Article

In the ecosystem of container security scanners, many commercial tools are built upon a foundation of powerful open-source projects. ClairCore is one such project—the next-generation scanning engine behind Quay, Red Hat's container registry. For Java teams seeking a flexible, programmatic, and open-source approach to container vulnerability scanning, ClairCore offers a robust solution that can be integrated directly into your applications and pipelines.

What is ClairCore?

ClairCore is an open-source container vulnerability static analysis tool, written in Go, but with a key advantage: it exposes a well-defined API. This API-first design means that any application, including those written in Java, can interact with ClairCore to scan container images for vulnerabilities.

Unlike all-in-one SaaS tools, ClairCore is a scanning engine. It focuses on:

• Indexing container image contents (OS packages, language-specific dependencies).
• Matching the indexed contents against vulnerability databases (like the OSV, VulnDB, and various Linux distribution trackers).
• Reporting the results via its API.

For Java applications, this means you can integrate enterprise-grade container scanning directly into your custom tools, CI/CD pipelines, or internal platforms without relying on a proprietary CLI or UI.

Why Would a Java Team Use ClairCore?

While user-friendly SaaS products exist, ClairCore offers unique advantages for specific use cases:

1. Build Custom Security Tools: Integrate vulnerability scanning directly into your internal developer portal, custom dashboards, or admin systems.
2. Air-Gapped Environments: Deploy and run ClairCore entirely within your own secured, offline infrastructure, giving you full control over data and network access.
3. Avoid Vendor Lock-in: As an open-source project under the CNCF umbrella, ClairCore avoids proprietary formats and allows for deep customization.
4. Programmatic Control: The API allows for fine-grained integration, enabling you to trigger scans, fetch results, and manage policies entirely through code.
5. Comprehensive Java Support: ClairCore can scan the OS layer of your image and has indexers for Java archives, meaning it can find vulnerabilities in the .jar files within your container.

How ClairCore Works with Java Container Images

ClairCore's process involves two main steps: Indexing and Scanning.

1. Indexing
During this phase, ClairCore fetches the container image and unpacks it, layer by layer. It then runs a series of "indexers" to catalog all the software packages it finds.

• OS Indexers: For packages managed by dpkg (Debian/Ubuntu), rpm (Red Hat, Fedora), and apk (Alpine).
• Language Indexers: This is crucial for Java. ClairCore includes a Java indexer that knows how to parse JAR, WAR, and EAR files to extract the bundled dependencies and their versions, typically by reading the MANIFEST.MF file or parsing pom.xml if present.

2. Scanning (Matching)
Once the image is indexed, the scan phase compares the list of discovered packages against ClairCore's vulnerability database. If a package name and version match a known vulnerability, it is reported.

Integrating ClairCore with a Java Application

You don't call the Go code directly from Java. Instead, you interact with the ClairCore API. The typical integration pattern involves:

1. Deploying the ClairCore Service: You need a running instance of ClairCore. This can be run as a Docker container in your Kubernetes cluster or on a standalone server. # Example: Running ClairCore via Docker (configuration is required) docker run -p 8080:8080 quay.io/claircore/claircore:latest
2. Java HTTP Client Integration: Your Java application acts as an API client to the ClairCore service, using a standard HTTP client like Spring RestTemplate, Apache HttpClient, or a WebClient.

Example Java Service Class for ClairCore Integration:

import org.springframework.http.*;
import org.springframework.stereotype.Service;
import org.springframework.web.client.RestTemplate;
import java.util.*;
@Service
public class ClairCoreService {
private final RestTemplate restTemplate;
private final String clairCoreBaseUrl = "http://claircore-service:8080";
public ClairCoreService(RestTemplate restTemplate) {
this.restTemplate = restTemplate;
}
public String scanImage(String imageName) {
// 1. Create an index of the image
String indexUrl = clairCoreBaseUrl + "/indexer/api/v1/index_report";
Map<String, String> requestBody = new HashMap<>();
requestBody.put("hash", UUID.randomUUID().toString()); // A unique ID for this scan
requestBody.put("layers", getImageLayersManifest(imageName)); // You would need a method to fetch the image manifest
HttpHeaders headers = new HttpHeaders();
headers.setContentType(MediaType.APPLICATION_JSON);
HttpEntity<Map<String, String>> indexRequest = new HttpEntity<>(requestBody, headers);
ResponseEntity<Map> indexResponse = restTemplate.postForEntity(indexUrl, indexRequest, Map.class);
String indexId = (String) indexResponse.getBody().get("id");
// 2. Retrieve the vulnerability report using the index ID
String vulnUrl = clairCoreBaseUrl + "/matcher/api/v1/vulnerability_report/" + indexId;
ResponseEntity<String> vulnResponse = restTemplate.getForEntity(vulnUrl, String.class);
return vulnResponse.getBody(); // This JSON contains the full vulnerability report
}
// This is a simplified placeholder. A real implementation would use a Docker registry client.
private List<Map<String, String>> getImageLayersManifest(String imageName) {
// Logic to interact with a container registry (Docker Hub, Quay, etc.)
// to get the layer digests and URIs for the image.
// This is the most complex part of the integration.
return new ArrayList<>();
}
}

Sample ClairCore API Response for a Java Image

The response from the /vulnerability_report/ endpoint is a detailed JSON document.

Sample Snippet:

{
"vulnerabilities": [
{
"id": "CVE-2021-44228",
"name": "log4j-core",
"description": "Apache Log4j2 2.0-beta9 through 2.15.0...",
"severity": "Critical",
"package": {
"name": "org.apache.logging.log4j:log4j-core",
"version": "2.14.1",
"package_db": "java",
"repository": "maven"
},
"fixed_in_version": "2.16.0"
},
{
"id": "CVE-2022-12345",
"name": "zlib",
"description": "A vulnerability was found in zlib...",
"severity": "High",
"package": {
"name": "zlib1g",
"version": "1.2.11.dfsg-2",
"package_db": "dpkg"
},
"fixed_in_version": "1.2.11.dfsg-2.1"
}
]
}

This report clearly shows vulnerabilities from both the Java ecosystem (log4j-core) and the underlying OS (zlib).

Best Practices and Considerations

• Manage the Database: ClairCore needs to be connected to an Updater service that periodically fetches the latest vulnerability data. You are responsible for maintaining this data feed.
• Handle Image Authentication: Your integration code must handle authentication to pull images from private container registries.
• Leverage the Java Community: Look for existing Java client libraries or SDKs for Clair, which can simplify the HTTP interaction.
• Performance is Key: Indexing large container images can be resource-intensive. Consider running ClairCore as a scalable service in Kubernetes to handle multiple concurrent scans.
• Use in Tandem with Other Tools: ClairCore excels at post-build scanning. For a complete "Shift-Left" strategy, combine it with source-level SCA tools (like Snyk, Mend) that run earlier in the development cycle.

Conclusion

ClairCore is not the simplest scanner to integrate, but it is one of the most powerful and flexible for teams with specific needs. For Java organizations that require deep integration, control over their data, and the ability to build custom security tooling, investing in a ClairCore integration pays significant dividends. It empowers platform and security engineering teams to bake container security directly into the fabric of their infrastructure, ensuring that every Java application deployed in a container is held to a high and consistent security standard.

Secure Java Dependency Management, Vulnerability Scanning & Software Supply Chain Protection (SBOM, SCA, CI Security & License Compliance)

https://macronepal.com/blog/github-code-scanning-in-java-complete-guide/
Explains GitHub Code Scanning for Java using tools like CodeQL to automatically analyze source code and detect security vulnerabilities directly inside CI/CD pipelines before deployment.

https://macronepal.com/blog/license-compliance-in-java-comprehensive-guide/
Explains software license compliance in Java projects, ensuring dependencies follow legal requirements (MIT, Apache, GPL, etc.) and preventing license violations in enterprise software.

https://macronepal.com/blog/container-security-for-java-uncovering-vulnerabilities-with-grype/
Explains using Grype to scan Java container images and filesystems for known CVEs in OS packages and application dependencies to improve container security.

https://macronepal.com/blog/syft-sbom-generation-in-java-comprehensive-software-bill-of-materials-for-jvm-applications/
Explains using Syft to generate SBOMs (Software Bill of Materials) for Java applications, listing all dependencies, libraries, and components for supply chain transparency.

https://macronepal.com/blog/comprehensive-dependency-analysis-generating-and-scanning-sboms-with-trivy-for-java/
Explains using Trivy to generate SBOMs and scan Java dependencies and container images for vulnerabilities, integrating security checks into CI/CD pipelines.

https://macronepal.com/blog/dependabot-for-java-in-java/
Explains GitHub Dependabot for Java projects, which automatically detects vulnerable dependencies and creates pull requests to update them securely.

https://macronepal.com/blog/parasoft-jtest-in-java-comprehensive-guide-to-code-analysis-and-testing/
Explains Parasoft Jtest, a static analysis and testing tool for Java that helps detect bugs, security issues, and code quality problems early in development.

https://macronepal.com/blog/snyk-open-source-in-java-comprehensive-dependency-vulnerability-management-2/
Explains Snyk Open Source for Java, which continuously scans dependencies for vulnerabilities and provides automated fix suggestions and monitoring.

https://macronepal.com/blog/owasp-dependency-check-in-java-complete-vulnerability-scanning-guide/
Explains OWASP Dependency-Check, which scans Java dependencies against the National Vulnerability Database (NVD) to detect known security vulnerabilities.

https://macronepal.com/blog/securing-your-dependencies-a-java-developers-guide-to-whitesource-mend-bolt/
Explains Mend (WhiteSource) Bolt for Java, a dependency management and SCA tool that provides vulnerability detection, license compliance, and security policy enforcement in enterprise environments.