arminc / clair-scanner

Docker containers vulnerability scan
Apache License 2.0

Clair returns code 5 on scanning docker.io/openpolicyagent/opa:0.22.0-rootless #107

Open egbertarp opened 4 years ago

egbertarp commented 4 years ago

Within ING bank we have integrated Clair scanning in our global tooling. We have successfully scanned thousands of containers already. However, for the docker.io/openpolicyagent/opa:0.22.0-rootless Clair returns:

docker.io/openpolicyagent/opa:0.22.0-rootless 5d118133328b6416fd87c50190fd3e21654e4c14428d476f19386eb4f36f0155 85770d28fdfd0ecec87939e37bdc49a9a4f7467ee32d231350f1da4055c10224
2020/08/27 12:24:43 [INFO] ▶ Start clair-scanner
2020/08/27 12:24:44 [INFO] ▶ Server listening on port 9279
2020/08/27 12:24:44 [INFO] ▶ Analyzing ed87301cd861106ceeb911493259feaa133630ee7ed9655562840da69fcc0834
2020/08/27 12:24:44 [INFO] ▶ Analyzing 2b012ab21ac13b59d43ae3f65b586c2b9294be5f1dde81f00233f5b5a4ab5c89

2020/08/27 12:24:44 [INFO] ▶ Analyzing 2b012ab21ac13b59d43ae3f65b586c2b9294be5f1dde81f00233f5b5a4ab5c89

##[error]Bash exited with code '5'.

This is roughly our setup:

steps:
- script: |
    docker pull arminc/clair-db:latest
    docker pull arminc/clair-local-scan:latest

    docker inspect -s arminc/clair-db:latest
    docker inspect -s arminc/clair-local-scan:latest

    wget https://github.com/arminc/clair-scanner/releases/download/v12/clair-scanner_linux_amd64
    ls -la ./
    chmod 755 ./clair-scanner_linux_amd64
    ./clair-scanner_linux_amd64 -h

    docker pull openpolicyagent/opa:0.22.0-rootless

    docker run -d --name clair-db arminc/clair-db:latest
    docker run -p 6060:6060 --link clair-db:postgres -d --name clair arminc/clair-local-scan:latest

    ./clair-scanner_linux_amd64 --ip 172.17.0.1 openpolicyagent/opa:0.22.0-rootless

@arminc hope you can shed some light on what is happening in clair-scanner_linux_amd64. Cheers!

Egbert

korzio commented 4 years ago

Probably it's because the image is distroless

➜  clair-scanner git:(master) ✗ ./clair-scanner --log="./test.json" --exit-when-no-features=true --reportAll=true --clair=http://0.0.0.0:6060 --ip host.docker.internal local-opa                                                         
2020/08/27 15:32:17 [INFO] ▶ Start clair-scanner
2020/08/27 15:32:18 [INFO] ▶ Server listening on port 9279
2020/08/27 15:32:18 [INFO] ▶ Analyzing 0ec8650cf1a11343424217b2377e494643b0f33d017d60fcf87f953d59295042
2020/08/27 15:32:18 [INFO] ▶ Analyzing f5683da5f14a936c3f8bb424a6e5a5ae3099ed2c24b3ddaad7844b92418c0807
2020/08/27 15:32:18 [INFO] ▶ image has what %!s(int=0)
2020/08/27 15:32:18 [CRIT] ▶ Could not fetch vulnerabilities. No features have been detected in the image. This usually means that the image isn't supported by Clair

➜  clair-scanner git:(master) ✗ ./clair-scanner --log="./test.json" --exit-when-no-features=true --reportAll=true --clair=http://0.0.0.0:6060 --ip host.docker.internal gcr.io/distroless/base
2020/08/27 15:31:13 [INFO] ▶ Start clair-scanner
2020/08/27 15:31:14 [INFO] ▶ Server listening on port 9279
2020/08/27 15:31:14 [INFO] ▶ Analyzing 9ab058527498877d681029363f2eca8fda7bd5c153e1fbf0e76c5afbef9528ab
2020/08/27 15:31:14 [INFO] ▶ Analyzing 8ce5be9df2ac0ea26766e9a3e6bc27d22922ff7332bf3c44d41f2c1c5ee9bf10
2020/08/27 15:31:15 [INFO] ▶ image has what %!s(int=0)
2020/08/27 15:31:15 [CRIT] ▶ Could not fetch vulnerabilities. No features have been detected in the image. This usually means that the image isn't supported by Clair

DieBauer commented 4 years ago

Related claircore issue: https://github.com/quay/claircore/issues/181
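
Added example, not part of the thread and not clair-scanner's own code: a CI gate that keeps a "no features detected" run from being read as a clean scan. It relies on the two signals shown above (exit status 5 and the `[CRIT]` message in korzio's output); the function names, verdict words and the fail-closed policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a clair-scanner run for a CI gate.
# Signals taken from the thread: exit status 5 and the CRIT message text.
# Verdict names and the fail-closed policy are assumptions of this example.

NO_FEATURES_MSG='No features have been detected in the image'

# classify_scan <exit_status> <log_file>  -> prints one verdict word
classify_scan() {
    rc=$1
    log=$2
    # Fail closed: if the scanner reported no features, no package was
    # checked against the vulnerability database, whatever the exit status.
    if [ "$rc" -eq 5 ] || grep -qF "$NO_FEATURES_MSG" "$log" 2>/dev/null; then
        echo INCONCLUSIVE
    elif [ "$rc" -eq 0 ]; then
        echo PASS
    else
        # Any other non-zero status: findings or a scanner error.
        echo FAIL
    fi
}

# gate <exit_status> <log_file>: succeeds only for a scan that really ran clean.
gate() {
    verdict=$(classify_scan "$1" "$2")
    echo "scan verdict: $verdict (scanner exit status $1)" >&2
    [ "$verdict" = PASS ]
}

# Constructed sample input: two lines copied from the second run quoted above.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
2020/08/27 15:31:14 [INFO] ▶ Server listening on port 9279
2020/08/27 15:31:15 [CRIT] ▶ Could not fetch vulnerabilities. No features have been detected in the image. This usually means that the image isn't supported by Clair
EOF

# Demo: the distroless run is reported as INCONCLUSIVE, not as a pass.
classify_scan 5 "$sample_log"
```

In a pipeline step, capture the scanner's output with `tee` and its exit status, then call `gate "$status" "$logfile"` so that an unsupported image is routed to a different scanner or a manual review instead of being recorded as clean.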