clair

package module
v0.0.0-...-41c8d9c
Published: Aug 27, 2019 License: Apache-2.0 Imports: 28 Imported by: 0

README

Clair


Note: The master branch may be in an unstable or even broken state during development. Please use releases instead of the master branch in order to get stable binaries.


Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including appc and docker).

  1. In regular intervals, Clair ingests vulnerability metadata from a configured set of sources and stores it in the database.
  2. Clients use the Clair API to index their container images; this creates a list of features present in the image and stores them in the database.
  3. Clients use the Clair API to query the database for vulnerabilities of a particular image; correlating vulnerabilities and features is done for each request, avoiding the need to rescan images.
  4. When updates to vulnerability metadata occur, a notification can be sent to alert systems that a change has occurred.
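As an added example (not Clair's own code), the following models steps 1 to 3 above: the feature list of an indexed image is a stored input, and correlation against the current vulnerability metadata happens at query time, so a metadata update changes the result without rescanning the image. The Feature, Vulnerability, lessThan and Affected names are assumptions; lessThan is a simplified stand-in for Clair's versionfmt parsers.

```go
package main

import (
	"sort"
	"strconv"
	"strings"
)

// Feature is one package recorded when an image was indexed (step 2).
type Feature struct{ Namespace, Name, Version string }

// Vulnerability is one ingested advisory (step 1); FixedIn == "" means no fix exists yet.
type Vulnerability struct{ ID, Namespace, Feature, FixedIn string }

// part returns the i-th dotted numeric version component, or 0 when absent.
func part(p []string, i int) int {
	if i >= len(p) {
		return 0
	}
	n, _ := strconv.Atoi(p[i])
	return n
}

// lessThan compares dotted numeric versions; real dpkg/rpm versions also need epoch and revision handling.
func lessThan(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		if x, y := part(as, i), part(bs, i); x != y {
			return x < y
		}
	}
	return false
}

// Affected correlates stored features with the current vulnerability set at query time (step 3):
// a feature matches when namespace and name agree and its version is below the fix, or no fix exists.
func Affected(feats []Feature, vulns []Vulnerability) []string {
	var ids []string
	for _, f := range feats {
		for _, v := range vulns {
			if v.Namespace == f.Namespace && v.Feature == f.Name &&
				(v.FixedIn == "" || lessThan(f.Version, v.FixedIn)) {
				ids = append(ids, v.ID)
			}
		}
	}
	sort.Strings(ids)
	return ids
}
```

Calling Affected twice with the same feature list and two different vulnerability sets reproduces step 4's effect: only the metadata changed, the image was never re-indexed.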

Our goal is to enable a more transparent view of the security of container-based infrastructure. Thus, the project was named Clair after the French term which translates to clear, bright, transparent.

Getting Started

Community

Contributing

See CONTRIBUTING for details on submitting patches and the contribution workflow.

License

Clair is under the Apache 2.0 license. See the LICENSE file for details.

Documentation

Index

Constants

This section is empty.

Variables

var (
	// StorageError represents an analyze error caused by the storage
	StorageError = AnalyzeError("failed to query the database.")
	// RetrieveBlobError represents an analyze error caused by failure of
	// downloading or extracting layer blobs.
	RetrieveBlobError = AnalyzeError("failed to download layer blob.")
	// ExtractBlobError represents an analyzer error caused by failure of
	// extracting a layer blob by imagefmt.
	ExtractBlobError = AnalyzeError("failed to extract files from layer blob.")
	// FeatureDetectorError is an error caused by failure of feature listing by
	// featurefmt.
	FeatureDetectorError = AnalyzeError("failed to scan feature from layer blob files.")
	// NamespaceDetectorError is an error caused by failure of namespace
	// detection by featurens.
	NamespaceDetectorError = AnalyzeError("failed to scan namespace from layer blob files.")
)
var (

	// EnabledUpdaters contains all updaters to be used for update.
	EnabledUpdaters []string
)

Functions

func AnalyzeLayer

func AnalyzeLayer(ctx context.Context, store database.Datastore, blobSha256 string, blobFormat string, downloadURI string, downloadHeaders map[string]string) (*database.Layer, error)

AnalyzeLayer retrieves the Clair layer with all extracted features and namespaces. If the layer has already been scanned by all detectors enabled in this Clair instance, it is returned directly. Otherwise, the layer blob is re-downloaded and its features and namespaces are scanned again.

func EnabledDetectors

func EnabledDetectors() []database.Detector

EnabledDetectors retrieves a list of all detectors installed in the Clair instance.

func GetLastUpdateTime

func GetLastUpdateTime(datastore database.Datastore) (time.Time, bool, error)

GetLastUpdateTime retrieves the latest successful time of update and whether or not it's the first update.

func IsAncestryCached

func IsAncestryCached(store database.Datastore, name string, layerHashes []string) (bool, error)

IsAncestryCached checks if the ancestry is already cached in the database with the current set of detectors.

func RegisterConfiguredDetectors

func RegisterConfiguredDetectors(store database.Datastore)

RegisterConfiguredDetectors populates the database with registered detectors.

func RunNotifier

func RunNotifier(config *notification.Config, datastore database.Datastore, stopper *stopper.Stopper)

RunNotifier begins a process that checks for new notifications that should be sent out to third parties.

func RunUpdater

func RunUpdater(config *UpdaterConfig, datastore database.Datastore, st *stopper.Stopper)

RunUpdater begins a process that updates the vulnerability database at regular intervals.

func SaveAncestry

func SaveAncestry(store database.Datastore, ancestry *database.Ancestry) error

SaveAncestry saves an ancestry to the datastore.

Types

type AnalyzeError

type AnalyzeError string

AnalyzeError represents a failure when analyzing a layer or constructing an ancestry.

func (AnalyzeError) Error

func (e AnalyzeError) Error() string

type AncestryBuilder

type AncestryBuilder struct {
	// contains filtered or unexported fields
}

AncestryBuilder builds an Ancestry, which contains an ordered list of layers and their features.

func NewAncestryBuilder

func NewAncestryBuilder(detectors []database.Detector) *AncestryBuilder

NewAncestryBuilder creates a new ancestry builder.

The ancestry builder takes in the extracted layer information and produces the set of namespaces, features, and feature relations for the whole image.

func (*AncestryBuilder) AddLeafLayer

func (b *AncestryBuilder) AddLeafLayer(layer *database.Layer)

AddLeafLayer adds a leaf layer to the ancestry builder, and computes the namespaced features.

func (*AncestryBuilder) Ancestry

func (b *AncestryBuilder) Ancestry(name string) *database.Ancestry

Ancestry produces an Ancestry from the builder.

type UpdaterConfig

type UpdaterConfig struct {
	EnabledUpdaters []string
	Interval        time.Duration
}

UpdaterConfig is the configuration for the Updater service.

Directories

Path Synopsis
api
v3
v3/clairpb
Package clairpb is a generated protocol buffer package.
cmd
database
Package database defines Clair's models and a common interface for database implementations.
pgsql
Package pgsql implements database.Datastore with PostgreSQL.
pgsql/migrations
Package migrations regroups every migration available to the pgsql database backend.
ext
featurefmt
Package featurefmt exposes functions to dynamically register methods for determining the features present in an image layer.
featurefmt/apk
Package apk implements a featurefmt.Lister for APK packages.
featurefmt/dpkg
Package dpkg implements a featurefmt.Lister for dpkg packages.
featurefmt/rpm
Package rpm implements a featurefmt.Lister for rpm packages.
featurens
Package featurens exposes functions to dynamically register methods for determining a namespace for features present in an image layer.
featurens/alpinerelease
Package alpinerelease implements a featurens.Detector for Alpine Linux based container image layers.
featurens/aptsources
Package aptsources implements a featurens.Detector for apt based container image layers.
featurens/lsbrelease
Package lsbrelease implements a featurens.Detector for container image layers containing an lsb-release file.
featurens/osrelease
Package osrelease implements a featurens.Detector for container image layers containing an os-release file.
featurens/redhatrelease
Package redhatrelease implements a featurens.Detector for container image layers containing redhat-release-like files.
imagefmt
Package imagefmt exposes functions to dynamically register methods to detect different types of container image formats.
imagefmt/aci
Package aci implements an imagefmt.Extractor for appc formatted container image layers.
imagefmt/docker
Package docker implements an imagefmt.Extractor for docker formatted container image layers.
notification
Package notification exposes functions to dynamically register methods to deliver notifications from the Clair database.
notification/webhook
Package webhook implements a notification sender for HTTP JSON webhooks.
versionfmt
Package versionfmt exposes functions to dynamically register formats used to parse Feature Versions.
versionfmt/dpkg
Package dpkg implements a versionfmt.Parser for version numbers used in dpkg based software packages.
versionfmt/rpm
Package rpm implements a versionfmt.Parser for version numbers used in rpm based software packages.
vulnmdsrc
Package vulnmdsrc exposes functions to dynamically register vulnerability metadata sources used to update a Clair database.
vulnmdsrc/nvd
Package nvd implements a vulnerability metadata appender using the NIST NVD database.
vulnsrc
Package vulnsrc exposes functions to dynamically register vulnerability sources used to update a Clair database.
vulnsrc/alpine
Package alpine implements a vulnerability source updater using the alpine-secdb git repository.
vulnsrc/amzn
Package amzn implements a vulnerability source updater using ALAS (Amazon Linux Security Advisories).
vulnsrc/debian
Package debian implements a vulnerability source updater using the Debian Security Tracker.
vulnsrc/oracle
Package oracle implements a vulnerability source updater using the Oracle Linux OVAL Database.
vulnsrc/rhel
Package rhel implements a vulnerability source updater using the Red Hat Linux OVAL Database.
vulnsrc/suse
Package suse implements a vulnerability source updater using the SUSE Linux and openSUSE OVAL Database.
vulnsrc/ubuntu
Package ubuntu implements a vulnerability source updater using the Ubuntu CVE Tracker.
pkg
commonerr
Package commonerr defines reusable error types common throughout the Clair codebase.
fsutil
Package fsutil contains utility functions for file system querying.
gitutil
Package gitutil implements an easy way to update a git repository to a local temporary directory.
grpcutil
Package grpcutil implements various utilities around managing gRPC services.
httputil
Package httputil implements common HTTP functionality used throughout the Clair codebase.
pagination
Package pagination implements a series of utilities for dealing with paginating lists of objects for an API.
tarutil
Package tarutil implements some tar utility functions.
timeutil
Package timeutil implements extra utilities dealing with time not found in the standard library.
