quay / clair

Vulnerability Static Analysis for Containers
https://quay.github.io/clair/
Apache License 2.0

Clair does not find any vulns in RHEL. #311

Closed treezio closed 7 years ago

treezio commented 7 years ago

We are considering deploying a Quay registry if we can find a solution for this.

I've been tracking some issues, but I get lost between all those issues, commits and PRs (I'm a newbie on GitHub).

I got Clair deployed on Docker using the current master version, since it includes Alpine support, and when I launch the analyze-local-images binary I just get a message reporting a successful execution. This is impossible, since I checked the image using docker-openScap and it reports several CVEs.

jzelinskie commented 7 years ago

Are you finding vulnerabilities when you push the image to Quay.io? It's quite possible open-scap uses different resources to determine its vulnerabilities. We're depending on the upstream distributions to maintain their vulnerability databases. In the case of Alpine Linux, we use http://git.alpinelinux.org/cgit/alpine-secdb/

Quentin-M commented 7 years ago

You also have to wait for Clair to finish its initial update (see other issues).

treezio commented 7 years ago

Thanks for your quick replies, guys.

We don't have any Quay.io repository currently working; we are looking forward to integrating it if we can solve the RHEL images problem, though.

Also, I knew about the first vulnerability DB update.

Also, when updating I'm having some issues:

2017-01-30 04:13:10.652758 E | updater/fetchers/metadata_fetchers: could not decode NVD data feed '2008': EOF
2017-01-30 04:13:10.652809 E | updater: an error occured when loading metadata fetcher 'NVD': updater/fetchers: could not parse.

I face the same message every day, but with a different year's data feed; I guess this is related to some proxy/middleware problem.

In the first run I got:

2017-01-27 13:41:48.105930 E | updater/fetchers/metadata_fetchers: could not decode NVD data feed '2015': read tcp 172.17.0.2:38409->180.205.18.15:80: read: connection reset by peer

Then I get:

an error occured when loading metadata fetcher 'NVD': updater/fetchers: could not parse.

Anyway, I'm still not able to analyze RHEL images. Does Clair support RHEL-based images?

Quentin-M commented 7 years ago

Definitely a networking issue. Not much we can do on our side.

CentOS is supported. Never tested RHEL itself, would have to verify how the namespace and package parsers behave and potentially adjust.
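
The two conditions raised in this thread (the initial updater run must have completed, and Clair must map the image's OS to a namespace it has vulnerability data for) can be checked before an empty report is trusted. The script below is an added example written for this page; it is not code from the Clair project or from anyone in this thread. It assumes the Clair v1 `GET /v1/namespaces` endpoint and a `{"Namespaces": [{"Name": "..."}]}` response shape, the sample os-release text and namespace list are constructed, and the version-matching rule is a heuristic rather than Clair's own detector logic.

```python
"""Pre-flight check: is an empty Clair report evidence of anything?

Added example (not Clair project code). Given the /etc/os-release contents of
an image and the JSON body returned by Clair v1's GET /v1/namespaces, decide
whether a "no vulnerabilities found" result means "scanned against data" or
"Clair had nothing to compare against".
"""
import json
from typing import Dict, List, Tuple

# Constructed sample of a GET /v1/namespaces response after the updater has
# imported a few feeds. Field names are an assumption from the Clair v1 API;
# verify against your Clair version.
SAMPLE_NAMESPACES_JSON = json.dumps({
    "Namespaces": [
        {"Name": "centos:7"},
        {"Name": "debian:8"},
        {"Name": "alpine:v3.5"},
    ]
})

# Constructed /etc/os-release for a RHEL 7.3 base image.
SAMPLE_RHEL_OS_RELEASE = '''NAME="Red Hat Enterprise Linux Server"
VERSION="7.3 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="7.3"
'''


def parse_os_release(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines from an os-release file, dropping quotes."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"').strip("'")
    return fields


def known_namespaces(namespaces_json: str) -> List[Tuple[str, str]]:
    """Return (distro_id, version) pairs from a /v1/namespaces body."""
    body = json.loads(namespaces_json)
    pairs: List[Tuple[str, str]] = []
    for entry in body.get("Namespaces", []):
        name = entry.get("Name", "")
        if ":" not in name:
            continue
        distro, _, version = name.partition(":")
        pairs.append((distro, version))
    return pairs


def _version_matches(image_version: str, known_version: str) -> bool:
    """Heuristic (assumption): "7.3" matches "7", "3.5.0" matches "v3.5"."""
    img = image_version.lstrip("v")
    known = known_version.lstrip("v")
    return img == known or img.startswith(known + ".")


def assess_empty_report(os_release_text: str, namespaces_json: str) -> Dict[str, object]:
    """Classify why a scan might legitimately (or not) come back empty."""
    known = known_namespaces(namespaces_json)
    if not known:
        # No namespaces at all: the initial vulnerability import has not
        # populated the database yet, so every report is empty (assumption:
        # namespaces appear as their feeds are imported).
        return {"status": "updater_not_finished"}

    fields = parse_os_release(os_release_text)
    os_id = fields.get("ID")
    version = fields.get("VERSION_ID")
    if not os_id or not version:
        return {"status": "no_os_release"}

    detected = f"{os_id}:{version}"
    same_distro = [v for d, v in known if d == os_id]
    if not same_distro:
        # e.g. ID=rhel while Clair only knows centos:* namespaces.
        return {
            "status": "unsupported_distro",
            "detected": detected,
            "id_like": fields.get("ID_LIKE", ""),
            "known_ids": sorted({d for d, _ in known}),
        }
    for kv in same_distro:
        if _version_matches(version, kv):
            return {"status": "ok", "namespace": f"{os_id}:{kv}"}
    return {
        "status": "version_mismatch",
        "detected": detected,
        "known_versions": sorted(same_distro),
    }


if __name__ == "__main__":
    print(assess_empty_report(SAMPLE_RHEL_OS_RELEASE, SAMPLE_NAMESPACES_JSON))
```

Run it against the output of `curl -s http://<clair-host>:6060/v1/namespaces` and the image's `/etc/os-release`; any status other than `ok` means the empty report says nothing about the image, which is the situation described above for a RHEL image when only CentOS namespaces are populated.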

jzelinskie commented 7 years ago

Closing due to age. Please remake this issue if it's still relevant. Thanks.

ilackarms commented 7 years ago

Can anyone confirm whether Clair works on RHEL images?

treezio commented 7 years ago

Didn't work for me.

jzelinskie commented 7 years ago

Would you mind opening a new issue? RHEL definitely is working for numerous Clair installations and the logs in this issue are related to NVD metadata and not RHEL.