I want to let you know about Clair, an open source tool that lets you scan containers and Docker images for potential security problems. It was developed initially at Coreos and is now around three years old with more than 80 contributors in total. I’ve been contributing to it recently and have been impressed by what it can do.
Here’s the need Clair serves: containers are so easy to build that people forget about the security issues that their containers might need to address. Obviously, that’s a problem, and it’s where Clair comes in.
While it isn’t a perfect solution, Clair can do a lot to help you keep your containers secure.
In particular, it:
- Ingests vulnerability metadata at regular intervals from a configured set of sources and stores the data in its database.
- Offers an API that you can use to index container images and then create and store a list of features present in the image.
- Offers an API through which clients can query a database for vulnerabilities found in a particular image, correlating vulnerabilities and features for each request and thereby avoiding the need to rescan images.
- Notifies alert systems that a change has occurred when updates are made to vulnerability metadata.
One of the features that I find most valuable is Clair’s ability to warn you of vulnerabilities. It lets you run a query on any individual container that not only checks the container for vulnerabilities but also notes the CVE number of the issue it finds as well as its severity. Clair then calls on the National Vulnerability Database to provide a description of the issue in the report (when the database has one). When there is a fix available, it also tells you what image version contains the fix so that you can easily update as needed.
Importantly, you are only seeing vulnerabilities reported by trusted sources, so you can be sure that you do need to attend to issues that are flagged.
Here is an example of a vulnerability reported by Clair:
“featurename”: “nghttp2”,
“featureversion”: “1.36.0-2”,
“vulnerability”: “CVE-2019-9511”,
“namespace”: “debian:10”,
“description”: “Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service.
The attacker requests a large amount of data from a specified resource over multiple streams.
They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.”,
“link”: “https://security-tracker.debian.org/tracker/CVE-2019-9511“,
“severity”: “High”,
“fixedby”: “1.36.0-2+deb10u1”
The attributes have the following meanings:
- featurename names the package that has the vulnerability.
- featureversion is the vulnerable version.
- namespace is the base image for which this vulnerability applies (in this example, it is Debian version 10).
- link is the url where you can read more about the issue.
- fixedby is the package version after which there are no more vulnerabilities.
If you are curious about how many potential vulnerabilities exist, here’s a chart I made listing the presence of high, medium, and low CVE vulnerabilities in four of today’s most popular container packages.
If these images have this many vulnerabilities, think how many your own containers might include! In fact, the likelihood of vulnerabilities in most containers is one reason for the creation of GitHub’s new Security Lab, of which VMware is a founding member. The Security Lab’s goal is to keep open source software secure and can be learned about in more detail here.
Importantly, Clair only reports vulnerabilities manifested by the specific base image that you are using. So, it won’t report issues that aren’t relevant to the kind of container you are using.
Clair has also built up a nice support infrastructure. A number of third party integrations, for example, let you run Clair in a variety of different ways, such as local or cloud-based scenarios. You can find these by looking at Clair’s GitHub documentation.
My particular contributions are based around helping integrate VMware’s Photon OS into Clair. Soon, anyone building containers with Photon OS can scan their containers with Clair and benefit from the insights into vulnerabilities that it offers.
Stay tuned to the Open Source Blog and follow us on Twitter (@vmwopensource) for information on all the latest open source projects coming out of VMware.