Vulnerability Static Analysis for Containers

Clair


Clair is an open source project for the static analysis of vulnerabilities in appc and docker containers.

Vulnerability data is continuously imported from a known set of sources and correlated with the indexed contents of container images in order to produce lists of vulnerabilities that threaten a container. When vulnerability data changes upstream, the previous state and new state of the vulnerability along with the images they affect can be sent via webhook to a configured endpoint. All major components can be customized programmatically at compile-time without forking the project.

Our goal is to enable a more transparent view of the security of container-based infrastructure. Thus, the project was named Clair after the French term which translates to clear, bright, transparent.

Common Use Cases

Manual Auditing

You're building an application and want to depend on a third-party container image that you found by searching the internet. To make sure that you do not knowingly introduce a new vulnerability into your production service, you decide to scan the container for vulnerabilities. You pull the image with docker pull to your development machine and start an instance of Clair. Once it finishes updating, you use the local image analysis tool to analyze the container. You realize this container is vulnerable to many critical CVEs, so you decide to use another one.

Container Registry Integration

Your company has a continuous-integration pipeline and you want to stop deployments if they introduce a dangerous vulnerability. A developer merges some code into the master branch of your codebase. The first step of your continuous-integration pipeline automates the testing and building of your container and pushes a new container to your container registry. Your container registry notifies Clair which causes the download and indexing of the images for the new container. Clair detects some vulnerabilities and sends a webhook to your continuous deployment tool to prevent this vulnerable build from seeing the light of day.

Hello Heartbleed

Requirements

An instance of PostgreSQL 9.4+ is required. All instructions assume the user has already set up this instance. During the first run, Clair will bootstrap its database with vulnerability data from its data sources. This can take several minutes.

Docker

The easiest way to get an instance of Clair running is to simply pull down the latest copy from Quay.

$ mkdir $HOME/clair_config
$ curl -L https://raw.githubusercontent.com/coreos/clair/config.example.yaml -o $HOME/clair_config/config.yaml
$ $EDITOR $HOME/clair_config/config.yaml # Add the URI for your postgres database
$ docker run -p 6060-6061:6060-6061 -v $HOME/clair_config:/config quay.io/coreos/clair -config=/config/config.yaml

Source

To build Clair, you need the latest stable version of Go and a working Go environment.

$ go get github.com/coreos/clair
$ go install github.com/coreos/clair/cmd/clair
$ $EDITOR config.yaml # Add the URI for your postgres database
$ $GOBIN/clair -config=config.yaml

Documentation

Each component's documentation is in the README.md file located in that component's directory.

Architecture at a Glance

Simple Clair Diagram

Terminology

  • Image - a tarball of the contents of a container
  • Layer - an appc or Docker image that may or may not be dependent on another image
  • Detector - a Go package that identifies the content, namespaces and features from a layer
  • Namespace - a context around features and vulnerabilities (e.g. an operating system)
  • Feature - anything that when present could be an indication of a vulnerability (e.g. the presence of a file or an installed software package)
  • Fetcher - a Go package that tracks an upstream vulnerability database and imports its contents into Clair

Vulnerability Analysis

There are two major ways to perform analysis of programs: Static Analysis and Dynamic Analysis. Clair has been designed to perform static analysis; containers never need to be executed. Rather, the filesystem of the container image is inspected and features are indexed into a database. By indexing the features of an image into the database, images only need to be rescanned when new detectors are added.

Default Data Sources

| Data Source                 | Versions                                                  | Format |
|-----------------------------|-----------------------------------------------------------|--------|
| Debian Security Bug Tracker | 6, 7, 8, unstable                                         | dpkg   |
| Ubuntu CVE Tracker          | 12.04, 12.10, 13.04, 14.04, 14.10, 15.04, 15.10, 16.04    | dpkg   |
| Red Hat Security Data       | 5, 6, 7                                                   | rpm    |

Customization

The major components of Clair are all programmatically extensible in the same way Go's standard database/sql package is extensible.

Custom behavior can be accomplished by creating a package that contains a type that implements an interface declared in Clair and registering that implementation in init(). To expose the new behavior, blank (underscore) imports of the package must be added to your main.go, which should then start Clair using Boot(*config.Config).

The following interfaces can have custom implementations registered via init() at compile time:

  • Datastore - the backing storage
  • Notifier - the means by which endpoints are notified of vulnerability changes
  • Fetcher - the sources of vulnerability data that is automatically imported
  • MetadataFetcher - the sources of vulnerability metadata that is automatically added to known vulnerabilities
  • DataDetector - the means by which contents of an image are detected
  • FeatureDetector - the means by which features are identified from a layer
  • NamespaceDetector - the means by which a namespace is identified from a layer
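The registration pattern described above, as an added example that is not Clair's own code: a database/sql-style registry of Fetcher implementations, populated from init() and consumed by an update run. The Vulnerability record, the Fetcher interface, RegisterFetcher, Update and the "constructed-tracker" source are all hypothetical simplifications, not Clair's real API.

```go
package main

import (
	"fmt"
	"sort"
)

// Vulnerability is a constructed, simplified record; Clair's real type carries much more.
type Vulnerability struct{ Namespace, Name, Severity string }

// Fetcher is a hypothetical stand-in for Clair's Fetcher interface: one upstream data source.
type Fetcher interface{ FetchUpdate() ([]Vulnerability, error) }

// fetchers is the registry. init() functions run before main, so no lock is needed here.
var fetchers = make(map[string]Fetcher)

// RegisterFetcher mirrors database/sql.Register: called from init(), panics on a duplicate name.
func RegisterFetcher(name string, f Fetcher) {
	if _, dup := fetchers[name]; dup {
		panic("fetcher: Register called twice for fetcher " + name)
	}
	fetchers[name] = f
}

// Update runs every registered fetcher and returns the merged list, sorted by name.
func Update() ([]Vulnerability, error) {
	var all []Vulnerability
	for name, f := range fetchers {
		vulns, err := f.FetchUpdate()
		if err != nil {
			return nil, fmt.Errorf("fetcher %s: %w", name, err)
		}
		all = append(all, vulns...)
	}
	sort.Slice(all, func(i, j int) bool { return all[i].Name < all[j].Name })
	return all, nil
}

// staticFetcher is a constructed source with fixed data, standing in for a real tracker.
type staticFetcher struct{ vulns []Vulnerability }
func (s staticFetcher) FetchUpdate() ([]Vulnerability, error) { return s.vulns, nil }

// A custom fetcher in its own package registers itself like this; main.go pulls it in with a blank import (import _ "example.com/myfetcher") before calling Boot.
func init() {
	RegisterFetcher("constructed-tracker", staticFetcher{vulns: []Vulnerability{
		{Namespace: "debian:8", Name: "EXAMPLE-0001", Severity: "High"},
	}})
}

func main() { fmt.Println(Update()) } // [{debian:8 EXAMPLE-0001 High}] <nil>
```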

Related Links

  • Talk and Slides @ ContainerDays NYC 2015
  • Quay: the first container registry to integrate with Clair
  • Dockyard: an open source container registry with Clair integration