Comments (4)
faust64
commented on August 17, 2024
My bad, ... I know klar not to work with docker-registry. They're missing headers -- https://github.com/optiopay/klar/blob/master/docker/docker.go#L380
And I couldn't patch, as I'm not even able to build the original binary -- optiopay/klar#174
Nevermind.
from kubeclarity.
FrimIdan
commented on August 17, 2024
It's an OCI images support that is missing as I understand it.
We have our own klar repo (https://github.com/Portshift/klar), you can try to patch it but I think it will not be trivial path.
from kubeclarity.
faust64
commented on August 17, 2024
Right, I kinda remember trying to patch it already,
Used to work just bumping golang version at first optiopay/klar#160
And then RedHat took over Quay repositories and started working on a new reversion, which pretty much broke every fork I know of. Leading me to switch to Trivy (https://github.com/aquasecurity/trivy), which is kind of like Quay. Though in addition to fetching OS vulnerability DBs, Trivy would also scans for application dependencies ( NPM/Python/Go/.... ).
They can produce json output as well, I kinda forgot about it, ...
Although checking your fork: indeed, it builds.
I might be able to fix those headers ... I'll give this a look, thanks!
from kubeclarity.
faust64
commented on August 17, 2024
Confirmed, your fork builds perfectly, and fixing it wasn't complicated:
kubectl logs -n ci -f scanner-entrypoint-7953e3bb-a02a-4c94-9816-23d1b7bc0dcd-z9frz
time="2021-07-06T14:54:46Z" level=info msg="Analysing 5 layers"
time="2021-07-06T14:54:46Z" level=info msg="Got results from Clair API"
time="2021-07-06T14:54:46Z" level=info msg="Found 0 vulnerabilities"
time="2021-07-06T14:54:46Z" level=info msg="response Status: 202 Accepted"
$ git diff
index 346b6fc..5fbf0cc 100644
--- a/docker/docker.go
+++ b/docker/docker.go
@@ -471,7 +471,7 @@ func parseImageResponse(resp *http.Response, image *Image) error {
}
image.Digest = imageV2.Config.Digest
image.schemaVersion = imageV2.SchemaVersion
- case "application/vnd.docker.distribution.manifest.v1+prettyjws":
+ case "application/vnd.docker.distribution.manifest.v1+prettyjws", "application/vnd.oci.image.manifest.v1+json":
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
return fmt.Errorf("failed to read response body: %v", err)
@@ -614,7 +614,7 @@ func (i *Image) pullReq() (*http.Response, error) {
}
// Prefer manifest schema v2
- req.Header.Set("Accept", "application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.v1+prettyjws, application/vnd.docker.distribution.manifest.list.v2+json")
+ req.Header.Set("Accept", "application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.v1+prettyjws, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json")
utils.DumpRequest(req)
resp, err := i.client.Do(req)
if err != nil {
I'll submit a PR. Thanks for following up!
from kubeclarity.
Related Issues (20)
- clone(openclarity#507): E2E tests should cover kubeclarity-cli analyze then kubeclarity-cli scan
- clone(openclarity#511): unable to use OciRegistry source error for runtime scanning
- clone(openclarity#515): Cant run scan on openshift - Job creation fail
- clone(openclarity#532): Which command name is correct? `kubeclarity` or `kubeclarity-cli`?
- clone(openclarity#545): New release (to get DB SSL mode)
- clone(openclarity#555): Consider removing or making the `helm.sh/hook: pre-install` annotations optional
- Exporting scan result, vulnerable, overview in PDF, Excel, CSV file HOT 6
- clone(openclarity#566): Add a method in the UI to allow or ignore vulnerabilities
- clone(openclarity#567): Make it easier for users to correlate an application to specific pod(s) in the cluster
- clone(openclarity#597): Some Jobs wonβt run on Openshift
- clone(openclarity#599): Helm install fails in PSS restricted clusters because of hardcoded securityContext values
- clone(openclarity#600): Redis - false flag
- clone(openclarity#601): Image pull secret name has more than 63 characters limit
- clone(openclarity#602): Scanner should use global pullsecret to authenticate with private registries
- Scanning Limitation with private registries HOT 2
- Add README note about KubeClarity future
- Fresh Install - Unable to parse image id HOT 2
- KubeClarity unable to start in VSphere Tanzu Kubernetes Cluster without additional securityContext (pss restricted)
- clone(openclarity#642): LDAP Integration
- Not working with kube-image-keeper mutating webhook HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kubeclarity.