Reposted

Static analysis of container vulnerabilities: introducing the first stable release of CoreOS's Clair

CoreOS recently released the first stable version of Clair. Clair is a tool for static analysis of vulnerabilities in container images.

Project page: https://github.com/coreos/clair

Installation notes: https://github.com/coreos/clai ... ME.md

API usage notes: https://github.com/coreos/clai ... ME.md

The documentation has a few gaps, so I have put together my own notes:

Installing Clair:

The docs in the Clair repository are not very complete; I installed it under Docker with the following commands:

$ docker run --name some-postgres -e POSTGRES_PASSWORD=mysecretpassword -d postgres
$ mkdir $HOME/clair_config
$ curl -L https://raw.githubusercontent.com/coreos/clair/master/config.example.yaml -o $HOME/clair_config/config.yaml
$ $EDITOR $HOME/clair_config/config.yaml # Add the URI for your postgres database

Set this line: source: postgresql://postgres:mysecretpassword@postgres:5432?sslmode=disable

$ docker run -d --link some-postgres:postgres -p 6060-6061:6060-6061 -v $HOME/clair_config:/config quay.io/coreos/clair -config=/config/config.yaml

Clair needs to run for a while; the namespaces are populated automatically as it fetches vulnerability data.

$ http GET http://192.168.99.100:6060/v1/namespaces
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Length: 139
Content-Type: application/json;charset=utf-8
Date: Wed, 23 Mar 2016 13:40:29 GMT
Server: clair

{
  "Namespaces": [
    {
      "Name": "debian:9"
    },
    {
      "Name": "debian:7"
    },
    {
      "Name": "debian:unstable"
    },
    {
      "Name": "debian:8"
    },
    {
      "Name": "debian:6"
    },
    {
      "Name": "ubuntu:15.04"
    },
    {
      "Name": "ubuntu:14.04"
    },
    {
      "Name": "ubuntu:14.10"
    },
    {
      "Name": "ubuntu:12.04"
    },
    {
      "Name": "ubuntu:15.10"
    },
    {
      "Name": "ubuntu:12.10"
    },
    {
      "Name": "ubuntu:13.04"
    },
    {
      "Name": "centos:6"
    },
    {
      "Name": "centos:7"
    },
    {
      "Name": "alpine:3.3.1"
    }
  ]
}

Find the Docker host address:

After installation, ports 6060 and 6061 are exposed. If you are running on Mac OS X, you need to find the docker-machine IP address:

$ docker-machine ip default
192.168.99.100

Install httpie

I also recommend installing httpie to make the API calls easier to run; the installation guide is here: https://github.com/jkbrzt/httpie

Install the analyze-local-images tool

$ export GOPATH=~/go
$ go get -u github.com/coreos/clair/contrib/analyze-local-images

Check an image for vulnerabilities

$ docker images
REPOSITORY   TAG          IMAGE ID       CREATED       VIRTUAL SIZE
alpine       3.3          sha256:90239   4 weeks ago   4.794 MB
python       2.7-alpine   sha256:dd22f   4 days ago    72.59 MB

$ ~/go/bin/analyze-local-images -endpoint "http://192.168.99.100:6060" -my-address "192.168.99.1" sha256:dd22f

2016-03-24 00:51:46.402394 I | Saving sha256:dd22f to local disk (this may take some time)
2016-03-24 00:51:50.790207 I | Retrieving image history
2016-03-24 00:51:50.790498 I | Setting up HTTP server (allowing: 192.168.99.100)
2016-03-24 00:51:50.993039 I | Analyzing 7 layers...
2016-03-24 00:51:50.993078 I | Analyzing 061232993debe19e048a5d9c774c5d338548ecfbb0239ee4163126dae0140dd6
2016-03-24 00:51:50.996947 I | Analyzing 1c65a9822da53a4a95961435f56ef33f4477ca1565eb9c1d58a5070016859282
2016-03-24 00:51:51.000084 I | Analyzing 4390cef4f59e1f151361d40db43d4960f23625eca66ebb774bfa37893cf680ae
2016-03-24 00:51:51.002810 I | Analyzing bb00ffee73d2d2be09d5b5aef31741e5dc126d8df016b74e0fe00db64dd9b84b
2016-03-24 00:51:51.023537 I | Analyzing fbafe5adf71025904c4b57092474acd0fb4f23e3f3ad47e2b096ae3098655974
2016-03-24 00:51:51.038989 I | Analyzing 0a58753f8a1d1e69295cf09a7903683c4ef938443cc54eef97ae12c5b430e929
2016-03-24 00:51:51.042544 I | Analyzing cf539c4370716f1d668d8c6dd3e0a511b0bf59ce70eb6fe8970e57c1b6a7b8ee
2016-03-24 00:51:51.047216 I | Retrieving image's vulnerabilities
Clair report for image sha256:dd22f (2016-03-23 13:51:51.075386919 +0000 UTC)
NOTE: No features have been detected in the image. This usually means that the image isn't supported by Clair.

Here endpoint is the Docker host's IP (where Clair is listening), my-address is your own IP, the one the Clair container uses to reach you while it fetches the layers, and sha256:dd22f is the image ID.
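As an added example (not from the original post or the Clair project), the following Python script checks an image's /etc/os-release against the namespace list returned by GET /v1/namespaces, which is the first thing to verify when analyze-local-images ends with "No features have been detected in the image". It assumes Clair names namespaces as ID:VERSION_ID, as the listing above suggests; the sample inputs are constructed.

```python
import json

# Constructed sample: an abbreviated copy of the GET /v1/namespaces body shown above.
NAMESPACES_JSON = """{"Namespaces": [{"Name": "debian:8"}, {"Name": "ubuntu:14.04"},
                     {"Name": "centos:7"}, {"Name": "alpine:3.3.1"}]}"""

# Constructed sample /etc/os-release contents; for a real image, use
# `docker run --rm <image> cat /etc/os-release`.
DEBIAN_OS_RELEASE = 'PRETTY_NAME="Debian GNU/Linux 8 (jessie)"\nID=debian\nVERSION_ID="8"\n'
ALPINE_OS_RELEASE = 'NAME="Alpine Linux"\nID=alpine\nVERSION_ID=3.3.3\n'
FEDORA_OS_RELEASE = 'NAME=Fedora\nID=fedora\nVERSION_ID=23\n'


def parse_os_release(text):
    """Parse the KEY=VALUE lines of /etc/os-release into a dict, dropping quotes."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"').strip("'")
    return fields


def supported_namespaces(body):
    """Return the set of namespace names from a /v1/namespaces response body."""
    return {ns["Name"] for ns in json.loads(body)["Namespaces"]}


def classify_image(os_release_text, namespaces):
    """Return (status, candidate) for an image's OS.

    Assumes Clair names namespaces "<ID>:<VERSION_ID>", as in the listing above.
    status is 'exact' (namespace known), 'partial' (distro known, version not)
    or 'unsupported' (distro absent); the last two usually end in Clair's
    "No features have been detected in the image" note.
    """
    fields = parse_os_release(os_release_text)
    distro = fields.get("ID", "").lower()
    candidate = f"{distro}:{fields.get('VERSION_ID', '')}"
    if candidate in namespaces:
        return "exact", candidate
    if any(ns.split(":", 1)[0] == distro for ns in namespaces):
        return "partial", candidate
    return "unsupported", candidate


if __name__ == "__main__":
    known = supported_namespaces(NAMESPACES_JSON)
    print(classify_image(ALPINE_OS_RELEASE, known))  # ('partial', 'alpine:3.3.3')
```

Against a live Clair, replace NAMESPACES_JSON with the body of `http GET http://<docker-host>:6060/v1/namespaces` and the sample strings with the image's real /etc/os-release.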

Finally, I ran several images through it and it kept saying that no issues were detected. If anyone has suggestions, please reply.

Original article: http://dockone.io/article/1157