Clair

Clair is an open-source project for the static analysis of vulnerabilities in application containers (currently including appc and docker).

1. In regular intervals, Clair ingests vulnerability metadata from a configured set of sources and stores it in the database.
2. Clients use the Clair API to index their container images; this creates a list of features present in the image and stores them in the database.
3. Clients use the Clair API to query the database for vulnerabilities of a particular image; correlating vulnerabilities and features is done for each request, avoiding the need to rescan images.
4. When updates to vulnerability metadata occur, a notification can be sent to alert systems that a change has occurred.

Our goal is to enable a more transparent view of the security of the container-based infrastructure. Thus, the project was named Clair after the French term which translates to clear, bright, transparent.

Terminology

Container

• Container – the execution of an image
• Image – a set of tarballs that contain the filesystem contents and run-time metadata of a container
• Layer – one of the tarballs used in the composition of an image, often expressed as a filesystem delta from another layer

Specific to Clair

• Ancestry – the Clair-internal representation of an Image
• Feature – anything that when present in a filesystem could be an indication of a vulnerability (e.g. the presence of a file or an installed software package)
• Feature Namespace (featurens) – a context around features and vulnerabilities (e.g. an operating system or a programming language)
• Vulnerability Source (vulnsrc) – the component of Clair that tracks upstream vulnerability data and imports them into Clair’s database
• Vulnerability Metadata Source (vulnmdsrc) – the component of Clair that tracks upstream vulnerability metadata and associates them with vulnerabilities in Clair’s database

Changelog v4.6

All

• 577a55d4: use httputil to construct requests

Auto

• 1f1010fe: add automatic memory limit discovery

Build(Deps)

• ef896eb6: bump actions/stale from 6 to 7
• 5a212ffe: bump peter-evans/create-pull-request from 4.1.4 to 4.2.3
• b883bc2b: bump gsactions/commit-message-checker from 1 to 2

Chore

• 5fd26563: v4.6.0 changelog bump
• 33f4fcbd: Bump claircore to v1.4.17
• 54d44908: Bump Claircore to v1.4.16
• 430e6087: Bump Claircore to v1.4.15
• 652d8ce6: Bump Claircore to v1.4.14
• 9f6828cd: Update to Go 1.18 for local-dev
• 1c002bcd: added ppc64le support
• 4b37dcdf: Bump Claircore to v1.4.13
• 9b273420: Bump claircore to v1.4.12

Cicd

• 1dfb42a0: use extracted git archive
• aff17a4a: update usage of set-output
• a8a97f80: update cache action
• 7de63a9c: add tests for odd architectures
• e923360c: omit Dockerfile build args
• 14b8f690: enable go1.19
• 5a8128c1: inject version into built clairctl binaries
• #1649### Clairctl
• a367a7ae: use a better user-agent
• 3b9ff6de: update with new signer

Client

• ddea858f: Add the passed host to the signer
• adbaa567: use signer
• d8ad1ba4: update for httputil changes

Cmd

• 8b899803: use git-archive for version information

Documentation

• 9d1a7aab: fix typo in link

Httptransport

• 25ac033f: use new signer scheme in test
• a9228d40: add a request_id to logs
• #1547### Httputil
• e746ff05: rework request signing and request restriction

Service

• e08f3972: add signer option

Webhook

• d99f7005: add explicit signer argument

Install && Use

Copyright (C) 2015 coreos