Open mattaereal opened 1 week ago
I couldn't make clair work with any test case. I can't manage to get a working config.yaml file. It appears its schema has been updated and some keys deprecated. We'll have to create our own container with test cases and a working version of it.
This is the current documentation I created at README.md:
The documentation for clair is currently incomplete. The provided config.yaml file from their documentation site is no longer being accepted by clair and requires manual modification.
Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including OCI and docker).
Since clair scans containers, it is best to run it separately.
```bash
docker pull quay.io/projectquay/clair:4.7.4
# Alternatively you can try and pull latest but it did not work out for me
docker pull quay.io/projectquay/clair
# Download sample config (the raw file, not the GitHub "blob" HTML page)
mkdir -p /tmp/clair
wget -q https://raw.githubusercontent.com/quay/clair/main/config.yaml.sample \
  --output-document /tmp/clair/config.yaml
# Run clair
docker run -p 6060:6060 -p 6061:6061 \
  -v /tmp/clair:/clair/config \
  quay.io/projectquay/clair:4.7.4 -conf /clair/config/config.yaml -mode combo
```
One liner if you don't want a container:
```bash
sudo wget -qO /usr/local/bin/clair https://github.com/quay/clair/releases/download/v4.7.4/clairctl-linux-$(dpkg --print-architecture) \
  && sudo chmod +x /usr/local/bin/clair
```
I just did a POC using docker-compose to deploy the Falco suite (Engine, webui, sidekick, redis) and integrate it with our toolbox. https://github.com/theredguild/container-sec-tools/pull/28
clair is now working from within the container
```
wanderer@9973394f367e /workspace $ clair report ubuntu
ubuntu found libgcrypt20 1.10.3-2build1 CVE-2024-2236 on Ubuntu 24.04 LTS (noble) - medium
ubuntu found libssl3t64 3.0.13-0ubuntu3.4 CVE-2024-41996 on Ubuntu 24.04 LTS (noble) - low
ubuntu found coreutils 9.4-3ubuntu6 CVE-2016-2781 on Ubuntu 24.04 LTS (noble) - low
ubuntu found gpgv 2.4.4-2ubuntu17 CVE-2022-3219 on Ubuntu 24.04 LTS (noble) - low
ubuntu found libc-bin 2.39-0ubuntu8.3 CVE-2016-20013 on Ubuntu 24.04 LTS (noble) - negligible
ubuntu found libc6 2.39-0ubuntu8.3 CVE-2016-20013 on Ubuntu 24.04 LTS (noble) - negligible
```
clair, falco and sast-scan are the three tools that make the most sense to have separately. Given their complexity or their nature, they need to be run locally or separately.
In the case of falco and clair, they need to be able to interact with the host os. And sast-scan has a LOT of tools similar to the ones that we have on the main container, even some overlap, so it's like a bonus.