Understanding Clair v4 Matchers configuration

[ggmoy-tt]

Hey Folks,

I finished the distributed deployment of Clair 4.3.5 inside a K8s cluster and everything seems to be working fine. However, I'm seeing some weird behaviors when putting specific matchers configurations. I'll try to explain below with different configurations.

1. A working configuration

Using the following configuration:

---
http_listen_addr: 0.0.0.0:6060
introspection_addr: 0.0.0.0:8089
log_level: info

indexer:
  connstring: host=DB_HOST port=5432 dbname=indexer user=DB_USER password=DB_PASS
    sslmode=verify-ca sslcert=/etc/clair/ssl/cert.pem sslkey=/etc/clair/ssl/key.pem
    sslrootcert=/etc/clair/ssl/ca.pem
  layer_scan_concurrency: 0
  migrations: true
  scanlock_retry: 10

matcher:
  connstring: host=DB_HOST port=5432 dbname=matcher user=DB_USER password=DB_PASS
    sslmode=verify-ca sslcert=/etc/clair/ssl/cert.pem sslkey=/etc/clair/ssl/key.pem
    sslrootcert=/etc/clair/ssl/ca.pem
  indexer_addr: http://clair-v4/
  disable_updaters: false
  max_conn_pool: 0
  migrations: true
  period: 30m
  update_retention: 2
  updater_sets: {}

notifier:
  connstring: host=DB_HOST port=5432 dbname=notifier user=DB_USER password=DB_PASS
    sslmode=verify-ca sslcert=/etc/clair/ssl/cert.pem sslkey=/etc/clair/ssl/key.pem
    sslrootcert=/etc/clair/ssl/ca.pem
  indexer_addr: http://clair-v4/
  matcher_addr: http://clair-v4/
  delivery_interval: 5s
  migrations: true
  poll_interval: 15s
  webhook:
    callback: http://clair-v4/notifier/api/v1/notifications
    target: https://hooks.slack.com/services/TXXXXXXXX/BYYYYYYYYYY/ZZZZZZZZZZZZZZZZZZZZZZZZ

matchers: {}

updaters:
  sets:
  - alpine

We get the following clairctl output, which I think it is correct:

$ clairctl report --host http://clair-v4/ gcr.io/REGISTRY/hydra:1.10.7 | sort
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42373 (fixed: 0)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42374 (fixed: 1.33.1-r4)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42375 (fixed: 1.33.1-r5)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42376 (fixed: 0)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42377 (fixed: 0)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42378 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42379 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42380 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42381 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42382 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42383 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42384 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42385 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42386 (fixed: 1.33.1-r6)

2. A NOT working configuration, after adding specific matchers names

Using the following configuration:

---
http_listen_addr: 0.0.0.0:6060
introspection_addr: 0.0.0.0:8089
log_level: info

indexer:
  connstring: host=DB_HOST port=5432 dbname=indexer user=DB_USER password=DB_PASS
    sslmode=verify-ca sslcert=/etc/clair/ssl/cert.pem sslkey=/etc/clair/ssl/key.pem
    sslrootcert=/etc/clair/ssl/ca.pem
  layer_scan_concurrency: 0
  migrations: true
  scanlock_retry: 10

matcher:
  connstring: host=DB_HOST port=5432 dbname=matcher user=DB_USER password=DB_PASS
    sslmode=verify-ca sslcert=/etc/clair/ssl/cert.pem sslkey=/etc/clair/ssl/key.pem
    sslrootcert=/etc/clair/ssl/ca.pem
  indexer_addr: http://clair-v4/
  disable_updaters: false
  max_conn_pool: 0
  migrations: true
  period: 30m
  update_retention: 2
  updater_sets: {}

notifier:
  connstring: host=DB_HOST port=5432 dbname=notifier user=DB_USER password=DB_PASS
    sslmode=verify-ca sslcert=/etc/clair/ssl/cert.pem sslkey=/etc/clair/ssl/key.pem
    sslrootcert=/etc/clair/ssl/ca.pem
  indexer_addr: http://clair-v4/
  matcher_addr: http://clair-v4/
  delivery_interval: 5s
  migrations: true
  poll_interval: 15s
  webhook:
    callback: http://clair-v4/notifier/api/v1/notifications
    target: https://hooks.slack.com/services/TXXXXXXXX/BYYYYYYYYYY/ZZZZZZZZZZZZZZZZZZZZZZZZ

matchers:
  names:
  - alpine

updaters:
  sets:
  - alpine

We get the following clairctl output, which I think it is NOT correct:

$ clairctl report --host http://clair-v4/ gcr.io/REGISTRY/hydra:1.10.7 | sort
hydra:1.10.7 ok

3. A working configuration, after adding -matcher at the end of the matcher name

Using the following configuration, which differs from the previous one only by the -matcher at the end of the matcher name:

---
http_listen_addr: 0.0.0.0:6060
introspection_addr: 0.0.0.0:8089
log_level: info

indexer:
  connstring: host=DB_HOST port=5432 dbname=indexer user=DB_USER password=DB_PASS
    sslmode=verify-ca sslcert=/etc/clair/ssl/cert.pem sslkey=/etc/clair/ssl/key.pem
    sslrootcert=/etc/clair/ssl/ca.pem
  layer_scan_concurrency: 0
  migrations: true
  scanlock_retry: 10

matcher:
  connstring: host=DB_HOST port=5432 dbname=matcher user=DB_USER password=DB_PASS
    sslmode=verify-ca sslcert=/etc/clair/ssl/cert.pem sslkey=/etc/clair/ssl/key.pem
    sslrootcert=/etc/clair/ssl/ca.pem
  indexer_addr: http://clair-v4/
  disable_updaters: false
  max_conn_pool: 0
  migrations: true
  period: 30m
  update_retention: 2
  updater_sets: {}

notifier:
  connstring: host=DB_HOST port=5432 dbname=notifier user=DB_USER password=DB_PASS
    sslmode=verify-ca sslcert=/etc/clair/ssl/cert.pem sslkey=/etc/clair/ssl/key.pem
    sslrootcert=/etc/clair/ssl/ca.pem
  indexer_addr: http://clair-v4/
  matcher_addr: http://clair-v4/
  delivery_interval: 5s
  migrations: true
  poll_interval: 15s
  webhook:
    callback: http://clair-v4/notifier/api/v1/notifications
    target: https://hooks.slack.com/services/TXXXXXXXX/BYYYYYYYYYY/ZZZZZZZZZZZZZZZZZZZZZZZZ

matchers:
  names:
  - alpine-matcher

updaters:
  sets:
  - alpine

We get the following clairctl output, which I think it is correct:

$ clairctl report --host http://clair-v4/ gcr.io/REGISTRY/hydra:1.10.7 | sort
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42373 (fixed: 0)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42374 (fixed: 1.33.1-r4)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42375 (fixed: 1.33.1-r5)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42376 (fixed: 0)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42377 (fixed: 0)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42378 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42379 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42380 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42381 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42382 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42383 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42384 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42385 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42386 (fixed: 1.33.1-r6)

Why is it working now? The Clair v4 documentation does not state anything about the -matcher at the end of the matcher's names.

4. A NOT working configuration, after adding ignore_vulns in the matcher configuration block

Using the following configuration, which differs from the previous one only by the added config block inside matchers:

---
http_listen_addr: 0.0.0.0:6060
introspection_addr: 0.0.0.0:8089
log_level: info

indexer:
  connstring: host=DB_HOST port=5432 dbname=indexer user=DB_USER password=DB_PASS
    sslmode=verify-ca sslcert=/etc/clair/ssl/cert.pem sslkey=/etc/clair/ssl/key.pem
    sslrootcert=/etc/clair/ssl/ca.pem
  layer_scan_concurrency: 0
  migrations: true
  scanlock_retry: 10

matcher:
  connstring: host=DB_HOST port=5432 dbname=matcher user=DB_USER password=DB_PASS
    sslmode=verify-ca sslcert=/etc/clair/ssl/cert.pem sslkey=/etc/clair/ssl/key.pem
    sslrootcert=/etc/clair/ssl/ca.pem
  indexer_addr: http://clair-v4/
  disable_updaters: false
  max_conn_pool: 0
  migrations: true
  period: 30m
  update_retention: 2
  updater_sets: {}

notifier:
  connstring: host=DB_HOST port=5432 dbname=notifier user=DB_USER password=DB_PASS
    sslmode=verify-ca sslcert=/etc/clair/ssl/cert.pem sslkey=/etc/clair/ssl/key.pem
    sslrootcert=/etc/clair/ssl/ca.pem
  indexer_addr: http://clair-v4/
  matcher_addr: http://clair-v4/
  delivery_interval: 5s
  migrations: true
  poll_interval: 15s
  webhook:
    callback: http://clair-v4/notifier/api/v1/notifications
    target: https://hooks.slack.com/services/TXXXXXXXX/BYYYYYYYYYY/ZZZZZZZZZZZZZZZZZZZZZZZZ

matchers:
  names:
  - alpine-matcher
  config:
    alpine-matcher:
      ignore_vulns:
        - CVE-2021-42373

updaters:
  sets:
  - alpine

We get the following clairctl output, which I think it is NOT correct since it is still reporting CVE-2021-42373:

$ clairctl report --host http://clair-v4/ gcr.io/REGISTRY/hydra:1.10.7 | sort
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42373 (fixed: 0)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42374 (fixed: 1.33.1-r4)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42375 (fixed: 1.33.1-r5)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42376 (fixed: 0)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42377 (fixed: 0)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42378 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42379 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42380 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42381 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42382 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42383 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42384 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42385 (fixed: 1.33.1-r6)
hydra:1.10.7 found busybox 1.33.1-r3 CVE-2021-42386 (fixed: 1.33.1-r6)

I've been reading clair and claircore source code and it seems that ignore_vulns is not implemented. Could that be possible or I'm doing wrong reading the code?

Could someone help me understand why this behavior, please?

Thanks in advance,
Gustavo

[crozzy]

Hi Gustavo, thanks for the questions. I will attempt to shed some light.

3. A working configuration, after adding -matcher at the end of the matcher name

The alpine matcher's name is indeed alpine-matcher, https://github.com/quay/claircore/blob/main/alpine/matcher.go#L16, if you grep the logs for matchers created you should see the # of matchers create (maybe improved logging by naming the matchers here too?)

4. A NOT working configuration, after adding ignore_vulns in the matcher configuration block

You are right in your assumption, no matchers have the ability to ignore any vulns currently, the documented example is hypothetical example of how passing config values for matchers are passed to the respective factory constructor .
As far as whether Clair should be able to be configured to ignore certain vulns; I think the prevailing view is that Clair should report what it knows and the consumer should be responsible for manipulating that output, whether that is omission, formatting etc etc.

Having said that, you (more than us) are the target audience for this documentation. What do you think would be a decent docs change to ensure the issues you found aren't encountered over and over.

PS. We love to here about community uses of Clair and what problems you're trying to solve.

[crozzy]

quay/claircore#529 More verbosity about which matchers are enabled.