Comments (14)
- JSON is quite practical because it can be parsed with go's standard lib. However, I think that using yaml instead would be better because it is way easier to write by hand - and users will definitely write it by hand.
- How do we want to define whitelisted packages? I think that specifying package names is enough and that the version should not appear.
- Where should the file be stored (path) ?
What about something like that:
version: 1
os:
name: debian
version: 8
packages:
installed:
- name: nginx
version: 1.9
- name: redis
version: 3.0
whitelisted:
- openssl
- pam.d
In a near future (w/ npm support, etc), os
will probably become namespace
and could be optionally defined per package.
from clair.
We might want to allow additional metadata on the whitelisted packages, such as a comment why, and maybe an optional version/date (so that we can reshow vulns for newer versions if necessary)
from clair.
@josephschorr Right. Comments can simply be added with the pound sign in yaml. Optional version is actually a good idea.
version: 1
os:
name: debian
version: 8
packages:
installed:
- name: nginx
version: 1.9
- name: redis
version: 3.0
whitelisted:
- name: openssl
- name: pam.d
version: 3.1b
from clair.
Well, if we have the comment in the actual yaml, then we can display it in the UI, showing why a package is disabled for checking
from clair.
Alright. I'd like to implement that asap, but probably without the Clair-side whitelist initially because it requires to modify Clair's graph schema (and walk over more nodes - therefore probably a bit slower) and I don't want to do this at the moment. Priority is performances over features for now.
from clair.
-->> Allow users to add a package.json file (or some other filename) in the root directory ....
Who are the users here, the image author? If not, a user need to pull/save/untar/add-package.json/tar and then POST to Clair to scan, right? How about add a new parameter to the POSTLayersParameters?
from clair.
That can be a good idea as well, sure! Why not.
from clair.
It seems super easy to implement the 'npm' support, 'package.json' in nodejs suit for Clair very well. I've added my implementation to the wiki page. https://github.com/liangchenye/clair/blob/pkg/worker/detectors/packages/npm.go.
And the python support would done in the similar way.
from clair.
Right, that sounds good. We should have separate issues for these package managers thought. This issue is for another feature.
However, nodejs and python vulnerabilities are not operating-system dependent. Currently, this would require to create a vulnerability for each operating system for these packages, which doesn't make sense. #54 (the task I am currently working hard on) will however make it possible. It will be possible to mark the packages detected by npm
part of the nodejs
namespace (for instance), regardless of the operating system of the image (which will represent the default namespace, used in detectors that don't provide namespaces). Vulnerability will be namespaced as well, thus allowing us to define vulnerabilities for NodeJS globally.
from clair.
I wouldn't call it package.json
because that's the default for NPM. In my opinion it should have a different name to avoid conflicts with NPM.
from clair.
Absolutely. Note that Clair doesn't mention the term packages
anymore since v1.0.0 as its capabilities could be extended to virtually anything.
from clair.
clair.json
?
from clair.
Is this feature in? Can I specify the pkgs in a json/yaml file and figure out what clair thinks about it?
from clair.
Weβre declaring bug bankruptcy as part of the release process for a new major version of Clair. Please open a ticket in our issue tracker if you feel this still needs to be addressed, and we'll triage as part of our v4 development process. Thanks!
from clair.
Related Issues (20)
- clairctl release version is β???β HOT 2
- clairctl import-updaters error when vulnerabilities gz file is about 200MB HOT 6
- Ports not correctly handled when configuring indexer.airgap
- Documented updated.filters feature is not implemented HOT 1
- failed to scan all layer contents: rhel: unable to create a mappingFile object HOT 3
- vulnerabilities not matched for `node:12.22-buster` image
- Problems trying to integrate the clair notifier
- Running Clair locally is DOA HOT 2
- clair-matcher warning unable to parse python vulnerability range HOT 4
- docs: `--host` incorrectly documented as main command flag HOT 3
- Not finding any CVEs despite Trivy and Grype finding many HOT 9
- docs: cmd: document dropins scheme
- notifier: migrate to `amqp091` HOT 1
- docs: Add grafana and pyroscope to the testing.md docs HOT 1
- Verifying the Clair Installation HOT 3
- CVE-2023-38408 is not found on any images that other scanners show have it HOT 2
- CVE-2020-7712 is for node json package but clair false positives by flagging ruby json package as vulnerable HOT 1
- Clair Vulnerability Databases/Sources HOT 2
- config: lint for `jaeger` protocol & support for OTLP export HOT 1
- clairctl: export-updaters OOM issues HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from clair.