
Comments (7)

gregkh avatar gregkh commented on May 18, 2024

But, the distros do provide a list of which packaged versions are vulnerable, which is what this tool is measuring. For things outside of the package manager, yes, it could use the databases you mention here, I'm sure pull requests will be gladly accepted :)

Anyway, this is a great start, and one that has been sorely needed for a long time.

from clair.

david-a-wheeler avatar david-a-wheeler commented on May 18, 2024

Hi Greg! Distros provide a system-level package manager, agreed, but that is not the only package manager involved with a container in many cases.

In my experience, applications (unless they're C/C++) are often developed using both the system-level package manager (to manage system packages) and at least one language-specific package manager and repo. For example, if you develop in JavaScript (especially server-side), there's a good chance you're using the Node Package Manager (npm). Perl users often use CPAN; Python users often use PyPI; Ruby users often use 'gem' or 'bundler' for Ruby gems; Common Lisp users increasingly use QuickLisp. If you develop in Java, there's an excellent chance you're bringing in packages from Maven Central. A summary across several languages is available here: http://www.modulecounts.com/.

The Clair description says that "Clair is a container vulnerability analysis service. It provides the list of vulnerabilities that threaten each container..." If Clair only looks at the system package manager, then it will miss the many vulnerabilities in the packages installed by other mechanisms, such as the language-specific package managers.

BTW, there's another somewhat similar project to Clair here, focused on Docker containers: https://github.com/banyanops/collector, which was referenced in this widely-cited paper: http://www.banyanops.com/blog/analyzing-docker-hub/.

And I completely agree with you - this is a great start, and this kind of tool is really needed. Welcome!


liangchenye avatar liangchenye commented on May 18, 2024

Dependency-Check supports many more package managers:
https://github.com/jeremylong/DependencyCheck/tree/master/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer
It's written in Java and has a different architecture compared to Clair, so I think it is hard to "integrate" them.

But it is a big treasure; it helps Clair implement its 'analyzer' -- detectors/packages.
@Quentin-M is it possible to have a wiki page to list all the missing 'managers'?


Quentin-M avatar Quentin-M commented on May 18, 2024

@liangchenye Definitely! Except if I'm mistaken, you should already have the permissions for that.


philips avatar philips commented on May 18, 2024

@liangchenye @Quentin-M We should just file a bug for each desirable checker and make it "help wanted". Then it is easy to point people at a single source of places where they can help out.


 avatar commented on May 18, 2024

Has this integration been done? If yes, how? Would love to know the current status on this one. We took a different approach, i.e. we just wrote a wrapper for dependency check + retirejs to scan container images layer by layer and are now planning to integrate Clair as well. This is different from what was asked by OP from an integration point of view, but relevant, hence I thought of mentioning it here.

Take a look at https://hub.docker.com/r/deepfenceio/deepfence_depcheck/, very much a work in progress but basic functionality is usable.

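The two points raised in this thread (David's, that a scanner reading only the distro package database misses everything installed by npm, pip and friends, and the comment above about scanning an image layer by layer) can be shown with a small inventory walk. The code below is an added example written for this page; it is not Clair's, Dependency-Check's or deepfence's code, and the three layer tarballs it scans are constructed inline in the `docker save` layout rather than pulled from a registry. Package names, versions and paths in the sample are assumptions chosen for illustration and carry no claim about vulnerabilities. It reads the dpkg status file, an npm `package-lock.json` and a Python `*.dist-info/METADATA` file, records what each layer contributes, and applies OCI whiteout entries (`.wh.` files and `.wh..wh..opq` opaque markers) so the merged view matches what the final filesystem would contain. The deleted lockfile in the last layer is the edge case worth noticing: per-layer scanning still sees it, the merged view does not.

```python
"""Layer-by-layer package inventory of a container image (added example, not project code)."""
import io
import json
import re
import tarfile
from collections import OrderedDict


def _add_file(tar, path, text):
    info = tarfile.TarInfo(path)
    payload = text.encode()
    info.size = len(payload)
    tar.addfile(info, io.BytesIO(payload))


def build_sample_layers():
    """Constructed sample: three layer tarballs as `docker save` would emit them (assumed data)."""
    layers = []
    buf = io.BytesIO()                       # layer 0: base OS, only the dpkg database
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, "var/lib/dpkg/status",
                  "Package: libc6\nVersion: 2.31-13\nStatus: install ok installed\n\n"
                  "Package: bash\nVersion: 5.1-2\nStatus: install ok installed\n\n")
    layers.append(buf.getvalue())
    buf = io.BytesIO()                       # layer 1: app dependencies via npm and pip
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, "app/package-lock.json", json.dumps(
            {"name": "app", "lockfileVersion": 1,
             "dependencies": {"lodash": {"version": "4.17.20"}}}))
        _add_file(tar, "usr/lib/python3/dist-packages/requests-2.25.1.dist-info/METADATA",
                  "Metadata-Version: 2.1\nName: requests\nVersion: 2.25.1\n\nlong description\n")
    layers.append(buf.getvalue())
    buf = io.BytesIO()                       # layer 2: `rm app/package-lock.json` -> whiteout entry
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, "app/.wh.package-lock.json", "")
    layers.append(buf.getvalue())
    return layers


def parse_dpkg_status(text):
    pkgs = []
    for stanza in text.strip().split("\n\n"):       # one stanza per installed package
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        if "Package" in fields and "Version" in fields:
            pkgs.append(("deb", fields["Package"], fields["Version"]))
    return pkgs


def parse_package_lock(text):
    data = json.loads(text)
    pkgs = [("npm", name, meta["version"]) for name, meta in data.get("dependencies", {}).items()]
    for path, meta in data.get("packages", {}).items():   # lockfileVersion 2/3 layout
        if path:                                          # "" is the root project itself
            pkgs.append(("npm", path.rsplit("node_modules/", 1)[-1], meta["version"]))
    return pkgs


def parse_dist_info_metadata(text):
    fields = {}
    for line in text.splitlines():
        if not line:                                      # headers end at the first blank line
            break
        if ": " in line:
            key, value = line.split(": ", 1)
            fields.setdefault(key, value)
    return [("pypi", fields["Name"], fields["Version"])] if {"Name", "Version"} <= fields.keys() else []


DIST_INFO_RE = re.compile(r"(^|/)[^/]+\.dist-info/METADATA$")


def classify(path):
    """Pick a parser by path; None means the file carries no package metadata we read."""
    if path == "var/lib/dpkg/status":
        return parse_dpkg_status
    if path.endswith("package-lock.json"):
        return parse_package_lock
    if DIST_INFO_RE.search(path):
        return parse_dist_info_metadata
    return None


def inventory_image(layers):
    """Return (packages found per layer, packages present in the merged final filesystem)."""
    per_layer, final = [], OrderedDict()                  # final: path -> packages, after whiteouts
    for blob in layers:
        found = []
        with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
            for member in tar.getmembers():
                name = member.name[2:] if member.name.startswith("./") else member.name
                name = name.lstrip("/")
                parent, base = name[: len(name) - len(name.rsplit("/", 1)[-1])], name.rsplit("/", 1)[-1]
                if base == ".wh..wh..opq":                # opaque whiteout: hides the whole directory
                    for path in [p for p in final if p.startswith(parent)]:
                        final.pop(path)
                    continue
                if base.startswith(".wh."):               # plain whiteout: deletes one earlier file
                    final.pop(parent + base[len(".wh."):], None)
                    continue
                parser = classify(name)
                if parser is None or not member.isfile():
                    continue
                pkgs = parser(tar.extractfile(member).read().decode())
                found.extend(pkgs)
                final[name] = pkgs
        per_layer.append(found)
    return per_layer, [p for pkgs in final.values() for p in pkgs]


def missed_by_os_scanner(pkgs):
    """Packages a scanner that reads only the distro database (dpkg here) never sees."""
    return [p for p in pkgs if p[0] != "deb"]


if __name__ == "__main__":
    per_layer, final = inventory_image(build_sample_layers())
    for i, pkgs in enumerate(per_layer):
        print(f"layer {i}: {pkgs}")
    print("final image:", final)
    print("not visible to an OS-package-only scan:", missed_by_os_scanner(final))
```

Reading lockfiles and `dist-info` directories is only evidence of what was declared or installed; a real scanner also has to resolve vendored copies, bundled binaries and packages unpacked outside the usual trees, which is exactly the gap the thread is about.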

hdonnay avatar hdonnay commented on May 18, 2024

We’re declaring bug bankruptcy as part of the release process for a new major version of Clair. Please open a ticket in our issue tracker if you feel this still needs to be addressed, and we'll triage as part of our v4 development process. Thanks!

