Add fully support for Alpine based containers #12
Comments
Hello, Sure. There are two main steps to support that operating system:
As far as I know, there is no great trusted vulnerability source for it (only thing I found is that). Detection would be supported but vulnerability would probably have to be inserted manually. Any contributions are much appreciated. |
If you'd like this feature in Clair, you should rally upstream for the Alpine Linux package maintainers to curate a database of vulnerabilities. Grepping their git log would be able to extract some information, but that isn't an ideal data source. |
+1 yep, having this for Alpine would be great. I've come across this on the wiki, although not sure how useful or not it might be in this case - http://wiki.alpinelinux.org/wiki/Cvechecker. |
@stepanstipl @laurrentt Any interest in taking up the torch and trying to build this alpine checker for clair? I know @jzelinskie and @Quentin-M would happily jump on a video call or chat to give you a rundown of what is necessary. |
👍 on getting support in |
👍 |
@philips I would be happy to have some initial chat to get at least a rough idea what this would involve, in general I would be happy and interested to work on this feature, just not sure whether I can dedicate enough time |
@stepanstipl I talked to @Quentin-M and I think there are two sides
|
Just initiated a discussion on the alpine-devel mailing list. Feel free to participate to share your thoughts and back up the request. |
+1 |
Please say +1 on the mailing-list thread linked above. There's little we can do until Alpine decides to maintain a proper vulnerability database. |
Would we care if the database was actually maintained by the Alpine Linux organization or could it be a 3rd party database? When I originally saw this issue I envisioned something like a GitHub project that housed a mapping of CVE to Alpine packages that could be maintained by users through pull requests (and initially seeded http://wiki.alpinelinux.org/wiki/Cvechecker). New CVE would be pull requests. Then the fetcher for Alpine would pull the git repository and parse the CVE mapping format (TBD). Plausible? |
I think this method would be a strain (and misuse) of GitHub/GitHub's API if all the Clair servers in the wild have to go to GitHub for the CVE information. Would it not? |
+1 |
+1 |
This would be a pretty big win for container security in alpine. ^_^ |
@andyshinn That's a plausible solution, however, this is definitely not the greatest solution nor the one we aim for. I believe that security and thorough vulnerability tracking shall be treated as a first-class citizen and handled as close as possible to the source. Therefore, it should be handled upstream, by both the maintainers, the developers and the community. Additionally, Alpine already has an active Redmine tracking security issues, only not in a machine-readable manner. As a side note, Ubuntu tracks CVEs using |
+1 |
@paulmcgoldrick @sylus @JonathanRosado @dsampath @borzamircea @jeremyd @stepanstipl @lian All of the +1's on this issue to add Alpine support to Clair are great but it would be better if you lobbied upstream on the alpine-dev mailing list and could pitch in helping them figure out how the Alpine project is going to solve this: http://lists.alpinelinux.org/alpine-devel/5228.html |
Anyone want to take a swing at "fuzzy" alpine support for Clair: #187? |
@philips we are working towards this. It would be great to get your feedback. Thanks! |
Referencing #187 (comment). |
Closing this since I think #272 is the closest we're going to get. |
Include advisory name to CVE name
Many Docker projects are now using Alpine as base for their containers (Deis for example). Just last month the Alpine repo had on the Docker hub.