optiopay / klar

Integration of Clair and Docker Registry
MIT License

[BUG] Klar always scans amd64 architecture image although DOCKER_PLATFORM_ARCH=arm64 for multi architecture images #192

Open HarvyNBB opened 1 year ago

HarvyNBB commented 1 year ago

For KLAR_VERSION=2.4.0. For multi-architecture images that contain, for instance, arm64 and amd64 architectures:

docker buildx imagetools inspect private-registry/image/image:latest
Name:      private-registry/image/image:latest
MediaType: application/vnd.docker.distribution.manifest.list.v2+json
Digest:    sha256:950664361b8bb941e7f8d4f5d44a6c26fb646ef865afb6f34ee89790bd39fcc6

Manifests: 
  Name:      private-registry/image/image:latest@sha256:ca3a9e73ff06f67a84fc5fd943d04d2fb13bf4f7d48accf8a54c8b040f789097
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/amd64

  Name:      private-registry/image/image:latest@sha256:b39481e57c15366b3822852c9d65de1876e7c7d3128ff2d88330915e3bc73815
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/arm64

On exporting DOCKER_PLATFORM_ARCH=amd64 and running the Klar command:

.
.
HTTP/1.1 200 OK
.
.
Content-Type: application/vnd.docker.distribution.manifest.v2+json
.
.
Docker-Content-Digest: sha256:ca3a9e73ff06f67a84fc5fd943d04d2fb13bf4f7d48accf8a54c8b040f789097
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:ca3a9e73ff06f67a84fc5fd943d04d2fb13bf4f7d48accf8a54c8b040f789097"
.
.
Analysing 17 layers
Got results from Clair API v1
Whitelisted 7 vulnerabilities
Found 72 vulnerabilities
Unknown: 22
Negligible: 45
Medium: 5

On exporting DOCKER_PLATFORM_ARCH=arm64 and running the Klar command, Klar also shows the sha256 of the amd64 architecture image and the same vulnerability statistics as for amd64:

.
.
HTTP/1.1 200 OK
.
.
Content-Type: application/vnd.docker.distribution.manifest.v2+json
.
.
Docker-Content-Digest: sha256:ca3a9e73ff06f67a84fc5fd943d04d2fb13bf4f7d48accf8a54c8b040f789097
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:ca3a9e73ff06f67a84fc5fd943d04d2fb13bf4f7d48accf8a54c8b040f789097"
.
.
Analysing 17 layers
Got results from Clair API v1
Whitelisted 7 vulnerabilities
Found 72 vulnerabilities
Unknown: 22
Negligible: 45
Medium: 5

As seen, the sha256 shown in the output is always that of the linux/amd64 platform, and the vulnerability statistics are identical.

Also, by analysing the individual single-arch images, the detected vulnerabilities are different:

amd64

.
.
HTTP/1.1 200 OK
.
.
Content-Type: application/vnd.docker.distribution.manifest.v2+json
.
.
Docker-Content-Digest: sha256:ca3a9e73ff06f67a84fc5fd943d04d2fb13bf4f7d48accf8a54c8b040f789097
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:ca3a9e73ff06f67a84fc5fd943d04d2fb13bf4f7d48accf8a54c8b040f789097"
.
.
Analysing 17 layers
Got results from Clair API v1
Whitelisted 7 vulnerabilities
Found 72 vulnerabilities
Unknown: 22
Negligible: 45
Medium: 5
.
.

arm64

.
.
HTTP/1.1 200 OK
.
.
Content-Type: application/vnd.docker.distribution.manifest.v2+json
.
.
Docker-Content-Digest: sha256:b39481e57c15366b3822852c9d65de1876e7c7d3128ff2d88330915e3bc73815
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:b39481e57c15366b3822852c9d65de1876e7c7d3128ff2d88330915e3bc73815"
.
.
Analysing 17 layers
Got results from Clair API v1
Whitelisted 7 vulnerabilities
Found 81 vulnerabilities
Unknown: 22
Negligible: 55
Medium: 4

Note also that on using any irrelevant DOCKER_PLATFORM_ARCH value, Klar still scans the amd64 image.

Steps to reproduce:

  1. export DOCKER_PLATFORM_ARCH=arm64
  2. Run the Klar scan

Actual result:

  1. The image scanned is the amd64 architecture image.

Expected result:

  1. The arm64 architecture image should be the one scanned.
  2. On using any other unsupported DOCKER_PLATFORM_ARCH, Klar should report an error.
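The expected behaviour described in this issue, as an added example in Go (klar's language) that is not klar's own code: resolve a manifest list to the per-platform digest matching DOCKER_PLATFORM_ARCH, and fail when no entry matches or the response is not a manifest list, instead of silently scanning the first (amd64) entry. The sample manifest list is constructed here from the two digests in the imagetools output above; the type and function names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Constructed sample list; the digests are those from the issue's imagetools output.
const sampleManifestList = `{
  "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
  "manifests": [
    {"digest": "sha256:ca3a9e73ff06f67a84fc5fd943d04d2fb13bf4f7d48accf8a54c8b040f789097", "platform": {"architecture": "amd64", "os": "linux"}},
    {"digest": "sha256:b39481e57c15366b3822852c9d65de1876e7c7d3128ff2d88330915e3bc73815", "platform": {"architecture": "arm64", "os": "linux"}}
  ]
}`
// manifestList holds only the fields needed to pick a platform entry.
type manifestList struct {
	MediaType string `json:"mediaType"`
	Manifests []struct {
		Digest   string `json:"digest"`
		Platform struct{ Architecture, OS string } `json:"platform"`
	} `json:"manifests"`
}
// selectPlatformDigest picks the digest for wantOS/wantArch; a missing platform is an error, not a fallback to the first entry.
func selectPlatformDigest(listJSON []byte, wantOS, wantArch string) (string, error) {
	var ml manifestList
	if err := json.Unmarshal(listJSON, &ml); err != nil {
		return "", fmt.Errorf("decode manifest list: %w", err)
	}
	if ml.MediaType != "application/vnd.docker.distribution.manifest.list.v2+json" {
		return "", fmt.Errorf("not a manifest list: %q", ml.MediaType)
	}
	for _, m := range ml.Manifests {
		if m.Platform.OS == wantOS && m.Platform.Architecture == wantArch {
			return m.Digest, nil
		}
	}
	return "", fmt.Errorf("no manifest for platform %s/%s", wantOS, wantArch)
}

func main() {
	arch := os.Getenv("DOCKER_PLATFORM_ARCH") // the variable the issue exports
	digest, err := selectPlatformDigest([]byte(sampleManifestList), "linux", arch)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println("would scan manifest", digest)
}
```

With DOCKER_PLATFORM_ARCH=arm64 this prints the arm64 digest; with an unsupported value such as s390x it exits with an error, which is the second expected result above.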