Description of Problem / Feature Request
I've implemented Clair, Trivy and Grype into my pipelines, but Clair is the only one not finding any CVEs for a Debian 11 based docker image.
Expected Outcome
Expected it to find more or less similar CVEs to the other tools
Actual Outcome
Grype:
[2023-05-16T20:09:36.879Z] [0000] INFO grype version: 0.61.1
[2023-05-16T20:11:28.472Z] [0110] INFO identified distro: Debian GNU/Linux 11 (bullseye) form-lib=syft
...
[2023-05-16T20:11:56.687Z] [0139] INFO found 498 vulnerabilities for 260 packages
Trivy:
[2023-05-16T20:09:41.208Z] Total: 490 (UNKNOWN: 1, LOW: 318, MEDIUM: 65, HIGH: 95, CRITICAL: 11)
Clair:
[2023-05-16T20:09:36.304Z] + clairctl -D report --host http://<fqdn>:8080 <fqdn>/<custom>/onboarding:8bccae9c83eee9291f95485fdd0ce5ab4bcb030c
[2023-05-16T20:09:36.879Z] 2023-05-16T20:09:36Z DBG fetching ref=<fqdn>/<custom>/onboarding:8bccae9c83eee9291f95485fdd0ce5ab4bcb030c
[2023-05-16T20:09:36.879Z] 2023-05-16T20:09:36Z DBG using text output
[2023-05-16T20:09:41.157Z] 2023-05-16T20:09:40Z DBG found manifest digest=sha256:30280c8edce7364a56902dde59d7e0ae21fbd900156b16a6ac0bcb237fa8297b ref=<fqdn>/<custom>/onboarding:8bccae9c83eee9291f95485fdd0ce5ab4bcb030c
[2023-05-16T20:09:41.157Z] 2023-05-16T20:09:40Z DBG requesting index_report attempt=1 digest=sha256:30280c8edce7364a56902dde59d7e0ae21fbd900156b16a6ac0bcb237fa8297b ref=<fqdn>/<custom>/onboarding:8bccae9c83eee9291f95485fdd0ce5ab4bcb030c
[2023-05-16T20:09:42.097Z] 2023-05-16T20:09:41Z DBG body="{\"code\":\"not-found\",\"message\":\"index report for manifest \\\"sha256:30280c8edce7364a56902dde59d7e0ae21fbd900156b16a6ac0bcb237fa8297b\\\" not found\"}" digest=sha256:30280c8edce7364a56902dde59d7e0ae21fbd900156b16a6ac0bcb237fa8297b method=GET path=/indexer/api/v1/index_report/sha256:30280c8edce7364a56902dde59d7e0ae21fbd900156b16a6ac0bcb237fa8297b ref=<fqdn>/<custom>/onboarding:8bccae9c83eee9291f95485fdd0ce5ab4bcb030c status="404 Not Found"
[2023-05-16T20:09:42.097Z] 2023-05-16T20:09:41Z DBG don't have needed manifest digest=sha256:30280c8edce7364a56902dde59d7e0ae21fbd900156b16a6ac0bcb237fa8297b manifest=sha256:30280c8edce7364a56902dde59d7e0ae21fbd900156b16a6ac0bcb237fa8297b ref=<fqdn>/<custom>/onboarding:8bccae9c83eee9291f95485fdd0ce5ab4bcb030c
[2023-05-16T20:09:42.357Z] 2023-05-16T20:09:42Z DBG found manifest digest=sha256:30280c8edce7364a56902dde59d7e0ae21fbd900156b16a6ac0bcb237fa8297b ref=<fqdn>/<custom>/onboarding:8bccae9c83eee9291f95485fdd0ce5ab4bcb030c
[2023-05-16T20:09:42.357Z] 2023-05-16T20:09:42Z DBG found layers count=13 digest=sha256:30280c8edce7364a56902dde59d7e0ae21fbd900156b16a6ac0bcb237fa8297b ref=<fqdn>/<custom>/onboarding:8bccae9c83eee9291f95485fdd0ce5ab4bcb030c
[2023-05-16T20:09:43.758Z] 2023-05-16T20:09:43Z DBG requesting index_report attempt=2 digest=sha256:30280c8edce7364a56902dde59d7e0ae21fbd900156b16a6ac0bcb237fa8297b ref=<fqdn>/<custom>/onboarding:8bccae9c83eee9291f95485fdd0ce5ab4bcb030c
[2023-05-16T20:09:43.758Z] 2023-05-16T20:09:43Z DBG body="{\"code\":\"not-found\",\"message\":\"index report for manifest \\\"sha256:30280c8edce7364a56902dde59d7e0ae21fbd900156b16a6ac0bcb237fa8297b\\\" not found\"}" digest=sha256:30280c8edce7364a56902dde59d7e0ae21fbd900156b16a6ac0bcb237fa8297b method=GET path=/indexer/api/v1/index_report/sha256:30280c8edce7364a56902dde59d7e0ae21fbd900156b16a6ac0bcb237fa8297b ref=<fqdn>/<custom>/onboarding:8bccae9c83eee9291f95485fdd0ce5ab4bcb030c status="404 Not Found"
[2023-05-16T20:12:20.318Z] 2023-05-16T20:12:15Z DBG digest=sha256:30280c8edce7364a56902dde59d7e0ae21fbd900156b16a6ac0bcb237fa8297b method=POST path=/indexer/api/v1/index_report ref=<fqdn>/<custom>/onboarding:8bccae9c83eee9291f95485fdd0ce5ab4bcb030c status="201 Created"
[2023-05-16T20:12:20.319Z] 2023-05-16T20:12:15Z DBG setting validator digest=sha256:30280c8edce7364a56902dde59d7e0ae21fbd900156b16a6ac0bcb237fa8297b path=/indexer/api/v1/index_report/sha256:30280c8edce7364a56902dde59d7e0ae21fbd900156b16a6ac0bcb237fa8297b ref=<fqdn>/<custom>/onboarding:8bccae9c83eee9291f95485fdd0ce5ab4bcb030c validator="\"7a5f5333aeda3d3d3c679da74d74cab5\""
[2023-05-16T20:12:20.319Z] 2023-05-16T20:12:15Z DBG digest=sha256:30280c8edce7364a56902dde59d7e0ae21fbd900156b16a6ac0bcb237fa8297b method=GET path=/matcher/api/v1/vulnerability_report/sha256:30280c8edce7364a56902dde59d7e0ae21fbd900156b16a6ac0bcb237fa8297b ref=<fqdn>/<custom>/onboarding:8bccae9c83eee9291f95485fdd0ce5ab4bcb030c status="200 OK"
[2023-05-16T20:12:20.319Z] onboarding:8bccae9c83eee9291f95485fdd0ce5ab4bcb030c ok
(company specific info has been anonymized via anonymize.pl)
That last line seems to indicate that the docker image is ok and has no CVEs, but that is clearly contradicted by the other two scanners on this exact same docker image:tag.
Environment
- Clair version/image: 4.3.6
- Clair client name/version: clairctl version v4.6.0-7-g36990912
- Host OS: Linux (GKE)
- Kernel (e.g. uname -a): Linux 5.10.162+
- Kubernetes version (use kubectl version): v1.22.17-gke.5400
- Network/Firewall setup: GCP
Reproduce
The complete config to reproduce this is in my Kubernetes-configs repo, specifically this directory:
https://github.com/HariSekhon/Kubernetes-configs/tree/master/clair/base
which can be instantly deployed to Kubernetes:
git clone git@github.com:HariSekhon/Kubernetes-configs
cd clair/base
kustomize build | kubectl apply -f -
and then run this from any pod container on Kubernetes:
clairctl -D report --host http://clair.clair.svc.cluster.local:8080 eu.gcr.io/<project>/<image>:<tag>
eg.
git clone git@github.com:HariSekhon/DevOps-Bash-tools bash-tools
# launch a GCloud SDK container on the cluster and drop me into a bash shell on it
bash-tools/kubernetes/kubectl_gcloud_sdk.sh
# inside the GCloud SDK container, download clairctl
curl -Lo clairctl https://github.com/quay/clair/releases/download/v4.6.1/clairctl-linux-amd64 && chmod +x clairctl
./clairctl -D report --host http://clair.clair.svc.cluster.local:8080 eu.gcr.io/<project>/<image>:<tag>
Live Settings
$ env | grep CLAIR | grep -v -e HOST -e PORT
CLAIR_MODE=combo
CLAIR_CONF=/etc/clair/config.yaml
/etc/clair/config.yaml:
---
introspection_addr: 0.0.0.0:8089
http_listen_addr: 0.0.0.0:8080
log_level: info
indexer:
  connstring: postgres://clair:clair@clair-postgresql.clair.svc.cluster.local/clair?sslmode=disable
  scanlock_retry: 10
  layer_scan_concurrency: 5
  migrations: true
matcher:
  indexer_addr: clair.clair.svc.cluster.local:8080
  connstring: postgres://clair:clair@clair-postgresql.clair.svc.cluster.local/clair?sslmode=disable
  max_conn_pool: 100
  run: ""
  migrations: true
  updater_sets:
    - alpine
    - aws
    - debian
    - oracle
    - photon
    - pyupio
    - rhel
    - suse
    - ubuntu
matchers:
  names:
    - alpine
    - aws
    - debian
    - oracle
    - photon
    - python
    - rhel
    - suse
    - ubuntu
    - crda
  config:
    crda:
      url: https://gw.api.openshift.io/api/v2/
      source: clair-sample-instance
      key: 207c527cfc2a6b8dcf4fa43ad7a976da
notifier:
  indexer_addr: http://clair.clair.svc.cluster.local:8080/
  matcher_addr: http://clair.clair.svc.cluster.local:8080/
  connstring: postgres://clair:clair@clair-postgresql.clair.svc.cluster.local/clair?sslmode=disable
  migrations: true
  delivery_interval: 1m
  poll_interval: 5m
trace:
  name: jaeger
  probability: 1
  jaeger:
    agent:
      endpoint: localhost:6831
    service_name: clair
metrics:
  name: prometheus
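A triage helper for the situation described in this report, added here as an example; it is not the issue author's code and not part of Clair or clairctl. In clairctl's text output, "<ref> ok" means the vulnerability report came back with zero matches, which is only meaningful if the indexer actually recognised the image's distribution and packages and the matcher's updaters have loaded data for that distribution. The script below inspects the two documents a practitioner would pull next: the index report from the `/indexer/api/v1/index_report/<digest>` endpoint visible in the debug log above, and the matcher's `/matcher/api/v1/internal/update_operation` listing. Both sample documents are constructed for the example (field names follow Clair v4's JSON, but the package names, layer digests and updater keys are assumptions), and the page itself does not establish which of these checks would fail in the reporter's deployment.

```python
"""Triage a Clair v4 "no vulnerabilities" result before trusting it.

Fetch the real documents with, for example:
  curl -s http://<host>:8080/indexer/api/v1/index_report/<digest> > index_report.json
  curl -s http://<host>:8080/matcher/api/v1/internal/update_operation > update_ops.json
and feed them to the functions below instead of the constructed samples.
"""
import json

# Constructed sample index report (trimmed to the fields the checks use).
# The manifest digest is the one from the debug log; packages and layer
# digests are made up for the example.
SAMPLE_INDEX_REPORT = json.loads(r'''
{
  "manifest_hash": "sha256:30280c8edce7364a56902dde59d7e0ae21fbd900156b16a6ac0bcb237fa8297b",
  "state": "IndexFinished",
  "success": true,
  "err": "",
  "packages": {
    "1": {"id": "1", "name": "libssl1.1", "version": "1.1.1n-0+deb11u4", "kind": "binary", "arch": "amd64"},
    "2": {"id": "2", "name": "openssl",   "version": "1.1.1n-0+deb11u4", "kind": "binary", "arch": "amd64"},
    "3": {"id": "3", "name": "requests",  "version": "2.25.1",           "kind": "binary", "arch": ""}
  },
  "distributions": {
    "1": {"id": "1", "did": "debian", "name": "Debian GNU/Linux", "version": "11 (bullseye)",
          "version_code_name": "bullseye", "version_id": "11",
          "pretty_name": "Debian GNU/Linux 11 (bullseye)"}
  },
  "environments": {
    "1": [{"package_db": "var/lib/dpkg/status", "introduced_in": "sha256:aaa", "distribution_id": "1"}],
    "2": [{"package_db": "var/lib/dpkg/status", "introduced_in": "sha256:aaa", "distribution_id": "1"}],
    "3": [{"package_db": "python:usr/lib/python3/dist-packages", "introduced_in": "sha256:bbb",
           "distribution_id": ""}]
  }
}
''')

# Constructed sample of the update_operation response: a map of updater name
# to completed update operations.  The updater key names are assumed; use
# whatever names your Clair instance reports.
SAMPLE_UPDATE_OPS = {
    "debian-bullseye": [{"ref": "0f1e2d3c", "updater": "debian-bullseye",
                         "fingerprint": "etag-1", "date": "2023-05-16T18:00:00Z"}],
    "alpine-3.17": [{"ref": "4b5a6978", "updater": "alpine-3.17",
                     "fingerprint": "etag-2", "date": "2023-05-16T18:01:00Z"}],
    "ubuntu-jammy": [],  # updater is configured but has never completed a run
}


def triage_index_report(report):
    """Summarise what the indexer recorded for a manifest.

    Returns plain values so a pipeline step can print or assert on them.
    A report that is not finished/successful is flagged as unusable; for a
    usable one we count packages, list detected distributions as did:version_id,
    and name packages whose environments reference no distribution (these can
    only be matched by language matchers such as python, never by the debian
    updater).
    """
    if not report.get("success", False) or report.get("state") != "IndexFinished":
        return {"usable": False, "reason": report.get("err") or report.get("state")}

    packages = report.get("packages", {})
    distributions = report.get("distributions", {})
    environments = report.get("environments", {})

    orphaned = sorted(
        packages[pid]["name"]
        for pid in packages
        if not any(env.get("distribution_id") for env in environments.get(pid, []))
    )
    return {
        "usable": True,
        "package_count": len(packages),
        "distributions": sorted(f"{d['did']}:{d['version_id']}" for d in distributions.values()),
        "packages_without_distribution": orphaned,
    }


def updater_has_data(update_ops, updater_prefix):
    """True if any updater whose name starts with updater_prefix has at least
    one completed update operation.  An empty list for a configured updater
    means the matcher has no vulnerability data for it yet."""
    return any(ops for name, ops in update_ops.items() if name.startswith(updater_prefix))


if __name__ == "__main__":
    summary = triage_index_report(SAMPLE_INDEX_REPORT)
    print(json.dumps(summary, indent=2))
    for prefix in ("debian", "ubuntu", "rhel"):
        print(f"{prefix} updater has data: {updater_has_data(SAMPLE_UPDATE_OPS, prefix)}")
```

If the index report shows zero packages or no Debian distribution, the gap is on the indexer side (layer fetch or detection); if it looks complete but `updater_has_data(..., "debian")` is false, the matcher has nothing to match against, and a run of the matcher's updaters (or its logs) is the next thing to look at. A clean index report plus loaded Debian data would point instead at a client/server mismatch such as the clairctl v4.6 against Clair 4.3.6 combination in the environment section above, which the report does not settle either way.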