Add package.json for custom packages about clair HOT 14 CLOSED

• JSON is quite practical because it can be parsed with go's standard lib. However, I think that using yaml instead would be better because it is way easier to write by hand - and users will definitely write it by hand.
• How do we want to define whitelisted packages? I think that specifying package names is enough and that the version should not appear.
• Where should the file be stored (path) ?

What about something like that:

version: 1
os: 
  name: debian
  version: 8
packages:
  installed:
    - name: nginx
      version: 1.9
    - name: redis
      version: 3.0
  whitelisted:
    - openssl
    - pam.d

In a near future (w/ npm support, etc), os will probably become namespace and could be optionally defined per package.

from clair.

We might want to allow additional metadata on the whitelisted packages, such as a comment why, and maybe an optional version/date (so that we can reshow vulns for newer versions if necessary)

from clair.

@josephschorr Right. Comments can simply be added with the pound sign in yaml. Optional version is actually a good idea.

version: 1
os: 
  name: debian
  version: 8
packages:
  installed:
    - name: nginx
      version: 1.9
    - name: redis
      version: 3.0
  whitelisted:
    - name: openssl
    - name: pam.d
      version: 3.1b

from clair.

Well, if we have the comment in the actual yaml, then we can display it in the UI, showing why a package is disabled for checking

from clair.

Alright. I'd like to implement that asap, but probably without the Clair-side whitelist initially because it requires to modify Clair's graph schema (and walk over more nodes - therefore probably a bit slower) and I don't want to do this at the moment. Priority is performances over features for now.

from clair.

-->> Allow users to add a package.json file (or some other filename) in the root directory ....
Who are the users here, the image author? If not, a user need to pull/save/untar/add-package.json/tar and then POST to Clair to scan, right? How about add a new parameter to the POSTLayersParameters?

from clair.

That can be a good idea as well, sure! Why not.

from clair.

It seems super easy to implement the 'npm' support, 'package.json' in nodejs suit for Clair very well. I've added my implementation to the wiki page. https://github.com/liangchenye/clair/blob/pkg/worker/detectors/packages/npm.go.

And the python support would done in the similar way.

from clair.

Right, that sounds good. We should have separate issues for these package managers thought. This issue is for another feature.

However, nodejs and python vulnerabilities are not operating-system dependent. Currently, this would require to create a vulnerability for each operating system for these packages, which doesn't make sense. #54 (the task I am currently working hard on) will however make it possible. It will be possible to mark the packages detected by npm part of the nodejs namespace (for instance), regardless of the operating system of the image (which will represent the default namespace, used in detectors that don't provide namespaces). Vulnerability will be namespaced as well, thus allowing us to define vulnerabilities for NodeJS globally.

from clair.

I wouldn't call it package.json because that's the default for NPM. In my opinion it should have a different name to avoid conflicts with NPM.

from clair.

Absolutely. Note that Clair doesn't mention the term packages anymore since v1.0.0 as its capabilities could be extended to virtually anything.

from clair.

clair.json?

from clair.

Is this feature in? Can I specify the pkgs in a json/yaml file and figure out what clair thinks about it?

from clair.

We’re declaring bug bankruptcy as part of the release process for a new major version of Clair. Please open a ticket in our issue tracker if you feel this still needs to be addressed, and we'll triage as part of our v4 development process. Thanks!

from clair.