
Can't generate vulnerability reports unless invalid config is provided #2214

Open
carlosonunez-redhat opened this issue Feb 28, 2025 · 3 comments

@carlosonunez-redhat

Summary

I'm running Clair in combo mode within a Compose stack. Oddly, I'm unable to generate a vulnerability report with clairctl unless I specify an invalid config file with --config.

Want

docker compose exec clair clairctl report ubuntu:focal

should produce something like this:

ubuntu:focal found libsystemd0        245.4-4ubuntu3.24        CVE-2023-7008 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found libsystemd0        245.4-4ubuntu3.24        CVE-2023-26604 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found libsystemd0        245.4-4ubuntu3.24        CVE-2020-13776 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found libtasn1-6         4.16.0-2                 CVE-2024-12133 on Ubuntu 20.04 LTS (focal) - medium (fixed: 0:4.16.0-2ubuntu0.1)
ubuntu:focal found libtasn1-6         4.16.0-2                 CVE-2021-46848 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found libtinfo6          6.2-0ubuntu2.1           CVE-2023-50495 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found libtinfo6          6.2-0ubuntu2.1           CVE-2023-45918 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found libudev1           245.4-4ubuntu3.24        CVE-2023-7008 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found libudev1           245.4-4ubuntu3.24        CVE-2023-26604 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found libudev1           245.4-4ubuntu3.24        CVE-2020-13776 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found login              1:4.8.1-1ubuntu5.20.04.5 CVE-2024-56433 on Ubuntu 20.04 LTS (focal) - medium
ubuntu:focal found login              1:4.8.1-1ubuntu5.20.04.5 CVE-2023-29383 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found login              1:4.8.1-1ubuntu5.20.04.5 CVE-2013-4235 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found coreutils          8.30-3ubuntu2            CVE-2016-2781 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found ncurses-base       6.2-0ubuntu2.1           CVE-2023-45918 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found ncurses-base       6.2-0ubuntu2.1           CVE-2023-50495 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found ncurses-bin        6.2-0ubuntu2.1           CVE-2023-45918 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found ncurses-bin        6.2-0ubuntu2.1           CVE-2023-50495 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found passwd             1:4.8.1-1ubuntu5.20.04.5 CVE-2024-56433 on Ubuntu 20.04 LTS (focal) - medium
ubuntu:focal found passwd             1:4.8.1-1ubuntu5.20.04.5 CVE-2023-29383 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found passwd             1:4.8.1-1ubuntu5.20.04.5 CVE-2013-4235 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found perl-base          5.30.0-9ubuntu0.5        CVE-2023-47039 on Ubuntu 20.04 LTS (focal) - negligible
ubuntu:focal found perl-base          5.30.0-9ubuntu0.5        CVE-2023-31486 on Ubuntu 20.04 LTS (focal) - medium
ubuntu:focal found gcc-10-base        10.5.0-1ubuntu1~20.04    CVE-2023-4039 on Ubuntu 20.04 LTS (focal) - medium
ubuntu:focal found gpgv               2.2.19-3ubuntu2.2        CVE-2022-3219 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found libc-bin           2.31-0ubuntu9.16         CVE-2025-0395 on Ubuntu 20.04 LTS (focal) - medium (fixed: 0:2.31-0ubuntu9.17)
ubuntu:focal found libc-bin           2.31-0ubuntu9.16         CVE-2021-33574 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found libc-bin           2.31-0ubuntu9.16         CVE-2019-1010023 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found libc-bin           2.31-0ubuntu9.16         CVE-2019-1010022 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found libc-bin           2.31-0ubuntu9.16         CVE-2019-1010024 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found libc-bin           2.31-0ubuntu9.16         CVE-2018-20796 on Ubuntu 20.04 LTS (focal) - negligible
ubuntu:focal found libc-bin           2.31-0ubuntu9.16         CVE-2016-20013 on Ubuntu 20.04 LTS (focal) - negligible
ubuntu:focal found libc6              2.31-0ubuntu9.16         CVE-2025-0395 on Ubuntu 20.04 LTS (focal) - medium (fixed: 0:2.31-0ubuntu9.17)
ubuntu:focal found libc6              2.31-0ubuntu9.16         CVE-2021-33574 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found libc6              2.31-0ubuntu9.16         CVE-2019-1010023 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found libc6              2.31-0ubuntu9.16         CVE-2019-1010022 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found libc6              2.31-0ubuntu9.16         CVE-2019-1010024 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found libc6              2.31-0ubuntu9.16         CVE-2018-20796 on Ubuntu 20.04 LTS (focal) - negligible
ubuntu:focal found libc6              2.31-0ubuntu9.16         CVE-2016-20013 on Ubuntu 20.04 LTS (focal) - negligible
ubuntu:focal found libgcc-s1          10.5.0-1ubuntu1~20.04    CVE-2023-4039 on Ubuntu 20.04 LTS (focal) - medium
ubuntu:focal found libgcrypt20        1.8.5-5ubuntu1.1         CVE-2024-2236 on Ubuntu 20.04 LTS (focal) - low
ubuntu:focal found libgnutls30        3.6.13-2ubuntu1.11       CVE-2024-12243 on Ubuntu 20.04 LTS (focal) - medium (fixed: 0:3.6.13-2ubuntu1.12)

Got

docker compose exec clair clairctl report ubuntu:focal

does nothing, unless I do this:

docker compose exec clair clairctl --config /config.foo report --host http://localhost:8080 docker.io/ubuntu:focal

Configuration

Clair version

4.8

Compose manifest

volumes:
  clair-db_data: {}
  clair-data: {}
services:
  clair-db:
    image: docker.io/postgres
    volumes:
      - clair-db_data:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: clair
      POSTGRES_PASSWORD: clair
      POSTGRES_DB: clair
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready -U clair -d clair" ]
      interval: 1s
      timeout: 2s
      retries: 60
  clair:
    depends_on:
      clair-db:
        condition: service_healthy
    image: quay.io/projectquay/clair:4.8.0
    environment:
      CLAIR_MODE: combo
      CLAIR_CONF: /config.yaml
    volumes:
      - $PWD/config.yml:/config.yaml
      - /var/run/docker.sock:/var/run/docker.sock
      - ~/.docker/config.json:/.docker/config.json
  clairctl:
    depends_on:
      clair-db:
        condition: service_healthy
    image: quay.io/projectquay/clair:4.8.0
    entrypoint: clairctl
@crozzy
Collaborator

crozzy commented Mar 10, 2025

Is docker compose exec clair clairctl executing the clairctl binary from within the clair container? If so, why define the dedicated clairctl container?

When there is no --host specified, the default http://localhost:6060/ will be used, but it seems like the application is listening at 8080 (I suppose your config reflects that). I think the config flag is a red herring in this example: specifying no config will use the default (./config.yaml), and specifying a config file that doesn't exist will just be ignored.
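
The port mismatch described above (clairctl defaulting to http://localhost:6060/ while Clair listens on 8080) is the kind of thing a preflight check catches before a silent, empty report. The script below is an added example and is not code from the Clair project or from anyone in this thread. It assumes POSIX sh, curl and clairctl in PATH, a Clair config whose http_listen_addr is written on one line, and uses the indexer's read-only /indexer/api/v1/index_state endpoint as the reachability probe; the sample config it writes is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Clair project): a preflight wrapper for clairctl.
# It reads http_listen_addr from a Clair config, derives the --host URL clairctl
# should be given (clairctl defaults to http://localhost:6060/ when --host is
# absent), confirms the indexer API answers there, and only then runs the report.
# Assumptions: POSIX sh, curl in PATH, clairctl in PATH for the "report" action.

# Write a constructed sample config (one-line key form, as Clair's config uses).
write_sample_config() {
  cat > "$1" <<'EOF'
# constructed sample: combo-mode Clair listening on 8080 instead of 6060
http_listen_addr: ":8080"
introspection_addr: ":8089"
log_level: "debug"
EOF
}

# Print the value of http_listen_addr from a config file, with surrounding
# quotes and any trailing comment stripped. Prints nothing if the key is absent.
listen_addr_from_config() {
  awk '
    /^[ \t]*http_listen_addr[ \t]*:/ {
      sub(/^[ \t]*http_listen_addr[ \t]*:[ \t]*/, "")
      sub(/[ \t]*#.*$/, "")
      gsub(/"/, "")
      print; exit
    }' "$1"
}

# Turn a listen address into the URL clairctl expects for --host.
# An empty or wildcard host means "this machine", so localhost is substituted.
host_url_from_listen_addr() {
  addr=$1
  host=${addr%:*}
  port=${addr##*:}
  case "$host" in
    ""|0.0.0.0|"[::]"|::) host=localhost ;;
  esac
  printf 'http://%s:%s\n' "$host" "$port"
}

# Confirm Clair's indexer answers at the derived URL before asking for a report.
# /indexer/api/v1/index_state is a read-only endpoint of the indexer API.
preflight() {
  if curl -fsS -o /dev/null "$1/indexer/api/v1/index_state"; then
    echo "clair API reachable at $1"
  else
    echo "clair API NOT reachable at $1; check http_listen_addr and CLAIR_CONF" >&2
    return 1
  fi
}

# Usage: sh clair_preflight.sh report /path/to/config.yaml ubuntu:focal
# Nothing below runs unless the "report" action is requested, so the file can
# also be sourced just for its functions.
case "${1:-}" in
  report)
    cfg=$2; image=$3
    addr=$(listen_addr_from_config "$cfg")
    host=$(host_url_from_listen_addr "${addr:-:6060}")
    preflight "$host" && exec clairctl --config "$cfg" report --host "$host" "$image"
    ;;
esac
```

Inside the Compose stack from this issue the config is mounted at /config.yaml, so the call would be `docker compose exec clair sh clair_preflight.sh report /config.yaml ubuntu:focal`; if the preflight fails, the message points at the listen address rather than leaving an empty report to puzzle over.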

@carlosonunez-redhat
Author

carlosonunez-redhat commented Mar 10, 2025

You are correct; the clairctl service is not needed.

Regarding your second paragraph: it's not even getting that far. I would expect some trace-level logs from the http Go package upon setting the GODEBUG environment variable to http1debug=1 or http2debug=1, but nothing happens. I think this is because it's silently failing right after the command for this subcommand executes.

Additionally, changing 8080 to 6060 in my config does not fix this, unfortunately.

@crozzy
Collaborator

crozzy commented Mar 11, 2025

It's hard to know what's happening without logs, could you try running clairctl with debug enabled? Also, can you paste your config with sensitive info deleted? Thanks.

@crozzy crozzy self-assigned this Mar 11, 2025