
Clair: VulnerabilitySource



  • I tried to follow https://docs.inedo.com/docs/proget-compliance-clair, but it gives an issue with the database connection string when running the Clair Docker container.

    I changed the steps as follows:

    mkdir $PWD/clair_config
    

    This will fix no database connection https://github.com/quay/clair/issues/317:

    # Pinned v2-era sample config (the v4 sample has a different structure)
    curl -L https://raw.githubusercontent.com/coreos/clair/2c5f1d30346cccb4f68c2e02f9337c7786025bb6/config.example.yaml -o $PWD/clair_config/config

    # Postgres with trust auth, which is what the sample config connects to
    sudo docker run -d -e POSTGRES_PASSWORD="" -p 5432:5432 -e POSTGRES_HOST_AUTH_METHOD=trust postgres:9.6

    # Clair v2 using that config (proxy values elided by the poster)
    sudo docker run -e HTTP_PROXY=*** -e HTTPS_PROXY=*** --net=host -d -p 6060-6061:6060-6061 -v $PWD/clair_config:/config quay.io/coreos/clair:v2.1.2 -config=/config/config

    When I run VulnerabilityDownloader, I get the following error:

    Fetching updates for Clair_Index_Docker...
    Persisted object is not a VulnerabilitySource.
    

  • inedo-engineer

    Hi @hashim-abu-gellban_3562,

    Can you please tell me which version of ProGet you are running? Are you able to edit your vulnerability source in ProGet?

    Thanks,
    Rich



  • Hi Rich,

    ProGet version is 2022.24 (Build 5). The issue is with the steps to install Clair. Can you let me know which Clair version is compatible with this ProGet version? If you have had a chance to install Clair, let me know the steps. It seems the documentation (https://docs.inedo.com/docs/proget-compliance-clair) is not enough.

    Thank you,
    Hashim


  • inedo-engineer

    Hi @hashim-abu-gellban_3562 ,

    Currently ProGet works with Clair v2. Unfortunately, Clair v4 (there is no v3 by the way) is basically a "different product" and the API is completely different. The vulnerabilities that are scanned/reported are the same, it's really just the back-end. We are exploring updating to v4 (a major change) or just creating our own container scanner for PGVC; both are major undertakings.

    That being said, it sounds to me like Clair v2 is currently running okay.

    What's really thrown us off is the error message that you're getting...

    Fetching updates for Clair_Index_Docker...
    Persisted object is not a VulnerabilitySource.
    

    That's an internal error to ProGet, and basically ProGet is failing to even try to query Clair. This must be a new regression (there are some new preview features for vulnerabilities), but we just can't figure out how you are getting that particular error message.

    Essentially, it means the configuration in the ProGet database is incorrect; the Configuration_Xml column from `select * from VulnerabilitySources` should look something like this:

    <Inedo.Extension.Clair.VulnerabilitySources.ClairVulnerabilitySource Assembly="Clair">
      <Properties ApiUrl="http://localhost:6060/" AuthenticationHeader="MySecretKey" />
    </Inedo.Extension.Clair.VulnerabilitySources.ClairVulnerabilitySource>
    

    Any insight or more information would be really helpful - especially if you can query the ProGet database to see what's in the table.

    This is why Rich asked if you can "edit" the Vulnerability Source in the ProGet UI, because that should give the exact same error if the config is invalid.

    Thanks
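An added check (not part of this thread or of ProGet) for the diagnosis Alana describes: it takes a Configuration_Xml value pulled from the VulnerabilitySources table and reports whether it has the Clair source shape quoted above; the "bad" sample row is constructed here to show what a mismatched row looks like.

```python
import xml.etree.ElementTree as ET

# Shape of a valid Clair vulnerability-source row, as quoted in the thread.
EXPECTED_ROOT = "Inedo.Extension.Clair.VulnerabilitySources.ClairVulnerabilitySource"
EXPECTED_ASSEMBLY = "Clair"

# Constructed samples: GOOD_XML mirrors the thread, BAD_XML is a made-up
# row with a root element that is not a Clair VulnerabilitySource.
GOOD_XML = (
    '<Inedo.Extension.Clair.VulnerabilitySources.ClairVulnerabilitySource Assembly="Clair">'
    '<Properties ApiUrl="http://localhost:6060/" AuthenticationHeader="MySecretKey" />'
    "</Inedo.Extension.Clair.VulnerabilitySources.ClairVulnerabilitySource>"
)
BAD_XML = '<SomeOtherType Assembly="Clair"><Properties ApiUrl="localhost:6060" /></SomeOtherType>'


def check_configuration_xml(xml_text: str) -> list[str]:
    """Return the problems found in one Configuration_Xml value (empty list = looks right)."""
    problems: list[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if root.tag != EXPECTED_ROOT:
        problems.append(f"root element is {root.tag!r}, expected {EXPECTED_ROOT!r}")
    if root.get("Assembly") != EXPECTED_ASSEMBLY:
        problems.append(f"Assembly is {root.get('Assembly')!r}, expected {EXPECTED_ASSEMBLY!r}")

    props = root.find("Properties")
    if props is None:
        problems.append("missing <Properties> element")
    else:
        api_url = props.get("ApiUrl", "")
        if not api_url.startswith(("http://", "https://")):
            problems.append(f"ApiUrl {api_url!r} is not an http(s) URL")
    return problems


if __name__ == "__main__":
    for label, xml_text in (("good row", GOOD_XML), ("bad row", BAD_XML)):
        print(label, "->", check_configuration_xml(xml_text) or "OK")
```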



  • Thank you for your update! Did you install Clair version 2 as a Docker container? Can you share the steps to update the connection string for the database (the config file needs to point to the proper Postgres instance and password), since I could not find where to update it in the config file?


  • inedo-engineer

    Hi @hashim-abu-gellban_3562 ,

    I haven't set up Clair (v2) recently... but a little while back (as part of a ProGet regression test), I did set it up and it worked. I remember it wasn't very straight-forward and I had to redo a few things because I fat-fingered some of the Docker commands.

    I'll see if I can get some additional help on this, please stay tuned...

    Cheers,
    Alana


  • inedo-engineer

    Hi @hashim-abu-gellban_3562,

    I think the issue here is that the link for the sample config in our docs is now pointing to the wrong sample configuration file. You will want to download the config sample from: https://raw.githubusercontent.com/quay/clair/v2.1.8/config.example.yaml

    As Alana mentioned, they are on Clair v4 now, and it is a different product than version 2; v4 has a completely different configuration file structure. If you use this older config example, you'll see the first section has the database connection information. Using this configuration file as a base should fix your issue.

    Thanks,
    Dan



  • Thank you! The Clair Docker container is running.

    In the documentation there is the following step:
    Once you have created a vulnerability source, you will then need to add that vulnerability source to your container registry. You would do that by clicking Manage Registry in your container registry, and clicking the Add button on vulnerability sources.

    I cannot find the Manage Registry / Container Registry page. Can you help?


  • inedo-engineer

    Hi @hashim-abu-gellban_3562,

    Happy to hear the config fixed your issue on the Clair container. In ProGet v2022 we moved the feed vulnerability source to the Reporting & SCA > Vulnerabilities > Configure Vulnerability Download Blocking page. You should be able to wire it up from there. I'll make sure to update our documentation with these changes as well.

    Thanks,
    Rich

