설치 및 설정
Clair DB 및 서버 컨테이너 실행
$ sudo chmod 666 /var/run/docker.sock
$ docker run -p 5432:5432 -d --name db arminc/clair-db:latest
$ docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:latest
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
55bf6ef747d5 arminc/clair-local-scan:latest "/clair -config=/con…" 27 seconds ago Up 25 seconds 0.0.0.0:6060->6060/tcp, :::6060->6060/tcp, 6061/tcp clair
deef5616f3cf arminc/clair-db:latest "docker-entrypoint.s…" About a minute ago Up About a minute 0.0.0.0:5432->5432/tcp, :::5432->5432/tcp dbClair-scanner 설치
$ wget https://github.com/arminc/clair-scanner/releases/download/v12/clair-scanner_linux_amd64
$ chmod +x clair-scanner_linux_amd64; sudo mv clair-scanner_linux_amd64 /usr/local/bin/clair-scannerjdk11을 사용하는 gradle image 다운
$ docker pull gradle:jdk11
$ docker images
REPOSITORY TAG IMAGE ID
gradle jdk11 ca64ef4dd4da 19 hours ago 744MBaws-cli image 다운
ecr -> public gallery -> aws-cli (by bitnami)
$ docker pull bitnami/aws-cli:latest
$ docker images
bitnami/aws-cli latest 23ca291576a7 2 days ago 378MB실습
parameter
clair-scanner [OPTIONS] IMAGE
IMAGE의 경우 image의 ID로 접근이 불가능하며 name 전체를 가지고 와야 한다.
-w, --whitelist="": 보안 취약점이더라도 취약 결과로 나오지 않게 만듦. 주로 사용되지 않음.
-t, --threshold="Unknown": 보안 취약점에 대한 등급, 취약도를 설정. 해당하는 등급만 출력하도록 설정 가능
-c, --clair="http://127.0.0.1:6060": clair에 대한 url
--ip="localhost": private IP를 설정
-l, --log="": clair scan을 실행하며 생기는 로그
--all, --reportAll=true: 전체 보안 취약 지점 출력. 시간 오래 걸림
-r, --report="": 결과값을 json 파일 형태로 export가 가능해짐
--exit-when-no-features=false: 잘 사용 안함. 이미지 스캔 진행하다 오류가 나는 경우 자동 종료.
Gradle 및 AWS-CLI Docker Image 스캔 및 결과 확인
Gradle
$ clair-scanner --ip ${IP} --clair=http://localhost:6060 --log="clair.log" --report="gradle_report.txt" gradle:jdk11이미지 gradle:jdk11에 대한 보안 취약점 확인. 실습중엔 보안 취약점이 나왔는데, 그새 수정되었는지 어떠한 취약점도 나오지 않았다...
$cat clair.log
2023/04/27 15:37:12 [INFO] ▶ Start clair-scanner
2023/04/27 15:37:25 [INFO] ▶ Server listening on port 9279
2023/04/27 15:37:25 [INFO] ▶ Analyzing 8c8c584fce832212111bcc33757036d5ccfa64f9fc392b45b6aa8ea89780f281
2023/04/27 15:37:27 [INFO] ▶ Analyzing 109ddea472ab3413eb87cea1381424fe6f78fe19e40ab977ff6404e60dd0f229
2023/04/27 15:37:27 [INFO] ▶ Analyzing 9953573d4419972dc5aef18dcdf91d18bdf903d3d7bde75e874a692fa0228dd4
2023/04/27 15:37:27 [INFO] ▶ Analyzing 233c6b4f6f0be8f60896bae59f12cbef159440a6f2d2e3d022eef1a2d0e6d349
2023/04/27 15:37:27 [INFO] ▶ Analyzing ab1404b366c40bd038b3c88c420aeffe2cf598b679a7d770a521446defd56338
2023/04/27 15:37:27 [INFO] ▶ Analyzing 0059aa85befdf4c07f5cbcb6b66eb2474a866e9aeb9292199288d06f9b84fa3e
2023/04/27 15:37:28 [INFO] ▶ Analyzing 7fefd04dadebd022349719f741924cf2ad23f3dfd843d7b5771df63e6141c364
2023/04/27 15:37:28 [INFO] ▶ Image [gradle:jdk11] contains NO unapproved vulnerabilities
$ cat gradle_report.txt
{
"image": "gradle:jdk11",
"unapproved": [],
"vulnerabilities": []
}log와 보안 취약점을 json 형태로 확인할 수 있다.
AWS-CLI
$ clair-scanner --ip ${IP} --clair=http://localhost:6060 --log="clair.log" --report="aws-cli_report.txt" bitnami/aws-cli:latest
+------------+-----------------------------+--------------+------------------+--------------------------------------------------------------+
| STATUS | CVE SEVERITY | PACKAGE NAME | PACKAGE VERSION | CVE DESCRIPTION |
+------------+-----------------------------+--------------+------------------+--------------------------------------------------------------+
| Unapproved | High CVE-2019-8457 | db5.3 | 5.3.28+dfsg1-0.8 | SQLite3 from 3.6.0 to and including 3.27.2 is |
| | | | | vulnerable to heap out-of-bound read in the rtreenode() |
| | | | | function when handling invalid rtree tables. |
| | | | | https://security-tracker.debian.org/tracker/CVE-2019-8457 |
+------------+-----------------------------+--------------+------------------+--------------------------------------------------------------+
| Unapproved | Medium CVE-2020-16156 | perl | 5.32.1-4+deb11u2 | CPAN 2.28 allows Signature Verification Bypass. |
| | | | | https://security-tracker.debian.org/tracker/CVE-2020-16156 |
+------------+-----------------------------+--------------+------------------+--------------------------------------------------------------+
| Unapproved | Medium CVE-2022-1304 | e2fsprogs | 1.46.2-2 | An out-of-bounds read/write vulnerability was |
| | | | | found in e2fsprogs 1.46.5. This issue leads to |
| | | | | a segmentation fault and possibly arbitrary code |
| | | | | execution via a specially crafted filesystem. |
| | | | | https://security-tracker.debian.org/tracker/CVE-2022-1304 |
+------------+-----------------------------+--------------+------------------+--------------------------------------------------------------+
...$ cat aws-cli_report.txt보안 등급이 높은 High에서 Negligible 순으로 존재.
Unknown의 경우 현재 Clair에서는 보안 취약 정도를 확인할 수 없으므로 직접 찾아야 함.
