CN112084496A - Clair-based container image security scanning method - Google Patents

Clair-based container image security scanning method

Info

Publication number: CN112084496A
Authority: CN (China)
Prior art keywords: clair, scanning, image, request
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Application number: CN202010909553.4A
Other languages: Chinese (zh)
Inventors: 陶金铸, 寇立强, 王刚, 张晖, 高传集
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Inspur Cloud Information Technology Co Ltd
Original Assignee: Inspur Cloud Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2020-09-02
Filing date: 2020-09-02
Publication date: 2020-12-15
Application filed by Inspur Cloud Information Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The invention provides a Clair-based container image security scanning method in the field of container images. A Clair image-scanning capability is integrated on top of the Harbor image registry to scan images for security problems. Clair relies on a CVE (Common Vulnerabilities and Exposures) data source for vulnerability matching: it traverses the file system of every image and checks, package by package, whether the installed software packages carry known security vulnerabilities, and a daily scheduled scan can scan all images uniformly.

Description

Clair-based container image security scanning method
Technical Field
The invention relates to the field of container images, and in particular to a Clair-based container image security scanning method.
Background
As the number of service product images grows, image security becomes a major concern for service products. Most images carry security vulnerabilities, both in the image's operating-system layer and in its components; such vulnerabilities let attackers tamper with image metadata and implant malicious code through Dockerfiles, Docker Compose files and the like to mount attacks.
Disclosure of Invention
To solve this technical problem, the invention provides a Clair-based container image security scanning method.
The technical scheme of the invention is as follows:
A Clair-based secure image scanning method:
First, a Clair-based scanning tool extracts features from the image; the features are then matched against the CVE (Common Vulnerabilities and Exposures) vulnerability library, and a notice is raised if a vulnerability is found. The tool cross-checks the operating system of the Docker image and whether any package installed on it matches a known vulnerable package version; it can scan during the image build, exposes an API, and supports build blocking and alerting.
The method is implemented by integrating a container scanning tool component into Harbor. The scanner traverses the file system of every image and compares, one by one, the version of each software package (Package) in the image's operating system against the component versions in the CVE vulnerability source to determine whether a security vulnerability is present.
Further,
the image registry Harbor integrates the Clair image scanning tool, and the cir-api application service wraps the Harbor API to control Clair through its API.
The uploaded image is scanned: a client receives an HTTP POST image-scan request initiated by Harbor and performs basic parameter validation.
The client then uses the token headers in the request parameters to request the registry path directly, downloads the image layer files, parses their contents to obtain a fileMap, detects the image operating system, traverses the extracted file directory, and matches the features against the CVE vulnerability library.
Further,
the cir-api server initiates a scan request to the job service with the repository name and tag as request parameters; on receiving the request, the job service requests the registry to determine whether the manifest of the current image exists.
The digest of that manifest is extracted, and the job service inserts the digest, repository name and tag as a record into the Job table with state pending. The job system then creates a scan-task Job for scheduling, obtains all layer digests of the image from the manifest file, packages a ClairLayer parameter object for each layer, and calls the Clair API once per layer in a loop. On receiving each request, Clair first checks by ParentName whether the parent layer exists.
If it does not, an error is reported;
if it does, Clair detects the operating system and software package version information of the layer, compares and matches the layer's version feature data against the fetched public CVE vulnerability data, and returns the image vulnerability scan result.
Advantages of the invention
Based on Harbor's way of integrating container components, the invention performs layer-by-layer scanning and component analysis of the image to prevent attackers from implanting malicious code through Dockerfiles, docker-compose files and the like, thereby keeping the service under control. Clair analyses the image at the layer level, so the vulnerability state of each layer can be inspected. Clair's vulnerability scan compares software versions against the vulnerability signatures in the CVE vulnerability source: each version is compared with the vulnerability data in the database, and a match means the image carries the corresponding vulnerability.
Drawings
FIG. 1 is a schematic diagram of the overall architecture of the present invention;
FIG. 2 is a Clair overall architecture diagram.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative efforts belong to the scope of the present invention.
According to the invention, image security scanning is achieved by integrating Clair image scanning on top of the Harbor image registry. Clair relies on a CVE data source for vulnerability matching, traverses the file system of every image, checks package by package whether the installed software packages carry security vulnerabilities, and can also scan all images uniformly through a daily scheduled scan.
Container-based image security scanning mechanism
1. Vulnerability metadata updates are periodically fetched from configured sources into a database.
2. Image features are matched against the CVE vulnerability database, and a notice is raised if a vulnerability is found.
The image registry Harbor integrates the Clair image scanning tool, and the cir-api application service wraps the Harbor API to control Clair through its API.
The uploaded image is scanned by the tool: a client receives an HTTP POST image-scan request initiated by Harbor, performs basic parameter validation, uses the token headers in the request parameters to request the registry path directly, downloads the image layer files, parses their contents to obtain a fileMap, detects the image operating system, traverses the extracted file directories, and matches the features against the CVE vulnerability library.
The architecture is shown in FIG. 1.
The cir-api server initiates a scan request to the job service with the repository name and tag as request parameters. On receiving it, the job service requests the registry to check whether the manifest of the current image exists, extracts the digest of that manifest, and inserts the digest, repository name and tag as a record into the Job table in the pending state. The job system then creates a scan-task Job for scheduling, obtains all layer digests of the image from the manifest file, packages a ClairLayer parameter object for each layer, and calls the Clair API once per layer in a loop. On receiving each request, Clair first checks by ParentName whether the parent layer exists; if it does not, an error is returned. If it does, Clair detects the operating system and software package version information of the layer, compares and matches the layer's version feature data against the fetched public CVE vulnerability data, and returns the image vulnerability scan result.
As shown in FIG. 2, Clair consists mainly of the following modules:
Fetcher - gathers vulnerability data from public sources
Detector - identifies the Features contained in a container image
Container Format - the container image formats Clair knows, including Docker and ACI
Notification Hook - notifies a user or machine when new vulnerabilities are discovered or existing vulnerabilities change
Database - stores the layers and vulnerabilities of containers
Worker - every POST of a Layer starts a Worker that runs layer detection
The overall Clair processing flow is as follows:
Clair periodically fetches vulnerability metadata from configured sources and stores it in its database.
The client submits the image to Clair through the Clair API; Clair extracts the image's features and stores them in the database.
The client uses the Clair API to query the database for the vulnerability profile of a particular image; vulnerabilities and features are correlated at query time for each request, so the image need not be rescanned when vulnerability data changes.
The above description is only a preferred embodiment of the present invention, and is only used to illustrate the technical solutions of the present invention, and not to limit the protection scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (8)

1. A Clair-based container image security scanning method, characterized in that:
first, a Clair-based scanning tool extracts features from the image; the features are then matched against the CVE (Common Vulnerabilities and Exposures) vulnerability library, and a notice is raised if a vulnerability is found.
2. The method of claim 1, wherein
Clair scanning traverses the file system of every image and compares, one by one, the software package versions in the image's operating system against the component versions in the CVE vulnerability source to determine whether a security vulnerability is present.
3. The method of claim 2, wherein
the image registry Harbor integrates the Clair image scanning tool, and the cir-api application service wraps the Harbor API to control Clair through its API.
4. The method of claim 3, wherein
the uploaded image is scanned: a client receives an HTTP POST image-scan request initiated by Harbor and performs basic parameter validation.
5. The method of claim 4, wherein
the client uses the token headers in the request parameters to request the registry path directly, downloads the image layer files, parses their contents to obtain a fileMap, detects the image operating system, traverses the extracted file directory, and matches the features against the CVE vulnerability library.
6. The method of claim 5, wherein
the cir-api server initiates a scan request to the job service with the repository name and tag as request parameters; on receiving the request, the job service requests the registry to determine whether the manifest of the current image exists.
7. The method of claim 6, wherein
the digest of the current manifest is extracted, and the job service inserts the digest, repository name and tag as a record into the Job table with state pending; the job system then creates a scan-task Job for scheduling, obtains all layer digests of the image from the manifest file, packages a ClairLayer parameter object for each layer, and calls the Clair API once per layer in a loop; on receiving each request, Clair first checks by ParentName whether the parent layer exists.
8. The method of claim 7, wherein
if the parent layer does not exist, an error is reported;
if it exists, Clair detects the operating system and software package version information of the layer, compares and matches the layer's version feature data against the fetched public CVE vulnerability data, and returns the image vulnerability scan result.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202010909553.4A | 2020-09-02 | 2020-09-02 | Clair-based container image security scanning method

Publications (1)

Publication Number | Publication Date
CN112084496A | 2020-12-15

Family ID: 73732767

Country Status (1)

CN (1) CN112084496A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112613041A (en) * 2020-12-25 2021-04-06 南方电网深圳数字电网研究院有限公司 Container image detection method and device, electronic device and storage medium

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170109536A1 (en) * 2015-10-15 2017-04-20 Twistlock, Ltd. Static detection of vulnerabilities in base images of software containers
CN109918911A (en) * 2019-03-18 2019-06-21 北京升鑫网络科技有限公司 Method and device for scanning image installation package information
CN110187955A (en) * 2019-05-27 2019-08-30 四川大学 Docker container content security detection method and device combining dynamic and static analysis

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Anonymous: "Harbor repository image scanning principle" (Harbor仓库镜像扫描原理), HTTPS://WWW.H3399.CN/201902/661445.HTML, 6 May 2020 (2020-05-06) *
魏兴镇 et al.: "SecDr: a content-secure Docker image repository" (SecDr:一种内容安全的Docker镜像仓库), Computer and Modernization (计算机与现代化), no. 5, 15 May 2018 (2018-05-15), pages 70-73 *

Legal Events

Code | Title | Description
PB01 | Publication | Application publication date: 2020-12-15
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication |