objectiflibre / docker-clair-scanner
License: MIT License
Missing binary name when copy to /usr/local/bin/ folder

Hello,
Running a container with an image built from this Dockerfile generates an error:
docker: Error response from daemon: OCI runtime create failed: container_linux.go:346: starting container process caused "exec: "clair": executable file not found in $PATH": unknown.
I did a little investigation and found that in the Dockerfile the binary name is missing from the destination path, so the copy operation is overwriting the /usr/local/bin folder.
The correct copy line should be:
COPY --from=0 /gopath/src/clair/clair /usr/local/bin/clair
Below is some evidence that the bin folder became the Clair binary:
~ # cd /usr/local/bin
/bin/sh: cd: can't cd to /usr/local/bin: Not a directory
~ # cd /usr/local
/usr/local # ls
bin lib share
/usr/local # ./bin
Error: incorrect usage
Usage: clair-scanner [OPTIONS] IMAGE
Scan local Docker images for vulnerabilities with Clair
Arguments:
IMAGE="" Name of the Docker image to scan
Options:
-w, --whitelist="" Path to the whitelist file
-t, --threshold="Unknown" CVE severity threshold. Valid values; 'Defcon1', 'Critical', 'High', 'Medium', 'Low', 'Negligible', 'Unknown'
-c, --clair="http://127.0.0.1:6060" Clair URL
--ip="localhost" IP address where clair-scanner is running on
-l, --log="" Log to a file
--all, --reportAll=true Display all vulnerabilities, even if they are approved
-r, --report="" Report output file, as JSON
--exit-when-no-features=false Exit with status code 5 when no features are found for a particular image
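The mistake above is a Dockerfile semantic: with a single source and a destination that does not end in a slash, COPY writes the source as a regular file at that exact path, so `/usr/local/bin` stops being a directory. The check below is an added example, not code from this project, that scans a Dockerfile for COPY/ADD lines hitting that case. The list of directory paths it guards (DIRECTORY_DESTS) is an assumption for the example; extend it for your own base images.

```python
"""Lint COPY/ADD lines whose destination names a directory without a trailing slash."""
import json
import re
import shlex
from typing import List, Optional, Tuple

# Paths that must stay directories. Assumed list for this example; extend as needed.
DIRECTORY_DESTS = {
    "/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin",
    "/usr/lib", "/usr/local/lib", "/etc", "/opt", "/tmp",
}


def parse_copy(line: str) -> Optional[Tuple[str, List[str], str]]:
    """Return (instruction, sources, dest) for a COPY/ADD line, else None.

    Flags such as --from=0 or --chown=user:group are skipped. Both the shell
    form (COPY a b /dest) and the JSON form (COPY ["a", "/dest"]) are handled.
    """
    m = re.match(r"\s*(COPY|ADD)\s+(.*)$", line, re.IGNORECASE)
    if not m:
        return None
    instr, rest = m.group(1).upper(), m.group(2).strip()
    parts = json.loads(rest) if rest.startswith("[") else shlex.split(rest)
    args = [p for p in parts if not p.startswith("--")]
    if len(args) < 2:
        return None
    return instr, args[:-1], args[-1]


def check_dockerfile(text: str) -> List[Tuple[int, str]]:
    """Return (line number, message) for every COPY/ADD that would replace a directory."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_copy(raw)
        if parsed is None:
            continue
        instr, sources, dest = parsed
        # Single source + dest without trailing slash: the source is written
        # *as* the file named dest. This is the silent case; flag it.
        if len(sources) == 1 and not dest.endswith("/") and dest in DIRECTORY_DESTS:
            findings.append((
                lineno,
                f"{instr} writes {sources[0]} as the regular file {dest}; "
                f"use {dest}/ or {dest}/<binary-name> instead",
            ))
    return findings


if __name__ == "__main__":
    # Constructed sample: the buggy line from this issue next to the fixed one.
    sample = (
        "FROM alpine:3.12\n"
        "COPY --from=0 /gopath/src/clair/clair /usr/local/bin\n"
        "COPY --from=0 /gopath/src/clair/clair /usr/local/bin/clair\n"
    )
    for lineno, msg in check_dockerfile(sample):
        print(f"line {lineno}: {msg}")
```

Run it against a Dockerfile before `docker build`; the second COPY line in the sample (the corrected form from this issue) produces no finding, only the first does.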
I'm running clair against an image built based on python:3.9-slim which in turn is based on debian buster. The issue is that clair is reporting a ton of vulns that are not there:
Digest: sha256:1b80f32abe0bd20d0b4fad943e84413f3a53f24eafcc12dc1d08e2367c7dd47a
Status: Downloaded newer image for objectiflibre/clair-scanner:latest
2021/05/03 00:52:03 [INFO] ▶ Start clair-scanner
2021/05/03 00:52:10 [INFO] ▶ Server listening on port 9279
2021/05/03 00:52:10 [INFO] ▶ Analyzing 88a5033f64e4b323c387d762ec17331f9ce8f501b4ad690dbd0776bd36ab04c8
2021/05/03 00:52:17 [INFO] ▶ Analyzing 240f33e375e6857121e6de2c39d59d48ea9ee38c83bd9194953c87359a114cc3
2021/05/03 00:52:18 [INFO] ▶ Analyzing a34d2b4f899901b24bac5e12edf9c017934e853fb0736438d0b599e1c01fc1db
2021/05/03 00:52:18 [INFO] ▶ Analyzing d634b671ceef7f6a52deac8e3ee1b0dc2851d7675481557b4652c8d806a50004
2021/05/03 00:52:18 [INFO] ▶ Analyzing 7c6d6709f625e00641902ead5f725a6ba176a3debc339900161180784bdaa14f
2021/05/03 00:52:18 [INFO] ▶ Analyzing 8fbdbe4e5eacb28bf4a924bc2fd557064b3d91a839f5137b0a5962be1e513cdd
2021/05/03 00:52:19 [INFO] ▶ Analyzing 0571676387e8b74eedfe2d6af9c4ab795ffeb5790b573fa05b6c9e0b5fb4eafd
2021/05/03 00:52:19 [INFO] ▶ Analyzing 2565eda99944164ade39790f49df228d2fe748018e8592ceb5579bd95d1b83c7
2021/05/03 00:52:19 [INFO] ▶ Analyzing d99c63c4ba88b3b03367f41999d6e3f1b81bbe6d2447763e4df15dfdd5e8b66b
2021/05/03 00:52:19 [INFO] ▶ Analyzing b8183782c14f08e6ae295fab4b3f669e845ef066d09db4dc85ff99e39b932891
2021/05/03 00:52:19 [WARN] ▶ Image [registry.gitlab.com/nevrona/public/poetry-docker/feature-debian:0d02321d6751486a69ee7c37c6b1ddfba78b07e8] contains 224 total vulnerabilities
2021/05/03 00:52:19 [ERRO] ▶ Image [registry.gitlab.com/nevrona/public/poetry-docker/feature-debian:0d02321d6751486a69ee7c37c6b1ddfba78b07e8] contains 224 unapproved vulnerabilities
You can see the whole output attached: job.log. The base image is: https://gitlab.com/nevrona/public/poetry-docker/-/blob/0d02321d6751486a69ee7c37c6b1ddfba78b07e8/Dockerfile
Currently I can only disable the scan to bypass it but this would defeat the entire purpose of scanning with clair. What should I do?
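Before deciding that the 224 findings are wrong, it helps to split them by severity, by package, and by whether the distribution has a fixed version at all, and to see what the `-t` threshold from the usage text actually filters. The script below is an added example, not part of clair-scanner, that triages the JSON report written with `-r`. The report field names (featurename, featureversion, vulnerability, namespace, severity, fixedby, link) are my recollection of clair-scanner's report format and are an assumption; the sample report is constructed and its CVE identifiers are placeholders, not real vulnerabilities. Whitelisting is modelled as a set of IDs rather than by parsing the `-w` YAML file.

```python
"""Triage a clair-scanner JSON report by severity, package and fix availability."""
import json
from collections import Counter
from typing import Dict, Iterable, List

# Lowest to highest, the same values the -t/--threshold option accepts.
SEVERITIES = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}

# Constructed sample report. Field names are an assumption about the -r output;
# CVE IDs are placeholders for the example, not real vulnerabilities.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example.invalid/app:0d02321d",
    "vulnerabilities": [
        {"featurename": "libc6", "featureversion": "2.28-10", "vulnerability": "CVE-0000-0001",
         "namespace": "debian:10", "severity": "Low", "fixedby": "", "link": ""},
        {"featurename": "libc6", "featureversion": "2.28-10", "vulnerability": "CVE-0000-0002",
         "namespace": "debian:10", "severity": "High", "fixedby": "2.28-10+deb10u1", "link": ""},
        {"featurename": "openssl", "featureversion": "1.1.1d-0+deb10u5", "vulnerability": "CVE-0000-0003",
         "namespace": "debian:10", "severity": "Medium", "fixedby": "", "link": ""},
        {"featurename": "perl-base", "featureversion": "5.28.1-6", "vulnerability": "CVE-0000-0004",
         "namespace": "debian:10", "severity": "Negligible", "fixedby": "", "link": ""},
        {"featurename": "zlib1g", "featureversion": "1:1.2.11.dfsg-1", "vulnerability": "CVE-0000-0005",
         "namespace": "debian:10", "severity": "Critical", "fixedby": "1:1.2.11.dfsg-1+deb10u1", "link": ""},
    ],
})


def load_report(text: str) -> List[Dict]:
    return json.loads(text)["vulnerabilities"]


def above_threshold(severity: str, threshold: str) -> bool:
    """A finding counts when its severity is at or above the threshold.

    An unrecognised severity string is ranked as Unknown, the lowest level."""
    return RANK.get(severity, 0) >= RANK[threshold]


def triage(vulns: Iterable[Dict], threshold: str = "Unknown", whitelist: Iterable[str] = ()) -> Dict:
    """Bucket findings into fixable / unfixed / whitelisted, plus severity and package counts."""
    allowed = set(whitelist)
    result = {
        "by_severity": Counter(), "by_package": Counter(),
        "fixable": [], "unfixed": [], "whitelisted": [],
    }
    for v in vulns:
        result["by_severity"][v["severity"]] += 1
        result["by_package"][v["featurename"]] += 1
        if v["vulnerability"] in allowed:
            result["whitelisted"].append(v["vulnerability"])
            continue
        if not above_threshold(v["severity"], threshold):
            continue
        # Empty fixedby: the feed knows no fixed package version, so a rebuild
        # on the same base image cannot clear it. Keep those separate so the
        # count of findings you can actually act on is visible.
        bucket = "fixable" if v["fixedby"] else "unfixed"
        result[bucket].append(v["vulnerability"])
    return result


if __name__ == "__main__":
    r = triage(load_report(SAMPLE_REPORT), threshold="Medium")
    print("by severity:", dict(r["by_severity"]))
    print("by package: ", dict(r["by_package"]))
    print("fixable:    ", r["fixable"])
    print("unfixed:    ", r["unfixed"])
```

If most of a large count lands in `unfixed` or in one or two packages, the image is not hiding hundreds of independent problems; a whitelist entry with a reason, or a higher threshold, is then the documented choice instead of disabling the scan.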