Continued exploration of Clair image scanning (community edition)

Posted by ericnie


Clair documentation

https://github.com/quay/clair/blob/master/Documentation/running-clair.md

claircli repository

https://github.com/joelee2012/claircli

  • Installation and configuration

mkdir $PWD/clair_config

curl -L https://raw.githubusercontent.com/coreos/clair/master/config.yaml.sample -o $PWD/clair_config/config.yaml

docker run -d -e POSTGRES_PASSWORD="" -p 5432:5432 postgres

docker run --net=host -d -p 6060-6061:6060-6061 -v $PWD/clair_config:/config  quay.io/coreos/clair:latest -config=/config/config.yaml

After starting, Clair downloads the vulnerability feeds and stores them in the PostgreSQL database. This takes a while; wait until fetching has finished.

[root@mirror ~]# docker logs -f 0a4aa93eb96b 
{"Event":"running database migrations","Level":"info","Location":"pgsql.go:216","Time":"2020-01-27 07:48:23.835691"}
{"Event":"database migration ran successfully","Level":"info","Location":"pgsql.go:223","Time":"2020-01-27 07:48:23.840739"}
{"Event":"notifier service is disabled","Level":"info","Location":"notifier.go:77","Time":"2020-01-27 07:48:23.840913"}
{"Event":"starting main API","Level":"info","Location":"api.go:52","Time":"2020-01-27 07:48:23.840946","port":6060}
{"Event":"starting health API","Level":"info","Location":"api.go:85","Time":"2020-01-27 07:48:23.841310","port":6061}
{"Event":"updater service started","Level":"info","Location":"updater.go:83","Time":"2020-01-27 07:48:23.841383","lock identifier":"07fb180b-49f7-4f40-80ca-013b6587807a"}
{"Event":"Handled HTTP request","Level":"info","Location":"router.go:57","Time":"2020-01-27 07:50:09.745914","elapsed time":361665425,"method":"DELETE","remote addr":"192.168.56.108:56760","request uri":"/v1/layers/sha256:bc9ab73e5b14b9fbd3687a4d8c1f1360533d6ee9ffc3f5ecc6630794b40257b7","status":"404"}
{"Event":"failed to write response","Level":"warning","Location":"routes.go:94","Time":"2020-01-27 07:54:46.354907","error":"http: Handler timeout"}
{"Event":"Handled HTTP request","Level":"info","Location":"router.go:57","Time":"2020-01-27 07:54:46.354942","elapsed time":276604498860,"method":"POST","remote addr":"192.168.56.108:56762","request uri":"/v1/layers","status":"201"}
{"Event":"updating vulnerabilities","Level":"info","Location":"updater.go:192","Time":"2020-01-27 07:55:54.897757"}
{"Event":"fetching vulnerability updates","Level":"info","Location":"updater.go:239","Time":"2020-01-27 07:55:54.897791"}
{"Event":"Start fetching vulnerabilities","Level":"info","Location":"ubuntu.go:85","Time":"2020-01-27 07:55:54.897816","package":"Ubuntu"}
{"Event":"Start fetching vulnerabilities","Level":"info","Location":"alpine.go:52","Time":"2020-01-27 07:55:54.921575","package":"Alpine"}
{"Event":"Start fetching vulnerabilities","Level":"info","Location":"debian.go:63","Time":"2020-01-27 07:55:54.943595","package":"Debian"}
{"Event":"Start fetching vulnerabilities","Level":"info","Location":"oracle.go:119","Time":"2020-01-27 07:55:54.944000","package":"Oracle Linux"}
{"Event":"Start fetching vulnerabilities","Level":"info","Location":"rhel.go:92","Time":"2020-01-27 07:55:54.944082","package":"RHEL"}
{"Event":"finished fetching","Level":"info","Location":"updater.go:253","Time":"2020-01-27 07:56:25.455733","updater name":"alpine"}
{"Event":"finished fetching","Level":"info","Location":"updater.go:253","Time":"2020-01-27 07:57:55.854087","updater name":"rhel"}
{"Event":"could not unmarshal Debian's JSON","Level":"error","Location":"debian.go:115","Time":"2020-01-27 08:01:06.093947","error":"read tcp 10.0.3.15:34708->23.111.9.35:443: read: connection reset by peer"}
{"Event":"an error occured when fetching update","Level":"error","Location":"updater.go:246","Time":"2020-01-27 08:01:06.094057","error":"updater/fetchers: could not parse","updater name":"debian"}
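An added check, not part of the original post nor of Clair or claircli: it parses Clair's JSON log lines for the updater start/finish/error events shown above and lists the feeds that never completed, because a scan of an image built on a distribution whose feed failed (Debian here, while the image scanned later is debian:9.5) silently under-reports. The sample lines are constructed in the same shape as the log above; joining the "package" label to the "updater name" by its first word is an assumption.

```python
import json
from typing import Dict, List

# Constructed sample in the same shape as the Clair v2 log lines shown above
# (abridged: only the updater-related events matter here).
SAMPLE_LOG = """\
{"Event":"updater service started","Level":"info","Location":"updater.go:83","Time":"2020-01-27 07:55:54.897757"}
{"Event":"Start fetching vulnerabilities","Level":"info","Location":"ubuntu.go:85","Time":"2020-01-27 07:55:54.897816","package":"Ubuntu"}
{"Event":"Start fetching vulnerabilities","Level":"info","Location":"alpine.go:52","Time":"2020-01-27 07:55:54.921575","package":"Alpine"}
{"Event":"Start fetching vulnerabilities","Level":"info","Location":"debian.go:63","Time":"2020-01-27 07:55:54.943595","package":"Debian"}
{"Event":"finished fetching","Level":"info","Location":"updater.go:253","Time":"2020-01-27 07:56:25.455733","updater name":"alpine"}
{"Event":"an error occured when fetching update","Level":"error","Location":"updater.go:246","Time":"2020-01-27 08:01:06.094057","error":"updater/fetchers: could not parse","updater name":"debian"}
this line is not json and must be skipped
"""


def updater_name(package: str) -> str:
    """Join Clair's "package" label (e.g. "Oracle Linux") to its updater
    name (e.g. "oracle"). Assumption: the first word, lower-cased, matches."""
    return package.split()[0].lower()


def updater_status(log_text: str) -> Dict[str, str]:
    """Map each updater to 'started', 'finished' or 'failed'."""
    status: Dict[str, str] = {}
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip non-JSON noise such as partial or banner lines
        event = rec.get("Event", "")
        if event == "Start fetching vulnerabilities" and "package" in rec:
            status[updater_name(rec["package"])] = "started"
        elif event == "finished fetching" and "updater name" in rec:
            status[rec["updater name"]] = "finished"
        # Clair spells the event "occured"; match the string it actually emits.
        elif event == "an error occured when fetching update" and "updater name" in rec:
            status[rec["updater name"]] = "failed"
    return status


def incomplete_updaters(log_text: str) -> List[str]:
    """Updaters whose feed never finished: a scan of an image built on one of
    these distributions will under-report its vulnerabilities."""
    return sorted(n for n, s in updater_status(log_text).items() if s != "finished")


if __name__ == "__main__":
    print("incomplete updaters:", incomplete_updaters(SAMPLE_LOG))
```

Feed it the output of `docker logs` on the Clair container; an empty list means every feed that started also finished.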

  • Install claircli

curl "https://bootstrap.pypa.io/get-pip.py" -o "get-pip.py"

python get-pip.py

pip install claircli

  • Scanning

[root@mirror images]# claircli -c http://mirror.redhat.ren:6060 docker.io/debian:9.5
2020-01-27 15:28:12,685|INFO|*****************************1******************************
2020-01-27 15:28:12,686|INFO|Analyzing <Image: docker.io/debian:9.5>
2020-01-27 15:28:17,951|INFO|Push layer [1/1]: sha256:bc9ab73e5b14b9fbd3687a4d8c1f1360533d6ee9ffc3f5ecc6630794b40257b7
2020-01-27 15:28:47,134|INFO|Fetch vulnerabilities for <Image: docker.io/debian:9.5>
2020-01-27 15:28:47,207|INFO|Defcon1    : 0
2020-01-27 15:28:47,207|INFO|Critical   : 0
2020-01-27 15:28:47,208|INFO|High       : 0
2020-01-27 15:28:47,208|INFO|Medium     : 0
2020-01-27 15:28:47,208|WARNING|Low        : 26
2020-01-27 15:28:47,208|WARNING|Negligible : 42
2020-01-27 15:28:47,208|WARNING|Unknown    : 30
2020-01-27 15:28:47,208|INFO|Generate html report for docker.io/debian:9.5
2020-01-27 15:28:47,265|INFO|Location: /root/images/clair-docker.io_debian_9.5.html
2020-01-27 15:28:47,265|INFO|============================================================
2020-01-27 15:28:47,265|INFO|            CLAIR ANALYSIS REPORTS: (1) IN TOTAL            
2020-01-27 15:28:47,265|INFO|============================================================
2020-01-27 15:28:47,266|ERROR|IMAGES WITH DETECTED VULNERABILITIES (1)
2020-01-27 15:28:47,266|ERROR|docker.io/debian:9.5

An HTML file is generated in the current directory; opening it shows the scan report.

Scanning private registries and offline image archives still has some problems and needs further investigation.
