optiopay / klar

Integration of Clair and Docker Registry
MIT License
505 stars 138 forks

Klar Incorrectly Parsing Results #96

Closed mikelnick closed 6 years ago

mikelnick commented 6 years ago

We've been using klar for over a year and rebuild it weekly to run in our pipeline. Recently we noticed it wasn't reporting any high vulns for images we knew to have high vulns. We recently set up Portus to verify that the same Clair server was returning different results and found it to be klar. This was verified with the env var export KLAR_TRACE=true. Here is the output with that flag; you can see it reports "0" at the end.

Our klar image has these values:

ENV CLAIR_ADDR https://clairdns:443
ENV DOCKER_USER dockeruser
ENV JSON_OUTPUT true 
ENV CLAIR_TIMEOUT 3
ENV DOCKER_TIMEOUT 3
ENV CLAIR_OUTPUT High

We pass docker password with klar command

"Severity":"High","Metadata":{"NVD":{"CVSSv2":{"Score":5,"Vectors":"AV:N/AC:L/Au:N/C:P/I:N"}}},"FixedBy":"1.0.1-4ubuntu5.12"},{"Name":"CVE-2016-2180","NamespaceName":"ubuntu:12.04","Description":"The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the \"openssl ts\" command.","Link":"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2180","Severity":"Low","Metadata":{"NVD":{"CVSSv2":{"Score":5,"Vectors":"AV:N/AC:L/Au:N/C:N/I:N"}}},"FixedBy":"1.0.1-4ubuntu5.37"},{"Name":"CVE-2015-3194","NamespaceName":"ubuntu:12.04","Description":"crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter.","Link":"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-3194","Severity":"Medium","Metadata":{"NVD":{"CVSSv2":{"Score":5,"Vectors":"AV:N/AC:L/Au:N/C:N/I:N"}}},"FixedBy":"1.0.1-4ubuntu5.32"},{"Name":"CVE-2014-3507","NamespaceName":"ubuntu:12.04","Description":"Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.","Link":"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-3507","Severity":"Medium","Metadata":{"NVD":{"CVSSv2":{"Score":5,"Vectors":"AV:N/AC:L/Au:N/C:N/I:N"}}},"FixedBy":"1.0.1-4ubuntu5.17"},{"Name":"CVE-2016-2181","NamespaceName":"ubuntu:12.04","Description":"The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early 
use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c.","Link":"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2181","Severity":"Low","Metadata":{"NVD":{"CVSSv2":{"Score":5,"Vectors":"AV:N/AC:L/Au:N/C:N/I:N"}}},"FixedBy":"1.0.1-4ubuntu5.37"},{"Name":"CVE-2014-0195","NamespaceName":"ubuntu:12.04","Description":"The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.","Link":"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-0195","Severity":"Medium","Metadata":{"NVD":{"CVSSv2":{"Score":6.8,"Vectors":"AV:N/AC:M/Au:N/C:P/I:P"}}},"FixedBy":"1.0.1-4ubuntu5.14"},{"Name":"CVE-2015-7575","NamespaceName":"ubuntu:12.04","Description":"Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.","Link":"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-7575","Severity":"Medium","Metadata":{"NVD":{"CVSSv2":{"Score":4.3,"Vectors":"AV:N/AC:M/Au:N/C:N/I:P"}}},"FixedBy":"1.0.1-4ubuntu5.33"},{"Name":"CVE-2015-1792","NamespaceName":"ubuntu:12.04","Description":"The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data 
structure, as demonstrated by an unrecognized X.660 OID for a hash function.","Link":"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-1792","Severity":"Medium","Metadata":{"NVD":{"CVSSv2":{"Score":5,"Vectors":"AV:N/AC:L/Au:N/C:N/I:N"}}},"FixedBy":"1.0.1-4ubuntu5.31"},{"Name":"CVE-2018-0739","NamespaceName":"ubuntu:12.04","Description":"Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).","Link":"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-0739","Severity":"Medium","FixedBy":"1.0.1-4ubuntu5.40"},{"Name":"CVE-2017-3735","NamespaceName":"ubuntu:12.04","Description":"While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.","Link":"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-3735","Severity":"Low","Metadata":{"NVD":{"CVSSv2":{"Score":5,"Vectors":"AV:N/AC:L/Au:N/C:N/I:P"}}},"FixedBy":"1.0.1-4ubuntu5.40"},{"Name":"CVE-2018-0737","NamespaceName":"ubuntu:12.04","Description":"The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). 
Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).","Link":"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-0737","Severity":"Low"}],"AddedBy":"58d5d7cef73096bc3c0b76957960d82640cc5f020b3b86187722730b938fed2965c17d36134c649ed20a7f97df417be369e6db427b8e0c563953035c5728ff50"},{"Name":"libselinux","NamespaceName":"ubuntu:12.04","VersionFormat":"dpkg","Version":"2.1.0-4.1ubuntu1","AddedBy":"58d5d7cef73096bc3c0b76957960d82640cc5f020b3b86187722730b938fed29c3865f9854d6f1c1ad9e8382c5c13f6c0f75b149357a754d690198e298344432"},{"Name":"langpack-locales","NamespaceName":"ubuntu:12.04","VersionFormat":"dpkg","Version":"2.13+git20120306-3","AddedBy":"58d5d7cef73096bc3c0b76957960d82640cc5f020b3b86187722730b938fed29c3865f9854d6f1c1ad9e8382c5c13f6c0f75b149357a754d690198e298344432"},{"Name":"grep","NamespaceName":"ubuntu:12.04","VersionFormat":"dpkg","Version":"2.10-1","Vulnerabilities":[{"Name":"CVE-2012-5667","NamespaceName":"ubuntu:12.04","Description":"Multiple integer overflows in GNU Grep before 2.11 might allow context-dependent attackers to execute arbitrary code via vectors involving a long input line that triggers a heap-based buffer 
overflow.","Link":"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2012-5667","Severity":"Low","Metadata":{"NVD":{"CVSSv2":{"Score":4.4,"Vectors":"AV:L/AC:M/Au:N/C:P/I:P"}}}}],"AddedBy":"58d5d7cef73096bc3c0b76957960d82640cc5f020b3b86187722730b938fed29c3865f9854d6f1c1ad9e8382c5c13f6c0f75b149357a754d690198e298344432"},{"Name":"hostname","NamespaceName":"ubuntu:12.04","VersionFormat":"dpkg","Version":"3.06ubuntu1","AddedBy":"58d5d7cef73096bc3c0b76957960d82640cc5f020b3b86187722730b938fed29c3865f9854d6f1c1ad9e8382c5c13f6c0f75b149357a754d690198e298344432"},{"Name":"makedev","NamespaceName":"ubuntu:12.04","VersionFormat":"dpkg","Version":"2.3.1-89ubuntu2","AddedBy":"58d5d7cef73096bc3c0b76957960d82640cc5f020b3b86187722730b938fed29c3865f9854d6f1c1ad9e8382c5c13f6c0f75b149357a754d690198e298344432"},{"Name":"ubuntu-keyring","NamespaceName":"ubuntu:12.04","VersionFormat":"dpkg","Version":"2011.11.21.1","AddedBy":"58d5d7cef73096bc3c0b76957960d82640cc5f020b3b86187722730b938fed29c3865f9854d6f1c1ad9e8382c5c13f6c0f75b149357a754d690198e298344432"},{"Name":"procps","NamespaceName":"ubuntu:12.04","VersionFormat":"dpkg","Version":"1:3.2.8-11ubuntu6.4","AddedBy":"58d5d7cef73096bc3c0b76957960d82640cc5f020b3b86187722730b938fed29c3865f9854d6f1c1ad9e8382c5c13f6c0f75b149357a754d690198e298344432"},{"Name":"coreutils","NamespaceName":"ubuntu:12.04","VersionFormat":"dpkg","Version":"8.13-3ubuntu3.3","Vulnerabilities":[{"Name":"CVE-2016-2781","NamespaceName":"ubuntu:12.04","Description":"chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input 
buffer.","Link":"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781","Severity":"Low","Metadata":{"NVD":{"CVSSv2":{"Score":2.1,"Vectors":"AV:L/AC:L/Au:N/C:N/I:P"}}}}],"AddedBy":"58d5d7cef73096bc3c0b76957960d82640cc5f020b3b86187722730b938fed29c3865f9854d6f1c1ad9e8382c5c13f6c0f75b149357a754d690198e298344432"},{"Name":"slang2","NamespaceName":"ubuntu:12.04","VersionFormat":"dpkg","Version":"2.2.4-3ubuntu1","AddedBy":"58d5d7cef73096bc3c0b76957960d82640cc5f020b3b86187722730b938fed29c3865f9854d6f1c1ad9e8382c5c13f6c0f75b149357a754d690198e298344432"},{"Name":"util-linux","NamespaceName":"ubuntu:12.04","VersionFormat":"dpkg","Version":"2.20.1-1ubuntu3.1","Vulnerabilities":[{"Name":"CVE-2014-9114","NamespaceName":"ubuntu:12.04","Description":"Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code.","Link":"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-9114","Severity":"Low","Metadata":{"NVD":{"CVSSv2":{"Score":7.2,"Vectors":"AV:L/AC:L/Au:N/C:C/I:C"}}}},{"Name":"CVE-2013-0157","NamespaceName":"ubuntu:12.04","Description":"(a) mount and (b) umount in util-linux 2.14.1, 2.17.2, and probably other versions allow local users to determine the existence of restricted directories by (1) using the --guess-fstype command-line option or (2) attempting to mount a non-existent device, which generates different error messages depending on whether the directory exists.","Link":"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2013-0157","Severity":"Low","Metadata":{"NVD":{"CVSSv2":{"Score":2.1,"Vectors":"AV:L/AC:L/Au:N/C:P/I:N"}}}},{"Name":"CVE-2016-5011","NamespaceName":"ubuntu:12.04","Description":"The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero 
offset.","Link":"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-5011","Severity":"Low","Metadata":{"NVD":{"CVSSv2":{"Score":4.7,"Vectors":"AV:L/AC:M/Au:N/C:N/I:N"}}}}],"AddedBy":"58d5d7cef73096bc3c0b76957960d82640cc5f020b3b86187722730b938fed29c3865f9854d6f1c1ad9e8382c5c13f6c0f75b149357a754d690198e298344432"},{"Name":"bzip2","NamespaceName":"ubuntu:12.04","VersionFormat":"dpkg","Version":"1.0.6-1","Vulnerabilities":[{"Name":"CVE-2016-3189","NamespaceName":"ubuntu:12.04","Description":"Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.","Link":"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-3189","Severity":"Low","Metadata":{"NVD":{"CVSSv2":{"Score":4.3,"Vectors":"AV:N/AC:M/Au:N/C:N/I:N"}}}}],"AddedBy":"58d5d7cef73096bc3c0b76957960d82640cc5f020b3b86187722730b938fed29c3865f9854d6f1c1ad9e83
82c5c13f6c0f75b149357a754d690198e298344432"}]}}

0

{"LayerCount":8,"Vulnerabilities":{}} 

I ran non-JSON as well because it shows the count nicer - just to prove it's not counting high vulns

$ JSON_OUTPUT=false DOCKER_PASSWORD=$DOCKER_PWORD klar $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
clair timeout 3m0s
docker timeout: 3m0s
Analysing 8 layers
Got results from Clair API v1
Found 208 vulnerabilities
Negligible: 27
Low: 148
Medium: 33
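The trace pasted in this report shows the Clair v1 response shape klar consumes (Layer -> Features -> Vulnerabilities, each with a Severity string and optional NVD CVSSv2 metadata). The following is an added example, not klar's own code: a small Go parser over a constructed sample in that shape that tallies vulnerabilities per severity, cross-checks that the tallies sum to the total (the "Found N vulnerabilities" line versus the per-level lines above), and applies a CLAIR_OUTPUT-style threshold. The struct field names are assumed from the visible output, the severity ladder is taken from Clair's documented levels (Unknown, Negligible, Low, Medium, High, Critical, Defcon1), and the CVE-PLACEHOLDER ids in the sample are made up for the example. The comparison is case-insensitive and treats unrecognised severities as Unknown rather than dropping them; that is a defensive choice in this example, not a statement about what caused the bug reported here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal view of the Clair v1 layer response as seen in the trace above.
// Field names are assumptions based on that output, not klar's own types.
type clairLayerResponse struct {
	Layer struct {
		Name     string         `json:"Name"`
		Features []clairFeature `json:"Features"`
	} `json:"Layer"`
}

type clairFeature struct {
	Name            string               `json:"Name"`
	Version         string               `json:"Version"`
	Vulnerabilities []clairVulnerability `json:"Vulnerabilities"`
}

type clairVulnerability struct {
	Name     string `json:"Name"`
	Severity string `json:"Severity"`
	FixedBy  string `json:"FixedBy"`
	Metadata struct {
		NVD struct {
			CVSSv2 struct {
				Score   float64 `json:"Score"`
				Vectors string  `json:"Vectors"`
			} `json:"CVSSv2"`
		} `json:"NVD"`
	} `json:"Metadata"`
}

// Clair's severity ladder, lowest to highest (assumed from Clair's docs).
var severityRank = map[string]int{
	"unknown": 0, "negligible": 1, "low": 2, "medium": 3,
	"high": 4, "critical": 5, "defcon1": 6,
}

// rank normalises case so "High", "high" and "HIGH" compare equal; anything
// unrecognised maps to 0 (Unknown) instead of being silently dropped.
func rank(sev string) int {
	return severityRank[strings.ToLower(strings.TrimSpace(sev))]
}

// CountBySeverity tallies every vulnerability by case-normalised severity
// and returns the grand total alongside the per-level counts.
func CountBySeverity(resp clairLayerResponse) (map[string]int, int) {
	counts := map[string]int{}
	total := 0
	for _, f := range resp.Layer.Features {
		for _, v := range f.Vulnerabilities {
			counts[strings.ToLower(strings.TrimSpace(v.Severity))]++
			total++
		}
	}
	return counts, total
}

// AtOrAbove returns the vulnerabilities whose severity is >= threshold,
// i.e. what a CLAIR_OUTPUT=High style gate should be reporting on.
func AtOrAbove(resp clairLayerResponse, threshold string) []clairVulnerability {
	floor := rank(threshold)
	var out []clairVulnerability
	for _, f := range resp.Layer.Features {
		for _, v := range f.Vulnerabilities {
			if rank(v.Severity) >= floor {
				out = append(out, v)
			}
		}
	}
	return out
}

// Constructed sample in the shape of the trace above. Package names and the
// real CVE ids/versions are copied from it; the CVE-PLACEHOLDER entries and
// the severity pairing are invented for this example.
const sampleClairJSON = `{"Layer":{"Name":"58d5d7ce","Features":[
 {"Name":"openssl","Version":"1.0.1-4ubuntu5.10","Vulnerabilities":[
   {"Name":"CVE-2014-0195","Severity":"Medium","FixedBy":"1.0.1-4ubuntu5.14",
    "Metadata":{"NVD":{"CVSSv2":{"Score":6.8,"Vectors":"AV:N/AC:M/Au:N/C:P/I:P"}}}},
   {"Name":"CVE-2018-0737","Severity":"Low"},
   {"Name":"CVE-PLACEHOLDER-1","Severity":"high","FixedBy":"1.0.1-4ubuntu5.40"}]},
 {"Name":"util-linux","Version":"2.20.1-1ubuntu3.1","Vulnerabilities":[
   {"Name":"CVE-2014-9114","Severity":"Low"},
   {"Name":"CVE-PLACEHOLDER-2","Severity":"Critical"}]},
 {"Name":"hostname","Version":"3.06ubuntu1"}]}}`

// ParseSample decodes the embedded sample into the struct view above.
func ParseSample() (clairLayerResponse, error) {
	var resp clairLayerResponse
	err := json.Unmarshal([]byte(sampleClairJSON), &resp)
	return resp, err
}

func main() {
	resp, err := ParseSample()
	if err != nil {
		panic(err)
	}
	counts, total := CountBySeverity(resp)
	fmt.Printf("Found %d vulnerabilities\n", total)
	for _, s := range []string{"negligible", "low", "medium", "high", "critical"} {
		if counts[s] > 0 {
			fmt.Printf("%s: %d\n", strings.ToUpper(s[:1])+s[1:], counts[s])
		}
	}
	// Sanity check: per-level tallies must add up to the total, otherwise
	// some severity value was parsed into a bucket the summary never prints.
	summed := 0
	for _, n := range counts {
		summed += n
	}
	if summed != total {
		panic("severity tallies do not sum to total")
	}
	fmt.Printf("At or above High: %d\n", len(AtOrAbove(resp, "High")))
}
```

Running it on the sample prints the same style of summary as the non-JSON klar output above, and the sum check is the quick way to confirm that no severity level is being lost between the raw Clair response and the reported counts.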

hashmap commented 6 years ago

Would you mind checking version 2.1.0? Please let me know if the issue still exists. Thanks!

mikelnick commented 6 years ago

That did it @hashmap thanks!