CoreOS has augmented its open source container image security analyzer, Clair, to suggest the available patches or updates that correct the vulnerabilities it finds.
The new feature is part of the production-ready 1.0 release of Clair. In addition to remediation guidance, Clair 1.0 also brings considerable improvements in performance and extensibility.
“We’ve made Clair a lot more actionable by fleshing out the APIs to give you better insight not only into what vulnerabilities you have, but what actions you can take to remove the vulnerabilities or fix them,” said Jacob Moshenko, CoreOS product manager and a co-founder of Quay, which CoreOS acquired for its container registry technology.
The software addresses the nascent but growing issue of how to update containers once they are in production. “It’s usually developers who are creating container images, and not the ops people, who have traditionally been responsible for updating the operating system,” Moshenko said. Clair provides a way to incorporate security updating into a container-based development and deployment process.
First released in beta form late last year, Clair compares the contents of a container image against a number of Linux distribution-specific CVE databases (currently those maintained by Red Hat, Ubuntu, and Debian). It then alerts the user if any of the software within the image has known vulnerabilities. It can be used both to scan existing images for known vulnerabilities and to rescan them when new vulnerabilities are published.
Today, many containers are based on a standard full-sized Linux distribution, such as Debian or Ubuntu, and, as a result, carry a large attack surface: many installed packages, each a possible source of vulnerabilities that could be used in an attack.
CoreOS, indexing containers hosted in the company’s own Quay container registry, found that more than 70 percent of detected vulnerabilities could be fixed simply by updating the installed packages in those container images, and that more than 80 percent of critical vulnerabilities could be fixed with such an update.
The updated Clair now provides, by way of its API, not only the specific vulnerability found, but also the version of the software package that fixes the vulnerability, as well as data, when available, from the Common Vulnerability Scoring System (CVSS), including fundamental vulnerability characteristics such as the access vector, whether authentication is required, and the impacts on confidentiality, integrity, and availability.
The software flags the specific image layer in which the vulnerable package resides, offering a system administrator a shortcut to where the patch should be applied.
“We tell you which package version the problem was fixed in, if it’s been fixed by the OS vendor. And if it hasn’t been fixed by the OS vendor, we tell you that problem as well,” Moshenko said.
The system also offers suggestions on ways to speed the correction process, showing, for instance, cases where multiple vulnerabilities could be fixed by a single update.
Typically, correcting a vulnerability in a container involves rebuilding the image with the updated package. This can be done either internally through Quay, or a new build can be triggered in a continuous integration/continuous deployment (CI/CD) system by way of the Clair webhook.
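The grouping step described above, turning per-vulnerability findings into a short list of package upgrades, is easy to get wrong when several findings on the same package are fixed in different versions. The script below is an added example, not code from Clair or CoreOS: it reads a constructed, simplified report (image name, layer ids, package names, versions and vulnerability ids are all placeholders, and the JSON shape is an assumption modelled on what the article says the API returns, not the real Clair schema), groups findings by layer and package, picks the single fixed-by version that closes every finding in the group, separates out findings with no vendor fix, and orders the resulting actions by the most severe finding they close.

```python
"""Plan package upgrades from container-image vulnerability findings.

Added example: the report shape is a constructed stand-in for the data the
article describes (vulnerability, fixed-in version, severity/CVSS, layer).
It is NOT the real Clair API schema; ids and versions are placeholders.
"""
import json
import re
from collections import defaultdict

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Unknown": 0}

# Constructed sample report (not real scanner output).
SAMPLE_REPORT = json.dumps({
    "image": "registry.example/app:1.2.3",
    "layers": [
        {"id": "layer-1", "findings": [
            {"vuln": "EXAMPLE-0001", "package": "openssl", "installed": "1.0.1-1",
             "fixed_by": "1.0.1-3", "severity": "Critical",
             "cvss": {"score": 9.8, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}},
            {"vuln": "EXAMPLE-0002", "package": "openssl", "installed": "1.0.1-1",
             "fixed_by": "1.0.1-2", "severity": "High",
             "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}},
        ]},
        {"id": "layer-2", "findings": [
            {"vuln": "EXAMPLE-0003", "package": "bash", "installed": "4.3-1",
             "fixed_by": "4.3-2", "severity": "Medium", "cvss": None},
        ]},
        {"id": "layer-3", "findings": [
            # No vendor fix yet: an empty fixed_by models the "not fixed" case.
            {"vuln": "EXAMPLE-0004", "package": "libexample", "installed": "0.9-1",
             "fixed_by": "", "severity": "Low", "cvss": None},
        ]},
    ],
})


def version_key(version):
    """Approximate package-version ordering by comparing numeric fields.

    Real tooling should use the distribution's own comparison (dpkg/rpm
    epochs, tildes, letters); this is enough to pick the newest fixed-by
    version among findings on one package in the sample data.
    """
    return tuple(int(p) for p in re.split(r"[^0-9]+", version) if p)


def plan_remediation(report_text):
    """Return (actions, unfixed).

    actions: one entry per (layer, package, installed version) with a vendor
    fix, naming the single version to upgrade to and every finding that the
    upgrade closes, ordered with the most severe finding first.
    unfixed: findings with no vendor fix, which need another mitigation.
    """
    report = json.loads(report_text)
    groups = defaultdict(list)
    unfixed = []
    for layer in report["layers"]:
        for finding in layer["findings"]:
            if finding["fixed_by"]:
                key = (layer["id"], finding["package"], finding["installed"])
                groups[key].append(finding)
            else:
                unfixed.append({"layer": layer["id"], **finding})

    actions = []
    for (layer_id, package, installed), findings in groups.items():
        # The highest fixed-by version closes every finding in the group.
        target = max((f["fixed_by"] for f in findings), key=version_key)
        worst = max(findings, key=lambda f: SEVERITY_RANK.get(f["severity"], 0))
        actions.append({
            "layer": layer_id,
            "package": package,
            "installed": installed,
            "upgrade_to": target,
            "fixes": sorted(f["vuln"] for f in findings),
            "max_severity": worst["severity"],
            "cvss_vector": (worst.get("cvss") or {}).get("vector"),
        })
    actions.sort(key=lambda a: SEVERITY_RANK.get(a["max_severity"], 0), reverse=True)
    return actions, unfixed


if __name__ == "__main__":
    planned, open_items = plan_remediation(SAMPLE_REPORT)
    for a in planned:
        print(f"[{a['max_severity']}] {a['layer']}: upgrade {a['package']} "
              f"{a['installed']} -> {a['upgrade_to']} (fixes {', '.join(a['fixes'])})")
    for f in open_items:
        print(f"[{f['severity']}] {f['layer']}: {f['package']} {f['vuln']} "
              "has no vendor fix yet")
```

On the sample data the two openssl findings collapse into one action (upgrade to 1.0.1-3, the later of the two fixed-by versions), the bash finding becomes a second action, and the unfixed libexample finding is reported separately so it is not silently dropped from the rebuild plan. The `version_key` helper is deliberately simple; in a real pipeline, compare versions with the distribution's own rules.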
Ready for Duty
Much of the performance improvement comes from a new backing database, PostgreSQL. Previously, the company used a graph database; PostgreSQL’s recursive queries let Clair emulate a graph-like structure on a relational store. The switch lowered API response latency from 30 seconds to 30 milliseconds, the company boasted.
CoreOS has also expanded the API, rendered in RESTful JSON, in the hope that it can be more easily incorporated into workflows and systems, whether created internally or by third-party software providers. Various subsystems of the software have been made extensible, including the vulnerability fetchers, the detectors, the notification hooks, and the components for working with image formats.
Users of the CoreOS Quay registry get the feature for free. The registry can fire off notifications to the user through a website notification, through a webhook back to the user’s own site, or via some other configuration. The software is also available on GitHub.
CoreOS is a sponsor of The New Stack.
Feature image via Pixabay.