Support wolfi / chainguard detection #923

Open
jbergstroem opened this issue May 2, 2023 · 12 comments
Labels
triaged The maintainers have seen this issue

Comments

jbergstroem (Contributor) commented May 2, 2023

Wolfi is an operating system tailored for containers. Clair currently doesn't recognize it so I thought it'd make sense to track support.

$ ./clair-scanner --ip 192.168.1.15 -c http://127.0.0.1:6060 cgr.dev/chainguard/node:20
2023/05/01 20:06:58 [INFO] ▶ Start clair-scanner
2023/05/01 20:07:00 [INFO] ▶ Server listening on port 9279
2023/05/01 20:07:00 [INFO] ▶ Analyzing c2b0d3cadf5af59393ce726798e315e7f56dc8c6d1e3ec55ce46cb6aab03c61a
2023/05/01 20:07:00 [CRIT] ▶ Could not analyze layer: Clair responded with a failure: Got response 422 with message {"Error":{"Message":"worker: OS and/or package manager are not supported"}}

Relevant info

The following examples are from the generated container cgr.dev/chainguard/node:20 which is part of their automated builds.

OS detection

$ cat /etc/os-release
ID=wolfi
NAME="Wolfi"
PRETTY_NAME="Wolfi"
VERSION_ID="20230201"
HOME_URL="https://wolfi.dev"

Wolfi mentions using apk as a package manager. Here's an example of the installed list:

$ head -n 20 /lib/apk/db/installed
P:glibc-locale-posix
V:2.37-r6
A:x86_64
L:GPL-3.0-or-later
T:POSIX locale data for glibc
o:glibc
m:
U:
D:
p:
c:be767d33fb37b5dc6c42961efe0472f888976899
i:[]
t:-62135596800
S:73758
I:416967
k:0
C:Q1ODlpjBNlf5+8UVI1uHjwELzSof8=
F:usr
F:usr/lib
F:usr/lib/locale

...which also seems to follow the apk package format.

Should a PR abstract alpine into apk and support both OSes, but with different identifiers? Put differently: I'm new to modifying clair and its ecosystem. How should I proceed with a PR to see it merged?

dlorenc commented May 2, 2023

I'm with the Wolfi team, and we'd be happy to help here however possible!

hdonnay (Member) commented May 2, 2023

👋

We'd need to know what package manager is used and how/if it's different from other uses, and where the security advisories are published and in what format.

dlorenc commented May 2, 2023

> 👋
>
> We'd need to know what package manager is used and how/if it's different from other uses, and where the security advisories are published and in what format.

Hey! Thanks for the response! We use the apk package manager (the same as Alpine) and publish a security feed, also in the same format as Alpine. The feed is available here: https://packages.wolfi.dev/os/security.json

hdonnay (Member) commented May 4, 2023

I think the steps to take are:

  • Split the apk indexer out of the alpine package
  • Modularize the alpine Updater machinery and create an instance for alpine and wolfi
  • Modularize the alpine Matcher machinery and create an instance for alpine and wolfi

I think the generic os-release scanner should be good enough to get distro detection. I don't have the details of all these paged in at the moment, though.

hdonnay added the triaged label May 4, 2023

jbergstroem (Contributor, Author) commented

Just noticed that /etc/issue is missing from wolfi images so the distributionscanner needs to make this optional.

jbergstroem (Contributor, Author) commented

@hdonnay is there a reason to read version from /etc/issue over extracting it from PRETTY_NAME found in /etc/os-release?

Relevant info:

/etc/issue:

Welcome to Alpine Linux 3.16

/etc/os-release:

PRETTY_NAME="Alpine Linux v3.16"

Current regexp in the distribution scanner:

issueRegexp = regexp.MustCompile(`Alpine Linux ([[:digit:]]+\.[[:digit:]]+)`)

At least all the test data you have seems to cover using PRETTY_NAME, which means that for the scope of this issue (modularizing distributionscanner) fewer changes are needed.

jbergstroem added a commit to jbergstroem/claircore that referenced this issue Sep 24, 2023

Refs: quay#923
Signed-off-by: Johan Bergström <bugs@bergstroem.nu>

hdonnay pushed a commit to jbergstroem/claircore that referenced this issue Oct 2, 2023

Refs: quay#923
Signed-off-by: Johan Bergström <bugs@bergstroem.nu>
luhring commented Oct 2, 2023

Hi! I'm with the Wolfi security team, and we just recently added more documentation for scanners wanting to implement support for Wolfi and the related "Chainguard distro". We've also added some test images for use in manual/automated tests in case that's valuable to you.

https://github.com/chainguard-dev/vulnerability-scanner-support

Also happy to field any questions that come up!

amdawson commented Oct 2, 2023

Also happy to list clair on this page when you're ready, let us know!

https://www.chainguard.dev/scanners

jbergstroem (Contributor, Author) commented

> @hdonnay is there a reason to read version from /etc/issue over extracting it from PRETTY_NAME found in /etc/os-release?

Sorry for pinging you again but it would be good to get clarity on this before I move on! Thanks!

luhring commented Oct 3, 2023

@jbergstroem I don't have context for Clair in particular, but this might help a little:

This section explains how scanners should identify the Wolfi/Chainguard distros. Definitely take a look at this! It's short.

tl;dr: Use /etc/os-release to identify the distro. You should use the id field to key off of, and you can use the pretty name for showing to users.

Do not use the version data here! That's explained in the docs, too. 😃

You won't find an /etc/issue.
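The two pieces of this thread that a scanner actually has to implement are distro detection from /etc/os-release (keyed off ID only, with no /etc/issue and no version data, as luhring describes above) and parsing of the apk installed database shown in the issue body. The Go below is an added, stand-alone illustration written for this page; it is not claircore code, and the sample inputs are constructed to mirror the snippets quoted in the issue.

```go
package main

import "strings"

// Constructed sample inputs, modelled on the snippets quoted in the issue (not real image contents).
const wolfiOSRelease = "ID=wolfi\nNAME=\"Wolfi\"\nPRETTY_NAME=\"Wolfi\"\nVERSION_ID=\"20230201\"\n"
const alpineOSRelease = "ID=alpine\nPRETTY_NAME=\"Alpine Linux v3.16\"\nVERSION_ID=3.16.0\n"
const apkInstalled = "P:glibc-locale-posix\nV:2.37-r6\nA:x86_64\no:glibc\nF:usr\nF:usr/lib\n\nP:nodejs\nV:20.0.0-r0\nA:x86_64\no:nodejs\n"

// parseOSRelease returns the KEY=value pairs of an os-release file with quotes stripped.
func parseOSRelease(s string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(s, "\n") {
		k, v, ok := strings.Cut(strings.TrimSpace(line), "=")
		if ok && k != "" && !strings.HasPrefix(k, "#") {
			out[k] = strings.Trim(v, `"`)
		}
	}
	return out
}

// detectDistro keys only off ID, as the Wolfi docs advise; it never consults
// /etc/issue (absent on Wolfi) or the version fields.
func detectDistro(osRelease string) string {
	switch id := parseOSRelease(osRelease)["ID"]; id {
	case "wolfi", "alpine":
		return id
	}
	return "" // unsupported: the caller would report "OS not supported"
}

// parseInstalled splits the apk installed database into blank-line-separated records
// and returns each record's single-letter fields (P name, V version, A arch, o origin).
func parseInstalled(s string) []map[string]string {
	var pkgs []map[string]string
	for _, rec := range strings.Split(strings.TrimSpace(s), "\n\n") {
		fields := map[string]string{}
		for _, line := range strings.Split(rec, "\n") {
			if k, v, ok := strings.Cut(line, ":"); ok && len(k) == 1 {
				fields[k] = v // repeated keys such as F: keep only the last value
			}
		}
		if fields["P"] != "" {
			pkgs = append(pkgs, fields)
		}
	}
	return pkgs
}
```

Because detection keys off ID alone, the same parser serves both distros; only the updater/matcher instance chosen for "wolfi" versus "alpine" differs, which is the split hdonnay outlines above.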

jbergstroem (Contributor, Author) commented Oct 3, 2023

@luhring thanks for the info; I already had a look! Since the idea is to reuse the same framework for Alpine and Wolfi, I wanted to double-check why we need to read both /etc/issue and /etc/os-release for Alpine before proceeding.

mattmoor commented

JFYI since the discussion above @luhring put together this excellent resource on adding scanner support for our images: https://github.com/chainguard-dev/vulnerability-scanner-support
