Contents

  • Purpose
  • Installing clair
  • Scanning images with clair
    • Usage
    • Scanning with klar packaged as a docker image
    • Running the image as a drone plugin

Purpose

Run image scans against the images held in an image registry and generate a report.

Installing clair

Operating system: ubuntu 18.06
docker: 18.06.3
docker-compose: docker-compose version 1.25.5, build 8a1c60f6

Open the clair project on github.
Start clair with docker-compose; download the clair docker-compose configuration:

$ curl -L https://raw.githubusercontent.com/coreos/clair/master/docker-compose.yaml.sample -o $PWD/docker-compose.yaml
$ mkdir $PWD/clair_config
$ curl -L https://raw.githubusercontent.com/coreos/clair/master/config.yaml.sample -o $PWD/clair_config/config.yaml

After the download the configuration looks like this:

/clair$ tree
.
├── clair_config
│   └── config.yaml
└── docker-compose.yaml

1 directory, 2 files
/clair$ cat docker-compose.yaml
version: '3.8'
services:
  clair:
    image: quay.io/coreos/clair:latest
    command: -config=/config/config.yaml
    ports:
      - "6060:6060"
      - "6061:6061"
    depends_on:
      - clairdb
    volumes:
      - type: bind
        source: $PWD/clair_config
        target: /config
    networks:
      - clairnet
    restart: on-failure
    extra_hosts:
      - "yourharbor1.com:192.168.1.100"
      - "yourharbor2.com:192.168.1.101"
  clairdb:
    image: postgres:9.6
    networks:
      - clairnet
    environment:
      - POSTGRES_HOST_AUTH_METHOD=trust
networks:
  clairnet:
    driver: bridge

Start it. This pulls the images; wait for the download to finish and the containers to come up:

$ docker-compose -f docker-compose.yaml up -d

After startup, running docker logs on the clair container shows it automatically downloading data from the vulnerability databases.

Check clair's health status:

$ curl -X  GET -I http://clair.ip:6061/health
HTTP/1.1 200 OK
Server: clair
Date: Tue, 02 Jun 2020 09:39:46 GMT
Content-Length: 0

To scan a private image registry, add --insecure-tls to clair's startup arguments:

services:
  clair:
    image: quay.io/coreos/clair:latest
    command: [-config=/config/config.yaml, --insecure-tls]

Scanning images with clair

klar is a tool that integrates clair with an image registry:

Integration of Clair and Docker Registry

Download the latest version from the releases page and put it on your PATH; this section uses version 2.4.0.

Parameters supported by klar:

Usage

Klar process returns 0 if the number of detected high severity vulnerabilities in an image is less than or equal to a threshold (see below) and 1 if there were more. It will return 2 if an error has prevented the image from being analyzed.

Klar can be configured via the following environment variables:

  • CLAIR_ADDR - address of Clair server. It has a form of protocol://host:port - protocol and port default to http and 6060 respectively and may be omitted. You can also specify basic authentication in the URL: protocol://login:password@host:port.

  • CLAIR_OUTPUT - severity level threshold, vulnerabilities with severity level higher than or equal to this threshold
    will be outputted. Supported levels are Unknown, Negligible, Low, Medium, High, Critical, Defcon1.
    Default is Unknown.

  • CLAIR_THRESHOLD - how many outputted vulnerabilities Klar can tolerate before returning 1. Default is 0.

  • CLAIR_TIMEOUT - timeout in minutes before Klar cancels the image scanning. Default is 1

  • DOCKER_USER - Docker registry account name.

  • DOCKER_PASSWORD - Docker registry account password.

  • DOCKER_TOKEN - Docker registry account token. (Can be used in place of DOCKER_USER and DOCKER_PASSWORD)

  • DOCKER_INSECURE - Allow Klar to access registries with bad SSL certificates. Default is false. Clair will
    need to be booted with -insecure-tls for this to work.

  • DOCKER_TIMEOUT - timeout in minutes when trying to fetch layers from a docker registry

  • DOCKER_PLATFORM_OS - The operating system of the Docker image. Default is linux. This only needs to be set if the image specified references a Docker ManifestList instead of a usual manifest.

  • DOCKER_PLATFORM_ARCH - The architecture the Docker image is optimized for. Default is amd64. This only needs to be set if the image specified references a Docker ManifestList instead of a usual manifest.

  • REGISTRY_INSECURE - Allow Klar to access insecure registries (HTTP only). Default is false.

  • JSON_OUTPUT - Output JSON, not plain text. Default is false.

  • FORMAT_OUTPUT - Output format of the vulnerabilities. Supported formats are standard, json, table. Default is standard. If JSON_OUTPUT is set to true, this option is ignored.

  • WHITELIST_FILE - Path to the YAML file with the CVE whitelist. Look at whitelist-example.yaml for the file format.

  • IGNORE_UNFIXED - Do not count vulnerabilities without a fix towards the threshold

Usage:

CLAIR_ADDR=localhost CLAIR_OUTPUT=High CLAIR_THRESHOLD=10 DOCKER_USER=docker DOCKER_PASSWORD=secret klar postgres:9.5.1

Run the scan:

$ CLAIR_OUTPUT=Unknown FORMAT_OUTPUT=standard  CLAIR_ADDR=http://clair.ip:6060 DOCKER_USER=admin DOCKER_PASSWORD=secret  REGISTRY_INSECURE=TRUE klar yourharbor1.com/spinnaker/gcr.io/spinnaker-marketplace/deck:2.1.0-20180221143146
clair timeout 1m0s
docker timeout: 1m0s
no whitelist file
Analysing 4 layers
Got results from Clair API v1
Found 224 vulnerabilities
Unknown: 99
Negligible: 84
Low: 41

CVE-2018-16868: [Unknown]
Found in: gnutls28 [3.5.8-5+deb9u3]
Fixed By:
A Bleichenbacher type side-channel based padding oracle attack was found in the way gnutls handles verification of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run process on the same physical core as the victim process, could use this to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.
https://security-tracker.debian.org/tracker/CVE-2018-16868
-----------------------------------------
CVE-2018-10845: [Unknown]
Found in: gnutls28 [3.5.8-5+deb9u3]
Fixed By: 3.5.8-5+deb9u4
It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets.
https://security-tracker.debian.org/tracker/CVE-2018-10845
-----------------------------------------
CVE-2018-10846: [Unknown]
Found in: gnutls28 [3.5.8-5+deb9u3]
Fixed By: 3.5.8-5+deb9u4
A cache-based side channel in GnuTLS implementation that leads to plain text recovery in cross-VM attack setting was found. An attacker could use a combination of "Just in Time" Prime+probe attack in combination with Lucky-13 attack to recover plain text using crafted packets.
https://security-tracker.debian.org/tracker/CVE-2018-10846
-----------------------------------------
CVE-2018-10844: [Unknown]
Found in: gnutls28 [3.5.8-5+deb9u3]
Fixed By: 3.5.8-5+deb9u4
It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets.
https://security-tracker.debian.org/tracker/CVE-2018-10844
-----------------------------------------
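The klar parameters listed above (CLAIR_OUTPUT, CLAIR_THRESHOLD, IGNORE_UNFIXED) and the standard output format shown in the scan above can be worked through offline. The script below is an added example, not code from the original post or from the klar or Clair projects: it parses klar's standard output into a structured report, which is what the stated purpose of generating a report needs, and reproduces the exit-code rule from klar's usage text so a gate setting can be checked before it goes into a pipeline. The sample output is constructed: the first entry is abridged from the scan above, while the CVE-0000-* ids, the examplepkg package and their severities are placeholders.

```python
"""Added example (not from the original post, nor klar's or Clair's own code): parse
klar 'standard' output into a report and apply its CLAIR_OUTPUT / CLAIR_THRESHOLD /
IGNORE_UNFIXED rules offline, so a gate can be checked without a running Clair."""
import json
import re
from dataclasses import asdict, dataclass, field

SEVERITIES = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]  # lowest first
HEADER_RE = re.compile(r"^(\S+): \[(\w+)\]$")            # "CVE-2018-10845: [Unknown]"
FOUND_RE = re.compile(r"^Found in: (\S+) \[([^\]]*)\]$")  # "Found in: gnutls28 [3.5.8-5+deb9u3]"
FIXED_RE = re.compile(r"^Fixed By:\s*(.*)$")               # group is "" when no fix exists
TOTAL_RE = re.compile(r"^Found (\d+) vulnerabilities$")
COUNT_RE = re.compile(r"^(\w+): (\d+)$")                   # "Low: 41"
SEPARATOR = "-----------------------------------------"

@dataclass
class Vuln:
    cve: str
    severity: str
    package: str
    version: str
    fixed_by: str  # "" when klar printed "Fixed By:" with nothing after it
    description: str
    url: str

@dataclass
class Report:
    total: int = 0
    counts: dict = field(default_factory=dict)  # per-severity totals from the preamble
    vulns: list = field(default_factory=list)

def parse_klar_output(text):
    report, lines, i = Report(), text.splitlines(), 0
    while i < len(lines) and not HEADER_RE.match(lines[i]):  # preamble before the first entry
        line = lines[i].strip()
        m = TOTAL_RE.match(line)
        if m:
            report.total = int(m.group(1))
        m = COUNT_RE.match(line)
        if m and m.group(1) in SEVERITIES:
            report.counts[m.group(1)] = int(m.group(2))
        i += 1
    block = []  # one block per vulnerability, each closed by a dashed separator
    for line in lines[i:]:
        if line.strip() == SEPARATOR:
            if block:
                report.vulns.append(_parse_block(block))
            block = []
        elif line.strip():
            block.append(line.rstrip())
    return report

def _parse_block(block):
    cve, severity = HEADER_RE.match(block[0]).groups()
    package, version = FOUND_RE.match(block[1]).groups()
    fixed_by = FIXED_RE.match(block[2]).group(1).strip()
    url = block[-1] if block[-1].startswith("http") else ""
    body = block[3:-1] if url else block[3:]  # description may span several lines
    return Vuln(cve, severity, package, version, fixed_by, " ".join(body), url)

def gate(report, clair_output="Unknown", threshold=0, ignore_unfixed=False):
    """(exit_code, counted): entries at or above CLAIR_OUTPUT count, IGNORE_UNFIXED drops
    entries with no fix, exit 1 when the count exceeds CLAIR_THRESHOLD, else 0."""
    floor = SEVERITIES.index(clair_output)
    counted = [v for v in report.vulns if SEVERITIES.index(v.severity) >= floor
               and not (ignore_unfixed and not v.fixed_by)]
    return (1 if len(counted) > threshold else 0), counted

# Constructed sample in klar's standard format: the first entry is abridged from the
# scan above; CVE-0000-* and examplepkg are placeholders with made-up severities.
SAMPLE = """\
Found 3 vulnerabilities
Unknown: 1
Low: 1
High: 1

CVE-2018-16868: [Unknown]
Found in: gnutls28 [3.5.8-5+deb9u3]
Fixed By:
A Bleichenbacher type side-channel based padding oracle attack was found in gnutls.
https://security-tracker.debian.org/tracker/CVE-2018-16868
-----------------------------------------
CVE-0000-00001: [Low]
Found in: examplepkg [1.0-1]
Fixed By:
Placeholder entry (constructed) with no fix available.
https://example.invalid/CVE-0000-00001
-----------------------------------------
CVE-0000-00002: [High]
Found in: examplepkg [1.0-1]
Fixed By: 1.0-2
Placeholder entry (constructed) with a fix available.
https://example.invalid/CVE-0000-00002
-----------------------------------------
"""

if __name__ == "__main__":
    rep = parse_klar_output(SAMPLE)
    print(json.dumps(asdict(rep), indent=2), "gate exit code:", gate(rep, clair_output="High")[0])
```

Run as a script it prints the JSON report and the exit code for CLAIR_OUTPUT=High. On this sample gate(rep, threshold=1000) returns 0, which is the effect a CLAIR_THRESHOLD larger than the number of reported vulnerabilities has (the drone pipeline later on this page uses 1000 against a scan that finds 224): the step cannot fail on findings, only on a scan error.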

Scanning with klar packaged as a docker image

Write a Dockerfile and build it into an image:

$ cat Dockerfile
FROM alpine:latest
ADD https://github.com/optiopay/klar/releases/latest/download/klar-2.4.0-linux-amd64 /bin/klar
RUN chmod +x /bin/klar
ENTRYPOINT ["/bin/klar"]
$ docker build -t klar:v1 .
Sending build context to Docker daemon  5.632kB
Step 1/4 : FROM alpine:latest
 ---> f70734b6a266
Step 2/4 : ADD https://github.com/optiopay/klar/releases/latest/download/klar-2.4.0-linux-amd64 /bin/klar
Downloading [==================================================>]  12.73MB/12.73MB
 ---> 1bea7444e074
Step 3/4 : RUN chmod +x /bin/klar
 ---> Running in 050ea7efe3dd
Removing intermediate container 050ea7efe3dd
 ---> 20f38deaf4a4
Step 4/4 : ENTRYPOINT ["/bin/klar"]
 ---> Running in f6efdfa2c857
Removing intermediate container f6efdfa2c857
 ---> c70890393ef1
Successfully built c70890393ef1
Successfully tagged klar:v1

Run the scan using the image:

$ cat env
CLAIR_OUTPUT=Unknown
FORMAT_OUTPUT=standard
CLAIR_ADDR=http://clair.ip:6060
DOCKER_USER=admin
DOCKER_PASSWORD=secret
REGISTRY_INSECURE=TRUE
$ docker run --rm --add-host yourharbor1.com:192.168.100.1 --env-file env  klar:v1 yourharbor1.com/spinnaker/gcr.io/spinnaker-marketplace/deck:2.1.0-20180221143146
clair timeout 1m0s
docker timeout: 1m0s
no whitelist file
Analysing 4 layers
Got results from Clair API v1
Found 224 vulnerabilities
Unknown: 99
Negligible: 84
Low: 41

CVE-2019-12900: [Unknown]
Found in: bzip2 [1.0.6-8.1]
Fixed By:
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
https://security-tracker.debian.org/tracker/CVE-2019-12900
-----------------------------------------
CVE-2019-3462: [Unknown]
Found in: apt [1.4.8]
Fixed By: 1.4.9
Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.
https://security-tracker.debian.org/tracker/CVE-2019-3462
-----------------------------------------

Running the image as a drone plugin

drone version:

$ drone --version
drone version 1.2.1

Configure drone.yml:

$ cat .drone.yml
kind: pipeline
type: docker
name: default

workspace:
  base: /work
  path: src

steps:
  - name: scan
    image: klar:v1
    environment:
      CLAIR_OUTPUT: Unknown
      FORMAT_OUTPUT: standard
      CLAIR_ADDR: http://clair.ip:6060
      DOCKER_USER: admin
      DOCKER_PASSWORD: secret
      REGISTRY_INSECURE: TRUE
      CLAIR_THRESHOLD: 1000
    commands:
      - /bin/klar yourharbor1.com/spinnaker/gcr.io/spinnaker-marketplace/deck:2.1.0-20180221143146
    extra_hosts:
      - yourharbor1.com:192.168.100.1

Run it with drone:

$ drone exec --trusted
[scan:0] + /bin/klar harbor.raginghot.com.cn/spinnaker/gcr.io/spinnaker-marketplace/deck:2.1.0-20180221143146
[scan:1] clair timeout 1m0s
[scan:2] docker timeout: 1m0s
[scan:3] no whitelist file
[scan:4] Analysing 4 layers
[scan:5] Got results from Clair API v1
[scan:6] Found 224 vulnerabilities
[scan:7] Unknown: 99
[scan:8] Negligible: 84
[scan:9] Low: 41
[scan:10]
[scan:11] CVE-2018-16869: [Unknown]
[scan:12] Found in: nettle [3.3-1]
[scan:13] Fixed By:
[scan:14] A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.
[scan:15] https://security-tracker.debian.org/tracker/CVE-2018-16869
[scan:16] -----------------------------------------
[scan:17] CVE-2018-16868: [Unknown]
[scan:18] Found in: gnutls28 [3.5.8-5+deb9u3]
[scan:19] Fixed By:
[scan:20] A Bleichenbacher type side-channel based padding oracle attack was found in the way gnutls handles verification of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run process on the same physical core as the victim process, could use this to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.
[scan:21] https://security-tracker.debian.org/tracker/CVE-2018-16868
[scan:22] -----------------------------------------
[scan:23] CVE-2018-10845: [Unknown]
[scan:24] Found in: gnutls28 [3.5.8-5+deb9u3]
[scan:25] Fixed By: 3.5.8-5+deb9u4
[scan:26] It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets.
[scan:27] https://security-tracker.debian.org/tracker/CVE-2018-10845
[scan:28] -----------------------------------------
