jgsqware / clairctl

Tracking container vulnerabilities with Clair Control for CoreOS Clair
Apache License 2.0
229 stars 83 forks

clairctl analyse finds vulnerabilities but generated report is empty #25

Open frezbo opened 7 years ago

frezbo commented 7 years ago
```console
[technoman@technoman openssl_mod]$ $GOPATH/bin/clairctl analyze --local test

Image: /test:latest
 6 layers found

  ➜ Analysis [6abfdb537f90] found 1 vulnerabilities.
  ➜ Analysis [7474b11b9d82] found 1 vulnerabilities.
  ➜ Analysis [6648ba9ac357] found 1 vulnerabilities.
  ➜ Analysis [5ea7935d4b60] found 1 vulnerabilities.
  ➜ Analysis [dfa0bdb07945] found 0 vulnerabilities.
  ➜ Analysis [8866d07828be] found 0 vulnerabilities.
[technoman@technoman openssl_mod]$ $GOPATH/bin/clairctl report --local test
HTML report at reports/html/analysis-test-latest.html
[technoman@technoman openssl_mod]$
```

Here's my Dockerfile

```dockerfile
FROM centos
MAINTAINER Frezbo <docker@frezbo.com>
ENV OPENSSL_VERSION="1.0.2h"
# from https://github.com/openssl/openssl/pull/872/files
COPY no-des.patch /opt
RUN yum -y update \
### Install tools for compiling
&& yum -y install gcc \
&& yum -y install make \
&& yum -y install wget \
&& yum -y install tar \
&& yum -y install perl \
&& yum -y install git \
&& yum -y install patch \
&& yum clean all
## BUILD OpenSSL
RUN wget "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" -P /opt/ \
&& cd /opt/ \
&& tar xzf openssl-${OPENSSL_VERSION}.tar.gz \
&& rm -f openssl-${OPENSSL_VERSION}.tar.gz \
&& git clone https://github.com/cloudflare/sslconfig.git \
&& cd openssl-${OPENSSL_VERSION} \
&& patch -p1 < ../sslconfig/patches/openssl__chacha20_poly1305_draft_and_rfc_ossl102g.patch \
&& mv /opt/no-des.patch /opt/openssl-${OPENSSL_VERSION} \
&& patch -p1 crypto/cms/cms_kari.c < no-des.patch
RUN mkdir -p /hab/pkgs
RUN cd /opt/openssl-${OPENSSL_VERSION} \
&& ./config --prefix=/hab/pkgs no-ssl3 no-rc4 no-camellia no-seed no-comp no-srp no-psk no-idea no-des no-descbcm no-dh \
&& make depend \
&& make \
# && make test \  # make test fails when des is disabled
&& make install \
&& rm -rf /opt/openssl-${OPENSSL_VERSION} /opt/sslconfig
```

Generated report https://drive.google.com/file/d/0B84ansxoO-VOcFV0THF4YXRMMFE/view?usp=sharing

whiteadam commented 7 years ago

I thought this was an issue also, but I think what it is saying in the report is that there are no vulnerabilities in the running layer, make sense?

e.g. `➜ Analysis [8866d07828be] found 0 vulnerabilities.` has no vulnerabilities, so, I assume, if you ran the container, there would be no vulnerabilities, but I might be wrong.

I guess we can ask @jgsqware to clear this up for us :)
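An added example, not part of this thread and not clairctl's own code: a small parser for the per-layer lines `clairctl analyze` printed above. It tallies the count of every layer as well as the last one, so that a "0 vulnerabilities" on the final layer is not read as a clean image while earlier layers still report findings, and it cross-checks the "N layers found" header against the number of layer lines actually parsed. The sample text is constructed from the output quoted in the issue; the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the per-layer lines printed by `clairctl analyze` in this issue.
SAMPLE_OUTPUT = """\
Image: /test:latest
 6 layers found

  ➜ Analysis [6abfdb537f90] found 1 vulnerabilities.
  ➜ Analysis [7474b11b9d82] found 1 vulnerabilities.
  ➜ Analysis [6648ba9ac357] found 1 vulnerabilities.
  ➜ Analysis [5ea7935d4b60] found 1 vulnerabilities.
  ➜ Analysis [dfa0bdb07945] found 0 vulnerabilities.
  ➜ Analysis [8866d07828be] found 0 vulnerabilities.
"""

# One line per analysed layer: "Analysis [<layer id>] found <n> vulnerabilities."
LAYER_RE = re.compile(r"Analysis \[(?P<layer>[0-9a-f]+)\] found (?P<count>\d+) vulnerabilit")
# The header that announces how many layers clairctl expects to analyse.
HEADER_RE = re.compile(r"(?P<n>\d+) layers found")


def parse_layers(output: str) -> List[Tuple[str, int]]:
    """Return (layer_id, vulnerability_count) pairs in the order clairctl printed them."""
    return [(m.group("layer"), int(m.group("count"))) for m in LAYER_RE.finditer(output)]


def declared_layer_count(output: str) -> int:
    """Number of layers announced in the 'N layers found' header, or 0 if absent."""
    m = HEADER_RE.search(output)
    return int(m.group("n")) if m else 0


def summarize(output: str) -> Dict[str, object]:
    """Aggregate the per-layer counts and flag the two situations worth a second look:
    the last layer is clean while earlier layers are not, and the header disagrees
    with the number of layer lines that were actually printed."""
    layers = parse_layers(output)
    counts = [c for _, c in layers]
    declared = declared_layer_count(output)
    total = sum(counts)
    last = counts[-1] if counts else 0
    return {
        "declared_layers": declared,
        "parsed_layers": len(layers),
        "layer_count_mismatch": declared != len(layers),
        "total": total,
        "last_layer": last,
        "layers_with_findings": [lid for lid, c in layers if c > 0],
        # True when reading only the final layer would hide findings from earlier ones.
        "last_clean_but_earlier_findings": bool(counts) and last == 0 and total > 0,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

Run it against a real `clairctl analyze` transcript by replacing `SAMPLE_OUTPUT` with the captured text; when `last_clean_but_earlier_findings` is true, the four layers listed under `layers_with_findings` are the ones to compare against the HTML report before concluding it is empty.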

frezbo commented 7 years ago

@whiteadam I used Clair's official analyze-local-images tool and it exactly reported one vulnerability