claircore icon indicating copy to clipboard operation
claircore copied to clipboard

Published 20 hours ago verified publisher icon quay

Support wolfi / chainguard detection

Open jbergstroem opened this issue 1 year ago • 12 comments

Wolfi is an operating system tailored for containers. Clair currently doesn't recognize it so I thought it'd make sense to track support.

$ ./clair-scanner --ip 192.168.1.15 -c http://127.0.0.1:6060 cgr.dev/chainguard/node:20
2023/05/01 20:06:58 [INFO] ▶ Start clair-scanner
2023/05/01 20:07:00 [INFO] ▶ Server listening on port 9279
2023/05/01 20:07:00 [INFO] ▶ Analyzing c2b0d3cadf5af59393ce726798e315e7f56dc8c6d1e3ec55ce46cb6aab03c61a
2023/05/01 20:07:00 [CRIT] ▶ Could not analyze layer: Clair responded with a failure: Got response 422 with message {"Error":{"Message":"worker: OS and/or package manager are not supported"}}

Relevant info

The following examples are from the generated container cgr.dev/chainguard/node:20 which is part of their automated builds.

OS detection

 $ cat /etc/os-release
ID=wolfi
NAME="Wolfi"
PRETTY_NAME="Wolfi"
VERSION_ID="20230201"
HOME_URL="https://wolfi.dev"

Wolfi mentions using apk as a package manager. Here's an example of the installed list:

$ head -n 20 /lib/apk/db/installed
P:glibc-locale-posix
V:2.37-r6
A:x86_64
L:GPL-3.0-or-later
T:POSIX locale data for glibc
o:glibc
m:
U:
D:
p:
c:be767d33fb37b5dc6c42961efe0472f888976899
i:[]
t:-62135596800
S:73758
I:416967
k:0
C:Q1ODlpjBNlf5+8UVI1uHjwELzSof8=
F:usr
F:usr/lib
F:usr/lib/locale

..which also seems to follow the apk package format.

Should a PR abstract alpine into apk and support both OS'es but with different identifiers? Put differently: I'm new to modifying clair and its ecosystem. How should I proceed with a PR to see it merged?

jbergstroem avatar May 02 '23 02:05 jbergstroem

I'm with the Wolfi team, and we'd be happy to help here however possible!

dlorenc avatar May 02 '23 13:05 dlorenc

👋

We'd need to know what package manager is used and how/if it's different from other uses, and where the security advisories are published and in what format.

hdonnay avatar May 02 '23 14:05 hdonnay

👋

We'd need to know what package manager is used and how/if it's different from other uses, and where the security advisories are published and in what format.

Hey! Thanks for the response! We use the apk package manager (the same as Alpine) and publish a security feed, also in the same format as Alpine. The feed is available here: https://packages.wolfi.dev/os/security.json

dlorenc avatar May 02 '23 14:05 dlorenc

I think the steps to take are:

  • [ ] Split the apk indexer out of the alpine package
  • [ ] Modularize the alpine Updater machinery and create an instance for alpine and wolfi
  • [ ] Modularize the alpine Matcher machinery and create an instance for alpine and wolfi

I think the generic os-release scanner should be good enough to get distro detection. I don't have the details of all these paged in at the moment, though.

hdonnay avatar May 04 '23 19:05 hdonnay

Just noticed that /etc/issue is missing from wolfi images so the distributionscanner needs to make this optional.

jbergstroem avatar Sep 24 '23 16:09 jbergstroem

@hdonnay is there a reason to read version from /etc/issue over extracting it from PRETTY_NAME found in /etc/os-release?

Relevant info: https://github.com/quay/claircore/blob/c5ea10095a545f29c92103ad02796e0459db57a3/alpine/testdata/3.16/etc/issue#L1 https://github.com/quay/claircore/blob/c5ea10095a545f29c92103ad02796e0459db57a3/alpine/testdata/3.16/etc/os-release#L4 https://github.com/quay/claircore/blob/c5ea10095a545f29c92103ad02796e0459db57a3/alpine/distributionscanner.go#L41

At least all the test data you have seem to cover using PRETTY_NAME which means for the scope of this issue/modularizing distributionscanner less changes are needed.

jbergstroem avatar Sep 24 '23 19:09 jbergstroem

Hi! I'm with the Wolfi security team, and we just recently added more documentation for scanners wanting to implement support for Wolfi and the related "Chainguard distro". We've also added some test images for use in manual/automated tests in case that's valuable to you.

https://github.com/chainguard-dev/vulnerability-scanner-support

Also happy to field any questions that come up!

luhring avatar Oct 02 '23 19:10 luhring

Also happy to list clair on this page when you're ready, let us know!

https://www.chainguard.dev/scanners

amdawson avatar Oct 02 '23 19:10 amdawson

@hdonnay is there a reason to read version from /etc/issue over extracting it from PRETTY_NAME found in /etc/os-release?

Sorry for pinging you again but it would be good to get clarity on this before I move on! Thanks!

jbergstroem avatar Oct 03 '23 12:10 jbergstroem

@jbergstroem I don't have context for Clair in particular, but this might help a little:

This section explains how scanners should identify the Wolfi/Chainguard distros. Definitely take a look at this! It's short.

tl;dr: Use /etc/os-release to identify the distro. You should use the id field to key off of, and you can use the pretty name for showing to users.

Do not use the version data here! That's explained in the docs, too. 😃

You won't find an /etc/issue.

luhring avatar Oct 03 '23 13:10 luhring

@luhring thanks for the info; I already had a look! Since the idea is to reuse the same framework for Alpine and Wolfi, I wanted to double-check why we need to read both /etc/issue and /etc/os-release for Alpine before proceeding.

jbergstroem avatar Oct 03 '23 13:10 jbergstroem

JFYI since the discussion above @luhring put together this excellent resource on adding scanner support for our images: https://github.com/chainguard-dev/vulnerability-scanner-support

mattmoor avatar Jul 16 '24 21:07 mattmoor