Problems with Clair integration for scanning docker images
-
Hi,
We have Clair installed and it seems to be running fine so far. Initially we had some problems with reaching the sources that Clair needs (e.g. nist.gov, alpinelinux.org, ...), but it all works now. There are no more such errors in the Clair log. But I get the following messages in ProGet when running the VulnerabilityDownloader task:
Requested vulnerability information for 38 total package versions.
Sending last 38 coordinates as a final request...
Request returned 38 vulnerability records.
Clair returned error ProxyAuthenticationRequired for layer sha256:2db29710...
Clair returned error ProxyAuthenticationRequired for layer sha256:31a7f9b4d..
...
An image with log4j in it is not detected. Any idea?
Cheers
Karsten
-
I haven't seen that error before, but based on the text ("ProxyAuthenticationRequired for layer"), I think that Clair is trying to download an external layer?
Some container image manifests (especially Windows, but not entirely) will point to a URL outside of the registry. This is often done for licensing reasons. What this means is that Clair (or the Docker client) downloads the layers from a URL instead of ProGet.
I'm not familiar enough with container scanners (Clair) to know how they search for vulnerabilities; I believe it's done by looking at the packages installed on the system. Log4j is not a package installed on the system (I think), but a library used in some applications.
Cheers,
Steve
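
One way to check the external-layer hypothesis from the reply above is to inspect the image manifest for layers that carry a `urls` field or a foreign/nondistributable media type, and compare them with the digests in the scanner errors. This is an added example, not part of the original thread and not ProGet or Clair code; the manifest, digests and URL are constructed, and the function names are hypothetical.

```python
import json
from urllib.parse import urlparse

# Media-type markers for layers that may live outside the registry
# (Docker "foreign" layers and OCI "nondistributable" layers).
EXTERNAL_MARKERS = (".foreign.", ".nondistributable.")

# Constructed sample manifest (Docker image manifest v2, schema 2).
# Digests and the URL are made up for illustration.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "layers": [
        {"mediaType": "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip",
         "size": 1024,
         "digest": "sha256:" + "aa" * 32,
         "urls": ["https://layers.example.invalid/base/" + "aa" * 32]},
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 2048,
         "digest": "sha256:" + "bb" * 32},
    ],
})


def external_layers(manifest_json):
    """Return layers a scanner would have to fetch from outside the registry."""
    manifest = json.loads(manifest_json)
    found = []
    for layer in manifest.get("layers", []):
        urls = layer.get("urls") or []
        media_type = layer.get("mediaType", "")
        if urls or any(m in media_type for m in EXTERNAL_MARKERS):
            found.append({
                "digest": layer.get("digest", ""),
                "media_type": media_type,
                "hosts": sorted({urlparse(u).hostname or "" for u in urls}),
            })
    return found


def match_failed(failed_prefixes, manifest_json):
    """Map digest prefixes taken from scanner error lines to external layers."""
    ext = external_layers(manifest_json)
    return {p: [lyr for lyr in ext if lyr["digest"].startswith(p)]
            for p in failed_prefixes}


if __name__ == "__main__":
    for lyr in external_layers(SAMPLE_MANIFEST):
        print(lyr["digest"][:19], lyr["media_type"], lyr["hosts"])
```

If the failing digests match external layers, the hosts listed are the ones the scanner's outbound proxy would need to allow or authenticate for.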