Support wolfi / chainguard detection

[jbergstroem]

Wolfi is an operating system tailored for containers. Clair currently doesn't recognize it so I thought it'd make sense to track support.

$ ./clair-scanner --ip 192.168.1.15 -c http://127.0.0.1:6060 cgr.dev/chainguard/node:20
2023/05/01 20:06:58 [INFO] ▶ Start clair-scanner
2023/05/01 20:07:00 [INFO] ▶ Server listening on port 9279
2023/05/01 20:07:00 [INFO] ▶ Analyzing c2b0d3cadf5af59393ce726798e315e7f56dc8c6d1e3ec55ce46cb6aab03c61a
2023/05/01 20:07:00 [CRIT] ▶ Could not analyze layer: Clair responded with a failure: Got response 422 with message {"Error":{"Message":"worker: OS and/or package manager are not supported"}}

Relevant info

The following examples are from the generated container cgr.dev/chainguard/node:20 which is part of their automated builds.

OS detection

 $ cat /etc/os-release
ID=wolfi
NAME="Wolfi"
PRETTY_NAME="Wolfi"
VERSION_ID="20230201"
HOME_URL="https://wolfi.dev"

Wolfi mentions using apk as a package manager. Here's an example of the installed list:

$ head -n 20 /lib/apk/db/installed
P:glibc-locale-posix
V:2.37-r6
A:x86_64
L:GPL-3.0-or-later
T:POSIX locale data for glibc
o:glibc
m:
U:
D:
p:
c:be767d33fb37b5dc6c42961efe0472f888976899
i:[]
t:-62135596800
S:73758
I:416967
k:0
C:Q1ODlpjBNlf5+8UVI1uHjwELzSof8=
F:usr
F:usr/lib
F:usr/lib/locale

..which also seems to follow the apk package format.

Should a PR abstract alpine into apk and support both OS'es but with different identifiers? Put differently: I'm new to modifying clair and its ecosystem. How should I proceed with a PR to see it merged?

[dlorenc]

I'm with the Wolfi team, and we'd be happy to help here however possible!

[hdonnay]

👋

We'd need to know what package manager is used and how/if it's different from other uses, and where the security advisories are published and in what format.

[dlorenc]

👋

We'd need to know what package manager is used and how/if it's different from other uses, and where the security advisories are published and in what format.

Hey! Thanks for the response! We use the apk package manager (the same as Alpine) and publish a security feed, also in the same format as Alpine. The feed is available here: https://packages.wolfi.dev/os/security.json

[hdonnay]

I think the steps to take are:

• Split the apk indexer out of the alpine package
• Modularize the alpine Updater machinery and create an instance for alpine and wolfi
• Modularize the alpine Matcher machinery and create an instance for alpine and wolfi

I think the generic os-release scanner should be good enough to get distro detection. I don't have the details of all these paged in at the moment, though.

[jbergstroem]

Just noticed that /etc/issue is missing from wolfi images so the distributionscanner needs to make this optional.

[jbergstroem]

@hdonnay is there a reason to read version from /etc/issue over extracting it from PRETTY_NAME found in /etc/os-release?

Relevant info:

claircore/alpine/testdata/3.16/etc/issue

Line 1 in c5ea100

Welcome to Alpine Linux 3.16

claircore/alpine/testdata/3.16/etc/os-release

Line 4 in c5ea100

PRETTY_NAME="Alpine Linux v3.16"

claircore/alpine/distributionscanner.go

Line 41 in c5ea100

issueRegexp = regexp.MustCompile(`Alpine Linux ([[:digit:]]+\.[[:digit:]]+)`)

At least all the test data you have seem to cover using PRETTY_NAME which means for the scope of this issue/modularizing distributionscanner less changes are needed.

[luhring]

Hi! I'm with the Wolfi security team, and we just recently added more documentation for scanners wanting to implement support for Wolfi and the related "Chainguard distro". We've also added some test images for use in manual/automated tests in case that's valuable to you.

https://github.com/chainguard-dev/vulnerability-scanner-support

Also happy to field any questions that come up!

[amdawson]

Also happy to list clair on this page when you're ready, let us know!

https://www.chainguard.dev/scanners

[jbergstroem]

@hdonnay is there a reason to read version from /etc/issue over extracting it from PRETTY_NAME found in /etc/os-release?

Sorry for pinging you again but it would be good to get clarity on this before I move on! Thanks!

[luhring]

@jbergstroem I don't have context for Clair in particular, but this might help a little:

This section explains how scanners should identify the Wolfi/Chainguard distros. Definitely take a look at this! It's short.

tl;dr: Use /etc/os-release to identify the distro. You should use the id field to key off of, and you can use the pretty name for showing to users.

Do not use the version data here! That's explained in the docs, too. 😃

You won't find an /etc/issue.

[jbergstroem]

@luhring thanks for the info; I already had a look! Since the idea is to reuse the same framework for Alpine and Wolfi, I wanted to double-check why we need to read both /etc/issue and /etc/os-release for Alpine before proceeding.

[mattmoor]

JFYI since the discussion above @luhring put together this excellent resource on adding scanner support for our images: https://github.com/chainguard-dev/vulnerability-scanner-support