2001 From: Brandon Philips Date: Sun, 5 Mar 2017 14:26:02 -0800 Subject: [PATCH 05/21] integrations: add quay enterprise as well --- Documentation/integrations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Documentation/integrations.md b/Documentation/integrations.md index b02f53c6..ec9007e3 100644 --- a/Documentation/integrations.md +++ b/Documentation/integrations.md @@ -3,7 +3,7 @@ This document tracks projects that integrate with Clair. [Join the community](ht ## Projects -[Quay.io](https://quay.io/): the first container registry to integrate with Clair. +[Quay.io](https://quay.io/) and [Quay Enterprise](https://quay.io/plans/?tab=enterprise): Quay was the first container registry to integrate with Clair. [Dockyard](https://github.com/Huawei/dockyard): an open source container registry with Clair integration. @@ -16,4 +16,4 @@ This document tracks projects that integrate with Clair. [Join the community](ht [reg](https://github.com/jessfraz/reg#vulnerability-reports): a docker registry CLI, which also runs Clair. -[sqs]: https://aws.amazon.com/sqs/ \ No newline at end of file +[sqs]: https://aws.amazon.com/sqs/ From aeecaed8963ed61a0634d285858bb75e51248558 Mon Sep 17 00:00:00 2001 From: Robin Alster Date: Mon, 6 Mar 2017 16:32:10 +0100 Subject: [PATCH 06/21] add Alpine 3.5 Data Source Readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1ca6ff5e..bd618931 100644 --- a/README.md +++ b/README.md @@ -164,7 +164,7 @@ By indexing the features of an image into the database, images only need to be r | [Ubuntu CVE Tracker] | Ubuntu 12.04, 12.10, 13.04, 14.04, 14.10, 15.04, 15.10, 16.04 namespaces | [dpkg] | [GPLv2] | | [Red Hat Security Data] | CentOS 5, 6, 7 namespaces | [rpm] | [CVRF] | | [Oracle Linux Security Data] | Oracle Linux 5, 6, 7 namespaces | [rpm] | [CVRF] | -| [Alpine SecDB] | Alpine 3.3, Alpine 3.4 namespaces | [apk] | [MIT] | +| [Alpine SecDB] | Alpine 3.3, Alpine 3.4, Alpine 3.5 namespaces | [apk] | [MIT] | | [NIST NVD] | Generic Vulnerability Metadata | N/A | [Public Domain] | [Debian Security Bug Tracker]: https://security-tracker.debian.org/tracker From cca55ed7640c58410ddda591b9234aae267ed060 Mon Sep 17 00:00:00 2001 From: "ruokai.lai" Date: Tue, 7 Mar 2017 12:11:20 +1100 Subject: [PATCH 07/21] add in a sum for total errors. 0 return 1 when there are any errors, so that it can break our CI pipeline when needed --- contrib/analyze-local-images/main.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/contrib/analyze-local-images/main.go b/contrib/analyze-local-images/main.go index f36526e2..9852f880 100644 --- a/contrib/analyze-local-images/main.go +++ b/contrib/analyze-local-images/main.go @@ -270,7 +270,10 @@ func AnalyzeLocalImage(imageName string, minSeverity types.Priority, endpoint, m fmt.Printf("%s No vulnerabilities were detected in your image\n", color.GreenString("Success!")) } else if !hasVisibleVulnerabilities { fmt.Printf("%s No vulnerabilities matching the minimum severity level were detected in your image\n", color.YellowString("NOTE:")) - } + } else { + errorTotal := errors.New("total Errors: "+strconv.Itoa(len(vulnerabilities))) + return errorTotal + } return nil } From 121611834f8f3bdd73f9516f87c1eedd89108e1c Mon Sep 17 00:00:00 2001 From: "ruokai.lai" Date: Tue, 7 Mar 2017 17:24:15 +1100 Subject: [PATCH 08/21] make it one sentence --- contrib/analyze-local-images/main.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/contrib/analyze-local-images/main.go b/contrib/analyze-local-images/main.go index 9852f880..f3c836b8 100644 --- a/contrib/analyze-local-images/main.go +++ b/contrib/analyze-local-images/main.go @@ -271,8 +271,7 @@ func AnalyzeLocalImage(imageName string, minSeverity types.Priority, endpoint, m } else if !hasVisibleVulnerabilities { fmt.Printf("%s No vulnerabilities matching the minimum severity level were detected in your image\n", color.YellowString("NOTE:")) } else { - errorTotal := errors.New("total Errors: "+strconv.Itoa(len(vulnerabilities))) - return errorTotal + return fmt.Errorf("A total of %d vulnerabilities have been detected in your image", len(vulnerabilities)) } return nil From 324ad5f2435d02a10211e3134fb3353aeb62c55d Mon Sep 17 00:00:00 2001 From: Jimmy Zelinskie Date: Wed, 15 Mar 2017 16:05:31 -0400 Subject: [PATCH 09/21] *: move all references in README to HEAD This change also points the Docker Compose file use HEAD. --- README.md | 34 ++++++++++++---------------------- docker-compose.yml | 2 +- 2 files changed, 13 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index bd618931..9f7dbf04 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ Please use [releases] instead of the `master` branch in order to get stable bina ![Clair Logo](https://cloud.githubusercontent.com/assets/343539/21630811/c5081e5c-d202-11e6-92eb-919d5999c77a.png) -Clair is an open source project for the static analysis of vulnerabilities in [appc] and [docker] containers. +Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including [appc] and [docker]). Vulnerability data is continuously imported from a known set of sources and correlated with the indexed contents of container images in order to produce lists of vulnerabilities that threaten a container. When vulnerability data changes upstream, a notification can be delivered, and the API queried to provide the previous state and new state of the vulnerability along with the images affected by both. @@ -50,12 +50,13 @@ Clair detects some vulnerabilities and sends a webhook to your continuous deploy During the first run, Clair will bootstrap its database with vulnerability data from its data sources. It can take several minutes before the database has been fully populated. -**NOTE:** These setups are not meant for production workloads, but as a quick way to get started. +**NOTE:** These setups are meant for running HEAD and not production workloads; please use a stable release in production. ### Kubernetes -An easy way to run Clair is with Kubernetes 1.2+. -If you are using the [CoreOS Kubernetes single-node instructions][single-node] for Vagrant you will be able to access the Clair's API at http://172.17.4.99:30060/ after following these instructions. +If you don't have a local Kubernetes cluster already, check out [minikube]. + +[minikube]: https://github.com/kubernetes/minikube ``` git clone https://github.com/coreos/clair @@ -64,18 +65,13 @@ kubectl create secret generic clairsecret --from-file=./config.yaml kubectl create -f clair-kubernetes.yaml ``` -[single-node]: https://coreos.com/kubernetes/docs/latest/kubernetes-on-vagrant-single.html ### Docker Compose -Another easy way to get an instance of Clair running is to use Docker Compose to run everything locally. -This runs a PostgreSQL database insecurely and locally in a container. -This method should only be used for testing. - ```sh -$ curl -L https://raw.githubusercontent.com/coreos/clair/v1.2.4/docker-compose.yml -o $HOME/docker-compose.yml +$ curl -L https://raw.githubusercontent.com/coreos/clair/master/docker-compose.yml -o $HOME/docker-compose.yml $ mkdir $HOME/clair_config -$ curl -L https://raw.githubusercontent.com/coreos/clair/v1.2.4/config.example.yaml -o $HOME/clair_config/config.yaml +$ curl -L https://raw.githubusercontent.com/coreos/clair/master/config.example.yaml -o $HOME/clair_config/config.yaml $ $EDITOR $HOME/clair_config/config.yaml # Edit database source to be postgresql://postgres:password@postgres:5432?sslmode=disable $ docker-compose -f $HOME/docker-compose.yml up -d ``` @@ -83,19 +79,13 @@ $ docker-compose -f $HOME/docker-compose.yml up -d Docker Compose may start Clair before Postgres which will raise an error. If this error is raised, manually execute `docker-compose start clair`. - ### Docker -This method assumes you already have a [PostgreSQL 9.4+] database running. -This is the recommended method for production deployments. - -[PostgreSQL 9.4+]: http://postgresql.org - ```sh -$ mkdir $HOME/clair_config -$ curl -L https://raw.githubusercontent.com/coreos/clair/v1.2.4/config.example.yaml -o $HOME/clair_config/config.yaml -$ $EDITOR $HOME/clair_config/config.yaml # Add the URI for your postgres database -$ docker run -d -p 6060-6061:6060-6061 -v $HOME/clair_config:/config quay.io/coreos/clair:v1.2. -config=/config/config.yaml +$ mkdir $PWD/clair_config +$ curl -L https://raw.githubusercontent.com/coreos/clair/master/config.example.yaml -o $PWD/clair_config/config.yaml +$ docker run -d -e POSTGRES_PASSWORD="" -p 5432:5432 postgres:9.6 +$ docker run -d -p 6060-6061:6060-6061 -v $PWD/clair_config:/config quay.io/coreos/clair-git:latest -config=/config/config.yaml ``` ### Source @@ -115,7 +105,7 @@ In addition, Clair requires that [git], [bzr], [rpm], and [xz] be available on t $ go get github.com/coreos/clair $ go install github.com/coreos/clair/cmd/clair $ $EDITOR config.yaml # Add the URI for your postgres database -$ ./$GOBIN/clair -config=config.yaml +$ ./$GOPATH/bin/clair -config=config.yaml ``` ### Container images diff --git a/docker-compose.yml b/docker-compose.yml index 39f9096b..17df0ff3 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -9,7 +9,7 @@ services: clair: container_name: clair_clair - image: quay.io/coreos/clair:v1.2.2 + image: quay.io/coreos/clair-git:latest restart: unless-stopped depends_on: - postgres From 257e84212d4521d91abe80e11c12458b48cceca6 Mon Sep 17 00:00:00 2001 From: supereagle Date: Thu, 16 Mar 2017 10:18:18 +0800 Subject: [PATCH 10/21] update docker image spec url --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bd618931..46b59742 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ Our goal is to enable a more transparent view of the security of container-based Thus, the project was named `Clair` after the French term which translates to *clear*, *bright*, *transparent*. [appc]: https://github.com/appc/spec -[docker]: https://github.com/docker/docker/blob/master/image/spec/v1.md +[docker]: https://github.com/docker/docker/blob/master/image/spec/v1.2.md [extended programmatically]: #customization [releases]: https://github.com/coreos/clair/releases From 6a50bbb8b89cb78e38a9cb13b3cfc3fff277739c Mon Sep 17 00:00:00 2001 From: Kevin Burke Date: Mon, 3 Apr 2017 16:08:18 -0700 Subject: [PATCH 11/21] api: fix 404 error logging The first value is an integer and the second value is a string and the format string has these backwards, leading to %!s(int=404) appearing in the logs instead of "404". --- api/router.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/router.go b/api/router.go index 76d9b827..74658814 100644 --- a/api/router.go +++ b/api/router.go @@ -52,7 +52,7 @@ func (rtr router) ServeHTTP(w http.ResponseWriter, r *http.Request) { return } - log.Infof("%s %d %s %s", http.StatusNotFound, r.Method, r.RequestURI, r.RemoteAddr) + log.Infof("%d %s %s %s", http.StatusNotFound, r.Method, r.RequestURI, r.RemoteAddr) http.NotFound(w, r) } From b398a221a4d965e72f392b2e4ee79a393eb46614 Mon Sep 17 00:00:00 2001 From: Kevin Burke Date: Mon, 3 Apr 2017 16:23:00 -0700 Subject: [PATCH 12/21] Update heading in the README I was trying to audit some images I use locally at the command line. I missed the relevant instructions until the third time I read the README. Hopefully this new heading and text make it easier to catch the reader's eye. For more on README readability, please see https://www.youtube.com/watch?v=sQP_hUNCrcE. --- README.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 732265a9..97d6da8d 100644 --- a/README.md +++ b/README.md @@ -27,12 +27,12 @@ Thus, the project was named `Clair` after the French term which translates to *c ## Common Use Cases -### Manual Auditing +### Audit a single Docker image locally You're building an application and want to depend on a third-party container image that you found by searching the internet. To make sure that you do not knowingly introduce a new vulnerability into your production service, you decide to scan the container for vulnerabilities. -You `docker pull` the container to your development machine and start an instance of Clair. -Once it finishes updating, you use the [local image analysis tool] to analyze the container. +Run `docker pull` to put the image on your development machine and then start an instance of Clair. +Once it finishes updating, use the [local image analysis tool] to analyze the container. You realize this container is vulnerable to many critical CVEs, so you decide to use another one. [local image analysis tool]: https://github.com/coreos/clair/tree/master/contrib/analyze-local-images @@ -198,4 +198,3 @@ To expose the new behavior, unqualified imports to the package must be added in - [Projects integrating with Clair](https://github.com/coreos/clair/blob/master/Documentation/integrations.md) - [Production users](https://github.com/coreos/clair/blob/master/Documentation/production-users.md) - From 3b2c4e5e92aaa49d2e90a5c2ab39fb79cbed4117 Mon Sep 17 00:00:00 2001 From: Jimmy Zelinskie Date: Mon, 10 Apr 2017 16:30:25 -0400 Subject: [PATCH 13/21] README: improve readability This change takes into consideration the points from @kevinburke's talk on readability. --- README.md | 139 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 77 insertions(+), 62 deletions(-) diff --git a/README.md b/README.md index 97d6da8d..fd5b9c5d 100644 --- a/README.md +++ b/README.md @@ -13,9 +13,10 @@ Please use [releases] instead of the `master` branch in order to get stable bina Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including [appc] and [docker]). -Vulnerability data is continuously imported from a known set of sources and correlated with the indexed contents of container images in order to produce lists of vulnerabilities that threaten a container. -When vulnerability data changes upstream, a notification can be delivered, and the API queried to provide the previous state and new state of the vulnerability along with the images affected by both. -All major components can be [extended programmatically] at compile-time without forking the project. +1. In regular intervals, Clair ingests vulnerability metadata from a configured set of sources and stores it in the database. +2. Clients use the Clair API to index their container images; this parses a list of installed _source packages_ stores them in the database. +3. Clients use the Clair API to query the database; combining this data is done in real time, rather than a cached result that needs re-scanning. +4. When updates to vulnerability metadata occur, a webhook can be configured to page or block deployments. Our goal is to enable a more transparent view of the security of container-based infrastructure. Thus, the project was named `Clair` after the French term which translates to *clear*, *bright*, *transparent*. @@ -25,34 +26,50 @@ Thus, the project was named `Clair` after the French term which translates to *c [extended programmatically]: #customization [releases]: https://github.com/coreos/clair/releases -## Common Use Cases +## When would I use Clair? -### Audit a single Docker image locally +* You've found an image by searching the internet and want to determine if it's safe enough for you to use in production. +* You're regularly deploying into a containerized production environment and want operations to alert or block deployments on insecure software. -You're building an application and want to depend on a third-party container image that you found by searching the internet. -To make sure that you do not knowingly introduce a new vulnerability into your production service, you decide to scan the container for vulnerabilities. -Run `docker pull` to put the image on your development machine and then start an instance of Clair. -Once it finishes updating, use the [local image analysis tool] to analyze the container. -You realize this container is vulnerable to many critical CVEs, so you decide to use another one. +## Documentation -[local image analysis tool]: https://github.com/coreos/clair/tree/master/contrib/analyze-local-images +The latest stable documentation can be found [on the CoreOS website]. +Documentation for the current branch can be found [inside the Documentation directory][docs-dir] at the root of the project's source code. -### Container Registry Integration +[on the CoreOS website]: https://coreos.com/clair/docs/latest/ +[docs-dir]: /Documentation -Your company has a continuous-integration pipeline and you want to stop deployments if they introduce a dangerous vulnerability. -A developer merges some code into the master branch of your codebase. -The first step of your continuous-integration pipeline automates the testing and building of your container and pushes a new container to your container registry. -Your container registry notifies Clair which causes the download and indexing of the images for the new container. -Clair detects some vulnerabilities and sends a webhook to your continuous deployment tool to prevent this vulnerable build from seeing the light of day. +## How do I deploy Clair? -## Hello Heartbleed +### Container Repositories -During the first run, Clair will bootstrap its database with vulnerability data from its data sources. -It can take several minutes before the database has been fully populated. +Clair is officially packaged and released as a container. -**NOTE:** These setups are meant for running HEAD and not production workloads; please use a stable release in production. +* Stable releases can be found at [quay.io/coreos/clair] +* Stable releases with an embedded instance of [jwtproxy] can be found at [quay.io/coreos/clair-jwt] +* Development releases can be found at [quay.io/coreos/clair-git] -### Kubernetes +[quay.io/coreos/clair]: https://quay.io/repository/coreos/clair +[jwtproxy]: https://github.com/coreos/jwtproxy +[quay.io/coreos/clair-jwt]: https://quay.io/repository/coreos/clair-jwt +[quay.io/coreos/clair-git]: https://quay.io/repository/coreos/clair-git + +### Production Supported + +Clair is professionally supported as a data source for the [Quay] Security Scanning feature. +The setup documentation for using Clair for this environment can be found on the [Quay documentation] on the [CoreOS] website. +Be sure to adjust the version of the documentation to the version of Quay being used in your deployment. + +[Quay]: https://quay.io +[Quay documentation]: https://coreos.com/quay-enterprise/docs/latest/clair.html +[CoreOS]: https://coreos.com + +### Community Supported + +The following are community supported instructions to run Clair in a variety of ways. +**NOTE:** These instructions demonstrate running HEAD and not stable versions. + +#### Kubernetes If you don't have a local Kubernetes cluster already, check out [minikube]. @@ -65,8 +82,7 @@ kubectl create secret generic clairsecret --from-file=./config.yaml kubectl create -f clair-kubernetes.yaml ``` - -### Docker Compose +#### Docker Compose ```sh $ curl -L https://raw.githubusercontent.com/coreos/clair/master/docker-compose.yml -o $HOME/docker-compose.yml @@ -79,7 +95,7 @@ $ docker-compose -f $HOME/docker-compose.yml up -d Docker Compose may start Clair before Postgres which will raise an error. If this error is raised, manually execute `docker-compose start clair`. -### Docker +#### Docker ```sh $ mkdir $PWD/clair_config @@ -88,10 +104,15 @@ $ docker run -d -e POSTGRES_PASSWORD="" -p 5432:5432 postgres:9.6 $ docker run -d -p 6060-6061:6060-6061 -v $PWD/clair_config:/config quay.io/coreos/clair-git:latest -config=/config/config.yaml ``` -### Source +#### Source To build Clair, you need to latest stable version of [Go] and a working [Go environment]. -In addition, Clair requires that [git], [bzr], [rpm], and [xz] be available on the system [$PATH]. +In addition, Clair requires some additional binaries be installed on the system [$PATH]: + +* [git] +* [bzr] +* [rpm] +* [xz] [Go]: https://github.com/golang/go/releases [Go environment]: https://golang.org/doc/code.html @@ -108,35 +129,16 @@ $ $EDITOR config.yaml # Add the URI for your postgres database $ ./$GOPATH/bin/clair -config=config.yaml ``` -### Container images +## Frequently Asked Questions -While container images for every releases are available at [quay.io/repository/coreos/clair], container images built on the latest available source code are available at [quay.io/repository/coreos/clair-git]. +### Who's using Clair? -[quay.io/repository/coreos/clair]: https://quay.io/repository/coreos/clair -[quay.io/repository/coreos/clair-git]: https://quay.io/repository/coreos/clair-git +You can find [production users] and third party [integrations] documented in their respective pages of the local documentation. -## Documentation +[production users]: https://github.com/coreos/clair/blob/master/Documentation/production-users.md +[integrations]: https://github.com/coreos/clair/blob/master/Documentation/integrations.md -The latest stable documentation can be found [on the CoreOS website]. -Documentation for the current branch can be found [inside the Documentation directory][docs-dir] at the root of the project's source code. - -[on the CoreOS website]: https://coreos.com/clair/docs/latest/ -[docs-dir]: /Documentation - -### Architecture at a Glance - -![Simple Clair Diagram](https://cloud.githubusercontent.com/assets/343539/21630809/c1adfbd2-d202-11e6-9dfe-9024139d0a28.png) - -### Terminology - -- *Image* - a tarball of the contents of a container -- *Layer* - an *appc* or *Docker* image that may or maybe not be dependent on another image -- *Feature* - anything that when present could be an indication of a *vulnerability* (e.g. the presence of a file or an installed software package) -- *Feature Namespace* - a context around *features* and *vulnerabilities* (e.g. an operating system) -- *Vulnerability Updater* - a Go package that tracks upstream vulnerability data and imports them into Clair -- *Vulnerability Metadata Appender* - a Go package that tracks upstream vulnerability metadata and appends them into vulnerabilities managed by Clair - -### Vulnerability Analysis +### What do you mean by static analysis? There are two major ways to perform analysis of programs: [Static Analysis] and [Dynamic Analysis]. Clair has been designed to perform *static analysis*; containers never need to be executed. @@ -146,7 +148,7 @@ By indexing the features of an image into the database, images only need to be r [Static Analysis]: https://en.wikipedia.org/wiki/Static_program_analysis [Dynamic Analysis]: https://en.wikipedia.org/wiki/Dynamic_program_analysis -### Default Data Sources +### What data sources does Clair currently support? | Data Source | Data Collected | Format | License | |-------------------------------|--------------------------------------------------------------------------|--------|-----------------| @@ -172,8 +174,28 @@ By indexing the features of an image into the database, images only need to be r [apk]: http://git.alpinelinux.org/cgit/apk-tools/ [MIT]: https://gist.github.com/jzelinskie/6da1e2da728424d88518be2adbd76979 +### What do most deployments look like? -### Customization +From a high-level, most deployments integrate with the registry workflow rather than manual API usage by a human. +They typically take up a form similar to the following diagram: + +![Simple Clair Diagram](https://cloud.githubusercontent.com/assets/343539/21630809/c1adfbd2-d202-11e6-9dfe-9024139d0a28.png) + +### I just started up Clair and nothing appears to be working, what's the deal? + +During the first run, Clair will bootstrap its database with vulnerability data from the configured data sources. +It can take several minutes before the database has been fully populated, but once this data is stored in the database, subsequent updates will take far less time. + +### What terminology do I need to understand to work with Clair internals? + +- *Image* - a tarball of the contents of a container +- *Layer* - an *appc* or *Docker* image that may or maybe not be dependent on another image +- *Feature* - anything that when present could be an indication of a *vulnerability* (e.g. the presence of a file or an installed software package) +- *Feature Namespace* - a context around *features* and *vulnerabilities* (e.g. an operating system) +- *Vulnerability Updater* - a Go package that tracks upstream vulnerability data and imports them into Clair +- *Vulnerability Metadata Appender* - a Go package that tracks upstream vulnerability metadata and appends them into vulnerabilities managed by Clair + +### How can I customize Clair? The major components of Clair are all programmatically extensible in the same way Go's standard [database/sql] package is extensible. Everything extendable is located in the `ext` directory. @@ -185,16 +207,9 @@ To expose the new behavior, unqualified imports to the package must be added in [init()]: https://golang.org/doc/effective_go.html#init [main.go]: https://github.com/coreos/clair/blob/master/cmd/clair/main.go -## Related Links - -### Talks & Slides +### Are there any public presentations on Clair? - _Clair: The Container Image Security Analyzer @ ContainerDays Boston 2016_ - [Event](http://dynamicinfradays.org/events/2016-boston/) [Video](https://www.youtube.com/watch?v=Kri67PtPv6s) [Slides](https://docs.google.com/presentation/d/1ExQGZs-pQ56TpW_ifcUl2l_ml87fpCMY6-wdug87OFU) - _Identifying Common Vulnerabilities and Exposures in Containers with Clair @ CoreOS Fest 2016_ - [Event](https://coreos.com/fest/) [Video](https://www.youtube.com/watch?v=YDCa51BK2q0) [Slides](https://docs.google.com/presentation/d/1pHSI_5LcjnZzZBPiL1cFTZ4LvhzKtzh86eE010XWNLY) - _Clair: A Container Image Security Analyzer @ Microservices NYC_ - [Event](https://www.meetup.com/Microservices-NYC/events/230023492/) [Video](https://www.youtube.com/watch?v=ynwKi2yhIX4) [Slides](https://docs.google.com/presentation/d/1ly9wQKQIlI7rlb0JNU1_P-rPDHU4xdRCCM3rxOdjcgc) - _Clair: A Container Image Security Analyzer @ Container Orchestration NYC_ - [Event](https://www.meetup.com/Container-Orchestration-NYC/events/229779466/) [Video](https://www.youtube.com/watch?v=wTfCOUDNV_M) [Slides](https://docs.google.com/presentation/d/1ly9wQKQIlI7rlb0JNU1_P-rPDHU4xdRCCM3rxOdjcgc) - -### Integrations and Production Users - -- [Projects integrating with Clair](https://github.com/coreos/clair/blob/master/Documentation/integrations.md) -- [Production users](https://github.com/coreos/clair/blob/master/Documentation/production-users.md) From 41f77f495a39b098d6a2e491e8ead146c5d083f7 Mon Sep 17 00:00:00 2001 From: Mats Linander Date: Tue, 11 Apr 2017 11:39:33 -0400 Subject: [PATCH 14/21] minor correction s/maybe/may/ --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fd5b9c5d..452c4c1a 100644 --- a/README.md +++ b/README.md @@ -189,7 +189,7 @@ It can take several minutes before the database has been fully populated, but on ### What terminology do I need to understand to work with Clair internals? - *Image* - a tarball of the contents of a container -- *Layer* - an *appc* or *Docker* image that may or maybe not be dependent on another image +- *Layer* - an *appc* or *Docker* image that may or may not be dependent on another image - *Feature* - anything that when present could be an indication of a *vulnerability* (e.g. the presence of a file or an installed software package) - *Feature Namespace* - a context around *features* and *vulnerabilities* (e.g. an operating system) - *Vulnerability Updater* - a Go package that tracks upstream vulnerability data and imports them into Clair From f36aa12024ad430843110ca2a23140664f6c621d Mon Sep 17 00:00:00 2001 From: Jimmy Zelinskie Date: Tue, 11 Apr 2017 14:57:11 -0400 Subject: [PATCH 15/21] README: clean up after README refactor --- README.md | 41 +++++++++++++++++++++++++---------------- 1 file changed, 25 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 452c4c1a..4b434cae 100644 --- a/README.md +++ b/README.md @@ -14,16 +14,15 @@ Please use [releases] instead of the `master` branch in order to get stable bina Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including [appc] and [docker]). 1. In regular intervals, Clair ingests vulnerability metadata from a configured set of sources and stores it in the database. -2. Clients use the Clair API to index their container images; this parses a list of installed _source packages_ stores them in the database. -3. Clients use the Clair API to query the database; combining this data is done in real time, rather than a cached result that needs re-scanning. -4. When updates to vulnerability metadata occur, a webhook can be configured to page or block deployments. +2. Clients use the Clair API to index their container images; this parses a list of installed _source packages_ and stores them in the database. +3. Clients use the Clair API to query the database; correlating data is done in real time, rather than a cached result that needs re-scanning. +4. When updates to vulnerability metadata occur, a webhook containg the affected images can be configured to page or block deployments. Our goal is to enable a more transparent view of the security of container-based infrastructure. Thus, the project was named `Clair` after the French term which translates to *clear*, *bright*, *transparent*. [appc]: https://github.com/appc/spec [docker]: https://github.com/docker/docker/blob/master/image/spec/v1.2.md -[extended programmatically]: #customization [releases]: https://github.com/coreos/clair/releases ## When would I use Clair? @@ -33,28 +32,28 @@ Thus, the project was named `Clair` after the French term which translates to *c ## Documentation -The latest stable documentation can be found [on the CoreOS website]. -Documentation for the current branch can be found [inside the Documentation directory][docs-dir] at the root of the project's source code. +* [The CoreOS website] has a rendered version of the latest stable documentation +* [Inside the Documentation directory] is the source markdown files for documentation -[on the CoreOS website]: https://coreos.com/clair/docs/latest/ -[docs-dir]: /Documentation +[The CoreOS website]: https://coreos.com/clair/docs/latest/ +[Inside the Documentation directory]: /Documentation -## How do I deploy Clair? +## Deploying Clair ### Container Repositories Clair is officially packaged and released as a container. -* Stable releases can be found at [quay.io/coreos/clair] -* Stable releases with an embedded instance of [jwtproxy] can be found at [quay.io/coreos/clair-jwt] -* Development releases can be found at [quay.io/coreos/clair-git] +* [quay.io/coreos/clair] - Stable releases +* [quay.io/coreos/clair-jwt] - Stable releases with an embedded instance of [jwtproxy] +* [quay.io/coreos/clair-git] - Development releases [quay.io/coreos/clair]: https://quay.io/repository/coreos/clair [jwtproxy]: https://github.com/coreos/jwtproxy [quay.io/coreos/clair-jwt]: https://quay.io/repository/coreos/clair-jwt [quay.io/coreos/clair-git]: https://quay.io/repository/coreos/clair-git -### Production Supported +### Commercially Supported Clair is professionally supported as a data source for the [Quay] Security Scanning feature. The setup documentation for using Clair for this environment can be found on the [Quay documentation] on the [CoreOS] website. @@ -66,9 +65,19 @@ Be sure to adjust the version of the documentation to the version of Quay being ### Community Supported -The following are community supported instructions to run Clair in a variety of ways. **NOTE:** These instructions demonstrate running HEAD and not stable versions. +The following are community supported instructions to run Clair in a variety of ways. +A database instance is required for all instructions. + +Clair currently supports and tests against: + +* [Postgres] 9.4 +* [Postgres] 9.5 +* [Postgres] 9.6 + +[Postgres]: https://www.postgresql.org + #### Kubernetes If you don't have a local Kubernetes cluster already, check out [minikube]. @@ -107,7 +116,7 @@ $ docker run -d -p 6060-6061:6060-6061 -v $PWD/clair_config:/config quay.io/core #### Source To build Clair, you need to latest stable version of [Go] and a working [Go environment]. -In addition, Clair requires some additional binaries be installed on the system [$PATH]: +In addition, Clair requires some additional binaries be installed on the system [$PATH] as runtime dependencies: * [git] * [bzr] @@ -198,7 +207,7 @@ It can take several minutes before the database has been fully populated, but on ### How can I customize Clair? The major components of Clair are all programmatically extensible in the same way Go's standard [database/sql] package is extensible. -Everything extendable is located in the `ext` directory. +Everything extensible is located in the `ext` directory. Custom behavior can be accomplished by creating a package that contains a type that implements an interface declared in Clair and registering that interface in [init()]. To expose the new behavior, unqualified imports to the package must be added in your own custom [main.go], which should then start Clair using `Boot(*config.Config)`. From 590e7e2602526dd5ae1c08436ab98b299e3cd69d Mon Sep 17 00:00:00 2001 From: Jimmy Zelinskie Date: Tue, 11 Apr 2017 15:44:20 -0400 Subject: [PATCH 16/21] ext/featurefmt/dpkg: handle malformed packages --- ext/featurefmt/dpkg/dpkg.go | 3 +++ ext/featurefmt/dpkg/testdata/status | 2 ++ 2 files changed, 5 insertions(+) diff --git a/ext/featurefmt/dpkg/dpkg.go b/ext/featurefmt/dpkg/dpkg.go index 4e72dfc7..e2ebc428 100644 --- a/ext/featurefmt/dpkg/dpkg.go +++ b/ext/featurefmt/dpkg/dpkg.go @@ -97,6 +97,9 @@ func (l lister) ListFeatures(files tarutil.FilesMap) ([]database.FeatureVersion, } else { pkg.Version = version } + } else if line == "" { + pkg.Feature.Name = "" + pkg.Version = "" } // Add the package to the result array if we have all the informations diff --git a/ext/featurefmt/dpkg/testdata/status b/ext/featurefmt/dpkg/testdata/status index d19e2500..153163b8 100644 --- a/ext/featurefmt/dpkg/testdata/status +++ b/ext/featurefmt/dpkg/testdata/status @@ -60,6 +60,8 @@ This package is not necessary for most modern Linux systems, where the udev subsystem provides a more dynamic mechanism for device file management. Original-Maintainer: Debian QA Group +Package: brokenPackageWithNoVersionThatShouldGetThrownOut + Package: libgcc1 Status: install ok installed Priority: required From b2f2b2c854b4e3e15e53616ca221f7953bdc38eb Mon Sep 17 00:00:00 2001 From: Jimmy Zelinskie Date: Tue, 11 Apr 2017 15:48:11 -0400 Subject: [PATCH 17/21] ext/featurefmt/apk: handle malformed packages --- ext/featurefmt/apk/apk.go | 4 ++++ ext/featurefmt/apk/testdata/installed | 2 ++ 2 files changed, 6 insertions(+) diff --git a/ext/featurefmt/apk/apk.go b/ext/featurefmt/apk/apk.go index 2da9ebc6..f8357ba4 100644 --- a/ext/featurefmt/apk/apk.go +++ b/ext/featurefmt/apk/apk.go @@ -66,6 +66,10 @@ func (l lister) ListFeatures(files tarutil.FilesMap) ([]database.FeatureVersion, } else { ipkg.Version = version } + case line == "": + // Restart if the parser reaches another package definition before + // creating a valid package. + ipkg = database.FeatureVersion{} } // If we have a whole feature, store it in the set and try to parse a new diff --git a/ext/featurefmt/apk/testdata/installed b/ext/featurefmt/apk/testdata/installed index 747555d6..712e9465 100644 --- a/ext/featurefmt/apk/testdata/installed +++ b/ext/featurefmt/apk/testdata/installed @@ -20,6 +20,8 @@ R:ld-musl-x86_64.so.1 a:0:0:755 Z:Q1KUwsFGLHn/enpN9+QIpK/FmixtQ= +P:invalidPackageWithoutAVersion + C:Q1yhJHGSZ80L7cL0y4UKKGrBPwrUQ= P:busybox V:1.24.2-r9 From 9a5341724a9bc7870062cfd9c772c9bea31095ad Mon Sep 17 00:00:00 2001 From: David Xia Date: Wed, 12 Apr 2017 10:13:41 -0400 Subject: [PATCH 18/21] Fix typo in API V1 docs --- Documentation/api_v1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Documentation/api_v1.md b/Documentation/api_v1.md index 7797d72b..fadea85f 100644 --- a/Documentation/api_v1.md +++ b/Documentation/api_v1.md @@ -26,7 +26,7 @@ #### Description Every route can optionally provide an `Error` property on the response object. -The HTTP status code of the response should indicate what type of failure occurred and how the client should reaction. +The HTTP status code of the response should indicate what type of failure occurred and how the client should react. #### Client Retry Behavior From e9eb761db6d4093a2cbb907c14a0a99ae4c5982c Mon Sep 17 00:00:00 2001 From: Jimmy Zelinskie Date: Tue, 11 Apr 2017 15:37:54 -0400 Subject: [PATCH 19/21] ROADMAP: refresh with current priorities --- ROADMAP.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/ROADMAP.md b/ROADMAP.md index 1bbdcefd..135d898d 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -7,10 +7,9 @@ The [milestones defined in GitHub](https://github.com/coreos/clair/milestones) r The roadmap below outlines new features that will be added to Clair, and while subject to change, define what future stable will look like. -### Clair 2.0 (July) - -- Standardize component registration -- Revisit database implementation -- Improve release distribution -- Address client UX -- Expand detection capabilities +- Support multiple namespaces per image + - This enables language-level package managers (e.g. npm, pip) +- Improve coverage and readability of documentation +- Decouple the project from Postgres +- gRPC API supporting direct uploads of images +- Support operating Clair without internet access From bcf47f53ee704892483f4d3b1c29f306b1eb6dcf Mon Sep 17 00:00:00 2001 From: Jimmy Zelinskie Date: Wed, 19 Apr 2017 13:13:46 -0400 Subject: [PATCH 20/21] ext/vulnsrc/oracle: fix ELSA version comparison Previously we naively compared integers. However, not all versions have the same length. --- ext/vulnsrc/oracle/oracle.go | 32 ++++++++++++++++++++++++++++++- ext/vulnsrc/oracle/oracle_test.go | 20 +++++++++++++++++++ 2 files changed, 51 insertions(+), 1 deletion(-) diff --git a/ext/vulnsrc/oracle/oracle.go b/ext/vulnsrc/oracle/oracle.go index 40704096..30363416 100644 --- a/ext/vulnsrc/oracle/oracle.go +++ b/ext/vulnsrc/oracle/oracle.go @@ -85,6 +85,36 @@ func init() { vulnsrc.RegisterUpdater("oracle", &updater{}) } +func compareELSA(left, right int) int { + // Fast path equals. + if right == left { + return 0 + } + + lstr := strconv.Itoa(left) + rstr := strconv.Itoa(right) + + for i := range lstr { + // If right is too short to be indexed, left is greater. + if i >= len(rstr) { + return 1 + } + + ldigit, _ := strconv.Atoi(string(lstr[i])) + rdigit, _ := strconv.Atoi(string(rstr[i])) + + if ldigit > rdigit { + return 1 + } else if ldigit < rdigit { + return -1 + } + continue + } + + // Everything the length of left is the same. + return len(lstr) - len(rstr) +} + func (u *updater) Update(datastore database.Datastore) (resp vulnsrc.UpdateResponse, err error) { log.Info("fetching Oracle Linux vulnerabilities") @@ -115,7 +145,7 @@ func (u *updater) Update(datastore database.Datastore) (resp vulnsrc.UpdateRespo r := elsaRegexp.FindStringSubmatch(line) if len(r) == 2 { elsaNo, _ := strconv.Atoi(r[1]) - if elsaNo > firstELSA { + if compareELSA(elsaNo, firstELSA) > 0 { elsaList = append(elsaList, elsaNo) } } diff --git a/ext/vulnsrc/oracle/oracle_test.go b/ext/vulnsrc/oracle/oracle_test.go index 63d3b7ee..bab98bcc 100644 --- a/ext/vulnsrc/oracle/oracle_test.go +++ b/ext/vulnsrc/oracle/oracle_test.go @@ -115,3 +115,23 @@ func TestOracleParser(t *testing.T) { } } } + +func TestELSAComparison(t *testing.T) { + var table = []struct { + left int + right int + expected int + }{ + {20170935, 20170935, 0}, + {20170934, 20170935, -1}, + {20170936, 20170935, 1}, + + {20170935, 201709331, 1}, + {201709351, 20170935, 1}, + {201709331, 20170935, -1}, + } + + for _, tt := range table { + assert.Equal(t, tt.expected, compareELSA(tt.left, tt.right)) + } +} From e772be5f6f75af54bff1c2febd3c863308d53956 Mon Sep 17 00:00:00 2001 From: Jimmy Zelinskie Date: Wed, 19 Apr 2017 16:23:23 -0400 Subject: [PATCH 21/21] contrib: only extract layers from history This tool was written before v2 existed and deduplicated and listed layers out of order in their manifests. --- contrib/analyze-local-images/main.go | 34 ++-------------------------- 1 file changed, 2 insertions(+), 32 deletions(-) diff --git a/contrib/analyze-local-images/main.go b/contrib/analyze-local-images/main.go index f3c836b8..10e571a6 100644 --- a/contrib/analyze-local-images/main.go +++ b/contrib/analyze-local-images/main.go @@ -154,10 +154,7 @@ func AnalyzeLocalImage(imageName string, minSeverity types.Priority, endpoint, m // Retrieve history. log.Println("Retrieving image history") - layerIDs, err := historyFromManifest(tmpPath) - if err != nil { - layerIDs, err = historyFromCommand(imageName) - } + layerIDs, err = historyFromCommand(imageName) if err != nil || len(layerIDs) == 0 { return fmt.Errorf("Could not get image's history: %s", err) } @@ -272,7 +269,7 @@ func AnalyzeLocalImage(imageName string, minSeverity types.Priority, endpoint, m fmt.Printf("%s No vulnerabilities matching the minimum severity level were detected in your image\n", color.YellowString("NOTE:")) } else { return fmt.Errorf("A total of %d vulnerabilities have been detected in your image", len(vulnerabilities)) - } + } return nil } @@ -309,33 +306,6 @@ func save(imageName, path string) error { return nil } -func historyFromManifest(path string) ([]string, error) { - mf, err := os.Open(path + "/manifest.json") - if err != nil { - return nil, err - } - defer mf.Close() - - // https://github.com/docker/docker/blob/master/image/tarexport/tarexport.go#L17 - type manifestItem struct { - Config string - RepoTags []string - Layers []string - } - - var manifest []manifestItem - if err = json.NewDecoder(mf).Decode(&manifest); err != nil { - return nil, err - } else if len(manifest) != 1 { - return nil, err - } - var layers []string - for _, layer := range manifest[0].Layers { - layers = append(layers, strings.TrimSuffix(layer, "/layer.tar")) - } - return layers, nil -} - func historyFromCommand(imageName string) ([]string, error) { var stderr bytes.Buffer cmd := exec.Command("docker", "history", "-q", "--no-trunc", imageName)