Open prasenforu opened 6 years ago
Can you telnet or curl 10.90.1.78:443 from a machine with Klar? It seems that your private registry is unreachable. Also, does it have HTTPS enabled?
If you look at my post, I am able to download images from the private registry, which means it's reachable.
And my private registry is insecure.
Same here, scan works ok for an image on docker hub, but not if I pull the image locally and give its ID to Klar or if I push the image to our private registry and try to scan it from there:
CASE1: With Docker Hub => Works OK:
KLAR_TRACE=true CLAIR_ADDR=localhost:6060 CLAIR_OUTPUT=High CLAIR_THRESHOLD=10 ./klar debian:latest
CASE2: Local image ID => it seems to look for the image ID on Docker Hub instead of locally and therefore can't find/pull it:
KLAR_TRACE=true CLAIR_ADDR=localhost:6060 CLAIR_OUTPUT=High CLAIR_THRESHOLD=10 ./klar 9a5d7185d3a6
----> HTTP REQUEST: GET /v2/library/9a5d7185d3a6/manifests/latest HTTP/1.1 Host: registry-1.docker.io
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"library/9a5d7185d3a6","Action":"pull"}]}]}
Can't pull fsLayers
CASE3: Image in private registry => Same as case 2: it seems to look for it in Docker Hub and obviously ends up with a 404:
KLAR_TRACE=true CLAIR_ADDR=localhost:6060 CLAIR_OUTPUT=High CLAIR_THRESHOLD=10 ./klar priv-registry:443/debian:latest
----> HTTP REQUEST: GET /v2/library/priv-registry/manifests/443:debian:latest HTTP/1.1 Host: registry-1.docker.io
404 page not found
ImageV1 decode error Can't pull image: json: cannot unmarshal number into Go value of type docker.imageV1
I looked in the docs but did not find how to tell Klar in which registry it should look for the image (public registry, local images or private registry).
@prasenforu I can just see that docker can pull images from the registry. It may or may not mean that 10.90.1.78:443 is reachable; it may be listening on port 80 only.
And my private registry is insecure.
Please try to set REGISTRY_INSECURE=true
@khba
CASE2 is not supported by Klar; it doesn't work with local images. Klar is a simple tool to analyze images stored in a private or public Docker registry for security vulnerabilities using Clair.
CASE3: for any registry you need to use the same name as you see in docker images, so the port is not needed.
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
quay.io/coreos/clair-git latest 565aa423300b 7 months ago 423MB
postgres latest 599272bf538f 7 months ago 287MB
$ CLAIR_ADDR=localhost:6060 ./klar quay.io/coreos/clair-git
clair timeout 1m0s
docker timeout: 1m0s
no whitelist file
Analysing 16 layers
Failed to analyze using API v1: push image https://quay.io/v2/coreos/clair-git:latest to Clair failed: can't even read an error message: invalid character 'N' looking for beginning of value
Got results from Clair API v3
Found 2 vulnerabilities
Medium: 1
High: 1
CVE-2017-14166: [Medium]
Found in: libarchive [3.2.2-r2]
Fixed By: 3.3.1-r2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14166
-----------------------------------------
CVE-2017-1000158: [High]
Found in: python2 [2.7.13-r0]
Fixed By: 2.7.14-r0
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000158
-----------------------------------------
Thanks for answering, yes that's the name I have in docker images and that I've been using to push and pull images ever since:
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
priv-registry:443/apache-master INTEG 479e50153046 27 hours ago 127MB
quay.io/coreos/clair v2.0.4 a6cda8543e4c 2 days ago 445MB
postgres latest 730027eb9d78 10 days ago 236MB
debian latest 9a5d7185d3a6 2 weeks ago 101MB
priv-registry:443/debian latest 9a5d7185d3a6 2 weeks ago 101MB
The thing is, with or without '443', we see that it is trying to send the request to pull the layer from Docker Hub instead of pulling it from the actual private registry:
---> HTTP REQUEST: GET /v2/priv-registry/debian/manifests/latest HTTP/1.1 Host: registry-1.docker.io
@khba the port confuses Klar. You may want to try without the port in the image name. If it doesn't help we have a bug and need to investigate.
Is there a command to check if Klar can talk to the private registry? Knowing that the host can talk to the same private registry and push/pull images from it.
I am no Go expert but this may be what's bothering Klar: the fact that my private registry name contains neither "localhost" nor ".", so it assumes it's all part of the image name.
In docker/docker.go line 132:

```go
if part == "localhost" || strings.Contains(part, ".") {
	// it's registry, let's check what's next =port of image name
```
Yup, that's it, it works when I rename my registry from "priv-registry" to "priv.registry"! But this was just a test; not everyone can update registry names as they wish. Anyway, thanks for this great tool!
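As an added illustration of the maintainer's advice above (use the name shown by docker images) and of khba's finding about the check in docker/docker.go (example code written for this thread, not Klar's parser): it contrasts the rule Docker's own reference parser uses to decide whether the first path component is a registry (contains "." or ":", or is "localhost") with a constructed model of the dot-or-localhost check, run over the image names from this thread. Under the narrower check, priv-registry/debian is parsed as a Docker Hub repository, which is what the trace above shows.

```go
package main

import (
	"fmt"
	"strings"
)

// Image is a parsed reference: registry host, repository path and tag.
type Image struct{ Registry, Repo, Tag string }

// splitTag splits off the tag; only a ":" after the last "/" separates a tag.
func splitTag(s string) (repo, tag string) {
	if c := strings.LastIndex(s, ":"); c > strings.LastIndex(s, "/") {
		return s[:c], s[c+1:]
	}
	return s, "latest"
}

// parseDocker follows the rule Docker's own reference parser uses (as I know
// it; not Klar's code): the first component is a registry only if it contains
// "." or ":" or is "localhost"; anything else is a Docker Hub repository.
func parseDocker(name string) Image {
	i := strings.Index(name, "/")
	if i == -1 || (!strings.ContainsAny(name[:i], ".:") && name[:i] != "localhost") {
		repo, tag := splitTag(name)
		if !strings.Contains(repo, "/") {
			repo = "library/" + repo // implicit namespace for official images
		}
		return Image{"docker.io", repo, tag}
	}
	repo, tag := splitTag(name[i+1:])
	return Image{name[:i], repo, tag}
}

// parseDotOnly is a constructed model of the narrower check quoted above:
// a component is a registry only if it is "localhost" or contains a ".".
func parseDotOnly(name string) Image {
	i := strings.Index(name, "/")
	if i == -1 || (name[:i] != "localhost" && !strings.Contains(name[:i], ".")) {
		repo, tag := splitTag(name)
		return Image{"docker.io", repo, tag}
	}
	repo, tag := splitTag(name[i+1:])
	return Image{name[:i], repo, tag}
}

func main() {
	for _, n := range []string{"debian:latest", "priv-registry/debian", "priv-registry:443/debian:latest", "priv.registry/debian"} {
		fmt.Printf("%-32s docker rule: %+v\n%-32s dot-only:    %+v\n", n, parseDocker(n), "", parseDotOnly(n))
	}
}
```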
Thanks!! REGISTRY_INSECURE=true works for my issue.
But I have a quick question regarding the scan.
I am using Harbor (private registry) with Clair as the built-in image scanner.
When I check vulnerabilities (scan) inside Harbor, it shows a different result (High 20), like below.
But when I check with your tool, with the SAME Clair, it shows a different result (High 87).
I assume they (Harbor) are using another tool to scan, but both are using the same database in Clair.
Help wanted:
First of all I want to say thank you for this tool.
I am using Harbor with Clair.
I have downloaded the following two images from Docker,
then pushed them to my LOCAL "Harbor Registry".
If I scan a Docker image, I am able to get results using "klar",
but with the private registry (Harbor):
Note: I am able to download from the private registry (Harbor).