I've started using Clair to scan my images for vulnerabilities. I noticed though that the standard Docker Hub Python and Debian stretch images have many vulnerabilities in them according to Clair. On Docker Hub these images only mention vulnerabilities in zlib. Why is there such a difference?
Docker hub: https://hub.docker.com/r/library/python/tags/3.6-slim-stretch/
Clair (via clair-scanner):
$ clair-scanner --ip "$local_ip" python:3.6-slim-stretch
2018/02/09 09:50:09 [INFO] ▶ Start clair-scanner
2018/02/09 09:50:11 [INFO] ▶ Server listening on port 9279
2018/02/09 09:50:11 [INFO] ▶ Analyzing c7549efd5dc0e5ae0c658deb653375fd2314224e1add79f9e94517a3aaa3fd9d
2018/02/09 09:50:13 [INFO] ▶ Analyzing 526e7e1b9f95c059ce50995de300dac4b8b9351340ee6ea09f9dcf782fd5af34
2018/02/09 09:50:13 [INFO] ▶ Analyzing 6b5b41e64517319f9013f245d0f8afb5612bd30766e3e4c65a418f6120186089
2018/02/09 09:50:15 [INFO] ▶ Analyzing 066fe932e0cbb6207e05383d7063cbaafc115f75416b2364281166fa4fa2df7f
2018/02/09 09:50:15 [INFO] ▶ Analyzing 476923b051f9d157ea4903f1b1e5c694dcbb3edb91e4159918b125b350a0f349
2018/02/09 09:50:15 [WARN] ▶ Image [python:3.6-slim-stretch] contains 42 total vulnerabilities
2018/02/09 09:50:15 [ERRO] ▶ Image [python:3.6-slim-stretch] contains 42 unapproved vulnerabilities
clair-scanner found 42 vulnerabilities in the python:3.6-slim-stretch image. The same when using clairctl:
$ docker pull python:3.6-slim-stretch
3.6-slim-stretch: Pulling from library/python
Digest: sha256:5dc3fa18a0fab0326052a95bada5582c08d324bfc24ced84aeb7ae681b93d2e5
Status: Image is up to date for python:3.6-slim-stretch
$ clairctl push -l python:3.6-slim-stretch
python:3.6-slim-stretch has been pushed to Clair
$ clairctl analyze -l python:3.6-slim-stretch
Image: docker.io/python:3.6-slim-stretch
Unknown: 6
Negligible: 22
Low: 4
Medium: 7
High: 4
Critical: 0
Defcon1: 0
Yet, when trying to upgrade it, there are no packages:
$ docker run --rm -it python:3.6-slim-stretch bash
root@243dfeabc84b:/# apt-get update
...
root@243dfeabc84b:/# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
sensible-utils
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 10.8 kB of archives.
After this operation, 49.2 kB disk space will be freed.
Do you want to continue? [Y/n] n
So why is Clair finding so many false positives?
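One way to triage a report like this, as an added example that is not from the question or from the Clair/clair-scanner projects: split each finding by whether the Debian namespace records a fixed version, since only those can be removed by apt-get upgrade, and reproduce the per-severity totals that clairctl prints. It assumes the JSON report layout clair-scanner writes with --report (fields vulnerabilities[].featurename, featureversion, vulnerability, severity, fixedby) and uses constructed sample entries with placeholder CVE ids and package versions.

```python
import json
from collections import Counter

# Constructed sample in the shape of a clair-scanner JSON report.
# Field names are assumed from clair-scanner's report format; CVE ids and
# package versions are placeholders, not real findings for this image.
SAMPLE_REPORT = json.dumps({
    "image": "python:3.6-slim-stretch",
    "unapproved": ["CVE-XXXX-0001", "CVE-XXXX-0002", "CVE-XXXX-0003"],
    "vulnerabilities": [
        {"featurename": "zlib", "featureversion": "1.2.8-5",
         "vulnerability": "CVE-XXXX-0001", "namespace": "debian:9",
         "severity": "Medium", "fixedby": "1.2.8-5+deb9u1"},
        {"featurename": "glibc", "featureversion": "2.24-11",
         "vulnerability": "CVE-XXXX-0002", "namespace": "debian:9",
         "severity": "Negligible", "fixedby": ""},
        {"featurename": "openssl", "featureversion": "1.1.0f-3",
         "vulnerability": "CVE-XXXX-0003", "namespace": "debian:9",
         "severity": "High", "fixedby": ""},
    ],
})

def triage(report_json):
    """Split findings into those with a distro fix and those without.

    Returns (fixable, unfixed, severity_counts): `fixable` is a list of
    (package, current_version, fixed_version, cve), `unfixed` a list of
    (package, cve, severity), and `severity_counts` a Counter with the
    same per-severity totals clairctl prints.
    """
    report = json.loads(report_json)
    fixable, unfixed = [], []
    counts = Counter()
    for v in report["vulnerabilities"]:
        counts[v["severity"]] += 1
        if v.get("fixedby"):  # empty string means no fixed version is known
            fixable.append((v["featurename"], v["featureversion"],
                            v["fixedby"], v["vulnerability"]))
        else:
            unfixed.append((v["featurename"], v["vulnerability"], v["severity"]))
    return fixable, unfixed, counts

if __name__ == "__main__":
    fixable, unfixed, counts = triage(SAMPLE_REPORT)
    print("severity breakdown:", dict(counts))
    print("fix available (apt-get dist-upgrade can pick these up):")
    for pkg, cur, fixed, cve in fixable:
        print(f"  {pkg} {cur} -> {fixed}  ({cve})")
    print("no fixed version in the namespace (an upgrade cannot remove them):")
    for pkg, cve, sev in unfixed:
        print(f"  {pkg} {cve} [{sev}]")
```

Running it against a real report shows how many of the 42 findings actually have an upgradable package behind them, which is the number to compare against the apt-get output above.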