├── .chglog
    ├── CHANGELOG.tpl.md
    └── config.yml
├── .clang-format
├── .dockerignore
├── .gitattributes
├── .github
    ├── CONTRIBUTING.md
    ├── ISSUE_TEMPLATE.md
    ├── actions
    │   ├── documentation
    │   │   └── action.yml
    │   ├── go-cache
    │   │   └── action.yml
    │   ├── go-tidy
    │   │   └── action.yml
    │   └── set-image-expiration
    │   │   └── action.yml
    ├── dependabot.yml
    ├── issue-close-app.yml
    ├── script
    │   └── nightly-module.sh
    └── workflows
    │   ├── .gitignore
    │   ├── .yamllint
    │   ├── Makefile
    │   ├── check-fast-forward.yml
    │   ├── config-ci.yml
    │   ├── cut-release.yml
    │   ├── documentation.yml
    │   ├── fast-forward.yml
    │   ├── main.yml
    │   ├── nightly-ci.yml
    │   ├── nightly.yml
    │   ├── prepare-release.yml
    │   ├── tests.yml
    │   └── v2-issues.yml
├── .gitignore
├── CHANGELOG.md
├── CODEOWNERS
├── DCO
├── Dockerfile
├── Documentation
    ├── SUMMARY.md
    ├── clairv4_arch.png
    ├── concepts.md
    ├── concepts
    │   ├── api_internal.md
    │   ├── authentication.md
    │   ├── indexing.md
    │   ├── matching.md
    │   ├── notifications.md
    │   ├── operation.md
    │   └── updatersandairgap.md
    ├── contribution.md
    ├── contribution
    │   ├── building.md
    │   ├── commit_style.md
    │   └── releases.md
    ├── howto.md
    ├── howto
    │   ├── api.md
    │   ├── clairv4_combo_multi_db.png
    │   ├── clairv4_combo_single_db.png
    │   ├── clairv4_distributed_multi_db.png
    │   ├── clairv4_distributed_single_db.png
    │   ├── deployment.md
    │   ├── getting_started.md
    │   └── testing.md
    ├── listing_test.go
    ├── reference.md
    ├── reference
    │   ├── api.md
    │   ├── clairctl.md
    │   ├── config.md
    │   ├── indexer.md
    │   ├── matcher.md
    │   ├── metrics.md
    │   └── notifier.md
    ├── reference_test.go
    └── whatis.md
├── LICENSE
├── Makefile
├── NOTICE
├── README.md
├── ROADMAP.md
├── book.toml
├── clair-error
    ├── errors.go
    └── notifications.go
├── cmd
    ├── build.go
    ├── clair
    │   ├── main.go
    │   ├── os_other.go
    │   └── os_unix.go
    ├── clairctl
    │   ├── admin.go
    │   ├── client.go
    │   ├── config.go
    │   ├── delete.go
    │   ├── export.go
    │   ├── import.go
    │   ├── import_test.go
    │   ├── jsonformatter.go
    │   ├── main.go
    │   ├── manifest.go
    │   ├── report.go
    │   ├── textformatter.go
    │   └── xmlformatter.go
    ├── config.go
    ├── config_test.go
    └── testdata
    │   ├── ComplexJSON
    │       ├── config.json
    │       ├── config.json.d
    │       │   └── dropin.json
    │       └── want.json
    │   ├── ComplexYAML
    │       ├── config.yaml
    │       ├── config.yaml.d
    │       │   ├── dropin.yaml
    │       │   ├── empty.yaml
    │       │   ├── ignored.json-patch
    │       │   ├── later.yaml
    │       │   └── updater.yaml-patch
    │       └── want.json
    │   ├── Error
    │       ├── BadKind.toml
    │       ├── BadPatch.json
    │       ├── BadPatch.json.d
    │       │   ├── decode.json-patch
    │       │   └── invalid.json-patch
    │       ├── Indents.yaml
    │       ├── NotAnArray.json
    │       ├── NotAnArray.json.d
    │       │   └── badpatch.json-patch
    │       ├── NotAnObject.json
    │       ├── NotYAML.yaml
    │       └── TooShort.json
    │   ├── SimpleJSON
    │       ├── config.json
    │       └── want.json
    │   └── SimpleYAML
    │       ├── config.yaml
    │       └── want.json
├── code-of-conduct.md
├── config.yaml.sample
├── config
    ├── auth.go
    ├── auth_test.go
    ├── config.go
    ├── config_test.go
    ├── database.go
    ├── defaults.go
    ├── doc.go
    ├── enums.go
    ├── enums_string.go
    ├── enums_test.go
    ├── go.mod
    ├── go.sum
    ├── indexer.go
    ├── introspection.go
    ├── lint.go
    ├── lint_test.go
    ├── matcher.go
    ├── matchers.go
    ├── notifier.go
    ├── otlp.go
    ├── otlpcompressor_string.go
    ├── reflect.go
    ├── tags_test.go
    ├── tls.go
    ├── updaters.go
    └── validate.go
├── contrib
    ├── cmd
    │   └── quaybackstop
    │   │   ├── Dockerfile
    │   │   ├── clair.go
    │   │   ├── main.go
    │   │   ├── main_old.go
    │   │   ├── quay.go
    │   │   ├── sig_linux.go
    │   │   └── sig_other.go
    └── openshift
    │   ├── build_and_deploy.sh
    │   ├── grafana
    │       ├── dashboard-clair.configmap.yaml.tpl
    │       └── dashboards
    │       │   └── dashboard-clair.configmap.yaml
    │   ├── manifests
    │       ├── backstop.yaml
    │       ├── db-job.yaml
    │       └── manifests.yaml
    │   └── pr_check.sh
├── docker-compose.yaml
├── etc
    ├── .gitignore
    ├── config.mk
    ├── container.mk
    ├── dev.mk
    ├── dist.mk
    └── doc.mk
├── go.mod
├── go.sum
├── health
    ├── readinesshandler.go
    └── readinesshandler_test.go
├── httptransport
    ├── auth.go
    ├── auth_test.go
    ├── client
    │   ├── httpclient.go
    │   ├── indexer.go
    │   ├── matcher.go
    │   └── matcher_test.go
    ├── common.go
    ├── concurrentlimit.go
    ├── concurrentlimit_test.go
    ├── discoveryhandler.go
    ├── discoveryhandler_test.go
    ├── error.go
    ├── error_test.go
    ├── gone.go
    ├── indexer_v1.go
    ├── indexer_v1_test.go
    ├── instrumentation.go
    ├── instrumentation_test.go
    ├── matcher_v1.go
    ├── matcher_v1_test.go
    ├── notification_v1.go
    ├── notification_v1_test.go
    ├── openapi.etag
    ├── openapi.json
    ├── openapigen.go
    ├── robotshandler.go
    ├── robotshandler_test.go
    ├── server.go
    └── server_test.go
├── indexer
    ├── mock.go
    └── service.go
├── initialize
    ├── auto
    │   ├── auto.go
    │   ├── auto_test.go
    │   ├── cpu.go
    │   ├── cpu_linux.go
    │   ├── cpu_linux_test.go
    │   ├── memory.go
    │   ├── memory_linux.go
    │   ├── memory_linux_test.go
    │   └── profiling.go
    ├── logging.go
    └── services.go
├── internal
    ├── codec
    │   ├── codec.go
    │   ├── codec_test.go
    │   └── reader.go
    └── httputil
    │   ├── client.go
    │   ├── client_test.go
    │   ├── ratelimiter.go
    │   ├── ratelimiter_test.go
    │   ├── responserecorder.go
    │   ├── responserecorder_test.go
    │   └── signer.go
├── introspection
    ├── otlp.go
    └── server.go
├── local-dev
    ├── clair
    │   ├── .gitignore
    │   ├── config.yaml
    │   ├── config.yaml.d
    │   │   └── .gitignore
    │   ├── init.sql
    │   └── quay.yaml.d
    │   │   └── .gitignore
    ├── grafana
    │   └── provisioning
    │   │   ├── dashboards
    │   │       ├── dashboard.json
    │   │       └── dashboard.yml
    │   │   └── datasources
    │   │       └── datasource.yml
    ├── pgadmin
    │   ├── passfile.txt
    │   └── servers.json
    ├── prometheus
    │   └── prometheus.yml
    ├── pyroscope
    │   └── server.yml
    ├── quay
    │   └── config.yaml
    └── traefik
    │   ├── config
    │       ├── clair.yaml
    │       ├── dashboard.yaml
    │       ├── grafana.yaml
    │       ├── jaeger.yaml
    │       ├── pgadmin.yaml
    │       ├── postgresql.yaml
    │       ├── prom.yaml
    │       ├── pyroscope.yaml
    │       ├── quay.yaml
    │       └── rabbitmq.yaml
    │   └── traefik.yaml
├── matcher
    ├── mock.go
    └── service.go
├── middleware
    ├── auth
    │   ├── handler.go
    │   ├── httpauth_psk.go
    │   └── httpauth_psk_test.go
    └── compress
    │   ├── handler.go
    │   └── handler_test.go
├── notifier
    ├── amqp
    │   ├── deliverer.go
    │   ├── deliverer_integration_test.go
    │   ├── directdeliverer.go
    │   ├── directdeliverer_integration_test.go
    │   ├── doc.go
    │   └── failover.go
    ├── callback.go
    ├── callback_test.go
    ├── deliverer.go
    ├── delivery.go
    ├── locker.go
    ├── migrations
    │   ├── 01-init.sql
    │   ├── 02-constraints.sql
    │   ├── 03-constraints.sql
    │   ├── 04-drop-key.sql
    │   └── migrations.go
    ├── mockstore.go
    ├── notification.go
    ├── notificationhandle.go
    ├── pager.go
    ├── poller.go
    ├── postgres
    │   ├── e2e_test.go
    │   ├── get_status.go
    │   ├── notifications.go
    │   ├── notifications_test.go
    │   ├── pagination_test.go
    │   ├── postgres_test.go
    │   ├── receipt.go
    │   ├── set_status.go
    │   ├── store.go
    │   ├── store_test.go
    │   └── testdata
    │   │   └── .gitignore
    ├── processor.go
    ├── processor_create_test.go
    ├── processor_safe_test.go
    ├── receipt.go
    ├── service.go
    ├── service
    │   ├── mock.go
    │   ├── notifier.go
    │   └── testmode.go
    ├── stomp
    │   ├── deliverer.go
    │   ├── directdeliverer.go
    │   ├── doc.go
    │   ├── failover.go
    │   └── integration_test.go
    ├── store.go
    ├── summary_test.go
    ├── vulnsummary.go
    └── webhook
    │   ├── cmd
    │       └── webhookd
    │       │   └── main.go
    │   ├── deliverer.go
    │   └── deliverer_test.go
└── openapi.yaml


/.chglog/CHANGELOG.tpl.md:
--------------------------------------------------------------------------------
 1 | {{ if .Versions -}}
 2 | <a name="unreleased"></a>
 3 | ## [Unreleased]
 4 | 
 5 | {{ if .Unreleased.CommitGroups -}}
 6 | {{ range .Unreleased.CommitGroups -}}
 7 | ### {{ .Title }}
 8 | {{ range .Commits -}}
 9 | - [{{.Hash.Short}}]({{ $.Info.RepositoryURL  }}/commit/{{ .Hash.Long }}): {{ .Subject }}
10 | {{ if .Refs -}}{{ range .Refs }} -{{if .Action}}{{ .Action }} {{ end }} [#{{ .Ref }}]({{ $.Info.RepositoryURL  }}/issues/{{ .Ref }}){{ end -}}
11 | {{ end -}}
12 | {{ end -}}
13 | {{ end -}}
14 | {{ end -}}
15 | 
16 | {{ range .Versions }}
17 | <a name="{{ .Tag.Name }}"></a>
18 | ## {{ if .Tag.Previous }}[{{ .Tag.Name }}]{{ else }}{{ .Tag.Name }}{{ end }} - {{ datetime "2006-01-02" .Tag.Date }}
19 | {{ range .CommitGroups -}}
20 | ### {{ .Title }}
21 | {{ range .Commits -}}
22 | - [{{.Hash.Short}}]({{ $.Info.RepositoryURL  }}/commit/{{ .Hash.Long }}): {{ .Subject }}
23 | {{ if .Refs -}}{{ range .Refs }} - {{if .Action}}{{ .Action }}{{ end }} [#{{ .Ref }}]({{ $.Info.RepositoryURL  }}/issues/{{ .Ref }}){{ end -}}
24 | {{ end -}}
25 | {{ end -}}
26 | {{ end -}}
27 | 
28 | {{- if .RevertCommits -}}
29 | ### Reverts
30 | {{ range .RevertCommits -}}
31 | - {{ .Revert.Header }}
32 | {{ end }}
33 | {{ end -}}
34 | 
35 | {{- if .MergeCommits -}}
36 | ### Pull Requests
37 | {{ range .MergeCommits -}}
38 | - {{ .Header }}
39 | {{ end }}
40 | {{ end -}}
41 | 
42 | {{- if .NoteGroups -}}
43 | {{ range .NoteGroups -}}
44 | ### {{ .Title }}
45 | {{ range .Notes }}
46 | {{ .Body }}
47 | {{ end }}
48 | {{ end -}}
49 | {{ end -}}
50 | {{ end -}}
51 | 
52 | {{- if .Versions }}
53 | [Unreleased]: {{ .Info.RepositoryURL }}/compare/{{ $latest := index .Versions 0 }}{{ $latest.Tag.Name }}...HEAD
54 | {{ range .Versions -}}
55 | {{ if .Tag.Previous -}}
56 | [{{ .Tag.Name }}]: {{ $.Info.RepositoryURL }}/compare/{{ .Tag.Previous.Name }}...{{ .Tag.Name }}
57 | {{ end -}}
58 | {{ end -}}
59 | {{ end -}}
60 | {{ end -}}
61 | 


--------------------------------------------------------------------------------
/.chglog/config.yml:
--------------------------------------------------------------------------------
 1 | style: github
 2 | template: CHANGELOG.tpl.md
 3 | info:
 4 |   title: CHANGELOG
 5 |   repository_url: https://github.com/quay/clair
 6 | options:
 7 |   tag_filter_pattern: '^v'
 8 |   sort: semver
 9 |   commits:
10 |     sort_by: Scope
11 |   commit_groups:
12 |     group_by: Scope
13 |   header:
14 |     pattern: '^(.*?):\s*(.*)$'
15 |     pattern_maps:
16 |       - Scope
17 |       - Subject
18 |   issues:
19 |     prefix: 
20 |       - "#"
21 | 
22 |   refs:
23 |     actions:
24 |       - Closes
25 |       - Fixes
26 |       - PullRequest
27 | 
28 |   notes:
29 |     keywords:
30 |       - BREAKING CHANGE
31 |       - NOTE
32 | 


--------------------------------------------------------------------------------
/.clang-format:
--------------------------------------------------------------------------------
1 | ---
2 | Language:        Proto
3 | BasedOnStyle:    Google
4 | ...
5 | 
6 | 


--------------------------------------------------------------------------------
/.dockerignore:
--------------------------------------------------------------------------------
 1 | # Files
 2 | DCO
 3 | .dockerignore
 4 | LICENSE
 5 | *.md
 6 | NOTICE
 7 | *.oci
 8 | *.tar*
 9 | /clairctl-*
10 | !testdata/**
11 | # Directories
12 | /book
13 | /contrib
14 | !/contrib/cmd
15 | /Documenatation
16 | /etc
17 | /local-dev
18 | /.github
19 | # Allow `.git` to get sent for build vcs stamping.
20 | 


--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | cmd/build.go export-subst
2 | *.go diff=golang
3 | 


--------------------------------------------------------------------------------
/.github/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # How to Contribute
 2 | 
 3 | Clair is [Apache 2.0 licensed](LICENSE) and accepts contributions via GitHub pull requests.
 4 | This document outlines some of the conventions on development workflow, commit message formatting, contact points and other resources to make it easier to get your contribution accepted.
 5 | 
 6 | # Certificate of Origin
 7 | 
 8 | By contributing to this project you agree to the Developer Certificate of Origin [DCO](../DCO).
 9 | This document was created by the Linux Kernel community and is a simple statement that you, as a contributor, have the legal right to make the contribution.
10 | See the [DCO](../DCO) file for details.
11 | 
12 | # Email and Chat
13 | 
14 | The project currently uses a mailing list and IRC channel:
15 | 
16 | - Email: [clair-dev@googlegroups.com](https://groups.google.com/forum/#!forum/clair-dev)
17 | - IRC: #[clair](irc://irc.freenode.org:6667/#clair) IRC channel on freenode.org
18 | 
19 | Please avoid emailing maintainers directly.
20 | They are very busy and read the mailing lists.
21 | 
22 | ## Getting Started
23 | 
24 | - Fork the repository on GitHub
25 | - Read the [README](../README.md) for build and test instructions
26 | - Play with the project, submit bugs, submit patches!
27 | 
28 | ## Contribution Flow
29 | 
30 | This is a rough outline of what a contributor's workflow looks like:
31 | 
32 | - Create a topic branch from where you want to base your work (usually main).
33 | - Make commits of logical units.
34 | - Make sure your commit messages are in the proper format (see below).
35 | - Push your changes to a topic branch in your fork of the repository.
36 | - Make sure the tests pass, and add any new tests as appropriate.
37 | - Submit a pull request to the original repository.
38 | 
39 | Thanks for your contributions!
40 | 
41 | ### Format of the Commit Message
42 | 
43 | We follow a rough convention for commit messages that is designed to answer two questions: what changed and why.
44 | The subject line should feature the what and the body of the commit should describe the why.
45 | 
46 | ```
47 | scripts: add the test-cluster command
48 | 
49 | this uses tmux to setup a test cluster that you can easily kill and
50 | start for debugging.
51 | 
52 | Fixes #38
53 | ```
54 | 
55 | The format can be described more formally as follows:
56 | 
57 | ```
58 | <subsystem>: <what changed>
59 | <BLANK LINE>
60 | <why this change was made>
61 | <BLANK LINE>
62 | <footer>
63 | ```
64 | 
65 | The first line is the subject and should be no longer than 70 characters, the second line is always blank, and other lines should be wrapped at 80 characters.
66 | This allows the message to be easier to read on GitHub as well as in various git tools.
67 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE.md:
--------------------------------------------------------------------------------
 1 | <!--
 2 | 
 3 | Project discussion and other meta topics should be discussed on the mailing
 4 | list or in the discussions section.
 5 | 
 6 | GitHub issues are ONLY for bugs and features for the Clair API.
 7 | Please first create an issue on your client's repository before opening one here.
 8 | 
 9 | Are you using a development build of Clair?
10 | Your problem might be solved by switching to a stable release.
11 | 
12 | -->
13 | 
14 | ### Description of Problem / Feature Request
15 | 
16 | <!--- your content here --->
17 | 
18 | ### Expected Outcome
19 | 
20 | <!--- your content here --->
21 | 
22 | ### Actual Outcome
23 | 
24 | <!--- your content here --->
25 | <!-- Please attach or paste logs from both clair and clairctl. -->
26 | 
27 | ### Environment
28 | 
29 | <!--
30 | 
31 | Issues that do not contain the Environment section are AUTOMATICALLY CLOSED.
32 | If you're making a feature request, please specify "N/A" under the environment section.
33 | 
34 | Please note that issues against Clair v2 will be closed automatically unless
35 | someone has volunteered to work on it.
36 | -->
37 | 
38 | - Clair version/image: 
39 | - Clair client name/version: 
40 | - Host OS: 
41 | - Kernel (e.g. `uname -a`): 
42 | - Kubernetes version (use `kubectl version`): 
43 | - Network/Firewall setup: 
44 | 


--------------------------------------------------------------------------------
/.github/actions/documentation/action.yml:
--------------------------------------------------------------------------------
 1 | name: 'Documentation'
 2 | description: 'build with mdBook and optionally push'
 3 | inputs:
 4 |   publish:
 5 |     description: 'push resulting files to gh-pages'
 6 |     default: 'true'
 7 |   token:
 8 |     description: 'github token'
 9 |     default: ${{ github.token }}
10 | runs:
11 |   using: 'composite'
12 |   steps:
13 |     - uses: peaceiris/actions-mdbook@v1
14 |       with:
15 |         mdbook-version: 'latest'
16 |     - shell: sh
17 |       run: |
18 |         d="$(echo "${GITHUB_REF#refs/tags/}" | sed '/^refs\/heads\//d')"
19 |         if test -z "$d"; then
20 |           exec mdbook build
21 |         else
22 |           exec mdbook build --dest-dir "./book/${d}"
23 |         fi
24 |     - if: ${{ inputs.publish == 'true' }}
25 |       uses: peaceiris/actions-gh-pages@v3
26 |       with:
27 |         github_token: ${{ inputs.token }}
28 |         publish_dir: ./book
29 |         keep_files: true
30 | 


--------------------------------------------------------------------------------
/.github/actions/go-cache/action.yml:
--------------------------------------------------------------------------------
 1 | name: 'Go cache'
 2 | description: 'cache go modules, and build artifacts'
 3 | inputs:
 4 |   go:
 5 |     description: 'Go version to use'
 6 | runs:
 7 |   using: 'composite'
 8 |   steps:
 9 |     - uses: actions/cache@v4
10 |       with:
11 |         path: |
12 |           ~/.cache/go-build
13 |           ~/go/pkg/mod
14 |         key: ${{ runner.os }}-go${{ inputs.go }}-${{ hashFiles('**/go.sum') }}
15 |         restore-keys: |
16 |           ${{ runner.os }}-go${{ inputs.go }}
17 |     - shell: bash
18 |       run: |
19 |         find . -name go.mod -type f -printf '%h\n' | while read dir; do
20 |           cd "$dir"
21 |           go mod download
22 |         done
23 | 


--------------------------------------------------------------------------------
/.github/actions/go-tidy/action.yml:
--------------------------------------------------------------------------------
 1 | name: 'Go tidy'
 2 | description: 'check that all modules are tidy-clean'
 3 | inputs:
 4 |   go:
 5 |     description: 'Go version to use'
 6 |   dir:
 7 |     description: 'module root directory'
 8 |     default: '.'
 9 | runs:
10 |   using: 'composite'
11 |   steps:
12 |     - uses: ./.github/actions/go-cache
13 |       with:
14 |         go: ${{ inputs.go }}
15 |     - run: |
16 |         cd "${{ inputs.dir }}"
17 |         go mod tidy
18 |         git diff --exit-code
19 |       shell: bash
20 | 


--------------------------------------------------------------------------------
/.github/actions/set-image-expiration/action.yml:
--------------------------------------------------------------------------------
 1 | name: 'Set Image Expiration'
 2 | description: 'Use the Quay API to set an expiration time on an image'
 3 | inputs:
 4 |   quay:
 5 |     description: 'Quay instance to issue calls to.'
 6 |     required: false
 7 |     default: 'quay.io'
 8 |   duration:
 9 |     description: 'Duration (in seconds) into the future to expire the image.'
10 |     required: false
11 |     default: '1209600'
12 |   repo:
13 |     description: 'Namespace & repository'
14 |     required: true
15 |   tag:
16 |     description: 'image tag'
17 |     required: true
18 |   token:
19 |     description: 'API token'
20 |     required: true
21 | runs:
22 |   using: 'composite'
23 |   steps:
24 |     - id: add-mask
25 |       name: Add Mask
26 |       shell: sh
27 |       run: |
28 |         printf '::add-mask::%s\n' "${{ inputs.token }}"
29 |     - id: write-script
30 |       name: Prepare Request
31 |       shell: sh
32 |       run: |
33 |         jq -n -c --argjson e "$(($(date -u +%s) + ${{ inputs.duration }}))" '{expiration: $e}' > "${RUNNER_TEMP}/expiration.json"
34 |         cat <<. >"${RUNNER_TEMP}/run"
35 |         #!/usr/bin/env -S curl -K
36 |         silent
37 |         show-error
38 |         fail-with-body
39 |         data-binary="@${RUNNER_TEMP}/expiration.json"
40 |         header="Authorization: Bearer ${{ inputs.token }}"
41 |         header="Content-Type: application/json"
42 |         header="Accept: application/json"
43 |         request=PUT
44 |         url="https://${{ inputs.quay }}/api/v1/repository/${{ inputs.repo }}/tag/${{ inputs.tag }}"
45 |         .
46 |         chmod +x "${RUNNER_TEMP}/run"
47 |     - id: call
48 |       name: Execute Request
49 |       shell: sh
50 |       run: '${RUNNER_TEMP}/run'
51 | 


--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
 1 | version: 2
 2 | updates:
 3 |   - package-ecosystem: "github-actions"
 4 |     directory: "/"
 5 |     schedule:
 6 |       interval: "weekly"
 7 |   - package-ecosystem: "gomod"
 8 |     directory: "/"
 9 |     allow:
10 |       - dependency-type: "direct"
11 |     schedule:
12 |       interval: "weekly"
13 |     commit-message:
14 |       prefix: "chore"
15 |       include: "scope"
16 |     groups:
17 |       otel:
18 |         patterns:
19 |           - "go.opentelemetry.io/otel/*"
20 |       golang-x:
21 |         patterns:
22 |           - "golang.org/x/*"
23 |   - package-ecosystem: "gomod"
24 |     directory: "/config"
25 |     allow:
26 |       - dependency-type: "direct"
27 |     schedule:
28 |       interval: "weekly"
29 |     commit-message:
30 |       prefix: "chore"
31 |       include: "scope"
32 |     groups:
33 |       otel:
34 |         patterns:
35 |           - "go.opentelemetry.io/otel/*"
36 |       golang-x:
37 |         patterns:
38 |           - "golang.org/x/*"
39 | 


--------------------------------------------------------------------------------
/.github/issue-close-app.yml:
--------------------------------------------------------------------------------
1 | comment: "This issue is closed because it does not meet our issue template. Please read it."
2 | issueConfigs:
3 | - content:
4 |   - "### Environment"
5 | 


--------------------------------------------------------------------------------
/.github/script/nightly-module.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | set -e
 3 | : "${CLAIRCORE_BRANCH:=main}"
 4 | cd "$(git rev-parse --show-toplevel)"
 5 | test -d vendor && rm -rf vendor
 6 | 
 7 | echo "::group::Edits"
 8 | go mod edit \
 9 | 	"-replace=github.com/quay/claircore=github.com/quay/claircore@${CLAIRCORE_BRANCH}"
10 | go mod tidy
11 | go mod download # Shouldn't be needed, but just to be safe...
12 | echo "::endgroup::"
13 | 
14 | clair_version="$(git describe --tags --always --dirty --match 'v4.*')"
15 | echo "clair_version=${clair_version}" >> "$GITHUB_OUTPUT"
16 | 
17 | cat <<. >>"$GITHUB_STEP_SUMMARY"
18 | ### Changes
19 | 
20 | - **Go version:** $(go version)
21 | - **Clair version:** ${clair_version}
22 | .
23 | {
24 | 	echo '```patch'
25 | 	git diff
26 | 	echo '```' 
27 | } >>"$GITHUB_STEP_SUMMARY"
28 | 


--------------------------------------------------------------------------------
/.github/workflows/.gitignore:
--------------------------------------------------------------------------------
1 | yq
2 | yajsv
3 | *.json-schema
4 | 


--------------------------------------------------------------------------------
/.github/workflows/.yamllint:
--------------------------------------------------------------------------------
1 | ---
2 | extends: default
3 | rules:
4 |   line-length: false
5 |   truthy:
6 |     check-keys: false
7 | 


--------------------------------------------------------------------------------
/.github/workflows/Makefile:
--------------------------------------------------------------------------------
 1 | check: github-workflow.json-schema yajsv yq
 2 | 	for f in *.yml; do ./yq -o json "$$f" > "$${f%yml}json"; done
 3 | 	./yajsv -s $< *.json
 4 | 	rm *.json
 5 | 	command -v yamllint >/dev/null 2>&1 && yamllint .
 6 | 
 7 | clean:
 8 | 	rm -rf yq yajsv github-workflow.json-schema
 9 | 
10 | .PHONY: check clean
11 | 
12 | yq:
13 | 	cd /tmp && GOBIN=$(PWD) go install github.com/mikefarah/yq/v4@latest
14 | 
15 | yajsv:
16 | 	cd /tmp && GOBIN=$(PWD) go install github.com/neilpa/yajsv@latest
17 | 
18 | github-workflow.json-schema:
19 | 	curl -sSLf https://github.com/SchemaStore/schemastore/raw/master/src/schemas/json/github-workflow.json > $@
20 | 


--------------------------------------------------------------------------------
/.github/workflows/check-fast-forward.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Check Fast Forward
 3 | on:
 4 |   pull_request:
 5 |     types: [opened, reopened, synchronize]
 6 | jobs:
 7 |   check-fast-forward:
 8 |     runs-on: ubuntu-latest
 9 | 
10 |     permissions:
11 |       contents: read
12 |       # We appear to need write permission for both pull-requests and
13 |       # issues in order to post a comment to a pull request.
14 |       pull-requests: write
15 |       issues: write
16 | 
17 |     steps:
18 |       - name: Checking if fast forwarding is possible
19 |         uses: sequoia-pgp/fast-forward@v1
20 |         with:
21 |           merge: false
22 |           comment: on-error
23 | 


--------------------------------------------------------------------------------
/.github/workflows/config-ci.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Config module CI
 3 | 
 4 | on:
 5 |   push:
 6 |     paths:
 7 |       - config/**
 8 |     branches:
 9 |       - main
10 |       - release-4.*
11 |   pull_request:
12 |     paths:
13 |       - config/**
14 |     branches:
15 |       - main
16 |       - release-4.*
17 | 
18 | jobs:
19 |   commit-check:
20 |     name: Commit Check
21 |     runs-on: ubuntu-latest
22 |     steps:
23 |       - name: Commit Check
24 |         uses: gsactions/commit-message-checker@v2
25 |         with:
26 |           pattern: |
27 |             ^[^:!]+: .+\n\n.*$
28 |           error: 'Commit must begin with <scope>: <subject>'
29 |           flags: 'gm'
30 |           excludeTitle: true
31 |           excludeDescription: true
32 |           checkAllCommitMessages: true
33 |           accessToken: ${{ secrets.GITHUB_TOKEN }}
34 | 
35 |   tidy:
36 |     name: Tidy
37 |     runs-on: ubuntu-latest
38 |     steps:
39 |       - name: Checkout
40 |         id: checkout
41 |         if: ${{ !cancelled() }}
42 |         uses: actions/checkout@v4
43 |       - name: Setup Go
44 |         id: setupgo
45 |         if: ${{ !cancelled() && steps.checkout.conclusion == 'success' }}
46 |         uses: actions/setup-go@v5
47 |         with:
48 |           cache: false
49 |           go-version-file: ./config/go.mod
50 |       - name: Go Tidy
51 |         if: ${{ !cancelled() && steps.checkout.conclusion == 'success' && steps.setupgo.conclusion == 'success' }}
52 |         working-directory: ./config
53 |         run: |
54 |           trap 'echo "::error file=go.mod,title=Tidy Check::Commit would leave go.mod untidy"' ERR
55 |           go mod tidy
56 |           git diff --exit-code
57 | 
58 |   tests:
59 |     name: Tests
60 |     if: ${{ !cancelled() }}
61 |     uses: ./.github/workflows/tests.yml
62 |     with:
63 |       cd: config
64 |       package_expr: ./...
65 |       qemu: false
66 | 


--------------------------------------------------------------------------------
/.github/workflows/documentation.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Deploy Main Documentation
 3 | 
 4 | on:
 5 |   push:
 6 |     branches:
 7 |       - main
 8 |     paths:
 9 |       - 'Documentation/**'
10 | 
11 | jobs:
12 |   deploy-documentation:
13 |     name: Deploy Documentation
14 |     runs-on: ubuntu-latest
15 |     steps:
16 |       - uses: actions/checkout@v4
17 |       - uses: ./.github/actions/documentation
18 | 


--------------------------------------------------------------------------------
/.github/workflows/fast-forward.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Fast Forward
 3 | on:
 4 |   issue_comment:
 5 |     types: [created, edited]
 6 |   pull_request_review:
 7 |     types: [submitted]
 8 | jobs:
 9 |   fast-forward:
10 |     # Only run if the comment or approval contains the /fast-forward command,
11 |     # or if it was a dependabot PR.
12 |     if: >-
13 |       ${{
14 |       ( github.event.issue.pull_request && contains(github.event.comment.body, '/fast-forward')) ||
15 |       (
16 |         github.event.review && github.event.review.state == 'approved' && (
17 |           github.event.pull_request.user.url == 'https://api.github.com/users/dependabot%5Bbot%5D' ||
18 |           contains(github.event.review.body, '/fast-forward')
19 |         ))
20 |       }}
21 |     runs-on: ubuntu-latest
22 | 
23 |     permissions:
24 |       contents: write
25 |       pull-requests: write
26 |       issues: write
27 | 
28 |     steps:
29 |       - name: Fast forwarding
30 |         uses: sequoia-pgp/fast-forward@v1
31 |         with:
32 |           merge: true
33 |           comment: on-error
34 | 


--------------------------------------------------------------------------------
/.github/workflows/nightly-ci.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Nightly CI
 3 | 
 4 | on:
 5 |   schedule:
 6 |     - cron: '30 4 * * *'
 7 |   workflow_dispatch:
 8 |     inputs:
 9 |       package_expr:
10 |         required: false
11 |         type: string
12 |         description: 'Package expression(s) passed to `go test`'
13 | 
14 | jobs:
15 |   defaults:
16 |     name: Check Input
17 |     runs-on: ubuntu-latest
18 |     outputs:
19 |       package_expr: ${{ steps.config.outputs.package_expr }}
20 |     steps:
21 |       - name: Checkout
22 |         id: checkout
23 |         uses: actions/checkout@v4
24 |       - name: Make package expressions
25 |         id: config
26 |         if: ${{ !cancelled() && steps.checkout.conclusion == 'success' }}
27 |         run: |
28 |           if test -n "${{ inputs.package_expr }}"; then
29 |             printf 'package_expr=%s\n' '${{ inputs.package_expr }}' >> "$GITHUB_OUTPUT"
30 |           else
31 |             printf 'package_expr=%s\n' "$(go list -m github.com/quay/clair{core,}/... | awk '{printf("%s/... ",$1)}')" >> "$GITHUB_OUTPUT"
32 |           fi
33 | 
34 |   tests:
35 |     name: Tests
36 |     needs: ['defaults']
37 |     uses: ./.github/workflows/tests.yml
38 |     with:
39 |       package_expr: ${{ needs.defaults.outputs.package_expr }}
40 |       qemu: true
41 | 


--------------------------------------------------------------------------------
/.github/workflows/prepare-release.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Prepare Release
 3 | 
 4 | on:
 5 |   workflow_dispatch:
 6 |     inputs:
 7 |       branch:
 8 |         description: 'the branch to prepare the release against'
 9 |         required: true
10 |         default: 'main'
11 |       tag:
12 |         description: 'the tag to be released'
13 |         required: true
14 | 
15 | jobs:
16 |   prepare:
17 |     name: Prepare Release
18 |     runs-on: 'ubuntu-latest'
19 |     steps:
20 |       - name: Checkout
21 |         uses: actions/checkout@v4
22 |         with:
23 |           fetch-depth: 0
24 |           ref: ${{ github.event.inputs.branch }}
25 |       - name: Changelog
26 |         shell: bash
27 |         run: |
28 |           curl -o /tmp/git-chglog.tar.gz -fsSL\
29 |             https://github.com/git-chglog/git-chglog/releases/download/v0.14.0/git-chglog_0.14.0_linux_amd64.tar.gz
30 |           tar xvf /tmp/git-chglog.tar.gz --directory /tmp
31 |           chmod u+x /tmp/git-chglog
32 |           echo "creating change log for tag: ${{ github.event.inputs.tag }}"
33 | 
34 |           # if this is a release branch filter our change
35 |           # log to only include logs with the same minor
36 |           # versions
37 |           # otherwise just filter v4 for full v4 history
38 |           # on main branch
39 |           filter_tag="--tag-filter-pattern v4"
40 |           branch=${{ github.event.inputs.branch }}
41 |           echo "discovered branch $branch"
42 |           if [[ ${branch%-*} == "release" ]]; then
43 |             filter_tag="--tag-filter-pattern v${branch#release-}"
44 |           fi
45 | 
46 |           /tmp/git-chglog $filter_tag --next-tag "${{ github.event.inputs.tag }}" -o CHANGELOG.md v4.0.0-alpha.2..
47 |       - name: Create Pull Request
48 |         uses: peter-evans/create-pull-request@v7
49 |         with:
50 |           title: "${{ github.event.inputs.tag }} Changelog Bump"
51 |           body: "This is an automated changelog commit."
52 |           commit-message: "chore: ${{ github.event.inputs.tag }} changelog bump"
53 |           branch: "ready-${{ github.event.inputs.tag }}"
54 |           signoff: true
55 |           delete-branch: true
56 | 


--------------------------------------------------------------------------------
/.github/workflows/v2-issues.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: 'Manage v2 Issues'
 3 | on:
 4 |   workflow_dispatch:
 5 |     inputs:
 6 |       debug:
 7 |         description: 'Run in debug mode (i.e. dry-run)'
 8 |         required: false
 9 |         default: false
10 |   schedule:
11 |     - cron: '30 1 * * *'
12 | 
13 | jobs:
14 |   stale:
15 |     runs-on: ubuntu-latest
16 |     steps:
17 |       - uses: actions/stale@v9
18 |         with:
19 |           only-labels: 'V2'
20 |           exempt-issue-labels: 'V2/active'
21 |           days-before-stale: 14
22 |           days-before-issue-stale: 0
23 |           days-before-close: 14
24 |           remove-stale-when-updated: false
25 |           ignore-updates: true
26 |           debug-only: ${{ github.event.inputs.debug || false }}
27 |           enable-statistics: true
28 |           operations-per-run: 1000
29 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | vendor/
2 | book/
3 | clairctl
4 | !clairctl/
5 | 


--------------------------------------------------------------------------------
/CODEOWNERS:
--------------------------------------------------------------------------------
1 | *	@quay/clair
2 | 


--------------------------------------------------------------------------------
/DCO:
--------------------------------------------------------------------------------
 1 | Developer Certificate of Origin
 2 | Version 1.1
 3 | 
 4 | Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
 5 | 660 York Street, Suite 102,
 6 | San Francisco, CA 94110 USA
 7 | 
 8 | Everyone is permitted to copy and distribute verbatim copies of this
 9 | license document, but changing it is not allowed.
10 | 
11 | 
12 | Developer's Certificate of Origin 1.1
13 | 
14 | By making a contribution to this project, I certify that:
15 | 
16 | (a) The contribution was created in whole or in part by me and I
17 |     have the right to submit it under the open source license
18 |     indicated in the file; or
19 | 
20 | (b) The contribution is based upon previous work that, to the best
21 |     of my knowledge, is covered under an appropriate open source
22 |     license and I have the right under that license to submit that
23 |     work with modifications, whether created in whole or in part
24 |     by me, under the same open source license (unless I am
25 |     permitted to submit under a different license), as indicated
26 |     in the file; or
27 | 
28 | (c) The contribution was provided directly to me by some other
29 |     person who certified (a), (b) or (c) and I have not modified
30 |     it.
31 | 
32 | (d) I understand and agree that this project and the contribution
33 |     are public and that a record of the contribution (including all
34 |     personal information I submit with it, including my sign-off) is
35 |     maintained indefinitely and may be redistributed consistent with
36 |     this project or the open source license(s) involved.
37 | 


--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
 1 | # syntax=docker.io/docker/dockerfile:1.7
 2 | 
 3 | # Copyright 2024 clair authors
 4 | #
 5 | # Licensed under the Apache License, Version 2.0 (the "License");
 6 | # you may not use this file except in compliance with the License.
 7 | # You may obtain a copy of the License at
 8 | #
 9 | #     http://www.apache.org/licenses/LICENSE-2.0
10 | #
11 | # Unless required by applicable law or agreed to in writing, software
12 | # distributed under the License is distributed on an "AS IS" BASIS,
13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 | # See the License for the specific language governing permissions and
15 | # limitations under the License.
16 | 
17 | ARG GOTOOLCHAIN=local
18 | ARG GO_VERSION=1.23
19 | FROM --platform=$BUILDPLATFORM quay.io/projectquay/golang:${GO_VERSION} AS build
20 | WORKDIR /build
21 | RUN --mount=type=cache,target=/root/.cache/go-build \
22 | 	--mount=type=cache,target=/go/pkg/mod \
23 | 	--mount=type=bind,source=go.mod,target=go.mod \
24 | 	--mount=type=bind,source=go.sum,target=go.sum \
25 | 	go mod download
26 | 
27 | ARG TARGETOS
28 | ARG TARGETARCH
29 | ARG TARGETVARIANT
30 | ARG CLAIR_VERSION=""
31 | # This script needs to use `go build` instead of `go install` to cross-compile.
32 | RUN --mount=type=bind,target=. \
33 | 	--mount=type=cache,target=/root/.cache/go-build \
34 | 	--mount=type=cache,target=/go/pkg/mod \
35 | 	--network=none \
36 | 	<<.
37 | set -e
38 | export GOOS="$TARGETOS" GOARCH="$TARGETARCH" GOBIN=/out/bin
39 | if [ -n "$TARGETVARIANT" ]; then
40 | 	case "$TARGETARCH" in
41 | 	amd64)  export GOAMD64="$TARGETVARIANT" ;;
42 | 	ppc64*) export GOPPC64="$TARGETVARIANT" ;;
43 | 	esac
44 | fi
45 | if [ -n "${CLAIR_VERSION}" ]; then
46 | 	vstr="${CLAIR_VERSION} (user)"
47 | 	cat <<msg >&2
48 | Setting reported version to "${vstr}".
49 | 
50 | This hook into the go build process is not needed if building using a prepared
51 | source archive and will go away in the future.
52 | 
53 | Please open an issue if this would prevent a desired use-case.
54 | msg
55 | 	varg=" -X 'github.com/quay/clair/v4/cmd.Version=${vstr}'"
56 | fi
57 | install -d "${GOBIN}"
58 | go build \
59 | 	-ldflags="-s -w$varg" -trimpath \
60 | 	-o "${GOBIN}" \
61 | 	./cmd/...
62 | .
63 | 
64 | FROM scratch AS ctl
65 | COPY --from=build /out/bin/clairctl* /
66 | 
67 | FROM registry.access.redhat.com/ubi8/ubi-minimal AS final
68 | ENTRYPOINT ["/usr/bin/clair"]
69 | VOLUME /config
70 | EXPOSE 6060
71 | ENV CLAIR_CONF=/config/config.yaml\
72 | 	CLAIR_MODE=combo\
73 | 	SSL_CERT_DIR="/etc/ssl/certs:/etc/pki/tls/certs:/var/run/certs"
74 | USER nobody:nobody
75 | # The WORKDIR command creates an empty layer, there's nothing we can do.
76 | WORKDIR /run
77 | COPY --from=build /out/bin/* /usr/bin/
78 | 


--------------------------------------------------------------------------------
/Documentation/SUMMARY.md:
--------------------------------------------------------------------------------
 1 | # Summary
 2 | 
 3 | - [What is ClairV4](./whatis.md)
 4 | - [How Tos](./howto.md)
 5 |   - [Getting Started With ClairV4](./howto/getting_started.md)
 6 |   - [Deployment Models](./howto/deployment.md)
 7 |   - [API Definition](./howto/api.md)
 8 |   - [Testing ClairV4](./howto/testing.md)
 9 | - [Concepts](./concepts.md)
10 |   - [Indexing](./concepts/indexing.md)
11 |   - [Matching](./concepts/matching.md)
12 |   - [Internal API](./concepts/api_internal.md)
13 |   - [Authentication](./concepts/authentication.md)
14 |   - [Notifications](./concepts/notifications.md)
15 |   - [Updaters and Airgap](./concepts/updatersandairgap.md)
16 |   - [Operation](./concepts/operation.md)
17 | - [Contribution](./contribution.md)
18 |   - [Building](./contribution/building.md)
19 |   - [Commit Style](./contribution/commit_style.md)
20 |   - [Releases](./contribution/releases.md)
21 | - [Reference](./reference.md)
22 |   - [Api](./reference/api.md)
23 |   - [Clairctl](./reference/clairctl.md)
24 |   - [Config](./reference/config.md)
25 |   - [Indexer](./reference/indexer.md)
26 |   - [Matcher](./reference/matcher.md)
27 |   - [Notifier](./reference/notifier.md)
28 |   - [Metrics](./reference/metrics.md)
29 | 


--------------------------------------------------------------------------------
/Documentation/clairv4_arch.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/quay/clair/e75e2e2b43d2990f656c7505f0dcc61c4a3219eb/Documentation/clairv4_arch.png


--------------------------------------------------------------------------------
/Documentation/concepts.md:
--------------------------------------------------------------------------------
1 | # Concepts
2 | 
3 | The following sections give a conceptual overview of how Clair works internally.
4 | 
5 | - [Internal API](./concepts/api_internal.md)
6 | - [Authentication](./concepts/authentication.md)
7 | - [Notifications](./concepts/notifications.md)
8 | - [Updaters and Airgap](./concepts/updatersandairgap.md)
9 | 


--------------------------------------------------------------------------------
/Documentation/concepts/api_internal.md:
--------------------------------------------------------------------------------
 1 | # Internal
 2 | 
 3 | Internal endpoints are underneath `/api/v1/internal` and are meant for
 4 | communication between Clair microservices. If Clair is operating in combo mode,
 5 | these endpoints may not exist. Any sort of API ingress should disallow clients
 6 | to talk to these endpoints.
 7 | 
 8 | We do not formally expose these APIs in our OpenAPI spec. 
 9 | Further information and usage is an effort left to the reader.
10 | 
11 | ## Updates Diffs
12 | 
13 | The `update_diff/` endpoint exposes the api for diffing two update operations. 
14 | This is used by the notifier to determine the added and removed vulnerabilities on security databsae update.
15 | 
16 | ## Update Operation
17 | 
18 | The `update_operation` endpoint exposes the api for viewing updaters' activity. 
19 | This is used by the notifier to determine if new updates have occurred and triggers an update diff to see what has changed.
20 | 
21 | ## AffectedManifest
22 | 
23 | The `affected_manifest` endpoint exposes the api for retreiving affected manifests given a list of Vulnerabilities.
24 | This is used by the notifier to determine the manifests that need to have a notification generated.
25 | 


--------------------------------------------------------------------------------
/Documentation/concepts/authentication.md:
--------------------------------------------------------------------------------
 1 | # Authentication
 2 | 
 3 | Previous versions of Clair used [jwtproxy] to gate authentication. For ease of
 4 | building and deployment, v4 handles authentication itself.
 5 | 
 6 | Authentication is configured by specifying configuration objects underneath the
 7 | `auth` key of the configuration. Multiple authentication configurations may be
 8 | present, but they will be used preferentially in the order laid out below.
 9 | 
10 | [jwtproxy]: https://github.com/quay/jwtproxy
11 | 
12 | ### PSK
13 | 
14 | Clair implements JWT-based authentication using a pre-shared key.
15 | 
16 | #### Configuration
17 | 
18 | The `auth` stanza of the configuration file requires two parameters: `iss`, which
19 | is the issuer to validate on all incoming requests; and `key`, which is a base64
20 | encoded symmetric key for validating the requests.
21 | 
22 | ```yaml
23 | auth:
24 |   psk:
25 |     key: >-
26 |       MDQ4ODBlNDAtNDc0ZC00MWUxLThhMzAtOTk0MzEwMGQwYTMxCg==
27 |     iss: 'issuer'
28 | ```
29 | 
30 | 


--------------------------------------------------------------------------------
/Documentation/concepts/indexing.md:
--------------------------------------------------------------------------------
 1 | # Indexing
 2 | 
 3 | The [Indexer](../reference/indexer.md) service is responsble for "indexing a manifest".
 4 | 
 5 | Indexing involves taking a manifest representing a container image and computing its constituent parts. The indexer is trying to discover what packages exist in the image, what distribution the image is derived from, and what package repositories are used within the image. Once this information is computed it is persisted in an IndexReport.
 6 | 
 7 | The IndexReport is an intermediate data structure describing the contents of a container image. This report can be fed to a [Matcher](../reference/matcher.md) node for vulnerability analysis.
 8 | 
 9 | ## Content Addressability
10 | 
11 | ClairV4 treats all manifests and layers as [content addressable](https://en.wikipedia.org/wiki/Content-addressable_storage). In the context of ClairV4 this means once we index a specific manifest we will not index it again unless it's required, and likewise with individual layers. This allows a large reduction in work. 
12 | 
13 | For example, consider how many images in a registry may use "ubuntu:artful" as a base layer. It could be a large majority of images if the developers prefer basing their images off ubuntu. Treating the layers and manifests as content addressable means we will only fetch and scan the base layer once.
14 | 
15 | There are of course conditions where ClairV4 should re-index a manifest. 
16 | 
17 | When an internal component such as a package scanner is updated, Clair will know to perform the scan with the new package scanner. Clair has enough information to determine that a component has changed and the IndexReport may be different this time around. 
18 | 
19 | A client can track ClairV4's `index_state` endpoint to understand when an internal component has changed and subsequently issue re-indexes. See our [api](../howto/api.md) guide to learn how to view our api specification.
20 | 
21 | ## Summary
22 | 
23 | In summary, you should understand that Indexing is the process Clair uses to understand the contents of layers.
24 | 
25 | For a more indepth look at indexing check out the [ClairCore Documentation](https://quay.github.io/claircore/)
26 | 


--------------------------------------------------------------------------------
/Documentation/concepts/matching.md:
--------------------------------------------------------------------------------
 1 | # Matching
 2 | 
 3 | A [Matcher](../reference/matcher.md) node is responsible for matching vulnerabilities to a provided IndexReport. 
 4 | 
 5 | Matchers by default are also responsible for keeping the database of vulnerabilities up to date. Matchers will typically run a set of Updaters which periodically probe their data sources for new contents, storing new vulnerabilities in the database when discovered.
 6 | 
 7 | The matcher API is designed to be called often and will always provide the most up-to-date VulnerabilityReport when queried. This VulnerabilityReport summaries both a manifest's contents and any vulnerabilities affecting the contents.
 8 | 
 9 | See our [api](../howto/api.md) guide to learn how to view our api specification and work with the Matcher api.
10 | 
11 | # Remote Matching
12 | 
13 | A remote matcher behaves similarly to a matcher, except that it uses api calls to fetch vulnerability data for a provided IndexReport.
14 | Remote matchers are useful when it is not possible to persist data from a given source into the database.
15 | 
16 | The `crda` remote matcher is responsible for fetching vulnerabilities from Red Hat Code Ready Dependency Analytics (CRDA).
17 | By default, this matcher serves 100 requests per minute.
18 | The rate-limiting can be lifted by requesting a dedicated API key, which is done via [this form][CRDA-Request-Form].
19 | 
20 | [CRDA-Request-Form]: https://developers.redhat.com/content-gateway/link/3872178
21 | 
22 | ## Summary
23 | 
24 | In summary you should understand that a Matcher node provides vulnerability reports given the output of an Indexing process. By default it will also run background Updaters keeping the vulnerability database up-to-date.
25 | 
26 | For a more indepth look at indexing check out the [ClairCore Documentation](https://quay.github.io/claircore/)
27 | 


--------------------------------------------------------------------------------
/Documentation/concepts/operation.md:
--------------------------------------------------------------------------------
1 | # Operation
2 | 


--------------------------------------------------------------------------------
/Documentation/contribution.md:
--------------------------------------------------------------------------------
1 | # Contribuion
2 | The following sections provides information on how to contribute to Clair.
3 | 
4 | - [Building](./contribution/building.md)
5 | - [Commit Style](./contribution/commit_style.md)
6 | - [Releases](./contribution/releases.md)
7 | 


--------------------------------------------------------------------------------
/Documentation/contribution/building.md:
--------------------------------------------------------------------------------
 1 | # Building
 2 | 
 3 | This repo is intended to be built with familiar `go build` or `go install` invocations.
 4 | All binaries (excepting debugging tools) are underneath the `cmd` directory.
 5 | 
 6 | ### Cross-compiling
 7 | 
 8 | Currently Clair does not have any cgo dependencies, so there should not be any cross-compilation concerns.
 9 | 
10 | ## Container
11 | 
12 | A `Dockerfile` for the project is in the repo root.
13 | **The only upstream-supported means of using it is Buildkit via `buildctl`.**
14 | See the `container`, `container-build`, `dist-container`, and `dist-clairctl` make targets for example invocations.
15 | The `BUILDKIT_HOST` environment variable may need to be set, depending on how `buildkitd` is running in one's environment.
16 | 


--------------------------------------------------------------------------------
/Documentation/contribution/commit_style.md:
--------------------------------------------------------------------------------
 1 | # Commit Style
 2 | 
 3 | The Clair project utilizes well structured commits to keep the history useful and help with release automation.
 4 | We suggest signing off on your commits as well.
 5 | 
 6 | A typical commit will take on the following structure:
 7 | 
 8 | ```
 9 | <scope>: <subject>
10 | 
11 | <body>
12 | Fixes #1
13 | Pull Request #2
14 | 
15 | Signed-Off By: <email>
16 | ```
17 | 
18 | The header of the commit is regexp checked before commit and your commit will be kicked back if it does not conform.
19 | 
20 | ## Scope
21 | 
22 | This is the section of code this commit influences. 
23 | 
24 | You will often see scopes such as "notifier", "auth", "chore", "cicd".
25 | 
26 | We use this field to group commits by scope in our automated changelog generation.
27 | 
28 | It would be wise to take a look at our changelog before contributing to get an idea of the common scopes we use.
29 | 
30 | ## Subject
31 | 
32 | Subject is a short and concise summary of the change the commit is introducing. It should be a sentence fragment without starting capitalization and ending punctuation and limited to about 60 characters, to allow for the scope prefix and decoration in the git log.
33 | 
34 | ## Body
35 | 
36 | Body should be full of detail.
37 | 
38 | Explain what this commit is doing and why it is necessary.
39 | 
40 | You may include references to issues and pull requests as well. Our automated changelog process will discover references prefixed with "Fixes", "Closed" and "Pull Request"
41 | 
42 | 


--------------------------------------------------------------------------------
/Documentation/contribution/releases.md:
--------------------------------------------------------------------------------
 1 | # Releases
 2 | 
 3 | Clair releases are cut roughly every three months and actively maintained for
 4 | six.
 5 | 
 6 | This means that bugfixes should be landed on `master` (if applicable) and then
 7 | marked for backporting to a minor version's release branch. The process for
 8 | doing this is not yet formalized.
 9 | 
10 | ## Process
11 | 
12 | ### Minor
13 | 
14 | When cutting a new minor release, two things need to be done: creating a tag and
15 | creating a release branch. This can be done like so:
16 | 
17 | ```sh
18 | git tag -as v4.x.0 HEAD
19 | git push upstream HEAD:release-4.x tag v4.x.0
20 | ```
21 | 
22 | Then, a "release" needs to be created in the Github UI using the created tag.
23 | 
24 | ### Patch
25 | 
26 | A patch release is just like a minor release with the caveat that minor version
27 | tags should *only* appear on release branches and a new branch does not need to
28 | be created.
29 | 
30 | ```sh
31 | git checkout release-4.x
32 | git tag -as v4.x.1 HEAD
33 | git push upstream tag v4.x.1
34 | ```
35 | 
36 | Then, a "release" needs to be created in the Github UI using the created tag.
37 | 
38 | ### Creating Artifacts
39 | 
40 | Clair's artifact release process is automated and driven off the releases in
41 | Github.
42 | 
43 | Publishing a new release in the Github UI automatically triggers the creation of
44 | a complete source archive and a container. The archive is attached to the
45 | release, and the container is pushed to the
46 | [`quay.io/projectquay/clair`](https://quay.io/repository/projectquay/clair)
47 | repository.
48 | 
49 | This is all powered by a Github Action in `.github/workflows/cut-release.yml`.
50 | 
51 | A complete source archive can be created with `make dist`.
52 | A corresponding container can be created with `make dist-container`.
53 | See `etc/config.mk` for documentation on variables that control these targets.
54 | 


--------------------------------------------------------------------------------
/Documentation/howto.md:
--------------------------------------------------------------------------------
1 | # How Tos
2 | 
3 | The following sections provide instructions on accomplish specific goals in Clair.
4 | 
5 | - [API Definition](./howto/api.md)
6 | - [Deployment Models](./howto/deployment.md)
7 | - [Getting Started](./howto/getting_started.md)
8 | - [Testing ClairV4](./howto/testing.md)
9 | 


--------------------------------------------------------------------------------
/Documentation/howto/api.md:
--------------------------------------------------------------------------------
 1 | # API Definition
 2 | 
 3 | Clair provides its API definition via an OpenAPI specification. You can view our OpenAPI spec [here](https://raw.githubusercontent.com/quay/clair/main/openapi.yaml)
 4 | 
 5 | The OpenAPI spec can be used in a variety of ways.
 6 | * Generating http clients for your application
 7 | * Validating data returned from Clair
 8 | * Importing into a rest client such as [Postman](https://learning.postman.com/docs/integrations/available-integrations/working-with-openAPI/)
 9 | * API documentation via [Swagger Editor](https://petstore.swagger.io/#/)
10 | 
11 | See [Testing Clair](./testing.md) to learn how the local dev tooling starts a local swagger editor. This is handy for making changes to the spec in real time.
12 | 
13 | See [API Reference](../reference/api.md) for a markdown rendered API reference.
14 | 


--------------------------------------------------------------------------------
/Documentation/howto/clairv4_combo_multi_db.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/quay/clair/e75e2e2b43d2990f656c7505f0dcc61c4a3219eb/Documentation/howto/clairv4_combo_multi_db.png


--------------------------------------------------------------------------------
/Documentation/howto/clairv4_combo_single_db.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/quay/clair/e75e2e2b43d2990f656c7505f0dcc61c4a3219eb/Documentation/howto/clairv4_combo_single_db.png


--------------------------------------------------------------------------------
/Documentation/howto/clairv4_distributed_multi_db.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/quay/clair/e75e2e2b43d2990f656c7505f0dcc61c4a3219eb/Documentation/howto/clairv4_distributed_multi_db.png


--------------------------------------------------------------------------------
/Documentation/howto/clairv4_distributed_single_db.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/quay/clair/e75e2e2b43d2990f656c7505f0dcc61c4a3219eb/Documentation/howto/clairv4_distributed_single_db.png


--------------------------------------------------------------------------------
/Documentation/listing_test.go:
--------------------------------------------------------------------------------
 1 | package Documentation
 2 | 
 3 | import (
 4 | 	"bufio"
 5 | 	"io/fs"
 6 | 	"os"
 7 | 	"path"
 8 | 	"regexp"
 9 | 	"sort"
10 | 	"testing"
11 | 
12 | 	"github.com/google/go-cmp/cmp"
13 | )
14 | 
15 | // TestListing fails if the SUMMARY.md falls out of sync with the markdown files
16 | // in this directory.
17 | func TestListing(t *testing.T) {
18 | 	// Check that this is the docs test.
19 | 	// These files are copied into the "book" directory, so when left around in
20 | 	// a work tree, test will run there as well.
21 | 	if _, err := os.Stat("index.html"); err == nil {
22 | 		t.Skip("skip listing check in compiled docs")
23 | 	}
24 | 
25 | 	linkline, err := regexp.Compile(`\s*- \[.+\]\((.+)\)`)
26 | 	if err != nil {
27 | 		t.Fatal(err)
28 | 	}
29 | 	f, err := os.Open("SUMMARY.md")
30 | 	if err != nil {
31 | 		t.Fatal(err)
32 | 	}
33 | 	defer f.Close()
34 | 
35 | 	linked := []string{"SUMMARY.md"}
36 | 	s := bufio.NewScanner(f)
37 | 	for s.Scan() {
38 | 		ms := linkline.FindSubmatch(s.Bytes())
39 | 		switch {
40 | 		case ms == nil, len(ms) == 1:
41 | 			continue
42 | 		case len(ms) == 2:
43 | 			linked = append(linked, path.Clean(string(ms[1])))
44 | 		}
45 | 	}
46 | 	if err := s.Err(); err != nil {
47 | 		t.Error(err)
48 | 	}
49 | 	sort.Strings(linked)
50 | 
51 | 	var files []string
52 | 	err = fs.WalkDir(os.DirFS("."), ".", func(p string, d fs.DirEntry, err error) error {
53 | 		switch {
54 | 		case err != nil:
55 | 			return err
56 | 		case d.IsDir():
57 | 			return nil
58 | 		case path.Ext(d.Name()) != ".md":
59 | 			return nil
60 | 		}
61 | 		files = append(files, p)
62 | 		return nil
63 | 	})
64 | 	if err != nil {
65 | 		t.Error(err)
66 | 	}
67 | 	sort.Strings(files)
68 | 
69 | 	if !cmp.Equal(linked, files) {
70 | 		t.Error(cmp.Diff(linked, files))
71 | 	}
72 | }
73 | 


--------------------------------------------------------------------------------
/Documentation/reference.md:
--------------------------------------------------------------------------------
 1 | # Reference
 2 | The following sections provide reference information useful when exploring the documentation or working with Clair directly.
 3 | 
 4 | - [API](./reference/api.md)
 5 | - [Clairctl](./reference/clairctl.md)
 6 | - [Config](./reference/config.md)
 7 | - [Indexer](./reference/indexer.md)
 8 | - [Matcher](./reference/matcher.md)
 9 | - [Notifier](./reference/notifier.md)
10 | 


--------------------------------------------------------------------------------
/Documentation/reference/indexer.md:
--------------------------------------------------------------------------------
1 | # Indexer
2 | 
3 | When Clair is running in Indexer mode, it is responsible for receiving Manifests and generating IndexReports. An IndexReport is an intermediate representation of a manifest's content and is used to discover vulnerabilities.
4 | 


--------------------------------------------------------------------------------
/Documentation/reference/matcher.md:
--------------------------------------------------------------------------------
1 | # Matcher
2 | 
3 | When Clair is running in Matcher mode it is responsible for receiving IndexReports and generating VulnerabilityReports. A VulnerabilityReport describes the contents of a manifest and any vulnerabilities affecting it.
4 | 


--------------------------------------------------------------------------------
/Documentation/reference/metrics.md:
--------------------------------------------------------------------------------
1 | Clair exports [metrics](./config.md#metrics) on the [introspection
2 | port](./config.md#introspection_addr) in the Prometheus format.
3 | 
4 | The exact metrics exposed are not considered API (and so are subject to change
5 | between releases) but should be well described. An up-to-date grafana dashboard
6 | example is in `contrib/openshift/grafana`.
7 | 


--------------------------------------------------------------------------------
/Documentation/reference/notifier.md:
--------------------------------------------------------------------------------
1 | # Notifier 
2 | 
3 | When Clair is running in Notifier mode, it is responsible for generating notifications when new vulnerabilities affecting a previously indexed manifest enters the system. The notifier will send notifications via the configured mechanisms.
4 | 


--------------------------------------------------------------------------------
/Documentation/reference_test.go:
--------------------------------------------------------------------------------
 1 | package Documentation
 2 | 
 3 | import (
 4 | 	"bufio"
 5 | 	"fmt"
 6 | 	"os"
 7 | 	"reflect"
 8 | 	"regexp"
 9 | 	"sort"
10 | 	"strings"
11 | 	"testing"
12 | 
13 | 	"github.com/google/go-cmp/cmp"
14 | 	"github.com/quay/clair/config"
15 | )
16 | 
17 | func TestConfigReference(t *testing.T) {
18 | 	f, err := os.Open("reference/config.md")
19 | 	if err != nil {
20 | 		t.Fatal(err)
21 | 	}
22 | 	defer f.Close()
23 | 
24 | 	header := regexp.MustCompile("^#+ `\\$[^`]+`")
25 | 	var got []string
26 | 	s := bufio.NewScanner(f)
27 | 	for s.Scan() {
28 | 		if header.Match(s.Bytes()) {
29 | 			got = append(got, strings.Trim(s.Text(), " #`"))
30 | 		}
31 | 	}
32 | 	if err := s.Err(); err != nil {
33 | 		t.Error(err)
34 | 	}
35 | 	var want []string
36 | 	if err := walk(&want, "$", reflect.TypeOf(config.Config{})); err != nil {
37 | 		t.Error(err)
38 | 	}
39 | 	sort.Strings(want)
40 | 	sort.Strings(got)
41 | 	if !cmp.Equal(got, want) {
42 | 		t.Error(cmp.Diff(got, want))
43 | 	}
44 | }
45 | 
46 | type walkFunc func(interface{}) ([]string, error)
47 | 
48 | func walk(ws *[]string, path string, t reflect.Type) error {
49 | 	// Dereference the pointer, if this is a pointer.
50 | 	if t.Kind() == reflect.Ptr {
51 | 		t = t.Elem()
52 | 	}
53 | 	if t.Kind() == reflect.Struct {
54 | 		for i, lim := 0, t.NumField(); i < lim; i++ {
55 | 			f := t.Field(i)
56 | 			if f.Anonymous {
57 | 				if err := walk(ws, path, t.Field(i).Type); err != nil {
58 | 					return err
59 | 				}
60 | 				continue
61 | 			}
62 | 			var n string
63 | 			switch t := f.Tag.Get("json"); t {
64 | 			case "-", "":
65 | 				continue
66 | 			default:
67 | 				if i := strings.IndexByte(t, ','); i != -1 {
68 | 					t = t[:i]
69 | 				}
70 | 				n = t
71 | 			}
72 | 			p := fmt.Sprintf(`%s.%s`, path, n)
73 | 			*ws = append(*ws, p)
74 | 			if err := walk(ws, p, t.Field(i).Type); err != nil {
75 | 				return err
76 | 			}
77 | 		}
78 | 	}
79 | 	return nil
80 | }
81 | 


--------------------------------------------------------------------------------
/Documentation/whatis.md:
--------------------------------------------------------------------------------
 1 | # What is Clair
 2 | 
 3 | Clair is an application for parsing image contents and reporting vulnerabilities affecting the contents. This is done via static analysis and not at runtime.
 4 | 
 5 | Clair supports the extraction of contents and assignment of vulnerabilities from the following official base containers:
 6 | - Ubuntu
 7 | - Debian
 8 | - RHEL
 9 | - Suse
10 | - Oracle
11 | - Alpine
12 | - AWS Linux
13 | - VMWare Photon
14 | - Python
15 | 
16 | The above list defines Clair's current support matrix.
17 | 
18 | ## Architecture
19 | 
20 | Clair v4 utilizes the [ClairCore](https://quay.github.io/claircore/) library as its engine for examining contents and reporting vulnerabilities. At a high level you can consider Clair a service wrapper to the functionality provided in the ClairCore library. 
21 | 
22 | ![diagram of clairV4 highlevel architecture](./clairv4_arch.png)
23 | 
24 | The above diagram expresses the separation of concerns between Clair and the ClairCore library. Most development involving new distributions, vulnerability sources, and layer indexing will occur in ClairCore.
25 | 
26 | ## How Clair Works
27 | 
28 | Clair's analysis is broken into three distinct parts.
29 | 
30 | ### Indexing
31 | 
32 | Indexing starts with submitting a Manifest to Clair. On receipt, Clair will fetch layers, scan their contents, and return an intermediate representation called an IndexReport. 
33 | 
34 | Manifests are Clair's representation of a container image. Clair leverages the fact that OCI Manifests and Layers are content-addressed to reduce duplicated work.
35 | 
36 | Once a Manifest is indexed, the IndexReport is persisted for later retrieval. 
37 | 
38 | ### Matching
39 | 
40 | Matching is taking an IndexReport and correlating vulnerabilities affecting the manifest the report represents. 
41 | 
42 | Clair is continually ingesting new security data and a request to the matcher will always provide you with the most up to date vulnerability analysis of an IndexReport.
43 | 
44 | *How we implement indexing and matching in detail is covered in [ClairCore's](https://quay.github.io/claircore/) documentation.*
45 | 
46 | ### Notifications
47 | 
48 | Clair implements a notification service. 
49 | 
50 | When new vulnerabilities are discovered, the notifier service will determine if these vulnerabilities affect any indexed Manifests. The notifier will then take action according to its configuration.
51 | 
52 | ### Getting Started
53 | 
54 | At this point you'll probably want to check out [Getting Started With Clair](./howto/getting_started.md).
55 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | # Copyright 2024 clair authors
 2 | #
 3 | # Licensed under the Apache License, Version 2.0 (the "License");
 4 | # you may not use this file except in compliance with the License.
 5 | # You may obtain a copy of the License at
 6 | #
 7 | #     http://www.apache.org/licenses/LICENSE-2.0
 8 | #
 9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | 
15 | # Set the "DEBUG" variable to enable some debugging output for the Makefile
16 | # itself.
17 | 
18 | .ONESHELL:
19 | .SHELL = /usr/bin/bash
20 | .SHELLFLAGS = -o pipefail -uec
21 | .DELETE_ON_ERROR:
22 | comma:=,
23 | splice = $(subst $(eval ) ,$(comma),$1)
24 | # See this file for all the variables that can be tuned by the environment.
25 | include etc/config.mk
26 | # Append shell patterns to this to hook the "clean" target.
27 | rm_pat =
28 | 
29 | all:
30 | 	$(go) build ./cmd/...
31 | 
32 | # Use https://github.com/Mermade/widdershins to convert openapi.yaml to
33 | # markdown. You'll need to have npx to run this.
34 | Documentation/reference/api.md: openapi.yaml
35 | 	npx widdershins\
36 | 		--search false \
37 | 		--language_tabs 'python:Python' 'go:Golang' 'javascript:Javascript' \
38 | 		--summary $< \
39 | 		-o $@
40 | # Intended to be checked-in, so not cleaned.
41 | 
42 | contrib/openshift/grafana/dashboards/dashboard-clair.configmap.yaml: \
43 | 	local-dev/grafana/provisioning/dashboards/dashboard.json \
44 | 	contrib/openshift/grafana/dashboard-clair.configmap.yaml.tpl
45 | 	name=$$(sed 's/[\&/]/\\&/g;s/$$/\\n/;s/^/    /' $< | tr -d '\n')
46 | 	sed "s/GRAFANA_MANIFEST/$$name/"\
47 | 		$(word 2,$^)\
48 | 		> $@
49 | # Intended to be checked-in, so not cleaned.
50 | 
51 | include etc/container.mk
52 | include etc/dev.mk
53 | include etc/dist.mk
54 | include etc/doc.mk
55 | 
56 | rm_flag := -rf
57 | ifdef DEBUG
58 | rm_flag += -v
59 | endif
60 | .PHONY: clean
61 | clean:
62 | 	$(go) clean
63 | 	rm $(rm_flag) -- $(rm_pat)
64 | 


--------------------------------------------------------------------------------
/NOTICE:
--------------------------------------------------------------------------------
1 | CoreOS Project
2 | Copyright 2015 CoreOS, Inc
3 | 
4 | This product includes software developed at CoreOS, Inc.
5 | (http://www.coreos.com/).
6 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Clair
 2 | 
 3 | [![Docker Repository on Quay](https://quay.io/repository/projectquay/clair/status "Docker Repository on Quay")](https://quay.io/repository/projectquay/clair)
 4 | [![PkgGoDev](https://pkg.go.dev/badge/github.com/quay/clair/v4 "Go Documentation")](https://pkg.go.dev/github.com/quay/clair/v4)
 5 | [![IRC Channel](https://img.shields.io/badge/freenode-%23clair-blue.svg "IRC Channel")](http://webchat.freenode.net/?channels=clair)
 6 | 
 7 | **Note**: The `main` branch may be in an *unstable or even broken state* during development.
 8 | Please use [releases] instead of the `main` branch in order to get stable binaries.
 9 | 
10 | ![Clair Logo](https://cloud.githubusercontent.com/assets/343539/21630811/c5081e5c-d202-11e6-92eb-919d5999c77a.png)
11 | 
12 | Clair is an open source project for the [static analysis] of vulnerabilities in
13 | application containers (currently including [OCI] and [docker]).
14 | 
15 | Clients use the Clair API to index their container images and can then match it against known vulnerabilities.
16 | 
17 | Our goal is to enable a more transparent view of the security of container-based infrastructure.
18 | Thus, the project was named `Clair` after the French term which translates to *clear*, *bright*, *transparent*.
19 | 
20 | [The book] contains all the documentation on Clair's architecture and operation.
21 | 
22 | [OCI]: https://github.com/opencontainers/image-spec/blob/master/spec.md
23 | [docker]: https://github.com/docker/docker/blob/master/image/spec/v1.2.md
24 | [releases]: https://github.com/quay/clair/releases
25 | [static analysis]: https://en.wikipedia.org/wiki/Static_program_analysis
26 | [The book]: https://quay.github.io/clair/
27 | 
28 | ## Community
29 | 
30 | - Mailing List: [clair-dev@googlegroups.com](https://groups.google.com/forum/#!forum/clair-dev)
31 | - IRC: #[clair](irc://irc.freenode.org:6667/#clair) on freenode.org
32 | - Bugs: [issues](https://github.com/quay/clair/issues)
33 | 
34 | ## Contributing
35 | 
36 | See [CONTRIBUTING](.github/CONTRIBUTING.md) for details on submitting patches and the contribution workflow.
37 | 
38 | ## License
39 | 
40 | Clair is under the Apache 2.0 license. See the [LICENSE](LICENSE) file for details.
41 | 


--------------------------------------------------------------------------------
/ROADMAP.md:
--------------------------------------------------------------------------------
 1 | # Clair Roadmap
 2 | 
 3 | This document defines a high level roadmap for Clair development.
 4 | 
 5 | The dates below should not be considered authoritative, but rather indicative of the projected timeline of the project.
 6 | The [milestones defined in GitHub](https://github.com/coreos/clair/milestones) represent the most up-to-date and issue-for-issue plans.
 7 | 
 8 | The roadmap below outlines new features that will be added to Clair, and while subject to change, define what future stable will look like.
 9 | 
10 | - Support multiple namespaces per image
11 |   - This enables language-level package managers (e.g. npm, pip) in the future
12 | - Take advantage of OCI/Docker content-addressiblity to avoid duplicated work
13 |   - This simplifies the amount of work required for an offline clair in the future
14 | - Support mappings between source packages and binary packages
15 | - Versioned detectors that are present in API results
16 |   - This will enable clients to determine when images need to be reindexed
17 | - gRPC API that works on sets of layers rather than individual layers
18 | - Structured logging in JSON
19 | - Improve coverage and readability of documentation
20 | 


--------------------------------------------------------------------------------
/book.toml:
--------------------------------------------------------------------------------
 1 | [book]
 2 | title = "Clair Documentation"
 3 | authors = ["Clair Authors"]
 4 | description = "Documentation for Clair."
 5 | src = "Documentation"
 6 | language = "en"
 7 | 
 8 | [build]
 9 | build-dir = "book"
10 | create-missing = true
11 | 
12 | [output.html]
13 | git-repository-url= "https://github.com/quay/clair"
14 | preferred-dark-theme = "coal"
15 | 


--------------------------------------------------------------------------------
/cmd/clair/os_other.go:
--------------------------------------------------------------------------------
1 | //go:build !unix
2 | 
3 | package main
4 | 
5 | import "os"
6 | 
7 | var platformShutdown = []os.Signal{}
8 | 


--------------------------------------------------------------------------------
/cmd/clair/os_unix.go:
--------------------------------------------------------------------------------
 1 | //go:build unix
 2 | 
 3 | package main
 4 | 
 5 | import (
 6 | 	"os"
 7 | 	"syscall"
 8 | )
 9 | 
10 | var platformShutdown = []os.Signal{syscall.SIGTERM}
11 | 


--------------------------------------------------------------------------------
/cmd/clairctl/config.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import (
 4 | 	"encoding/json"
 5 | 	"errors"
 6 | 	"fmt"
 7 | 	"os"
 8 | 
 9 | 	"github.com/quay/zlog"
10 | 	"github.com/urfave/cli/v2"
11 | 	"gopkg.in/yaml.v3"
12 | )
13 | 
14 | var CheckConfigCmd = &cli.Command{
15 | 	Name:  "check-config",
16 | 	Usage: "print a fully-resolved clair config",
17 | 	Description: `Check-config can be used to check that drop-in config files are being merged correctly.
18 | 
19 | The output is not currently suitable to be fed back into Clair.`,
20 | 	Action:    checkConfigAction,
21 | 	ArgsUsage: "FILE[...]",
22 | 	Flags: []cli.Flag{
23 | 		&cli.StringFlag{
24 | 			Name:    "out",
25 | 			Aliases: []string{"o"},
26 | 			Usage:   "output format: json, yaml",
27 | 			Value:   "json",
28 | 		},
29 | 	},
30 | }
31 | 
32 | func checkConfigAction(c *cli.Context) error {
33 | 	done := make(map[string]struct{})
34 | 	todo := c.Args().Slice()
35 | 	ctx := c.Context
36 | 	var enc interface {
37 | 		Encode(any) error
38 | 	}
39 | 	if len(todo) == 0 {
40 | 		return errors.New("missing needed arguments")
41 | 	}
42 | Again:
43 | 	switch v := c.String("out"); v {
44 | 	case "json":
45 | 		j := json.NewEncoder(os.Stdout)
46 | 		j.SetIndent("", "\t")
47 | 		enc = j
48 | 	case "yaml":
49 | 		zlog.Warn(ctx).Msg("some values do no round-trip the yaml encoder correctly -- make sure to consult the documentation")
50 | 		y := yaml.NewEncoder(os.Stdout)
51 | 		y.SetIndent(2)
52 | 		enc = y
53 | 	default:
54 | 		zlog.Info(ctx).Str("out", v).Msg("unknown 'out' kind, using 'json'")
55 | 		c.Set("out", "json")
56 | 		goto Again
57 | 	}
58 | 	for _, f := range todo {
59 | 		if _, ok := done[f]; ok {
60 | 			continue
61 | 		}
62 | 		done[f] = struct{}{}
63 | 		if len(todo) > 1 {
64 | 			fmt.Println("#", f)
65 | 		}
66 | 		cfg, err := loadConfig(f)
67 | 		if err != nil {
68 | 			return err
69 | 		}
70 | 		if err := enc.Encode(cfg); err != nil {
71 | 			return err
72 | 		}
73 | 	}
74 | 	return nil
75 | }
76 | 


--------------------------------------------------------------------------------
/cmd/clairctl/delete.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import (
 4 | 	"errors"
 5 | 	"os"
 6 | 
 7 | 	"github.com/quay/claircore"
 8 | 	"github.com/urfave/cli/v2"
 9 | 
10 | 	"github.com/quay/clair/v4/internal/httputil"
11 | )
12 | 
13 | var DeleteCmd = &cli.Command{
14 | 	Name:        "delete",
15 | 	Description: "Delete index reports for given manifest digests.",
16 | 	Action:      deleteAction,
17 | 	Usage:       "deletes index reports for given manifest digests",
18 | 	ArgsUsage:   "digest...",
19 | 	Flags: []cli.Flag{
20 | 		&cli.StringFlag{
21 | 			Name:    "host",
22 | 			Usage:   "URL for the clairv4 v1 API.",
23 | 			Value:   "http://localhost:6060/",
24 | 			EnvVars: []string{"CLAIR_API"},
25 | 		},
26 | 	},
27 | }
28 | 
29 | func deleteAction(c *cli.Context) error {
30 | 	args := c.Args()
31 | 	if args.Len() == 0 {
32 | 		return errors.New("missing needed arguments")
33 | 	}
34 | 	ds := []claircore.Digest{}
35 | 	for i := 0; i < args.Len(); i++ {
36 | 		d, err := claircore.ParseDigest(args.Get(i))
37 | 		if err != nil {
38 | 			return err
39 | 		}
40 | 		ds = append(ds, d)
41 | 	}
42 | 
43 | 	fi, err := os.Stat(c.Path("config"))
44 | 	useCfg := err == nil && !fi.IsDir()
45 | 	ctx := c.Context
46 | 	hc, err := httputil.NewClient(ctx, false)
47 | 	if err != nil {
48 | 		return err
49 | 	}
50 | 
51 | 	var s *httputil.Signer
52 | 	if useCfg {
53 | 		cfg, err := loadConfig(c.Path("config"))
54 | 		if err != nil {
55 | 			return err
56 | 		}
57 | 		s, err = httputil.NewSigner(ctx, cfg, commonClaim)
58 | 		if err != nil {
59 | 			return err
60 | 		}
61 | 		if err = s.Add(ctx, c.String("host")); err != nil {
62 | 			return err
63 | 		}
64 | 
65 | 	}
66 | 	cc, err := NewClient(hc, c.String("host"), s)
67 | 	if err != nil {
68 | 		return err
69 | 	}
70 | 	err = cc.DeleteIndexReports(c.Context, ds)
71 | 	if err != nil {
72 | 		return err
73 | 	}
74 | 	return nil
75 | }
76 | 


--------------------------------------------------------------------------------
/cmd/clairctl/import_test.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import (
 4 | 	"bytes"
 5 | 	"context"
 6 | 	"fmt"
 7 | 	"io"
 8 | 	"net/http"
 9 | 	"net/http/httptest"
10 | 	"os"
11 | 	"reflect"
12 | 	"testing"
13 | )
14 | 
15 | // TestImportArg checks that the import subcommand's magic URL handling is
16 | // correct.
17 | func TestImportArg(t *testing.T) {
18 | 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
19 | 		w.WriteHeader(http.StatusOK)
20 | 		fmt.Fprint(w, "http")
21 | 	}))
22 | 	defer srv.Close()
23 | 
24 | 	tt := []struct {
25 | 		In  string
26 | 		Err bool
27 | 		Ok  func(*testing.T, io.ReadCloser)
28 | 	}{
29 | 		{
30 | 			In: "import_test.go",
31 | 			Ok: func(t *testing.T, in io.ReadCloser) {
32 | 				if got, want := reflect.TypeOf(in), reflect.TypeOf(&os.File{}); got != want {
33 | 					t.Errorf("got: %T, want: %T", got, want)
34 | 				}
35 | 			},
36 | 		},
37 | 		{
38 | 			In: "./import_test.go",
39 | 			Ok: func(t *testing.T, in io.ReadCloser) {
40 | 				if got, want := reflect.TypeOf(in), reflect.TypeOf(&os.File{}); got != want {
41 | 					t.Errorf("got: %T, want: %T", got, want)
42 | 				}
43 | 			},
44 | 		},
45 | 		{
46 | 			In: srv.URL,
47 | 			Ok: func(t *testing.T, rc io.ReadCloser) {
48 | 				b := bytes.Buffer{}
49 | 				if _, err := b.ReadFrom(rc); err != nil {
50 | 					t.Errorf("read error: %v", err)
51 | 				}
52 | 				if got, want := b.String(), "http"; got != want {
53 | 					t.Errorf("got: %q, want: %q", got, want)
54 | 				}
55 | 			},
56 | 		},
57 | 		{
58 | 			In:  "invalid",
59 | 			Err: true,
60 | 			Ok:  func(*testing.T, io.ReadCloser) {},
61 | 		},
62 | 	}
63 | 
64 | 	ctx := context.Background()
65 | 	for _, tc := range tt {
66 | 		rc, err := openInput(ctx, srv.Client(), tc.In)
67 | 		t.Logf("%q: %T; %v", tc.In, rc, err)
68 | 		if (err != nil) && !tc.Err {
69 | 			t.Error()
70 | 		}
71 | 		tc.Ok(t, rc)
72 | 		if rc != nil {
73 | 			rc.Close()
74 | 		}
75 | 	}
76 | }
77 | 


--------------------------------------------------------------------------------
/cmd/clairctl/jsonformatter.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import (
 4 | 	"io"
 5 | 
 6 | 	"github.com/quay/clair/v4/internal/codec"
 7 | )
 8 | 
 9 | var _ Formatter = (*jsonFormatter)(nil)
10 | 
11 | // JsonFormatter is a very simple formatter; it just calls
12 | // (*json.Encoder).Encode.
13 | type jsonFormatter struct {
14 | 	enc *codec.Encoder
15 | 	c   io.Closer
16 | }
17 | 
18 | func (f *jsonFormatter) Format(r *Result) error {
19 | 	return f.enc.Encode(r.Report)
20 | }
21 | func (f *jsonFormatter) Close() error {
22 | 	codec.PutEncoder(f.enc)
23 | 	return f.c.Close()
24 | }
25 | 


--------------------------------------------------------------------------------
/cmd/clairctl/textformatter.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import (
 4 | 	"io"
 5 | 	"path"
 6 | 	"text/tabwriter"
 7 | 	"text/template"
 8 | )
 9 | 
10 | var _ Formatter = (*textFormatter)(nil)
11 | 
12 | // TextFormatter uses a custom text template and a tabwriter to present columnar
13 | // output.
14 | type textFormatter struct {
15 | 	tmpl *template.Template
16 | 	w    *tabwriter.Writer
17 | 	io.Closer
18 | }
19 | 
20 | var funcmap = template.FuncMap{
21 | 	"base": path.Base,
22 | }
23 | 
24 | func newTextFormatter(w io.WriteCloser) (*textFormatter, error) {
25 | 	tmpl, err := template.New("report").Funcs(funcmap).Parse(tabwriterTmpl)
26 | 	if err != nil {
27 | 		return nil, err
28 | 	}
29 | 	tw := tabwriter.NewWriter(w, 0, 0, 1, ' ', 0)
30 | 	r := textFormatter{
31 | 		tmpl:   tmpl,
32 | 		w:      tw,
33 | 		Closer: w,
34 | 	}
35 | 	return &r, nil
36 | }
37 | 
38 | const tabwriterTmpl = `
39 | {{- define "ok" -}}
40 | {{base .Name}}	ok
41 | {{end}}
42 | {{- define "err" -}}
43 | {{base .Name}}	error	{{.Err}}
44 | {{end}}
45 | {{- define "found" -}}
46 | {{with $r := .}}{{range $id, $v := .Report.PackageVulnerabilities}}{{range $d := $v -}}
47 | {{base $r.Name}}	found	{{with index $r.Report.Packages $id}}{{.Name}}	{{.Version}}{{end}}
48 | 	{{- with index $r.Report.Vulnerabilities $d}}	{{.Name}}
49 | 	{{- with .FixedInVersion}}	(fixed: {{.}}){{end}}{{end}}
50 | {{end}}{{end}}{{end}}{{end}}
51 | {{- /* The following is the actual bit of the template that runs per item. */ -}}
52 | {{if .Err}}{{template "err" .}}
53 | {{- else if ne (len .Report.PackageVulnerabilities) 0}}{{template "found" .}}
54 | {{- else}}{{template "ok" .}}
55 | {{- end}}`
56 | 
57 | func (f *textFormatter) Format(r *Result) error {
58 | 	defer f.w.Flush()
59 | 	return f.tmpl.Execute(f.w, r)
60 | }
61 | 


--------------------------------------------------------------------------------
/cmd/config_test.go:
--------------------------------------------------------------------------------
 1 | package cmd_test
 2 | 
 3 | import (
 4 | 	"encoding/json"
 5 | 	"os"
 6 | 	"path/filepath"
 7 | 	"strings"
 8 | 	"testing"
 9 | 
10 | 	"github.com/google/go-cmp/cmp"
11 | 	"github.com/quay/clair/config"
12 | 
13 | 	"github.com/quay/clair/v4/cmd"
14 | )
15 | 
16 | func TestLoadConfig(t *testing.T) {
17 | 	ms, err := filepath.Glob(`testdata/*/config.*[^d]`)
18 | 	if err != nil {
19 | 		panic("programmer error")
20 | 	}
21 | 	for _, m := range ms {
22 | 		name := filepath.Base(filepath.Dir(m))
23 | 		t.Run(name, func(t *testing.T) {
24 | 			wantpath := filepath.Join(filepath.Dir(m), "want.json")
25 | 			wf, err := os.Open(wantpath)
26 | 			if err != nil {
27 | 				t.Fatal(err)
28 | 			}
29 | 			defer wf.Close()
30 | 			var got, want config.Config
31 | 			if err := json.NewDecoder(wf).Decode(&want); err != nil {
32 | 				t.Error(err)
33 | 			}
34 | 			if err := cmd.LoadConfig(&got, m, true); err != nil {
35 | 				t.Error(err)
36 | 			}
37 | 			if !cmp.Equal(got, want) {
38 | 				t.Error(cmp.Diff(got, want))
39 | 			}
40 | 		})
41 | 	}
42 | 	ms, err = filepath.Glob(`testdata/Error/*[^d]`)
43 | 	if err != nil {
44 | 		panic("programmer error")
45 | 	}
46 | 	t.Run("Error", func(t *testing.T) {
47 | 		for _, m := range ms {
48 | 			name := filepath.Base(m)
49 | 			name = strings.TrimSuffix(name, filepath.Ext(name))
50 | 			t.Run(name, func(t *testing.T) {
51 | 				var got config.Config
52 | 				err := cmd.LoadConfig(&got, m, false)
53 | 				t.Log(err)
54 | 				if err == nil {
55 | 					t.Fail()
56 | 				}
57 | 			})
58 | 		}
59 | 	})
60 | }
61 | 


--------------------------------------------------------------------------------
/cmd/testdata/ComplexJSON/config.json:
--------------------------------------------------------------------------------
1 | {
2 | 	"http_listen_addr": ":80",
3 | 	"log_level": "error",
4 | 	"matcher": {}
5 | }
6 | 


--------------------------------------------------------------------------------
/cmd/testdata/ComplexJSON/config.json.d/dropin.json:
--------------------------------------------------------------------------------
1 | {
2 |   "log_level": "error"
3 | }
4 | 


--------------------------------------------------------------------------------
/cmd/testdata/ComplexJSON/want.json:
--------------------------------------------------------------------------------
1 | {
2 | 	"http_listen_addr": ":80",
3 | 	"log_level": "error"
4 | }
5 | 


--------------------------------------------------------------------------------
/cmd/testdata/ComplexYAML/config.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | log_level: debug-color
 3 | introspection_addr: ":8089"
 4 | http_listen_addr: ":6060"
 5 | updaters:
 6 |   sets:
 7 |     - ubuntu
 8 |     - debian
 9 |     - rhel
10 |     - alpine
11 | auth:
12 |   psk:
13 |     key: 'c2VjcmV0'
14 |     iss:
15 |       - quay
16 |       - clairctl
17 | indexer:
18 |   connstring: host=clair-database user=clair dbname=indexer sslmode=disable
19 |   scanlock_retry: 10
20 |   layer_scan_concurrency: 5
21 |   migrations: true
22 | matcher:
23 |   indexer_addr: http://clair-indexer:6060/
24 |   connstring: host=clair-database user=clair dbname=matcher sslmode=disable
25 |   max_conn_pool: 100
26 |   migrations: true
27 | matchers: {}
28 | notifier:
29 |   indexer_addr: http://clair-indexer:6060/
30 |   matcher_addr: http://clair-matcher:6060/
31 |   connstring: host=clair-database user=clair dbname=notifier sslmode=disable
32 |   migrations: true
33 |   delivery_interval: 30s
34 |   poll_interval: 1m
35 |   webhook:
36 |     target: "http://webhook-target/"
37 |     callback: "http://clair-notifier:6060/notifier/api/v1/notification/"
38 |   # amqp:
39 |   #   direct: true
40 |   #   exchange:
41 |   #     name: ""
42 |   #     type: "direct"
43 |   #     durable: true
44 |   #     auto_delete: false
45 |   #   uris: ["amqp://guest:guest@clair-rabbitmq:5672/"]
46 |   #   routing_key: "notifications"
47 |   #   callback: "http://clair-notifier/notifier/api/v1/notifications"
48 | # tracing and metrics config
49 | trace:
50 |   name: "jaeger"
51 | #  probability: 1
52 |   jaeger:
53 |     agent:
54 |       endpoint: "clair-jaeger:6831"
55 |     service_name: "clair"
56 | metrics:
57 |   name: "prometheus"
58 | 


--------------------------------------------------------------------------------
/cmd/testdata/ComplexYAML/config.yaml.d/dropin.yaml:
--------------------------------------------------------------------------------
1 | log_level: null
2 | 


--------------------------------------------------------------------------------
/cmd/testdata/ComplexYAML/config.yaml.d/empty.yaml:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/cmd/testdata/ComplexYAML/config.yaml.d/ignored.json-patch:
--------------------------------------------------------------------------------
1 | # This file is ignored -- look at all this invalid JSON!
2 | [
3 |   {
4 |     "op": "add",
5 |     "path": "/updaters/sets/-",
6 |     "value": "osv",
7 |   },
8 | ]
9 | 


--------------------------------------------------------------------------------
/cmd/testdata/ComplexYAML/config.yaml.d/later.yaml:
--------------------------------------------------------------------------------
1 | log_level: panic
2 | updaters:
3 |   sets:
4 |     - rhel
5 | 


--------------------------------------------------------------------------------
/cmd/testdata/ComplexYAML/config.yaml.d/updater.yaml-patch:
--------------------------------------------------------------------------------
1 | - op: add
2 |   path: /updaters/sets/-
3 |   value: osv
4 | 


--------------------------------------------------------------------------------
/cmd/testdata/ComplexYAML/want.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "log_level": "panic",
 3 |   "introspection_addr": ":8089",
 4 |   "http_listen_addr": ":6060",
 5 |   "updaters": {
 6 |     "sets": [
 7 |       "rhel",
 8 |       "osv"
 9 |     ]
10 |   },
11 |   "auth": {
12 |     "psk": {
13 |       "key": "c2VjcmV0",
14 |       "iss": [
15 |         "quay",
16 |         "clairctl"
17 |       ]
18 |     }
19 |   },
20 |   "indexer": {
21 |     "connstring": "host=clair-database user=clair dbname=indexer sslmode=disable",
22 |     "scanlock_retry": 10,
23 |     "layer_scan_concurrency": 5,
24 |     "migrations": true
25 |   },
26 |   "matcher": {
27 |     "indexer_addr": "http://clair-indexer:6060/",
28 |     "connstring": "host=clair-database user=clair dbname=matcher sslmode=disable",
29 |     "max_conn_pool": 100,
30 |     "migrations": true
31 |   },
32 |   "notifier": {
33 |     "indexer_addr": "http://clair-indexer:6060/",
34 |     "matcher_addr": "http://clair-matcher:6060/",
35 |     "connstring": "host=clair-database user=clair dbname=notifier sslmode=disable",
36 |     "migrations": true,
37 |     "delivery_interval": "30s",
38 |     "poll_interval": "1m",
39 |     "webhook": {
40 |       "target": "http://webhook-target/",
41 |       "callback": "http://clair-notifier:6060/notifier/api/v1/notification/"
42 |     }
43 |   },
44 |   "trace": {
45 |     "name": "jaeger",
46 |     "jaeger": {
47 |       "agent": {
48 |         "endpoint": "clair-jaeger:6831"
49 |       },
50 |       "service_name": "clair"
51 |     }
52 |   },
53 |   "metrics": {
54 |     "name": "prometheus"
55 |   }
56 | }
57 | 


--------------------------------------------------------------------------------
/cmd/testdata/Error/BadKind.toml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/quay/clair/e75e2e2b43d2990f656c7505f0dcc61c4a3219eb/cmd/testdata/Error/BadKind.toml


--------------------------------------------------------------------------------
/cmd/testdata/Error/BadPatch.json:
--------------------------------------------------------------------------------
1 | {}
2 | 


--------------------------------------------------------------------------------
/cmd/testdata/Error/BadPatch.json.d/decode.json-patch:
--------------------------------------------------------------------------------
1 | [
2 |   [
3 |     null
4 |   ]
5 | ]
6 | 


--------------------------------------------------------------------------------
/cmd/testdata/Error/BadPatch.json.d/invalid.json-patch:
--------------------------------------------------------------------------------
1 | [
2 |   {
3 |     "op": "invalid",
4 |     "path": "any",
5 |     "value": null
6 |   }
7 | ]
8 | 


--------------------------------------------------------------------------------
/cmd/testdata/Error/Indents.yaml:
--------------------------------------------------------------------------------
 1 | auth:
 2 |     psk:
 3 |         iss:
 4 |             - quay
 5 |             - clairctl
 6 |         key: dmVyeXNlY3JldA0K  #gitleaks:allow
 7 | http_listen_addr: :80
 8 | indexer:
 9 |     connstring: host=/var/run/postgresql
10 |     migrations: true
11 |     airgap: true
12 |     scanner:
13 |     repo:
14 |       rhel-repository-scanner:
15 |         repo2cpe_mapping_file: /config/repository-to-cpe.json
16 |     package:
17 |       rhel_containerscanner:
18 |         name2repos_mapping_file: /config/container-name-repos-map.json
19 | log_level: info
20 | matcher:
21 |     connstring: host=/var/run/postgresql
22 |     migrations: true
23 |     disable_updaters: true
24 | metrics:
25 |     name: prometheus
26 | notifier:
27 |     connstring: host=/var/run/postgresql
28 |     delivery_interval: 1m0s
29 |     migrations: true
30 |     poll_interval: 5m0s
31 |     webhook:
32 |         callback: http://clair/notifier/api/v1/notifications
33 |         target: https://quay/secscan/notification
34 | 


--------------------------------------------------------------------------------
/cmd/testdata/Error/NotAnArray.json:
--------------------------------------------------------------------------------
1 | {}
2 | 


--------------------------------------------------------------------------------
/cmd/testdata/Error/NotAnArray.json.d/badpatch.json-patch:
--------------------------------------------------------------------------------
1 | {}
2 | 


--------------------------------------------------------------------------------
/cmd/testdata/Error/NotAnObject.json:
--------------------------------------------------------------------------------
1 | []
2 | 


--------------------------------------------------------------------------------
/cmd/testdata/Error/NotYAML.yaml:
--------------------------------------------------------------------------------
1 | key:
2 | 	- no tabs allowed
3 | 


--------------------------------------------------------------------------------
/cmd/testdata/Error/TooShort.json:
--------------------------------------------------------------------------------
1 | 0


--------------------------------------------------------------------------------
/cmd/testdata/SimpleJSON/config.json:
--------------------------------------------------------------------------------
1 | {
2 | 	"http_listen_addr": ":80",
3 | 	"log_level": "error",
4 | 	"matcher": {}
5 | }
6 | 


--------------------------------------------------------------------------------
/cmd/testdata/SimpleJSON/want.json:
--------------------------------------------------------------------------------
1 | {
2 | 	"http_listen_addr": ":80",
3 | 	"log_level": "error"
4 | }
5 | 


--------------------------------------------------------------------------------
/cmd/testdata/SimpleYAML/config.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | log_level: debug-color
 3 | introspection_addr: ":8089"
 4 | http_listen_addr: ":6060"
 5 | updaters:
 6 |   sets:
 7 |     - ubuntu
 8 |     - debian
 9 |     - rhel
10 |     - alpine
11 | auth:
12 |   psk:
13 |     key: 'c2VjcmV0'
14 |     iss:
15 |       - quay
16 |       - clairctl
17 | indexer:
18 |   connstring: host=clair-database user=clair dbname=indexer sslmode=disable
19 |   scanlock_retry: 10
20 |   layer_scan_concurrency: 5
21 |   migrations: true
22 | matcher:
23 |   indexer_addr: http://clair-indexer:6060/
24 |   connstring: host=clair-database user=clair dbname=matcher sslmode=disable
25 |   max_conn_pool: 100
26 |   migrations: true
27 | matchers: {}
28 | notifier:
29 |   indexer_addr: http://clair-indexer:6060/
30 |   matcher_addr: http://clair-matcher:6060/
31 |   connstring: host=clair-database user=clair dbname=notifier sslmode=disable
32 |   migrations: true
33 |   delivery_interval: 30s
34 |   poll_interval: 1m
35 |   webhook:
36 |     target: "http://webhook-target/"
37 |     callback: "http://clair-notifier:6060/notifier/api/v1/notification/"
38 |   # amqp:
39 |   #   direct: true
40 |   #   exchange:
41 |   #     name: ""
42 |   #     type: "direct"
43 |   #     durable: true
44 |   #     auto_delete: false
45 |   #   uris: ["amqp://guest:guest@clair-rabbitmq:5672/"]
46 |   #   routing_key: "notifications"
47 |   #   callback: "http://clair-notifier/notifier/api/v1/notifications"
48 | # tracing and metrics config
49 | trace:
50 |   name: "jaeger"
51 | #  probability: 1
52 |   jaeger:
53 |     agent:
54 |       endpoint: "clair-jaeger:6831"
55 |     service_name: "clair"
56 | metrics:
57 |   name: "prometheus"
58 | 


--------------------------------------------------------------------------------
/cmd/testdata/SimpleYAML/want.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "log_level": "debug-color",
 3 |   "introspection_addr": ":8089",
 4 |   "http_listen_addr": ":6060",
 5 |   "updaters": {
 6 |     "sets": [
 7 |       "ubuntu",
 8 |       "debian",
 9 |       "rhel",
10 |       "alpine"
11 |     ]
12 |   },
13 |   "auth": {
14 |     "psk": {
15 |       "key": "c2VjcmV0",
16 |       "iss": [
17 |         "quay",
18 |         "clairctl"
19 |       ]
20 |     }
21 |   },
22 |   "indexer": {
23 |     "connstring": "host=clair-database user=clair dbname=indexer sslmode=disable",
24 |     "scanlock_retry": 10,
25 |     "layer_scan_concurrency": 5,
26 |     "migrations": true
27 |   },
28 |   "matcher": {
29 |     "indexer_addr": "http://clair-indexer:6060/",
30 |     "connstring": "host=clair-database user=clair dbname=matcher sslmode=disable",
31 |     "max_conn_pool": 100,
32 |     "migrations": true
33 |   },
34 |   "notifier": {
35 |     "indexer_addr": "http://clair-indexer:6060/",
36 |     "matcher_addr": "http://clair-matcher:6060/",
37 |     "connstring": "host=clair-database user=clair dbname=notifier sslmode=disable",
38 |     "migrations": true,
39 |     "delivery_interval": "30s",
40 |     "poll_interval": "1m",
41 |     "webhook": {
42 |       "target": "http://webhook-target/",
43 |       "callback": "http://clair-notifier:6060/notifier/api/v1/notification/"
44 |     }
45 |   },
46 |   "trace": {
47 |     "name": "jaeger",
48 |     "jaeger": {
49 |       "agent": {
50 |         "endpoint": "clair-jaeger:6831"
51 |       },
52 |       "service_name": "clair"
53 |     }
54 |   },
55 |   "metrics": {
56 |     "name": "prometheus"
57 |   }
58 | }
59 | 


--------------------------------------------------------------------------------
/config/auth.go:
--------------------------------------------------------------------------------
 1 | package config
 2 | 
 3 | import (
 4 | 	"encoding"
 5 | 	"encoding/base64"
 6 | 	"fmt"
 7 | )
 8 | 
 9 | // Base64 is a byte slice that encodes to and from base64-encoded strings.
10 | type Base64 []byte
11 | 
12 | var (
13 | 	_ encoding.TextMarshaler   = (Base64)(nil)
14 | 	_ encoding.TextUnmarshaler = (*Base64)(nil)
15 | )
16 | 
17 | // MarshalText implements encoding.TextMarshaler.
18 | func (b Base64) MarshalText() ([]byte, error) {
19 | 	sz := base64.StdEncoding.EncodedLen(len(b))
20 | 	out := make([]byte, sz)
21 | 	base64.StdEncoding.Encode(out, b)
22 | 	return out, nil
23 | }
24 | 
25 | // UnmarshalText implements encoding.TextUnmarshaler.
26 | func (b *Base64) UnmarshalText(in []byte) error {
27 | 	sz := base64.StdEncoding.DecodedLen(len(in))
28 | 	s := make([]byte, sz)
29 | 	n, err := base64.StdEncoding.Decode(s, in)
30 | 	if err != nil {
31 | 		return err
32 | 	}
33 | 	*b = s[:n]
34 | 	return nil
35 | }
36 | 
37 | // Auth holds the specific configs for different authentication methods.
38 | //
39 | // These should be pointers to structs, so that it's possible to distinguish
40 | // between "absent" and "present and misconfigured."
41 | type Auth struct {
42 | 	PSK       *AuthPSK       `yaml:"psk,omitempty" json:"psk,omitempty"`
43 | 	Keyserver *AuthKeyserver `yaml:"keyserver,omitempty" json:"keyserver,omitempty"`
44 | }
45 | 
46 | // Any reports whether any sort of authentication is configured.
47 | func (a Auth) Any() bool {
48 | 	return a.PSK != nil
49 | }
50 | 
51 | func (a *Auth) lint() ([]Warning, error) {
52 | 	return nil, nil
53 | }
54 | 
55 | // AuthKeyserver is the configuration for doing authentication with the Quay
56 | // keyserver protocol.
57 | //
58 | // The "Intraservice" key is only needed when the overall config mode is not
59 | // "combo".
60 | //
61 | // Deprecated: This authentication method was never used. It was planned for
62 | // integration with Quay, but ultimately the Quay team decided to remove the
63 | // keyserver feature altogether.
64 | type AuthKeyserver struct {
65 | 	API          string `yaml:"api" json:"api"`
66 | 	Intraservice Base64 `yaml:"intraservice" json:"intraservice"`
67 | }
68 | 
69 | func (a *AuthKeyserver) lint() ([]Warning, error) {
70 | 	return nil, &Warning{
71 | 		inner: fmt.Errorf(`authentication method deprecated: %w`, ErrDeprecated),
72 | 	}
73 | }
74 | 
75 | // AuthPSK is the configuration for doing pre-shared key based authentication.
76 | //
77 | // The "Issuer" key is what the service expects to verify as the "issuer" claim.
78 | type AuthPSK struct {
79 | 	Key    Base64   `yaml:"key" json:"key"`
80 | 	Issuer []string `yaml:"iss" json:"iss"`
81 | }
82 | 
83 | func (a *AuthPSK) validate(_ Mode) ([]Warning, error) {
84 | 	if len(a.Key) == 0 {
85 | 		return nil, &Warning{
86 | 			msg: "key is empty",
87 | 		}
88 | 	}
89 | 	if len(a.Issuer) == 0 {
90 | 		return nil, &Warning{
91 | 			path: ".iss",
92 | 			msg:  "no issuers defined",
93 | 		}
94 | 	}
95 | 	return nil, nil
96 | }
97 | 


--------------------------------------------------------------------------------
/config/auth_test.go:
--------------------------------------------------------------------------------
  1 | package config_test
  2 | 
  3 | import (
  4 | 	"bytes"
  5 | 	"encoding/json"
  6 | 	"testing"
  7 | 	"testing/quick"
  8 | 
  9 | 	"github.com/google/go-cmp/cmp"
 10 | 
 11 | 	"github.com/quay/clair/config"
 12 | )
 13 | 
 14 | func TestBase64(t *testing.T) {
 15 | 	roundtrip := func(in []byte) bool {
 16 | 		b1 := config.Base64(in)
 17 | 		txt, err := b1.MarshalText()
 18 | 		if err != nil {
 19 | 			return false
 20 | 		}
 21 | 		out := new(config.Base64)
 22 | 		if err := out.UnmarshalText(txt); err != nil {
 23 | 			return false
 24 | 		}
 25 | 		return bytes.Equal(in, []byte(*out))
 26 | 	}
 27 | 	if err := quick.Check(roundtrip, nil); err != nil {
 28 | 		t.Error(err)
 29 | 	}
 30 | }
 31 | 
 32 | func TestAuthUnmarshal(t *testing.T) {
 33 | 	t.Run("PSK", func(t *testing.T) {
 34 | 		type testcase struct {
 35 | 			In   string
 36 | 			Want config.AuthPSK
 37 | 		}
 38 | 		tt := []testcase{
 39 | 			{
 40 | 				In: `{"key":"ZGVhZGJlZWZkZWFkYmVlZg==","iss":["iss"]}`,
 41 | 				Want: config.AuthPSK{
 42 | 					Key:    []byte("deadbeefdeadbeef"),
 43 | 					Issuer: []string{"iss"},
 44 | 				},
 45 | 			},
 46 | 		}
 47 | 
 48 | 		check := func(t *testing.T, tc testcase) {
 49 | 			v := config.AuthPSK{}
 50 | 			if err := json.Unmarshal([]byte(tc.In), &v); err != nil {
 51 | 				t.Error(err)
 52 | 			}
 53 | 			if got, want := v, tc.Want; !cmp.Equal(got, want) {
 54 | 				t.Error(cmp.Diff(got, want))
 55 | 			}
 56 | 		}
 57 | 		for _, tc := range tt {
 58 | 			check(t, tc)
 59 | 		}
 60 | 	})
 61 | 
 62 | 	t.Run("Keyserver", func(t *testing.T) {
 63 | 		type testcase struct {
 64 | 			In   string
 65 | 			Want config.AuthKeyserver
 66 | 		}
 67 | 		tt := []testcase{
 68 | 			{
 69 | 				In: `{"api":"quay/keys","intraservice":"ZGVhZGJlZWZkZWFkYmVlZg=="}`,
 70 | 				Want: config.AuthKeyserver{
 71 | 					API:          "quay/keys",
 72 | 					Intraservice: []byte("deadbeefdeadbeef"),
 73 | 				},
 74 | 			},
 75 | 		}
 76 | 
 77 | 		check := func(t *testing.T, tc testcase) {
 78 | 			v := config.AuthKeyserver{}
 79 | 			if err := json.Unmarshal([]byte(tc.In), &v); err != nil {
 80 | 				t.Error(err)
 81 | 			}
 82 | 			if got, want := v, tc.Want; !cmp.Equal(got, want) {
 83 | 				t.Error(cmp.Diff(got, want))
 84 | 			}
 85 | 		}
 86 | 		for _, tc := range tt {
 87 | 			check(t, tc)
 88 | 		}
 89 | 	})
 90 | }
 91 | 
 92 | func TestAuthMarshal(t *testing.T) {
 93 | 	want := `{"key":"ZGVhZGJlZWZkZWFkYmVlZg==","iss":["iss"]}`
 94 | 	in := config.AuthPSK{
 95 | 		Key:    []byte("deadbeefdeadbeef"),
 96 | 		Issuer: []string{"iss"},
 97 | 	}
 98 | 	gotb, err := json.Marshal(in)
 99 | 	if err != nil {
100 | 		t.Error(err)
101 | 	}
102 | 	if got := string(gotb); !cmp.Equal(got, want) {
103 | 		t.Error(cmp.Diff(got, want))
104 | 	}
105 | }
106 | 


--------------------------------------------------------------------------------
/config/database.go:
--------------------------------------------------------------------------------
 1 | package config
 2 | 
 3 | import (
 4 | 	"net/url"
 5 | 	"os"
 6 | 	"strings"
 7 | )
 8 | 
 9 | func checkDSN(s string) (w []Warning, err error) {
10 | 	switch {
11 | 	case s == "":
12 | 		// Nothing specified, make sure something's in the environment.
13 | 		envSet := false
14 | 		for _, k := range os.Environ() {
15 | 			if strings.HasPrefix(k, `PG`) {
16 | 				envSet = true
17 | 				break
18 | 			}
19 | 		}
20 | 		if !envSet {
21 | 			w = append(w, Warning{
22 | 				msg: "connection string is empty and no relevant environment variables found",
23 | 			})
24 | 		}
25 | 	case strings.HasPrefix(s, "postgresql://"):
26 | 		// Looks like a URL
27 | 		if _, err := url.Parse(s); err != nil {
28 | 			w = append(w, Warning{inner: err})
29 | 		}
30 | 	case strings.ContainsRune(s, '='):
31 | 		// Looks like a DSN
32 | 	case strings.Contains(s, `://`):
33 | 		w = append(w, Warning{
34 | 			msg: "connection string looks like a URL but scheme is unrecognized",
35 | 		})
36 | 	default:
37 | 		w = append(w, Warning{
38 | 			msg: "unable to make sense of connection string",
39 | 		})
40 | 	}
41 | 	return w, nil
42 | }
43 | 


--------------------------------------------------------------------------------
/config/defaults.go:
--------------------------------------------------------------------------------
 1 | package config
 2 | 
 3 | import "time"
 4 | 
 5 | // These are defaults, used in the documented spots.
 6 | const (
 7 | 	// DefaultAddress is used if an "http_listen_addr" is not provided in the config.
 8 | 	DefaultAddress = ":6060"
 9 | 	// DefaultScanLockRetry is the default retry period for attempting locks
10 | 	// during the indexing process. Its name is a historical accident.
11 | 	DefaultScanLockRetry = 1
12 | 	// DefaultMatcherPeriod is the default interval for running updaters.
13 | 	DefaultMatcherPeriod = 6 * time.Hour
14 | 	// DefaultUpdateRetention is the number of updates per vulnerability
15 | 	// database to retain.
16 | 	DefaultUpdateRetention = 10
17 | 	// DefaultNotifierPollInterval is the default (and minimum) interval for the
18 | 	// notifier's change poll interval. The notifier will poll the database for
19 | 	// updated vulnerability databases at this rate.
20 | 	DefaultNotifierPollInterval = 6 * time.Hour
21 | 	// DefaultNotifierDeliveryInterval is the default (and minimum) interval for
22 | 	// the notifier's delivery interval. The notifier will attempt to deliver
23 | 	// outstanding notifications at this rate.
24 | 	DefaultNotifierDeliveryInterval = 1 * time.Hour
25 | )
26 | 


--------------------------------------------------------------------------------
/config/doc.go:
--------------------------------------------------------------------------------
 1 | // Package config is the configuration package for Clair's binaries. See the
 2 | // [Config] type for the main entry point.
 3 | //
 4 | // It's currently meant for reading configurations and tested against YAML and
 5 | // JSON.
 6 | //
 7 | // # Version Scheme
 8 | //
 9 | // This package uses an idiosyncratic versioning scheme:
10 | //
11 | //   - The major version tracks the input format.
12 | //   - The minor version tracks the Go source API.
13 | //   - The patch version increases with fixes and additions.
14 | //
15 | // This means that any valid configuration accepted by `v1.0.0` should continue
16 | // to be accepted for all revisions of the v1 module, but `v1.1.0` may force
17 | // changes on a program importing the module.
18 | package config
19 | 
20 | // This package can't use "omitempty" tags on slices because "not present" and
21 | // "empty" aren't distinguished. This would be much easier if code didn't
22 | // serialize our config struct. It's impossible to implement custom YAML
23 | // marshalling without importing the yaml.v3 package.
24 | 


--------------------------------------------------------------------------------
/config/enums.go:
--------------------------------------------------------------------------------
 1 | package config
 2 | 
 3 | import (
 4 | 	"encoding"
 5 | 	"errors"
 6 | 	"fmt"
 7 | 	"strings"
 8 | )
 9 | 
10 | //go:generate -command stringer go run golang.org/x/tools/cmd/stringer@v0.8.0
11 | //go:generate stringer -type Mode,LogLevel -linecomment -output enums_string.go
12 | 
13 | // A Mode is an operating mode recognized by Clair.
14 | //
15 | // This is not directly settable by serializing into a Config object.
16 | type Mode int
17 | 
18 | // Clair modes, with their string representations as the comments.
19 | const (
20 | 	ComboMode    Mode = iota // combo
21 | 	IndexerMode              // indexer
22 | 	MatcherMode              // matcher
23 | 	NotifierMode             // notifier
24 | )
25 | 
26 | // ParseMode returns a mode for the given string.
27 | //
28 | // The passed string is case-insensitive.
29 | func ParseMode(s string) (Mode, error) {
30 | 	for i, lim := 0, len(_Mode_index); i < lim; i++ {
31 | 		m := Mode(i)
32 | 		if strings.EqualFold(s, m.String()) {
33 | 			return m, nil
34 | 		}
35 | 	}
36 | 	return Mode(-1), fmt.Errorf(`unknown mode %q`, s)
37 | }
38 | 
39 | // A LogLevel is a log level recognized by Clair.
40 | //
41 | // The zero value is "info".
42 | type LogLevel int
43 | 
44 | // The recognized log levels, with their string representations as the comments.
45 | //
46 | // NB "Fatal" and "Panic" are not used in clair or claircore, and will result in
47 | // almost no logging.
48 | const (
49 | 	InfoLog       LogLevel = iota // info
50 | 	DebugColorLog                 // debug-color
51 | 	DebugLog                      // debug
52 | 	WarnLog                       // warn
53 | 	ErrorLog                      // error
54 | 	FatalLog                      // fatal
55 | 	PanicLog                      // panic
56 | )
57 | 
58 | // ParseLogLevel returns the log lever for the given string.
59 | //
60 | // The passed string is case-insensitive.
61 | func ParseLogLevel(s string) (LogLevel, error) {
62 | 	for i, lim := 0, len(_LogLevel_index); i < lim; i++ {
63 | 		l := LogLevel(i)
64 | 		if strings.EqualFold(s, l.String()) {
65 | 			return l, nil
66 | 		}
67 | 	}
68 | 	return LogLevel(-1), fmt.Errorf(`unknown log level %q`, s)
69 | }
70 | 
71 | // UnmarshalText implements encoding.TextUnmarshaler.
72 | func (l *LogLevel) UnmarshalText(b []byte) (err error) {
73 | 	*l, err = ParseLogLevel(string(b))
74 | 	if err != nil {
75 | 		return err
76 | 	}
77 | 	return nil
78 | }
79 | 
80 | // MarshalText implements encoding.TextMarshaler.
81 | func (l *LogLevel) MarshalText() ([]byte, error) {
82 | 	if l == nil {
83 | 		return nil, errors.New("invalid LogLevel pointer: <nil>")
84 | 	}
85 | 	i := *l
86 | 	if i < 0 || i >= LogLevel(len(_LogLevel_index)-1) {
87 | 		return nil, fmt.Errorf("invalid LogLevel: %q", l.String())
88 | 	}
89 | 	return []byte(_LogLevel_name[_LogLevel_index[i]:_LogLevel_index[i+1]]), nil
90 | }
91 | 
92 | // Assert LogLevel implements TextUnmarshaler and TextMarshaler.
93 | var (
94 | 	_ encoding.TextUnmarshaler = (*LogLevel)(nil)
95 | 	_ encoding.TextMarshaler   = (*LogLevel)(nil)
96 | )
97 | 


--------------------------------------------------------------------------------
/config/enums_string.go:
--------------------------------------------------------------------------------
 1 | // Code generated by "stringer -type Mode,LogLevel -linecomment -output enums_string.go"; DO NOT EDIT.
 2 | 
 3 | package config
 4 | 
 5 | import "strconv"
 6 | 
 7 | func _() {
 8 | 	// An "invalid array index" compiler error signifies that the constant values have changed.
 9 | 	// Re-run the stringer command to generate them again.
10 | 	var x [1]struct{}
11 | 	_ = x[ComboMode-0]
12 | 	_ = x[IndexerMode-1]
13 | 	_ = x[MatcherMode-2]
14 | 	_ = x[NotifierMode-3]
15 | }
16 | 
17 | const _Mode_name = "comboindexermatchernotifier"
18 | 
19 | var _Mode_index = [...]uint8{0, 5, 12, 19, 27}
20 | 
21 | func (i Mode) String() string {
22 | 	if i < 0 || i >= Mode(len(_Mode_index)-1) {
23 | 		return "Mode(" + strconv.FormatInt(int64(i), 10) + ")"
24 | 	}
25 | 	return _Mode_name[_Mode_index[i]:_Mode_index[i+1]]
26 | }
27 | func _() {
28 | 	// An "invalid array index" compiler error signifies that the constant values have changed.
29 | 	// Re-run the stringer command to generate them again.
30 | 	var x [1]struct{}
31 | 	_ = x[InfoLog-0]
32 | 	_ = x[DebugColorLog-1]
33 | 	_ = x[DebugLog-2]
34 | 	_ = x[WarnLog-3]
35 | 	_ = x[ErrorLog-4]
36 | 	_ = x[FatalLog-5]
37 | 	_ = x[PanicLog-6]
38 | }
39 | 
40 | const _LogLevel_name = "infodebug-colordebugwarnerrorfatalpanic"
41 | 
42 | var _LogLevel_index = [...]uint8{0, 4, 15, 20, 24, 29, 34, 39}
43 | 
44 | func (i LogLevel) String() string {
45 | 	if i < 0 || i >= LogLevel(len(_LogLevel_index)-1) {
46 | 		return "LogLevel(" + strconv.FormatInt(int64(i), 10) + ")"
47 | 	}
48 | 	return _LogLevel_name[_LogLevel_index[i]:_LogLevel_index[i+1]]
49 | }
50 | 


--------------------------------------------------------------------------------
/config/enums_test.go:
--------------------------------------------------------------------------------
 1 | package config_test
 2 | 
 3 | import (
 4 | 	"bytes"
 5 | 	"testing"
 6 | 
 7 | 	"github.com/quay/clair/config"
 8 | )
 9 | 
10 | func TestEnumMarshal(t *testing.T) {
11 | 	t.Run("LogLevel", func(t *testing.T) {
12 | 		tt := [][]byte{
13 | 			[]byte("info"),
14 | 			[]byte("debug-color"),
15 | 			[]byte("debug"),
16 | 			[]byte("warn"),
17 | 			[]byte("error"),
18 | 			[]byte("fatal"),
19 | 			[]byte("panic"),
20 | 		}
21 | 		t.Run("Marshal", func(t *testing.T) {
22 | 			for i, want := range tt {
23 | 				l := config.LogLevel(i)
24 | 				got, err := l.MarshalText()
25 | 				if err != nil {
26 | 					t.Error(err)
27 | 					continue
28 | 				}
29 | 				if !bytes.Equal(got, want) {
30 | 					t.Errorf("got: %q, want: %q", got, want)
31 | 				}
32 | 			}
33 | 		})
34 | 		t.Run("Unmarshal", func(t *testing.T) {
35 | 			for want, in := range tt {
36 | 				var l config.LogLevel
37 | 				if err := l.UnmarshalText(in); err != nil {
38 | 					t.Error(err)
39 | 					continue
40 | 				}
41 | 				if got := int(l); got != want {
42 | 					t.Errorf("got: %q, want: %q", got, want)
43 | 				}
44 | 			}
45 | 		})
46 | 	})
47 | }
48 | 


--------------------------------------------------------------------------------
/config/go.mod:
--------------------------------------------------------------------------------
1 | module github.com/quay/clair/config
2 | 
3 | go 1.22.0
4 | 
5 | require github.com/google/go-cmp v0.7.0
6 | 


--------------------------------------------------------------------------------
/config/go.sum:
--------------------------------------------------------------------------------
1 | github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
2 | github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
3 | 


--------------------------------------------------------------------------------
/config/lint.go:
--------------------------------------------------------------------------------
 1 | package config
 2 | 
 3 | import (
 4 | 	"errors"
 5 | 	"strings"
 6 | )
 7 | 
 8 | // Lint runs lints on the provided Config.
 9 | //
10 | // An error is reported only if an error occurred while running the lints. An
11 | // invalid Config may still report a nil error along with a slice of Warnings.
12 | //
13 | // Most validation steps run by Validate will also run lints.
14 | func Lint(c *Config) ([]Warning, error) {
15 | 	return forEach(c, func(i interface{}) ([]Warning, error) {
16 | 		if l, ok := i.(linter); ok {
17 | 			return l.lint()
18 | 		}
19 | 		return nil, nil
20 | 	})
21 | }
22 | 
23 | // Types in this package can implement this interface to report common issues or
24 | // deprecation warnings.
25 | type linter interface {
26 | 	lint() ([]Warning, error)
27 | }
28 | 
29 | // Warning is a linter warning.
30 | //
31 | // Users can treat them like errors and use the sentinel values exported by this
32 | // package.
33 | type Warning struct {
34 | 	inner error
35 | 	path  string // json-schema style path
36 | 	msg   string
37 | }
38 | 
39 | // Should have inner xor msg
40 | 
41 | func (w *Warning) Error() string {
42 | 	var b strings.Builder
43 | 	if w.inner != nil {
44 | 		b.WriteString(w.inner.Error())
45 | 	} else {
46 | 		b.WriteString(w.msg)
47 | 	}
48 | 	b.WriteString(" (at ")
49 | 	b.WriteString(w.path)
50 | 	b.WriteRune(')')
51 | 	return b.String()
52 | }
53 | 
54 | func (w *Warning) Unwrap() error { return w.inner }
55 | 
56 | // These are some common kinds of Warnings.
57 | var (
58 | 	ErrDeprecated = errors.New("setting will be removed in a future release")
59 | )
60 | 


--------------------------------------------------------------------------------
/config/lint_test.go:
--------------------------------------------------------------------------------
 1 | package config
 2 | 
 3 | import (
 4 | 	"fmt"
 5 | 	"os"
 6 | 	"strings"
 7 | )
 8 | 
 9 | func init() {
10 | 	// Forcibly clear PostgreSQL environment variables to get consistent example
11 | 	// results:
12 | 	for _, kv := range os.Environ() {
13 | 		k, _, _ := strings.Cut(kv, "=")
14 | 		if strings.HasPrefix(k, `PG`) {
15 | 			os.Unsetenv(k)
16 | 		}
17 | 	}
18 | }
19 | 
20 | func ExampleLint() {
21 | 	var c Config
22 | 	c.Auth.PSK = &AuthPSK{}
23 | 	ws, err := Lint(&c)
24 | 	fmt.Println("error:", err)
25 | 	for _, w := range ws {
26 | 		fmt.Printf("warning: %v\n", &w)
27 | 	}
28 | 	// Output:
29 | 	// error: <nil>
30 | 	// warning: http listen address not provided, default will be used (at $.http_listen_addr)
31 | 	// warning: introspection address not provided, default will be used (at $.introspection_addr)
32 | 	// warning: connection string is empty and no relevant environment variables found (at $.indexer.connstring)
33 | 	// warning: connection string is empty and no relevant environment variables found (at $.matcher.connstring)
34 | 	// warning: updater period is very aggressive: most sources are updated daily (at $.matcher.period)
35 | 	// warning: update garbage collection is off (at $.matcher.update_retention)
36 | 	// warning: connection string is empty and no relevant environment variables found (at $.notifier.connstring)
37 | 	// warning: interval is very fast: may result in increased workload (at $.notifier.poll_interval)
38 | 	// warning: interval is very fast: may result in increased workload (at $.notifier.delivery_interval)
39 | }
40 | 


--------------------------------------------------------------------------------
/config/matchers.go:
--------------------------------------------------------------------------------
 1 | package config
 2 | 
 3 | // Matchers configures the individual matchers run by the matcher system.
 4 | type Matchers struct {
 5 | 	// Config holds configuration blocks for MatcherFactories and Matchers,
 6 | 	// keyed by name.
 7 | 	Config map[string]interface{} `yaml:"config,omitempty" json:"config,omitempty"`
 8 | 	// A slice of strings representing which matchers will be used.
 9 | 	//
10 | 	// If nil all default Matchers will be used
11 | 	//
12 | 	// The following names are supported by default:
13 | 	// "alpine"
14 | 	// "aws"
15 | 	// "debian"
16 | 	// "oracle"
17 | 	// "photon"
18 | 	// "python"
19 | 	// "rhel"
20 | 	// "suse"
21 | 	// "ubuntu"
22 | 	// "crda" - remotematcher calls hosted api via RPC.
23 | 	Names []string `yaml:"names,omitempty" json:"names,omitempty"`
24 | }
25 | 


--------------------------------------------------------------------------------
/config/otlpcompressor_string.go:
--------------------------------------------------------------------------------
 1 | // Code generated by "stringer -type OTLPCompressor -linecomment"; DO NOT EDIT.
 2 | 
 3 | package config
 4 | 
 5 | import "strconv"
 6 | 
 7 | func _() {
 8 | 	// An "invalid array index" compiler error signifies that the constant values have changed.
 9 | 	// Re-run the stringer command to generate them again.
10 | 	var x [1]struct{}
11 | 	_ = x[OTLPCompressUnset-0]
12 | 	_ = x[OTLPCompressNone-1]
13 | 	_ = x[OTLPCompressGzip-2]
14 | }
15 | 
16 | const _OTLPCompressor_name = "nonegzip"
17 | 
18 | var _OTLPCompressor_index = [...]uint8{0, 0, 4, 8}
19 | 
20 | func (i OTLPCompressor) String() string {
21 | 	if i < 0 || i >= OTLPCompressor(len(_OTLPCompressor_index)-1) {
22 | 		return "OTLPCompressor(" + strconv.FormatInt(int64(i), 10) + ")"
23 | 	}
24 | 	return _OTLPCompressor_name[_OTLPCompressor_index[i]:_OTLPCompressor_index[i+1]]
25 | }
26 | 


--------------------------------------------------------------------------------
/config/reflect.go:
--------------------------------------------------------------------------------
 1 | package config
 2 | 
 3 | import (
 4 | 	"fmt"
 5 | 	"reflect"
 6 | 	"strings"
 7 | )
 8 | 
 9 | type walkFunc func(interface{}) ([]Warning, error)
10 | 
11 | func forEach(i interface{}, f walkFunc) ([]Warning, error) {
12 | 	var ws []Warning
13 | 	v := reflect.ValueOf(i)
14 | 	return ws, walk(&ws, "$", v, f)
15 | }
16 | 
17 | func walk(ws *[]Warning, path string, v reflect.Value, wf walkFunc) error {
18 | 	t := v.Type()
19 | 	var vi interface{}
20 | 	// Figure out if we should take the address to do the interface
21 | 	// assertion, or if the value is already a pointer.
22 | 	switch {
23 | 	case t.Kind() != reflect.Ptr && v.CanAddr():
24 | 		vi = v.Addr().Interface()
25 | 	case v.CanInterface() && v.IsValid() && !v.IsZero():
26 | 		vi = v.Interface()
27 | 	}
28 | 
29 | 	if vi != nil {
30 | 		w, err := wf(vi)
31 | 		if err != nil {
32 | 			return err
33 | 		}
34 | 		for i := range w {
35 | 			// Adjust the path here, so that the lint method doesn't need to
36 | 			// know where it is.
37 | 			w[i].path = path + w[i].path
38 | 		}
39 | 		*ws = append(*ws, w...)
40 | 	}
41 | 
42 | 	// Dereference the pointer, if this is a pointer.
43 | 	if t.Kind() == reflect.Ptr {
44 | 		t = t.Elem()
45 | 		v = v.Elem()
46 | 	}
47 | 	if !v.IsValid() {
48 | 		return nil
49 | 	}
50 | 	switch t.Kind() {
51 | 	case reflect.Struct:
52 | 		for i, lim := 0, t.NumField(); i < lim; i++ {
53 | 			f := t.Field(i)
54 | 			n := f.Name
55 | 			if t := f.Tag.Get("json"); t != "" && t != "-" {
56 | 				// Handle the comma options.
57 | 				if i := strings.IndexByte(t, ','); i != -1 {
58 | 					t = t[:i]
59 | 				}
60 | 				n = t
61 | 			}
62 | 			p := fmt.Sprintf(`%s.%s`, path, n)
63 | 			if err := walk(ws, p, v.Field(i), wf); err != nil {
64 | 				return err
65 | 			}
66 | 		}
67 | 	case reflect.Map:
68 | 		i := v.MapRange()
69 | 		for i.Next() {
70 | 			p := fmt.Sprintf(`%s.[%s]`, path, i.Key().String())
71 | 			if err := walk(ws, p, i.Value(), wf); err != nil {
72 | 				return err
73 | 			}
74 | 
75 | 		}
76 | 	case reflect.Slice:
77 | 		for i, lim := 0, v.Len(); i < lim; i++ {
78 | 			p := fmt.Sprintf(`%s.[%d]`, path, i)
79 | 			if err := walk(ws, p, v.Index(i), wf); err != nil {
80 | 				return err
81 | 			}
82 | 		}
83 | 	default:
84 | 		// everything else, just pass
85 | 	}
86 | 	return nil
87 | }
88 | 


--------------------------------------------------------------------------------
/config/tags_test.go:
--------------------------------------------------------------------------------
 1 | package config
 2 | 
 3 | import (
 4 | 	"reflect"
 5 | 	"testing"
 6 | )
 7 | 
 8 | // TestTags checks that exported types and fields used in the root Config struct
 9 | // have struct tags.
10 | func TestTags(t *testing.T) {
11 | 	t.Logf("checking for: %v", wanttags)
12 | 	nt := reflect.TypeOf(Config{})
13 | 	t.Run(nt.Name(), func(t *testing.T) { typecheck(t, nt) })
14 | }
15 | 
16 | var wanttags = []string{`json`, `yaml`}
17 | 
18 | func typecheck(t *testing.T, typ reflect.Type) {
19 | 	for i, lim := 0, typ.NumField(); i < lim; i++ {
20 | 		f := typ.Field(i)
21 | 		if !f.IsExported() {
22 | 			continue
23 | 		}
24 | 		// track the number of names for this field
25 | 		vals := make(map[string]struct{})
26 | 		// track which tag has which name
27 | 		tagval := make(map[string]string)
28 | 		// If embedded, there shouldn't be any tags.
29 | 		if f.Anonymous {
30 | 			if f.Tag != "" {
31 | 				t.Errorf("%s.%s: unexpected tag %q", typ.Name(), f.Name, f.Tag)
32 | 			}
33 | 			goto Recurse
34 | 		}
35 | 		for _, n := range wanttags {
36 | 			if v, ok := f.Tag.Lookup(n); !ok {
37 | 				t.Errorf("%s.%s: missing %q tag", typ.Name(), f.Name, n)
38 | 			} else {
39 | 				vals[v] = struct{}{}
40 | 				tagval[n] = v
41 | 			}
42 | 		}
43 | 		if len(vals) != 1 {
44 | 			t.Errorf("different names for %q: %v", f.Name, tagval)
45 | 		}
46 | 	Recurse:
47 | 		// Recurse on structs and pointers-to-structs.
48 | 		switch nt := f.Type; nt.Kind() {
49 | 		case reflect.Ptr:
50 | 			pt := nt.Elem()
51 | 			if pt.Kind() != reflect.Struct {
52 | 				break
53 | 			}
54 | 			nt = nt.Elem()
55 | 			fallthrough
56 | 		case reflect.Struct:
57 | 			t.Run(nt.Name(), func(t *testing.T) { typecheck(t, nt) })
58 | 		}
59 | 	}
60 | }
61 | 


--------------------------------------------------------------------------------
/config/tls.go:
--------------------------------------------------------------------------------
 1 | package config
 2 | 
 3 | import (
 4 | 	"crypto/tls"
 5 | 	"crypto/x509"
 6 | 	"errors"
 7 | 	"fmt"
 8 | 	"os"
 9 | )
10 | 
11 | // TLS describes some TLS settings.
12 | //
13 | // Some uses of this type ignore the RootCA member; see the documentation at the
14 | // use site to determine if that's the case.
15 | //
16 | // Using the environment variables "SSL_CERT_DIR" or "SSL_CERT_FILE" or
17 | // modifying the system's trust store are the ways to modify root CAs for all
18 | // outgoing TLS connections.
19 | type TLS struct {
20 | 	// The filesystem path where a root CA can be read.
21 | 	//
22 | 	// This can also be controlled by the SSL_CERT_FILE and SSL_CERT_DIR
23 | 	// environment variables, or adding the relevant certs to the system trust
24 | 	// store.
25 | 	RootCA string `yaml:"root_ca" json:"root_ca"`
26 | 	// The filesystem path where a TLS certificate can be read.
27 | 	Cert string `yaml:"cert" json:"cert"`
28 | 	// The filesystem path where a TLS private key can be read.
29 | 	Key string `yaml:"key" json:"key"`
30 | }
31 | 
32 | // Config returns a tls.Config modified according to the TLS struct.
33 | //
34 | // If the *TLS is nil, a default tls.Config is returned.
35 | func (t *TLS) Config() (*tls.Config, error) {
36 | 	var cfg tls.Config
37 | 	if t == nil {
38 | 		return &cfg, nil
39 | 	}
40 | 
41 | 	if t.RootCA != "" {
42 | 		p, err := x509.SystemCertPool()
43 | 		if err != nil {
44 | 			return nil, err
45 | 		}
46 | 		ca, err := os.ReadFile(t.RootCA)
47 | 		if err != nil {
48 | 			return nil, fmt.Errorf("failed to read tls root ca: %w", err)
49 | 		}
50 | 		if !p.AppendCertsFromPEM(ca) {
51 | 			return nil, errors.New("unable to add certificate to pool")
52 | 		}
53 | 		cfg.RootCAs = p
54 | 	}
55 | 
56 | 	cert, err := tls.LoadX509KeyPair(t.Cert, t.Key)
57 | 	if err != nil {
58 | 		return nil, fmt.Errorf("failed to read x509 cert and key pair: %w", err)
59 | 	}
60 | 	cfg.Certificates = append(cfg.Certificates, cert)
61 | 	cfg.MinVersion = tls.VersionTLS12
62 | 
63 | 	return &cfg, nil
64 | }
65 | 
66 | func (t *TLS) lint() ([]Warning, error) {
67 | 	if t.RootCA != "" {
68 | 		return []Warning{{
69 | 			path:  ".root_ca",
70 | 			inner: fmt.Errorf(`use environment variables "SSL_CERT_FILE" or "SSL_CERT_DIR": %w`, ErrDeprecated),
71 | 		}}, nil
72 | 	}
73 | 	return nil, nil
74 | }
75 | 
76 | func (t *TLS) validate(_ Mode) ([]Warning, error) {
77 | 	if (t.Cert != "" || t.Key != "") && (t.Cert == "" || t.Key == "") {
78 | 		return nil, errors.New("both tls cert and key are required")
79 | 	}
80 | 	for _, n := range []string{t.RootCA, t.Cert, t.Key} {
81 | 		if n == "" {
82 | 			continue
83 | 		}
84 | 		_, err := os.Stat(n)
85 | 		if err != nil {
86 | 			return nil, fmt.Errorf(`error accessing %q: %w`, n, err)
87 | 		}
88 | 	}
89 | 	return nil, nil
90 | }
91 | 


--------------------------------------------------------------------------------
/config/updaters.go:
--------------------------------------------------------------------------------
 1 | package config
 2 | 
 3 | // Updaters configures updater behavior.
 4 | type Updaters struct {
 5 | 	// Filter is a regexp that disallows updaters that do not match from
 6 | 	// running.
 7 | 	// TODO(louis): this is only used in clairctl, should we keep this?
 8 | 	// it may offer an escape hatch for a particular updater name
 9 | 	// from running, vs disabling the updater set completely.
10 | 	Filter string `yaml:"filter,omitempty" json:"filter,omitempty"`
11 | 	// Config holds configuration blocks for UpdaterFactories and Updaters,
12 | 	// keyed by name.
13 | 	//
14 | 	// These are defined by the updater implementation and can't be documented
15 | 	// here. Improving the documentation for these is an open issue.
16 | 	Config map[string]interface{} `yaml:"config,omitempty" json:"config,omitempty"`
17 | 	// A slice of strings representing which updaters will be used.
18 | 	//
19 | 	// If nil all default UpdaterSets will be used
20 | 	//
21 | 	// The following sets are supported by default:
22 | 	// "alpine"
23 | 	// "aws"
24 | 	// "clair.cvss"
25 | 	// "debian"
26 | 	// "oracle"
27 | 	// "osv"
28 | 	// "photon"
29 | 	// "rhcc"
30 | 	// "rhel-vex"
31 | 	// "suse"
32 | 	// "ubuntu"
33 | 	Sets []string `yaml:"sets,omitempty" json:"sets,omitempty"`
34 | }
35 | 


--------------------------------------------------------------------------------
/config/validate.go:
--------------------------------------------------------------------------------
 1 | package config
 2 | 
 3 | // Validate confirms the necessary values to support the desired Clair mode
 4 | // exist and sets default values.
 5 | func Validate(c *Config) ([]Warning, error) {
 6 | 	return forEach(c, func(i interface{}) ([]Warning, error) {
 7 | 		if v, ok := i.(validator); ok {
 8 | 			return v.validate(c.Mode)
 9 | 		}
10 | 		return nil, nil
11 | 	})
12 | }
13 | 
14 | // Types that want complex defaults or to fail validation can implement the
15 | // validator interface.
16 | type validator interface {
17 | 	validate(Mode) ([]Warning, error)
18 | }
19 | 


--------------------------------------------------------------------------------
/contrib/cmd/quaybackstop/Dockerfile:
--------------------------------------------------------------------------------
 1 | # syntax=docker.io/docker/dockerfile:1.7
 2 | 
 3 | # Copyright 2024 clair authors
 4 | #
 5 | # Licensed under the Apache License, Version 2.0 (the "License");
 6 | # you may not use this file except in compliance with the License.
 7 | # You may obtain a copy of the License at
 8 | #
 9 | #     http://www.apache.org/licenses/LICENSE-2.0
10 | #
11 | # Unless required by applicable law or agreed to in writing, software
12 | # distributed under the License is distributed on an "AS IS" BASIS,
13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 | # See the License for the specific language governing permissions and
15 | # limitations under the License.
16 | 
17 | # This Dockerfile expects the context to be the root of the repo, e.g.:
18 | #     go run github.com/moby/buildkit/cmd/buildctl@latest build \
19 | #     --frontend dockerfile.v0 \
20 | #     --local context=. --local dockerfile=contrib/cmd/quaybackstop
21 | 
22 | ARG GOTOOLCHAIN=local
23 | ARG GO_VERSION=1.23
24 | FROM --platform=$BUILDPLATFORM quay.io/projectquay/golang:${GO_VERSION} AS build
25 | WORKDIR /build
26 | RUN --mount=type=cache,target=/root/.cache/go-build \
27 | 	--mount=type=cache,target=/go/pkg/mod \
28 | 	--mount=type=bind,source=go.mod,target=go.mod \
29 | 	--mount=type=bind,source=go.sum,target=go.sum \
30 | 	go mod download
31 | 
32 | ARG TARGETOS
33 | ARG TARGETARCH
34 | ARG TARGETVARIANT
35 | RUN --mount=type=bind,target=. \
36 | 	--mount=type=cache,target=/root/.cache/go-build \
37 | 	--mount=type=cache,target=/go/pkg/mod \
38 | 	--network=none \
39 | 	<<.
40 | set -e
41 | export GOOS="$TARGETOS" GOARCH="$TARGETARCH" GOBIN=/out/bin CGO_ENABLED=0
42 | if [ -n "$TARGETVARIANT" ]; then
43 | 	case "$TARGETARCH" in
44 | 	amd64)  export GOAMD64="$TARGETVARIANT" ;;
45 | 	ppc64*) export GOPPC64="$TARGETVARIANT" ;;
46 | 	esac
47 | fi
48 | install -d "${GOBIN}"
49 | go build -ldflags="-s -w" -trimpath -o "${GOBIN}" ./contrib/cmd/quaybackstop
50 | .
51 | 
52 | FROM gcr.io/distroless/static:nonroot AS final
53 | COPY --from=build /out/bin/quaybackstop /
54 | WORKDIR /run
55 | USER 65532:65532
56 | ENTRYPOINT ["/quaybackstop"]
57 | 


--------------------------------------------------------------------------------
/contrib/cmd/quaybackstop/main_old.go:
--------------------------------------------------------------------------------
 1 | //go:build !go1.23
 2 | 
 3 | package main
 4 | 
 5 | import (
 6 | 	"fmt"
 7 | 	"os"
 8 | )
 9 | 
10 | func main() {
11 | 	fmt.Fprintln(os.Stderr, "This command was compiled with an old go version: 1.23 or greater is required.")
12 | 	os.Exit(2)
13 | }
14 | 


--------------------------------------------------------------------------------
/contrib/cmd/quaybackstop/sig_linux.go:
--------------------------------------------------------------------------------
 1 | //go:build linux
 2 | 
 3 | package main
 4 | 
 5 | import (
 6 | 	"os"
 7 | 	"syscall"
 8 | )
 9 | 
10 | var signals = []os.Signal{
11 | 	syscall.SIGTERM, syscall.SIGINT, syscall.SIGHUP,
12 | }
13 | 


--------------------------------------------------------------------------------
/contrib/cmd/quaybackstop/sig_other.go:
--------------------------------------------------------------------------------
1 | //go:build !linux
2 | 
3 | package main
4 | 
5 | import "os"
6 | 
7 | var signals = []os.Signal{}
8 | 


--------------------------------------------------------------------------------
/contrib/openshift/grafana/dashboard-clair.configmap.yaml.tpl:
--------------------------------------------------------------------------------
 1 | # WARNING: This is generated from local-dev/grafana/data/dashboards/dashboard.json
 2 | # please modify there and run make contrib/openshift/grafana/dashboards/dashboard-clair.configmap.yaml
 3 | apiVersion: v1
 4 | kind: ConfigMap
 5 | metadata:
 6 |   creationTimestamp: null
 7 |   name: grafana-dashboard-clair
 8 |   labels:
 9 |     grafana_dashboard: "true"
10 |   annotations:
11 |     grafana-folder: /grafana-dashboard-definitions/Clair
12 | data:
13 |   clair-dashboard.json: |-
14 | GRAFANA_MANIFEST
15 | 


--------------------------------------------------------------------------------
/contrib/openshift/manifests/db-job.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | apiVersion: v1
 3 | kind: Template
 4 | metadata:
 5 |   name: clair-db-jobs
 6 | parameters:
 7 | - name: SUBCOMMAND
 8 |   value: "pre"
 9 |   required: true
10 | - name: VERSION
11 |   value: ""
12 |   required: true
13 | - name: IMAGE
14 |   value: "quay.io/app-sre/clair"
15 |   required: true
16 | - name: IMAGE_TAG
17 |   value: ""
18 |   required: true
19 | - name: JOB_NAME
20 |   value: ""
21 |   required: true
22 | - name: SERVICE_ACCOUNT
23 |   value: "clair"
24 |   displayName: clair service account
25 |   required: true
26 | - name: SECRET_NAME
27 |   value: "config"
28 |   displayName: Name of the config secret
29 |   required: true
30 | 
31 | objects:
32 | - apiVersion: batch/v1
33 |   kind: Job
34 |   metadata:
35 |     name: clair-db-jobs-${JOB_NAME}
36 |   spec:
37 |     template:
38 |       metadata:
39 |         labels:
40 |           app: clair-db-jobs-${JOB_NAME}
41 |       spec:
42 |         serviceAccountName: ${{SERVICE_ACCOUNT}}
43 |         volumes:
44 |           - name: clair-config
45 |             secret:
46 |               secretName: ${{SECRET_NAME}}
47 |         backoffLimit: 1
48 |         completions: 1
49 |         parallelism: 1
50 |         restartPolicy: Never
51 |         containers:
52 |         - name: clair-db-jobs-${JOB_NAME}
53 |           image: ${IMAGE}:${IMAGE_TAG}
54 |           resources:
55 |             limits:
56 |               cpu: 100m
57 |               memory: 128Mi
58 |             requests:
59 |               cpu: 100m
60 |               memory: 128Mi
61 |           command: [clairctl]
62 |           args:
63 |           - "-D"
64 |           - "--config"
65 |           - "/etc/clair/config.yaml"
66 |           - "admin"
67 |           - ${SUBCOMMAND}
68 |           - ${VERSION}
69 |           volumeMounts:
70 |           - name: clair-config
71 |             mountPath: /etc/clair
72 | 
73 | 


--------------------------------------------------------------------------------
/contrib/openshift/pr_check.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/bash
 2 | set -euo pipefail
 3 | [ -n "${DEBUG-}" ] && set -x
 4 | 
 5 | # This should be run from the repo root, but enforce that:
 6 | pushd "$(git rev-parse --show-toplevel)"
 7 | ./contrib/openshift/build_and_deploy.sh "-n${-//[^x]}${SKIP_LOGIN:+z}"
 8 | popd
 9 | 
10 | # If anything specific for the quay.io Clair instance needs to happen, add that here.
11 | 


--------------------------------------------------------------------------------
/etc/.gitignore:
--------------------------------------------------------------------------------
1 | config.local.mk
2 | 


--------------------------------------------------------------------------------
/etc/dist.mk:
--------------------------------------------------------------------------------
 1 | # The "dist" target builds a dist archive at git revision "VERSION".
 2 | .PHONY: dist
 3 | dist: clair-$(VERSION).tar.gz
 4 | 
 5 | # Clair-%.tar.gz builds a dist archive using the state of the tree at the commit
 6 | # indicated by the pattern.
 7 | clair-%.tar.gz: vendor/modules.txt
 8 | 	tarball=$(subst .gz,,$@)
 9 | 	prefix=$(subst .tar.gz,/,$@)
10 | 	$(git_archive) --format tar\
11 | 		--prefix "$$prefix"\
12 | 		--output "$$tarball"\
13 | 		$*
14 | 	dt=$$(tar --list --file "$$tarball" --utc --full-time "$${prefix}go.mod" | awk '{print $$4 "T" $$5 "Z"}')
15 | 	tar --append --file "$$tarball"\
16 | 		--transform "s,^,$${prefix},"\
17 | 		--mtime "$$(date -Iseconds --date $$dt)"\
18 | 		--sort name\
19 | 		--pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime\
20 | 		vendor
21 | 	gzip -n -q -f "$$tarball"
22 | rm_pat += clair-*.tar.gz
23 | 


--------------------------------------------------------------------------------
/etc/doc.mk:
--------------------------------------------------------------------------------
1 | # Book builds the documentation into the `book` directory.
2 | book:
3 | 	mdbook build
4 | rm_pat += book
5 | 


--------------------------------------------------------------------------------
/health/readinesshandler.go:
--------------------------------------------------------------------------------
 1 | package health
 2 | 
 3 | import (
 4 | 	"net/http"
 5 | 	"sync/atomic"
 6 | )
 7 | 
 8 | var ready *uint32 = new(uint32)
 9 | 
10 | // Ready instructs the ReadinessHandler to begin serving 200 OK status.
11 | func Ready() {
12 | 	atomic.StoreUint32(ready, uint32(1))
13 | }
14 | 
15 | // Unready instructs the ReadinessHandler to begin serving 503
16 | // Service Unavailable.
17 | func Unready() {
18 | 	atomic.StoreUint32(ready, uint32(0))
19 | }
20 | 
21 | // ReadinessHandler will return a 200 OK or 503 "Service Unavailable" status
22 | // depending on whether the Ready or Unready functions have been called.
23 | //
24 | // The Ready() method must be called to begin returning 200 OK.
25 | func ReadinessHandler() http.Handler {
26 | 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
27 | 		h := w.Header()
28 | 		h.Set("X-Content-Type-Options", "nosniff")
29 | 		h.Set("Content-Type", "text/plain; charset=utf-8")
30 | 		h.Set("Content-Length", "0")
31 | 		h.Set("Cache-Control", "no-store")
32 | 		if r.Method != http.MethodGet {
33 | 			w.WriteHeader(http.StatusMethodNotAllowed)
34 | 			return
35 | 		}
36 | 
37 | 		if atomic.LoadUint32(ready) != 1 {
38 | 			w.WriteHeader(http.StatusServiceUnavailable)
39 | 		}
40 | 	})
41 | }
42 | 


--------------------------------------------------------------------------------
/health/readinesshandler_test.go:
--------------------------------------------------------------------------------
 1 | package health_test
 2 | 
 3 | import (
 4 | 	"context"
 5 | 	"net/http"
 6 | 	"net/http/httptest"
 7 | 	"testing"
 8 | 
 9 | 	"github.com/quay/clair/v4/health"
10 | 	"github.com/quay/clair/v4/internal/httputil"
11 | )
12 | 
13 | func TestReadinessHandler(t *testing.T) {
14 | 	ctx := context.Background()
15 | 	server := httptest.NewServer(health.ReadinessHandler())
16 | 	client := server.Client()
17 | 
18 | 	req, err := httputil.NewRequestWithContext(ctx, http.MethodGet, server.URL, nil)
19 | 	if err != nil {
20 | 		t.Fatalf("failed to create request: %v", err)
21 | 	}
22 | 	// default handler state should return StatusServiceUnavailable
23 | 	resp, err := client.Do(req)
24 | 	if err != nil {
25 | 		t.Fatalf("failed to do request: %v", err)
26 | 	}
27 | 	if resp.StatusCode != http.StatusServiceUnavailable {
28 | 		t.Fatalf("expected %d got %d", http.StatusServiceUnavailable, resp.StatusCode)
29 | 	}
30 | 
31 | 	// signal to handler that process is ready. should return StatusOK
32 | 	health.Ready()
33 | 	resp, err = client.Do(req)
34 | 	if err != nil {
35 | 		t.Fatalf("failed to do request: %v", err)
36 | 	}
37 | 	if resp.StatusCode != http.StatusOK {
38 | 		t.Fatalf("expected %d got %d", http.StatusOK, resp.StatusCode)
39 | 	}
40 | 
41 | 	// signal to handler that process is unready. should return StatusServiceUnavailable
42 | 	health.Unready()
43 | 	resp, err = client.Do(req)
44 | 	if err != nil {
45 | 		t.Fatalf("failed to do request: %v", err)
46 | 	}
47 | 	if resp.StatusCode != http.StatusServiceUnavailable {
48 | 		t.Fatalf("expected %d got %d", http.StatusServiceUnavailable, resp.StatusCode)
49 | 	}
50 | }
51 | 


--------------------------------------------------------------------------------
/httptransport/auth.go:
--------------------------------------------------------------------------------
 1 | package httptransport
 2 | 
 3 | import (
 4 | 	"errors"
 5 | 	"net/http"
 6 | 
 7 | 	"github.com/quay/clair/config"
 8 | 
 9 | 	"github.com/quay/clair/v4/middleware/auth"
10 | )
11 | 
12 | // AuthHandler returns an http.Handler wrapping the provided Handler, as
13 | // described by the provided Config.
14 | func authHandler(cfg *config.Config, next http.Handler) (http.Handler, error) {
15 | 	var checks []auth.Checker
16 | 
17 | 	// Keep this ordered "best" to "worst".
18 | 	switch {
19 | 	case cfg.Auth.PSK != nil:
20 | 		cfg := cfg.Auth.PSK
21 | 		issuers := make([]string, 0, 1+len(cfg.Issuer))
22 | 		issuers = append(issuers, IntraserviceIssuer)
23 | 		issuers = append(issuers, cfg.Issuer...)
24 | 
25 | 		psk, err := auth.NewPSK(cfg.Key, issuers)
26 | 		if err != nil {
27 | 			return nil, err
28 | 		}
29 | 		checks = append(checks, psk)
30 | 	case cfg.Auth.Keyserver != nil:
31 | 		return nil, errors.New("quay keyserver support has been removed")
32 | 	default:
33 | 		return next, nil
34 | 	}
35 | 
36 | 	return auth.Handler(next, checks...), nil
37 | }
38 | 


--------------------------------------------------------------------------------
/httptransport/concurrentlimit.go:
--------------------------------------------------------------------------------
 1 | package httptransport
 2 | 
 3 | import (
 4 | 	"net/http"
 5 | 
 6 | 	"github.com/prometheus/client_golang/prometheus"
 7 | 	"github.com/prometheus/client_golang/prometheus/promauto"
 8 | 	"github.com/quay/zlog"
 9 | 	"golang.org/x/sync/semaphore"
10 | )
11 | 
12 | var concurrentLimitedCounter = promauto.NewCounterVec(
13 | 	prometheus.CounterOpts{
14 | 		Namespace: metricNamespace,
15 | 		Subsystem: metricSubsystem,
16 | 		Name:      "concurrencylimited_total",
17 | 		Help:      "Total number of requests that have been concurrency limited.",
18 | 	},
19 | 	[]string{"endpoint", "method"},
20 | )
21 | 
22 | // LimitHandler is a wrapper to help with concurrency limiting. This is slightly
23 | // more complicated than the naive approach to allow for filtering on multiple
24 | // aspects of the request.
25 | //
26 | // "Check" and "Next" need to be populated.
27 | type limitHandler struct {
28 | 	// The Check func inspects the request, and returns the semaphore to use and
29 | 	// the endpoint to use in metrics. If a nil is returned, the request is
30 | 	// allowed.
31 | 	Check func(*http.Request) (*semaphore.Weighted, string)
32 | 	// Next is the Handler to forward requests to, if allowed.
33 | 	Next http.Handler
34 | }
35 | 
36 | func (l *limitHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
37 | 	sem, endpt := l.Check(r)
38 | 	if sem != nil {
39 | 		if !sem.TryAcquire(1) {
40 | 			concurrentLimitedCounter.WithLabelValues(endpt, r.Method).Add(1)
41 | 			ctx := r.Context()
42 | 			zlog.Info(ctx).
43 | 				Str("remote_addr", r.RemoteAddr).
44 | 				Str("method", r.Method).
45 | 				Str("request_uri", r.RequestURI).
46 | 				Int("status", http.StatusTooManyRequests).
47 | 				Msg("rate limited HTTP request")
48 | 
49 | 			apiError(ctx, w, http.StatusTooManyRequests, "server handling too many requests")
50 | 		}
51 | 		defer sem.Release(1)
52 | 	}
53 | 	l.Next.ServeHTTP(w, r)
54 | }
55 | 


--------------------------------------------------------------------------------
/httptransport/concurrentlimit_test.go:
--------------------------------------------------------------------------------
 1 | package httptransport
 2 | 
 3 | import (
 4 | 	"context"
 5 | 	"net"
 6 | 	"net/http"
 7 | 	"net/http/httptest"
 8 | 	"sync"
 9 | 	"sync/atomic"
10 | 	"testing"
11 | 
12 | 	"github.com/quay/zlog"
13 | 	"golang.org/x/sync/semaphore"
14 | 
15 | 	"github.com/quay/clair/v4/internal/httputil"
16 | )
17 | 
18 | func TestConcurrentRequests(t *testing.T) {
19 | 	ctx := context.Background()
20 | 	ctx = zlog.Test(ctx, t)
21 | 	sem := semaphore.NewWeighted(1)
22 | 	// Ret controls when the http server returns.
23 | 	// Ready is strobed once the first request is seen.
24 | 	ret, ready := make(chan struct{}), make(chan struct{})
25 | 	ct := new(int64)
26 | 	var once sync.Once
27 | 	srv := httptest.NewUnstartedServer(&limitHandler{
28 | 		Check: func(_ *http.Request) (*semaphore.Weighted, string) {
29 | 			return sem, ""
30 | 		},
31 | 		Next: http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
32 | 			atomic.AddInt64(ct, 1)
33 | 			once.Do(func() { close(ready) })
34 | 			<-ret
35 | 			w.WriteHeader(http.StatusNoContent)
36 | 		}),
37 | 	})
38 | 	srv.Config.BaseContext = func(_ net.Listener) context.Context { return ctx }
39 | 	srv.Start()
40 | 	defer srv.Close()
41 | 	c := srv.Client()
42 | 
43 | 	done := make(chan struct{})
44 | 	req, err := httputil.NewRequestWithContext(ctx, http.MethodGet, srv.URL, nil)
45 | 	if err != nil {
46 | 		t.Fatal(err)
47 | 	}
48 | 	// Long-poll goroutine.
49 | 	go func() {
50 | 		defer close(done)
51 | 		res, err := c.Do(req)
52 | 		if err != nil {
53 | 			t.Error(err)
54 | 			return
55 | 		}
56 | 		defer res.Body.Close()
57 | 		if got, want := res.StatusCode, http.StatusNoContent; got != want {
58 | 			t.Errorf("got: %d, want: %d", got, want)
59 | 		}
60 | 	}()
61 | 
62 | 	// Wait for the above goroutine to hit the handler.
63 | 	<-ready
64 | 	for i := 0; i < 10; i++ {
65 | 		req, err := httputil.NewRequestWithContext(ctx, http.MethodGet, srv.URL, nil)
66 | 		if err != nil {
67 | 			t.Errorf("%d: %v", i, err)
68 | 		}
69 | 		res, err := c.Do(req)
70 | 		if err != nil {
71 | 			t.Errorf("%d: %v", i, err)
72 | 		}
73 | 		res.Body.Close()
74 | 		if got, want := res.StatusCode, http.StatusTooManyRequests; got != want {
75 | 			t.Errorf("got: %d, want: %d", got, want)
76 | 		}
77 | 	}
78 | 	close(ret)
79 | 	<-done
80 | 	if got, want := *ct, int64(1); got != want {
81 | 		t.Errorf("got: %d requests, want: %d requests", got, want)
82 | 	}
83 | }
84 | 


--------------------------------------------------------------------------------
/httptransport/discoveryhandler.go:
--------------------------------------------------------------------------------
 1 | package httptransport
 2 | 
 3 | import (
 4 | 	"bytes"
 5 | 	"context"
 6 | 	_ "embed" // for json and etag
 7 | 	"errors"
 8 | 	"io"
 9 | 	"net/http"
10 | 	"time"
11 | 
12 | 	"github.com/quay/zlog"
13 | 	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
14 | 
15 | 	"github.com/quay/clair/v4/internal/httputil"
16 | 	"github.com/quay/clair/v4/middleware/compress"
17 | )
18 | 
19 | //go:generate go run openapigen.go
20 | 
21 | var (
22 | 	//go:embed openapi.json
23 | 	openapiJSON []byte
24 | 	//go:embed openapi.etag
25 | 	openapiJSONEtag string
26 | )
27 | 
28 | // DiscoveryHandler serves the embedded OpenAPI spec.
29 | func DiscoveryHandler(_ context.Context, prefix string, topt otelhttp.Option) http.Handler {
30 | 	allow := []string{`application/json`, `application/vnd.oai.openapi+json`}
31 | 	// These functions are written back-to-front.
32 | 	var inner http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
33 | 		ctx := r.Context()
34 | 		if r.Method != http.MethodGet {
35 | 			apiError(ctx, w, http.StatusMethodNotAllowed, "endpoint only allows GET")
36 | 		}
37 | 		switch err := pickContentType(w, r, allow); {
38 | 		case errors.Is(err, nil):
39 | 		case errors.Is(err, ErrMediaType):
40 | 			apiError(ctx, w, http.StatusUnsupportedMediaType, "unable to negotiate common media type for %v", allow)
41 | 		default:
42 | 			apiError(ctx, w, http.StatusInternalServerError, "unexpected error: %v", err)
43 | 		}
44 | 		w.Header().Set("etag", openapiJSONEtag)
45 | 		var err error
46 | 		defer writerError(w, &err)()
47 | 		_, err = io.Copy(w, bytes.NewReader(openapiJSON))
48 | 	})
49 | 	inner = otelhttp.NewHandler(
50 | 		compress.Handler(discoverywrapper.wrap(prefix, inner)),
51 | 		"discovery",
52 | 		otelhttp.WithMessageEvents(otelhttp.ReadEvents, otelhttp.WriteEvents),
53 | 		topt,
54 | 	)
55 | 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
56 | 		start := time.Now()
57 | 		r = withRequestID(r)
58 | 		ctx := r.Context()
59 | 		var status int
60 | 		var length int64
61 | 		w = httputil.ResponseRecorder(&status, &length, w)
62 | 		defer func() {
63 | 			switch err := http.NewResponseController(w).Flush(); {
64 | 			case errors.Is(err, nil):
65 | 			case errors.Is(err, http.ErrNotSupported):
66 | 				// Skip
67 | 			default:
68 | 				zlog.Warn(ctx).
69 | 					Err(err).
70 | 					Msg("unable to flush http response")
71 | 			}
72 | 			zlog.Info(ctx).
73 | 				Str("remote_addr", r.RemoteAddr).
74 | 				Str("method", r.Method).
75 | 				Str("request_uri", r.RequestURI).
76 | 				Int("status", status).
77 | 				Int64("written", length).
78 | 				Dur("duration", time.Since(start)).
79 | 				Msg("handled HTTP request")
80 | 		}()
81 | 		inner.ServeHTTP(w, r)
82 | 	})
83 | }
84 | 
85 | func init() {
86 | 	discoverywrapper.init("discovery")
87 | }
88 | 
89 | var discoverywrapper wrapper
90 | 


--------------------------------------------------------------------------------
/httptransport/error.go:
--------------------------------------------------------------------------------
 1 | package httptransport
 2 | 
 3 | import (
 4 | 	"bytes"
 5 | 	"context"
 6 | 	"encoding/json"
 7 | 	"errors"
 8 | 	"fmt"
 9 | 	"net/http"
10 | 
11 | 	"github.com/quay/zlog"
12 | )
13 | 
14 | // StatusClientClosedRequest is a nonstandard HTTP status code used when the
15 | // client has gone away.
16 | //
17 | // This convention is cribbed from Nginx.
18 | const statusClientClosedRequest = 499
19 | 
20 | // ApiError writes an untyped (that is, "application/json") error with the
21 | // provided HTTP status code and message.
22 | //
23 | // ApiError does not return, but instead causes the goroutine to exit.
24 | func apiError(ctx context.Context, w http.ResponseWriter, code int, f string, v ...interface{}) {
25 | 	const errheader = `Clair-Error`
26 | 	disconnect := false
27 | 	select {
28 | 	case <-ctx.Done():
29 | 		disconnect = true
30 | 	default:
31 | 	}
32 | 	if ev := zlog.Debug(ctx); ev.Enabled() {
33 | 		ev.
34 | 			Bool("disconnect", disconnect).
35 | 			Int("code", code).
36 | 			Str("error", fmt.Sprintf(f, v...)).
37 | 			Msg("http error response")
38 | 	} else {
39 | 		ev.Send()
40 | 	}
41 | 	if disconnect {
42 | 		// Exit immediately if there's no client to read the response, anyway.
43 | 		w.WriteHeader(statusClientClosedRequest)
44 | 		panic(http.ErrAbortHandler)
45 | 	}
46 | 
47 | 	h := w.Header()
48 | 	h.Del("link")
49 | 	h.Set("content-type", "application/json")
50 | 	h.Set("x-content-type-options", "nosniff")
51 | 	h.Set("trailer", errheader)
52 | 	w.WriteHeader(code)
53 | 
54 | 	var buf bytes.Buffer
55 | 	buf.WriteString(`{"code":"`)
56 | 	switch code {
57 | 	case http.StatusBadRequest:
58 | 		buf.WriteString("bad-request")
59 | 	case http.StatusMethodNotAllowed:
60 | 		buf.WriteString("method-not-allowed")
61 | 	case http.StatusNotFound:
62 | 		buf.WriteString("not-found")
63 | 	case http.StatusTooManyRequests:
64 | 		buf.WriteString("too-many-requests")
65 | 	default:
66 | 		buf.WriteString("internal-error")
67 | 	}
68 | 	buf.WriteByte('"')
69 | 	if f != "" {
70 | 		buf.WriteString(`,"message":`)
71 | 		b, _ := json.Marshal(fmt.Sprintf(f, v...)) // OK use of encoding/json.
72 | 		buf.Write(b)
73 | 	}
74 | 	buf.WriteByte('}')
75 | 
76 | 	if _, err := buf.WriteTo(w); err != nil {
77 | 		h.Set(errheader, err.Error())
78 | 	}
79 | 	switch err := http.NewResponseController(w).Flush(); {
80 | 	case errors.Is(err, nil):
81 | 	case errors.Is(err, http.ErrNotSupported):
82 | 		// Skip
83 | 	default:
84 | 		zlog.Warn(ctx).
85 | 			Err(err).
86 | 			Msg("unable to flush http response")
87 | 	}
88 | 	panic(http.ErrAbortHandler)
89 | }
90 | 


--------------------------------------------------------------------------------
/httptransport/error_test.go:
--------------------------------------------------------------------------------
 1 | package httptransport
 2 | 
 3 | import (
 4 | 	"context"
 5 | 	"net/http"
 6 | 	"net/http/httptest"
 7 | 	"testing"
 8 | 
 9 | 	"github.com/quay/zlog"
10 | 
11 | 	"github.com/quay/clair/v4/internal/httputil"
12 | )
13 | 
14 | func TestClientDisconnect(t *testing.T) {
15 | 	var status int
16 | 	// Bunch of sequencing events:
17 | 	reqStart := make(chan struct{})
18 | 	reqDone := make(chan struct{})
19 | 	handlerDone := make(chan struct{})
20 | 
21 | 	// Server side:
22 | 	//	- Emit reqStart once the request is received.
23 | 	//	- Emit handlerDone once the request is done and "status" should be populated.
24 | 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
25 | 		defer func() { close(handlerDone) }()
26 | 		w = httputil.ResponseRecorder(&status, nil, w)
27 | 		ctx := zlog.Test(r.Context(), t) // The error handler emits logs.
28 | 		close(reqStart)
29 | 		<-ctx.Done()
30 | 		apiError(ctx, w, http.StatusOK, "hello from the handler")
31 | 	}))
32 | 	t.Cleanup(srv.Close)
33 | 
34 | 	ctx, done := context.WithCancel(context.Background())
35 | 	// Closing "done" will cancel the client connection.
36 | 	req, err := http.NewRequestWithContext(ctx, "GET", srv.URL+"/", nil)
37 | 	if err != nil {
38 | 		t.Fatal(err)
39 | 	}
40 | 	// Emit reqDone when the client connection is done.
41 | 	go func() {
42 | 		_, err = srv.Client().Do(req)
43 | 		close(reqDone)
44 | 	}()
45 | 
46 | 	<-reqStart
47 | 	done()
48 | 	<-reqDone
49 | 	t.Logf("got request error: %v", err)
50 | 	if err == nil {
51 | 		t.Error("expected non-nil error")
52 | 	}
53 | 
54 | 	<-handlerDone
55 | 	if got, want := status, statusClientClosedRequest; got != want {
56 | 		t.Errorf("bad status code recorded: got: %d, want: %d", got, want)
57 | 	}
58 | }
59 | 


--------------------------------------------------------------------------------
/httptransport/gone.go:
--------------------------------------------------------------------------------
1 | package httptransport
2 | 
3 | import "net/http"
4 | 
5 | var gone = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
6 | 	const msg = `{"code":"gone","message":"endpoint removed"}`
7 | 	http.Error(w, msg, http.StatusGone)
8 | })
9 | 


--------------------------------------------------------------------------------
/httptransport/instrumentation_test.go:
--------------------------------------------------------------------------------
 1 | package httptransport
 2 | 
 3 | import (
 4 | 	"context"
 5 | 	"fmt"
 6 | 	"net"
 7 | 	"net/http"
 8 | 	"net/http/httptest"
 9 | 	"strings"
10 | 	"testing"
11 | 
12 | 	"github.com/prometheus/client_golang/prometheus"
13 | 	"github.com/prometheus/client_golang/prometheus/testutil"
14 | 	"github.com/quay/zlog"
15 | )
16 | 
17 | func TestMetric(t *testing.T) {
18 | 	ctx := zlog.Test(context.Background(), t)
19 | 	want := strings.NewReader(`
20 | # HELP clair_http_test_request_total A total count of http requests for the given path
21 | # TYPE clair_http_test_request_total counter
22 | clair_http_test_request_total{code="200",handler="ok",method="get"} 1
23 | clair_http_test_request_total{code="504",handler="err",method="get"} 1
24 | clair_http_test_request_total{code="500",handler="err",method="get"} 1
25 | `)
26 | 
27 | 	reg := prometheus.NewRegistry()
28 | 	var wr wrapper
29 | 	wr.initRegisterer("test", reg)
30 | 	m := http.NewServeMux()
31 | 	m.Handle("/ok",
32 | 		wr.wrapFunc("ok", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
33 | 			fmt.Fprintln(w, "ok")
34 | 		})))
35 | 	m.Handle("/err",
36 | 		wr.wrapFunc("err", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
37 | 			if err := r.ParseForm(); err != nil {
38 | 				panic(err)
39 | 			}
40 | 			if r.Form.Has("panic") {
41 | 				panic("we're just normal men")
42 | 			}
43 | 			apiError(r.Context(), w, http.StatusGatewayTimeout, "expected error")
44 | 		})))
45 | 
46 | 	srv := httptest.NewUnstartedServer(m)
47 | 	srv.Config.BaseContext = func(_ net.Listener) context.Context { return ctx }
48 | 
49 | 	// Create a scope for doing the actual requests.
50 | 	//
51 | 	// Doing this and having the server teardown run synchronously should be
52 | 	// enough time to ensure the metrics are actually collected.
53 | 	func() {
54 | 		srv.Start()
55 | 		defer srv.Close()
56 | 
57 | 		c := srv.Client()
58 | 		for _, p := range []string{"ok", "err", "err?panic=1"} {
59 | 			u := srv.URL + "/" + p
60 | 			t.Logf("making request: %q", u)
61 | 			res, err := c.Get(u)
62 | 			if err != nil {
63 | 				t.Error(err)
64 | 			}
65 | 			t.Logf("got status: %q", res.Status)
66 | 		}
67 | 	}()
68 | 
69 | 	if err := testutil.GatherAndCompare(reg, want, "clair_http_test_request_total"); err != nil {
70 | 		t.Error(err)
71 | 	} else {
72 | 		t.Log("metrics OK")
73 | 	}
74 | }
75 | 


--------------------------------------------------------------------------------
/httptransport/openapi.etag:
--------------------------------------------------------------------------------
1 | "a16d4a25e54a4cfe7fbf4e234af1c7585e840fef19c4f84aba1e814233c3b281"


--------------------------------------------------------------------------------
/httptransport/openapigen.go:
--------------------------------------------------------------------------------
 1 | //go:build tools
 2 | // +build tools
 3 | 
 4 | // Openapigen is a script to take the OpenAPI YAML file, turn it into a JSON
 5 | // document, and write out files for use with the "embed" package.
 6 | package main
 7 | 
 8 | import (
 9 | 	"bytes"
10 | 	"crypto/sha256"
11 | 	"encoding/json"
12 | 	"flag"
13 | 	"fmt"
14 | 	"io"
15 | 	"log"
16 | 	"os"
17 | 	"path/filepath"
18 | 
19 | 	"gopkg.in/yaml.v3"
20 | )
21 | 
22 | func main() {
23 | 	inFile := flag.String("in", "../openapi.yaml", "input YAML file")
24 | 	outDir := flag.String("out", ".", "output directory")
25 | 	flag.Parse()
26 | 
27 | 	inF, err := os.Open(*inFile)
28 | 	if inF != nil {
29 | 		defer inF.Close()
30 | 	}
31 | 	if err != nil {
32 | 		log.Fatal(err)
33 | 	}
34 | 
35 | 	tmp := map[interface{}]interface{}{}
36 | 	if err := yaml.NewDecoder(inF).Decode(&tmp); err != nil {
37 | 		log.Fatal(err)
38 | 	}
39 | 	embed, err := json.Marshal(convert(tmp))
40 | 	if err != nil {
41 | 		log.Fatal(err)
42 | 	}
43 | 	ck := sha256.Sum256(embed)
44 | 
45 | 	outF, err := os.OpenFile(filepath.Join(*outDir, `openapi.json`), os.O_WRONLY|os.O_TRUNC|os.O_CREATE, 0644)
46 | 	if err != nil {
47 | 		log.Fatal(err)
48 | 	}
49 | 	defer outF.Close()
50 | 	if _, err := io.Copy(outF, bytes.NewReader(embed)); err != nil {
51 | 		log.Fatal(err)
52 | 	}
53 | 	outF, err = os.OpenFile(filepath.Join(*outDir, `openapi.etag`), os.O_WRONLY|os.O_TRUNC|os.O_CREATE, 0644)
54 | 	if err != nil {
55 | 		log.Fatal(err)
56 | 	}
57 | 	defer outF.Close()
58 | 	if _, err := fmt.Fprintf(outF, `"%x"`, ck); err != nil {
59 | 		log.Fatal(err)
60 | 	}
61 | }
62 | 
63 | // Convert yoinked from:
64 | // https://stackoverflow.com/questions/40737122/convert-yaml-to-json-without-struct/40737676#40737676
65 | func convert(i interface{}) interface{} {
66 | 	switch x := i.(type) {
67 | 	case map[interface{}]interface{}:
68 | 		m2 := map[string]interface{}{}
69 | 		for k, v := range x {
70 | 			m2[fmt.Sprint(k)] = convert(v)
71 | 		}
72 | 		return m2
73 | 	case []interface{}:
74 | 		for i, v := range x {
75 | 			x[i] = convert(v)
76 | 		}
77 | 	case map[string]interface{}:
78 | 		for k, v := range x {
79 | 			x[k] = convert(v)
80 | 		}
81 | 	}
82 | 	return i
83 | }
84 | 


--------------------------------------------------------------------------------
/httptransport/robotshandler.go:
--------------------------------------------------------------------------------
 1 | package httptransport
 2 | 
 3 | import (
 4 | 	"net/http"
 5 | 	"strings"
 6 | 	"time"
 7 | 
 8 | 	"github.com/quay/clair/v4/cmd"
 9 | )
10 | 
11 | var startup = time.Now()
12 | 
13 | const robotstxt = "User-agent: *\nDisallow: /\n"
14 | 
15 | // RobotsHandler provides a "robots.txt" endpoint.
16 | var robotsHandler http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
17 | 	h := w.Header()
18 | 	h.Set("X-Content-Type-Options", "nosniff")
19 | 	h.Set("Content-Type", "text/plain; charset=utf-8")
20 | 	h.Set("Cache-Control", "no-store")
21 | 	d := cmd.CommitDate
22 | 	if d.IsZero() {
23 | 		d = startup
24 | 	}
25 | 	http.ServeContent(w, r, "robots.txt", d, strings.NewReader(robotstxt))
26 | })
27 | 


--------------------------------------------------------------------------------
/httptransport/robotshandler_test.go:
--------------------------------------------------------------------------------
 1 | package httptransport
 2 | 
 3 | import (
 4 | 	"bytes"
 5 | 	"net/http"
 6 | 	"net/http/httptest"
 7 | 	"net/http/httputil"
 8 | 	"testing"
 9 | 
10 | 	"github.com/google/go-cmp/cmp"
11 | )
12 | 
13 | func TestRobotsTXT(t *testing.T) {
14 | 	r := httptest.NewRequest(http.MethodGet, "/robots.txt", nil)
15 | 	w := httptest.NewRecorder()
16 | 	robotsHandler.ServeHTTP(w, r)
17 | 	res, err := httputil.DumpResponse(w.Result(), false)
18 | 	if err != nil {
19 | 		t.Error(err)
20 | 	}
21 | 	t.Logf("response:\n%s", string(res))
22 | 
23 | 	if got, want := w.Body.Bytes(), []byte(robotstxt); !bytes.Equal(got, want) {
24 | 		t.Error(cmp.Diff(string(got), string(want)))
25 | 	}
26 | }
27 | 


--------------------------------------------------------------------------------
/httptransport/server_test.go:
--------------------------------------------------------------------------------
 1 | package httptransport
 2 | 
 3 | import (
 4 | 	"context"
 5 | 	"net"
 6 | 	"net/http"
 7 | 	"net/http/httptest"
 8 | 	"net/url"
 9 | 	"path"
10 | 	"testing"
11 | 
12 | 	"github.com/google/uuid"
13 | 	"github.com/quay/clair/config"
14 | 	"github.com/quay/claircore"
15 | 	"github.com/quay/claircore/libvuln/driver"
16 | 	"github.com/quay/zlog"
17 | 
18 | 	"github.com/quay/clair/v4/indexer"
19 | 	"github.com/quay/clair/v4/matcher"
20 | )
21 | 
22 | // TestUpdateEndpoints registers the handlers and tests that they're registered
23 | // at the correct endpoint.
24 | func TestUpdateEndpoints(t *testing.T) {
25 | 	m := &matcher.Mock{
26 | 		DeleteUpdateOperations_: func(context.Context, ...uuid.UUID) (int64, error) { return 0, nil },
27 | 		UpdateOperations_: func(context.Context, driver.UpdateKind, ...string) (map[string][]driver.UpdateOperation, error) {
28 | 			return nil, nil
29 | 		},
30 | 		LatestUpdateOperation_:  func(context.Context, driver.UpdateKind) (uuid.UUID, error) { return uuid.Nil, nil },
31 | 		LatestUpdateOperations_: func(context.Context, driver.UpdateKind) (map[string][]driver.UpdateOperation, error) { return nil, nil },
32 | 		UpdateDiff_:             func(context.Context, uuid.UUID, uuid.UUID) (*driver.UpdateDiff, error) { return nil, nil },
33 | 		Scan_:                   func(context.Context, *claircore.IndexReport) (*claircore.VulnerabilityReport, error) { return nil, nil },
34 | 	}
35 | 	i := &indexer.Mock{
36 | 		Index_: func(ctx context.Context, manifest *claircore.Manifest) (*claircore.IndexReport, error) {
37 | 			return nil, nil
38 | 		},
39 | 		IndexReport_: func(ctx context.Context, digest claircore.Digest) (*claircore.IndexReport, bool, error) {
40 | 			return nil, true, nil
41 | 		},
42 | 		State_: func(ctx context.Context) (string, error) { return "", nil },
43 | 		AffectedManifests_: func(ctx context.Context, vulns []claircore.Vulnerability) (*claircore.AffectedManifests, error) {
44 | 			return nil, nil
45 | 		},
46 | 	}
47 | 	ctx := zlog.Test(context.Background(), t)
48 | 	h, err := New(ctx, &config.Config{Mode: config.MatcherMode}, i, m, nil)
49 | 	if err != nil {
50 | 		t.Error(err)
51 | 	}
52 | 	srv := httptest.NewUnstartedServer(h)
53 | 	srv.Config.BaseContext = func(_ net.Listener) context.Context {
54 | 		return ctx
55 | 	}
56 | 	srv.Start()
57 | 	defer srv.Close()
58 | 	u, err := url.Parse(srv.URL)
59 | 	if err != nil {
60 | 		t.Error(err)
61 | 	}
62 | 	u.Path = path.Join(u.Path, UpdateOperationAPIPath, "")
63 | 	t.Log(u)
64 | 
65 | 	res, err := srv.Client().Get(u.String())
66 | 	if err != nil {
67 | 		t.Error(err)
68 | 	}
69 | 	if got, want := res.StatusCode, http.StatusOK; got != want {
70 | 		t.Errorf("got: %v, want: %v", got, want)
71 | 	}
72 | }
73 | 


--------------------------------------------------------------------------------
/indexer/mock.go:
--------------------------------------------------------------------------------
 1 | package indexer
 2 | 
 3 | import (
 4 | 	"context"
 5 | 
 6 | 	"github.com/quay/claircore"
 7 | )
 8 | 
 9 | var _ Service = (*Mock)(nil)
10 | 
11 | // Mock implements a mock indexer Service
12 | //
13 | // If a particular method is not provided an implementation to a constructed Mock
14 | // an "unexpected call" panic will occur.
15 | type Mock struct {
16 | 	Index_             func(ctx context.Context, manifest *claircore.Manifest) (*claircore.IndexReport, error)
17 | 	IndexReport_       func(ctx context.Context, digest claircore.Digest) (*claircore.IndexReport, bool, error)
18 | 	State_             func(ctx context.Context) (string, error)
19 | 	AffectedManifests_ func(ctx context.Context, vulns []claircore.Vulnerability) (*claircore.AffectedManifests, error)
20 | 	DeleteManifests_   func(context.Context, ...claircore.Digest) ([]claircore.Digest, error)
21 | }
22 | 
23 | func (i *Mock) Index(ctx context.Context, manifest *claircore.Manifest) (*claircore.IndexReport, error) {
24 | 	if i.Index_ == nil {
25 | 		panic("mock indexer: unexpected call to Index")
26 | 	}
27 | 	return i.Index_(ctx, manifest)
28 | }
29 | 
30 | func (i *Mock) IndexReport(ctx context.Context, digest claircore.Digest) (*claircore.IndexReport, bool, error) {
31 | 	if i.IndexReport_ == nil {
32 | 		panic("mock indexer: unexpected call to IndexReport")
33 | 	}
34 | 	return i.IndexReport_(ctx, digest)
35 | }
36 | 
37 | func (i *Mock) State(ctx context.Context) (string, error) {
38 | 	if i.State_ == nil {
39 | 		panic("mock indexer: unexpected call to State")
40 | 	}
41 | 	return i.State_(ctx)
42 | }
43 | 
44 | func (i *Mock) AffectedManifests(ctx context.Context, vulns []claircore.Vulnerability) (*claircore.AffectedManifests, error) {
45 | 	if i.AffectedManifests_ == nil {
46 | 		panic("mock indexer: unexpected call to AffectedManifests")
47 | 	}
48 | 	return i.AffectedManifests_(ctx, vulns)
49 | }
50 | 
51 | func (i *Mock) DeleteManifests(ctx context.Context, d ...claircore.Digest) ([]claircore.Digest, error) {
52 | 	if i.DeleteManifests_ == nil {
53 | 		panic("mock indexer: unexpected call to DeleteManifests")
54 | 	}
55 | 	return i.DeleteManifests_(ctx, d...)
56 | }
57 | 


--------------------------------------------------------------------------------
/indexer/service.go:
--------------------------------------------------------------------------------
 1 | package indexer
 2 | 
 3 | import (
 4 | 	"context"
 5 | 
 6 | 	"github.com/quay/claircore"
 7 | )
 8 | 
 9 | // Service is an aggregate interface wrapping claircore.Libindex functionality.
10 | //
11 | // Implementation may use a local instance of claircore.Libindex or a remote
12 | // instance via http or grpc client.
13 | type Service interface {
14 | 	Indexer
15 | 	Reporter
16 | 	Stater
17 | 	Affected
18 | }
19 | 
20 | // StateReporter is an aggregate interface providing both a Reporter and
21 | // a Stater method set
22 | type StateReporter interface {
23 | 	Reporter
24 | 	Stater
25 | }
26 | 
27 | // StateIndexer is an aggregate interface providing both a Indexer
28 | // and a Stater method set
29 | type StateIndexer interface {
30 | 	Indexer
31 | 	Stater
32 | }
33 | 
34 | // Indexer is an interface for computing a IndexReport given a Manifest.
35 | type Indexer interface {
36 | 	Index(ctx context.Context, manifest *claircore.Manifest) (*claircore.IndexReport, error)
37 | 	DeleteManifests(context.Context, ...claircore.Digest) ([]claircore.Digest, error)
38 | }
39 | 
40 | // Reporter is an interface for retreiving an IndexReport given a manifest digest.
41 | type Reporter interface {
42 | 	IndexReport(ctx context.Context, digest claircore.Digest) (*claircore.IndexReport, bool, error)
43 | }
44 | 
45 | // Stater is an interface which provides a unique token symbolizing a Clair's state.
46 | type Stater interface {
47 | 	State(ctx context.Context) (string, error)
48 | }
49 | 
50 | // Affected is an interface for reporting the manifests affected by a set of vulnerabilities.
51 | type Affected interface {
52 | 	AffectedManifests(ctx context.Context, vulns []claircore.Vulnerability) (*claircore.AffectedManifests, error)
53 | }
54 | 


--------------------------------------------------------------------------------
/initialize/auto/auto.go:
--------------------------------------------------------------------------------
 1 | // Package auto does automatic detection and runtime configuration for certain
 2 | // environments.
 3 | //
 4 | // All top-level functions are not safe to call concurrently.
 5 | package auto
 6 | 
 7 | import (
 8 | 	"context"
 9 | 
10 | 	"github.com/quay/zlog"
11 | )
12 | 
13 | var msgs = []func(context.Context){}
14 | 
15 | func init() {
16 | 	CPU()
17 | 	Memory()
18 | 	Profiling()
19 | }
20 | 
21 | // PrintLogs uses zlog to report any messages queued up from the runs of
22 | // functions since the last call to PrintLogs.
23 | func PrintLogs(ctx context.Context) {
24 | 	for _, f := range msgs {
25 | 		f(ctx)
26 | 	}
27 | 	msgs = msgs[:0]
28 | }
29 | 
30 | // DebugLog is a helper to log static strings.
31 | func debugLog(m string) {
32 | 	msgs = append(msgs, func(ctx context.Context) {
33 | 		zlog.Debug(ctx).Msg(m)
34 | 	})
35 | }
36 | 
37 | // InfoLog is a helper to log static strings.
38 | func infoLog(m string) {
39 | 	msgs = append(msgs, func(ctx context.Context) {
40 | 		zlog.Info(ctx).Msg(m)
41 | 	})
42 | }
43 | 


--------------------------------------------------------------------------------
/initialize/auto/auto_test.go:
--------------------------------------------------------------------------------
 1 | package auto
 2 | 
 3 | import (
 4 | 	"os"
 5 | 	"testing"
 6 | )
 7 | 
 8 | func TestMain(m *testing.M) {
 9 | 	// Reset the logging slice, as the init function will have triggered and
10 | 	// written things into it.
11 | 	msgs = msgs[:0]
12 | 	os.Exit(m.Run())
13 | }
14 | 


--------------------------------------------------------------------------------
/initialize/auto/cpu.go:
--------------------------------------------------------------------------------
1 | //go:build !linux
2 | // +build !linux
3 | 
4 | package auto
5 | 
6 | // CPU is a no-op on this platform.
7 | func CPU() {}
8 | 


--------------------------------------------------------------------------------
/initialize/auto/memory.go:
--------------------------------------------------------------------------------
1 | //go:build !linux || (linux && !go1.19)
2 | 
3 | package auto
4 | 
5 | // Memory is a no-op on this platform.
6 | func Memory() {}
7 | 


--------------------------------------------------------------------------------
/initialize/auto/memory_linux_test.go:
--------------------------------------------------------------------------------
  1 | //go:build linux && go1.19
  2 | 
  3 | package auto
  4 | 
  5 | import (
  6 | 	"context"
  7 | 	"fmt"
  8 | 	"testing"
  9 | 	"testing/fstest"
 10 | 
 11 | 	"github.com/quay/zlog"
 12 | )
 13 | 
 14 | type memTestcase struct {
 15 | 	In   fstest.MapFS
 16 | 	Err  error
 17 | 	Name string
 18 | 	Want int64
 19 | }
 20 | 
 21 | func (tc memTestcase) Run(ctx context.Context, t *testing.T) {
 22 | 	t.Helper()
 23 | 	t.Run(tc.Name, func(t *testing.T) {
 24 | 		t.Helper()
 25 | 		ctx := zlog.Test(ctx, t)
 26 | 		lim, err := memLookup(tc.In)
 27 | 		if err != tc.Err {
 28 | 			t.Error(err)
 29 | 		}
 30 | 		if got, want := lim, tc.Want; tc.Err == nil && got != want {
 31 | 			t.Errorf("got: %v, want: %v", got, want)
 32 | 		}
 33 | 		PrintLogs(ctx)
 34 | 	})
 35 | }
 36 | 
 37 | func TestMemoryDetection(t *testing.T) {
 38 | 	const (
 39 | 		limInt   = 268435456
 40 | 		noLimInt = -1
 41 | 	)
 42 | 	var (
 43 | 		lim   = &fstest.MapFile{Data: []byte(fmt.Sprintln(limInt))}
 44 | 		noLim = &fstest.MapFile{Data: []byte(fmt.Sprintln(noLimInt))}
 45 | 	)
 46 | 	ctx := zlog.Test(context.Background(), t)
 47 | 	t.Run("V1", func(t *testing.T) {
 48 | 		tt := []memTestcase{
 49 | 			{
 50 | 				Name: "NoLimit",
 51 | 				In: fstest.MapFS{
 52 | 					"proc/self/cgroup": cgv1,
 53 | 					"sys/fs/cgroup/memory/user.slice/user-1000.slice/session-4.scope/memory.limit_in_bytes": noLim,
 54 | 				},
 55 | 				Want: noLimInt,
 56 | 			},
 57 | 			{
 58 | 				Name: "RootFallback",
 59 | 				In: fstest.MapFS{
 60 | 					"proc/self/cgroup":                           cgv1,
 61 | 					"sys/fs/cgroup/memory/memory.limit_in_bytes": noLim,
 62 | 				},
 63 | 				Want: noLimInt,
 64 | 			},
 65 | 			{
 66 | 				Name: "256MiB",
 67 | 				In: fstest.MapFS{
 68 | 					"proc/self/cgroup": cgv1,
 69 | 					"sys/fs/cgroup/memory/user.slice/user-1000.slice/session-4.scope/memory.limit_in_bytes": lim,
 70 | 				},
 71 | 				Want: limInt,
 72 | 			},
 73 | 		}
 74 | 		ctx := zlog.Test(ctx, t)
 75 | 		for _, tc := range tt {
 76 | 			tc.Run(ctx, t)
 77 | 		}
 78 | 	})
 79 | 	t.Run("V2", func(t *testing.T) {
 80 | 		tt := []memTestcase{
 81 | 			{
 82 | 				Name: "NoLimit",
 83 | 				In:   fstest.MapFS{"proc/self/cgroup": cgv2},
 84 | 				Want: noLimInt,
 85 | 			},
 86 | 			{
 87 | 				Name: "LimitMax",
 88 | 				In: fstest.MapFS{
 89 | 					"proc/self/cgroup": cgv2,
 90 | 					"sys/fs/cgroup/memory.max": &fstest.MapFile{
 91 | 						Data: []byte("max\n"),
 92 | 					},
 93 | 				},
 94 | 				Want: setMax,
 95 | 			},
 96 | 			{
 97 | 				Name: "256MiB",
 98 | 				In: fstest.MapFS{
 99 | 					"proc/self/cgroup":         cgv2,
100 | 					"sys/fs/cgroup/memory.max": lim,
101 | 				},
102 | 				Want: limInt,
103 | 			},
104 | 		}
105 | 		ctx := zlog.Test(ctx, t)
106 | 		for _, tc := range tt {
107 | 			tc.Run(ctx, t)
108 | 		}
109 | 	})
110 | }
111 | 


--------------------------------------------------------------------------------
/initialize/auto/profiling.go:
--------------------------------------------------------------------------------
 1 | package auto
 2 | 
 3 | import (
 4 | 	"context"
 5 | 	"fmt"
 6 | 	"os"
 7 | 	"runtime"
 8 | 	"strconv"
 9 | 	"strings"
10 | 	"time"
11 | 
12 | 	"github.com/quay/zlog"
13 | )
14 | 
15 | // Profiling enables block and mutex profiling.
16 | //
17 | // This function uses the magic environment variable "CLAIRDEBUG" to control the
18 | // values used. This escape hatch will go away in the future.
19 | func Profiling() {
20 | 	// Catch contention at a granularity of 1 microsecond.
21 | 	blockCur := 1000
22 | 	// Catch 1/10 mutex contention events.
23 | 	mutexCur := 10
24 | 	fromEnv := false
25 | 	if s, ok := os.LookupEnv(`CLAIRDEBUG`); ok {
26 | 		var err error
27 | 		for _, kv := range strings.Split(s, ",") {
28 | 			k, v, ok := strings.Cut(kv, "=")
29 | 			if !ok {
30 | 				continue
31 | 			}
32 | 			switch k {
33 | 			case "blockprofile":
34 | 				fromEnv = true
35 | 				blockCur, err = strconv.Atoi(v)
36 | 			case "mutexprofile":
37 | 				fromEnv = true
38 | 				mutexCur, err = strconv.Atoi(v)
39 | 			default:
40 | 			}
41 | 			if err != nil {
42 | 				panic(err)
43 | 			}
44 | 		}
45 | 	}
46 | 
47 | 	runtime.SetBlockProfileRate(blockCur)
48 | 	mutexPrev := runtime.SetMutexProfileFraction(mutexCur)
49 | 	msgs = append(msgs, func(ctx context.Context) {
50 | 		zlog.Info(ctx).
51 | 			Bool("from_env", fromEnv).
52 | 			Dur("block_rate", time.Duration(blockCur)*time.Nanosecond).
53 | 			Str("prev_mutex_frac", fmt.Sprintf("1/%d", mutexPrev)).
54 | 			Str("cur_mutex_frac", fmt.Sprintf("1/%d", mutexCur)).
55 | 			Msg("profiling rates configured")
56 | 	})
57 | }
58 | 


--------------------------------------------------------------------------------
/initialize/logging.go:
--------------------------------------------------------------------------------
 1 | package initialize
 2 | 
 3 | import (
 4 | 	"context"
 5 | 	"fmt"
 6 | 	"os"
 7 | 
 8 | 	"github.com/quay/clair/config"
 9 | 	"github.com/quay/zlog"
10 | 	"github.com/rs/zerolog"
11 | 	"github.com/rs/zerolog/log"
12 | )
13 | 
14 | // Logging configures zlog according to the provided configuration.
15 | func Logging(ctx context.Context, cfg *config.Config) error {
16 | 	l := zerolog.New(os.Stderr)
17 | 	switch cfg.LogLevel {
18 | 	case config.DebugColorLog:
19 | 		// set logger to use ConsoleWriter for colorized output
20 | 		l = l.Level(zerolog.DebugLevel).
21 | 			Output(zerolog.ConsoleWriter{Out: os.Stderr})
22 | 	case config.DebugLog:
23 | 		l = l.Level(zerolog.DebugLevel)
24 | 	case config.InfoLog:
25 | 		l = l.Level(zerolog.InfoLevel)
26 | 	case config.WarnLog:
27 | 		l = l.Level(zerolog.WarnLevel)
28 | 	case config.ErrorLog:
29 | 		l = l.Level(zerolog.ErrorLevel)
30 | 	case config.FatalLog:
31 | 		l = l.Level(zerolog.FatalLevel)
32 | 	case config.PanicLog:
33 | 		l = l.Level(zerolog.PanicLevel)
34 | 	default:
35 | 		return fmt.Errorf("unknown log level: %v", cfg.LogLevel)
36 | 	}
37 | 	l = l.With().
38 | 		Timestamp().
39 | 		Logger()
40 | 	zlog.Set(&l)
41 | 	log.Logger = zerolog.Nop()
42 | 	zlog.Debug(ctx).Str("component", "initialize/Logging").Msg("logging initialized")
43 | 	return nil
44 | }
45 | 


--------------------------------------------------------------------------------
/internal/codec/codec.go:
--------------------------------------------------------------------------------
 1 | // Package codec is a unified place for configuring and allocating JSON encoders
 2 | // and decoders.
 3 | package codec
 4 | 
 5 | import (
 6 | 	"io"
 7 | 	"sync"
 8 | 
 9 | 	"github.com/ugorji/go/codec"
10 | )
11 | 
12 | var jsonHandle codec.JsonHandle
13 | 
14 | func init() {
15 | 	// This is documented to cause "smart buffering".
16 | 	jsonHandle.WriterBufferSize = 4096
17 | 	jsonHandle.ReaderBufferSize = 4096
18 | 	// Force calling time.Time's Marshal function. This causes an allocation on
19 | 	// every time.Time value, but is the same behavior as the stdlib json
20 | 	// encoder. If we decide nulls are OK, this should get removed.
21 | 	jsonHandle.TimeNotBuiltin = true
22 | }
23 | 
24 | // Encoder and decoder pools, to reuse if possible.
25 | var (
26 | 	encPool = sync.Pool{
27 | 		New: func() interface{} {
28 | 			return codec.NewEncoder(nil, &jsonHandle)
29 | 		},
30 | 	}
31 | 	decPool = sync.Pool{
32 | 		New: func() interface{} {
33 | 			return codec.NewDecoder(nil, &jsonHandle)
34 | 		},
35 | 	}
36 | )
37 | 
38 | // Encoder encodes.
39 | type Encoder = codec.Encoder
40 | 
41 | // GetEncoder returns an encoder configured to write to w.
42 | func GetEncoder(w io.Writer) *Encoder {
43 | 	e := encPool.Get().(*Encoder)
44 | 	e.Reset(w)
45 | 	return e
46 | }
47 | 
48 | // PutEncoder returns an encoder to the pool.
49 | func PutEncoder(e *Encoder) {
50 | 	e.Reset(nil)
51 | 	encPool.Put(e)
52 | }
53 | 
54 | // Decoder decodes.
55 | type Decoder = codec.Decoder
56 | 
57 | // GetDecoder returns a decoder configured to read from r.
58 | func GetDecoder(r io.Reader) *Decoder {
59 | 	d := decPool.Get().(*Decoder)
60 | 	d.Reset(r)
61 | 	return d
62 | }
63 | 
64 | // PutDecoder returns a decoder to the pool.
65 | func PutDecoder(d *Decoder) {
66 | 	d.Reset(nil)
67 | 	decPool.Put(d)
68 | }
69 | 


--------------------------------------------------------------------------------
/internal/codec/codec_test.go:
--------------------------------------------------------------------------------
  1 | package codec
  2 | 
  3 | import (
  4 | 	"bytes"
  5 | 	"encoding/json"
  6 | 	"fmt"
  7 | 	"os"
  8 | 	"strings"
  9 | 	"testing"
 10 | 	"time"
 11 | 
 12 | 	"github.com/google/go-cmp/cmp"
 13 | )
 14 | 
 15 | func Example() {
 16 | 	enc := GetEncoder(os.Stdout)
 17 | 	defer PutEncoder(enc)
 18 | 	enc.MustEncode([]string{"a", "slice", "of", "strings"})
 19 | 	fmt.Fprintln(os.Stdout)
 20 | 	enc.MustEncode(nil)
 21 | 	fmt.Fprintln(os.Stdout)
 22 | 	enc.MustEncode(map[string]string{})
 23 | 	fmt.Fprintln(os.Stdout)
 24 | 	// Output: ["a","slice","of","strings"]
 25 | 	// null
 26 | 	// {}
 27 | }
 28 | 
 29 | func BenchmarkDecode(b *testing.B) {
 30 | 	b.ReportAllocs()
 31 | 	want := map[string]string{
 32 | 		"a": strings.Repeat(`A`, 2048),
 33 | 		"b": strings.Repeat(`B`, 2048),
 34 | 		"c": strings.Repeat(`C`, 2048),
 35 | 		"d": strings.Repeat(`D`, 2048),
 36 | 	}
 37 | 	got := make(map[string]string, len(want))
 38 | 	b.ResetTimer()
 39 | 
 40 | 	for i := 0; i < b.N; i++ {
 41 | 		dec := GetDecoder(JSONReader(want))
 42 | 		err := dec.Decode(&got)
 43 | 		PutDecoder(dec)
 44 | 		if err != nil {
 45 | 			b.Error(err)
 46 | 		}
 47 | 		if !cmp.Equal(got, want) {
 48 | 			b.Error(cmp.Diff(got, want))
 49 | 		}
 50 | 	}
 51 | }
 52 | 
 53 | func BenchmarkDecodeStdlib(b *testing.B) {
 54 | 	b.ReportAllocs()
 55 | 	want := map[string]string{
 56 | 		"a": strings.Repeat(`A`, 2048),
 57 | 		"b": strings.Repeat(`B`, 2048),
 58 | 		"c": strings.Repeat(`C`, 2048),
 59 | 		"d": strings.Repeat(`D`, 2048),
 60 | 	}
 61 | 	got := make(map[string]string, len(want))
 62 | 	b.ResetTimer()
 63 | 
 64 | 	for i := 0; i < b.N; i++ {
 65 | 		x, err := json.Marshal(want)
 66 | 		if err != nil {
 67 | 			b.Error(err)
 68 | 		}
 69 | 		if err := json.Unmarshal(x, &got); err != nil {
 70 | 			b.Error(err)
 71 | 		}
 72 | 		if !cmp.Equal(got, want) {
 73 | 			b.Error(cmp.Diff(got, want))
 74 | 		}
 75 | 	}
 76 | }
 77 | 
 78 | func TestTimeNotNull(t *testing.T) {
 79 | 	type s struct {
 80 | 		Time time.Time
 81 | 	}
 82 | 	var b bytes.Buffer
 83 | 	enc := GetEncoder(&b)
 84 | 	defer PutEncoder(enc)
 85 | 
 86 | 	// Example encoding of a populated time:
 87 | 	if err := enc.Encode(s{Time: time.Unix(0, 0).UTC()}); err != nil {
 88 | 		t.Error(err)
 89 | 	}
 90 | 	t.Log(b.String())
 91 | 	b.Reset()
 92 | 
 93 | 	// Now encode a zero time and make sure it's a string.
 94 | 	if err := enc.Encode(s{}); err != nil {
 95 | 		t.Error(err)
 96 | 	}
 97 | 	t.Log(b.String())
 98 | 	if strings.Contains(b.String(), "null") {
 99 | 		t.Error("wanted non-null encoding")
100 | 	}
101 | }
102 | 


--------------------------------------------------------------------------------
/internal/codec/reader.go:
--------------------------------------------------------------------------------
 1 | package codec
 2 | 
 3 | import "io"
 4 | 
 5 | // JSONReader returns an io.ReadCloser backed by a pipe being fed by a JSON
 6 | // encoder.
 7 | func JSONReader(v interface{}) io.ReadCloser {
 8 | 	r, w := io.Pipe()
 9 | 	// This unsupervised goroutine should be fine, because the writer will error
10 | 	// once the reader is closed.
11 | 	go func() {
12 | 		enc := GetEncoder(w)
13 | 		defer PutEncoder(enc)
14 | 		defer w.Close()
15 | 		if err := enc.Encode(v); err != nil {
16 | 			w.CloseWithError(err)
17 | 		}
18 | 	}()
19 | 	return r
20 | }
21 | 


--------------------------------------------------------------------------------
/internal/httputil/client.go:
--------------------------------------------------------------------------------
 1 | package httputil
 2 | 
 3 | import (
 4 | 	"context"
 5 | 	"fmt"
 6 | 	"io"
 7 | 	"net"
 8 | 	"net/http"
 9 | 	"net/http/cookiejar"
10 | 	"os"
11 | 	"path/filepath"
12 | 	"strings"
13 | 	"syscall"
14 | 
15 | 	"golang.org/x/net/publicsuffix"
16 | 
17 | 	"github.com/quay/clair/v4/cmd"
18 | )
19 | 
20 | // NewClient constructs an [http.Client] that disallows access to public
21 | // networks, controlled by the localOnly flag.
22 | //
23 | // If disallowed, the reported error will be a [*net.AddrError] with the "Err"
24 | // value of "disallowed by policy".
25 | func NewClient(ctx context.Context, localOnly bool) (*http.Client, error) {
26 | 	tr := http.DefaultTransport.(*http.Transport).Clone()
27 | 	dialer := &net.Dialer{}
28 | 	// Set a control function if we're restricting subnets.
29 | 	if localOnly {
30 | 		dialer.Control = ctlLocalOnly
31 | 	}
32 | 	tr.DialContext = dialer.DialContext
33 | 
34 | 	jar, err := cookiejar.New(&cookiejar.Options{
35 | 		PublicSuffixList: publicsuffix.List,
36 | 	})
37 | 	if err != nil {
38 | 		return nil, err
39 | 	}
40 | 	return &http.Client{
41 | 		Transport: tr,
42 | 		Jar:       jar,
43 | 	}, nil
44 | }
45 | 
46 | func ctlLocalOnly(network, address string, _ syscall.RawConn) error {
47 | 	// Future-proof for QUIC by allowing UDP here.
48 | 	if !strings.HasPrefix(network, "tcp") && !strings.HasPrefix(network, "udp") {
49 | 		return &net.AddrError{
50 | 			Addr: network + "!" + address,
51 | 			Err:  "disallowed by policy",
52 | 		}
53 | 	}
54 | 	host, _, err := net.SplitHostPort(address)
55 | 	if err != nil {
56 | 		return &net.AddrError{
57 | 			Addr: network + "!" + address,
58 | 			Err:  "martian address",
59 | 		}
60 | 	}
61 | 	addr := net.ParseIP(host)
62 | 	if addr == nil {
63 | 		return &net.AddrError{
64 | 			Addr: network + "!" + address,
65 | 			Err:  "martian address",
66 | 		}
67 | 	}
68 | 	if !addr.IsPrivate() &&
69 | 		!addr.IsLoopback() &&
70 | 		!addr.IsLinkLocalUnicast() {
71 | 		return &net.AddrError{
72 | 			Addr: network + "!" + address,
73 | 			Err:  "disallowed by policy",
74 | 		}
75 | 	}
76 | 	return nil
77 | }
78 | 
79 | // NewRequestWithContext is a wrapper around [http.NewRequestWithContext] that
80 | // sets some defaults in the returned request.
81 | func NewRequestWithContext(ctx context.Context, method, url string, body io.Reader) (*http.Request, error) {
82 | 	// The one OK use of the normal function.
83 | 	req, err := http.NewRequestWithContext(ctx, method, url, body)
84 | 	if err != nil {
85 | 		return nil, err
86 | 	}
87 | 	p, err := os.Executable()
88 | 	if err != nil {
89 | 		p = `clair?`
90 | 	} else {
91 | 		p = filepath.Base(p)
92 | 	}
93 | 	req.Header.Set("user-agent", fmt.Sprintf("%s/%s", p, cmd.Version))
94 | 	return req, nil
95 | }
96 | 


--------------------------------------------------------------------------------
/internal/httputil/client_test.go:
--------------------------------------------------------------------------------
 1 | package httputil
 2 | 
 3 | import (
 4 | 	"errors"
 5 | 	"net"
 6 | 	"testing"
 7 | )
 8 | 
 9 | func TestLocalOnly(t *testing.T) {
10 | 	tt := []struct {
11 | 		Network string
12 | 		Addr    string
13 | 		Err     *net.AddrError
14 | 	}{
15 | 		{
16 | 			Network: "tcp4",
17 | 			Addr:    "192.168.0.1:443",
18 | 			Err:     nil,
19 | 		},
20 | 		{
21 | 			Network: "tcp4",
22 | 			Addr:    "127.0.0.1:443",
23 | 			Err:     nil,
24 | 		},
25 | 		{
26 | 			Network: "tcp6",
27 | 			Addr:    "[fe80::]:443",
28 | 			Err:     nil,
29 | 		},
30 | 		{
31 | 			Network: "tcp4",
32 | 			Addr:    "8.8.8.8:443",
33 | 			Err: &net.AddrError{
34 | 				Addr: "tcp4!8.8.8.8:443",
35 | 				Err:  "disallowed by policy",
36 | 			},
37 | 		},
38 | 		{
39 | 			Network: "tcp6",
40 | 			Addr:    "[2000::]:443",
41 | 			Err: &net.AddrError{
42 | 				Addr: "tcp6![2000::]:443",
43 | 				Err:  "disallowed by policy",
44 | 			},
45 | 		},
46 | 	}
47 | 	for _, tc := range tt {
48 | 		t.Logf("%s!%s", tc.Network, tc.Addr)
49 | 		var nErr *net.AddrError
50 | 		got := ctlLocalOnly(tc.Network, tc.Addr, nil)
51 | 		if errors.As(got, &nErr) {
52 | 			if tc.Err.Err != nErr.Err || tc.Err.Addr != nErr.Addr {
53 | 				t.Errorf("got: %v, want: %v", got, tc.Err)
54 | 			}
55 | 		}
56 | 	}
57 | }
58 | 


--------------------------------------------------------------------------------
/internal/httputil/ratelimiter.go:
--------------------------------------------------------------------------------
 1 | package httputil
 2 | 
 3 | import (
 4 | 	"net/http"
 5 | 	"sync"
 6 | 
 7 | 	"golang.org/x/time/rate"
 8 | )
 9 | 
10 | // RateLimiter wraps the provided RoundTripper with a limiter allowing 10
11 | // requests/second/host.
12 | //
13 | // It responds to HTTP 429 responses by automatically decreasing the rate.
14 | func RateLimiter(next http.RoundTripper) http.RoundTripper {
15 | 	return &ratelimiter{
16 | 		rt: next,
17 | 		lm: sync.Map{},
18 | 	}
19 | }
20 | 
21 | // Ratelimiter implements the limiting by using a concurrent map and Limiter
22 | // structs.
23 | type ratelimiter struct {
24 | 	lm sync.Map
25 | 	rt http.RoundTripper
26 | }
27 | 
28 | const rateCap = 10
29 | 
30 | // RoundTrip implements http.RoundTripper.
31 | func (r *ratelimiter) RoundTrip(req *http.Request) (*http.Response, error) {
32 | 	key := req.URL.Host
33 | 	li, ok := r.lm.Load(key)
34 | 	if !ok {
35 | 		// Limiter allows "rateCap" per sec, one at a time.
36 | 		l := rate.NewLimiter(rate.Limit(rateCap), 1)
37 | 		li, _ = r.lm.LoadOrStore(key, l)
38 | 	}
39 | 	l := li.(*rate.Limiter)
40 | 	if err := l.Wait(req.Context()); err != nil {
41 | 		return nil, err
42 | 	}
43 | 	res, err := r.rt.RoundTrip(req)
44 | 	// This seems to be the contract that http.Transport implements.
45 | 	if err != nil {
46 | 		return nil, err
47 | 	}
48 | 	switch res.StatusCode {
49 | 	case http.StatusOK:
50 | 		// Try increasing on OK.
51 | 		if lim := l.Limit(); lim < rateCap {
52 | 			l.SetLimit(lim + 1)
53 | 		}
54 | 	case http.StatusTooManyRequests:
55 | 		// Try to allow some requests, eventually.
56 | 		l.SetLimit(detune(l.Limit()))
57 | 	}
58 | 	return res, nil
59 | }
60 | 
61 | // Detune reduces the rate.
62 | func detune(in rate.Limit) rate.Limit {
63 | 	if in <= 1 {
64 | 		return in / 2
65 | 	}
66 | 	return in - 1
67 | }
68 | 


--------------------------------------------------------------------------------
/internal/httputil/ratelimiter_test.go:
--------------------------------------------------------------------------------
 1 | package httputil
 2 | 
 3 | import (
 4 | 	"net/http"
 5 | 	"net/http/httptest"
 6 | 	"sync"
 7 | 	"testing"
 8 | 	"time"
 9 | )
10 | 
11 | func TestRate(t *testing.T) {
12 | 	const nReq = 20
13 | 
14 | 	var wg sync.WaitGroup
15 | 	wg.Add(nReq)
16 | 	begin := make(chan struct{})
17 | 	var last struct {
18 | 		sync.Mutex
19 | 		t time.Time
20 | 	}
21 | 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
22 | 		last.Lock()
23 | 		last.t = time.Now()
24 | 		last.Unlock()
25 | 		w.WriteHeader(http.StatusOK)
26 | 	}))
27 | 	defer srv.Close()
28 | 	cl := srv.Client()
29 | 	cl.Transport = RateLimiter(cl.Transport)
30 | 
31 | 	for i := 0; i < nReq; i++ {
32 | 		go func() {
33 | 			defer wg.Done()
34 | 			<-begin
35 | 			res, err := cl.Get(srv.URL)
36 | 			if err != nil {
37 | 				t.Error(err)
38 | 				return
39 | 			}
40 | 			res.Body.Close()
41 | 		}()
42 | 	}
43 | 
44 | 	first := time.Now()
45 | 	close(begin)
46 | 	wg.Wait()
47 | 
48 | 	t.Logf("begin: %v", first)
49 | 	t.Logf("end:   %v", last.t)
50 | 	rate := nReq / last.t.Sub(first).Seconds()
51 | 	t.Logf("rate:  %v", rate)
52 | 
53 | 	if rate < (rateCap-1) || rate > (rateCap+1) {
54 | 		t.Error("rate outside acceptable bounds")
55 | 	}
56 | }
57 | 


--------------------------------------------------------------------------------
/internal/httputil/responserecorder.go:
--------------------------------------------------------------------------------
 1 | package httputil
 2 | 
 3 | import "net/http"
 4 | 
 5 | // ResponseRecorder returns a ResponseWriter that records the HTTP status and
 6 | // body length into the provided pointers, and returns another response writer
 7 | // that understand the go 1.20 http `Unwrap` scheme.
 8 | func ResponseRecorder(status *int, length *int64, w http.ResponseWriter) http.ResponseWriter {
 9 | 	// Handle nils being passed, just to be nice.
10 | 	if length == nil {
11 | 		length = new(int64)
12 | 	}
13 | 	if status == nil {
14 | 		status = new(int)
15 | 	}
16 | 	return &responseRecord{
17 | 		ResponseWriter: w,
18 | 		status:         status,
19 | 		length:         length,
20 | 	}
21 | }
22 | 
23 | var _ http.ResponseWriter = (*responseRecord)(nil)
24 | 
25 | type responseRecord struct {
26 | 	http.ResponseWriter
27 | 	status    *int
28 | 	length    *int64
29 | 	writecall bool
30 | }
31 | 
32 | func (r *responseRecord) Unwrap() http.ResponseWriter {
33 | 	return r.ResponseWriter
34 | }
35 | 
36 | func (r *responseRecord) WriteHeader(c int) {
37 | 	if r.writecall {
38 | 		return
39 | 	}
40 | 	*r.status = c
41 | 	r.ResponseWriter.WriteHeader(c)
42 | 	r.writecall = true
43 | }
44 | 
45 | func (r *responseRecord) Write(b []byte) (int, error) {
46 | 	r.WriteHeader(http.StatusOK)
47 | 	n, err := r.ResponseWriter.Write(b)
48 | 	*r.length += int64(n)
49 | 	return n, err
50 | }
51 | 


--------------------------------------------------------------------------------
/internal/httputil/responserecorder_test.go:
--------------------------------------------------------------------------------
 1 | package httputil
 2 | 
 3 | import (
 4 | 	"net/http"
 5 | 	"net/http/httptest"
 6 | 	"testing"
 7 | )
 8 | 
 9 | func TestResponseRecorder(t *testing.T) {
10 | 	t.Run("OK", func(t *testing.T) {
11 | 		var status int
12 | 		var length int64
13 | 
14 | 		rec := httptest.NewRecorder()
15 | 		w := ResponseRecorder(&status, &length, rec)
16 | 
17 | 		sz := 512
18 | 		if n, err := w.Write(make([]byte, sz)); err != nil || n != sz {
19 | 			t.Errorf("unexpected Write return: (%v, %v)", n, err)
20 | 		}
21 | 		t.Logf("wrote %d bytes, status %q", length, http.StatusText(status))
22 | 		if got, want := status, http.StatusOK; got != want {
23 | 			t.Errorf("bad status; got: %d, want: %d", got, want)
24 | 		}
25 | 		if got, want := length, int64(sz); got != want {
26 | 			t.Errorf("bad length; got: %d, want: %d", got, want)
27 | 		}
28 | 	})
29 | 
30 | 	t.Run("Error", func(t *testing.T) {
31 | 		var status int
32 | 		var length int64
33 | 		sc := http.StatusInternalServerError
34 | 
35 | 		rec := httptest.NewRecorder()
36 | 		w := ResponseRecorder(&status, &length, rec)
37 | 
38 | 		sz := 512
39 | 		w.WriteHeader(sc)
40 | 		if n, err := w.Write(make([]byte, sz)); err != nil || n != sz {
41 | 			t.Errorf("unexpected Write return: (%v, %v)", n, err)
42 | 		}
43 | 		t.Logf("wrote %d bytes, status %q", length, http.StatusText(status))
44 | 		if got, want := status, sc; got != want {
45 | 			t.Errorf("bad status; got: %d, want: %d", got, want)
46 | 		}
47 | 		if got, want := length, int64(sz); got != want {
48 | 			t.Errorf("bad length; got: %d, want: %d", got, want)
49 | 		}
50 | 	})
51 | }
52 | 


--------------------------------------------------------------------------------
/local-dev/clair/.gitignore:
--------------------------------------------------------------------------------
1 | quay.yaml
2 | 


--------------------------------------------------------------------------------
/local-dev/clair/config.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | log_level: debug-color
 3 | introspection_addr: ":8089"
 4 | http_listen_addr: ":6060"
 5 | updaters:
 6 |   sets:
 7 |     - ubuntu
 8 |     - debian
 9 |     - rhel-vex
10 |     - alpine
11 |     - osv
12 | auth:
13 |   psk:
14 |     key: 'c2VjcmV0'
15 |     iss:
16 |       - quay
17 |       - clairctl
18 | indexer:
19 |   connstring: host=clair-database user=clair dbname=indexer sslmode=disable
20 |   scanlock_retry: 10
21 |   layer_scan_concurrency: 5
22 |   migrations: true
23 | matcher:
24 |   indexer_addr: http://clair-indexer:6060/
25 |   connstring: host=clair-database user=clair dbname=matcher sslmode=disable
26 |   max_conn_pool: 100
27 |   migrations: true
28 | matchers: {}
29 | notifier:
30 |   indexer_addr: http://clair-indexer:6060/
31 |   matcher_addr: http://clair-matcher:6060/
32 |   connstring: host=clair-database user=clair dbname=notifier sslmode=disable
33 |   migrations: true
34 |   delivery_interval: 1m
35 |   poll_interval: 1m
36 |   webhook:
37 |     target: "http://webhook-target/"
38 |     callback: "http://clair-notifier:6060/notifier/api/v1/notification/"
39 |   # amqp:
40 |   #   direct: true
41 |   #   exchange:
42 |   #     name: ""
43 |   #     type: "direct"
44 |   #     durable: true
45 |   #     auto_delete: false
46 |   #   uris: ["amqp://guest:guest@clair-rabbitmq:5672/"]
47 |   #   routing_key: "notifications"
48 |   #   callback: "http://clair-notifier/notifier/api/v1/notification"
49 | # tracing and metrics config
50 | trace:
51 |   name: "otlp"
52 | #  probability: 1
53 |   otlp:
54 |     http:
55 |       endpoint: "clair-jaeger:4318"
56 |       insecure: true
57 | metrics:
58 |   name: "prometheus"
59 | 


--------------------------------------------------------------------------------
/local-dev/clair/config.yaml.d/.gitignore:
--------------------------------------------------------------------------------
1 | *
2 | !.gitignore
3 | 


--------------------------------------------------------------------------------
/local-dev/clair/init.sql:
--------------------------------------------------------------------------------
 1 | CREATE USER clair WITH PASSWORD 'clair';
 2 | CREATE USER quay WITH PASSWORD 'quay';
 3 | CREATE DATABASE indexer WITH OWNER clair;
 4 | CREATE DATABASE matcher WITH OWNER clair;
 5 | CREATE DATABASE notifier WITH OWNER clair;
 6 | CREATE DATABASE quay WITH OWNER quay;
 7 | \connect matcher
 8 | CREATE EXTENSION "uuid-ossp";
 9 | \connect notifier
10 | CREATE EXTENSION "uuid-ossp";
11 | \connect quay
12 | CREATE EXTENSION "pg_trgm";
13 | 


--------------------------------------------------------------------------------
/local-dev/clair/quay.yaml.d/.gitignore:
--------------------------------------------------------------------------------
1 | *
2 | !.gitignore
3 | 


--------------------------------------------------------------------------------
/local-dev/grafana/provisioning/dashboards/dashboard.yml:
--------------------------------------------------------------------------------
 1 | apiVersion: 1
 2 | 
 3 | providers:
 4 | - name: 'Prometheus'
 5 |   orgId: 1
 6 |   folder: ''
 7 |   type: file
 8 |   disableDeletion: false
 9 |   editable: true
10 |   options:
11 |     path: /etc/grafana/provisioning/dashboards


--------------------------------------------------------------------------------
/local-dev/grafana/provisioning/datasources/datasource.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | # config file version
 3 | apiVersion: 1
 4 | 
 5 | # list of datasources that should be deleted from the database
 6 | deleteDatasources:
 7 |   - name: Prometheus
 8 |     orgId: 1
 9 | 
10 | # list of datasources to insert/update depending
11 | # whats available in the database
12 | datasources:
13 |   # <string, required> name of the datasource. Required
14 | - name: Prometheus
15 |   # <string, required> datasource type. Required
16 |   type: prometheus
17 |   # <string, required> access mode. direct or proxy. Required
18 |   access: proxy
19 |   # <int> org id. will default to orgId 1 if not specified
20 |   orgId: 1
21 |   # <string> url
22 |   url: http://clair-prometheus:9090/prom/
23 |   # <bool> mark as default datasource. Max one per org
24 |   isDefault: true
25 |   version: 1
26 |   editable: false
27 | - name: Pyroscope
28 |   type: pyroscope-datasource
29 |   access: proxy
30 |   orgId: 1
31 |   url: http://clair-pyroscope:4040/
32 |   jsonData:
33 |     path: http://clair-pyroscope:4040/
34 |   editable: false
35 | - name: Jaeger
36 |   type: jaeger
37 |   access: proxy
38 |   orgId: 1
39 |   url: http://clair-jaeger:16686/jaeger/
40 |   editable: false
41 | 


--------------------------------------------------------------------------------
/local-dev/pgadmin/passfile.txt:
--------------------------------------------------------------------------------
1 | # hostname:port:database:username:password
2 | clair-database:5432:notifier:clair:clair
3 | clair-database:5432:matcher:clair:clair
4 | clair-database:5432:indexer:clair:clair
5 | 


--------------------------------------------------------------------------------
/local-dev/pgadmin/servers.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "Servers": {
 3 |         "1": {
 4 |             "Name": "clair",
 5 |             "Group": "Servers",
 6 |             "Port": 5432,
 7 |             "Username": "postgres",
 8 |             "Host": "clair-database",
 9 |             "SSLMode": "disable",
10 |             "MaintenanceDB": "postgres",
11 |             "PassFile": "/pgadmin4/config/passfile.txt"
12 |         }
13 |     }
14 | }
15 | 


--------------------------------------------------------------------------------
/local-dev/prometheus/prometheus.yml:
--------------------------------------------------------------------------------
 1 | # global config
 2 | ---
 3 | global:
 4 |   scrape_interval: 4s
 5 |   evaluation_interval: 30s
 6 |   # scrape_timeout is set to the global default (10s).
 7 | scrape_configs:
 8 |   - job_name: indexer
 9 |     metrics_path: "/metrics"
10 |     static_configs:
11 |       - targets: ['clair-indexer:8089']
12 | 
13 |   - job_name: matcher
14 |     metrics_path: "/metrics"
15 |     static_configs:
16 |       - targets: ['clair-matcher:8089']
17 | 
18 |   - job_name: clair-notifier
19 |     metrics_path: "/metrics"
20 |     static_configs:
21 |       - targets: ['clair-notifier:8089']
22 | 
23 |   - job_name: notifier
24 |     metrics_path: "/metrics"
25 |     static_configs:
26 |       - targets: ['notifier:8089']
27 | 
28 |   - job_name: indexer-quay
29 |     metrics_path: "/metrics"
30 |     static_configs:
31 |       - targets: ['indexer-quay:8089']
32 | 
33 | 


--------------------------------------------------------------------------------
/local-dev/pyroscope/server.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | analytics-opt-out: 'true'
 3 | base-url: /pyroscope
 4 | disable-pprof-endpoint: 'true'
 5 | scrape-configs:
 6 | - job-name: pyroscope
 7 |   scrape-interval: 10s
 8 |   scrape-timeout: 15s
 9 |   enabled-profiles: [cpu, mem, goroutines, mutex, block]
10 |   use-delta-profiles: true
11 |   static-configs:
12 |   - application: clair-indexer
13 |     spy-name: gospy
14 |     targets:
15 |       - clair-indexer:8089
16 |   - application: clair-matcher
17 |     spy-name: gospy
18 |     targets:
19 |       - clair-matcher:8089
20 | 


--------------------------------------------------------------------------------
/local-dev/quay/config.yaml:
--------------------------------------------------------------------------------
 1 | SUPER_USERS:
 2 | - admin
 3 | AUTHENTICATION_TYPE: Database
 4 | BUILDLOGS_REDIS:
 5 |   host: clair-redis
 6 |   port: 6379
 7 | DATABASE_SECRET_KEY: '30060361640793187613697366923211113205676925445650250274752125083971638376224'
 8 | DB_URI: postgresql://quay@clair-database/quay
 9 | DEFAULT_TAG_EXPIRATION: 2w
10 | DISTRIBUTED_STORAGE_CONFIG:
11 |   default:
12 |   - LocalStorage
13 |   - storage_path: /datastorage/registry
14 | DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
15 | DISTRIBUTED_STORAGE_PREFERENCE:
16 | - default
17 | ENTERPRISE_LOGO_URL: /static/img/quay-horizontal-color.svg
18 | EXTERNAL_TLS_TERMINATION: true
19 | FEATURE_ACI_CONVERSION: false
20 | FEATURE_ANONYMOUS_ACCESS: true
21 | FEATURE_APP_REGISTRY: false
22 | FEATURE_APP_SPECIFIC_TOKENS: true
23 | FEATURE_BUILD_SUPPORT: false
24 | FEATURE_CHANGE_TAG_EXPIRATION: true
25 | FEATURE_DIRECT_LOGIN: true
26 | FEATURE_MAILING: false
27 | FEATURE_PARTIAL_USER_AUTOCOMPLETE: true
28 | FEATURE_REPO_MIRROR: false
29 | FEATURE_REQUIRE_TEAM_INVITE: true
30 | FEATURE_RESTRICTED_V1_PUSH: false
31 | FEATURE_SECURITY_NOTIFICATIONS: true
32 | FEATURE_SECURITY_SCANNER: true
33 | FEATURE_USERNAME_CONFIRMATION: true
34 | FEATURE_USER_CREATION: true
35 | FEATURE_USER_LOG_ACCESS: true
36 | GITHUB_LOGIN_CONFIG: {}
37 | GITHUB_TRIGGER_CONFIG: {}
38 | GITLAB_TRIGGER_KIND: {}
39 | GPG2_PRIVATE_KEY_FILENAME: signing-private.gpg
40 | GPG2_PUBLIC_KEY_FILENAME: signing-public.gpg
41 | LOG_ARCHIVE_LOCATION: default
42 | MAIL_DEFAULT_SENDER: support@quay.io
43 | MAIL_PORT: 587
44 | MAIL_USE_TLS: true
45 | PREFERRED_URL_SCHEME: http
46 | REGISTRY_TITLE: Local Testing Quay
47 | REGISTRY_TITLE_SHORT: Test Quay
48 | REPO_MIRROR_SERVER_HOSTNAME: null
49 | REPO_MIRROR_TLS_VERIFY: true
50 | SECURITY_SCANNER_V4_ENDPOINT: http://clair-traefik:6060
51 | SECURITY_SCANNER_ISSUER_NAME: quay
52 | SECURITY_SCANNER_V4_PSK: 'c2VjcmV0'
53 | SERVER_HOSTNAME: clair-quay:8080
54 | SETUP_COMPLETE: true
55 | SIGNING_ENGINE: gpg2
56 | TAG_EXPIRATION_OPTIONS:
57 | - 0s
58 | - 1d
59 | - 1w
60 | - 2w
61 | - 4w
62 | TEAM_RESYNC_STALE_TIME: 60m
63 | TESTING: false
64 | USERFILES_LOCATION: default
65 | USERFILES_PATH: userfiles/
66 | USER_EVENTS_REDIS:
67 |   host: quay-redis
68 |   port: 6379
69 | USE_CDN: false
70 | 


--------------------------------------------------------------------------------
/local-dev/traefik/config/clair.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | http:
 3 |   routers:
 4 |     indexer:
 5 |       entryPoints: [clair]
 6 |       rule: 'PathPrefix(`/indexer`)'
 7 |       service: indexer
 8 |     matcher:
 9 |       entryPoints: [clair]
10 |       rule: 'PathPrefix(`/matcher`)'
11 |       service: matcher
12 |     notifier:
13 |       entryPoints: [clair]
14 |       rule: 'PathPrefix(`/notifier`)'
15 |       service: notifier
16 |   services:
17 |     indexer:
18 |       loadBalancer:
19 |         servers:
20 |         - url: "http://clair-indexer:6060/"
21 |         healthCheck:
22 |           path: /healthz
23 |           port: 8089
24 |     matcher:
25 |       loadBalancer:
26 |         servers:
27 |         - url: "http://clair-matcher:6060/"
28 |         healthCheck:
29 |           path: /healthz
30 |           port: 8089
31 |     notifier:
32 |       loadBalancer:
33 |         servers:
34 |         - url: "http://clair-notifier:6060/"
35 |         healthCheck:
36 |           path: /healthz
37 |           port: 8089
38 | 


--------------------------------------------------------------------------------
/local-dev/traefik/config/dashboard.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | http:
 3 |   routers:
 4 |     api:
 5 |       entryPoints: [traefik]
 6 |       rule: 'PathPrefix(`/api`) || PathPrefix(`/dashboard`)'
 7 |       service: 'api@internal'
 8 |     dashboard-redirect:
 9 |       entryPoints: [traefik]
10 |       rule: 'Path(`/`)'
11 |       middlewares: [dashboard-redirect]
12 |       service: 'api@internal'
13 |   middlewares:
14 |     dashboard-redirect:
15 |       redirectRegex:
16 |         regex: '.*'
17 |         replacement: '${1}/dashboard/'
18 | 


--------------------------------------------------------------------------------
/local-dev/traefik/config/grafana.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | http:
 3 |   routers:
 4 |     grafana:
 5 |       entryPoints: [traefik]
 6 |       rule: 'PathPrefix(`/grafana`)'
 7 |       service: grafana
 8 |   services:
 9 |     grafana:
10 |       loadBalancer:
11 |         servers:
12 |         - url: "http://clair-grafana:3000/"
13 |         healthCheck:
14 |           path: /grafana/api/health
15 | 


--------------------------------------------------------------------------------
/local-dev/traefik/config/jaeger.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | http:
 3 |   routers:
 4 |     jaeger:
 5 |       entryPoints: [traefik]
 6 |       rule: 'PathPrefix(`/jaeger`)'
 7 |       service: jaeger
 8 |   services:
 9 |     jaeger:
10 |       loadBalancer:
11 |         servers:
12 |         - url: "http://clair-jaeger:16686/"
13 |         healthCheck:
14 |           path: /
15 | 


--------------------------------------------------------------------------------
/local-dev/traefik/config/pgadmin.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | http:
 3 |   routers:
 4 |     pgadmin:
 5 |       entryPoints: [traefik]
 6 |       rule: 'PathPrefix(`/pgadmin`)'
 7 |       service: pgadmin
 8 |   services:
 9 |     pgadmin:
10 |       loadBalancer:
11 |         servers:
12 |         - url: "http://clair-pgadmin/"
13 |         healthCheck:
14 |           path: /pgadmin
15 | 


--------------------------------------------------------------------------------
/local-dev/traefik/config/postgresql.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | tcp:
 3 |   routers:
 4 |     postgresql:
 5 |       entryPoints: [postgresql]
 6 |       service: postgresql
 7 |       # Traefik docs say this hack is needed if not using TLS.
 8 |       rule: 'HostSNI(`*`)'
 9 |   services:
10 |     postgresql:
11 |       loadBalancer:
12 |         servers:
13 |           - address: 'clair-database:5432'
14 | 


--------------------------------------------------------------------------------
/local-dev/traefik/config/prom.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | http:
 3 |   routers:
 4 |     prom:
 5 |       entryPoints: [traefik]
 6 |       rule: 'PathPrefix(`/prom`)'
 7 |       service: prom
 8 |   services:
 9 |     prom:
10 |       loadBalancer:
11 |         servers:
12 |         - url: "http://clair-prometheus:9090/"
13 |         healthCheck:
14 |           path: /prom/-/healthy
15 | 


--------------------------------------------------------------------------------
/local-dev/traefik/config/pyroscope.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | http:
 3 |   routers:
 4 |     pyroscope:
 5 |       entryPoints: [traefik]
 6 |       rule: 'PathPrefix(`/pyroscope`)'
 7 |       service: pyroscope
 8 |       middlewares:
 9 |       - pyroscope-stripprefix
10 |   middlewares:
11 |     pyroscope-stripprefix:
12 |       stripPrefix:
13 |         prefixes:
14 |         - /pyroscope
15 |   services:
16 |     pyroscope:
17 |       loadBalancer:
18 |         servers:
19 |         - url: "http://clair-pyroscope:4040/"
20 |         healthCheck:
21 |           path: /
22 | 


--------------------------------------------------------------------------------
/local-dev/traefik/config/quay.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | http:
 3 |   routers:
 4 |     quay:
 5 |       entryPoints: [quay]
 6 |       rule: 'PathPrefix(`/`)'
 7 |       service: quay
 8 |     quay-api:
 9 |       entryPoints: [traefik]
10 |       rule: 'PathPrefix(`/v2`)'
11 |       service: quay
12 |   services:
13 |     quay:
14 |       loadBalancer:
15 |         passHostHeader: false
16 |         servers:
17 |         - url: "http://clair-quay:8080/"
18 |         healthCheck:
19 |           path: /health
20 |           port: 8080
21 | 


--------------------------------------------------------------------------------
/local-dev/traefik/config/rabbitmq.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | http:
 3 |   routers:
 4 |     rabbitmq:
 5 |       entryPoints: [traefik]
 6 |       rule: 'PathPrefix(`/rabbitmq`)'
 7 |       middlewares:
 8 |       - rewrite-api
 9 |       - rewrite
10 |       service: rabbitmq
11 |   services:
12 |     rabbitmq:
13 |       loadBalancer:
14 |         servers:
15 |         - url: "http://clair-rabbitmq:15672/"
16 |         healthCheck:
17 |           path: /
18 |   middlewares:
19 |     rewrite-api:
20 |       replacePathRegex:
21 |         regex: '^/rabbitmq/api/(.*?)/(.*)'
22 |         replacement: '/api/%2F/$2'
23 |     rewrite:
24 |       replacePathRegex:
25 |         regex: '^/rabbitmq/(.*)$'
26 |         replacement: '/$1'
27 | 


--------------------------------------------------------------------------------
/local-dev/traefik/traefik.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | global:
 3 |   sendAnonymousUsage: false
 4 | api:
 5 |   insecure: false
 6 |   dashboard: true
 7 | entryPoints:
 8 |   traefik:
 9 |     address: ':8080'
10 |   quay:
11 |     address: ':8443'
12 |   clair:
13 |     address: ':6060'
14 |   postgresql:
15 |     address: ':5432'
16 | providers:
17 |   file:
18 |     directory: /etc/traefik/config
19 | metrics:
20 |   prometheus:
21 |     addServicesLabels: true
22 | tracing:
23 |   otlp:
24 |     http:
25 |       endpoint: http://clair-jaeger:4318/v1/traces
26 | accessLog: {}
27 | 


--------------------------------------------------------------------------------
/matcher/service.go:
--------------------------------------------------------------------------------
 1 | package matcher
 2 | 
 3 | import (
 4 | 	"context"
 5 | 
 6 | 	"github.com/google/uuid"
 7 | 	"github.com/quay/claircore"
 8 | 	"github.com/quay/claircore/libvuln/driver"
 9 | )
10 | 
11 | // Service is an aggregate interface wrapping claircore.Libvuln functionality.
12 | //
13 | // Implementation may use a local instance of claircore.Libindex or a remote
14 | // instance via http or grpc client.
15 | type Service interface {
16 | 	Scanner
17 | 	Differ
18 | }
19 | 
20 | // Scanner is an interface providing a claircore.VulnerabilityReport given a claircore.IndexReport
21 | type Scanner interface {
22 | 	Initialized(context.Context) (bool, error)
23 | 	Scan(ctx context.Context, ir *claircore.IndexReport) (*claircore.VulnerabilityReport, error)
24 | }
25 | 
26 | // Differ is an interface providing information on update operations.
27 | type Differ interface {
28 | 	// DeleteUpdateOperations marks the provided refs as seen and processed.
29 | 	DeleteUpdateOperations(context.Context, ...uuid.UUID) (int64, error)
30 | 	// UpdateDiff reports the differences between the provided refs.
31 | 	//
32 | 	// "Prev" can be `uuid.Nil` to indicate "earliest known ref."
33 | 	UpdateDiff(_ context.Context, prev, cur uuid.UUID) (*driver.UpdateDiff, error)
34 | 	// UpdateOperations returns all the known UpdateOperations per updater.
35 | 	UpdateOperations(context.Context, driver.UpdateKind, ...string) (map[string][]driver.UpdateOperation, error)
36 | 	// LatestUpdateOperations returns the most recent UpdateOperation per updater.
37 | 	LatestUpdateOperations(context.Context, driver.UpdateKind) (map[string][]driver.UpdateOperation, error)
38 | 	// LatestUpdateOperation returns a ref for the most recent update operation
39 | 	// across all updaters.
40 | 	LatestUpdateOperation(context.Context, driver.UpdateKind) (uuid.UUID, error)
41 | }
42 | 


--------------------------------------------------------------------------------
/middleware/auth/handler.go:
--------------------------------------------------------------------------------
 1 | package auth
 2 | 
 3 | import (
 4 | 	"context"
 5 | 	"net/http"
 6 | 	"strings"
 7 | )
 8 | 
 9 | // Checker is an interface that reports whether the passed request should be
10 | // allowed to continue.
11 | type Checker interface {
12 | 	Check(context.Context, *http.Request) bool
13 | }
14 | 
15 | type handler struct {
16 | 	auth Checker
17 | 	next http.Handler
18 | }
19 | 
20 | func (h *handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
21 | 	if !h.auth.Check(r.Context(), r) {
22 | 		w.WriteHeader(http.StatusUnauthorized)
23 | 		return
24 | 	}
25 | 	h.next.ServeHTTP(w, r)
26 | }
27 | 
28 | // Handler returns a http.Handler that gates access to the passed Handler behind
29 | // the passed Checker.
30 | func Handler(h http.Handler, f ...Checker) http.Handler {
31 | 	r := &handler{
32 | 		auth: fail{},
33 | 		next: h,
34 | 	}
35 | 	if len(f) == 1 {
36 | 		r.auth = f[0]
37 | 	} else {
38 | 		r.auth = any(f)
39 | 	}
40 | 	return r
41 | }
42 | 
43 | // Any attempts all Checkers in order and reports true if any succeeds.
44 | type any []Checker
45 | 
46 | // Check implements Checker.
47 | func (a any) Check(ctx context.Context, r *http.Request) bool {
48 | 	for _, c := range a {
49 | 		if ok := c.Check(ctx, r); ok {
50 | 			return true
51 | 		}
52 | 	}
53 | 	return false
54 | }
55 | 
56 | // Fail is a Checker that always fails.
57 | type fail struct{}
58 | 
59 | // Check implements Checker.
60 | func (fail) Check(_ context.Context, _ *http.Request) bool { return false }
61 | 
62 | func fromHeader(r *http.Request) (string, bool) {
63 | 	hs, ok := r.Header["Authorization"]
64 | 	if !ok {
65 | 		return "", false
66 | 	}
67 | 	for _, h := range hs {
68 | 		if strings.HasPrefix(h, "Bearer ") {
69 | 			return strings.TrimPrefix(h, "Bearer "), true
70 | 		}
71 | 	}
72 | 	return "", false
73 | }
74 | 


--------------------------------------------------------------------------------
/middleware/auth/httpauth_psk.go:
--------------------------------------------------------------------------------
 1 | package auth
 2 | 
 3 | import (
 4 | 	"context"
 5 | 	"net/http"
 6 | 	"time"
 7 | 
 8 | 	"github.com/go-jose/go-jose/v3/jwt"
 9 | 	"github.com/quay/zlog"
10 | )
11 | 
12 | // PSK implements the AuthCheck interface.
13 | //
14 | // When Check is called the JWT on the incoming http request
15 | // will be validated against a pre-shared-key.
16 | type PSK struct {
17 | 	key []byte
18 | 	iss []string
19 | }
20 | 
21 | // NewPSK returns an instance of a PSK
22 | func NewPSK(key []byte, issuer []string) (*PSK, error) {
23 | 	return &PSK{
24 | 		key: key,
25 | 		iss: issuer,
26 | 	}, nil
27 | }
28 | 
29 | // Check implements AuthCheck
30 | func (p *PSK) Check(_ context.Context, r *http.Request) bool {
31 | 	ctx := zlog.ContextWithValues(r.Context(), "component", "middleware/auth/PSK.Check")
32 | 
33 | 	wt, ok := fromHeader(r)
34 | 	if !ok {
35 | 		zlog.Debug(ctx).Msg("failed to retrieve jwt from header")
36 | 		return false
37 | 	}
38 | 	tok, err := jwt.ParseSigned(wt)
39 | 	if err != nil {
40 | 		zlog.Debug(ctx).Err(err).Msg("failed to parse jwt")
41 | 		return false
42 | 	}
43 | 	cl := jwt.Claims{}
44 | 	if err := tok.Claims(p.key, &cl); err != nil {
45 | 		zlog.Debug(ctx).Err(err).Msg("failed to parse jwt")
46 | 		return false
47 | 	}
48 | 
49 | 	ctx = zlog.ContextWithValues(ctx, "iss", cl.Issuer)
50 | 	if err := cl.ValidateWithLeeway(jwt.Expected{
51 | 		Time: time.Now(),
52 | 	}, 15*time.Second); err != nil {
53 | 		zlog.Debug(ctx).Err(err).Msg("could not validate claims")
54 | 		return false
55 | 	}
56 | 
57 | 	for i, iss := range p.iss {
58 | 		if iss == cl.Issuer {
59 | 			break
60 | 		}
61 | 		if i == len(p.iss)-1 {
62 | 			zlog.Debug(ctx).Err(err).Msg("could not verify issuer")
63 | 			return false
64 | 		}
65 | 	}
66 | 
67 | 	return true
68 | }
69 | 


--------------------------------------------------------------------------------
/notifier/amqp/deliverer.go:
--------------------------------------------------------------------------------
  1 | package amqp
  2 | 
  3 | import (
  4 | 	"context"
  5 | 	"encoding/json"
  6 | 	"fmt"
  7 | 	"net/url"
  8 | 	"path"
  9 | 
 10 | 	"github.com/google/uuid"
 11 | 	"github.com/quay/clair/config"
 12 | 	amqp "github.com/rabbitmq/amqp091-go"
 13 | 
 14 | 	clairerror "github.com/quay/clair/v4/clair-error"
 15 | 	"github.com/quay/clair/v4/notifier"
 16 | )
 17 | 
 18 | // Deliverer is an AMQP deliverer which publishes a notifier.Callback to the
 19 | // the broker.
 20 | //
 21 | // It's an error to configure this deliverer with an Exchange that does not exist.
 22 | // Administrators should configure the Exchange, Queue, and Bindings before starting
 23 | // this deliverer.
 24 | type Deliverer struct {
 25 | 	callback   *url.URL
 26 | 	fo         failOver
 27 | 	routingKey string
 28 | 	exchange   config.Exchange
 29 | 	rollup     int
 30 | 	direct     bool
 31 | }
 32 | 
 33 | func New(conf *config.AMQP) (*Deliverer, error) {
 34 | 	var d Deliverer
 35 | 	if err := d.load(conf); err != nil {
 36 | 		return nil, err
 37 | 	}
 38 | 	return &d, nil
 39 | }
 40 | 
 41 | func (d *Deliverer) load(conf *config.AMQP) error {
 42 | 	var err error
 43 | 	if !conf.Direct {
 44 | 		d.callback, err = url.Parse(conf.Callback)
 45 | 		if err != nil {
 46 | 			return err
 47 | 		}
 48 | 	}
 49 | 	if conf.TLS != nil {
 50 | 		d.fo.tls, err = conf.TLS.Config()
 51 | 		if err != nil {
 52 | 			return err
 53 | 		}
 54 | 	}
 55 | 
 56 | 	// Copy everything else out of the config:
 57 | 	d.direct = conf.Direct
 58 | 	d.rollup = conf.Rollup
 59 | 	d.exchange = conf.Exchange
 60 | 	d.routingKey = conf.RoutingKey
 61 | 	d.fo.uris = make([]*url.URL, len(conf.URIs))
 62 | 	for i, u := range conf.URIs {
 63 | 		d.fo.uris[i], err = url.Parse(u)
 64 | 		if err != nil {
 65 | 			return err
 66 | 		}
 67 | 	}
 68 | 	d.fo.exchange = &d.exchange
 69 | 	return nil
 70 | }
 71 | 
 72 | func (d *Deliverer) Name() string {
 73 | 	return fmt.Sprintf("amqp-%s", d.exchange.Name)
 74 | }
 75 | 
 76 | func (d *Deliverer) Deliver(ctx context.Context, nID uuid.UUID) error {
 77 | 	conn, err := d.fo.Connection(ctx)
 78 | 	if err != nil {
 79 | 		return &clairerror.ErrDeliveryFailed{err}
 80 | 	}
 81 | 	defer conn.Close()
 82 | 
 83 | 	ch, err := conn.Channel()
 84 | 	if err != nil {
 85 | 		return &clairerror.ErrDeliveryFailed{err}
 86 | 	}
 87 | 	defer ch.Close()
 88 | 
 89 | 	callback := *d.callback
 90 | 	callback.Path = path.Join(callback.Path, nID.String())
 91 | 
 92 | 	cb := notifier.Callback{
 93 | 		NotificationID: nID,
 94 | 		Callback:       callback,
 95 | 	}
 96 | 	b, err := json.Marshal(&cb)
 97 | 	if err != nil {
 98 | 		return &clairerror.ErrDeliveryFailed{err}
 99 | 	}
100 | 	msg := amqp.Publishing{
101 | 		ContentType: "application/json",
102 | 		AppId:       "clairV4-notifier",
103 | 		Body:        b,
104 | 	}
105 | 	err = ch.Publish(
106 | 		d.exchange.Name,
107 | 		d.routingKey,
108 | 		false,
109 | 		false,
110 | 		msg,
111 | 	)
112 | 	if err != nil {
113 | 		return &clairerror.ErrDeliveryFailed{err}
114 | 	}
115 | 	return nil
116 | }
117 | 


--------------------------------------------------------------------------------
/notifier/amqp/doc.go:
--------------------------------------------------------------------------------
1 | // Package amqp implements a [Deliverer] over the AMQP protocol.
2 | //
3 | // Deprecated: This package will be removed in a future version. Users should
4 | // write a webhook to AMQP transducer.
5 | package amqp
6 | 


--------------------------------------------------------------------------------
/notifier/callback.go:
--------------------------------------------------------------------------------
 1 | package notifier
 2 | 
 3 | import (
 4 | 	"encoding/json"
 5 | 	"fmt"
 6 | 	"net/url"
 7 | 
 8 | 	"github.com/google/uuid"
 9 | )
10 | 
11 | // Callback holds the details for clients to call back the Notifier
12 | // and receive notifications.
13 | type Callback struct {
14 | 	NotificationID uuid.UUID `json:"notification_id"`
15 | 	Callback       url.URL   `json:"callback"`
16 | }
17 | 
18 | func (cb Callback) MarshalJSON() ([]byte, error) {
19 | 	var m = map[string]string{
20 | 		"notification_id": cb.NotificationID.String(),
21 | 		"callback":        cb.Callback.String(),
22 | 	}
23 | 	return json.Marshal(m)
24 | }
25 | 
26 | func (cb *Callback) UnmarshalJSON(b []byte) error {
27 | 	var m = make(map[string]string, 2)
28 | 	err := json.Unmarshal(b, &m)
29 | 	if err != nil {
30 | 		return err
31 | 	}
32 | 	if _, ok := m["notification_id"]; !ok {
33 | 		return fmt.Errorf("json unmarshal failed. webhook requires a \"notification_id\" field")
34 | 	}
35 | 	if _, ok := m["callback"]; !ok {
36 | 		return fmt.Errorf("json unmarshal failed. webhook requires a \"callback\" field")
37 | 	}
38 | 
39 | 	uid, err := uuid.Parse(m["notification_id"])
40 | 	if err != nil {
41 | 		return fmt.Errorf("json unmarshal failed. malformed notification uuid: %v", err)
42 | 	}
43 | 	cbURL, err := url.Parse(m["callback"])
44 | 	if err != nil {
45 | 		return fmt.Errorf("json unmarshal failed. malformed callback url: %v", err)
46 | 	}
47 | 
48 | 	(*cb).NotificationID = uid
49 | 	(*cb).Callback = *cbURL
50 | 	return nil
51 | }
52 | 


--------------------------------------------------------------------------------
/notifier/callback_test.go:
--------------------------------------------------------------------------------
 1 | package notifier
 2 | 
 3 | import (
 4 | 	"encoding/json"
 5 | 	"net/url"
 6 | 	"testing"
 7 | 
 8 | 	"github.com/google/go-cmp/cmp"
 9 | 	"github.com/google/uuid"
10 | )
11 | 
12 | func TestCallbackSerializtion(t *testing.T) {
13 | 	var want = []byte(`{"callback":"https://example.com","notification_id":"00000000-0000-0000-0000-000000000000"}`)
14 | 	cb := Callback{
15 | 		NotificationID: uuid.Nil,
16 | 	}
17 | 	u, err := url.Parse("https://example.com")
18 | 	if err != nil {
19 | 		t.Error(err)
20 | 	}
21 | 	cb.Callback = *u
22 | 	got, err := json.Marshal(&cb)
23 | 	if err != nil {
24 | 		t.Error(err)
25 | 	}
26 | 	if !cmp.Equal(got, want) {
27 | 		t.Error(cmp.Diff(got, want))
28 | 	}
29 | 
30 | 	var rt Callback
31 | 	if err := json.Unmarshal(want, &rt); err != nil {
32 | 		t.Error(err)
33 | 	}
34 | 	got, err = json.Marshal(&rt)
35 | 	if err != nil {
36 | 		t.Error(err)
37 | 	}
38 | 	if !cmp.Equal(got, want) {
39 | 		t.Error(cmp.Diff(got, want))
40 | 	}
41 | }
42 | 


--------------------------------------------------------------------------------
/notifier/deliverer.go:
--------------------------------------------------------------------------------
 1 | package notifier
 2 | 
 3 | import (
 4 | 	"context"
 5 | 
 6 | 	"github.com/google/uuid"
 7 | )
 8 | 
 9 | // Deliverer provides the method set for delivering notifications
10 | type Deliverer interface {
11 | 	// A unique name for the deliverer implementation
12 | 	Name() string
13 | 	// Deliver will push the notification ID to subscribed clients.
14 | 	//
15 | 	// If delivery fails a clairerror.ErrDeliveryFailed error must be returned.
16 | 	Deliver(ctx context.Context, nID uuid.UUID) error
17 | }
18 | 
19 | // DirectDeliverer implementations are used in coordination with the Deliverer interface.
20 | //
21 | // DirectDeliverer(s) expect this method to be called prior to their Deliverer methods.
22 | // Implementations must still implement both Deliverer and DirectDeliverer methods for correct use.
23 | //
24 | // Implementations will be provided a list of notifications in which they can directly deliver to subscribed
25 | // clients.
26 | type DirectDeliverer interface {
27 | 	Notifications(ctx context.Context, n []Notification) error
28 | }
29 | 


--------------------------------------------------------------------------------
/notifier/locker.go:
--------------------------------------------------------------------------------
 1 | package notifier
 2 | 
 3 | import "context"
 4 | 
 5 | // Locker is any context-based locking API.
 6 | type Locker interface {
 7 | 	TryLock(context.Context, string) (context.Context, context.CancelFunc)
 8 | 	Lock(context.Context, string) (context.Context, context.CancelFunc)
 9 | 	Close(context.Context) error
10 | }
11 | 


--------------------------------------------------------------------------------
/notifier/migrations/01-init.sql:
--------------------------------------------------------------------------------
 1 | --- an identity table for notifications
 2 | CREATE TABLE IF NOT EXISTS notification (
 3 |     id uuid PRIMARY KEY
 4 | );
 5 | 
 6 | --- a relation expressing the latest update operation
 7 | --- processed for a given updater name
 8 | CREATE TABLE IF NOT EXISTS notifier_update_operation (
 9 |     uo_id uuid PRIMARY KEY,
10 |     updater text,
11 |     ts timestamptz
12 | );
13 | 
14 | --- a relation mapping notifications to their serialized json bodies
15 | CREATE TABLE IF NOT EXISTS notification_body (
16 |     id uuid PRIMARY KEY,
17 |     notification_id uuid REFERENCES notification,
18 |     body jsonb NOT NULL -- serialized json body of notification
19 | );
20 | 
21 | CREATE INDEX notification_body_idx ON notification_body (notification_id, id);
22 | 
23 | --- an enumeration identifying the possible status a receipt may be in
24 | CREATE TYPE receiptstatus AS ENUM (
25 |     'created',
26 |     'delivered',
27 |     'delivery_failed',
28 |     'deleted'
29 | );
30 | 
31 | --- a relation expressing the current status of a notification
32 | --- this acts as a trigger for application business logic
33 | CREATE TABLE IF NOT EXISTS receipt (
34 |     notification_id uuid PRIMARY KEY REFERENCES notification,
35 |     uo_id uuid REFERENCES notifier_update_operation (uo_id),
36 |     status receiptstatus NOT NULL,
37 |     ts timestamptz,
38 |     details jsonb -- any additional details specific to the delivery mechanism
39 | );
40 | 
41 | CREATE INDEX receipt_idx ON receipt (notification_id, uo_id);
42 | 
43 | --- a relation holding a pub_key in PKIX, ASN.1 DER form
44 | --- expiration is application defined and not associated with the public key
45 | CREATE TABLE IF NOT EXISTS key (
46 |     id uuid PRIMARY KEY,
47 |     expiration timestamptz,
48 |     pub_key bytea
49 | );
50 | 
51 | 


--------------------------------------------------------------------------------
/notifier/migrations/02-constraints.sql:
--------------------------------------------------------------------------------
1 | ALTER TABLE notification_body
2 |     DROP CONSTRAINT notification_body_notification_id_fkey,
3 |     ADD CONSTRAINT notification_body_notification_id_fkey FOREIGN KEY (notification_id) REFERENCES notification (id) ON DELETE CASCADE;
4 | 
5 | 


--------------------------------------------------------------------------------
/notifier/migrations/03-constraints.sql:
--------------------------------------------------------------------------------
1 | ALTER TABLE receipt
2 |     DROP CONSTRAINT receipt_notification_id_fkey,
3 |     DROP CONSTRAINT receipt_uo_id_fkey,
4 |     ADD CONSTRAINT receipt_notification_id_fkey FOREIGN KEY (notification_id) REFERENCES notification (id) ON DELETE CASCADE,
5 |     ADD CONSTRAINT receipt_uo_id_fkey FOREIGN KEY (uo_id) REFERENCES notifier_update_operation (uo_id) ON DELETE CASCADE;
6 | 
7 | 


--------------------------------------------------------------------------------
/notifier/migrations/04-drop-key.sql:
--------------------------------------------------------------------------------
1 | -- Drop the key table, as all of its users have been removed.
2 | DROP TABLE key;
3 | 
4 | 


--------------------------------------------------------------------------------
/notifier/migrations/migrations.go:
--------------------------------------------------------------------------------
 1 | package migrations
 2 | 
 3 | import (
 4 | 	"database/sql"
 5 | 	"embed"
 6 | 
 7 | 	"github.com/remind101/migrate"
 8 | )
 9 | 
10 | //go:embed *.sql
11 | var fs embed.FS
12 | 
13 | func runFile(n string) func(*sql.Tx) error {
14 | 	b, err := fs.ReadFile(n)
15 | 	return func(tx *sql.Tx) error {
16 | 		if err != nil {
17 | 			return err
18 | 		}
19 | 		if _, err := tx.Exec(string(b)); err != nil {
20 | 			return err
21 | 		}
22 | 		return nil
23 | 	}
24 | }
25 | 
26 | const MigrationTable = "notifier_migrations"
27 | 
28 | var Migrations = []migrate.Migration{
29 | 	{
30 | 		ID: 1,
31 | 		Up: runFile("01-init.sql"),
32 | 	},
33 | 	{
34 | 		ID: 2,
35 | 		Up: runFile("02-constraints.sql"),
36 | 	},
37 | 	{
38 | 		ID: 3,
39 | 		Up: runFile("03-constraints.sql"),
40 | 	},
41 | 	// This can be uncommented once 4.4 is released and 4.1 is gone.
42 | 	/*
43 | 		{
44 | 			ID: 4,
45 | 			Up: runFile("04-drop-key.sql"),
46 | 		},
47 | 	*/
48 | }
49 | 


--------------------------------------------------------------------------------
/notifier/notification.go:
--------------------------------------------------------------------------------
 1 | package notifier
 2 | 
 3 | import (
 4 | 	"github.com/google/uuid"
 5 | 	"github.com/quay/claircore"
 6 | )
 7 | 
 8 | // Reason indicates the catalyst for a notification.
 9 | type Reason string
10 | 
11 | const (
12 | 	Added   Reason = "added"
13 | 	Removed Reason = "removed"
14 | 	Changed Reason = "changed"
15 | )
16 | 
17 | // Notification summarizes a change in the vulnerabilities affecting a manifest.
18 | //
19 | // The mentioned Vulnerability will be the most severe vulnerability discovered
20 | // in an update operation.
21 | //
22 | // Receiving clients are expected to filter notifications by severity in such a
23 | // way that they receive all vulnerabilities at or above a particular
24 | // claircore.Severity level.
25 | type Notification struct {
26 | 	ID            uuid.UUID        `json:"id"`
27 | 	Manifest      claircore.Digest `json:"manifest"`
28 | 	Reason        Reason           `json:"reason"`
29 | 	Vulnerability VulnSummary      `json:"vulnerability"`
30 | }
31 | 


--------------------------------------------------------------------------------
/notifier/notificationhandle.go:
--------------------------------------------------------------------------------
 1 | package notifier
 2 | 
 3 | import "github.com/google/uuid"
 4 | 
 5 | // NotificationHandle is a handle a client may use to
 6 | // retrieve a list of associated notification models
 7 | type NotificationHandle struct {
 8 | 	ID uuid.UUID `json:"id"`
 9 | }
10 | 


--------------------------------------------------------------------------------
/notifier/pager.go:
--------------------------------------------------------------------------------
 1 | package notifier
 2 | 
 3 | import (
 4 | 	"github.com/google/uuid"
 5 | )
 6 | 
 7 | // Page communicates a bare-minimum paging protocol with clients.
 8 | type Page struct {
 9 | 	// the next id to retrieve
10 | 	Next *uuid.UUID `json:"next,omitempty"`
11 | 	// the max number of elements returned in a page
12 | 	Size int `json:"size"`
13 | }
14 | 


--------------------------------------------------------------------------------
/notifier/postgres/notifications_test.go:
--------------------------------------------------------------------------------
 1 | package postgres
 2 | 
 3 | import (
 4 | 	"context"
 5 | 	"errors"
 6 | 	"math/rand"
 7 | 	"strconv"
 8 | 	"testing"
 9 | 
10 | 	"github.com/google/uuid"
11 | 	"github.com/jackc/pgx/v4"
12 | 	"github.com/quay/claircore/test"
13 | 	"github.com/quay/claircore/test/integration"
14 | 	"github.com/quay/zlog"
15 | 
16 | 	"github.com/quay/clair/v4/notifier"
17 | )
18 | 
19 | func TestNotificationCopy(t *testing.T) {
20 | 	integration.NeedDB(t)
21 | 	ctx := zlog.Test(context.Background(), t)
22 | 	for _, tc := range []notificationCopyTestcase{
23 | 		{Count: 1},
24 | 		{Count: 10},
25 | 		{Count: 100},
26 | 		{Count: 1000},
27 | 		{Count: 10000},
28 | 	} {
29 | 		tc.Setup(t)
30 | 		t.Run(strconv.Itoa(tc.Count), tc.Func(ctx))
31 | 	}
32 | }
33 | 
34 | type notificationCopyTestcase struct {
35 | 	Notifications []notifier.Notification
36 | 	Count         int
37 | }
38 | 
39 | func (n *notificationCopyTestcase) Setup(t testing.TB) {
40 | 	vs := test.GenUniqueVulnerabilities(n.Count, t.Name())
41 | 	ns := make([]notifier.Notification, len(vs))
42 | 	for i := range vs {
43 | 		n := &ns[i]
44 | 		n.Manifest = test.RandomSHA256Digest(t)
45 | 		switch rand.Intn(3) {
46 | 		case 0:
47 | 			n.Reason = notifier.Added
48 | 		case 1:
49 | 			n.Reason = notifier.Changed
50 | 		case 2:
51 | 			n.Reason = notifier.Removed
52 | 		}
53 | 		n.Vulnerability.FromVulnerability(vs[i])
54 | 	}
55 | 	n.Notifications = ns
56 | }
57 | 
58 | func (n notificationCopyTestcase) Func(ctx context.Context) func(*testing.T) {
59 | 	id := uuid.New()
60 | 	return func(t *testing.T) {
61 | 		ctx := zlog.Test(ctx, t)
62 | 		n.Setup(t)
63 | 		src := copyNotifications(&id, n.Notifications)
64 | 		s := TestingStore(ctx, t)
65 | 		tx, err := s.pool.Begin(ctx)
66 | 		if err != nil {
67 | 			t.Error(err)
68 | 		}
69 | 		defer func() {
70 | 			if err := tx.Rollback(ctx); err != nil && !errors.Is(err, pgx.ErrTxClosed) {
71 | 				t.Error(err)
72 | 			}
73 | 		}()
74 | 		tag, err := tx.Exec(ctx, `INSERT INTO notification (id) VALUES ($1);`, id)
75 | 		if err != nil {
76 | 			t.Error(err)
77 | 		}
78 | 		if got, want := int(tag.RowsAffected()), 1; got != want {
79 | 			t.Errorf("got: %d, want: %d", got, want)
80 | 		}
81 | 		ct, err := tx.CopyFrom(ctx, pgx.Identifier{"notification_body"}, src.Columns(), src)
82 | 		if err != nil {
83 | 			t.Error(err)
84 | 		}
85 | 		if got, want := int(ct), len(n.Notifications); got != want {
86 | 			t.Errorf("got: %d, want: %d", got, want)
87 | 		}
88 | 		if err := tx.Commit(ctx); err != nil {
89 | 			t.Error(err)
90 | 		}
91 | 	}
92 | }
93 | 


--------------------------------------------------------------------------------
/notifier/postgres/postgres_test.go:
--------------------------------------------------------------------------------
 1 | package postgres
 2 | 
 3 | import (
 4 | 	"os"
 5 | 	"testing"
 6 | 
 7 | 	"github.com/quay/claircore/test/integration"
 8 | )
 9 | 
10 | func TestMain(m *testing.M) {
11 | 	var c int
12 | 	defer func() { os.Exit(c) }()
13 | 	defer integration.DBSetup()()
14 | 	c = m.Run()
15 | }
16 | 


--------------------------------------------------------------------------------
/notifier/postgres/store_test.go:
--------------------------------------------------------------------------------
 1 | package postgres
 2 | 
 3 | import (
 4 | 	"context"
 5 | 	"testing"
 6 | 
 7 | 	"github.com/jackc/pgx/v4"
 8 | 	"github.com/jackc/pgx/v4/log/testingadapter"
 9 | 	"github.com/jackc/pgx/v4/pgxpool"
10 | 	"github.com/quay/claircore/test/integration"
11 | )
12 | 
13 | func TestingStore(ctx context.Context, t testing.TB) *Store {
14 | 	db, err := integration.NewDB(ctx, t)
15 | 	if err != nil {
16 | 		t.Fatalf("unable to create test database: %v", err)
17 | 	}
18 | 	t.Cleanup(func() { db.Close(ctx, t) })
19 | 
20 | 	cfg := db.Config()
21 | 	// This looks backwards, but means that failures get lots of output and
22 | 	// verbose output gets a moderate amount of output.
23 | 	cfg.ConnConfig.LogLevel = pgx.LogLevelInfo
24 | 	if testing.Verbose() {
25 | 		cfg.ConnConfig.LogLevel = pgx.LogLevelError
26 | 	}
27 | 	cfg.ConnConfig.Logger = testingadapter.NewLogger(t)
28 | 
29 | 	if err := Init(ctx, cfg.ConnConfig); err != nil {
30 | 		t.Fatalf("failed to init database: %v", err)
31 | 	}
32 | 
33 | 	pool, err := pgxpool.ConnectConfig(ctx, cfg)
34 | 	if err != nil {
35 | 		t.Fatalf("failed to create connpool: %v", err)
36 | 	}
37 | 	t.Cleanup(pool.Close)
38 | 	return NewStore(pool)
39 | }
40 | 


--------------------------------------------------------------------------------
/notifier/postgres/testdata/.gitignore:
--------------------------------------------------------------------------------
1 | pg*
2 | !.gitignore
3 | 


--------------------------------------------------------------------------------
/notifier/receipt.go:
--------------------------------------------------------------------------------
 1 | package notifier
 2 | 
 3 | import (
 4 | 	"time"
 5 | 
 6 | 	"github.com/google/uuid"
 7 | )
 8 | 
 9 | // Status defines the possible states of a notification.
10 | type Status string
11 | 
12 | const (
13 | 	// A notification is created and ready to be delivered to a client
14 | 	Created Status = "created"
15 | 	// A notification has been successfully delivered to a client
16 | 	Delivered Status = "delivered"
17 | 	// A notification failed to be delivered
18 | 	DeliveryFailed Status = "delivery_failed"
19 | 	// The client has read the notification and issued a delete
20 | 	Deleted Status = "deleted"
21 | )
22 | 
23 | // Receipt represents the current status of a notification
24 | type Receipt struct {
25 | 	// The update operation associated with this receipt
26 | 	UOID uuid.UUID
27 | 	// the id a client may use to retrieve a set of notifications
28 | 	NotificationID uuid.UUID
29 | 	// the current status  of the notification
30 | 	Status Status
31 | 	// the timestamp of the last status update
32 | 	TS time.Time
33 | }
34 | 


--------------------------------------------------------------------------------
/notifier/service.go:
--------------------------------------------------------------------------------
 1 | package notifier
 2 | 
 3 | import (
 4 | 	"context"
 5 | 
 6 | 	"github.com/google/uuid"
 7 | )
 8 | 
 9 | // Service is an interface wrapping ClairV4's notifier functionality.
10 | //
11 | // This remains an interface so remote clients may implement as well.
12 | type Service interface {
13 | 	// Retrieves an optional paginated set of notifications given an notification id
14 | 	Notifications(ctx context.Context, id uuid.UUID, page *Page) ([]Notification, Page, error)
15 | 	// Deletes the provided notification id
16 | 	DeleteNotifications(ctx context.Context, id uuid.UUID) error
17 | }
18 | 


--------------------------------------------------------------------------------
/notifier/service/mock.go:
--------------------------------------------------------------------------------
 1 | package service
 2 | 
 3 | import (
 4 | 	"context"
 5 | 
 6 | 	"github.com/google/uuid"
 7 | 
 8 | 	"github.com/quay/clair/v4/notifier"
 9 | )
10 | 
11 | var _ notifier.Service = (*Mock)(nil)
12 | 
13 | // Mock implements a mock notifier service
14 | type Mock struct {
15 | 	Notifications_       func(ctx context.Context, id uuid.UUID, page *notifier.Page) ([]notifier.Notification, notifier.Page, error)
16 | 	DeleteNotifications_ func(ctx context.Context, id uuid.UUID) error
17 | }
18 | 
19 | func (m *Mock) Notifications(ctx context.Context, id uuid.UUID, page *notifier.Page) ([]notifier.Notification, notifier.Page, error) {
20 | 	return m.Notifications_(ctx, id, page)
21 | }
22 | 
23 | func (m *Mock) DeleteNotifications(ctx context.Context, id uuid.UUID) error {
24 | 	return m.DeleteNotifications_(ctx, id)
25 | }
26 | 


--------------------------------------------------------------------------------
/notifier/stomp/deliverer.go:
--------------------------------------------------------------------------------
 1 | package stomp
 2 | 
 3 | import (
 4 | 	"context"
 5 | 	"encoding/json"
 6 | 	"fmt"
 7 | 	"net/url"
 8 | 	"time"
 9 | 
10 | 	gostomp "github.com/go-stomp/stomp/v3"
11 | 	"github.com/google/uuid"
12 | 	"github.com/quay/clair/config"
13 | 
14 | 	clairerror "github.com/quay/clair/v4/clair-error"
15 | 	"github.com/quay/clair/v4/notifier"
16 | )
17 | 
18 | // Deliverer is a STOMP deliverer which publishes a notifier.Callback to the
19 | // broker.
20 | type Deliverer struct {
21 | 	callback    *url.URL
22 | 	destination string
23 | 	fo          failOver
24 | 	rollup      int
25 | }
26 | 
27 | func New(conf *config.STOMP) (*Deliverer, error) {
28 | 	var d Deliverer
29 | 	if err := d.load(conf); err != nil {
30 | 		return nil, err
31 | 	}
32 | 	return &d, nil
33 | }
34 | 
35 | func (d *Deliverer) load(cfg *config.STOMP) error {
36 | 	d.fo.timeout = 30 * time.Second
37 | 	// TODO(hank) Wire up the "host" and "timeout" config somehow -- probably
38 | 	// just make the config URIs strings actual URIs and parse them out with
39 | 	// query parameters.
40 | 	var err error
41 | 	if cfg.TLS != nil {
42 | 		d.fo.tls, err = cfg.TLS.Config()
43 | 		if err != nil {
44 | 			return err
45 | 		}
46 | 	}
47 | 	if !cfg.Direct {
48 | 		d.callback, err = url.Parse(cfg.Callback)
49 | 		if err != nil {
50 | 			return err
51 | 		}
52 | 	}
53 | 
54 | 	d.fo.addrs = make([]string, len(cfg.URIs))
55 | 	copy(d.fo.addrs, cfg.URIs)
56 | 	d.destination = cfg.Destination
57 | 	d.rollup = cfg.Rollup
58 | 	return nil
59 | }
60 | 
61 | func (d *Deliverer) Name() string {
62 | 	return fmt.Sprintf("stomp-%s", d.destination)
63 | }
64 | 
65 | func (d *Deliverer) Deliver(ctx context.Context, nID uuid.UUID) error {
66 | 	conn, err := d.fo.Connection(ctx)
67 | 	if err != nil {
68 | 		return &clairerror.ErrDeliveryFailed{err}
69 | 	}
70 | 	defer conn.Disconnect()
71 | 
72 | 	u, err := d.callback.Parse(nID.String())
73 | 	if err != nil {
74 | 		return err
75 | 	}
76 | 
77 | 	cb := notifier.Callback{
78 | 		NotificationID: nID,
79 | 		Callback:       *u,
80 | 	}
81 | 	b, err := json.Marshal(&cb)
82 | 	if err != nil {
83 | 		return &clairerror.ErrDeliveryFailed{err}
84 | 	}
85 | 
86 | 	err = conn.Send(d.destination, "application/json", b, gostomp.SendOpt.Receipt)
87 | 	if err != nil {
88 | 		return &clairerror.ErrDeliveryFailed{err}
89 | 	}
90 | 	return nil
91 | }
92 | 


--------------------------------------------------------------------------------
/notifier/stomp/doc.go:
--------------------------------------------------------------------------------
1 | // Package stomp implements a [Deliverer] over the STOMP protocol.
2 | //
3 | // Deprecated: This package will be removed in a future version. Users should
4 | // write a webhook to STOMP transducer.
5 | package stomp
6 | 


--------------------------------------------------------------------------------
/notifier/stomp/failover.go:
--------------------------------------------------------------------------------
 1 | package stomp
 2 | 
 3 | import (
 4 | 	"context"
 5 | 	"crypto/tls"
 6 | 	"fmt"
 7 | 	"net"
 8 | 	"time"
 9 | 
10 | 	gostomp "github.com/go-stomp/stomp/v3"
11 | 	"github.com/quay/clair/config"
12 | 	"github.com/quay/zlog"
13 | )
14 | 
15 | // failOver will return the first successful connection made against the provided
16 | // brokers, or an existing connection if not closed.
17 | //
18 | // failOver is safe for concurrent usage.
19 | type failOver struct {
20 | 	tls     *tls.Config
21 | 	login   *config.Login
22 | 	addrs   []string
23 | 	timeout time.Duration
24 | }
25 | 
26 | // Dial will dial the provided address in accordance with the provided Config.
27 | //
28 | // Note: the STOMP protocol does not support multiplexing operations over a
29 | // single TCP connection. A TCP connection must be made for each STOMP
30 | // connection.
31 | func (f *failOver) Dial(ctx context.Context, addr string) (*gostomp.Conn, error) {
32 | 	var opts []func(*gostomp.Conn) error
33 | 	if f.login != nil {
34 | 		opts = append(opts, gostomp.ConnOpt.Login(f.login.Login, f.login.Passcode))
35 | 	}
36 | 	if host, _, err := net.SplitHostPort(addr); err == nil {
37 | 		opts = append(opts, gostomp.ConnOpt.Host(host))
38 | 	}
39 | 
40 | 	var d interface {
41 | 		DialContext(context.Context, string, string) (net.Conn, error)
42 | 	} = &net.Dialer{
43 | 		Timeout: f.timeout,
44 | 	}
45 | 	if f.tls != nil {
46 | 		d = &tls.Dialer{
47 | 			NetDialer: d.(*net.Dialer),
48 | 			Config:    f.tls,
49 | 		}
50 | 	}
51 | 	conn, err := d.DialContext(ctx, "tcp", addr)
52 | 	if err != nil {
53 | 		return nil, fmt.Errorf("failed to connect to broker @ %v: %w", addr, err)
54 | 	}
55 | 
56 | 	stompConn, err := gostomp.Connect(conn, opts...)
57 | 	if err != nil {
58 | 		if conn != nil {
59 | 			conn.Close()
60 | 		}
61 | 		return nil, fmt.Errorf("stomp connect handshake to broker @ %v failed: %w", addr, err)
62 | 	}
63 | 
64 | 	return stompConn, err
65 | }
66 | 
67 | // Connection returns a new connection to the first broker that successfully
68 | // handshakes.
69 | //
70 | // The caller MUST call conn.Disconnect() to close the underlying TCP connection
71 | // when finished.
72 | func (f *failOver) Connection(ctx context.Context) (*gostomp.Conn, error) {
73 | 	ctx = zlog.ContextWithValues(ctx, "component", "notifier/stomp/failOver.Connection")
74 | 
75 | 	for _, addr := range f.addrs {
76 | 		conn, err := f.Dial(ctx, addr)
77 | 		if err != nil {
78 | 			zlog.Debug(ctx).
79 | 				Str("broker", addr).
80 | 				Err(err).
81 | 				Msg("failed to dial broker, attempting next")
82 | 			continue
83 | 		}
84 | 		return conn, nil
85 | 	}
86 | 	return nil, fmt.Errorf("exhausted all brokers and unable to make connection")
87 | }
88 | 


--------------------------------------------------------------------------------
/notifier/vulnsummary.go:
--------------------------------------------------------------------------------
 1 | package notifier
 2 | 
 3 | import "github.com/quay/claircore"
 4 | 
 5 | // VulnSummary summarizes a vulnerability which triggered
 6 | // a notification
 7 | type VulnSummary struct {
 8 | 	Name           string                  `json:"name"`
 9 | 	Description    string                  `json:"description"`
10 | 	Package        *claircore.Package      `json:"package,omitempty"`
11 | 	Distribution   *claircore.Distribution `json:"distribution,omitempty"`
12 | 	Repo           *claircore.Repository   `json:"repo,omitempty"`
13 | 	Severity       string                  `json:"severity"`
14 | 	FixedInVersion string                  `json:"fixed_in_version"`
15 | 	Links          string                  `json:"links"`
16 | }
17 | 
18 | func (vs *VulnSummary) FromVulnerability(v *claircore.Vulnerability) {
19 | 	*vs = VulnSummary{
20 | 		Name:           v.Name,
21 | 		Description:    v.Description,
22 | 		Package:        v.Package,
23 | 		Distribution:   v.Dist,
24 | 		Repo:           v.Repo,
25 | 		Severity:       v.NormalizedSeverity.String(),
26 | 		FixedInVersion: v.FixedInVersion,
27 | 		Links:          v.Links,
28 | 	}
29 | }
30 | 


--------------------------------------------------------------------------------
/notifier/webhook/deliverer_test.go:
--------------------------------------------------------------------------------
 1 | package webhook
 2 | 
 3 | import (
 4 | 	"context"
 5 | 	"encoding/json"
 6 | 	"net/http"
 7 | 	"net/http/httptest"
 8 | 	"net/url"
 9 | 	"path"
10 | 	"sync"
11 | 	"testing"
12 | 
13 | 	"github.com/google/go-cmp/cmp"
14 | 	"github.com/google/uuid"
15 | 	"github.com/quay/clair/config"
16 | 	"github.com/quay/zlog"
17 | 
18 | 	"github.com/quay/clair/v4/notifier"
19 | )
20 | 
21 | var (
22 | 	callback = "http://clair-notifier/notifier/api/v1/notification/"
23 | 	noteID   = uuid.New()
24 | )
25 | 
26 | // TestDeliverer confirms the deliverer correctly sends the webhook
27 | // data structure to the configured target.
28 | func TestDeliverer(t *testing.T) {
29 | 	var whResult struct {
30 | 		sync.Mutex
31 | 		cb notifier.Callback
32 | 	}
33 | 	server := httptest.NewServer(http.HandlerFunc(
34 | 		func(w http.ResponseWriter, r *http.Request) {
35 | 			if r.Method != http.MethodPost {
36 | 				w.WriteHeader(http.StatusMethodNotAllowed)
37 | 				return
38 | 			}
39 | 			var cb notifier.Callback
40 | 			err := json.NewDecoder(r.Body).Decode(&cb)
41 | 			if err != nil {
42 | 				w.WriteHeader(http.StatusBadRequest)
43 | 				return
44 | 			}
45 | 			whResult.Lock()
46 | 			whResult.cb = cb
47 | 			whResult.Unlock()
48 | 		},
49 | 	))
50 | 	defer server.Close()
51 | 	ctx := zlog.Test(context.Background(), t)
52 | 	conf := config.Webhook{
53 | 		Callback: callback,
54 | 		Target:   server.URL,
55 | 	}
56 | 
57 | 	d, err := New(&conf, server.Client(), nil)
58 | 	if err != nil {
59 | 		t.Fatalf("failed to create new webhook deliverer: %v", err)
60 | 	}
61 | 	err = d.Deliver(ctx, noteID)
62 | 	if err != nil {
63 | 		t.Fatalf("got: %v, wanted: nil", err)
64 | 	}
65 | 
66 | 	whResult.Lock()
67 | 	wh := whResult.cb
68 | 	whResult.Unlock()
69 | 
70 | 	if !cmp.Equal(wh.NotificationID, noteID) {
71 | 		t.Fatalf("got: %v, wanted: %v", wh.NotificationID, noteID)
72 | 	}
73 | 
74 | 	cbURL, err := url.Parse(callback)
75 | 	if err != nil {
76 | 		t.Fatalf("failed to parse callback url: %v", err)
77 | 	}
78 | 	cbURL.Path = path.Join(cbURL.Path, noteID.String())
79 | 
80 | 	if got, want := wh.Callback.String(), cbURL.String(); got != want {
81 | 		t.Fatalf("got: %v, wanted: %v", got, want)
82 | 	}
83 | }
84 | 


--------------------------------------------------------------------------------