
Make whitelisting more specific: use image namespaces and package names

Open mirekphd opened this issue 6 years ago • 5 comments

String search in whitelist yaml files should be made more specific, notably it should not ignore package names and should allow for specific images rather than only the official ones (with omitted repo name). Both of these problems affect security in a negative way, making the whitelist unnecessarily general.

  1. Currently the whitelisting code searches over yaml keys only (values can be wrong or deleted), which means that vulnerability permissions are unnecessarily general (in any library rather than in a specific one):

These two yaml files correctly whitelist CVE-2019-18224:

generalwhitelist:
  CVE-1234-00000: anylib
images:
  redis:
    CVE-2019-18224: anylib

generalwhitelist:
  CVE-1234-00000: anylib
images:
  redis:
    CVE-2019-18224:

  2. Currently the whitelist code accepts only a single word, assuming it is an image name (not a repo/image [note that repo/image:tag would be impossible for reasons in point 3.]).

This yaml file incorrectly does not whitelist CVE-2019-18224 in bitnami/redis:5.0:

generalwhitelist:
  CVE-1234-00000: anylib
images:
  bitnami/redis:
    CVE-2019-18224:

Only this yaml file correctly whitelists CVE-2019-18224, but unfortunately in all images from all namespaces, which again makes the whitelist too general ([library/]redis, bitnami/redis, mydogsrepo/redis)

generalwhitelist:
  CVE-1234-00000: anylib
images:
  redis:
    CVE-2019-18224:

  3. The current design of yaml files will not be able to cope with image tags, because colons cannot be used in key names (and could not be used in values either, even surrounded by quotes, at least from my experience with Openshift parsing of yaml files).

mirekphd avatar Dec 12 '19 09:12 mirekphd

Related issues: https://github.com/arminc/clair-scanner/issues/74 (@Doqnach) https://github.com/arminc/clair-scanner/issues/14 (@justingood)

mirekphd avatar Dec 12 '19 09:12 mirekphd

Hi @mirekphd

I would like to work on this problem. I began to use clair-scanner today and I use a private repo. I have already solved the problem with port and context in scanner.go, but you still need to put only a single word in the whitelist (the solution removes the namespace too). I did it this way because I don't want to change the whitelist layout yet.

To really solve this, I think that we can use more sub fields in the file, like:

images:
  bitnami:
    redis:
      3.7:
        CVE-2019-18224:

or we can change to accept namespace/name:

images:
  bitnami/redis:
      3.7:
        CVE-2019-18224:

What do you think?

dcna-dev avatar Dec 30 '19 21:12 dcna-dev

To really solve this, I think that we can use more sub fields in the file

I think a robust solution requires predictable key names, like they do perfectly in Kubernetes/Openshift or (slightly less robustly) in docker-compose yaml files - by expanding the same key: value structure multiple times.

Some examples:

  • Kubernetes:

apiVersion: v1
kind: Pod
metadata:
  name: two-containers
spec:
  containers:
    - name: nginx-container
      image: nginx
    - name: debian-container
      image: debian

  • Docker Compose:

services:
  postgres:
    container_name: clair_postgres
    image: bitnami/postgresql:9.6
  clair:
    container_name: clair_clair
    image: quay.io/coreos/clair:v2.1.2
    depends_on:
      - postgres

mirekphd avatar Jan 01 '20 11:01 mirekphd

I think redesigning the whitelist makes sense. It should at least allow for the following things:

  • General whitelist, it always applies to all
  • Any image name/repo combination
  • Image versions
  • Full name as regexp should be supported

An example could be:

general: #Used to whitelist cve for any image
  - cve: CVE-1234-00000
    lib: specific lib #Optional, if not provided apply to all
images: #Whitelist cve for a specific image
  - name: some/image
    tags: #Optional, if not provided apply to all
      - 1.1
      - 1.2
      - 2.* #Use regex
    cves: #Whitelisted cves
      - name: CVE-1234-00000
        lib: specific lib #Optional, if not provided apply to all  --- Maybe this is not necessary
repository: #Whitelist cve for a specific repository
  - repo: private.repo.com
    cves:
      - name: CVE-1234-00000
        lib: specific lib #Optional, if not provided apply to all  --- Maybe this is not necessary

arminc avatar Jan 07 '20 11:01 arminc
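A matcher for the `general` / `images` layout proposed above, added here as an example and not clair-scanner's own code; the type names, the anchored-regex tag matching and the treatment of a missing tag as "latest" are my assumptions (the `repository` section is left out).

```go
package main

import (
	"regexp"
	"strings"
)

// Types mirror the proposed layout (constructed for this example, not clair-scanner's own code).
type CVEEntry struct{ Name, Lib string } // Lib == "" means any package
type ImageEntry struct {
	Name string   // full namespace/name, e.g. bitnami/redis (distinct from plain redis)
	Tags []string // regex patterns; empty means any tag
	CVEs []CVEEntry
}
type Whitelist struct {
	General []CVEEntry
	Images  []ImageEntry
}

func cveMatches(entries []CVEEntry, cve, lib string) bool {
	for _, e := range entries {
		if e.Name == cve && (e.Lib == "" || e.Lib == lib) {
			return true
		}
	}
	return false
}

func tagMatches(patterns []string, tag string) bool {
	for _, p := range patterns {
		// anchored, so "2.*" matches "2.1" but not "12.0"
		if re, err := regexp.Compile("^(?:" + p + ")$"); err == nil && re.MatchString(tag) {
			return true
		}
	}
	return len(patterns) == 0
}

// IsWhitelisted decides for a "namespace/name:tag" reference (assumed default tag "latest")
// whether cve in package lib may be ignored; the image name must match in full.
func IsWhitelisted(wl Whitelist, ref, cve, lib string) bool {
	name, tag := ref, "latest"
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		name, tag = ref[:i], ref[i+1:]
	}
	ok := cveMatches(wl.General, cve, lib)
	for _, img := range wl.Images {
		ok = ok || (img.Name == name && tagMatches(img.Tags, tag) && cveMatches(img.CVEs, cve, lib))
	}
	return ok
}
```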

Excellent design, but I'd start by copying Kubernetes format, where a single image key covers all possible variations, with or without registry or tag, and add only one optional key: lib.

whitelist:
    - name: clair
      image: quay.io/coreos/clair:v2.1
      image: docker.io/mirekphd/clair
      image: arminc/clair
      cve: CVE-1234-00000
      cve: CVE-1234-00001
      lib: apt
      lib: ssh

mirekphd avatar Jan 18 '20 17:01 mirekphd