quay / clair

Vulnerability Static Analysis for Containers

Home Page: https://quay.github.io/clair/


Clair CRDA configuration

adnan-drina opened this issue

Description of Problem / Feature Request

Not able to configure Clair CRDA following documentation https://access.redhat.com/documentation/en-us/red_hat_quay/3.7/html-single/manage_red_hat_quay/index#clair-crda-configuration

Expected Outcome

Java vulnerability scanning enabled

Actual Outcome

Clair throws errors

{"level":"info","component":"crda/MatcherFactory.Configure","key":"9e7da76708fe374d8c10fa7xxxxxxxxx","time":"2022-05-27T06:49:09Z","message":"configured API key"}
{"level":"info","component":"crda/MatcherFactory.Matcher","time":"2022-05-27T06:49:09Z","message":"using default ecosystems"}

{"level":"info","component":"libvuln/New","matchers":[{"name":"debian-matcher","docs":"https://pkg.go.dev/github.com/quay/claircore/debian"},{"name":"python","docs":"https://pkg.go.dev/github.com/quay/claircore/python"},{"name":"rhel","docs":"https://pkg.go.dev/github.com/quay/claircore/rhel"},{"name":"alpine-matcher","docs":"https://pkg.go.dev/github.com/quay/claircore/alpine"},{"name":"aws-matcher","docs":"https://pkg.go.dev/github.com/quay/claircore/aws"},{"name":"suse","docs":"https://pkg.go.dev/github.com/quay/claircore/suse"},{"name":"ubuntu-matcher","docs":"https://pkg.go.dev/github.com/quay/claircore/ubuntu"},{"name":"photon","docs":"https://pkg.go.dev/github.com/quay/claircore/photon"},{"name":"crda-pypi","docs":"https://pkg.go.dev/github.com/quay/claircore/crda"},{"name":"crda-maven","docs":"https://pkg.go.dev/github.com/quay/claircore/crda"},{"name":"oracle","docs":"https://pkg.go.dev/github.com/quay/claircore/oracle"}],"time":"2022-05-27T06:49:09Z","message":"matchers created"}

{"level":"error","component":"crda/Matcher.QueryRemoteMatcher","matcher":"crda-pypi","error":"invalid character 'A' looking for beginning of value","time":"2022-05-27T06:49:33Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"invalid character 'A' looking for beginning of value","time":"2022-05-27T06:49:33Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"invalid character 'A' looking for beginning of value","time":"2022-05-27T06:49:33Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"invalid character 'A' looking for beginning of value","time":"2022-05-27T06:49:33Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"invalid character 'A' looking for beginning of value","time":"2022-05-27T06:49:33Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"invalid character 'A' looking for beginning of value","time":"2022-05-27T06:49:33Z","message":"remote api call failure"}
{"level":"error","component":"crda/Matcher.QueryRemoteMatcher","matcher":"crda-maven","error":"invalid character 'A' looking for beginning of value","time":"2022-05-27T06:49:33Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"invalid character 'A' looking for beginning of value","time":"2022-05-27T06:49:33Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"invalid character 'A' looking for beginning of value","time":"2022-05-27T06:49:33Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"invalid character 'A' looking for beginning of value","time":"2022-05-27T06:49:33Z","message":"remote api call failure"}

Environment

OpenShift 4.10.14
Quay Operator 3.7.0
registry.redhat.io/quay/clair-rhel8@sha256:86d45aaf6f783f119d9ed9acf9fc962b037564b32ba2b68e9075282f7e1d6e5b

clair-config.yaml

...
matchers:
  config:
    crda:
      url: https://gw.api.openshift.io/api/v2/
      source: quay.io
      key: 10fcd9b01603d57e6887a4349xxxxxxx
...

I'm presuming the 'A' is coming from the CRDA response body "Authentication failed". This likely means that the key is incorrect, or that for some reason there was a CRDA error when creating the key after filling out the form. Can you double-check the key? Then we can discount that.

I have double-checked my user_key, and with the curl command the API returns a response. So the user_key doesn't seem to be the problem. I think the problem is rather the API request format coming from Clair.

curl --location --request POST 'https://gw.api.openshift.io:443/api/v2/vulnerability-analysis?user_key=10fcd9b01603d57e6887a4349xxxxxxx' \
--header 'Content-Type: application/json' \
--data-raw '{
    "ecosystem": "maven",
    "package_versions": [
        {"package": "com.netflix.ribbon:ribbon-eureka", "version": "2.3.0"},
        {"package": "io.undertow:undertow-core", "version": "2.2.2.Final"},
        {"package": "org.apache.xmlbeans:xmlbeans", "version": "3.0.1"},
        {"package": "com.google.code.gson:gson", "version": "2.8.6"},
        {"package": "commons-logging:commons-logging", "version": "1.1.1"},
        {"package": "org.jfree:jcommon", "version": "1.0.23"},
        {"package": "com.ongres.scram:client", "version": "2.1"},
        {"package": "org.springframework.cloud:spring-cloud-starter-netflix-archaius", "version": "2.2.2.RELEASE"},
        {"package": "org.ow2.asm:asm", "version": "5.0.4"},
        {"package": "javax.xml.bind:jaxb-api", "version": "2.3.1"}
    ]
}'
[
  {
    "name": "com.netflix.ribbon:ribbon-eureka",
    "version": "2.3.0",
    "vulnerabilities": []
  },
  {
    "name": "io.undertow:undertow-core",
    "version": "2.2.2.Final",
    "vulnerabilities": [
      {
        "fixed_in": [
          "2.2.8.Final"
        ],
        "id": "SNYK-JAVA-IOUNDERTOW-1304915",
        "severity": "medium",
        "title": "Denial of Service (DoS)",
        "url": "https://snyk.io/vuln/SNYK-JAVA-IOUNDERTOW-1304915"
      },
      {
        "fixed_in": [
          "2.2.15.Final"
        ],
        "id": "SNYK-JAVA-IOUNDERTOW-2391283",
        "severity": "high",
        "title": "Denial of Service (DoS)",
        "url": "https://snyk.io/vuln/SNYK-JAVA-IOUNDERTOW-2391283"
      }
    ]
  },
  {
    "name": "org.apache.xmlbeans:xmlbeans",
    "version": "3.0.1",
    "vulnerabilities": []
  },
  {
    "name": "com.google.code.gson:gson",
    "version": "2.8.6",
    "vulnerabilities": [
      {
        "fixed_in": [
          "2.8.9"
        ],
        "id": "SNYK-JAVA-COMGOOGLECODEGSON-1730327",
        "severity": "high",
        "title": "Deserialization of Untrusted Data",
        "url": "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327"
      }
    ]
  },
  {
    "name": "commons-logging:commons-logging",
    "version": "1.1.1",
    "vulnerabilities": []
  },
  {
    "name": "org.jfree:jcommon",
    "version": "1.0.23",
    "vulnerabilities": []
  },
  {
    "name": "com.ongres.scram:client",
    "version": "2.1",
    "vulnerabilities": []
  },
  {
    "name": "org.springframework.cloud:spring-cloud-starter-netflix-archaius",
    "version": "2.2.2.RELEASE",
    "vulnerabilities": []
  },
  {
    "name": "org.ow2.asm:asm",
    "version": "5.0.4",
    "vulnerabilities": []
  },
  {
    "name": "javax.xml.bind:jaxb-api",
    "version": "2.3.1",
    "vulnerabilities": []
  }
]
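The response above is what the CRDA matcher would normally turn into Clair findings. The following script is an added example for this thread, not Clair or claircore code: it takes the CRDA vulnerability-analysis response (abridged and embedded inline from the curl output above, so it runs offline) and reduces it to one remediation line per affected package, including the lowest version that closes every listed advisory. The Maven-style version ordering (numeric segments compared as integers, suffixes such as "Final" as strings) is an assumption of the example.

```python
"""Summarize a CRDA vulnerability-analysis response into a per-package remediation view.

Added example for this thread, not Clair or claircore code. The input is the JSON
body returned by the curl call above, abridged to four packages and embedded inline
so the script runs offline.
"""
import json

# Constructed from the CRDA response shown in the thread (abridged to the entries that matter).
CRDA_RESPONSE = json.loads("""
[
  {"name": "com.netflix.ribbon:ribbon-eureka", "version": "2.3.0", "vulnerabilities": []},
  {"name": "io.undertow:undertow-core", "version": "2.2.2.Final", "vulnerabilities": [
    {"fixed_in": ["2.2.8.Final"], "id": "SNYK-JAVA-IOUNDERTOW-1304915", "severity": "medium",
     "title": "Denial of Service (DoS)", "url": "https://snyk.io/vuln/SNYK-JAVA-IOUNDERTOW-1304915"},
    {"fixed_in": ["2.2.15.Final"], "id": "SNYK-JAVA-IOUNDERTOW-2391283", "severity": "high",
     "title": "Denial of Service (DoS)", "url": "https://snyk.io/vuln/SNYK-JAVA-IOUNDERTOW-2391283"}]},
  {"name": "com.google.code.gson:gson", "version": "2.8.6", "vulnerabilities": [
    {"fixed_in": ["2.8.9"], "id": "SNYK-JAVA-COMGOOGLECODEGSON-1730327", "severity": "high",
     "title": "Deserialization of Untrusted Data", "url": "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327"}]},
  {"name": "javax.xml.bind:jaxb-api", "version": "2.3.1", "vulnerabilities": []}
]
""")

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def version_key(version):
    """Sort key for Maven-style versions (assumption of this example): numeric
    segments compare as integers, non-numeric ones ("Final", "RELEASE") as strings,
    so 2.2.8.Final sorts before 2.2.15.Final."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in version.split(".")]


def summarize(response):
    """Return {package: {...}} for packages with at least one advisory.

    fix_version is the lowest version that closes every advisory for the package:
    take each advisory's lowest fixed_in version, then the highest of those.
    """
    summary = {}
    for entry in response:
        vulns = entry.get("vulnerabilities") or []
        if not vulns:
            continue
        worst = max(vulns, key=lambda v: SEVERITY_RANK.get(str(v.get("severity", "")).lower(), 0))
        per_advisory_min = [min(v["fixed_in"], key=version_key) for v in vulns if v.get("fixed_in")]
        summary[entry["name"]] = {
            "version": entry["version"],
            "count": len(vulns),
            "worst_severity": worst.get("severity"),
            "fix_version": max(per_advisory_min, key=version_key) if per_advisory_min else None,
            "ids": sorted(v["id"] for v in vulns),
        }
    return summary


if __name__ == "__main__":
    for pkg, info in summarize(CRDA_RESPONSE).items():
        print(f"{pkg} {info['version']}: {info['count']} advisories, worst {info['worst_severity']}, "
              f"upgrade to {info['fix_version']} ({', '.join(info['ids'])})")
```

For undertow-core this yields an upgrade target of 2.2.15.Final, not 2.2.8.Final: the lower fix version would close only the medium-severity advisory and leave the high one open, which is the trap a naive "first fixed_in" summary falls into.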

Currently, my Clair config is as follows:

auth:
    psk:
        iss:
            - quay
            - clairctl
        key: OVAyQmNYWmlEYUM1SURJa0RCYXoza0tTOTYyNUphc2s=
http_listen_addr: :8080
indexer:
    connstring: host=demo-registry-clair-postgres port=5432 dbname=postgres user=postgres password=postgres sslmode=disable
    layer_scan_concurrency: 5
    migrations: true
    scanlock_retry: 10
log_level: info
matcher:
    connstring: host=demo-registry-clair-postgres port=5432 dbname=postgres user=postgres password=postgres sslmode=disable
    max_conn_pool: 100
    migrations: true
matchers:
    config:
        crda:
            key: 10fcd9b01603d57e6887a4349xxxxxx
            source: quay.io
            url: https://gw.api.openshift.io/api/v2/
metrics:
    name: prometheus
notifier:
    connstring: host=demo-registry-clair-postgres port=5432 dbname=postgres user=postgres password=postgres sslmode=disable
    delivery_interval: 1m0s
    migrations: true
    poll_interval: 5m0s
    webhook:
        callback: http://demo-registry-clair-app/notifier/api/v1/notifications
        target: https://demo-registry-quay-quay.apps.cluster-wx7z7.wx7z7.sandbox1084.opentlc.com/secscan/notification

and the error message has changed slightly:

{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"invalid character '<' looking for beginning of value","time":"2022-05-27T14:08:40Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"invalid character '<' looking for beginning of value","time":"2022-05-27T14:08:40Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"invalid character '<' looking for beginning of value","time":"2022-05-27T14:08:40Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"invalid character '<' looking for beginning of value","time":"2022-05-27T14:08:40Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"invalid character '<' looking for beginning of value","time":"2022-05-27T14:08:40Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"invalid character '<' looking for beginning of value","time":"2022-05-27T14:08:40Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"invalid character '<' looking for beginning of value","time":"2022-05-27T14:08:40Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"invalid character '<' looking for beginning of value","time":"2022-05-27T14:08:40Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"invalid character '<' looking for beginning of value","time":"2022-05-27T14:08:40Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-pypi","component":"crda/Matcher.QueryRemoteMatcher","error":"invalid character '<' looking for beginning of value","time":"2022-05-27T14:08:40Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"invalid character '<' looking for beginning of value","time":"2022-05-27T14:08:40Z","message":"remote api call failure"}

You can try rebuilding clair with claircore@main (i.e. including c854b78) to see why the CRDA API is complaining.

Please run 4.4.3 and see what sort of errors are being reported.

After changing the Clair version to 4.4.3 I'm indeed getting a new error message:

{"level":"error","component":"crda/Matcher.QueryRemoteMatcher","matcher":"crda-maven","error":"reported error: \"405 Method Not Allowed\" (body: \"<!DOCTYPE HTML PUBLIC \\\"-//W3C//DTD HTML 3.2 Final//EN\\\">\\n<title>405 Method Not Allowed</title>\\n<h1>Method Not Allowed</h1>\\n<p>The method is not allowed for the requested URL.</p>\\n\")","time":"2022-06-08T09:12:35Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-pypi","component":"crda/Matcher.QueryRemoteMatcher","error":"reported error: \"405 Method Not Allowed\" (body: \"<!DOCTYPE HTML PUBLIC \\\"-//W3C//DTD HTML 3.2 Final//EN\\\">\\n<title>405 Method Not Allowed</title>\\n<h1>Method Not Allowed</h1>\\n<p>The method is not allowed for the requested URL.</p>\\n\")","time":"2022-06-08T09:12:35Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"reported error: \"405 Method Not Allowed\" (body: \"<!DOCTYPE HTML PUBLIC \\\"-//W3C//DTD HTML 3.2 Final//EN\\\">\\n<title>405 Method Not Allowed</title>\\n<h1>Method Not Allowed</h1>\\n<p>The method is not allowed for the requested URL.</p>\\n\")","time":"2022-06-08T09:12:35Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"reported error: \"405 Method Not Allowed\" (body: \"<!DOCTYPE HTML PUBLIC \\\"-//W3C//DTD HTML 3.2 Final//EN\\\">\\n<title>405 Method Not Allowed</title>\\n<h1>Method Not Allowed</h1>\\n<p>The method is not allowed for the requested URL.</p>\\n\")","time":"2022-06-08T09:12:35Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"reported error: \"405 Method Not Allowed\" (body: \"<!DOCTYPE HTML PUBLIC \\\"-//W3C//DTD HTML 3.2 Final//EN\\\">\\n<title>405 Method Not Allowed</title>\\n<h1>Method Not Allowed</h1>\\n<p>The method is not allowed for the requested URL.</p>\\n\")","time":"2022-06-08T09:12:35Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"reported error: \"405 Method Not Allowed\" (body: \"<!DOCTYPE HTML PUBLIC \\\"-//W3C//DTD HTML 3.2 Final//EN\\\">\\n<title>405 Method Not Allowed</title>\\n<h1>Method Not Allowed</h1>\\n<p>The method is not allowed for the requested URL.</p>\\n\")","time":"2022-06-08T09:12:35Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"reported error: \"405 Method Not Allowed\" (body: \"<!DOCTYPE HTML PUBLIC \\\"-//W3C//DTD HTML 3.2 Final//EN\\\">\\n<title>405 Method Not Allowed</title>\\n<h1>Method Not Allowed</h1>\\n<p>The method is not allowed for the requested URL.</p>\\n\")","time":"2022-06-08T09:12:35Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"reported error: \"405 Method Not Allowed\" (body: \"<!DOCTYPE HTML PUBLIC \\\"-//W3C//DTD HTML 3.2 Final//EN\\\">\\n<title>405 Method Not Allowed</title>\\n<h1>Method Not Allowed</h1>\\n<p>The method is not allowed for the requested URL.</p>\\n\")","time":"2022-06-08T09:12:35Z","message":"remote api call failure"}
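The three error shapes in this thread (the `'A'` and `'<'` decode errors from the older build, and the `405 Method Not Allowed` body surfaced by 4.4.3) are all the same underlying event: the CRDA endpoint answered with something that is not JSON, and the older build only showed the first character of that body. The script below is an added example, not part of Clair: it reads Clair's JSON log lines, keeps only `remote api call failure` records, and groups them by matcher and failure class so the non-JSON-body cases stand out from genuine HTTP errors. The log lines are constructed from the ones posted in this thread, with the repeated entries collapsed, and the wording of the hints is this example's own (the thread only suspects an "Authentication failed" text body behind the `'A'`).

```python
"""Triage Clair JSON log lines for remote matcher (CRDA) failures.

Added example for this thread, not Clair code. The sample log is constructed from
the lines posted in the issue, deduplicated, and embedded so the script runs offline.
"""
import json
import re
from collections import Counter

# Constructed sample: one representative line per error shape seen in the thread.
SAMPLE_LOG = r'''
{"level":"info","component":"crda/MatcherFactory.Matcher","time":"2022-05-27T06:49:09Z","message":"using default ecosystems"}
{"level":"error","component":"crda/Matcher.QueryRemoteMatcher","matcher":"crda-pypi","error":"invalid character 'A' looking for beginning of value","time":"2022-05-27T06:49:33Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"invalid character 'A' looking for beginning of value","time":"2022-05-27T06:49:33Z","message":"remote api call failure"}
{"level":"error","matcher":"crda-maven","component":"crda/Matcher.QueryRemoteMatcher","error":"invalid character '<' looking for beginning of value","time":"2022-05-27T14:08:40Z","message":"remote api call failure"}
{"level":"error","component":"crda/Matcher.QueryRemoteMatcher","matcher":"crda-maven","error":"reported error: \"405 Method Not Allowed\" (body: \"<!DOCTYPE HTML PUBLIC \\\"-//W3C//DTD HTML 3.2 Final//EN\\\">\\n<title>405 Method Not Allowed</title>\\n<h1>Method Not Allowed</h1>\\n<p>The method is not allowed for the requested URL.</p>\\n\")","time":"2022-06-08T09:12:35Z","message":"remote api call failure"}
'''

# Go's encoding/json phrasing when the response body is not JSON at all.
DECODE_ERR = re.compile(r"invalid character '(.)' looking for beginning of value")
# Clair 4.4.3 phrasing, which includes the HTTP status and the raw body.
HTTP_ERR = re.compile(r'reported error: "(\d{3}) ([^"]+)"')


def classify(err):
    """Map an error string to a short failure class a human can act on."""
    m = DECODE_ERR.match(err)
    if m:
        ch = m.group(1)
        if ch == "<":
            return "non-JSON body: HTML/XML (likely an HTTP error page)"
        return f"non-JSON body: text starting with {ch!r} (check key/endpoint; body not logged by this build)"
    m = HTTP_ERR.search(err)
    if m:
        return f"HTTP {m.group(1)} {m.group(2)}"
    return "other"


def triage(log_text):
    """Return Counter[(matcher, failure_class)] over remote-api failure records.

    Non-JSON lines are skipped rather than raised, since Clair logs can carry
    startup output that is not JSON.
    """
    counts = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("level") != "error" or rec.get("message") != "remote api call failure":
            continue
        counts[(rec.get("matcher", "?"), classify(rec.get("error", "")))] += 1
    return counts


if __name__ == "__main__":
    for (matcher, cls), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{n:4d}  {matcher:12s}  {cls}")
```

Run against the live Clair container logs (for example `oc logs <clair-pod> | python3 triage.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`), this separates "the endpoint answered with non-JSON" from "the endpoint answered with an HTTP error", which is exactly the distinction the 4.4.3 upgrade made visible in this thread.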

I don't think there's much more we can do, here. I think you'll need to contact the CRDA team/operators for any additional troubleshooting.

We're using the correct method (see here) so I suspect the API is upset for some other reason and not reporting that correctly.

Thanks a lot for pointing me to the correct method. After omitting URL and source values from my Clair config everything works as expected.
My final Clair config looks like this:

matchers:
  config:
    crda:
      key: 10fcd9b01603d57e6887a4349xxxxxxx