Using clair-scanner to scan a local docker image
### make sure go is installed
Stans-MacBook-Pro:clair-scanner standorsett$ go version
go version go1.8.3 darwin/amd64
Stans-MacBook-Pro:clair-scanner standorsett$
### make sure GOPATH is defined and $GOPATH/bin is added to $PATH
Stans-MacBook-Pro:clair-scanner standorsett$ cat ~/.bash_profile
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$PATH
### go get dep
go get -u github.com/golang/dep/cmd/dep
### go get and build clair-scanner
go get github.com/arminc/clair-scanner
cd ~/go/src/github.com/arminc/clair-scanner/
make ensure && make build
### cp clair-scanner that was compiled to ~/go/bin
cp clair-scanner ~/go/bin/
### start up clair-db and clair-local-scan docker containers
docker run -p 5432:5432 -d --name db arminc/clair-db:latest
docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1
### Scan a docker image that has been pulled locally
Stans-MacBook-Pro:clair-scanner standorsett$ clair-scanner --ip 127.0.0.1 --report golang-latest.json golang
2017/10/04 12:45:09 [INFO] ▶ Start clair-scanner
2017/10/04 12:45:22 [INFO] ▶ Server listening on port 9279
2017/10/04 12:45:22 [INFO] ▶ Analyzing 26f835f70de5eb3ce2fd926d8e0ddf0ac3f9e64d00b9ce4b500882ba92df1070
2017/10/04 12:45:22 [INFO] ▶ Analyzing 6226a80bd318e836c74b8836b9105efa264906e322c3e662b6d3a1f3aa070209
2017/10/04 12:45:22 [INFO] ▶ Analyzing 50d284e316da4249491daf363ad187a9efca20776d584cb7bbd42962b3ec614d
2017/10/04 12:45:22 [INFO] ▶ Analyzing 00f59011a78fac049489fb13e38534bb9a2ec014318d2377a9b2fa6978a0bc46
2017/10/04 12:45:22 [INFO] ▶ Analyzing f78311543751623169e23437b6297f42177d8c549146809fa01fc3ea69eb0809
2017/10/04 12:45:22 [INFO] ▶ Analyzing dcdfa8eedeb038b8637f12d4226cfad71d1e2edc50dc673d96c17d1c9423645c
2017/10/04 12:45:22 [INFO] ▶ Analyzing 2fb83fc65b6cbc9b28376af4c31ca9c839a379b45767a5bd34c716632e8acaf1
2017/10/04 12:45:22 [INFO] ▶ Analyzing 4f2422127f754b9aace98c2246db9ca2e0a1017e37312ae44b54f5c978975088
2017/10/04 12:45:22 [INFO] ▶ Unapproved vulnerabilities [[CVE-2017-13734 CVE-2017-10684 CVE-2017-13729 CVE-2017-13728 CVE-2017-13733 CVE-2017-13730 CVE-2017-13732 CVE-2017-11112 CVE-2017-13731 CVE-2017-11113 CVE-2017-10685 CVE-2017-10790 CVE-2017-7246 CVE-2017-7245 CVE-2017-11164 CVE-2017-14062 CVE-2011-4116 CVE-2017-12883 CVE-2012-3878 CVE-2017-12837 CVE-2017-14062 CVE-2017-1000101 CVE-2017-1000100 CVE-2017-1000254 CVE-2015-3276 CVE-2017-14159 CVE-2007-2768 CVE-2007-2243 CVE-2008-3234 CVE-2013-0340 CVE-2013-4235 CVE-2007-5686 CVE-2017-12424 CVE-2013-7040 CVE-2017-3735 CVE-2016-2781 CVE-2017-14934 CVE-2017-14745 CVE-2017-14529 CVE-2017-12967 CVE-2017-12453 CVE-2017-9749 CVE-2017-9041 CVE-2017-12459 CVE-2017-14333 CVE-2017-9744 CVE-2017-9043 CVE-2017-9750 CVE-2017-9752 CVE-2017-9742 CVE-2017-9756 CVE-2017-12458 CVE-2017-12457 CVE-2017-14130 CVE-2017-12456 CVE-2017-9040 CVE-2017-9745 CVE-2017-9755 CVE-2017-9042 CVE-2017-13710 CVE-2017-9753 CVE-2017-12455 CVE-2017-12799 CVE-2017-9954 CVE-2017-14729 CVE-2017-9751 CVE-2017-13757 CVE-2017-9038 CVE-2017-12452 CVE-2017-9044 CVE-2017-9754 CVE-2017-9039 CVE-2017-12451 CVE-2017-14974 CVE-2017-14128 CVE-2017-12454 CVE-2017-9743 CVE-2017-12448 CVE-2017-9955 CVE-2017-9748 CVE-2017-9747 CVE-2017-12450 CVE-2017-9746 CVE-2017-12449 CVE-2017-14129 CVE-2017-13716 CVE-2017-14938 CVE-2017-15025 CVE-2017-14939 CVE-2017-14940 CVE-2017-14930 CVE-2017-14932 CVE-2017-15022 CVE-2017-15020 CVE-2017-14933 CVE-2017-15023 CVE-2017-15021 CVE-2017-15024 CVE-2017-1000082 CVE-2013-4392 CVE-2017-10140 CVE-2015-8985 CVE-2017-12132 CVE-2017-8804 CVE-2010-4052 CVE-2010-4051 CVE-2017-12133 CVE-2016-10228 CVE-2010-4756 CVE-2010-0928 CVE-2007-6755 CVE-2017-3735 CVE-2017-14867 CVE-2011-3389 CVE-2012-0039 CVE-2011-3374 CVE-2017-14340 CVE-2017-10663 CVE-2010-5321 CVE-2017-1000370 CVE-2011-4915 CVE-2017-13695 CVE-2004-0230 CVE-2017-1000111 CVE-2017-1000380 CVE-2017-13693 CVE-2015-2877 CVE-2017-9984 CVE-2017-14991 CVE-2017-11600 CVE-2017-7518 CVE-2008-4609 
CVE-2017-12762 CVE-2017-1000379 CVE-2017-1000252 CVE-2014-9892 CVE-2017-14051 CVE-2008-2544 CVE-2011-4917 CVE-2016-8660 CVE-2017-9985 CVE-2017-14497 CVE-2017-9986 CVE-2017-14140 CVE-2017-1000371 CVE-2005-3660 CVE-2017-13694 CVE-2017-12134 CVE-2015-8553 CVE-2017-12153 CVE-2017-7558 CVE-2017-14489 CVE-2017-11472 CVE-2013-7445 CVE-2010-4563 CVE-2007-3719 CVE-2017-11473 CVE-2014-9900 CVE-2017-1000112 CVE-2017-1000251 CVE-2017-12146 CVE-2012-4542 CVE-2017-14106 CVE-2017-8831 CVE-2017-14156 CVE-2017-12154 CVE-2016-2779 CVE-2017-14176 CVE-2005-2541 CVE-2017-13685 CVE-2017-10989 CVE-2008-4108 CVE-2004-0971 CVE-2017-11368 CVE-2017-11462]] | |
Stans-MacBook-Pro:clair-scanner standorsett$ clair-scanner --ip 127.0.0.1 --report golang-latest.json centos:centos7
2017/10/04 12:46:28 [INFO] ▶ Start clair-scanner
2017/10/04 12:46:31 [INFO] ▶ Server listening on port 9279
2017/10/04 12:46:31 [INFO] ▶ Analyzing 892ebb5d1299cbf459f67aa070f29fdc6d83f4025c58c090e9a69bd4f7af436b
2017/10/04 12:46:31 [INFO] ▶ Unapproved vulnerabilities [[RHSA-2017:2832 RHSA-2017:2832 RHSA-2017:2832]]
Stans-MacBook-Pro:clair-scanner standorsett$
# Running clair-scanner on CentOS 7:
DOCKER_IMAGE='centos:centos7'
SERVER_IP="$(ip -f inet a show ens160| grep inet| awk '{ print $2}' | cut -d/ -f1)"
clair-scanner --ip "$SERVER_IP" "$DOCKER_IMAGE"
# Pulling information about specific vulnerabilities
# (URLs are quoted so the shell does not treat "?" as a glob character)
curl 'http://localhost:6060/v1/layers/892ebb5d1299cbf459f67aa070f29fdc6d83f4025c58c090e9a69bd4f7af436b?vulnerabilities'
curl 'http://localhost:6060/v1/namespaces/'
curl 'http://localhost:6060/v1/namespaces'
curl 'http://localhost:6060/v1/namespaces/centos:7/vulnerabilities/RHSA-2017:2832'
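An added example, not part of the original gist: a Python sketch that takes the JSON returned by the `/v1/layers/<layer>?vulnerabilities` query above, merges findings that appear under more than one package, and lists the IDs at or above a severity threshold. The field names (`Layer`, `Features`, `Vulnerabilities`, `Name`, `Severity`, `FixedBy`) are assumed to follow the Clair v1 API layout; the function names are hypothetical and the sample response is constructed with placeholder IDs.

```python
import json

# Clair v1 severity names, lowest to highest.
SEVERITIES = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]

# Constructed sample shaped like a Clair v1 layer response; IDs, packages and
# versions are placeholders, not real scan output.
SAMPLE_RESPONSE = json.dumps({"Layer": {"Name": "example-layer", "Features": [
    {"Name": "pkg-a", "Version": "1.0-1", "Vulnerabilities": [
        {"Name": "EXAMPLE-0001", "Severity": "High", "FixedBy": "1.0-2"}]},
    {"Name": "pkg-b", "Version": "1.0-1", "Vulnerabilities": [
        {"Name": "EXAMPLE-0001", "Severity": "High", "FixedBy": "1.0-2"},
        {"Name": "EXAMPLE-0002", "Severity": "Negligible"}]},
    {"Name": "pkg-c", "Version": "2.3"},  # feature with no findings
]}})


def summarize_layer(raw):
    """Map each vulnerability ID to its severity, affected packages and fixes."""
    layer = json.loads(raw).get("Layer", {})
    findings = {}
    for feature in layer.get("Features") or []:
        for vuln in feature.get("Vulnerabilities") or []:
            entry = findings.setdefault(vuln["Name"], {
                "severity": vuln.get("Severity", "Unknown"),
                "packages": [], "fixed_by": {}})
            entry["packages"].append(feature["Name"])
            if vuln.get("FixedBy"):  # absent or empty: no fix version in the response
                entry["fixed_by"][feature["Name"]] = vuln["FixedBy"]
    return findings


def blocking(findings, threshold="High"):
    """Return sorted IDs whose severity is at or above the threshold."""
    floor = SEVERITIES.index(threshold)

    def rank(sev):
        # Unrecognized severity strings are ranked as "Unknown".
        return SEVERITIES.index(sev) if sev in SEVERITIES else 0

    return sorted(i for i, e in findings.items() if rank(e["severity"]) >= floor)


if __name__ == "__main__":
    result = summarize_layer(SAMPLE_RESPONSE)
    for vuln_id, entry in sorted(result.items()):
        print(vuln_id, entry["severity"], entry["packages"], entry["fixed_by"])
    print("blocking:", blocking(result))
```

To use it on live data, save the curl output to a file and pass its contents to `summarize_layer` in place of `SAMPLE_RESPONSE`.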
Hi!
I scanned golang. After this, where is the report file? I can't find it...
Hi there,
I tried the ### go get and build clair-scanner and go get and build clair-scanner and I am stuck at an error.
1-->
root@kali:
# go get github.com/arminc/clair-scanner
/go/src/github.com/arminc/clair-scanner# make ensure && make build
package github.com/coreos/clair/api/v1: cannot find package "github.com/coreos/clair/api/v1" in any of:
/usr/lib/go-1.11/src/github.com/coreos/clair/api/v1 (from $GOROOT)
/root/go/src/github.com/coreos/clair/api/v1 (from $GOPATH)
2-->
root@kali:
dep ensure
dep: WARNING: branch, version, revision, or source should be provided for "gopkg.in/yaml.v2"
dep: WARNING: branch, version, revision, or source should be provided for "github.com/mbndr/logo"
dep: WARNING: branch, version, revision, or source should be provided for "github.com/olekukonko/tablewriter"
Please let me know what I am doing wrong here. I tried other methods mentioned by the official clair developer on GitHub, but none is working.
Looking for your response.