clair: Clair does not detect Debian vulnerability
Description of Problem
I have an image that I know contains a version of openssh-client that is vulnerable to CVE-2019-6111 but when I scan it in Clair it does not detect this vulnerability. Having dug into the problem I think there are two issues, firstly the packages in any layers other than the base are not detected, secondly when a package is a binary package it is not matched to its source. More details on both of these below.
Problem 1: Non-base layers not scanned
Problem description
I have the following dockerfile that installs a vulnerable version of openssh-client:
FROM debian:stretch-slim
RUN echo 'deb http://snapshot.debian.org/archive/debian/20170625T040030Z stretch-proposed-updates main' >> /etc/apt/sources.list && \
apt-get -o Acquire::Check-Valid-Until=false update && \
apt-get install openssh-client=1:7.4p1-10+deb9u1 -y
Expected Outcome
I expect to see the openssh-client listed in the list of installed packages and it to be vulnerable.
Actual Outcome
openssh-client does not appear in the list of installed packages. I looked at what is in the database and see that the layer does exist for the manifest as:
SELECT COUNT(DISTINCT layer_id) FROM manifest_layer ml
INNER JOIN manifest m
ON m.id=ml.manifest_id
WHERE m.hash='<HASH>'
Returns 2 layers as expected, however, no packages are loaded from the second layer (that contains the openssh-client as the following only returns 1:
SELECT COUNT(DISTINCT psa.layer_id) FROM package p
INNER JOIN package_scanartifact psa
ON psa.package_id=p.id
INNER JOIN manifest_layer ml
ON ml.layer_id=psa.layer_id
INNER JOIN manifest m
ON m.id=ml.manifest_id
WHERE m.hash='<HASH>'
When looking at the logs I see a debug message come out saying:
didn't find an os-release or lsb release file
So I wonder if it is not scanning the extra layer because it does not have the base OS files, although I have not taken this investigation further.
Problem 2: Binary packages are not matched to source vulnerabilities
Problem description
To continue my investigation I then squashed the image into a single layer with this Dockerfile:
FROM debian:stretch-slim as base
RUN echo 'deb http://snapshot.debian.org/archive/debian/20170625T040030Z stretch-proposed-updates main' >> /etc/apt/sources.list && \
apt-get -o Acquire::Check-Valid-Until=false update && \
apt-get install openssh-client=1:7.4p1-10+deb9u1 -y
FROM scratch
COPY --from=base / /
Expected Outcome
I expect to see the openssh-client listed in the list of installed packages and it to be vulnerable.
Actual Outcome
openssh-client now appeared in the list of installed packages but it was not vulnerable. The vulnerability report now contains the fact that the package is installed:
"172": {
"id": "172",
"name": "openssh-client",
"version": "1:7.4p1-10+deb9u1",
"kind": "binary",
"source": {
"id": "171",
"name": "openssh",
"version": "1:7.4p1-10+deb9u1",
"kind": "source",
"normalized_version": "",
"cpe": ""
},
"normalized_version": "",
"arch": "amd64",
"cpe": ""
}
Again I went to the database to try to figure out why this might not be vulnerable and see that the database only contains data about the binary vulnerabilities:
SELECT COUNT(id) FROM vuln
WHERE dist_id = 'debian' AND package_kind <> 'binary'
Returns 0. Looking at what it has loaded for CVE-2019-6111 I ran:
SELECT * FROM vuln
WHERE dist_id = 'debian' AND name = 'CVE-2019-6111'
Which returns two results, both with a package_name of openssh, i.e. the source package but the package_kind is binary in both cases. As I only have the openssh_client package installed and not the openssh package I think this is why it is not matching.
Environment
- Clair version/image: I ran:
$ git checkout v4.0.5
$ make local-dev-up-with-quay
- Clair client name/version: I accessed the API via curl
- Host OS: macos using docker
- Kernel (e.g.
uname -a): Darwin Kernel Version 20.4.0 - Kubernetes version (use
kubectl version): n/a - Network/Firewall setup: All on localhost
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Comments: 34 (8 by maintainers)
We recently merged this: https://github.com/quay/claircore/pull/550 into claircore. It builds the source->binary relationship when saving vulnerabilities and expands them so Debian vulnerabilities are now saved in the DB at binary level with their binary package names.
@crozzy @iainduncani Thanks for your support. I left Kharkiv two days ago, and now I am in Dnipro, where more calm situation.
Description of Problem
I tried recreating Problem 1 of the issue by creating and scanning images that add vulnerable packages with Clair V4 and it seems like the problem is still present.
Test 1: Adding a vulnerable version of curl to debian:10
There exists a vulnerability CVE-2021-22924 (https://security-tracker.debian.org/tracker/CVE-2021-22924) for curl:7.64.0-4+deb10u2 for debian buster. I have the following dockerfile that installs the package:
I have also confirmed that both layers are present in the manifest after scanning
Expected Outcome
I expected to see curl listed in the list of packages as well as CVE-2021-22924 (https://security-tracker.debian.org/tracker/CVE-2021-22924) be listed in the vulnerabilities returned by GetVulnerabilityReport
Actual Outcome
curl did not appear in the list of packages, neither did the CVE. I have tested and confirmed the CVE is reported for Clair V2.
Test 2: Adding a vulnerable package to ubuntu:18.04
There exists a vulnerability CVE-2021-38185 (https://ubuntu.com/security/CVE-2021-38185) for cpio versions through 2.13 for ubuntu 18.04. I have the following dockerfile that installs the package:
I have also confirmed that both layers are present in the manifest after scanning
Expected Outcome
I expected to see cpio listed in the list of packages as well as CVE-2021-38185 (https://ubuntu.com/security/CVE-2021-38185) be listed in the vulnerabilities returned by GetVulnerabilityReport
Actual Outcome
cpio did not appear in the list of packages, neither did the CVE. I have tested and confirmed the CVE is reported for Clair V2.
Environment