klar Archived

Project ID: 13922331
    Zamir Martins authored
    Abort scans if IGNORE_DEPRECATION_ERROR environment variable is unset
    
    See merge request !85
    d401789a

    klar analyzer

    GitLab Analyzer for Docker Containers.

    This analyzer is a wrapper around clair, a static vulnerability analysis tool for Docker containers. It uses klar to analyze images stored in a private or public Docker registry for security vulnerabilities.

    Technical Documentation

    See the Process Flow documentation for a technical overview of the Container Scanning components and walkthrough of the Container Scanning process.

    Environment Variables

    See the Available variables section in the GitLab Container Scanning docs.

    Because this analyzer is deprecated, explicit user opt-in is required: set the IGNORE_DEPRECATION_ERROR environment variable to any value. When the variable is absent, the analyzer aborts on startup.

    Development

    Build image

    $ ./script/build image

    Running the analyzer locally

    See the Running the standalone Container Scanning Tool section in the GitLab Container Scanning docs.

    Tests

    The integration tests depend on some background services in order to complete successfully.

    To start the background services:

    $ ./script/server start

    To stop the background services:

    $ ./script/server stop

    To run the unit tests:

    $ ./script/test unit

    To run the integration tests:

    $ ./script/test integration

    To run a specific integration test:

    $ ./script/test integration spec/integration/rhel_spec.rb

    To run the docker image analysis tests:

    $ IMAGE_NAME=registry.gitlab.com/gitlab-org/security-products/analyzers/klar:latest ./script/test image

    To run the project linters:

    $ ./script/test lint

    To run all the tests:

    $ ./script/test

    How to update the upstream Scanner

    1. Check for the latest versions of clair and klar at https://github.com/coreos/clair/tags and https://github.com/optiopay/klar/tags
    2. Compare with the values of SCANNER_VERSION and KLAR_EXECUTABLE_VERSION in the Dockerfile
    3. If an update is available, create a branch and bump the version in CHANGELOG.md
    4. Edit the Dockerfile and change the default values for the following Docker build arguments:
      1. CLAIR_VERSION
      2. KLAR_EXECUTABLE_VERSION
      3. KLAR_EXECUTABLE_SHA
    5. If updating the CLAIR_VERSION variable, also make sure to update the container-scanner/clair/config.yaml.template file to match the latest version of the config.yaml.sample from the clair repository, since the format of this file may change between versions. You'll also need to ensure that the POSTGRES-VULNERABILITIES-DB-URL placeholder variable is inserted into the host field of the database block in the new config.yaml.template file, for example:
      clair:
        database:
          type: pgsql
          options:
            source: POSTGRES-VULNERABILITIES-DB-CONNECTION-STRING
    6. Create a merge request. The pipeline automatically builds and tags a new analyzer image of the form registry.gitlab.com/gitlab-org/security-products/analyzers/klar/tmp:af864bd61230d3d694eb01d6205b268b4ad63ac0, where the tag is the SHA of the most recent commit.
    7. Create a new branch in the container-scanning test project and do the following:
      1. Modify the container_scanning section of .gitlab-ci.yml to reference the new analyzer image:
        container_scanning:
          allow_failure: false
          # the following is the only line you should need to add here
          image: registry.gitlab.com/gitlab-org/security-products/analyzers/klar/tmp:af864bd61230d3d694eb01d6205b268b4ad63ac0
          variables:
            GIT_STRATEGY: fetch
            CLAIR_DB_IMAGE_TAG: "2019-09-04"
          artifacts:
            paths: [gl-container-scanning-report.json]
      2. Trigger the pipeline for the above branch in the container-scanning test project and make sure it passes
    8. Merge the request created in step 5 and follow the release process to publish this update.
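    To illustrate steps 1 to 4 of the procedure above, here is an added Go example (not code from this project) that reads the pinned ARG defaults out of a Dockerfile and decides whether an upstream tag is newer than the pinned one. The Dockerfile content and the "latest" tag values are constructed stand-ins; nothing is fetched from GitHub, and the SHA placeholder is not a real digest.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed stand-in for the analyzer's Dockerfile (the real file is not on this page).
const sampleDockerfile = `ARG CLAIR_VERSION=v2.1.0
ARG KLAR_EXECUTABLE_VERSION=2.4.0
ARG KLAR_EXECUTABLE_SHA="<sha256-of-the-pinned-klar-binary>"
`

// dockerfileArgs returns the default value of every "ARG NAME=VALUE" line.
func dockerfileArgs(content string) map[string]string {
	args := map[string]string{}
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		kv := strings.SplitN(strings.TrimPrefix(line, "ARG "), "=", 2)
		if strings.HasPrefix(line, "ARG ") && len(kv) == 2 {
			args[kv[0]] = strings.Trim(kv[1], `"`)
		}
	}
	return args
}

// parseVersion turns "v2.1.0" or "2.4.0" into [2 1 0]; missing or non-numeric parts become 0.
func parseVersion(v string) [3]int {
	var out [3]int
	for i, p := range strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3) {
		out[i], _ = strconv.Atoi(p)
	}
	return out
}

// newerThan reports whether the upstream tag is strictly higher than the pinned one.
func newerThan(upstream, current string) bool {
	u, c := parseVersion(upstream), parseVersion(current)
	for i := range u {
		if u[i] != c[i] {
			return u[i] > c[i]
		}
	}
	return false
}

func main() {
	args := dockerfileArgs(sampleDockerfile) // the "latest" tags below are constructed, not fetched
	fmt.Println("clair update:", newerThan("v2.1.4", args["CLAIR_VERSION"]), "klar update:", newerThan("2.4.0", args["KLAR_EXECUTABLE_VERSION"]))
}
```

    When an update is reported, the pinned value and the matching KLAR_EXECUTABLE_SHA must be changed together, since the SHA is what ties the build to one specific upstream binary.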

    Versioning and release process

    With the initial release of the Klar analyzer in GitLab 12.3, the associated vendored template used a 12-3-stable Docker image tag. This has been removed; starting with GitLab 12.4, the analyzer follows the usual release process of any other analyzer and does not need to be released under an x-y-stable Docker image tag.

    Please check the common Versioning and release process documentation.

    Contributing

    Contributions are welcome, see CONTRIBUTING.md for more details.

    License

    This code is distributed under the GitLab Enterprise Edition (EE) license, see the LICENSE file.