
Image scanning with Clair

东郭京
2023-12-01

Purpose

Run an image scan against the images in an image registry and generate a report.

Installing Clair

Operating system: ubuntu 18.06
docker: 18.06.3
docker-compose: docker-compose version 1.25.5, build 8a1c60f6

Open the Clair GitHub page. Clair is started with docker-compose, so download the Clair docker-compose configuration:

$ curl -L https://raw.githubusercontent.com/coreos/clair/master/docker-compose.yaml.sample -o $PWD/docker-compose.yaml
$ mkdir $PWD/clair_config
$ curl -L https://raw.githubusercontent.com/coreos/clair/master/config.yaml.sample -o $PWD/clair_config/config.yaml

After the downloads complete, the layout looks like this:

/clair$ tree
.
├── clair_config
│   └── config.yaml
└── docker-compose.yaml

1 directory, 2 files
/clair$ cat docker-compose.yaml 
version: '3.8'

services:
  clair:
    image: quay.io/coreos/clair:latest
    command: -config=/config/config.yaml
    ports:
      - "6060:6060"
      - "6061:6061"
    depends_on:
      - clairdb
    volumes:
      - type: bind
        source: $PWD/clair_config
        target: /config
    networks:
      - clairnet
    restart: on-failure
    extra_hosts:
      - "yourharbor1.com:192.168.1.100"
      - "yourharbor2.com:192.168.1.101"
  clairdb:
    image: postgres:9.6
    networks:
      - clairnet
    environment:
      - POSTGRES_HOST_AUTH_METHOD=trust

networks:
  clairnet:
    driver: bridge

Start it up. This pulls the images; wait for the download to finish and the containers to start:

$ docker-compose -f docker-compose.yaml up -d

After startup, run docker logs on the clair container; you can see it automatically downloading data from the vulnerability databases.

Check Clair's health status:

$ curl -X  GET -I http://clair.ip:6061/health
HTTP/1.1 200 OK
Server: clair
Date: Tue, 02 Jun 2020 09:39:46 GMT
Content-Length: 0

To scan a private image registry, add --insecure-tls to Clair's start parameters:

services:
  clair:
    image: quay.io/coreos/clair:latest
    command: [-config=/config/config.yaml, --insecure-tls]

Scanning images with Clair

klar is a tool that integrates Clair with image registries:

Integration of Clair and Docker Registry

Download the latest version from the releases page and put it on your PATH; this section uses version 2.4.0.

Parameters supported by klar:

Usage

Klar process returns 0 if the number of detected high severity vulnerabilities in an image is less than or equal to a threshold (see below) and 1 if there were more. It will return 2 if an error has prevented the image from being analyzed.

Klar can be configured via the following environment variables:

  • CLAIR_ADDR - address of Clair server. It has a form of protocol://host:port - protocol and port default to http and 6060 respectively and may be omitted. You can also specify basic authentication in the URL: protocol://login:password@host:port.

  • CLAIR_OUTPUT - severity level threshold, vulnerabilities with severity level higher than or equal to this threshold
    will be outputted. Supported levels are Unknown, Negligible, Low, Medium, High, Critical, Defcon1.
    Default is Unknown.

  • CLAIR_THRESHOLD - how many outputted vulnerabilities Klar can tolerate before returning 1. Default is 0.

  • CLAIR_TIMEOUT - timeout in minutes before Klar cancels the image scanning. Default is 1

  • DOCKER_USER - Docker registry account name.

  • DOCKER_PASSWORD - Docker registry account password.

  • DOCKER_TOKEN - Docker registry account token. (Can be used in place of DOCKER_USER and DOCKER_PASSWORD)

  • DOCKER_INSECURE - Allow Klar to access registries with bad SSL certificates. Default is false. Clair will
    need to be booted with -insecure-tls for this to work.

  • DOCKER_TIMEOUT - timeout in minutes when trying to fetch layers from a docker registry

  • DOCKER_PLATFORM_OS - The operating system of the Docker image. Default is linux. This only needs to be set if the image specified references a Docker ManifestList instead of a usual manifest.

  • DOCKER_PLATFORM_ARCH - The architecture the Docker image is optimized for. Default is amd64. This only needs to be set if the image specified references a Docker ManifestList instead of a usual manifest.

  • REGISTRY_INSECURE - Allow Klar to access insecure registries (HTTP only). Default is false.

  • JSON_OUTPUT - Output JSON, not plain text. Default is false.

  • FORMAT_OUTPUT - Output format of the vulnerabilities. Supported formats are standard, json, table. Default is standard. If JSON_OUTPUT is set to true, this option is ignored.

  • WHITELIST_FILE - Path to the YAML file with the CVE whitelist. Look at whitelist-example.yaml for the file format.

  • IGNORE_UNFIXED - Do not count vulnerabilities without a fix towards the threshold

Usage:

CLAIR_ADDR=localhost CLAIR_OUTPUT=High CLAIR_THRESHOLD=10 DOCKER_USER=docker DOCKER_PASSWORD=secret klar postgres:9.5.1

Run the scan:

$ CLAIR_OUTPUT=Unknown FORMAT_OUTPUT=standard  CLAIR_ADDR=http://clair.ip:6060 DOCKER_USER=admin DOCKER_PASSWORD=secret  REGISTRY_INSECURE=TRUE klar yourharbor1.com/spinnaker/gcr.io/spinnaker-marketplace/deck:2.1.0-20180221143146
clair timeout 1m0s
docker timeout: 1m0s
no whitelist file
Analysing 4 layers
Got results from Clair API v1
Found 224 vulnerabilities
Unknown: 99
Negligible: 84
Low: 41

CVE-2018-16868: [Unknown] 
Found in: gnutls28 [3.5.8-5+deb9u3]
Fixed By: 
A Bleichenbacher type side-channel based padding oracle attack was found in the way gnutls handles verification of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run process on the same physical core as the victim process, could use this to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.
https://security-tracker.debian.org/tracker/CVE-2018-16868
-----------------------------------------
CVE-2018-10845: [Unknown] 
Found in: gnutls28 [3.5.8-5+deb9u3]
Fixed By: 3.5.8-5+deb9u4
It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets.
https://security-tracker.debian.org/tracker/CVE-2018-10845
-----------------------------------------
CVE-2018-10846: [Unknown] 
Found in: gnutls28 [3.5.8-5+deb9u3]
Fixed By: 3.5.8-5+deb9u4
A cache-based side channel in GnuTLS implementation that leads to plain text recovery in cross-VM attack setting was found. An attacker could use a combination of "Just in Time" Prime+probe attack in combination with Lucky-13 attack to recover plain text using crafted packets.
https://security-tracker.debian.org/tracker/CVE-2018-10846
-----------------------------------------
CVE-2018-10844: [Unknown] 
Found in: gnutls28 [3.5.8-5+deb9u3]
Fixed By: 3.5.8-5+deb9u4
It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets.
https://security-tracker.debian.org/tracker/CVE-2018-10844
-----------------------------------------
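As an added example (not from the original post or from klar itself), a small Python parser for klar's standard text output shown above that also applies the documented CLAIR_OUTPUT / CLAIR_THRESHOLD / IGNORE_UNFIXED exit-code rules, so a saved report can be summarised or re-gated offline. The sample report is constructed from two of the records above, with descriptions shortened.

```python
import re
# Severity levels in the order klar's usage text lists them (lowest first).
SEVERITIES = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]
HEADER_RE = re.compile(r"^(CVE-\d{4}-\d+): \[(\w+)\]$")
FOUND_RE = re.compile(r"^Found in: (\S+) \[([^\]]+)\]$")
# Constructed sample in klar's standard format: two records shown on this page
# (descriptions shortened); the first has no fixed version, so "Fixed By:" is empty.
SAMPLE_REPORT = """\
Unknown: 2

CVE-2018-16868: [Unknown] 
Found in: gnutls28 [3.5.8-5+deb9u3]
Fixed By: 
Bleichenbacher-style padding oracle in gnutls RSA PKCS#1 v1.5 handling.
https://security-tracker.debian.org/tracker/CVE-2018-16868
-----------------------------------------
CVE-2018-10845: [Unknown] 
Found in: gnutls28 [3.5.8-5+deb9u3]
Fixed By: 3.5.8-5+deb9u4
https://security-tracker.debian.org/tracker/CVE-2018-10845
-----------------------------------------
"""
def parse_report(text):
    """Parse klar's plain-text output into dict records. Lines before the first
    record and description lines are skipped; a record ends at the dashed rule."""
    findings, cur = [], None
    for line in (l.rstrip() for l in text.splitlines()):
        if m := HEADER_RE.match(line):
            cur = dict(cve=m[1], severity=m[2], package="", version="", fixed_by="", url="")
        elif cur is None:
            continue
        elif m := FOUND_RE.match(line):
            cur["package"], cur["version"] = m[1], m[2]
        elif line.startswith("Fixed By:"):
            cur["fixed_by"] = line[len("Fixed By:"):].strip()   # '' means no fix known
        elif line.startswith("https://"):
            cur["url"] = line
        elif line.startswith("-----"):
            findings.append(cur)
            cur = None
    return findings

def gate(findings, clair_output="Unknown", threshold=0, ignore_unfixed=False):
    """Apply the documented CLAIR_OUTPUT / CLAIR_THRESHOLD / IGNORE_UNFIXED rules and
    return (findings to report, exit code: 1 when more than the threshold count)."""
    floor = SEVERITIES.index(clair_output)
    reported = [f for f in findings if SEVERITIES.index(f["severity"]) >= floor]
    counted = [f for f in reported if f["fixed_by"] or not ignore_unfixed]
    return reported, (1 if len(counted) > threshold else 0)
```

Feed it the text klar wrote to a file (or its stdout) to get the same severity tally klar prints plus the exit code a given threshold would have produced.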

Scanning with klar packaged as a Docker image

Write a Dockerfile and build it into an image:

$ cat Dockerfile 
FROM alpine:latest

ADD https://github.com/optiopay/klar/releases/latest/download/klar-2.4.0-linux-amd64 /bin/klar
RUN chmod +x /bin/klar

ENTRYPOINT ["/bin/klar"]
$ docker build -t klar:v1 .
Sending build context to Docker daemon  5.632kB
Step 1/4 : FROM alpine:latest
 ---> f70734b6a266
Step 2/4 : ADD https://github.com/optiopay/klar/releases/latest/download/klar-2.4.0-linux-amd64 /bin/klar
Downloading [==================================================>]  12.73MB/12.73MB
 ---> 1bea7444e074
Step 3/4 : RUN chmod +x /bin/klar
 ---> Running in 050ea7efe3dd
Removing intermediate container 050ea7efe3dd
 ---> 20f38deaf4a4
Step 4/4 : ENTRYPOINT ["/bin/klar"]
 ---> Running in f6efdfa2c857
Removing intermediate container f6efdfa2c857
 ---> c70890393ef1
Successfully built c70890393ef1
Successfully tagged klar:v1

Run the scan using the image:

$ cat env 
CLAIR_OUTPUT=Unknown
FORMAT_OUTPUT=standard
CLAIR_ADDR=http://clair.ip:6060
DOCKER_USER=admin
DOCKER_PASSWORD=secret
REGISTRY_INSECURE=TRUE

$ docker run --rm --add-host yourharbor1.com:192.168.100.1 --env-file env  klar:v1 yourharbor1.com/spinnaker/gcr.io/spinnaker-marketplace/deck:2.1.0-20180221143146
clair timeout 1m0s
docker timeout: 1m0s
no whitelist file
Analysing 4 layers
Got results from Clair API v1
Found 224 vulnerabilities
Unknown: 99
Negligible: 84
Low: 41

CVE-2019-12900: [Unknown] 
Found in: bzip2 [1.0.6-8.1]
Fixed By: 
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
https://security-tracker.debian.org/tracker/CVE-2019-12900
-----------------------------------------
CVE-2019-3462: [Unknown] 
Found in: apt [1.4.8]
Fixed By: 1.4.9
Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.
https://security-tracker.debian.org/tracker/CVE-2019-3462
-----------------------------------------

Running the image as a Drone plugin

Drone version:

$ drone --version
drone version 1.2.1

Configure .drone.yml:

$ cat .drone.yml 
kind: pipeline
type: docker
name: default

workspace:
  base: /work
  path: src


steps:
  - name: scan
    image: klar:v1
    environment:
      CLAIR_OUTPUT: Unknown
      FORMAT_OUTPUT: standard
      CLAIR_ADDR: http://clair.ip:6060
      DOCKER_USER: admin
      DOCKER_PASSWORD: secret
      REGISTRY_INSECURE: TRUE
      CLAIR_THRESHOLD: 1000
    commands:
      - /bin/klar yourharbor1.com/spinnaker/gcr.io/spinnaker-marketplace/deck:2.1.0-20180221143146
    extra_hosts:
      - yourharbor1.com:192.168.100.1

Run with Drone:

$ drone exec --trusted
[scan:0] + /bin/klar harbor.raginghot.com.cn/spinnaker/gcr.io/spinnaker-marketplace/deck:2.1.0-20180221143146
[scan:1] clair timeout 1m0s
[scan:2] docker timeout: 1m0s
[scan:3] no whitelist file
[scan:4] Analysing 4 layers
[scan:5] Got results from Clair API v1
[scan:6] Found 224 vulnerabilities
[scan:7] Unknown: 99
[scan:8] Negligible: 84
[scan:9] Low: 41
[scan:10] 
[scan:11] CVE-2018-16869: [Unknown] 
[scan:12] Found in: nettle [3.3-1]
[scan:13] Fixed By: 
[scan:14] A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.
[scan:15] https://security-tracker.debian.org/tracker/CVE-2018-16869
[scan:16] -----------------------------------------
[scan:17] CVE-2018-16868: [Unknown] 
[scan:18] Found in: gnutls28 [3.5.8-5+deb9u3]
[scan:19] Fixed By: 
[scan:20] A Bleichenbacher type side-channel based padding oracle attack was found in the way gnutls handles verification of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run process on the same physical core as the victim process, could use this to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.
[scan:21] https://security-tracker.debian.org/tracker/CVE-2018-16868
[scan:22] -----------------------------------------
[scan:23] CVE-2018-10845: [Unknown] 
[scan:24] Found in: gnutls28 [3.5.8-5+deb9u3]
[scan:25] Fixed By: 3.5.8-5+deb9u4
[scan:26] It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets.
[scan:27] https://security-tracker.debian.org/tracker/CVE-2018-10845
[scan:28] -----------------------------------------
