
Add Echo Linux vulnerability scanning support#2427

Open
yuvalk wants to merge 6 commits into quay:main from yuvalk:echo.ai

Conversation


@yuvalk yuvalk commented Apr 1, 2026

Summary

  • Add a new echo package that implements the full Clair scanning pipeline for Echo Linux: distribution scanner, vulnerability updater, advisory parser, and
    version-aware matcher
  • Register the Echo updater and matcher as defaults so they're available out-of-the-box alongside existing ecosystems (Alpine, RHEL, Debian, etc.)
  • Extend the dpkg ecosystem with an Echo distribution scanner that identifies Echo layers via os-release (ID=echo)

Design

The implementation follows the same patterns as existing distro integrations (Debian, Ubuntu, Alpine):

  • DistributionScanner — detects Echo Linux layers by parsing os-release for ID=echo
  • Updater/Parser — fetches and parses the Echo advisory JSON feed (advisory.echohq.com/data.json), producing claircore.Vulnerability records keyed by
    source package
  • Matcher — filters on DID=echo and uses Debian version comparison (go-deb-version) to determine if an installed package is older than the fixed
    version
  • Ecosystem — extends the dpkg ecosystem to include the Echo distribution scanner alongside Debian and Ubuntu scanners

The Echo updater and matcher are registered via init() in echo/defaults.go and imported as side-effects in cmd/clair and cmd/clairctl.

initialize/services.go is updated to explicitly set libindex.Options.Ecosystems so the Echo dpkg ecosystem is included in indexing.

Files changed

| File | Change |
|---|---|
| echo/*.go (7 files) | New package: scanner, updater, parser, matcher, ecosystem, releases, defaults |
| initialize/services.go | Explicit ecosystem list including Echo's dpkg ecosystem |
| cmd/clair/main.go | Import echo for side-effect registration |
| cmd/clairctl/main.go, export.go | Import echo for side-effect registration |
| config/updaters.go, matchers.go | Document echo and echo-matcher in config comments |
| config.yaml.sample, Documentation/reference/config.md | Add Echo to docs and sample config |
| go.mod | Promote go-deb-version to direct dependency |

Test plan

  • go build ./cmd/... compiles successfully
  • Scan an Echo Linux container image and verify the distribution is detected
  • Verify vulnerability updater fetches and parses advisories from the Echo feed
  • Verify matcher correctly flags packages older than the fixed version
  • Verify non-Echo images (Alpine, Debian, etc.) are unaffected

🤖 Generated with Claude Code
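The version rule at the heart of the matcher described above, as an added example that is not code from this PR or from go-deb-version: a self-contained Go port of dpkg's comparison algorithm, with a hypothetical `Vulnerable` helper applying the DID=echo filter and the installed-older-than-fixed check. It goes beyond the libpam case in the scan output to cover epochs, `~` pre-release markers and absent revisions.

```go
package main

import "strings"
func isDigit(c byte) bool { return c >= '0' && c <= '9' }
// order ranks s[i] as dpkg does: digits and end-of-string are 0, '~' sorts
// before everything (even the end), letters by code, anything else after letters.
func order(s string, i int) int {
	switch {
	case i >= len(s) || isDigit(s[i]):
		return 0
	case s[i] == '~':
		return -1
	case s[i] >= 'a' && s[i] <= 'z' || s[i] >= 'A' && s[i] <= 'Z':
		return int(s[i])
	}
	return int(s[i]) + 256
}
// verrevcmp compares alternating non-digit runs (by order) and digit runs (numerically).
func verrevcmp(a, b string) int {
	for i, j := 0, 0; i < len(a) || j < len(b); {
		for (i < len(a) && !isDigit(a[i])) || (j < len(b) && !isDigit(b[j])) {
			if d := order(a, i) - order(b, j); d != 0 { return d }
			i, j = i+1, j+1
		}
		s, t := i, j // both now sit on a digit or at the end: take the digit runs
		for i < len(a) && isDigit(a[i]) { i++ }
		for j < len(b) && isDigit(b[j]) { j++ }
		na, nb := strings.TrimLeft(a[s:i], "0"), strings.TrimLeft(b[t:j], "0")
		if len(na) != len(nb) { return len(na) - len(nb) } // no leading zeros: longer is larger
		if d := strings.Compare(na, nb); d != 0 { return d }
	}
	return 0
}
// split breaks "[epoch:]upstream[-revision]" into its parts; a missing part is "".
func split(v string) (p [3]string) {
	if k := strings.IndexByte(v, ':'); k >= 0 { p[0], v = v[:k], v[k+1:] }
	if k := strings.LastIndexByte(v, '-'); k >= 0 { v, p[2] = v[:k], v[k+1:] }
	p[1] = v
	return p
}
// Compare orders two dpkg version strings part by part (<0, 0, >0).
func Compare(a, b string) int {
	pa, pb := split(a), split(b)
	for k := range pa { // epoch (absent equals 0), then upstream, then revision
		if d := verrevcmp(pa[k], pb[k]); d != 0 { return d }
	}
	return 0
}
// Vulnerable (hypothetical helper) is the matcher rule the PR describes: only
// DID=echo layers count, and a package is affected when installed is older than fixed.
func Vulnerable(did, installed, fixed string) bool {
	return did == "echo" && Compare(installed, fixed) < 0
}
```

The libpam rows in the scan output below correspond to `Vulnerable("echo", "1.5.2-6+deb12u1", "1.5.2-6+deb12u2")` returning true; a non-Echo distribution ID returns false regardless of version.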

yuvalk and others added 6 commits March 31, 2026 23:23
Add the foundation for Echo Linux support in Clair. The distribution
scanner reads /etc/os-release from container image layers and identifies
Echo images by checking for ID="echo". Release helpers manage cached
distribution objects used throughout the Echo package.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add a matcher for Echo Linux that uses dpkg version comparison to
determine if a package is vulnerable. Echo uses apt/dpkg under the hood,
so the go-deb-version library (already a project dependency) provides
the correct version comparison semantics.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add an updater that fetches Echo's advisory data from
advisory.echohq.com/data.json, and a parser that converts the JSON
into claircore vulnerability records. The advisory URL is configurable
via the updater config.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Register the Echo updater and matcher via init() so they are available
when Clair starts. Override the default indexer ecosystems to include
the Echo distribution scanner in the dpkg ecosystem, enabling Clair to
detect Echo images alongside Debian and Ubuntu.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Update the configuration defaults documentation, sample config, and
reference docs to include the Echo updater set and echo-matcher.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The echo package directly imports go-deb-version for dpkg version
comparison in the matcher, so it should be listed as a direct
dependency rather than indirect.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@yuvalk yuvalk requested a review from a team as a code owner April 1, 2026 18:02
@yuvalk yuvalk requested review from crozzy and removed request for a team April 1, 2026 18:02

yuvalk commented Apr 1, 2026

depends on quay/claircore#1808


yuvalk commented Apr 1, 2026

evidence that echo.ai integration works:

$  go run ./cmd/clairctl -c local-dev/clair/config.yaml report --host http://localhost:6060/ ghcr.io/buildecho/scanner-test:dirty
scanner-test:dirty found bash               5.2.15-2+b9            TEMP-0841856-B18BAF
scanner-test:dirty found libpam-modules     1.5.2-6+deb12u1        CVE-2024-10041
scanner-test:dirty found libpam-modules     1.5.2-6+deb12u1        CVE-2025-6020 (fixed: 1.5.2-6+deb12u2)
scanner-test:dirty found libpam-modules     1.5.2-6+deb12u1        CVE-2025-8941
scanner-test:dirty found libpam-modules     1.5.2-6+deb12u1        CVE-2024-22365 (fixed: 1.5.2-6+deb12u2)
scanner-test:dirty found libpam-modules-bin 1.5.2-6+deb12u1        CVE-2024-10041
scanner-test:dirty found libpam-modules-bin 1.5.2-6+deb12u1        CVE-2025-6020 (fixed: 1.5.2-6+deb12u2)
scanner-test:dirty found libpam-modules-bin 1.5.2-6+deb12u1        CVE-2025-8941
scanner-test:dirty found libpam-modules-bin 1.5.2-6+deb12u1        CVE-2024-22365 (fixed: 1.5.2-6+deb12u2)
scanner-test:dirty found libpam-runtime     1.5.2-6+deb12u1        CVE-2024-10041
scanner-test:dirty found libpam-runtime     1.5.2-6+deb12u1        CVE-2025-6020 (fixed: 1.5.2-6+deb12u2)
scanner-test:dirty found libpam-runtime     1.5.2-6+deb12u1        CVE-2025-8941
scanner-test:dirty found libpam-runtime     1.5.2-6+deb12u1        CVE-2024-22365 (fixed: 1.5.2-6+deb12u2)
scanner-test:dirty found libpam0g           1.5.2-6+deb12u1        CVE-2024-10041
scanner-test:dirty found libpam0g           1.5.2-6+deb12u1        CVE-2025-6020 (fixed: 1.5.2-6+deb12u2)
scanner-test:dirty found libpam0g           1.5.2-6+deb12u1        CVE-2025-8941
scanner-test:dirty found libpam0g           1.5.2-6+deb12u1        CVE-2024-22365 (fixed: 1.5.2-6+deb12u2)
scanner-test:dirty found bsdutils           1:2.38.1-5+deb12u3     CVE-2026-3184
scanner-test:dirty found bsdutils           1:2.38.1-5+deb12u3     CVE-2022-0563
scanner-test:dirty found bsdutils           1:2.38.1-5+deb12u3     CVE-2025-14104
scanner-test:dirty found libsmartcols1      2.38.1-5+deb12u3       CVE-2026-3184
scanner-test:dirty found libsmartcols1      2.38.1-5+deb12u3       CVE-2022-0563
scanner-test:dirty found libsmartcols1      2.38.1-5+deb12u3       CVE-2025-14104
scanner-test:dirty found libstdc++6         12.2.0-14+deb12u1      CVE-2022-27943
scanner-test:dirty found libsystemd0        252.39-1~deb12u1       CVE-2023-31439
scanner-test:dirty found libsystemd0        252.39-1~deb12u1       CVE-2026-29111
scanner-test:dirty found libsystemd0        252.39-1~deb12u1       CVE-2013-4392
scanner-test:dirty found libsystemd0        252.39-1~deb12u1       CVE-2023-31438
scanner-test:dirty found libsystemd0        252.39-1~deb12u1       CVE-2023-31437
scanner-test:dirty found libsystemd0        252.39-1~deb12u1       CVE-2026-4105
scanner-test:dirty found libtasn1-6         4.19.0-2+deb12u1       CVE-2025-13151
scanner-test:dirty found libtinfo6          6.4-4                  CVE-2025-69720
scanner-test:dirty found libtinfo6          6.4-4                  CVE-2023-50495
scanner-test:dirty found libtinfo6          6.4-4                  CVE-2025-6141
scanner-test:dirty found libudev1           252.39-1~deb12u1       CVE-2023-31439
scanner-test:dirty found libudev1           252.39-1~deb12u1       CVE-2026-29111
scanner-test:dirty found libudev1           252.39-1~deb12u1       CVE-2013-4392
scanner-test:dirty found libudev1           252.39-1~deb12u1       CVE-2023-31438
scanner-test:dirty found libudev1           252.39-1~deb12u1       CVE-2023-31437
scanner-test:dirty found libudev1           252.39-1~deb12u1       CVE-2026-4105
scanner-test:dirty found coreutils          9.1-1                  CVE-2025-5278
scanner-test:dirty found coreutils          9.1-1                  CVE-2017-18018
scanner-test:dirty found coreutils          9.1-1                  CVE-2016-2781
scanner-test:dirty found libuuid1           2.38.1-5+deb12u3       CVE-2026-3184
scanner-test:dirty found libuuid1           2.38.1-5+deb12u3       CVE-2022-0563
scanner-test:dirty found libuuid1           2.38.1-5+deb12u3       CVE-2025-14104
scanner-test:dirty found login              1:4.13+dfsg1-1+deb12u1 TEMP-0628843-DBAD28
scanner-test:dirty found login              1:4.13+dfsg1-1+deb12u1 CVE-2007-5686
scanner-test:dirty found login              1:4.13+dfsg1-1+deb12u1 CVE-2024-56433
scanner-test:dirty found mount              2.38.1-5+deb12u3       CVE-2026-3184
scanner-test:dirty found mount              2.38.1-5+deb12u3       CVE-2022-0563
scanner-test:dirty found mount              2.38.1-5+deb12u3       CVE-2025-14104
scanner-test:dirty found ncurses-base       6.4-4                  CVE-2025-69720
scanner-test:dirty found ncurses-base       6.4-4                  CVE-2023-50495
scanner-test:dirty found ncurses-base       6.4-4                  CVE-2025-6141
scanner-test:dirty found ncurses-bin        6.4-4                  CVE-2025-69720
scanner-test:dirty found ncurses-bin        6.4-4                  CVE-2023-50495
scanner-test:dirty found ncurses-bin        6.4-4                  CVE-2025-6141
scanner-test:dirty found passwd             1:4.13+dfsg1-1+deb12u1 TEMP-0628843-DBAD28
scanner-test:dirty found passwd             1:4.13+dfsg1-1+deb12u1 CVE-2007-5686
scanner-test:dirty found passwd             1:4.13+dfsg1-1+deb12u1 CVE-2024-56433
scanner-test:dirty found perl-base          5.36.0-7+deb12u3       CVE-2011-4116
scanner-test:dirty found perl-base          5.36.0-7+deb12u3       CVE-2023-31486
scanner-test:dirty found sysvinit-utils     3.06-4                 TEMP-0517018-A83CE6
scanner-test:dirty found tar                1.34+dfsg-1.2+deb12u1  TEMP-0290435-0B57B5
scanner-test:dirty found tar                1.34+dfsg-1.2+deb12u1  CVE-2005-2541
scanner-test:dirty found util-linux         2.38.1-5+deb12u3       CVE-2026-3184
scanner-test:dirty found util-linux         2.38.1-5+deb12u3       CVE-2022-0563
scanner-test:dirty found util-linux         2.38.1-5+deb12u3       CVE-2025-14104
scanner-test:dirty found util-linux-extra   2.38.1-5+deb12u3       CVE-2026-3184
scanner-test:dirty found util-linux-extra   2.38.1-5+deb12u3       CVE-2022-0563
scanner-test:dirty found util-linux-extra   2.38.1-5+deb12u3       CVE-2025-14104
scanner-test:dirty found zlib1g             1:1.2.13.dfsg-1        CVE-2023-45853
scanner-test:dirty found zlib1g             1:1.2.13.dfsg-1        CVE-2026-27171
scanner-test:dirty found dpkg               1.21.22                CVE-2026-2219
scanner-test:dirty found dpkg               1.21.22                CVE-2025-6297
scanner-test:dirty found gcc-12-base        12.2.0-14+deb12u1      CVE-2022-27943
scanner-test:dirty found gpgv               2.2.40-1.1+deb12u1     CVE-2025-30258
scanner-test:dirty found gpgv               2.2.40-1.1+deb12u1     CVE-2022-3219
scanner-test:dirty found gpgv               2.2.40-1.1+deb12u1     CVE-2025-68973 (fixed: 2.2.40-1.1+deb12u2)
scanner-test:dirty found gpgv               2.2.40-1.1+deb12u1     CVE-2025-68972
scanner-test:dirty found apt                2.6.1                  CVE-2011-3374
scanner-test:dirty found libapt-pkg6.0      2.6.1                  CVE-2011-3374
scanner-test:dirty found libblkid1          2.38.1-5+deb12u3       CVE-2026-3184
scanner-test:dirty found libblkid1          2.38.1-5+deb12u3       CVE-2022-0563
scanner-test:dirty found libblkid1          2.38.1-5+deb12u3       CVE-2025-14104
scanner-test:dirty found libc-bin           2.36-9+deb12u13        CVE-2019-1010025
scanner-test:dirty found libc-bin           2.36-9+deb12u13        CVE-2019-1010023
scanner-test:dirty found libc-bin           2.36-9+deb12u13        CVE-2026-0861
scanner-test:dirty found libc-bin           2.36-9+deb12u13        CVE-2026-4437
scanner-test:dirty found libc-bin           2.36-9+deb12u13        CVE-2026-0915
scanner-test:dirty found libc-bin           2.36-9+deb12u13        CVE-2019-1010022
scanner-test:dirty found libc-bin           2.36-9+deb12u13        CVE-2025-15281
scanner-test:dirty found libc-bin           2.36-9+deb12u13        CVE-2010-4756
scanner-test:dirty found libc-bin           2.36-9+deb12u13        CVE-2019-1010024
scanner-test:dirty found libc-bin           2.36-9+deb12u13        CVE-2026-4046
scanner-test:dirty found libc-bin           2.36-9+deb12u13        CVE-2018-20796
scanner-test:dirty found libc-bin           2.36-9+deb12u13        CVE-2019-9192
scanner-test:dirty found libc-bin           2.36-9+deb12u13        CVE-2026-4438
scanner-test:dirty found libc6              2.36-9+deb12u13        CVE-2019-1010025
scanner-test:dirty found libc6              2.36-9+deb12u13        CVE-2019-1010023
scanner-test:dirty found libc6              2.36-9+deb12u13        CVE-2026-0861
scanner-test:dirty found libc6              2.36-9+deb12u13        CVE-2026-4437
scanner-test:dirty found libc6              2.36-9+deb12u13        CVE-2026-0915
scanner-test:dirty found libc6              2.36-9+deb12u13        CVE-2019-1010022
scanner-test:dirty found libc6              2.36-9+deb12u13        CVE-2025-15281
scanner-test:dirty found libc6              2.36-9+deb12u13        CVE-2010-4756
scanner-test:dirty found libc6              2.36-9+deb12u13        CVE-2019-1010024
scanner-test:dirty found libc6              2.36-9+deb12u13        CVE-2026-4046
scanner-test:dirty found libc6              2.36-9+deb12u13        CVE-2018-20796
scanner-test:dirty found libc6              2.36-9+deb12u13        CVE-2019-9192
scanner-test:dirty found libc6              2.36-9+deb12u13        CVE-2026-4438
scanner-test:dirty found libgcc-s1          12.2.0-14+deb12u1      CVE-2022-27943
scanner-test:dirty found libgcrypt20        1.10.1-3               CVE-2018-6829
scanner-test:dirty found libgcrypt20        1.10.1-3               CVE-2024-2236
scanner-test:dirty found libgnutls30        3.7.9-2+deb12u5        CVE-2025-9820  (fixed: 3.7.9-2+deb12u6)
scanner-test:dirty found libgnutls30        3.7.9-2+deb12u5        CVE-2025-14831 (fixed: 3.7.9-2+deb12u6)
scanner-test:dirty found libgnutls30        3.7.9-2+deb12u5        CVE-2011-3389
scanner-test:dirty found liblzma5           5.4.1-1                CVE-2026-34743
scanner-test:dirty found libmount1          2.38.1-5+deb12u3       CVE-2026-3184
scanner-test:dirty found libmount1          2.38.1-5+deb12u3       CVE-2022-0563
scanner-test:dirty found libmount1          2.38.1-5+deb12u3       CVE-2025-14104

and:

$ go run ./cmd/clairctl -c local-dev/clair/config.yaml report --host http://localhost:6060/ ghcr.io/buildecho/scanner-test:clean
scanner-test:clean ok
