Why does Clair find far more vulnerabilities than Docker Hub?

Question Votes: 2 Answers: 1

I have started using Clair to scan my images for vulnerabilities. I noticed that, according to Clair, the standard Docker Hub Python and Debian stretch images contain a lot of vulnerabilities. On Docker Hub, these images only mention a vulnerability in zlib. Why is there such a difference?

Docker Hub: https://hub.docker.com/r/library/python/tags/3.6-slim-stretch/

Clair (via clair-scanner):

$ clair-scanner --ip "$local_ip" python:3.6-slim-stretch
2018/02/09 09:50:09 [INFO] ▶ Start clair-scanner
2018/02/09 09:50:11 [INFO] ▶ Server listening on port 9279
2018/02/09 09:50:11 [INFO] ▶ Analyzing c7549efd5dc0e5ae0c658deb653375fd2314224e1add79f9e94517a3aaa3fd9d
2018/02/09 09:50:13 [INFO] ▶ Analyzing 526e7e1b9f95c059ce50995de300dac4b8b9351340ee6ea09f9dcf782fd5af34
2018/02/09 09:50:13 [INFO] ▶ Analyzing 6b5b41e64517319f9013f245d0f8afb5612bd30766e3e4c65a418f6120186089
2018/02/09 09:50:15 [INFO] ▶ Analyzing 066fe932e0cbb6207e05383d7063cbaafc115f75416b2364281166fa4fa2df7f
2018/02/09 09:50:15 [INFO] ▶ Analyzing 476923b051f9d157ea4903f1b1e5c694dcbb3edb91e4159918b125b350a0f349
2018/02/09 09:50:15 [WARN] ▶ Image [python:3.6-slim-stretch] contains 42 total vulnerabilities
2018/02/09 09:50:15 [ERRO] ▶ Image [python:3.6-slim-stretch] contains 42 unapproved vulnerabilities

clair-scanner found 42 vulnerabilities in the python:3.6-slim-stretch image. The same happens when using clairctl:

$ docker pull python:3.6-slim-stretch
3.6-slim-stretch: Pulling from library/python
Digest: sha256:5dc3fa18a0fab0326052a95bada5582c08d324bfc24ced84aeb7ae681b93d2e5
Status: Image is up to date for python:3.6-slim-stretch
$ clairctl push -l python:3.6-slim-stretch 
python:3.6-slim-stretch has been pushed to Clair
$ clairctl analyze -l python:3.6-slim-stretch

Image: docker.io/python:3.6-slim-stretch

 Unknown: 6
 Negligible: 22
 Low: 4
 Medium: 7
 High: 4
 Critical: 0
 Defcon1: 0

However, when trying to upgrade it, there are no packages to upgrade:

$ docker run --rm -it python:3.6-slim-stretch bash
root@243dfeabc84b:/# apt-get update
...
root@243dfeabc84b:/# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  sensible-utils
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 10.8 kB of archives.
After this operation, 49.2 kB disk space will be freed.
Do you want to continue? [Y/n] n

Why does Clair find so many false positives?

security docker containers clair
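A CI gating check added here (not code from the question, from Clair or from clairctl): it parses a summary block in the same shape as the `clairctl analyze` output quoted above and fails when findings exist at or above a chosen severity. The report text is a constructed sample using the counts shown in the question, and the `count_for` and `gate_report` function names are assumptions of this example.

```sh
#!/bin/sh
# Constructed sample of the "clairctl analyze" summary block, in the same
# shape as the output quoted in the question (the counts are the page's).
SAMPLE_REPORT='Image: docker.io/python:3.6-slim-stretch

 Unknown: 6
 Negligible: 22
 Low: 4
 Medium: 7
 High: 4
 Critical: 0
 Defcon1: 0'

# count_for <report> <severity>: print the integer after "<severity>:".
count_for() {
    printf '%s\n' "$1" | awk -v sev="$2:" '$1 == sev { print $2; exit }'
}

# gate_report <report> <threshold>: sum the findings at or above the threshold
# severity (Clair's order: Negligible < Low < Medium < High < Critical < Defcon1),
# print the sum, and return 1 when it is non-zero so a CI job can fail on it.
# "Unknown" is deliberately not counted: its severity is unrated, so it should
# be reviewed by hand rather than block a build automatically.
gate_report() {
    report="$1"; threshold="$2"; total=0; counting=0
    for sev in Negligible Low Medium High Critical Defcon1; do
        [ "$sev" = "$threshold" ] && counting=1
        if [ "$counting" -eq 1 ]; then
            n=$(count_for "$report" "$sev")
            total=$((total + ${n:-0}))
        fi
    done
    printf '%s\n' "$total"
    [ "$total" -eq 0 ]
}

# Usage: gate on High and above. The sample has 4 High findings, so this
# prints 4 and exits with status 1.
if [ "${1:-}" = "--run" ]; then
    gate_report "$SAMPLE_REPORT" High
fi
```

To gate a real scan, replace `SAMPLE_REPORT` with the captured output of `clairctl analyze -l <image>`.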
1 Answer
0
votes

I am also interested in this question. And I have another one: what exactly do "approved" and "unapproved" vulnerabilities mean?
