Clair Application Analysis

The Clair coordinate-based matching feature provides the ability to scan and evaluate Clair-identified container dependencies.

For reference on how to use Clair please refer to the Clair documentation.

What is Supported

Files named clair-scanner-output.json created by the client Clair scanner (https://github.com/arminc/clair-scanner).

Steps to analyze using the Sonatype IQ CLI

Create the clair-scanner-output.json by running the Clair scanner

For detailed instructions on Clair scanner please refer to the Clair scanner documentation.

Example command

clair-scanner --ip 10.0.1.144 -r clair-scanner-output.json vulnerables/web-dvwa

Example file content

{
    "image": "image",
    "vulnerabilities": [
        {
            "featurename": "apt",
            "featureversion": "1.4.8",
            "vulnerability": "CVE-2019-3462",
            "namespace": "debian:9",
            "description": "TEST",
            "link": "https://security-tracker.debian.org/tracker/CVE-2019-3462",
            "severity": "Critical",
            "fixedby": "1.4.9"
        },
        {
            "featurename": "libxslt",
            "featureversion": "1.1.29-2.1",
            "vulnerability": "CVE-2017-16997",
            "namespace": "debian:9",
            "description": "TEST",
            "link": "https://security-tracker.debian.org/tracker/CVE-2017-16997",
            "severity": "Critical",
            "fixedby": "2.24-11+deb9u4"
        }
    ]
}
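To see what the IQ scan consumes, here is an added example (not Sonatype's or Clair's code) that parses a clair-scanner-output.json in the format shown above, checks that each entry carries the fields needed to match a package to a vulnerability, and summarizes the findings by severity and by whether the distribution has shipped a fix. It also checks the file name, since the IQ CLI and plugins only pick up files named exactly clair-scanner-output.json. The sample report is constructed from the two entries above plus a third entry with an empty fixedby and a placeholder CVE id, so the "no fix available" case is exercised.

```python
"""Validate and summarize a clair-scanner-output.json before handing it to IQ.

Added example; not Sonatype's or Clair's own code. The sample report below is
constructed from the entries shown in the documentation plus one placeholder entry.
"""
import json
import os
from collections import Counter

# Only this exact file name is matched by the IQ CLI directory scan and the
# "**/clair-scanner-output.json" scan patterns used by the Jenkins/Bamboo plugins.
EXPECTED_NAME = "clair-scanner-output.json"

# Fields needed to match a Clair finding to a distribution package. 'fixedby' is
# not required because clair-scanner leaves it empty when no fix has shipped.
REQUIRED_FIELDS = ("featurename", "featureversion", "vulnerability", "namespace", "severity")

# Constructed sample: the two page entries plus an unfixed entry with a placeholder CVE id.
SAMPLE_REPORT = json.dumps({
    "image": "vulnerables/web-dvwa",
    "vulnerabilities": [
        {"featurename": "apt", "featureversion": "1.4.8", "vulnerability": "CVE-2019-3462",
         "namespace": "debian:9", "description": "TEST",
         "link": "https://security-tracker.debian.org/tracker/CVE-2019-3462",
         "severity": "Critical", "fixedby": "1.4.9"},
        {"featurename": "libxslt", "featureversion": "1.1.29-2.1", "vulnerability": "CVE-2017-16997",
         "namespace": "debian:9", "description": "TEST",
         "link": "https://security-tracker.debian.org/tracker/CVE-2017-16997",
         "severity": "Critical", "fixedby": "2.24-11+deb9u4"},
        {"featurename": "zlib", "featureversion": "1:1.2.8.dfsg-5", "vulnerability": "CVE-0000-00000",
         "namespace": "debian:9", "description": "constructed entry, placeholder CVE id",
         "link": "", "severity": "Medium", "fixedby": ""},
    ],
})


def has_expected_name(path):
    """True when the basename is exactly the file name the IQ scan targets look for."""
    return os.path.basename(path) == EXPECTED_NAME


def load_clair_report(text):
    """Parse a clair-scanner report and raise ValueError if it is malformed."""
    doc = json.loads(text)
    vulns = doc.get("vulnerabilities")
    if not isinstance(vulns, list):
        raise ValueError("report has no 'vulnerabilities' list")
    for idx, entry in enumerate(vulns):
        missing = [field for field in REQUIRED_FIELDS if not entry.get(field)]
        if missing:
            raise ValueError(f"vulnerability entry {idx} is missing {missing}")
    return doc


def summarize(doc):
    """Count findings per severity and split them into fixable and unfixed packages."""
    vulns = doc["vulnerabilities"]
    by_severity = Counter(v["severity"] for v in vulns)
    fixable = [(v["featurename"], v["featureversion"], v["fixedby"])
               for v in vulns if v.get("fixedby")]
    unfixed = [(v["featurename"], v["featureversion"], v["vulnerability"])
               for v in vulns if not v.get("fixedby")]
    return {
        "image": doc.get("image", ""),
        "by_severity": dict(by_severity),
        "fixable": fixable,
        "unfixed": unfixed,
    }


if __name__ == "__main__":
    summary = summarize(load_clair_report(SAMPLE_REPORT))
    print(f"{summary['image']}: {summary['by_severity']}")
    for name, version, fix in summary["fixable"]:
        print(f"  upgrade {name} {version} -> {fix}")
    for name, version, cve in summary["unfixed"]:
        print(f"  no fix yet: {name} {version} ({cve})")
```

Running the script on a real report (replace SAMPLE_REPORT with the file contents) gives a quick pre-flight view of what the IQ policy evaluation will see; an entry rejected by load_clair_report would point at a truncated or hand-edited report rather than a problem on the IQ side.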

Run a scan

Invoke a Sonatype IQ CLI scan of the directory containing clair-scanner-output.json. Instructions on how to do this can be found in the Sonatype IQ CLI documentation.

Steps to analyze using the Jenkins plugin

By default, the Jenkins plugin will not evaluate the clair-scanner-output.json file. A custom Scan Target is needed.

Example Pipeline Script with Scan Patterns

nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/clair-scanner-output.json']], iqStage: 'build'

To find more information on configuring Jenkins, please go to Sonatype Platform Plugin for Jenkins.

Steps to analyze using the Bamboo plugin

Bamboo Scan Targets control what files are examined. Add clair-scanner-output.json to the scan targets via "**/clair-scanner-output.json" to evaluate Clair. To find more information on configuring Bamboo, please go to Sonatype IQ for Bamboo.