Vulnerability Scanning of Docker Images on OpenPower Systems

With the increasing use of containers in enterprises, there is an increased focus on container security. One aspect of container security is ensuring that an image does not contain known vulnerabilities. This is where vulnerability scanners come into the picture. Vulnerability scanning of docker container images is an important part of the overall container workflow.

The following NewStack article provides an excellent summary of the available options and is a must-read.

This article deals with the setup and configuration of the Clair vulnerability scanner on OpenPower servers. Note that vulnerability scanners are not really architecture-specific: they check for known CVEs by correlating the contents of container images with a stored database of vulnerability data. The vulnerability data is imported from sources like:

The setup instructions in this article are specific to RedHat Linux (RHEL LE); however, the same instructions should apply to Ubuntu or other distributions with minor changes related to the installation and configuration of dependent packages.
Additionally, if you are looking for a hosted solution on Power, check out this article describing usage of the Bluemix Vulnerability Advisor.
Pre-requisites

  • Clair requires a PostgreSQL server. This is part of the distribution package repository.
  • The Go toolchain is required to build the Clair binary.

Go for RHEL on OpenPower servers is available as part of the Advance Toolchain. The following is the direct download link for golang-1.7: ftp://ftp.unicamp.br/pub/linuxpatch/toolchain/at/redhat/RHEL7/at10.0/advance-toolchain-golang-at-10.0-1.ppc64le.rpm

Ubuntu already includes the Go toolchain in its distribution package repository. Alternatively, you can download the ppc64le/golang docker image from DockerHub.

Build and Install Clair and related Tools
Assuming the ‘go’ binary is in $PATH, the following commands build Clair and the related tools:

# mkdir ~/gopath
# export GOPATH=~/gopath
# export PATH=$PATH:$GOPATH/bin
# go get github.com/coreos/clair
# go install github.com/coreos/clair/cmd/clair
# go get -u github.com/coreos/clair/contrib/analyze-local-images

The analyze-local-images program scans locally stored images by calling the Clair APIs.

Running Clair

Clair needs a configuration file. A sample configuration file is provided with the source. At a minimum, the ‘source’ option under database needs to be updated to point to the PostgreSQL server. The following is an example from my setup:

clair:
  database:
    # Database driver
    type: pgsql
    options:
      # PostgreSQL Connection string
      # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
      source: postgresql://postgres:passw0rd@localhost/postgres?sslmode=disable

      # Number of elements kept in the cache
      # Values unlikely to change (e.g. namespaces) are cached in order to prevent needless roundtrips to the database.
      cachesize: 16384
[snip]

Start clair by executing the following command:

# clair -config=<path-to-config.yaml>

Once the clair daemon starts, it begins downloading and importing the vulnerability data. Once this process has completed, let’s make some API calls to the clair daemon and check the output to verify that it is working.

The following command shows the operating systems (Clair calls them namespaces) for which vulnerability lists are available.
If you are using a docker image based on an operating system for which no vulnerability list is available, then scanning is useless for that docker image: Clair can only report what is in its database.

# curl http://localhost:6060/v1/namespaces | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   370  100   370    0     0   222k      0 --:--:-- --:--:-- --:--:--  361k
{
  "Namespaces": [
    {
      "Name": "debian:7"
    },
    {
      "Name": "debian:unstable"
    },
    {
      "Name": "debian:8"
    },
    {
      "Name": "debian:9"
    },
    {
      "Name": "sle:12"
    },
    {
      "Name": "sle:12.1"
    },
    {
      "Name": "sle:12.2"
    },
    {
      "Name": "opensuse:13.2"
    },
    {
      "Name": "opensuse:42.1"
    },
    {
      "Name": "opensuse:13.1"
    },
    {
      "Name": "opensuse:42.2"
    },
    {
      "Name": "centos:7"
    },
    {
      "Name": "centos:5"
    },
    {
      "Name": "centos:6"
    },
    {
      "Name": "ubuntu:16.04"
    },
    {
      "Name": "ubuntu:12.04"
    }
  ]
}
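A check for the caveat above, added here as an example and not part of the original article: it maps an image's /etc/os-release ID and VERSION_ID onto Clair's namespace naming and verifies that the namespace is among those returned by /v1/namespaces. The sample response is constructed from the output shown above, and the ID-to-prefix mapping is an assumption derived from those namespace names rather than taken from Clair's source; fetch_namespaces() is included for use against a live daemon.

```python
import json
import urllib.request

# Constructed from the /v1/namespaces response shown above (trimmed to a few entries).
SAMPLE_NAMESPACES = json.loads("""
{"Namespaces": [{"Name": "debian:7"}, {"Name": "debian:8"}, {"Name": "debian:9"},
                {"Name": "centos:7"}, {"Name": "ubuntu:16.04"}, {"Name": "ubuntu:12.04"},
                {"Name": "sle:12.1"}, {"Name": "opensuse:42.1"}]}
""")

# Assumed mapping from /etc/os-release ID to the distribution prefix Clair uses in
# its namespace names; inferred from the namespace list above, not from Clair's code.
OS_RELEASE_ID_TO_PREFIX = {"debian": "debian", "ubuntu": "ubuntu", "centos": "centos",
                           "opensuse": "opensuse", "sles": "sle"}


def parse_os_release(text):
    """Parse the KEY=value lines of /etc/os-release into a dict (quotes stripped)."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key] = value.strip().strip('"').strip("'")
    return fields


def clair_namespace(os_release):
    """Return the Clair namespace (e.g. 'debian:8') for a parsed os-release, or None."""
    prefix = OS_RELEASE_ID_TO_PREFIX.get(os_release.get("ID", "").lower())
    version = os_release.get("VERSION_ID")
    if prefix is None or not version:
        return None
    return "%s:%s" % (prefix, version)


def fetch_namespaces(base_url="http://localhost:6060"):
    """Query a running Clair daemon for the namespaces it holds vulnerability data for."""
    with urllib.request.urlopen(base_url + "/v1/namespaces") as resp:
        return json.load(resp)


def is_scan_meaningful(os_release_text, namespaces_response):
    """True only if Clair holds vulnerability data for the image's base OS."""
    known = {ns["Name"] for ns in namespaces_response.get("Namespaces", [])}
    namespace = clair_namespace(parse_os_release(os_release_text))
    return namespace is not None and namespace in known
```

The os-release text can be obtained from an image with `docker run --rm <image> cat /etc/os-release` and fed to is_scan_meaningful() together with the live response from fetch_namespaces().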

The following shows the list of vulnerabilities for debian:8 (limited to two entries by the limit=2 parameter; the NextPage token in the response is used to request the next page):

# curl http://localhost:6060/v1/namespaces/debian%3A8/vulnerabilities?limit=2 | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1276  100  1276    0     0   174k      0 --:--:-- --:--:-- --:--:--  207k
{
  "Vulnerabilities": [
    {
      "Name": "CVE-2016-0756",
      "NamespaceName": "debian:8",
      "Description": "The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix.",
      "Link": "https://security-tracker.debian.org/tracker/CVE-2016-0756",
      "Severity": "Medium",
      "Metadata": {
        "NVD": {
          "CVSSv2": {
            "Score": 5,
            "Vectors": "AV:N/AC:L/Au:N/C:N/I:P"
          }
        }
      }
    },
    {
      "Name": "CVE-2012-0885",
      "NamespaceName": "debian:8",
      "Description": "chan_sip.c in Asterisk Open Source 1.8.x before 1.8.8.2 and 10.x before 10.0.1, when the res_srtp module is used and media support is improperly configured, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted SDP message with a crypto attribute and a (1) video or (2) text media type, as demonstrated by CSipSimple.",
      "Link": "https://security-tracker.debian.org/tracker/CVE-2012-0885",
      "Severity": "Medium",
      "Metadata": {
        "NVD": {
          "CVSSv2": {
            "Score": 4.3,
            "Vectors": "AV:N/AC:M/Au:N/C:N/I:N"
          }
        }
      }
    }
  ],
  "NextPage": "gAAAAABYNnBwJKIStOuJOBkHlIFzTp89ba2_dDcMvNS-cjNhdzPy1ri9GZKNHNO5wsBp_CIjrVLEebkY_Us8Tef49olWy6nLjQ=="
}

Scan Docker Images
Let’s see some examples of scanning docker images using the analyze-local-images program. The analyze-local-images program makes use of the Clair APIs for vulnerability scanning of locally stored docker images.

# docker images
ppc64le/debian      jessie              cfc916508345        2 weeks ago         127.6 MB
ppc64le/debian      latest              cfc916508345        2 weeks ago         127.6 MB

Scanning the debian image displays the following report:

# analyze-local-images cfc916508345

2016-11-23 23:28:57.568615 I | Saving cfc916508345 to local disk (this may take some time)
2016-11-23 23:29:07.023871 I | Retrieving image history
2016-11-23 23:29:07.024066 I | Analyzing 1 layers...
2016-11-23 23:29:07.024075 I | Analyzing 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
2016-11-23 23:29:07.137814 I | Retrieving image's vulnerabilities
Clair report for image cfc916508345 (2016-11-24 05:29:07.150283539 +0000 UTC)
CVE-2014-9761 (High)
	Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6)
	before 2.23 allow context-dependent attackers to cause a denial of service
	(application crash) or possibly execute arbitrary code via a long argument to
	the (1) nan, (2) nanf, or (3) nanl function.

	Package:       glibc @ 2.19-18+deb8u6
	Link:          https://security-tracker.debian.org/tracker/CVE-2014-9761
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2015-5276 (Medium)
	The std::random_device class in libstdc++ in the GNU Compiler Collection (aka
	GCC) before 4.9.4 does not properly handle short reads from blocking sources,
	which makes it easier for context-dependent attackers to predict the random
	values via unspecified vectors.

	Package:       gcc-4.9 @ 4.9.2-10
	Link:          https://security-tracker.debian.org/tracker/CVE-2015-5276
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-7796 (Medium)
	The manager_dispatch_notify_fd function in systemd allows local users to cause a
	denial of service (system hang) via a zero-length message received over a notify
	socket, which causes an error to be returned and the notification handler to be
	disabled.

	Package:       systemd @ 215-17+deb8u5
	Link:          https://security-tracker.debian.org/tracker/CVE-2016-7796
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-3189 (Low)
	Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote
	attackers to cause a denial of service (crash) via a crafted bzip2 file, related
	to block ends set to before the start of the block.

	Package:       bzip2 @ 1.0.6-7
	Link:          https://security-tracker.debian.org/tracker/CVE-2016-3189
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2015-5180 (Low)
	Package:       glibc @ 2.19-18+deb8u6
	Link:          https://security-tracker.debian.org/tracker/CVE-2015-5180
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2005-2541 (Negligible)
	Tar 1.15.1 does not properly warn the user when extracting setuid or setgid
	files, which may allow local users or remote attackers to gain privileges.

	Package:       tar @ 1.27.1-2+deb8u1
	Link:          https://security-tracker.debian.org/tracker/CVE-2005-2541
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2015-5218 (Negligible)
	Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27
	allows local users to cause a denial of service (crash) via a crafted file,
	related to the page global variable.

	Package:       util-linux @ 2.25.2-6
	Link:          https://security-tracker.debian.org/tracker/CVE-2015-5218
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2015-5224 (Negligible)
	Package:       util-linux @ 2.25.2-6
	Link:          https://security-tracker.debian.org/tracker/CVE-2015-5224
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-2779 (Negligible)
	Package:       util-linux @ 2.25.2-6
	Link:          https://security-tracker.debian.org/tracker/CVE-2016-2779
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-6251 (Negligible)
	Package:       shadow @ 1:4.2-3+deb8u1
	Link:          https://security-tracker.debian.org/tracker/CVE-2016-6251
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2010-4756 (Negligible)
	The glob implementation in the GNU C Library (aka glibc or libc6) allows remote
	authenticated users to cause a denial of service (CPU and memory consumption)
	via crafted glob expressions that do not match any pathnames, as demonstrated
	by glob expressions in STAT commands to an FTP daemon, a different vulnerability
	than CVE-2010-2632.

	Package:       glibc @ 2.19-18+deb8u6
	Link:          https://security-tracker.debian.org/tracker/CVE-2010-4756
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2015-5186 (Negligible)
	Package:       audit @ 1:2.4-1
	Link:          https://security-tracker.debian.org/tracker/CVE-2015-5186
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2013-4392 (Negligible)
	systemd, when updating file permissions, allows local users to change the
	permissions and SELinux security contexts for arbitrary files via a symlink
	attack on unspecified files.

	Package:       systemd @ 215-17+deb8u5
	Link:          https://security-tracker.debian.org/tracker/CVE-2013-4392
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2007-5686 (Negligible)
	initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp
	file, which allows local users to obtain sensitive information regarding
	authentication attempts.  NOTE: because sshd detects the insecure permissions
	and does not log certain events, this also prevents sshd from logging failed
	authentication attempts by remote attackers.

	Package:       shadow @ 1:4.2-3+deb8u1
	Link:          https://security-tracker.debian.org/tracker/CVE-2007-5686
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2013-4235 (Negligible)
	Package:       shadow @ 1:4.2-3+deb8u1
	Link:          https://security-tracker.debian.org/tracker/CVE-2013-4235
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-6252 (Negligible)
	Package:       shadow @ 1:4.2-3+deb8u1
	Link:          https://security-tracker.debian.org/tracker/CVE-2016-6252
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2010-4052 (Negligible)
	Stack consumption vulnerability in the regcomp implementation in the GNU C
	Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows
	context-dependent attackers to cause a denial of service (resource exhaustion)
	via a regular expression containing adjacent repetition operators, as
	demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for
	ProFTPD.

	Package:       glibc @ 2.19-18+deb8u6
	Link:          https://security-tracker.debian.org/tracker/CVE-2010-4052
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-4484 (Negligible)
	Package:       cryptsetup @ 2:1.6.6-5
	Link:          https://security-tracker.debian.org/tracker/CVE-2016-4484
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2011-4116 (Negligible)
	Package:       perl @ 5.20.2-3+deb8u6
	Link:          https://security-tracker.debian.org/tracker/CVE-2011-4116
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2011-3374 (Negligible)
	Package:       apt @ 1.0.9.8.3
	Link:          https://security-tracker.debian.org/tracker/CVE-2011-3374
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2010-4051 (Negligible)
	The regcomp implementation in the GNU C Library (aka glibc or libc6) through
	2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause
	a denial of service (application crash) via a regular expression containing
	adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation,
	as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c
	exploit for ProFTPD, related to a "RE_DUP_MAX overflow."

	Package:       glibc @ 2.19-18+deb8u6
	Link:          https://security-tracker.debian.org/tracker/CVE-2010-4051
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2012-3878 (Negligible)
	Package:       perl @ 5.20.2-3+deb8u6
	Link:          https://security-tracker.debian.org/tracker/CVE-2012-3878
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-0634 (Negligible)
	Package:       bash @ 4.3-11
	Link:          https://security-tracker.debian.org/tracker/CVE-2016-0634
	Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
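To act on a report like the one above in a build pipeline, it helps to parse it into structured findings and gate on severity. The following is an added example, not a tool from the article or the Clair project: it parses the analyze-local-images text format shown above (a "CVE-... (Severity)" header followed by tab-indented Package/Link/Layer fields) and returns the findings at or above a chosen threshold. The sample report is a constructed excerpt of the output above; the severity scale is the one Clair's API uses.

```python
import re
from collections import Counter

# Constructed excerpt of the analyze-local-images report shown above.
SAMPLE_REPORT = """\
Clair report for image cfc916508345 (2016-11-24 05:29:07.150283539 +0000 UTC)
CVE-2014-9761 (High)
\tMultiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6)

\tPackage:       glibc @ 2.19-18+deb8u6
\tLink:          https://security-tracker.debian.org/tracker/CVE-2014-9761
\tLayer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2015-5276 (Medium)
\tPackage:       gcc-4.9 @ 4.9.2-10
\tLink:          https://security-tracker.debian.org/tracker/CVE-2015-5276
\tLayer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-0634 (Negligible)
\tPackage:       bash @ 4.3-11
\tLink:          https://security-tracker.debian.org/tracker/CVE-2016-0634
\tLayer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
"""

# Clair's severity scale, least to most severe.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]
HEADER_RE = re.compile(r"^(CVE-\d{4}-\d+) \((\w+)\)$")
FIELD_RE = re.compile(r"^\t(Package|Link|Layer):\s+(.*)$")


def parse_report(text):
    """Turn the report into a list of dicts: name, severity, package, link, layer."""
    findings, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"name": m.group(1), "severity": m.group(2)}
            findings.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).strip()
    return findings


def severity_counts(findings):
    """Count findings per severity, e.g. {'High': 1, 'Medium': 1, 'Negligible': 1}."""
    return Counter(f["severity"] for f in findings)


def gate(findings, threshold="High"):
    """Return findings at or above threshold; an empty list means the image passes."""
    limit = SEVERITY_ORDER.index(threshold)
    return [f for f in findings if f["severity"] in SEVERITY_ORDER
            and SEVERITY_ORDER.index(f["severity"]) >= limit]
```

Piping `analyze-local-images <image-id>` output into parse_report() and failing the build when gate() returns a non-empty list turns the report into a pass/fail check.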

Installing and running the Clair vulnerability scanner is very straightforward. I hope this helps you get started with vulnerability scanning of docker images.

Pradipta Kumar Banerjee

I'm a Cloud and Linux/ OpenSource enthusiast, with 16 years of industry experience at IBM. You can find more details about me here - Linkedin
