Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    Problem with Vulnerabilities in docker with Clair

    Scheduled Pinned Locked Moved Support
    12 Posts 3 Posters 33 Views 1 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W Offline
      w.repinski_1472
      last edited by

      1. I think that the problem concerns discrepancies in the assessment, some solutions are assessed in points, and then it is defined in words Low/Medium/Hight/Critical etc.
        I noticed that when scanning containers you get verbal information (Severity) and therefore it is not properly mapped.
        In my DevSecOps experience, score presentation is not the most important thing, labels are important.
      1. Can you expand the Overview to display the Assessment tag information in a new column. Maybe it's worth asking an external CVE database for the actual Score for the docker position? Or maybe within the existing ProGet solution to maintain such a mapping of the CVE number to Score?

      2. Thanks for the clarification from Clair. It's logical but hard to figure out.
        However, I'm not entirely sure if it works as you describe.
        I will check and come back with a separate post. It seems to me that we also have the same entry for some resources that are a set of files / e.g. an Alpine image.

      3. Handmade assessments are visible but....
        Additional problem, manually set assessment.
        As you can see in the image, I have duplicated vulnerabilities for the same image and event, the same CVE ID is listed once as a marked assessment, and the second time as an unmarked assessment.
        This seems to be a mistake from the point of business logic. If I mark any specific CVE in the assessment as, for example: Critical, it should appear as critical everywhere. Possibly a checkbox to check.

      Zrzut_Ekranu_2023-08-02_09-21_00.png

      1 Reply Last reply Reply Quote 0
      • rhessingerR Offline
        rhessinger inedo-engineer
        last edited by

        Hi @w-repinski_1472,

        Thanks for the additional input. To expand this a bit more:

        1. Our auto-assessment uses the CVSS score from the vulnerability to determine which assessment to use automatically. The assessment type is then displayed as the label. It looks like there is a bug in both the CVSS score returned from the Clair extension as well as the stored procedure that saves that information back to ProGet. If you look at the execution log from the original ticket you submitted to us, at the end you can see an error occurred in the merge statement. Those two issues together are causing this.

        2. We will look into what is returned from Clair to get this score set properly. When it comes to the vulnerability overview page, we only show the latest unassessed vulnerabilities. If you click the "view all" link at the top of that table, that table will show the assessment information and the score.

        3. We have not seen Clair return this message for a layer that is not a manifest/configuration layer (sorry, I call these metadata layers which can be confusing). If there is an issue with how the layer is parsed, you will need to submit an issue to Clair for this. ProGet is only showing the information that Clair has returned to ProGet for the parsing. This is how our Clair implementation works:

          1. Send a list of image layers to Clair
          2. Clair then will pull each layer from ProGet and scan it.
          3. ProGet will then pull the result for each layer from Clair
          4. ProGet will then auto-assess and save the vulnerability back to ProGet.
        4. I think this is also related to the stored procedure I was referring to earlier.

        We hope to have these issues resolved soon. I hope this clarifies this for you. Please let me know if I missed anything or if you have more questions.

        Thanks,
        Rich

        Products Engineer, Inedo

        1 Reply Last reply Reply Quote 0
        • W Offline
          w.repinski_1472
          last edited by

          Hello,

          In terms of the Clair error, the indication is "start using Clair v4", and this one is not supported by your software ... Maybe it would be possible to install an optional separate from v2 plugin for Clairv4? Have they already achieved the appropriate stability of the program itself as well as the API.

          I will wait for corrections on other topics...

          stevedennisS 1 Reply Last reply Reply Quote 0
          • stevedennisS Offline
            stevedennis inedo-engineer @w.repinski_1472
            last edited by

            Hi @w-repinski_1472,

            Unfortunately integrating with Clair v4 cannot be done with only a new plug-in / extension. It requires substantial changes to the vulnerability feature/module in ProGet, so it's something we would have to consider in a major version like ProGet 2024.

            Thanks,
            Steve

            1 Reply Last reply Reply Quote 0
            • W Offline
              w.repinski_1472
              last edited by

              I upgraded to version 2023.14 (build 17).

              1. Automatic vulnerability assignment (score/severity) still doesn't work.

              Zrzut_Ekranu_2023-08-07_14-29_54.png

              1. Still no information in the Score column.
                Zrzut_Ekranu_2023-08-07_14-34_14.png
                Wouldn't it be better if this column was named Score/Severity?

              2. After some time of operation (several manual scans, changes in the repository, new packages) I get this error.

              Zrzut_Ekranu_2023-08-07_14-01_02.png

              1 Reply Last reply Reply Quote 0
              • rhessingerR Offline
                rhessinger inedo-engineer
                last edited by

                Hi @w-repinski_1472,

                Can you please ensure that your Clair extension is updated to 2.0.1 as well? Some of the fixes required changes to the Clair extension directly. The two issues that were fixed in the extensions:

                1. A separate API call is needed to get the CVSS score
                2. Duplicate vulnerabilities were being returned by Clair

                Looking at your screenshots, it seems those issues will be fixed with an extension update.

                Thanks,
                Rich

                Products Engineer, Inedo

                1 Reply Last reply Reply Quote 0
                • W Offline
                  w.repinski_1472
                  last edited by

                  @rhessinger said in Problem with Vulnerabilities in docker with Clair:

                  Can you please ensure that your Clair extension is updated to 2.0.1 as well? Some of the fixes required changes to the Clair extension directly. The two issues that were fixed in the extensions:

                  A separate API call is needed to get the CVSS score
                  Duplicate vulnerabilities were being returned by Clair

                  Looking at your screenshots, it seems those issues will be fixed with an extension update.
                  Thanks,
                  Rich

                  Thanks for the info, I'm checking.
                  How can I make the information about a new extension update more visible?

                  1 Reply Last reply Reply Quote 0
                  • rhessingerR Offline
                    rhessinger inedo-engineer
                    last edited by

                    Hi @w-repinski_1472,

                    You can see extension updates by navigating to Administration > Extensions and then an information block at the top of the page will display that there are extension updates. For the actual changes that were made in the 2.0.1 version of the Clair extension, you can view the 2.0.1 milestone in GitHub for our Clair extension.

                    Thanks,
                    Rich

                    Products Engineer, Inedo

                    1 Reply Last reply Reply Quote 0
                    • W Offline
                      w.repinski_1472
                      last edited by

                      @rhessinger said in Problem with Vulnerabilities in docker with Clair:

                      You can see extension updates by navigating to Administration > Extensions and then an information block at the top of the page will display that there are extension updates. For the actual changes that were made in the 2.0.1 version of the Clair extension, you can view the 2.0.1 milestone in GitHub for our Clair extension

                      And how will I know that I have to go to the extension menu to update the extension?
                      Can ProGet send an email to the "administrator" or display a notification on the main screen like it does when updating ProGet itself?

                      1 Reply Last reply Reply Quote 0
                      • rhessingerR Offline
                        rhessinger inedo-engineer
                        last edited by

                        Hi @w-repinski_1472,

                        We currently do not have any mechanism for alerting the user when an extension update is available. Our guidance around this is to check extensions for updates after a product is upgraded or when instructed by support. In this case, it was my fault for not alerting you to upgrade the extension to fix this issue. I'm sorry for that and I will make sure this does not happen again.

                        Also, many extensions are included in the install package. These extensions are updated automatically when the product is upgraded. So this won't be a problem with most extensions, it just so happens that the clair extension is not an included one.

                        Please let me know if you have any other questions for us.

                        Thanks,
                        Rich

                        Products Engineer, Inedo

                        1 Reply Last reply Reply Quote 0

                        Hello! It looks like you're interested in this conversation, but you don't have an account yet.

                        Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

                        With your input, this post could be even better 💗

                        Register Login
                        • 1 / 1
                        • First post
                          Last post
                        Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation