I have started scanning my images with Clair to look for vulnerabilities. I noticed that, according to Clair, there are a lot of vulnerabilities in the standard Docker Hub Python and Debian stretch images, even though on Docker Hub these images only mention vulnerabilities in zlib. Why is there such a difference?
Docker Hub: https://hub.docker.com/r/library/python/tags/3.6-slim-stretch/
Clair (via clair-scanner):
$ clair-scanner --ip "$local_ip" python:3.6-slim-stretch
2018/02/09 09:50:09 [INFO] ▶ Start clair-scanner
2018/02/09 09:50:11 [INFO] ▶ Server listening on port 9279
2018/02/09 09:50:11 [INFO] ▶ Analyzing c7549efd5dc0e5ae0c658deb653375fd2314224e1add79f9e94517a3aaa3fd9d
2018/02/09 09:50:13 [INFO] ▶ Analyzing 526e7e1b9f95c059ce50995de300dac4b8b9351340ee6ea09f9dcf782fd5af34
2018/02/09 09:50:13 [INFO] ▶ Analyzing 6b5b41e64517319f9013f245d0f8afb5612bd30766e3e4c65a418f6120186089
2018/02/09 09:50:15 [INFO] ▶ Analyzing 066fe932e0cbb6207e05383d7063cbaafc115f75416b2364281166fa4fa2df7f
2018/02/09 09:50:15 [INFO] ▶ Analyzing 476923b051f9d157ea4903f1b1e5c694dcbb3edb91e4159918b125b350a0f349
2018/02/09 09:50:15 [WARN] ▶ Image [python:3.6-slim-stretch] contains 42 total vulnerabilities
2018/02/09 09:50:15 [ERRO] ▶ Image [python:3.6-slim-stretch] contains 42 unapproved vulnerabilities
clair-scanner finds 42 vulnerabilities in the python:3.6-slim-stretch image. It is the same when using clairctl:
$ docker pull python:3.6-slim-stretch
3.6-slim-stretch: Pulling from library/python
Digest: sha256:5dc3fa18a0fab0326052a95bada5582c08d324bfc24ced84aeb7ae681b93d2e5
Status: Image is up to date for python:3.6-slim-stretch
$ clairctl push -l python:3.6-slim-stretch
python:3.6-slim-stretch has been pushed to Clair
$ clairctl analyze -l python:3.6-slim-stretch
Image: docker.io/python:3.6-slim-stretch
Unknown: 6
Negligible: 22
Low: 4
Medium: 7
High: 4
Critical: 0
Defcon1: 0
However, when trying to upgrade it, there are no packages:
$ docker run --rm -it python:3.6-slim-stretch bash
root@243dfeabc84b:/# apt-get update
...
root@243dfeabc84b:/# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
sensible-utils
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 10.8 kB of archives.
After this operation, 49.2 kB disk space will be freed.
Do you want to continue? [Y/n] n
So why does Clair find so many false positives?
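As an added example (not part of the question above), here is a small triage script that separates Clair findings for which a fixed package version is already published (those are the ones `apt-get dist-upgrade` could actually pull in) from findings with no fix available yet. The JSON field names (`featurename`, `featureversion`, `vulnerability`, `severity`, `fixedby`) are assumed to match the report that `clair-scanner -r report.json` writes, and the sample report and CVE ids are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample in the assumed shape of a clair-scanner JSON report.
# Field names are an assumption; check them against your clair-scanner version.
SAMPLE_REPORT = json.dumps({
    "image": "python:3.6-slim-stretch",
    "vulnerabilities": [
        {"featurename": "zlib", "featureversion": "1:1.2.8.dfsg-5",
         "vulnerability": "CVE-EXAMPLE-0001", "namespace": "debian:9",
         "severity": "High", "fixedby": "1:1.2.8.dfsg-5+deb9u1"},
        {"featurename": "glibc", "featureversion": "2.24-11+deb9u1",
         "vulnerability": "CVE-EXAMPLE-0002", "namespace": "debian:9",
         "severity": "Negligible", "fixedby": ""},
        {"featurename": "openssl", "featureversion": "1.1.0f-3+deb9u1",
         "vulnerability": "CVE-EXAMPLE-0003", "namespace": "debian:9",
         "severity": "Unknown", "fixedby": ""},
    ],
})


def triage(report_json):
    """Split findings into those with a published fix (actionable via the
    package manager) and those with no fix yet. Returns two lists."""
    report = json.loads(report_json)
    fixable, unfixed = [], []
    for finding in report.get("vulnerabilities", []):
        # An empty 'fixedby' means the distribution has not shipped a fixed
        # version, so an upgrade cannot remove this finding today.
        (fixable if finding.get("fixedby") else unfixed).append(finding)
    return fixable, unfixed


def packages_to_upgrade(report_json):
    """Sorted package names for which a fixed version exists."""
    fixable, _ = triage(report_json)
    return sorted({f["featurename"] for f in fixable})


def severity_summary(report_json):
    """Count findings per severity, like the clairctl summary table."""
    report = json.loads(report_json)
    return Counter(f["severity"] for f in report.get("vulnerabilities", []))


if __name__ == "__main__":
    fixable, unfixed = triage(SAMPLE_REPORT)
    print(f"fixable: {len(fixable)}, no fix yet: {len(unfixed)}")
    print("upgrade candidates:", packages_to_upgrade(SAMPLE_REPORT))
    print("by severity:", dict(severity_summary(SAMPLE_REPORT)))
```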