Comments (7)
But, the distros do provide a list of which packaged versions are vulnerable, which is what this tool is measuring. For things outside of the package manager, yes, it could use the databases you mention here; I'm sure pull requests will be gladly accepted :)
Anyway, this is a great start, and one that has been sorely needed for a long time.
Hi Greg! Distros provide a system-level package manager, agreed, but that is not the only package manager involved with a container in many cases.
In my experience, applications (unless they're C/C++) are often developed using both the system-level package manager (to manage system packages) and at least one language-specific package manager and repo. For example, if you develop in Javascript (especially server-side), there's a good chance you're using the Node Package Manager (npm). Perl users often use CPAN; Python users often use PyPI; Ruby users often use 'gem' or 'bundler' for Ruby gems; Common Lisp users increasingly use QuickLisp. If you develop in Java, there's an excellent chance you're bringing in packages from Maven Central. A summary across several languages is available here: http://www.modulecounts.com/.
The Clair description says that "Clair is a container vulnerability analysis service. It provides the list of vulnerabilities that threaten each container..." If Clair only looks at the system package manager, then it will miss the many vulnerabilities in the packages installed by other mechanisms, such as the language-specific package managers.
BTW, there's another somewhat similar project to Clair here, focused on Docker containers: https://github.com/banyanops/collector, which was referenced in this widely-cited paper: http://www.banyanops.com/blog/analyzing-docker-hub/.
And I completely agree with you - this is a great start, and this kind of tool is really needed. Welcome!
Dependency-Check supports many more package managers:
https://github.com/jeremylong/DependencyCheck/tree/master/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer
It's written in Java and has a different architecture compared to Clair, so I think it is hard to "integrate" them.
But it is a big treasure; it helps Clair to implement its 'analyzer' -- detectors/packages.
@Quentin-M is it possible to have a wiki page to list all the missing 'managers'?
@liangchenye Definitely! Except if I'm mistaken, you should already have the permissions for that.
@liangchenye @Quentin-M We should just file a bug for each desirable checker and make it "help wanted". Then it is easy to point people at a single source of places where they can help out.
Has this integration been done? If yes, how? Would love to know the current status on this one. We took a different approach, i.e. we just wrote a wrapper for Dependency-Check + retire.js to scan container images layer by layer, and are now planning to integrate Clair as well. This is different from what was asked by the OP from an integration point of view, but relevant, hence I thought of mentioning it here.
Take a look at https://hub.docker.com/r/deepfenceio/deepfence_depcheck/, very much a work in progress but basic functionality is usable.
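A worked illustration of the two points raised in this thread (language-level packages that an OS-package scanner never sees, and scanning an image layer by layer), added here as an example; it is not code from Clair, Dependency-Check, retire.js or the Deepfence wrapper. It reconstructs the final filesystem view from a sequence of layer tars, honouring plain and opaque OCI whiteouts, and then inventories npm, PyPI and RubyGems manifests. The layers, manifests and package names are constructed sample data, and the parsers are deliberately minimal (npm lockfile v1 top-level dependencies, exact == pins only, Gemfile.lock specs lines); both are assumptions of the example.

```python
import io
import json
import re
import tarfile

# Manifest parsers: minimal by design (assumption of this example, not a full implementation).
def parse_package_lock(data):
    """npm package-lock.json (lockfileVersion 1): top-level "dependencies" map."""
    doc = json.loads(data)
    return [("npm", name, info.get("version", ""))
            for name, info in doc.get("dependencies", {}).items()]

def parse_requirements(data):
    """pip requirements.txt: only exact pins (name==version) are inventoried;
    a range such as flask>=1.0 has no single version to match a CVE against."""
    pkgs = []
    for line in data.decode().splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([^\s;]+)", line)
        if m:
            pkgs.append(("pypi", m.group(1).lower(), m.group(2)))
    return pkgs

def parse_gemfile_lock(data):
    """Bundler Gemfile.lock: resolved gems are the 4-space-indented 'name (version)'
    lines; deeper-indented lines are dependency ranges and are skipped."""
    pkgs = []
    for line in data.decode().splitlines():
        m = re.match(r"^    ([A-Za-z0-9_.\-]+) \(([^)]+)\)$", line)
        if m:
            pkgs.append(("rubygems", m.group(1), m.group(2)))
    return pkgs

# Manifest basenames that the dpkg/rpm/apk databases know nothing about.
MANIFESTS = {
    "package-lock.json": parse_package_lock,
    "requirements.txt": parse_requirements,
    "Gemfile.lock": parse_gemfile_lock,
}

def _norm(name):
    """Normalise tar member names ('./app/x', '/app/x') to 'app/x'."""
    name = name[2:] if name.startswith("./") else name
    return name.lstrip("/")

def inventory_layers(layers):
    """Apply layer tars bottom-up; return {path: [(ecosystem, name, version)]} for the
    manifests that survive in the final image. Whiteouts ('.wh.<name>' and the opaque
    '.wh..wh..opq') affect lower layers only, so they are applied before the layer's files."""
    files = {}  # path -> raw bytes, manifests only
    for layer in layers:
        with tarfile.open(fileobj=io.BytesIO(layer), mode="r:*") as tf:
            members = [(_norm(m.name), m) for m in tf.getmembers()]
            for name, _ in members:
                dirname, _, base = name.rpartition("/")
                prefix = dirname + "/" if dirname else ""
                if base == ".wh..wh..opq":
                    doomed = [p for p in files if p.startswith(prefix)]
                elif base.startswith(".wh."):
                    target = prefix + base[len(".wh."):]
                    doomed = [p for p in files if p == target or p.startswith(target + "/")]
                else:
                    continue
                for p in doomed:
                    del files[p]
            for name, m in members:
                if m.isfile() and name.rpartition("/")[2] in MANIFESTS:
                    files[name] = tf.extractfile(m).read()
    return {p: MANIFESTS[p.rpartition("/")[2]](d) for p, d in files.items()}

def make_layer(entries):
    """Build an in-memory tar layer from {path: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, data in entries.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def demo():
    """Three constructed layers: an install, an upgrade plus deletions, a vendored gem set."""
    lock = json.dumps({"lockfileVersion": 1,
                       "dependencies": {"lodash": {"version": "4.17.15"}}}).encode()
    layer1 = make_layer({
        "app/package-lock.json": lock,
        "app/requirements.txt": b"requests==2.19.1  # pinned\nflask>=1.0\n",
        "old/Gemfile.lock": b"GEM\n  specs:\n    nokogiri (1.8.0)\n",
        "tmp/requirements.txt": b"urllib3==1.24.1\n",
    })
    layer2 = make_layer({
        "app/requirements.txt": b"requests==2.31.0\nflask>=1.0\n",  # upgrade replaces the lower file
        "old/.wh.Gemfile.lock": b"",  # whiteout: old/Gemfile.lock must not be reported
        "tmp/.wh..wh..opq": b"",      # opaque whiteout: everything under tmp/ is gone
    })
    layer3 = make_layer({
        "vendor/Gemfile.lock": (b"GEM\n  remote: https://rubygems.org/\n  specs:\n"
                                b"    json (2.3.0)\n    rack (2.2.3)\n      rack-test (>= 0.6)\n"
                                b"\nPLATFORMS\n  ruby\n"),
    })
    return inventory_layers([layer1, layer2, layer3])

if __name__ == "__main__":
    for path, pkgs in sorted(demo().items()):
        for eco, name, version in pkgs:
            print(f"{path}: {eco} {name} {version}")
```

The whiteout handling is the part a naive "grep every layer" wrapper gets wrong: a manifest that was deleted or replaced in a higher layer would otherwise be reported against a version that is no longer in the image, and files copied into a directory that a later layer marks opaque would appear as live. Matching the resulting (ecosystem, name, version) tuples against an advisory database is left out; that lookup is where the per-ecosystem sources discussed above come in.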
We’re declaring bug bankruptcy as part of the release process for a new major version of Clair. Please open a ticket in our issue tracker if you feel this still needs to be addressed, and we'll triage as part of our v4 development process. Thanks!