quay / clair

Vulnerability Static Analysis for Containers

Home Page: https://quay.github.io/clair/

Ports not correctly handled when configuring indexer.airgap

klr8 opened this issue

Description of Problem / Feature Request

If you set indexer.airgap to true in your Clair config.yaml file, Clair will plug the ctlLocalOnly function into its HTTP client:

dialer.Control = ctlLocalOnly

The ctlLocalOnly function does not strip ports from the address before calling net.ParseIP, leading to errors like this:

{"code":"internal-error","message":"failed to start scan: failed to fetch layers: encountered error while fetching a layer: error realizing layer sha256:866c50b3abaa03e209df883a53810e63a99a003fe97d9f4432ecbb003db0d7dd: fetcher: request failed: Get \"https://my.server.com/v2/foo/bar/blobs/sha256:866c50b3abaa03e209df883a53810e63a99a003fe97d9f4432ecbb003db0d7dd\": dial tcp 10.4.145.17:443: address tcp4!10.4.145.17:443: martian address"}

Expected Outcome

Airgapping works as expected.

Actual Outcome

Airgapping fails Clair scans.

Environment

  • Clair version/image: 4.6.0
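
The failure reported above can be reproduced outside Clair with a small dialer Control hook. This is an added example, not Clair's own code and not part of the original issue. The function names and the "private or loopback only" policy are assumptions, and the sample addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
	"syscall"
)

// addrErr builds the error shape seen in the report: "address <net>!<addr>: <msg>".
func addrErr(network, address, msg string) error {
	return &net.AddrError{Addr: network + "!" + address, Err: msg}
}

// allowLocal is the assumed air-gap policy: private or loopback addresses only.
func allowLocal(network, address string, ip net.IP) error {
	if ip.IsPrivate() || ip.IsLoopback() {
		return nil
	}
	return addrErr(network, address, "disallowed by policy")
}

// localOnlyNoSplit reproduces the reported behaviour: the dialer hands Control
// an "ip:port" string, and net.ParseIP returns nil for anything with a port.
func localOnlyNoSplit(network, address string, _ syscall.RawConn) error {
	ip := net.ParseIP(address)
	if ip == nil {
		return addrErr(network, address, "martian address")
	}
	return allowLocal(network, address, ip)
}

// localOnlySplit strips the port with net.SplitHostPort before parsing.
func localOnlySplit(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	ip := net.ParseIP(host) // host is "" when the split failed, so ip is nil
	if err != nil || ip == nil {
		return addrErr(network, address, "martian address")
	}
	return allowLocal(network, address, ip)
}

func main() {
	_ = net.Dialer{Control: localOnlySplit} // same signature as Dialer.Control
	// Constructed sample addresses: private v4, private v6, public (TEST-NET-3).
	for _, a := range []string{"10.4.145.17:443", "[fd00::1]:443", "203.0.113.10:443"} {
		fmt.Printf("%-20s no-split=%v | split=%v\n", a, localOnlyNoSplit("tcp", a, nil), localOnlySplit("tcp", a, nil))
	}
}
```

Without the split, every address is rejected as a martian address, including the private registry address the air-gap policy is meant to allow. With the split, only the non-private address is refused.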