Skip to content

/ claircore

foundation modules for scanning container packages and reporting vulnerabilities

Apache-2.0 License
45 stars 18 forks
Star
Watch
master
17 branches 41 tags
Go to file
Code
Clone

Use Git or checkout with SVN using the web URL.

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
.chglog
 
 
.github/workflows
 
 
alpine
 
 
aws
 
 
cmd
 
 
debian
 
 
docs
 
 
dpkg
 
 
etc
 
 
internal
 
 
libindex
 
 
libvuln
 
 
oracle
 
 
osrelease
 
 
photon
 
 
pkg
 
 
python
 
 
pyupio
 
 
rhel
 
 
rpm
 
 
scanner/pkgconfig
 
 
suse
 
 
test
 
 
testdata
 
 
ubuntu
 
 
updater
 
 
.gitignore
 
 
CHANGELOG.md
 
 
CODEOWNERS
 
 
DCO
 
 
LICENSE
 
 
Makefile
 
 
README.md
 
 
affectedmanifests.go
 
 
affectedmanifests_test.go
 
 
archop.go
 
 
archop_string.go
 
 
book.toml
 
 
digest.go
 
 
distribution.go
 
 
doc.go
 
 
docker-compose.yaml
 
 
environment.go
 
 
go.mod
 
 
go.sum
 
 
indexreport.go
 
 
layer.go
 
 
layer_integration_test.go
 
 
manifest.go
 
 
mock_generate.go
 
 
package.go
 
 
repository.go
 
 
severity.go
 
 
severity_string.go
 
 
tar_test.go
 
 
tools.go
 
 
version.go
 
 
version_test.go
 
 
vulnerability.go
 
 
vulnerabilityreport.go
 
 

README.md

ClairCore

ClairCore provides a set of go modules which handle scanning container layers for installed packages and reporting any discovered vulnerabilities.
ClairCore is designed to be embedded into a service wrapper.

For a full overview see: ClairCore Book

Usage

Two packages exist libindex and libvuln.
These packages export the methods for indexing an image's contents and matching the results of the index to vulnerabilities respectively.

libindex usage

Creating an instance

opts := &libindex.Opts{
    ConnString: "postgres://host:port",
    Migrations: true,
    // see definition for more configuration options
}
lib := libindex.New(opts)

call libindex with a populated Manifest

m := &claircore.Manifest{
    ...
}

ir, err := lib.Index(m)
if err != nil {
    log.Printf("%v", err)
}
if ir.State == "IndexError" {
    log.Printf("scan failed: %s", sr.Err)
}

libvuln usage

creating an instance

opts := &libvuln.Opts{
    ConnString: "postgres://host:port",
    Migrations: true,
    // see definition for more configuration option
}
lib := libvuln.New(opts)

call libvuln with a populated IndexReport

ir := &claircore.IndexReport{
    ...
}
vr, err := libvuln.Scan(ir)
if err != nil {
    log.Printf("%v", err)
}

Libvuln will first initialize all updaters before returning from its constructor.
Controlling how many updaters initialize in parallel is provided via the libvuln.Opts struct

To further understand how these packages work together see:
Highlevel Architecture
Vulnerability Matching

Local development and testing

The following targets start and stop a local development environment

make local-dev-up
make local-dev-down

If you modify libvuln or libindex code the following make targets will restart the services with your changes

make libindexhttp-restart
make libvulnhttp-restart

With the local development environment up the following make target runs all tests including integration

make integration

The following make target runs unit tests which do not require a database or local development environment

make unit

About

foundation modules for scanning container packages and reporting vulnerabilities

Resources

Readme

License

Apache-2.0 License

Releases 41

v0.1.15 Release Latest
Nov 2, 2020
+ 40 releases

Packages

No packages published

Contributors 10

Languages

You can’t perform that action at this time.