arminc / clair-scanner

Docker containers vulnerability scan
Apache License 2.0
846 stars 151 forks

feat(): supports distroless images #68

Open davinkevin opened 5 years ago

davinkevin commented 5 years ago

Hi,

Currently, when I try to scan images relying on Distroless (Java in my case, but this happens with every distroless base image), clair-scanner responds with the following output:

```
clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_COMMIT_SHA}
2019/01/21 10:38:31  ▶ Start clair-scanner
2019/01/21 10:38:33  ▶ Server listening on port 9279
2019/01/21 10:38:33  ▶ Analyzing 2bd5d818a479debbbf49c31a7fd62cdaca7490ca3412c531b193ce9e2e342e5a
2019/01/21 10:38:33  ▶ Analyzing 6f2c029817652d184bffa480a2dc32c1a01c35747e4a1278a6064f18e92e3917
2019/01/21 10:38:33  ▶ Analyzing 41caffa90d5a283dac94f170ccd82c7e23a17532392eea388627fb8700a352ae
2019/01/21 10:38:33  ▶ Analyzing 74d2c2ab8fd47f8864c20d790950a67a95f793b934a1c986e18c7238138fa37c
2019/01/21 10:38:33  ▶ Analyzing 556cb9d1211301811fcc9a0f2b2e1b483b570381da1863cd179fd1e321ce6852
2019/01/21 10:38:33  ▶ Analyzing 800d390ab06866c24814a6a283bed53bb63d908724995688fa0971ee6c7ecabb
2019/01/21 10:38:33  ▶ Could not fetch vulnerabilities. No features have been detected in the image. This usually means that the image isn't supported by Clair
```

The problem is that the program exits with an error (exit code 1) because of this message, which potentially breaks our CI pipeline.

This is caused by this line: https://github.com/arminc/clair-scanner/blob/871c1def37ac458cd812633fcf112ef4ade89393/clair.go#L84

I think the program shouldn't end on error in such case, because we don't have any distribution nor flaws in our container at the clair level.

Do you have a solution for this problem? From my point of view, we could have a flag to decide whether this error is fatal or not.

Thanks

/cc @neonox31
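The report above boils down to one observable: clair-scanner exits 1 when Clair answers "No features have been detected in the image", and a non-zero exit is also how the scanner signals other failures, so a CI job cannot tell the two apart from the exit code alone. Until the scanner itself grows a flag for this, the distinction can be made on the CI side from the message text. The wrapper below is an added example written for this page, not code from clair-scanner or from the issue author; it reuses the exact command line and message from the log above and assumes only that the message is printed on the scanner's stdout/stderr (which is what the captured output shows) and that a Clair server is reachable at http://docker:6060 as in the original job.

```sh
#!/bin/sh
# Added example (not part of clair-scanner): CI-side workaround for the
# distroless case reported in this issue. clair-scanner exits 1 when Clair
# reports "No features have been detected in the image", and the same
# exit status is used for real failures, so the wrapper captures the
# scanner's output and inspects it to tell the two apart.

# Exact text of the message seen in the output above.
NO_FEATURES_MSG='No features have been detected in the image'

# classify_scan RC OUTPUT_FILE
# Returns 0 when the pipeline may continue: either the scanner succeeded,
# or it failed only because Clair found no features to analyse (nothing
# was scanned, so nothing was found). Any other non-zero status is passed
# through unchanged so that genuine failures still break the build.
classify_scan() {
  rc=$1
  out=$2
  [ "$rc" -eq 0 ] && return 0
  # -F: match the message as a fixed string, not as a regex.
  if grep -qF "$NO_FEATURES_MSG" "$out"; then
    echo "clair-scanner: no features Clair can analyse in this image;" \
         "treating it as not scanned rather than as failed" >&2
    return 0
  fi
  return "$rc"
}

# scan_image IMAGE
# Runs clair-scanner with the flags used in the report above, keeps its
# own -l log file, captures stdout/stderr for classification, and returns
# the status decided by classify_scan. Assumed environment: the Clair
# server address and whitelist file of the original CI job.
scan_image() {
  image=$1
  out=$(mktemp)
  clair-scanner -c http://docker:6060 --ip "$(hostname -i)" \
    -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml \
    "$image" > "$out" 2>&1
  rc=$?
  cat "$out"
  classify_scan "$rc" "$out"
  rc=$?
  rm -f "$out"
  return "$rc"
}

# Usage in the CI job (not executed here):
#   scan_image "${CI_APPLICATION_REPOSITORY}:${CI_COMMIT_SHA}"
```

The check deliberately keys on the message rather than on the exit status, so a later clair-scanner release that changes the status for this case would still be handled, while any run that ends without that message keeps its original failure status. If the project adds the flag proposed in this issue, the wrapper becomes unnecessary.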

jbergstroem commented 5 years ago

Distroless is built on debian, right? Perhaps map them.

tisc0 commented 5 years ago

Hi guys, I agree, it doesn't make sense to exit with an error and break the CI/CD chain(s) for something that has not actually been scanned by Clair. I'm trying to work around this by excluding some images from the scan with the whitelist file, but without success [yet?]. It would be great to consider either changing the core code or creating a proper option to manually exclude the [distroless] images we don't want to scan. Anyway, thanks again for the nice work on that tool!

tisc0 commented 5 years ago

up

tisc0 commented 5 years ago

Thanks a lot @aubm