clairctl icon indicating copy to clipboard operation
clairctl copied to clipboard

Published 20 hours ago verified publisher icon jgsqware

clairctl analyse finds vulnerabilities but generated reports is empty

Open frezbo opened this issue 7 years ago • 2 comments 

[technoman@technoman openssl_mod]$ $GOPATH/bin/clairctl analyze --local test

Image: /test:latest
 6 layers found
 
  ➜ Analysis [6abfdb537f90] found 1 vulnerabilities.
  ➜ Analysis [7474b11b9d82] found 1 vulnerabilities.
  ➜ Analysis [6648ba9ac357] found 1 vulnerabilities.
  ➜ Analysis [5ea7935d4b60] found 1 vulnerabilities.
  ➜ Analysis [dfa0bdb07945] found 0 vulnerabilities.
  ➜ Analysis [8866d07828be] found 0 vulnerabilities.

[technoman@technoman openssl_mod]$ $GOPATH/bin/clairctl report --local test
HTML report at reports/html/analysis-test-latest.html
[technoman@technoman openssl_mod]$

Here's my Dockerfile

FROM centos
MAINTAINER Frezbo <[email protected]>
ENV OPENSSL_VERSION="1.0.2h"
#from https://github.com/openssl/openssl/pull/872/files
COPY no-des.patch /opt
RUN yum -y update \
### Install tool for compiling
&& yum -y install gcc \
&& yum -y install make \
&& yum -y install wget \
&& yum -y install tar \
&& yum -y install perl \
&& yum -y install git \
&& yum -y install patch \
&& yum clean all
## BUILD OpenSSL
RUN wget "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" -P /opt/ \
&& cd /opt/ \
&& tar xzf openssl-${OPENSSL_VERSION}.tar.gz \
&& rm -f openssl-${OPENSSL_VERSION}.tar.gz \
&& git clone https://github.com/cloudflare/sslconfig.git \
&& cd openssl-${OPENSSL_VERSION} \
&& patch -p1 < ../sslconfig/patches/openssl__chacha20_poly1305_draft_and_rfc_ossl102g.patch \
&& mv /opt/no-des.patch /opt/openssl-${OPENSSL_VERSION} \
&& patch -p1 crypto/cms/cms_kari.c < no-des.patch
RUN mkdir -p /hab/pkgs
RUN cd /opt/openssl-${OPENSSL_VERSION} \
&& ./config --prefix=/hab/pkgs no-ssl3 no-rc4 no-camellia no-seed no-comp no-srp no-psk no-idea no-des no-descbcm no-dh \
&& make depend \
&& make \
#&& make test \ #make test fails when des is disabled
&& make install \
&& rm -rf /opt/openssl-${OPENSSL_VERSION} /opt/sslconfig

Generated report https://drive.google.com/file/d/0B84ansxoO-VOcFV0THF4YXRMMFE/view?usp=sharing

frezbo avatar Mar 31 '17 11:03 frezbo

I thought this was an issue also, but I think what it is saying in the report is that there are no vulnerabilities in the running layer, make sense?

eg: ➜ Analysis [8866d07828be] found 0 vulnerabilities. has no vulnerabilities, so, I assume, if you ran the container, there would be no vulnerabilities, but I might be wrong.

I guess we can ask @jgsqware to clear this up for us :)

whiteadam avatar Apr 11 '17 00:04 whiteadam

@whiteadam I used Clair's official analyze-local-images tool and it exactly reported one vulnerability

frezbo avatar Apr 11 '17 02:04 frezbo