Photon-OS ClairCore Support #118
Can we get some information about Photon OS first?
Yes, we have our own security tracker for Photon OS security vulnerabilities. We are uploading the results in the repository itself as a security advisory https://github.com/vmware/photon/wiki/Security-Advisories and as a JSON file for every single Photon OS release here: https://vmware.bintray.com/photon_cve_metadata/
I will investigate your first question and I will answer on this issue.
@MVrachev
Photon is using RPM as package management technology.
@MVrachev I'm looking at your docker files and it appears photon releases have well defined OS release files:
Would you like to take a stab at writing a DistributionScanner for PhotonOS? The distribution scanner should return a *claircore.Distribution struct representing the discovered PhotonOS release in the given layer. You are free to use any files that may exist in a PhotonOS container layer, but OS-Release looks pretty good for you guys. We have been hard coding the claircore.Distribution structures for now - like so: https://github.com/quay/claircore/blob/master/debian/releases.go If you'd like to open a PR for the DistributionScanner first, we can work together on it. Once that's complete we can work on parsing your vulnerability database.
Hello again @ldelossa.
@ppadmavilasom @MVrachev We now need to create a few things to match Vulnerabilities to a Photon-OS IndexReport. https://github.com/quay/claircore/blob/master/libvuln/driver/matcher.go#L37 For Updater, you will want to implement the full interface, including embedded interfaces. A good example is ubuntu: https://github.com/quay/claircore/blob/master/ubuntu/matcher.go The idea here is to fetch your security database, parse it into claircore.Vulnerability structures, and then implement a Matcher which tells claircore how to match your packages to the vulnerabilities. This portion can be a little abstract so ping me if you need assistance.
@ldelossa appreciate your help with this. Will work on the rest.
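The DistributionScanner sketched above, as an added Go example that is not code from claircore or the Photon maintainers: it parses an os-release file taken from a layer and returns a local Distribution stand-in (assumed field names modelled on claircore.Distribution) only when the layer is Photon OS, and nil otherwise so other scanners can claim the layer; the sample os-release content is constructed.

```go
package main

import (
	"bufio"
	"strings"
)

// Distribution is a local stand-in for claircore.Distribution (assumed field
// names; the real struct lives in the claircore package).
type Distribution struct {
	DID, Name, Version, VersionID, PrettyName string
}

// parseOSRelease parses /etc/os-release style KEY=VALUE lines, dropping
// comments, blank lines and the optional quotes around values.
func parseOSRelease(content string) map[string]string {
	kv := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok {
			kv[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"'`)
		}
	}
	return kv
}

// scanPhoton does what a DistributionScanner does for one layer: a Distribution
// when os-release identifies Photon OS, nil otherwise so other scanners can claim it.
func scanPhoton(osRelease string) *Distribution {
	kv := parseOSRelease(osRelease)
	if kv["ID"] != "photon" {
		return nil
	}
	return &Distribution{
		DID: kv["ID"], Name: kv["NAME"], Version: kv["VERSION"],
		VersionID: kv["VERSION_ID"], PrettyName: kv["PRETTY_NAME"],
	}
}

// Constructed sample modelled on a Photon OS 3.0 /etc/os-release.
const samplePhotonOSRelease = `NAME="VMware Photon OS"
VERSION="3.0"
ID=photon
VERSION_ID=3.0
PRETTY_NAME="VMware Photon OS/Linux"
`
```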
@ppadmavilasom we try to drive people to our mdbook documentation: I am a heavy user of the local development environment. So I will often use
You are able to pass cctool a repository/namespace:tag and it will pull the layers and create an IndexReport and a Vulnerability report for you. cc @hdonnay if you want to add anything. Though you make a good point, we need to get better at testing our IndexReports.
@ppadmavilasom currently Clair tests are failing on vmware: fetch component=pkg/ovalutil/Fetcher.Fetch database=https://packages.vmware.com/photon/security/oval/com.vmware.phsa-photon3.xml is your sec db down?
@ppadmavilasom not a problem, thanks for the quick PR!
We're currently having problems where the xml document has missing and nonsensical dates in the Empty date strings are now dealt with in our OVAL package, but there's the problem of the nonsensical dates. For example, I don't think PHSA-2020:00033 was actually issued in the early third century.
@hdonnay Thanks for checking and sorry for this. We used PHSA-2020:00033 as an id in the document not as a date. Should these dates be in any other format? Is there any other distro's document I can use as a reference?
@smaliakkal Sorry, I was pointing out that PHSA-2020:00033 has a date of 209-09-10, which seems wrong. There may be others, but that's where our importing is falling down first.
@hdonnay Thanks for pointing that out.
@ppadmavilasom any work being done to continue this integration?
@ldelossa we have corrected bogus dates and empty dates?
@smaliakkal I was referring to the original topic of this thread. Currently the photon-os updater is working and the distribution scanner is working, but a Matcher must be implemented.
@ldelossa we will send a PR in the next couple of weeks.
@suezzelur @ppadmavilasom @ldelossa @smaliakkal
Merged! Thanks for contributing.
Thanks @ldelossa
Hi, I have already spent a lot of time working on this PR for Clair: https://github.com/quay/clair/pull/886/files.
After contacting @ldelossa I was advised to move the PR here.
Can you please help me figure out how much work will that be?