CoreOS has delivered the first version of its container security inspector, Clair Container Image Security Analyzer. Clair is an inspection engine that looks through the built-up software layers of a given container to see which ones hold outdated code with known vulnerabilities.
When it finds one that does, it sends an alert to the owner and identifies the layer that needs a software update. It's often able to provide a reference to the correct update. CoreOS announced the availability of Clair 1.0 on March 18.
CoreOS already runs Clair itself: a hosted instance of Clair watches over the company's container registry service, Quay.io. The beta version of Quay Security Scanning was based on a pre-1.0 release of Clair.
CoreOS, maker of the Rocket container runtime and CoreOS Linux for container hosts, announced Clair and the scanning service four months ago.
Analyzing the results of Clair's use there, CoreOS concluded that 70% of vulnerabilities could be fixed by updating the installed software in the container image. It also could see that many of the vulnerabilities that were rated as high or critical already have patches. All that's needed to eliminate exposure is to apply the patch.
The Heartbleed vulnerability "has been known for over 18 months, yet scanning (by Clair) found it is still a potential threat to 80 percent of the Docker images users have stored on Quay," wrote Quentin Machu, a CoreOS software engineer, in a blog post on Nov. 13, after he had several months' experience scanning container images stored on Quay.
Heartbleed appeared in April 2014 as a buffer overflow vulnerability in the OpenSSL encryption library and prompted a vulnerability-fighting response from the US Department of Homeland Security.
Clair 1.0 is a scanning engine that's out of beta and ready for production use, Machu wrote. Clair looks at each layer of a container and compares the software it contains against entries in the Common Vulnerabilities and Exposures database maintained by US-CERT, the Office of Cybersecurity and Communications of the DHS.
Similar reference databases are offered by Ubuntu, Debian, and Red Hat.
The scanning engine can be accessed through a public REST-based API, so in-house services may be built that provide periodic checks for container vulnerabilities, Machu wrote. Clair 1.0 is also open source and can be downloaded for use on-premises. Developers may trigger the scanning engine through its API to build homegrown services that check the quality of freshly produced containers and recheck the condition of running containers.
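The kind of in-house check described above, as an added example that is not CoreOS code and not part of the article: a small Python client that registers an image's layers with a Clair instance, reads back the report for the top layer, and turns it into a gate decision. The endpoint paths and JSON field names (POST /v1/layers, GET /v1/layers/{name}?features&vulnerabilities, the Layer/Features/Vulnerabilities/FixedBy structure) are assumptions about the Clair 1.0 API, not taken from the article; the host names, layer digests, package versions and the CVE identifiers in the sample report are constructed placeholders.

```python
"""Poll a Clair 1.0 instance for an image's vulnerabilities and decide whether
the image should pass a build gate (example code, not CoreOS's own).

Assumed (not from the article) Clair v1 endpoints:
  POST /v1/layers                                  register one layer
  GET  /v1/layers/<name>?features&vulnerabilities  read the report
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple


def layer_payload(name: str, tar_url: str, parent: Optional[str]) -> dict:
    """Body for POST /v1/layers (assumed shape). Layers must be registered
    bottom-up so each one can name its parent layer."""
    return {"Layer": {"Name": name, "Path": tar_url,
                      "ParentName": parent or "", "Format": "Docker"}}


def register_layer(clair_url: str, name: str, tar_url: str, parent: Optional[str],
                   opener: Callable = urllib.request.urlopen) -> int:
    """Register one layer and return the HTTP status code."""
    body = json.dumps(layer_payload(name, tar_url, parent)).encode()
    req = urllib.request.Request(f"{clair_url}/v1/layers", data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with opener(req) as resp:
        return resp.status


def fetch_report(clair_url: str, layer_name: str,
                 opener: Callable = urllib.request.urlopen) -> dict:
    """Read the report for the top layer; Clair aggregates the features
    inherited from parent layers into it (assumed behaviour)."""
    with opener(f"{clair_url}/v1/layers/{layer_name}?features&vulnerabilities") as resp:
        return json.load(resp)


def summarize(report: dict, block_on: Tuple[str, ...] = ("High", "Critical")) -> dict:
    """Count findings by severity, list the ones a package update would fix
    (FixedBy is non-empty), and flag whether any blocking severity is present."""
    counts: Dict[str, int] = {}
    fixable: List[Tuple[str, str, str, str]] = []
    blocking: List[str] = []
    for feature in report.get("Layer", {}).get("Features", []):
        for vuln in feature.get("Vulnerabilities", []):
            sev = vuln.get("Severity", "Unknown")
            counts[sev] = counts.get(sev, 0) + 1
            if vuln.get("FixedBy"):
                fixable.append((feature["Name"], feature["Version"],
                                vuln["FixedBy"], vuln["Name"]))
            if sev in block_on:
                blocking.append(vuln["Name"])
    total = sum(counts.values())
    return {"total": total, "by_severity": counts, "fixable": fixable,
            "fixable_ratio": len(fixable) / total if total else 0.0,
            "block": bool(blocking), "blocking": blocking}


# Constructed sample report in the assumed response shape; the digest,
# versions and CVE numbers are placeholders, not real scanner output.
SAMPLE_REPORT = {
    "Layer": {
        "Name": "sha256:constructed-top-layer", "NamespaceName": "debian:8",
        "Features": [
            {"Name": "openssl", "NamespaceName": "debian:8", "Version": "1.0.1e-1",
             "Vulnerabilities": [
                 {"Name": "CVE-0000-0001", "Severity": "High", "FixedBy": "1.0.1e-2",
                  "Link": "https://example.invalid/CVE-0000-0001"}]},
            {"Name": "bash", "NamespaceName": "debian:8", "Version": "4.3-11",
             "Vulnerabilities": [
                 {"Name": "CVE-0000-0002", "Severity": "Medium", "FixedBy": ""},
                 {"Name": "CVE-0000-0003", "Severity": "Low", "FixedBy": "4.3-12"}]},
        ],
    }
}


if __name__ == "__main__":
    # Offline run over the constructed report; swap in fetch_report(...) against
    # a real instance (e.g. http://clair.invalid:6060, placeholder) when available.
    result = summarize(SAMPLE_REPORT)
    for pkg, installed, fixed, cve in result["fixable"]:
        print(f"update {pkg} {installed} -> {fixed} ({cve})")
    raise SystemExit(1 if result["block"] else 0)
```

Exiting non-zero on a High or Critical finding is what lets a CI job refuse to promote a freshly built image; the `fixable` list is the "clear path to updates" the article describes, since each entry names the version that closes the finding.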
Clair has a "fetcher" subsystem that gathers vulnerability data from public sources. It includes "detectors," which index container images by the code modules they contain. The index becomes a reference point if that module is found to need a patch. The index can then reference containers in the registry that contain the module.
It also has notification hooks, so that when a new vulnerability is discovered no time is lost in getting notices out to the parties that have asked to be alerted.
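To make the fetcher, index and notification path concrete, here is an added toy model of that pipeline in Python; it is illustrative code written for this page, not Clair's implementation. Layers are indexed by the packages they contain, a freshly fetched advisory is matched against the index, and the owners of the affected layers are collected for notification. The version comparison follows the dpkg ordering rules (epoch, upstream, revision; `~` sorts before everything) so Debian-style fixed-in versions compare correctly; the layer names, owners, package versions and the advisory name are all constructed.

```python
"""Toy model of an image index plus vulnerability notifications (example code,
not CoreOS's). Each layer lists the packages installed in it; an advisory names
the package and the version that fixes it; every layer whose installed version
sorts below the fix is reported to its owner. All data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


def _order(c: str) -> int:
    """dpkg weight of a non-digit character: '~' before everything (even end of
    string), digits/end count as 0, letters by code point, other symbols after."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments dpkg-style: alternate non-digit runs
    (by _order) and numeric runs (by value, leading zeros ignored)."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia]) if ia < len(a) else 0
            bc = _order(b[ib]) if ib < len(b) else 0
            if ac != bc:
                return ac - bc
            ia, ib = ia + 1, ib + 1
        while ia < len(a) and a[ia] == "0":
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        while ia < len(a) and a[ia].isdigit() and ib < len(b) and b[ib].isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia, ib = ia + 1, ib + 1
        if ia < len(a) and a[ia].isdigit():
            return 1
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(v: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' (epoch and revision optional)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


@dataclass
class Feature:
    namespace: str   # e.g. "debian:8" (constructed)
    name: str
    version: str


@dataclass
class Layer:
    name: str
    owner: str
    features: List[Feature]


@dataclass
class Vulnerability:
    name: str
    namespace: str
    package: str
    fixed_by: str    # "" means no fix is known yet: every installed version is affected
    severity: str


class Index:
    """Maps (namespace, package) to the layers that contain it, the way the
    article describes Clair's index being used to find affected containers."""

    def __init__(self) -> None:
        self.layers: Dict[str, Layer] = {}
        self.by_package: Dict[Tuple[str, str], Set[str]] = defaultdict(set)

    def add_layer(self, layer: Layer) -> None:
        self.layers[layer.name] = layer
        for f in layer.features:
            self.by_package[(f.namespace, f.name)].add(layer.name)

    def affected_layers(self, vuln: Vulnerability) -> List[Tuple[str, str]]:
        """(layer name, installed version) for every layer still exposed."""
        hits = []
        for lname in sorted(self.by_package.get((vuln.namespace, vuln.package), ())):
            for f in self.layers[lname].features:
                if f.name != vuln.package or f.namespace != vuln.namespace:
                    continue
                if not vuln.fixed_by or compare_versions(f.version, vuln.fixed_by) < 0:
                    hits.append((lname, f.version))
        return hits

    def ingest(self, vuln: Vulnerability) -> Dict[str, List[Tuple[str, str, str, str]]]:
        """The notification hook: group affected layers by owner so each party
        gets one notice of (layer, package, installed, fixed_by)."""
        notices: Dict[str, List[Tuple[str, str, str, str]]] = defaultdict(list)
        for lname, installed in self.affected_layers(vuln):
            notices[self.layers[lname].owner].append((lname, vuln.package, installed, vuln.fixed_by))
        return dict(notices)


def demo() -> Dict[str, List[Tuple[str, str, str, str]]]:
    """Constructed registry: three layers, one advisory (placeholder name)."""
    idx = Index()
    idx.add_layer(Layer("base", "team-a", [Feature("debian:8", "openssl", "1.0.1e-2")]))
    idx.add_layer(Layer("app1", "team-b", [Feature("debian:8", "openssl", "1.0.1e-2+deb8u1")]))
    idx.add_layer(Layer("app2", "team-a", [Feature("debian:8", "openssl", "1.0.1k-3")]))
    advisory = Vulnerability("CVE-0000-0001", "debian:8", "openssl", "1.0.1e-2+deb8u1", "High")
    return idx.ingest(advisory)


if __name__ == "__main__":
    for owner, items in demo().items():
        print(owner, items)
```

Only `base` is reported: `app1` already carries the fixed revision and `app2` has a newer upstream version. The model keeps each layer's package list flat; Clair attributes features to the layer that introduced them and inherits through parents, which the article's "identifies the layer that needs a software update" refers to.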
CoreOS will be presenting on the capabilities of Clair at OSCON 2016 in Austin in May.
Machu said a primary accomplishment of the 1.0 release is its improvement in performance, mainly by speeding up interactions with "our largest bottleneck," the system's database.
Getting busy humans to do routine checking of containerized software is hard to do, "which is why we deemed it important to analyze container images for security vulnerabilities as well as provide a clear path to updates mediating those issues …" Machu wrote in his March 18 blog post.
"Container images are infrequently updated. But with Clair security scanning, users can identify and update problematic images more easily," he wrote.