mirror of https://github.com/genuinetools/reg.git synced 2024-05-09 16:28:32 -04:00

cli containers docker docker-registry linux opencontainers vulnerability-reports

Go to file

Jess Frazelle 83ba4b225a add versions and binaries Signed-off-by: Jess Frazelle <acidburn@google.com>		2017-06-05 17:46:12 -04:00
clair	Merge branch 'master' of https://github.com/jessfraz/reg into dynamic-frontend	2017-04-24 16:16:12 +02:00
config	inital testing	2017-04-10 14:20:23 +00:00
registry	add versions and binaries	2017-06-05 17:46:12 -04:00
server	update screenshot	2017-06-05 17:09:16 -04:00
testutils	inital testing	2017-04-10 14:20:23 +00:00
utils	Refactor NewClairLayer to a single place	2017-04-06 12:57:22 +02:00
vendor	remove unused deps	2017-04-24 13:54:13 -04:00
version	add versions and binaries	2017-06-05 17:46:12 -04:00
.gitignore	add versions and binaries	2017-06-05 17:46:12 -04:00
.travis.yml	add versions and binaries	2017-06-05 17:46:12 -04:00
Dockerfile	jfrazelle -> jessfraz	2016-09-30 11:09:10 -07:00
Dockerfile.dev	add versions and binaries	2017-06-05 17:46:12 -04:00
Dockerfile.dind	update readme and dockerfile	2017-04-10 14:37:33 +00:00
LICENSE	prepare reg for junk	2016-08-12 22:23:13 -07:00
main.go	add versions and binaries	2017-06-05 17:46:12 -04:00
main_test.go	inital testing	2017-04-10 14:20:23 +00:00
Makefile	add versions and binaries	2017-06-05 17:46:12 -04:00
README.md	add versions and binaries	2017-06-05 17:46:12 -04:00
VERSION	add versions and binaries	2017-06-05 17:46:12 -04:00

README.md

reg

Docker registry v2 command line client.

Installation
Usage
Auth
List Repositories and Tags
Get a Manifest
Download a Layer
Delete an Image
Vulnerability Reports
Testing

Installation

Binaries

darwin 386 / amd64
freebsd 386 / amd64
linux 386 / amd64 / arm / arm64
solaris amd64
windows 386 / amd64

Via Go

$ go get github.com/jessfraz/reg

Usage

$ reg
NAME:
   reg - Docker registry v2 client.

USAGE:
   reg [global options] command [command options] [arguments...]

VERSION:
   v0.2.0

AUTHOR(S):
   @jessfraz <no-reply@butts.com>

COMMANDS:
     delete, rm       delete a specific reference of a repository
     list, ls         list all repositories
     manifest         get the json manifest for the specific reference of a repository
     tags             get the tags for a repository
     download, layer  download a layer for the specific reference of a repository
     vulns            get a vulnerability report for the image from CoreOS Clair
     help, h          Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --debug, -d                 run in debug mode
   --insecure, -k              do not verify tls certificates
   --force-non-ssl, -f         force allow use of non-ssl
   --username value, -u value  username for the registry
   --password value, -p value  password for the registry
   --registry value, -r value  URL to the private registry (ex. r.j3ss.co)
   --help, -h                  show help
   --version, -v               print the version

Auth

reg will automatically try to parse your docker config credentials, but if not present, you can pass through flags directly.

List Repositories and Tags

Repositories

# this command might take a while if you have hundreds of images like I do
$ reg -r r.j3ss.co ls
Repositories for r.j3ss.co
REPO                  TAGS
awscli                latest
beeswithmachineguns   latest
camlistore            latest
chrome                beta, latest, stable
...

Tags

$ reg tags tor-browser
alpha
hardened
latest
stable

Get a Manifest

$ reg manifest htop
{
   "schemaVersion": 1,
   "name": "htop",
   "tag": "latest",
   "architecture": "amd64",
   "fsLayers": [
     {
       "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
     },
     ....
   ],
   "history": [
     ....
   ]
 }

Download a Layer

$ reg layer -o chrome@sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
OR
$ reg layer chrome@sha256:a3ed95caeb0.. > layer.tar

Delete an Image

$ reg rm chrome@sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Deleted chrome@sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4

Vulnerability Reports

$ reg vulns --clair https://clair.j3ss.co chrome
Found 32 vulnerabilities
CVE-2015-5180: [Low]

https://security-tracker.debian.org/tracker/CVE-2015-5180
-----------------------------------------
CVE-2016-9401: [Low]
popd in bash might allow local users to bypass the restricted shell and cause a use-after-free via a crafted address.
https://security-tracker.debian.org/tracker/CVE-2016-9401
-----------------------------------------
CVE-2016-3189: [Low]
Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
https://security-tracker.debian.org/tracker/CVE-2016-3189
-----------------------------------------
CVE-2011-3389: [Medium]
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
https://security-tracker.debian.org/tracker/CVE-2011-3389
-----------------------------------------
CVE-2016-5318: [Medium]
Stack-based buffer overflow in the _TIFFVGetField function in libtiff 4.0.6 and earlier allows remote attackers to crash the application via a crafted tiff.
https://security-tracker.debian.org/tracker/CVE-2016-5318
-----------------------------------------
CVE-2016-9318: [Medium]
libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.
https://security-tracker.debian.org/tracker/CVE-2016-9318
-----------------------------------------
CVE-2015-7554: [High]
The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF image.
https://security-tracker.debian.org/tracker/CVE-2015-7554
-----------------------------------------
Unknown: 2
Negligible: 23
Low: 3
Medium: 3
High: 1

Testing

If you plan on contributing you should be able to run the tests locally. The tests run for CI via docker-in-docker. But running locally with go test, you need to make one modification to your docker daemon config so that you can talk to the local registry for the tests.

Add the flag --insecure-registry localhost:5000 to your docker daemon, documented here for testing against an insecure registry.

OR run make dind dtest to avoid having to change your local docker config and to run the tests as docker-in-docker.