klar
klar copied to clipboard
optiopay
Not able to scan Private Registry
Help wanted:
First of all I want to say thank you for this tool.
I am using harbor with clair.
I have downloaded following two images from docker.
docker.io/golang 1.8.5-alpine3.6 6f99e0568c03 6 months ago 258 MB
docker.io/golang 1.8.4-jessie c43e4acbfaba 9 months ago 712 MB
then push to my LOCAL "Harbor Registry"
ns1.tcs-ally.tk/ocp-dev/golang 1.8.4-jessie c43e4acbfaba 9 months ago 712 MB
ns1.tcs-ally.tk/ocp-dev/golang 1.8.5-alpine3.6 6f99e0568c03 6 months ago 258 MB
if I do scan docker image able to get using "klar"
CLAIR_ADDR=http://ns1.tcs-ally.tk:6060 klar golang:1.8.4-jessie
but with private registry (Harbor)
[root@ns1 harbor]# CLAIR_ADDR=http://ns1.tcs-ally.tk:6060 klar ns1.tcs-ally.tk/ocp-dev/golang:1.8.4-jessie
Get error
Can't pull image: Get https://ns1.tcs-ally.tk/v2/ocp-dev/golang/manifests/1.8.4-jessie: dial tcp 10.90.1.78:443: getsockopt: connection refused
Note : I am able to download from private registry (Harbor)
[root@ns1 harbor]# docker pull ns1.tcs-ally.tk/ocp-dev/golang:1.8.4-jessie
Trying to pull repository ns1.tcs-ally.tk/ocp-dev/golang ...
1.8.4-jessie: Pulling from ns1.tcs-ally.tk/ocp-dev/golang
Digest: sha256:f6e019e3aa1280d36f1e3376ff2fe60c63b836852e977dceaf8be4bc34767e9c
Status: Downloaded newer image for ns1.tcs-ally.tk/ocp-dev/golang:1.8.4-jessie
[root@ns1 harbor]# docker images ns1.tcs-ally.tk/ocp-dev/golang
REPOSITORY TAG IMAGE ID CREATED SIZE
ns1.tcs-ally.tk/ocp-dev/golang 1.8.5-alpine3.6 6f99e0568c03 6 months ago 258 MB
ns1.tcs-ally.tk/ocp-dev/golang 1.8.4-jessie c43e4acbfaba 9 months ago 712 MB
Can you telnet or curl 10.90.1.78:443 from a machine with Klar? It seems that your private registry is unreachable. Also does it have HTTPS enabled?
If you look my post that I am able to download images from private registry that mean it's reachable.
And my private registry is insecured.
Same here, scan works ok for an image on docker hub, but not if I pull the image locally and give its ID to Klar or if I push the image to our private registry and try to scan it from there:
CASE1: With Docker hub => Works OK: KLAR_TRACE=true CLAIR_ADDR=localhost:6060 CLAIR_OUTPUT=High CLAIR_THRESHOLD=10 ./klar debian:latest
CASE2: Local image ID => it seems to look for the image ID on docker hub instead of locally and therefore can't find/pull it: KLAR_TRACE=true CLAIR_ADDR=localhost:6060 CLAIR_OUTPUT=High CLAIR_THRESHOLD=10 ./klar 9a5d7185d3a6 ----> HTTP REQUEST: GET /v2/library/9a5d7185d3a6/manifests/latest HTTP/1.1 Host: registry-1.docker.io
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"library/9a5d7185d3a6","Action":"pull"}]}]}
Can't pull fsLayers
CASE3: Image in private registry=> Same than case 2: it seems to look for it in docker hub and obviously end up with a 404: KLAR_TRACE=true CLAIR_ADDR=localhost:6060 CLAIR_OUTPUT=High CLAIR_THRESHOLD=10 ./klar priv-registry:443/debian:latest
----> HTTP REQUEST: GET /v2/library/priv-registry/manifests/443:debian:latest HTTP/1.1 Host: registry-1.docker.io
404 page not found
ImageV1 decode error Can't pull image: json: cannot unmarshal number into Go value of type docker.imageV1
I looked in the doc but did not find how to tell to Klar in which registry it should look for the image (public registry, local images or private registry).
@prasenforu I can just see that docker can pull images from the registry. It may or may not mean that 10.90.1.78:443 is reachable, it may be listening on port 80 only.
And my private registry is insecured.
Please try to set REGISTRY_INSECURE=true
@khba
CASE2 is not supported by Klar, it doesn't work with local images Klar is a simple tool to analyze images stored in a private or public Docker registry for security vulnerabilities using Clair
CASE3 for any registry you need to use the same name as you see in docker images, so port is not needed.
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
quay.io/coreos/clair-git latest 565aa423300b 7 months ago 423MB
postgres latest 599272bf538f 7 months ago 287MB
$ CLAIR_ADDR=localhost:6060 ./klar quay.io/coreos/clair-git
clair timeout 1m0s
docker timeout: 1m0s
no whitelist file
Analysing 16 layers
Failed to analyze using API v1: push image https://quay.io/v2/coreos/clair-git:latest to Clair failed: can't even read an error message: invalid character 'N' looking for beginning of value
Got results from Clair API v3
Found 2 vulnerabilities
Medium: 1
High: 1
CVE-2017-14166: [Medium]
Found in: libarchive [3.2.2-r2]
Fixed By: 3.3.1-r2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14166
-----------------------------------------
CVE-2017-1000158: [High]
Found in: python2 [2.7.13-r0]
Fixed By: 2.7.14-r0
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000158
-----------------------------------------
Thanks for answering, yes that's the name I have in docker images and that I've been using to push and pull images ever since:
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
priv-registry:443/apache-master INTEG 479e50153046 27 hours ago 127MB
quay.io/coreos/clair v2.0.4 a6cda8543e4c 2 days ago 445MB
postgres latest 730027eb9d78 10 days ago 236MB
debian latest 9a5d7185d3a6 2 weeks ago 101MB
priv-registry:443/debian latest 9a5d7185d3a6 2 weeks ago 101MB
The thing is with or without '443', we see that it is trying to send the request to pull the layer from docker hub instead of pulling it from the actual private registry: ---> HTTP REQUEST: GET /v2/priv-registry/debian/manifests/latest HTTP/1.1 Host: registry-1.docker.io
@khba port confuses Klar. You may want to try without port in image name. If it doesn't help we have a bug, need to investiagate
Is there a command to check if Klar can talk to the private registry ? Knowing that the host can talk to the same private registry and push/pull images from it.
I am no Go expert but his may be what's bothering Klar: the fact that my private registry name doesn't contain "localhost" nor "." , so it assumes it all part of the image name:
In docker/docker.go line 132 :
if part == "localhost" || strings.Contains(part, ".") {
// it's registry, let's check what's next =port of image name
Yup that's it, it works when I replace my registry name from "priv-registry" to "priv.registry" ! But this was just a test, not everyone can update registry names as they wish. Anyway thanks for this great tool !
Thanks !!
REGISTRY_INSECURE=true works for my issue.
But I have quick questions regarding scan ?
I am using Harbor (Private Registry) with Clair in build image scanner,
When I am checking vulnerability (scan) inside Harbor its showing different result (High 20) like below.
But when I am checking with your tool with SAME Clair its showing different result (High 87)
I assume they (Harbor) are using other tool to scan but both are using same database in clair.