Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhancement: get vulnerabilities by image's non-empty top layer #7

Merged
merged 1 commit into from
Dec 19, 2016
Merged

Enhancement: get vulnerabilities by image's non-empty top layer #7

merged 1 commit into from
Dec 19, 2016

Conversation

supereagle
Copy link
Contributor

@supereagle supereagle commented Nov 5, 2016
edited
Loading

@hashmap I have finished the enhancement. PTAL, thanks.

Fix #6

@hashmap
Copy link
Contributor

hashmap commented Nov 8, 2016

Thanks @supereagle I'm testing it

@hashmap
Copy link
Contributor

hashmap commented Nov 9, 2016

Do you have a (public) example of an image with vulnerabilities? Your version always says Found 0 vulnerabilities, perhaps the current version gives false alarms.

@supereagle
Copy link
Contributor Author

Do you clean up your postgres? If you use an old postgres, maybe the relationship between layers stored in it is not correct. As the current version depends on these relationships to ensure that the vulnerabilities can be got by non-empty top layer.

@supereagle
Copy link
Contributor Author

You can have a try on the public image docker.io/nginx:1.9.

@i1skn i1skn changed the title enhancement: get vulnerabilities by image's non-empty top layer Enhancement: get vulnerabilities by image's non-empty top layer Nov 10, 2016
@supereagle
Copy link
Contributor Author

@hashmap Have you tested again?

@supereagle
Copy link
Contributor Author

supereagle commented Dec 4, 2016 via email

hashmap
hashmap reviewed Dec 5, 2016
View reviewed changes
clair/clair.go
var vs []Vulnerability
for i := range image.FsLayers {
for i := layerLength - 1; i >= 0; i-- {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought you want to analyze just the top level, in code I see that empty layers a filtered out and we reversed the direction of iteration. Did I miss something?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

filterEmptyLayers() just filters the empty layters, not reverses the layer order.

clair/clair.go
if index > 0 {
parentName = image.FsLayers[index-1].BlobSum
if index < len(image.FsLayers)-1 {
parentName = image.FsLayers[index+1].BlobSum
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We reversed the loop, but layers are still stored in the original order, why we take upper layer as a parent?

clair/clair.go
vs, err := c.analyzeLayer(image.FsLayers[0])
if err != nil {
fmt.Printf("Analyse image %s/%s:%s failed: %s", image.Registry, image.Name, image.Tag, err.Error())
return nil
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clair sometimes returns error, not sure we should stop in this case.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The GET layer API will be called only once with the the top layer as it is out of loop. If it has error, should return with no vulnerability.

clair/clair.go
return vs
}

func (c *Clair) analyzeLayer(layer *layer) (*[]Vulnerability, error) {
url := fmt.Sprintf("%s/v1/layers/%s?vulnerabilities", c.url, layer.Name)
func (c *Clair) analyzeLayer(layer docker.FsLayer) ([]Vulnerability, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The idea was to work with Clair layers here, not with Docker ones, any reason to break this encapsulation?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They are the same, as both of them are for the layer id. The vulnerabilities can be got by image top layer, which can be directly got by image.FsLayers[0], so use Docker layer instead.

clair/clair.go
@@ -131,7 +153,7 @@ func (c *Clair) analyzeLayer(layer *layer) (*[]Vulnerability, error) {
vs = append(vs, v)
}
}
return &vs, nil
return vs, nil
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like this change, thanks

@hashmap
Copy link
Contributor

hashmap commented Dec 6, 2016

Cool, thanks for your efforts! The only question from my side why do you need to reverse order while pushing layers to Clair?

@supereagle
Copy link
Contributor Author

The revered order is the order from parents to children. image.FsLayers[n-1] is the child layer, and image.FsLayers[n] is the parent layer.

@hashmap
Copy link
Contributor

hashmap commented Dec 13, 2016

Could you point me to the spec which defines the order of layers for pull? For some reason I thought that order is different, but could not find any specs now.

@supereagle
Copy link
Contributor Author

Take docker.io/nginx:latest as an example, its Dockerfile is mainline/jessie/Dockerfile

And its manifest is:

   "schemaVersion": 1,
   "name": "library/nginx",
   "tag": "latest",
   "architecture": "amd64",
   "fsLayers": [
      {
         "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
      },
      {
         "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
      },
      {
         "blobSum": "sha256:d685e39ac8a4ccea462d489b503f9de952f0b8c7a0b0a0548f7a5c20b272668b"
      },
      {
         "blobSum": "sha256:386dc9762af975db201ed66aebd3f8b5f2c24389db4744d54ec47667dcdae26a"
      },
      {
         "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
      },
      {
         "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
      },
      {
         "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
      },
      {
         "blobSum": "sha256:386a066cd84a33a04d560c42bef66d1dd64ebfc76de78550e5fd0f8d57778bca"
      }
   ],
...
}

Compare its dockerfile and manifest, you will find just two non-empty layers(d685e39ac8a4ccea462d489b503f9de952f0b8c7a0b0a0548f7a5c20b272668b, 386dc9762af975db201ed66aebd3f8b5f2c24389db4744d54ec47667dcdae26a) for two RUN commands in dockerfile. The order of commands in dockerfile are reversed for their layers in manifest.

@supereagle
Copy link
Contributor Author

@hashmap Any points still not clear?

@hashmap hashmap merged commit b088466 into optiopay:master Dec 19, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hashmap hashmap hashmap left review comments

Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@supereagle @hashmap @i1skn