- Clair is an open source project for analyzing container images for known software vulnerabilities. It uses static analysis to detect vulnerabilities by examining the content of container images without running the containers. - Clair's analysis can be done once and reused to inform about current and future vulnerabilities. It also suggests fixes and notifies users about new vulnerabilities. - Clair is designed as an extensible framework, including detectors for vulnerabilities from different sources, datastores, updaters, notifiers and support for multiple container formats and operating systems. The presenter discusses current and potential future capabilities.

1. Quentin Machu
@Quentin__M | quentin.machu@coreos.com
Clair
A Container Image Security Analyzer

2. We’re hiring in all departments! Email: careers@coreos.com Positions: coreos.com/ careers
90+ Projects on GitHub, 1,000+ Contributors
OPEN SOURCE
CoreOS.com - @coreoslinux - github/coreos
Secure solutions, support plans, training + more
ENTERPRISE
sales@coreos.com - tectonic.com - quay.io
CoreOS is Running the World’s Containers
Secure the Internet
MISSION
2

4. Storytelling()

5. A traditional deployment
5

6. But … wait
6

7. A containerized deployment
7

8. A container in practice ...
8

9. Is that all ?
9

11. CVE-2015-0235
aka
GHOST
“GHOST is a buffer overflow bug affecting the gethostbyname() and
gethostbyname2() function calls in the glibc library. This vulnerability
allows a remote attacker that is able to make an application call to either of
these functions to execute arbitrary code.”
11

12. CVE-2014-0160
aka
Heartbleed
“The TLS and DTLS implementations in OpenSSL do not properly handle
Heartbeat Extension packets, which allows remote attackers to obtain
sensitive information from process memory via crafted packets that trigger
a buffer over-read.”
12

13. 76K
Vulnerabilities
13

14. How do we make this better for
developers?

15. Open source project for the static analysis of
vulnerabilities in appc and docker containers.
github.com/coreos/clair
15

16. Showtime()

17. - Static analysis
- Do the job only once
- Suggest & Notify
- Built as a framework
Clair in a few points
17

18. Static analysis
CONTEXT
Millions of container images
- Running these containers is expensive
- Running any untrusted container is unsafe
- “We need to go deeper”
- Secure solutions can become pretty complex
- Several dynamic analysis tools exist
- Requires human input and guidance
18

19. - Extract and store enough to inform about both known
and future vulnerabilities
- Reuse analysis data as much as possible
Do the job only once
CONTEXT
Millions of container images
Over 15 new vulnerabilities / day
What happens when new vulnerabilities are published ?
19

20. “I read your security report about my container, but …
what can I actually do?”
Here, look, here’s what you can easily fix.
“I feel confident about my container now. I’m lazy though and
don’t want to check the report again. Tell me as soon as
there’s something new that I should be concerned about”
Sure. Where can I contact you?
Suggest & Notify
20

21. Built as a framework
Open Source and Extensibility
are the heart and soul of Clair
v1.1.021

22. Built as a framework
- Detectors
type FeaturesDetector interface {
GetRequiredFiles() []string
Detect(map[string][]byte) ([]database.FeatureVersion, error)
}
v1.1.0
type NamespaceDetector interface {
GetRequiredFiles() []string
Detect(map[string][]byte) *database.Namespace
}
type DataDetector interface {
Supported(path string, format string) bool
Detect(layerReader io.ReadCloser, toExtract []string, maxFileSize int64) (data map[string][]byte, err error)
}
22

23. Built as a frameworktype Fetcher interface {
FetchUpdate(database.Datastore) (FetcherResponse, error)
Clean()
}
Built as a framework
- Vulnerability Updaters / Notifiers
type Notifier interface {
Configure(config.NotifierConfig) (bool, error)
Send(database.VulnerabilityNotification) error
}
v1.1.023

24. type Datastore interface {
ListNamespaces() ([]Namespace, error)
InsertLayer(Layer) error
FindLayer(name string, withFeatures, withVulnerabilities bool) (Layer, error)
DeleteLayer(name string) error
ListVulnerabilities(namespaceName string, limit int, page int) ([]Vulnerability, int, error)
InsertVulnerabilities(vulnerabilities []Vulnerability, createNotification bool) error
FindVulnerability(namespaceName, name string) (Vulnerability, error)
DeleteVulnerability(namespaceName, name string) error
InsertVulnerabilityFixes(vulnerabilityNamespace, vulnerabilityName string, fixes []FeatureVersion) error
DeleteVulnerabilityFix(vulnerabilityNamespace, vulnerabilityName, featureName string) error
GetAvailableNotification(renotifyInterval time.Duration) (VulnerabilityNotification, error)
GetNotification(name string, limit int, page PageNumber) (VulnerabilityNotification, PageNumber, error)
SetNotificationNotified(name string) error
DeleteNotification(name string) error
InsertKeyValue(key, value string) error
GetKeyValue(key string) (string, error)
Lock(name string, owner string, duration time.Duration, renew bool) (bool, time.Time)
Unlock(name, owner string)
FindLock(name string) (string, time.Time, error)
Ping() bool
Close()
}
Built as a framework
- Datastores
v1.1.024

25. - Image format: appc, Docker
- Operating systems: Debian, Ubuntu, CentOS
- Detection: package managers (dpkg, rpm)
- Vulnerability sources: Distribution-specific
- Database: PostgresSQL 9.4+
- Notification: Webhook
What does it currently support ?
v1.1.025

26. - Revisit database implementation
- MySQL Support (Huawei)
- Improve release distribution
- Embed migrations
- Address client UX
- Integrate a solid command-line tool (Wemanity)
- Expand detection capabilities
- Add Alpine Linux support (goo.gl/TSkCxM)
- Implement npm (Huawei), python, OWASP
- Anything you’d like to see!
What’s next?
v1.1.026

27. coreos.com/fest - @coreosfest
May 9 & 10, 2016 - Berlin, Germany

28. Thank you!
We’re hiring in all departments! Email: careers@coreos.com Positions: coreos.com/ careers
Quentin Machu
@Quentin__M | quentin.machu@coreos.com