arminc / clair-scanner

Docker containers vulnerability scan
Apache License 2.0

Unknown issues with debian buster #116

Closed HacKanCuBa closed 3 years ago

HacKanCuBa commented 3 years ago

I'm running clair against an image built based on python:3.9-slim, which in turn is based on debian buster. The issue is that clair is reporting a ton of vulns that are not there:

Digest: sha256:1b80f32abe0bd20d0b4fad943e84413f3a53f24eafcc12dc1d08e2367c7dd47a
Status: Downloaded newer image for objectiflibre/clair-scanner:latest
2021/05/03 00:52:03 [INFO] ▶ Start clair-scanner
2021/05/03 00:52:10 [INFO] ▶ Server listening on port 9279
2021/05/03 00:52:10 [INFO] ▶ Analyzing 88a5033f64e4b323c387d762ec17331f9ce8f501b4ad690dbd0776bd36ab04c8
2021/05/03 00:52:17 [INFO] ▶ Analyzing 240f33e375e6857121e6de2c39d59d48ea9ee38c83bd9194953c87359a114cc3
2021/05/03 00:52:18 [INFO] ▶ Analyzing a34d2b4f899901b24bac5e12edf9c017934e853fb0736438d0b599e1c01fc1db
2021/05/03 00:52:18 [INFO] ▶ Analyzing d634b671ceef7f6a52deac8e3ee1b0dc2851d7675481557b4652c8d806a50004
2021/05/03 00:52:18 [INFO] ▶ Analyzing 7c6d6709f625e00641902ead5f725a6ba176a3debc339900161180784bdaa14f
2021/05/03 00:52:18 [INFO] ▶ Analyzing 8fbdbe4e5eacb28bf4a924bc2fd557064b3d91a839f5137b0a5962be1e513cdd
2021/05/03 00:52:19 [INFO] ▶ Analyzing 0571676387e8b74eedfe2d6af9c4ab795ffeb5790b573fa05b6c9e0b5fb4eafd
2021/05/03 00:52:19 [INFO] ▶ Analyzing 2565eda99944164ade39790f49df228d2fe748018e8592ceb5579bd95d1b83c7
2021/05/03 00:52:19 [INFO] ▶ Analyzing d99c63c4ba88b3b03367f41999d6e3f1b81bbe6d2447763e4df15dfdd5e8b66b
2021/05/03 00:52:19 [INFO] ▶ Analyzing b8183782c14f08e6ae295fab4b3f669e845ef066d09db4dc85ff99e39b932891
2021/05/03 00:52:19 [WARN] ▶ Image [registry.gitlab.com/nevrona/public/poetry-docker/feature-debian:0d02321d6751486a69ee7c37c6b1ddfba78b07e8] contains 224 total vulnerabilities
2021/05/03 00:52:19 [ERRO] ▶ Image [registry.gitlab.com/nevrona/public/poetry-docker/feature-debian:0d02321d6751486a69ee7c37c6b1ddfba78b07e8] contains 224 unapproved vulnerabilities

You can see the whole output attached: job.log. The base image is: https://gitlab.com/nevrona/public/poetry-docker/-/blob/0d02321d6751486a69ee7c37c6b1ddfba78b07e8/Dockerfile

Currently I can only disable the scan to bypass it, but this would defeat the entire purpose of scanning with clair. What should I do?

HacKanCuBa commented 3 years ago

Apparently, this is a thing: https://pythonspeed.com/articles/docker-security-scanner/

So I'm closing this.