Open jbergstroem opened 1 year ago
I'm with the Wolfi team, and we'd be happy to help here however possible!
👋
We'd need to know what package manager is used and how/if it's different from other uses, and where the security advisories are published and in what format.
👋
We'd need to know what package manager is used and how/if it's different from other uses, and where the security advisories are published and in what format.
Hey! Thanks for the response! We use the apk
package manager (the same as Alpine) and publish a security feed, also in the same format as Alpine. The feed is available here: https://packages.wolfi.dev/os/security.json
I think the steps to take are:
apk
indexer out of the alpine
packagealpine
Updater machinery and create an instance for alpine
and wolfi
alpine
Matcher machinery and create an instance for alpine
and wolfi
I think the generic os-release
scanner should be good enough to get distro detection. I don't have the details of all these paged in at the moment, though.
Just noticed that /etc/issue
is missing from wolfi images so the distributionscanner needs to make this optional.
@hdonnay is there a reason to read version from /etc/issue
over extracting it from PRETTY_NAME
found in /etc/os-release
?
Relevant info: https://github.com/quay/claircore/blob/c5ea10095a545f29c92103ad02796e0459db57a3/alpine/testdata/3.16/etc/issue#L1 https://github.com/quay/claircore/blob/c5ea10095a545f29c92103ad02796e0459db57a3/alpine/testdata/3.16/etc/os-release#L4 https://github.com/quay/claircore/blob/c5ea10095a545f29c92103ad02796e0459db57a3/alpine/distributionscanner.go#L41
At least all the test data you have seem to cover using PRETTY_NAME
which means for the scope of this issue/modularizing distributionscanner
less changes are needed.
Hi! I'm with the Wolfi security team, and we just recently added more documentation for scanners wanting to implement support for Wolfi and the related "Chainguard distro". We've also added some test images for use in manual/automated tests in case that's valuable to you.
https://github.com/chainguard-dev/vulnerability-scanner-support
Also happy to field any questions that come up!
Also happy to list clair on this page when you're ready, let us know!
@hdonnay is there a reason to read version from /etc/issue over extracting it from PRETTY_NAME found in /etc/os-release?
Sorry for pinging you again but it would be good to get clarity on this before I move on! Thanks!
@jbergstroem I don't have context for Clair in particular, but this might help a little:
This section explains how scanners should identify the Wolfi/Chainguard distros. Definitely take a look at this! It's short.
tl;dr: Use /etc/os-release
to identify the distro. You should use the id
field to key off of, and you can use the pretty name for showing to users.
Do not use the version
data here! That's explained in the docs, too. 😃
You won't find an /etc/issue
.
@luhring thanks for the info; I already had a look! Since the idea is to reuse the same framework for Alpine and Wolfi, I wanted to double-check why we need to read both /etc/issue
and /etc/os-release
for Alpine before proceeding.
Wolfi is an operating system tailored for containers. Clair currently doesn't recognize it so I thought it'd make sense to track support.
Relevant info
The following examples are from the generated container
cgr.dev/chainguard/node:20
which is part of their automated builds.OS detection
Wolfi mentions using apk as a package manager. Here's an example of the installed list:
..which also seems to follow the
apk
package format.Should a PR abstract
alpine
intoapk
and support both OS'es but with different identifiers? Put differently: I'm new to modifying clair and its ecosystem. How should I proceed with a PR to see it merged?