
Transforming Clair: My Master Thesis in Retrospective Part 1

11.12.2019

In my last blog posts, I sometimes alluded to the fact that I wrote my Master's thesis this year. Like the older posts, the thesis centred on the open-source tool Clair. In this article I describe my tasks and the goals of the work in detail; the series as a whole will examine every aspect of my biggest academic work to date.

First things first, for new readers: what is Clair? Clair is a widely used tool for the static vulnerability analysis of software containers (Docker and appc images). If you take GitHub stars as the success metric, Clair ranks first among its competitors.

Basically, the scanner inspects a container image for the packages installed in it, ssh for example. Clair also pulls vulnerability information from several data sources and saves it in its database. The next step is to compare the packages it found with the list of known vulnerabilities. If a vulnerable package is found, the tool informs the user of the potential threat to the security of the system. As an example: if the package ssh in version 1.0 had a critical flaw in which the communication is not encrypted, the scan would deliver a critical warning. The safety and security of an information system can thus be greatly increased by incorporating Clair.

When using Clair one soon discovers that the scanner only finds packages that were installed through the container's operating system, i.e. by its package manager. When an application such as a Java servlet runs inside the container, its libraries and their possible vulnerabilities stay hidden and are not detected by Clair.
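To make the two steps above concrete (list the installed packages, then compare them with the vulnerability list) and to show where the blind spot comes from, here is an added example in Go, Clair's own language. It is not code from Clair or from the thesis. It assumes a layer represented as a constructed map of file paths to contents instead of a real layer tarball, a made-up feed whose EXAMPLE-* IDs are placeholders rather than real advisories, and a deliberately simplified version comparison (numeric runs only) that stands in for dpkg's real ordering rules.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type (
	Package       struct{ Name, Version string }                // what the package manager recorded
	Vulnerability struct{ ID, Package, FixedIn, Severity string } // affected below FixedIn; "" means no fix yet
	Finding       struct{ Vuln Vulnerability; Pkg Package }
	Layer         map[string]string // path -> content of one image layer (constructed here, a tarball in reality)
)

// sampleLayer is constructed sample data: a dpkg status file with two packages
// and an application JAR sitting next to it.
var sampleLayer = Layer{
	"var/lib/dpkg/status": "Package: openssh-server\nStatus: install ok installed\nVersion: 1:7.4p1-10\n\n" +
		"Package: bash\nStatus: install ok installed\nVersion: 4.4-5\n\n",
	"app/lib/struts2-core-2.3.5.jar": "PK\x03\x04 placeholder, not a real archive",
}

// sampleFeed is constructed sample data; the IDs are placeholders, not advisories.
var sampleFeed = []Vulnerability{
	{ID: "EXAMPLE-0001", Package: "openssh-server", FixedIn: "1:7.4p1-10+deb9u7", Severity: "High"},
	{ID: "EXAMPLE-0002", Package: "bash", FixedIn: "4.4-5", Severity: "Medium"},
	{ID: "EXAMPLE-0003", Package: "struts2-core", FixedIn: "2.3.32", Severity: "Critical"},
}

// listPackages consults only the package manager's database by parsing the
// stanzas of var/lib/dpkg/status. The JAR under app/lib is an opaque file to
// this step and never shows up in the result.
func listPackages(layer Layer) []Package {
	var pkgs []Package
	for _, stanza := range strings.Split(layer["var/lib/dpkg/status"], "\n\n") {
		var p Package
		installed := false
		for _, line := range strings.Split(stanza, "\n") {
			switch {
			case strings.HasPrefix(line, "Package: "):
				p.Name = strings.TrimPrefix(line, "Package: ")
			case strings.HasPrefix(line, "Version: "):
				p.Version = strings.TrimPrefix(line, "Version: ")
			case strings.HasPrefix(line, "Status: "):
				// dpkg keeps stanzas for removed packages too ("deinstall ok config-files")
				installed = strings.HasSuffix(line, " installed")
			}
		}
		if installed && p.Name != "" {
			pkgs = append(pkgs, p)
		}
	}
	return pkgs
}

// versionKey reduces a version to its numeric runs ("1:7.4p1-10" becomes
// [1 7 4 1 10]). Assumed simplification for this example: a real scanner must
// implement the distribution's full ordering (epochs, tildes, letters).
func versionKey(v string) []int {
	var key []int
	for _, run := range strings.FieldsFunc(v, func(r rune) bool { return r < '0' || r > '9' }) {
		n, _ := strconv.Atoi(run) // runs contain digits only, so the error is always nil
		key = append(key, n)
	}
	return key
}

// versionLess reports whether a sorts before b under versionKey; a key that is
// a prefix of the other sorts first ("...-10" < "...-10+deb9u7").
func versionLess(a, b string) bool {
	ka, kb := versionKey(a), versionKey(b)
	for i := 0; i < len(ka) && i < len(kb); i++ {
		if ka[i] != kb[i] {
			return ka[i] < kb[i]
		}
	}
	return len(ka) < len(kb)
}

// match reports each installed package whose version is below a feed entry's
// FixedIn; a package already at the fixed version is not reported.
func match(pkgs []Package, feed []Vulnerability) []Finding {
	var out []Finding
	for _, p := range pkgs {
		for _, v := range feed {
			if v.Package == p.Name && (v.FixedIn == "" || versionLess(p.Version, v.FixedIn)) {
				out = append(out, Finding{Vuln: v, Pkg: p})
			}
		}
	}
	return out
}

func main() {
	pkgs := listPackages(sampleLayer)
	fmt.Println("packages seen by the scanner:", pkgs)
	for _, f := range match(pkgs, sampleFeed) {
		fmt.Printf("%s %s: %s %s is below fixed version %s\n",
			f.Vuln.Severity, f.Vuln.ID, f.Pkg.Name, f.Pkg.Version, f.Vuln.FixedIn)
	}
}
```

Running it reports the two dpkg packages and a single finding for openssh-server, while bash (already at the fixed version) stays quiet. The Struts JAR in app/lib is never listed, because the package manager database is the only thing this kind of scanner reads; that is exactly the gap the thesis sets out to close.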

From the desire to unveil these hidden dangers as well, the idea for the Master's thesis sprang: we also want to search for vulnerabilities in the application software running in the container. Thus the thesis got the epic title: "An approach to extend the static vulnerability analysis tool Clair by analyzing all libraries that are in use by containerized applications."

This feature is already present in several enterprise products and in one other open-source product (Dagda), but not in the king of the field, Clair (possible reasons will be explained in later parts of the series). But because Clair is used at x-cellent and has a better standing in the open-source community, the idea was born to develop the feature for Clair as well.

To achieve this goal, some requirements were defined that the new software shall meet. First, the concept has to stay as close as possible to the philosophy and idea of the original software. This simplifies the work with other developers and the incorporation of the changed software into the original project. It also breathes the open-source spirit.

Furthermore, a working prototype shall be developed from the ideas given in the concept. The prototype implements the analysis of one specific programming language and the applications written in it. The work still has to be as generic as the situation allows: the integration of other application types must not be an obstacle, and requirements specific to a particular language have to be kept to a minimum.

Clair is an open-source project developed by a company and the surrounding community. To meet this standard, the prototype will also be released on the internet for use by the open-source community and the whole world. A long-term goal that could result from the thesis is the inclusion of the prototype in the original Clair project via a merge request.

Now that we know the goals of the work, the next articles will explain how, and whether, the goals were achieved and whether the thesis was a success or a failure.
