-
Notifications
You must be signed in to change notification settings - Fork 138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enhancement: get vulnerabilities by image's non-empty top layer #7
Conversation
Thanks @supereagle I'm testing it |
Do you have a (public) example of an image with vulnerabilities? Your version always says |
Do you clean up your postgres? If you use an old postgres, maybe the relationship between layers stored in it is not correct. As the current version depends on these relationships to ensure that the vulnerabilities can be got by non-empty top layer. |
You can have a try on the public image |
@hashmap Have you tested again? |
Hi Alexey Miroshkin,
I have explained your test results in my comments.
Have you tested this PR again?
…________________________________
发件人: Alexey Miroshkin <notifications@github.com>
发送时间: 2016年11月9日 19:43
收件人: optiopay/klar
抄送: Robin Yue; Mention
主题: Re: [optiopay/klar] enhancement: get vulnerabilities by image's non-empty top layer (#7)
Do you have a (public) example of an image with vulnerabilities? Your version always says Found 0 vulnerabilities, perhaps the current version gives false alarms.
―
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#7 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ADO7fRwGHo1gTzW81SL5hwLXew7l_qDNks5q8bHggaJpZM4KqRgi>.
|
var vs []Vulnerability | ||
for i := range image.FsLayers { | ||
for i := layerLength - 1; i >= 0; i-- { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought you want to analyze just the top level, in code I see that empty layers a filtered out and we reversed the direction of iteration. Did I miss something?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
filterEmptyLayers() just filters the empty layters, not reverses the layer order.
if index > 0 { | ||
parentName = image.FsLayers[index-1].BlobSum | ||
if index < len(image.FsLayers)-1 { | ||
parentName = image.FsLayers[index+1].BlobSum |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We reversed the loop, but layers are still stored in the original order, why we take upper layer as a parent?
vs, err := c.analyzeLayer(image.FsLayers[0]) | ||
if err != nil { | ||
fmt.Printf("Analyse image %s/%s:%s failed: %s", image.Registry, image.Name, image.Tag, err.Error()) | ||
return nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Clair sometimes returns error, not sure we should stop in this case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The GET layer API will be called only once with the the top layer as it is out of loop. If it has error, should return with no vulnerability.
return vs | ||
} | ||
|
||
func (c *Clair) analyzeLayer(layer *layer) (*[]Vulnerability, error) { | ||
url := fmt.Sprintf("%s/v1/layers/%s?vulnerabilities", c.url, layer.Name) | ||
func (c *Clair) analyzeLayer(layer docker.FsLayer) ([]Vulnerability, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The idea was to work with Clair layers here, not with Docker ones, any reason to break this encapsulation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They are the same, as both of them are for the layer id. The vulnerabilities can be got by image top layer, which can be directly got by image.FsLayers[0], so use Docker layer instead.
@@ -131,7 +153,7 @@ func (c *Clair) analyzeLayer(layer *layer) (*[]Vulnerability, error) { | |||
vs = append(vs, v) | |||
} | |||
} | |||
return &vs, nil | |||
return vs, nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like this change, thanks
Cool, thanks for your efforts! The only question from my side why do you need to reverse order while pushing layers to Clair? |
The revered order is the order from parents to children. image.FsLayers[n-1] is the child layer, and image.FsLayers[n] is the parent layer. |
Could you point me to the spec which defines the order of layers for pull? For some reason I thought that order is different, but could not find any specs now. |
Take And its manifest is:
Compare its dockerfile and manifest, you will find just two non-empty layers(d685e39ac8a4ccea462d489b503f9de952f0b8c7a0b0a0548f7a5c20b272668b, 386dc9762af975db201ed66aebd3f8b5f2c24389db4744d54ec47667dcdae26a) for two |
@hashmap Any points still not clear? |
@hashmap I have finished the enhancement. PTAL, thanks.
Fix #6