Published on May 22nd, 2016
Clair – Vulnerability Static Analysis for Containers
Clair is an open source project for the static analysis of vulnerabilities in appc and docker containers.
Clair is named after the French term which translates to clear, bright, transparent.
You docker pull the container to your development machine and start an instance of Clair. Once it finishes updating, you use the local image analysis tool to analyze the container. You realize this container is vulnerable to many critical CVEs, so you decide to use another one.
Kubernetes
$ git clone https://github.com/coreos/clair
$ cd clair/contrib/k8s
$ kubectl create secret generic clairsecret --from-file=./config.yaml
$ kubectl create -f clair-kubernetes.yaml
Docker Compose
Another easy way to get an instance of Clair running is to use Docker Compose to run everything locally. This runs a PostgreSQL database insecurely and locally in a container. This method should only be used for testing.
$ curl -L https://raw.githubusercontent.com/coreos/clair/master/docker-compose.yml -o $HOME/docker-compose.yml
$ mkdir $HOME/clair_config
$ curl -L https://raw.githubusercontent.com/coreos/clair/master/config.example.yaml -o $HOME/clair_config/config.yaml
$ $EDITOR $HOME/clair_config/config.yaml # Edit database source to be postgresql://postgres:password@postgres:5432?sslmode=disable
$ docker-compose -f $HOME/docker-compose.yml up -d
Docker Compose may start Clair before Postgres, which will raise an error. If this error is raised, manually execute docker start clair_clair.
Docker
This method assumes you already have a PostgreSQL 9.4+ database running. This is the recommended method for production deployments.
$ mkdir $HOME/clair_config
$ curl -L https://raw.githubusercontent.com/coreos/clair/master/config.example.yaml -o $HOME/clair_config/config.yaml
$ $EDITOR $HOME/clair_config/config.yaml # Add the URI for your postgres database
$ docker run -d -p 6060-6061:6060-6061 -v $HOME/clair_config:/config quay.io/coreos/clair -config=/config/config.yaml
Source
To build Clair, you need the latest stable version of Go and a working Go environment. In addition, Clair requires that bzr, rpm, and xz be available on the system $PATH.
$ go get github.com/coreos/clair
$ go install github.com/coreos/clair/cmd/clair
$ $EDITOR config.yaml # Add the URI for your postgres database
$ $GOBIN/clair -config=config.yaml
Documentation
Documentation can be found in a README.md file located in the directory of the component.
Architecture at a Glance
Terminology
- Image - a tarball of the contents of a container
- Layer - an appc or Docker image that may or may not be dependent on another image
- Detector - a Go package that identifies the content, namespaces and features from a layer
- Namespace - a context around features and vulnerabilities (e.g. an operating system)
- Feature - anything that when present could be an indication of a vulnerability (e.g. the presence of a file or an installed software package)
- Fetcher - a Go package that tracks an upstream vulnerability database and imports it into Clair
Vulnerability Analysis
There are two major ways to perform analysis of programs: Static Analysis and Dynamic Analysis. Clair has been designed to perform static analysis; containers never need to be executed. Rather, the filesystem of the container image is inspected and features are indexed into a database. By indexing the features of an image into the database, images only need to be rescanned when new detectors are added.
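As an added illustration of this index-once, never-execute design (not code from the Clair project), here is a minimal feature detector for the dpkg format listed under Default Data Sources: it reads a dpkg status document taken from a layer's filesystem and returns the installed packages as namespace-scoped features. The Feature type, the function name and the sample status text are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Feature is an installed package found in a layer, scoped to a namespace
// such as "debian:8" (a hypothetical struct shaped after the terminology above).
type Feature struct{ Namespace, Name, Version string }

// DetectDpkgFeatures parses a /var/lib/dpkg/status style document: stanzas
// separated by blank lines, one "Field: value" per line, continuation lines
// indented by a space. Only packages whose Status ends in "installed" count.
func DetectDpkgFeatures(namespace, status string) []Feature {
	var feats []Feature
	fields := map[string]string{}
	flush := func() { // end of a stanza: emit a feature if the package is installed
		if fields["Package"] != "" && strings.HasSuffix(fields["Status"], " installed") {
			feats = append(feats, Feature{namespace, fields["Package"], fields["Version"]})
		}
		fields = map[string]string{}
	}
	for _, line := range strings.Split(status, "\n") {
		if line == "" {
			flush()
		} else if !strings.HasPrefix(line, " ") { // continuation lines carry no field
			if kv := strings.SplitN(line, ": ", 2); len(kv) == 2 {
				fields[kv[0]] = kv[1]
			}
		}
	}
	flush() // the last stanza need not end with a blank line
	return feats
}

// SampleStatus is constructed input: one installed package with a multi-line
// Description, and one package that was removed but still has a stanza.
const SampleStatus = `Package: openssl
Status: install ok installed
Version: 1.0.1t-1+deb8u2
Description: Secure Sockets Layer toolkit
 note: a continuation line must not be read as a field

Package: telnet
Status: deinstall ok config-files`

func main() {
	fmt.Println(DetectDpkgFeatures("debian:8", SampleStatus))
}
```

Because the result is keyed by namespace, name and version, a later vulnerability import can be matched against the stored features without touching the image again.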
Default Data Sources
| Data Source | Versions | Format |
|---|---|---|
| Debian Security Bug Tracker | 6, 7, 8, unstable | dpkg |
| Ubuntu CVE Tracker | 12.04, 12.10, 13.04, 14.04, 14.10, 15.04, 15.10, 16.04 | dpkg |
| Red Hat Security Data | 5, 6, 7 | rpm |
Customization
The major components of Clair are all programmatically extensible in the same way Go's standard database/sql package is extensible.
Custom behavior can be accomplished by creating a package that contains a type that implements an interface declared in Clair and registering that implementation in init(). To expose the new behavior, unqualified (blank) imports of the package must be added in your main.go, which should then start Clair using Boot(*config.Config).
The following interfaces can have custom implementations registered via init() at compile time:
- Datastore - the backing storage
- Notifier - the means by which endpoints are notified of vulnerability changes
- Fetcher - the sources of vulnerability data that is automatically imported
- MetadataFetcher - the sources of vulnerability metadata that is automatically added to known vulnerabilities
- DataDetector - the means by which contents of an image are detected
- FeatureDetector - the means by which features are identified from a layer
- NamespaceDetector - the means by which a namespace is identified from a layer
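An added example of the init()-registration pattern described above, written in the style of database/sql rather than against Clair's actual API: the Notifier interface, RegisterNotifier, LookupNotifier and logNotifier are hypothetical names chosen for this illustration, not Clair's own.

```go
package main

import "fmt"

// Notifier is a hypothetical interface shaped like the ones listed above,
// not Clair's own declaration.
type Notifier interface {
	Notify(vulnerabilityID string) error
}

// notifiers is the registry. Go runs every init() before main, one at a
// time, so registration needs no lock; lookups after boot are read-only.
var notifiers = map[string]Notifier{}

// RegisterNotifier is what a custom package calls from its init(). As with
// sql.Register, a duplicate name panics so a bad build fails at startup
// instead of silently swapping one implementation for another.
func RegisterNotifier(name string, n Notifier) {
	if _, dup := notifiers[name]; dup {
		panic("notifier: Register called twice for " + name)
	}
	notifiers[name] = n
}

// LookupNotifier is what a Boot-style entry point would call with the
// implementation name taken from config.yaml.
func LookupNotifier(name string) (Notifier, error) {
	if n, ok := notifiers[name]; ok {
		return n, nil
	}
	return nil, fmt.Errorf("notifier: no implementation registered for %q", name)
}

// logNotifier is a constructed implementation. In a real build it lives in
// its own package and main.go pulls it in with `import _ "path/to/pkg"`,
// which runs this init() without referencing any symbol from the package.
type logNotifier struct{ Sent []string }

func (l *logNotifier) Notify(id string) error {
	l.Sent = append(l.Sent, id)
	return nil
}

func init() { RegisterNotifier("log", &logNotifier{}) }

func main() {
	n, _ := LookupNotifier("log") // the name would come from config.yaml
	fmt.Println(n.Notify("CVE-XXXX-PLACEHOLDER"))
}
```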
Related Links
- Talk and Slides @ ContainerDays NYC 2015
- Quay : the first container registry to integrate with Clair
- Dockyard : an open source container registry with Clair integration