clairctl
clairctl analyze finds vulnerabilities but generated report is empty
[technoman@technoman openssl_mod]$ $GOPATH/bin/clairctl analyze --local test
Image: /test:latest
6 layers found
➜ Analysis [6abfdb537f90] found 1 vulnerabilities.
➜ Analysis [7474b11b9d82] found 1 vulnerabilities.
➜ Analysis [6648ba9ac357] found 1 vulnerabilities.
➜ Analysis [5ea7935d4b60] found 1 vulnerabilities.
➜ Analysis [dfa0bdb07945] found 0 vulnerabilities.
➜ Analysis [8866d07828be] found 0 vulnerabilities.
[technoman@technoman openssl_mod]$ $GOPATH/bin/clairctl report --local test
HTML report at reports/html/analysis-test-latest.html
[technoman@technoman openssl_mod]$
Here's my Dockerfile
FROM centos
MAINTAINER Frezbo <[email protected]>
ENV OPENSSL_VERSION="1.0.2h"
#from https://github.com/openssl/openssl/pull/872/files
COPY no-des.patch /opt
RUN yum -y update \
### Install tool for compiling
&& yum -y install gcc \
&& yum -y install make \
&& yum -y install wget \
&& yum -y install tar \
&& yum -y install perl \
&& yum -y install git \
&& yum -y install patch \
&& yum clean all
## BUILD OpenSSL
RUN wget "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" -P /opt/ \
&& cd /opt/ \
&& tar xzf openssl-${OPENSSL_VERSION}.tar.gz \
&& rm -f openssl-${OPENSSL_VERSION}.tar.gz \
&& git clone https://github.com/cloudflare/sslconfig.git \
&& cd openssl-${OPENSSL_VERSION} \
&& patch -p1 < ../sslconfig/patches/openssl__chacha20_poly1305_draft_and_rfc_ossl102g.patch \
&& mv /opt/no-des.patch /opt/openssl-${OPENSSL_VERSION} \
&& patch -p1 crypto/cms/cms_kari.c < no-des.patch
RUN mkdir -p /hab/pkgs
RUN cd /opt/openssl-${OPENSSL_VERSION} \
&& ./config --prefix=/hab/pkgs no-ssl3 no-rc4 no-camellia no-seed no-comp no-srp no-psk no-idea no-des no-descbcm no-dh \
&& make depend \
&& make \
#&& make test \ #make test fails when des is disabled
&& make install \
&& rm -rf /opt/openssl-${OPENSSL_VERSION} /opt/sslconfig
Generated report https://drive.google.com/file/d/0B84ansxoO-VOcFV0THF4YXRMMFE/view?usp=sharing
I thought this was an issue also, but I think what it is saying in the report is that there are no vulnerabilities in the running layer. Makes sense?
e.g. ➜ Analysis [8866d07828be] found 0 vulnerabilities.
has no vulnerabilities, so I assume that if you ran the container there would be no vulnerabilities, but I might be wrong.
I guess we can ask @jgsqware to clear this up for us :)
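The two readings discussed in this thread (the report shows only the final layer, or the report should cover every layer) can be checked against the numbers clairctl prints. The script below is an added example, not part of the issue or of clairctl itself: it parses the per-layer lines from the analyze output above, and classifies a report's finding count against both readings. It assumes nothing about clairctl's internals; in particular it treats per-layer counts as possibly overlapping (the same vulnerable package can be counted in several layers), so it uses the largest per-layer count, not the sum, as the lower bound on what an all-layer report must contain. The sample output is copied from the issue; the report counts passed to classify_report are constructed.

```python
import re
from collections import OrderedDict

# Sample input: the per-layer lines clairctl printed in the issue above.
SAMPLE_ANALYZE_OUTPUT = """\
Image: /test:latest
6 layers found
➜ Analysis [6abfdb537f90] found 1 vulnerabilities.
➜ Analysis [7474b11b9d82] found 1 vulnerabilities.
➜ Analysis [6648ba9ac357] found 1 vulnerabilities.
➜ Analysis [5ea7935d4b60] found 1 vulnerabilities.
➜ Analysis [dfa0bdb07945] found 0 vulnerabilities.
➜ Analysis [8866d07828be] found 0 vulnerabilities.
"""

# Matches the "Analysis [<layer>] found <n> vulnerabilit(y|ies)" lines.
LINE_RE = re.compile(
    r"Analysis \[(?P<layer>[0-9a-f]+)\] found (?P<count>\d+) vulnerabilit"
)


def parse_layer_counts(text):
    """Return {layer_id: count}, preserving the order clairctl printed the layers."""
    counts = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[m.group("layer")] = int(m.group("count"))
    return counts


def last_layer_findings(counts):
    """Count for the last layer listed (the 'running layer' reading from this thread)."""
    return list(counts.values())[-1] if counts else 0


def min_distinct_across_layers(counts):
    """Lower bound on distinct findings across all layers.

    Assumption (not a clairctl guarantee): per-layer counts may overlap, so the
    maximum, not the sum, is the safe lower bound for an all-layer report.
    """
    return max(counts.values()) if counts else 0


def classify_report(counts, report_findings):
    """Say which reading the generated report's finding count is consistent with.

    Returns one of: "no-findings", "all-layers", "final-layer-only", "partial".
    """
    floor = min_distinct_across_layers(counts)
    last = last_layer_findings(counts)
    if floor == 0 and report_findings == 0:
        return "no-findings"            # analyze and report agree: nothing found
    if report_findings >= floor:
        return "all-layers"             # report covers at least every layer's findings
    if report_findings == last:
        return "final-layer-only"       # report matches only the last layer's count
    return "partial"                    # report drops findings without a clear rule


if __name__ == "__main__":
    counts = parse_layer_counts(SAMPLE_ANALYZE_OUTPUT)
    for layer, n in counts.items():
        print(f"{layer}: {n}")
    # A report with 0 findings (constructed, as described in the issue) fits
    # the final-layer-only reading; one with >= 1 finding would fit all-layers.
    print("empty report:", classify_report(counts, 0))
    print("one-finding report:", classify_report(counts, 1))
```

Run it against a saved `clairctl analyze` log and the number of rows in the HTML report to see which reading the numbers support; a "partial" verdict is the case worth raising as a bug, since neither explanation accounts for it.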
@whiteadam I used Clair's official analyze-local-images tool and it reported exactly one vulnerability.