Docker-Security-Analysis

This repository is to contain my work for a Technical Report (ENGR 411) at Concordia University during the Fall 2018 semester.

Scan local image with Anchore

05 Nov 2018 - Christopher McArthur

Today’s mission: Scan a modified image.

In order to do this using anchore, I first went on the adventure of modifying and committing a new image… For my first test I opted for installing ping. From my container I was able to ping -c 2 google.ca, following which I made my docker commit.

Next I tried scanning the image with anchore, but it could not be found with the sha. So I committed the image again with a meaningful name, ping-test. Scanning was unable to pick up the image.

With a little bit of help from the --debug flag, I noticed it was looking on the docker.io repository.

I then installed and now host my own private repository! I have pushed my ping test image as my-tests on the registry. After deleting it locally, I was able to pull it again.

Currently trying to add the repository to anchore, but I'm getting stuck with it not finding a manifest.

Running curl -X GET http://localhost:5000/v2/catalog as well as curl -X GET http://localhost:5000/v2/my-tests/tag/latest produces what looks like correct results.

cmcarthur@docker-engine-one:~/aevolume$ anchore-cli --debug --insecure image add localhost:5000/my-tests
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:8228
DEBUG:urllib3.connectionpool:http://localhost:8228 "GET /v1 HTTP/1.1" 200 0
DEBUG:anchorecli.clients.apiexternal:POST url=http://localhost:8228/v1/images?autosubscribe=True
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:8228
DEBUG:urllib3.connectionpool:http://localhost:8228 "POST /v1/images?autosubscribe=True HTTP/1.1" 400 593
DEBUG:anchorecli.cli.utils:fetched httpcode from response: 400
Error: cannot fetch image digest/manifest from registry
HTTP Code: 400
Detail: {u'raw_exception_message': u'could not get manifest/digest for image (localhost:5000/my-tests:latest) from registry (https://localhost:5000) - error: Error encountered in skopeo operation. cmd=/bin/sh -c skopeo inspect --raw --tls-verify=false  docker://localhost:5000/my-tests:latest, rc=1, stdout=None, stderr=time="2018-11-06T04:54:47Z" level=fatal msg="pinging docker registry returned: Get http://localhost:5000/v2/: dial tcp 127.0.0.1:5000: getsockopt: connection refused"'}

I think I found my problem: anchore is trying to use HTTPS, but that's not configured on my local repo…

Freaking painful CLI.

cmcarthur@docker-engine-one:~/aevolume$ anchore-cli --debug registry add --insecure --skip-validate localhost:5000 user pass
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:8228
DEBUG:urllib3.connectionpool:http://localhost:8228 "GET /v1 HTTP/1.1" 200 0
DEBUG:anchorecli.clients.apiexternal:POST url=http://localhost:8228/v1/registries?validate=False
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:8228
DEBUG:urllib3.connectionpool:http://localhost:8228 "POST /v1/registries?validate=False HTTP/1.1" 200 253
DEBUG:anchorecli.cli.utils:fetched httpcode from response: 200
Registry: localhost:5000
User: user
Type: docker_v2
Verify TLS: False
Created: 2018-11-06T05:35:16Z
Updated: 2018-11-06T05:35:16Z

Finally got it to work…

Trying to add image…

cmcarthur@docker-engine-one:~$ anchore-cli --debug --json image add localhost:5000/my-tests:latest
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:8228
DEBUG:urllib3.connectionpool:http://localhost:8228 "GET /v1 HTTP/1.1" 200 0
DEBUG:anchorecli.clients.apiexternal:POST url=http://localhost:8228/v1/images?autosubscribe=True
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:8228
DEBUG:urllib3.connectionpool:http://localhost:8228 "POST /v1/images?autosubscribe=True HTTP/1.1" 400 632
DEBUG:anchorecli.cli.utils:fetched httpcode from response: 400
{
    "detail": {
        "raw_exception_message": "could not get manifest/digest for image (localhost:5000/my-tests:latest) from registry (https://localhost:5000) - error: Error encountered in skopeo operation. cmd=/bin/sh -c skopeo inspect --raw --tls-verify=false --creds \"${SKOPUSER}\":\"${SKOPPASS}\" docker://localhost:5000/my-tests:latest, rc=1, stdout=None, stderr=time=\"2018-11-06T05:48:53Z\" level=fatal msg=\"pinging docker registry returned: Get http://localhost:5000/v2/: dial tcp 127.0.0.1:5000: getsockopt: connection refused\""
    },
    "httpcode": 400,
    "message": "cannot fetch image digest/manifest from registry"
}
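
An added example, not part of the original journal or of anchore's own code: a small triage helper that splits the `--json` error body above into facts that can be checked one by one (the registry URL anchore recorded, the skopeo flags it used, the scheme of the last probe, and the address that was dialed). The `triage` function and the `CAUSES` table are assumptions of this example; the table is a heuristic over well-known Go and registry error strings.

```python
import ipaddress
import json
import re

# Copied from the page: the --json body returned for the failed `image add`.
SAMPLE = r'''{
    "detail": {
        "raw_exception_message": "could not get manifest/digest for image (localhost:5000/my-tests:latest) from registry (https://localhost:5000) - error: Error encountered in skopeo operation. cmd=/bin/sh -c skopeo inspect --raw --tls-verify=false --creds \"${SKOPUSER}\":\"${SKOPPASS}\" docker://localhost:5000/my-tests:latest, rc=1, stdout=None, stderr=time=\"2018-11-06T05:48:53Z\" level=fatal msg=\"pinging docker registry returned: Get http://localhost:5000/v2/: dial tcp 127.0.0.1:5000: getsockopt: connection refused\""
    },
    "httpcode": 400,
    "message": "cannot fetch image digest/manifest from registry"
}'''

# Heuristic substring -> cause table (an assumption of this example), checked in order.
CAUSES = [
    ("connection refused", "tcp-refused"),  # fails before any TLS or auth exchange
    ("no such host", "dns"),
    ("server gave HTTP response to HTTPS client", "scheme-mismatch"),
    ("x509:", "tls-certificate"),
    ("unauthorized", "auth"),
    ("manifest unknown", "image-not-found"),
]

def triage(body):
    """Break an anchore 'cannot fetch manifest' error into checkable facts."""
    msg = json.loads(body)["detail"]["raw_exception_message"]
    image = re.search(r"for image \((.+?)\)", msg)
    registry = re.search(r"from registry \((.+?)\)", msg)
    cmd = re.search(r"cmd=(.+?), rc=(\d+)", msg)
    stderr = msg.split("stderr=", 1)[1] if "stderr=" in msg else ""
    probe = re.search(r"Get (\w+)://", stderr)
    dial = re.search(r"dial tcp \[?([0-9a-fA-F:.]+)\]?:(\d+)", stderr)
    cmdline = cmd.group(1) if cmd else ""
    return {
        "image": image.group(1) if image else None,
        "registry": registry.group(1) if registry else None,
        "rc": int(cmd.group(2)) if cmd else None,
        "tls_verify": "--tls-verify=false" not in cmdline,
        "creds_passed": "--creds" in cmdline,
        "probe_scheme": probe.group(1) if probe else None,
        "dial": (dial.group(1), int(dial.group(2))) if dial else None,
        # A loopback address is local to whichever host or container ran skopeo.
        "dial_is_loopback": bool(dial) and ipaddress.ip_address(dial.group(1)).is_loopback,
        "cause": next((c for needle, c in CAUSES if needle in stderr), "unknown"),
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Comparing `tls_verify`, `probe_scheme` and `dial` side by side separates a transport-level failure from a TLS or credential one before any registry setting is changed.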