optiopay / klar

Integration of Clair and Docker Registry
MIT License

Enhancement: get vulnerabilities by image's non-empty top layer #7

Closed supereagle closed 7 years ago

supereagle commented 7 years ago

@hashmap I have finished the enhancement. PTAL, thanks.

Fix #6

hashmap commented 7 years ago

Thanks @supereagle I'm testing it

hashmap commented 7 years ago

Do you have a (public) example of an image with vulnerabilities? Your version always says Found 0 vulnerabilities, perhaps the current version gives false alarms.

supereagle commented 7 years ago

Do you clean up your postgres? If you use an old postgres, maybe the relationships between layers stored in it are not correct, as the current version depends on these relationships to ensure that the vulnerabilities can be retrieved by the non-empty top layer.

supereagle commented 7 years ago

You can have a try on the public image docker.io/nginx:1.9.

supereagle commented 7 years ago

@hashmap Have you tested again?

supereagle commented 7 years ago

Hi Alexey Miroshkin,

I have explained your test results in my comments.

Have you tested this PR again?



hashmap commented 7 years ago

Cool, thanks for your efforts! The only question from my side is: why do you need to reverse the order while pushing layers to Clair?

supereagle commented 7 years ago

The reversed order is the order from parents to children. image.FsLayers[n-1] is the child layer, and image.FsLayers[n] is the parent layer.

hashmap commented 7 years ago

Could you point me to the spec which defines the order of layers for pull? For some reason I thought that the order is different, but could not find any specs now.

supereagle commented 7 years ago

Take docker.io/nginx:latest as an example; its Dockerfile is mainline/jessie/Dockerfile.

And its manifest is:

{
   "schemaVersion": 1,
   "name": "library/nginx",
   "tag": "latest",
   "architecture": "amd64",
   "fsLayers": [
      {
         "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
      },
      {
         "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
      },
      {
         "blobSum": "sha256:d685e39ac8a4ccea462d489b503f9de952f0b8c7a0b0a0548f7a5c20b272668b"
      },
      {
         "blobSum": "sha256:386dc9762af975db201ed66aebd3f8b5f2c24389db4744d54ec47667dcdae26a"
      },
      {
         "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
      },
      {
         "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
      },
      {
         "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
      },
      {
         "blobSum": "sha256:386a066cd84a33a04d560c42bef66d1dd64ebfc76de78550e5fd0f8d57778bca"
      }
   ],
...
}

Comparing its Dockerfile and manifest, you will find just two non-empty layers (d685e39ac8a4ccea462d489b503f9de952f0b8c7a0b0a0548f7a5c20b272668b, 386dc9762af975db201ed66aebd3f8b5f2c24389db4744d54ec47667dcdae26a) for the two RUN commands in the Dockerfile. The order of commands in the Dockerfile is reversed relative to their layers in the manifest.
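As an added illustration of the ordering discussed in this thread (not klar's code and not part of the PR): walk a schema 1 manifest's fsLayers from the end to obtain parent-to-child order, skip the empty-layer blob (the a3ed95... digest repeated in the manifest above), and take the last remaining layer as the top layer to query. The `Layer`/`ParentName` shape and the abbreviated manifest are assumptions made for the example.

```go
package main
import (
	"encoding/json"
	"fmt"
)

// Digest that schema 1 manifests record for empty (metadata-only) layers;
// it is the blobSum repeated throughout the nginx manifest quoted above.
const emptyLayer = "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
// Constructed, abbreviated copy of that manifest (top layer listed first).
var sampleManifest = []byte(`{"schemaVersion":1,"fsLayers":[
{"blobSum":"` + emptyLayer + `"},
{"blobSum":"sha256:d685e39ac8a4ccea462d489b503f9de952f0b8c7a0b0a0548f7a5c20b272668b"},
{"blobSum":"sha256:386dc9762af975db201ed66aebd3f8b5f2c24389db4744d54ec47667dcdae26a"},
{"blobSum":"sha256:386a066cd84a33a04d560c42bef66d1dd64ebfc76de78550e5fd0f8d57778bca"}]}`)
// Layer is the unit pushed to Clair; ParentName links it to the layer below.
type Layer struct{ Name, ParentName string }
// ParentToChild returns the non-empty layers in parent-to-child order: fsLayers lists
// the child first, so it is walked backwards; the last element is the top layer.
func ParentToChild(manifestJSON []byte) ([]Layer, error) {
	var m struct {
		FsLayers []struct {
			BlobSum string `json:"blobSum"`
		} `json:"fsLayers"`
	}
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	var out []Layer
	for i := len(m.FsLayers) - 1; i >= 0; i-- {
		d := m.FsLayers[i].BlobSum
		if d == emptyLayer {
			continue // nothing to analyse in an empty layer
		}
		l := Layer{Name: d}
		if n := len(out); n > 0 {
			l.ParentName = out[n-1].Name
		}
		out = append(out, l)
	}
	return out, nil
}

func main() {
	layers, err := ParentToChild(sampleManifest)
	if err != nil {
		panic(err)
	}
	fmt.Println("top layer to query in Clair:", layers[len(layers)-1].Name)
}
```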

supereagle commented 7 years ago

@hashmap Any points still not clear?