Sunday, December 25, 2022

What is Clair Scan?

Clair scans each container layer and provides a notification of vulnerabilities that may be a threat, based on the Common Vulnerabilities and Exposures (CVE) database and similar databases from Red Hat®, Ubuntu, and Debian. Since layers can be shared between many containers, introspection is vital to build an inventory of packages and match that against known CVEs.


Clair has also introduced support for programming language package managers, starting with Python, and a new image-oriented API.


Automatic detection of vulnerabilities will help increase awareness and best security practices across development and operations teams, and encourage action to patch and address the vulnerabilities. When new vulnerabilities are announced, Clair knows right away, without rescanning, which existing layers are vulnerable and notifications are sent.


For example, CVE-2014-0160, aka "Heartbleed", has been known for some time, yet Red Hat Quay security scanning found it is still a potential threat to a high percentage of the container images users have stored on Quay.


Take note that vulnerabilities often rely on particular conditions in order to be exploited. For example, Heartbleed only matters as a threat if the vulnerable OpenSSL package is installed and being used. Clair isn’t suited for that level of analysis and teams should still undertake deeper analysis as required.
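To make the layer-oriented model above concrete, here is an added toy example (not Clair's own code, data formats, or vulnerability feeds): each layer is indexed once into a package inventory, shared layers are stored once, and a newly published advisory is matched against the stored inventory without rescanning any layer. The layer digests, package versions and CVE ids are constructed placeholders, and the version ordering is a deliberate simplification of real dpkg/rpm rules.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Package:
    name: str
    version: str

@dataclass(frozen=True)
class Advisory:
    cve: str                  # placeholder ids in the sample, not real CVEs
    package: str
    fixed_in: Optional[str]   # None: no fixed version yet, every version matches

def version_key(v: str) -> tuple:
    # Assumption/simplification: order versions by their numeric runs only.
    # Real distro ordering (dpkg/rpm epochs, tilde, letters) is more involved.
    return tuple(int(n) for n in re.findall(r"\d+", v))

class LayerIndex:
    """Package inventory built once per layer; advisories are matched later
    against the stored inventory, so no layer is rescanned (the Clair model)."""
    def __init__(self):
        self.layers = {}   # layer digest -> frozenset of Package
        self.images = {}   # image name -> ordered list of layer digests

    def index_layer(self, digest: str, packages) -> None:
        if digest not in self.layers:      # a shared base layer is indexed once
            self.layers[digest] = frozenset(packages)

    def add_image(self, name: str, digests) -> None:
        self.images[name] = list(digests)

    def affected_layers(self, adv: Advisory) -> set:
        # A hit means the vulnerable package version is present in the layer;
        # whether it is actually loaded and used needs deeper analysis.
        return {d for d, pkgs in self.layers.items()
                if any(p.name == adv.package and (adv.fixed_in is None or
                       version_key(p.version) < version_key(adv.fixed_in))
                       for p in pkgs)}

    def affected_images(self, adv: Advisory) -> set:
        hit = self.affected_layers(adv)
        return {name for name, ds in self.images.items() if hit.intersection(ds)}

def build_sample_index() -> LayerIndex:
    # Constructed sample: two images sharing one base layer with openssl.
    idx = LayerIndex()
    idx.index_layer("sha256:base-constructed", [Package("openssl", "1.1.1n-0+deb11u3"), Package("libc6", "2.31-13")])
    idx.index_layer("sha256:web-constructed", [Package("python3-requests", "2.25.1")])
    idx.index_layer("sha256:worker-constructed", [Package("curl", "7.74.0-1.3")])
    idx.add_image("web", ["sha256:base-constructed", "sha256:web-constructed"])
    idx.add_image("worker", ["sha256:base-constructed", "sha256:worker-constructed"])
    return idx
```

A new openssl advisory matched against this index flags the shared base layer, and therefore both images, without either image being scanned again.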


References:

https://www.redhat.com/en/topics/containers/what-is-clair#:~:text=Clair%20scans%20each%20container%20layer,%C2%AE%2C%20Ubuntu%2C%20and%20Debian.
