Docker scan[1]本地扫描镜像漏洞
创新互联建站拥有10多年成都网站建设工作经验,为各大企业提供成都做网站、网站设计服务,对于网页设计、PC网站建设(电脑版网站建设)、成都App定制开发、wap网站建设(手机版网站建设)、程序开发、网站优化(SEO优化)、微网站、国际域名空间等,凭借多年来在互联网的打拼,我们在互联网网站建设行业积累了很多网站制作、网站设计、网络营销经验,集策划、开发、设计、营销、管理等网站化运作于一体,具备承接各种规模类型的网站建设项目的能力。
2020年年底,Docker hub推出镜像自动扫描的功能,同时Docker也支持了在本地通过Docker命令选项的方式支持镜像漏洞扫描,目前Docker Desktop for Mac以及window上的Docker都可以通过Docker scan子命令扫描本地镜像是否存在漏洞软件。
Docker Desktop For Mac
使用docker scan的时候需要登录Docker Hub的账号,同时docker scan支持一些不同的选项
- Options:
- --accept-license 接受使用第三方扫描提供商
- --dependency-tree 显示带有扫描结果的依赖树
- --exclude-base 从漏洞扫描中排除基础镜像 (requires --file)
- -f, --file string 与image关联的Dockerfile,提供更详细的结果
- --group-issues 聚合重复的漏洞并将其分组为1个漏洞 (requires --json)
- --json 以json格式输出结果
- --login 使用可选令牌(带有--token)向扫描提供程序进行身份验证,如果为空则使用web base令牌
- --reject-license 拒绝使用第三方扫描提供商
- --severity string 只报告提供级别或更高的漏洞(low|medium|high)
- --token string 登录到第三方扫描提供程序的认证令牌
- --version 显示扫描插件版本
指定Dockerfile
- $ docker scan -f Dockerfile docker-scan:e2e
- Testing docker-scan:e2e
- ...
- High severity vulnerability found in perl
- Description: Integer Overflow or Wraparound
- Info: https://snyk.io/vuln/SNYK-DEBIAN10-PERL-570802
- Introduced through: git@1:2.20.1-2+deb10u3, meta-common-packages@meta
- From: git@1:2.20.1-2+deb10u3 > perl@5.28.1-6
- From: git@1:2.20.1-2+deb10u3 > liberror-perl@0.17027-2 > perl@5.28.1-6
- From: git@1:2.20.1-2+deb10u3 > perl@5.28.1-6 > perl/perl-modules-5.28@5.28.1-6
- and 3 more...
- Introduced by your base image (golang:1.14.6)
- Organization: docker-desktop-test
- Package manager: deb
- Target file: Dockerfile
- Project name: docker-image|99138c65ebc7
- Docker image: 99138c65ebc7
- Base image: golang:1.14.6
- Licenses: enabled
- Tested 200 dependencies for known issues, found 157 issues.
- According to our scan, you are currently using the most secure version of the selected base image
不扫描该镜像的基础镜像
- $ docker scan -f Dockerfile --exclude-base docker-scan:e2e
- Testing docker-scan:e2e
- ...
- Medium severity vulnerability found in libidn2/libidn2-0
- Description: Improper Input Validation
- Info: https://snyk.io/vuln/SNYK-DEBIAN10-LIBIDN2-474100
- Introduced through: iputils/iputils-ping@3:20180629-2+deb10u1, wget@1.20.1-1.1, curl@7.64.0-4+deb10u1, git@1:2.20.1-2+deb10u3
- From: iputils/iputils-ping@3:20180629-2+deb10u1 > libidn2/libidn2-0@2.0.5-1+deb10u1
- From: wget@1.20.1-1.1 > libidn2/libidn2-0@2.0.5-1+deb10u1
- From: curl@7.64.0-4+deb10u1 > curl/libcurl4@7.64.0-4+deb10u1 > libidn2/libidn2-0@2.0.5-1+deb10u1
- and 3 more...
- Introduced in your Dockerfile by 'RUN apk add -U --no-cache wget tar'
- Organization: docker-desktop-test
- Package manager: deb
- Target file: Dockerfile
- Project name: docker-image|99138c65ebc7
- Docker image: 99138c65ebc7
- Base image: golang:1.14.6
- Licenses: enabled
- Tested 200 dependencies for known issues, found 16 issues.
以json格式输出扫描结果
JSON格式显示镜像扫描结果
聚合分组显示扫描信息
- $ docker scan --json --group-issues docker-scan:e2e
- {
- {
- "title": "Improper Check for Dropped Privileges",
- ...
- "packageName": "bash",
- "language": "linux",
- "packageManager": "debian:10",
- "description": "## Overview\nAn issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.\n\n## References\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200430-0003/)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-18276)\n- [GitHub Commit](https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff)\n- [MISC](http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html)\n- [MISC](https://www.youtube.com/watch?v=-wGtxJ8opa8)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-18276)\n",
- "identifiers": {
- "ALTERNATIVE": [],
- "CVE": [
- "CVE-2019-18276"
- ],
- "CWE": [
- "CWE-273"
- ]
- },
- "severity": "low",
- "severityWithCritical": "low",
- "cvssScore": 7.8,
- "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F",
- ...
- "from": [
- "docker-image|docker-scan@e2e",
- "bash@5.0-4"
- ],
- "upgradePath": [],
- "isUpgradable": false,
- "isPatchable": false,
- "name": "bash",
- "version": "5.0-4"
- },
- ...
- "summary": "880 vulnerable dependency paths",
- "filesystemPolicy": false,
- "filtered": {
- "ignore": [],
- "patch": []
- },
- "uniqueCount": 158,
- "projectName": "docker-image|docker-scan",
- "platform": "linux/amd64",
- "path": "docker-scan:e2e"
- }
显示指定级别的漏洞,只有高于此级别的漏洞才会显示出来
- $ docker scan --severity=medium docker-scan:e2e
- ./bin/docker-scan_darwin_amd64 scan --severity=medium docker-scan:e2e
- Testing docker-scan:e2e...
- Medium severity vulnerability found in sqlite3/libsqlite3-0
- Description: Divide By Zero
- Info: https://snyk.io/vuln/SNYK-DEBIAN10-SQLITE3-466337
- Introduced through: gnupg2/gnupg@2.2.12-1+deb10u1, subversion@1.10.4-1+deb10u1, mercurial@4.8.2-1+deb10u1
- From: gnupg2/gnupg@2.2.12-1+deb10u1 > gnupg2/gpg@2.2.12-1+deb10u1 > sqlite3/libsqlite3-0@3.27.2-3
- From: subversion@1.10.4-1+deb10u1 > subversion/libsvn1@1.10.4-1+deb10u1 > sqlite3/libsqlite3-0@3.27.2-3
- From: mercurial@4.8.2-1+deb10u1 > python-defaults/python@2.7.16-1 > python2.7@2.7.16-2+deb10u1 > python2.7/libpython2.7-stdlib@2.7.16-2+deb10u1 > sqlite3/libsqlite3-0@3.27.2-3
- Medium severity vulnerability found in sqlite3/libsqlite3-0
- Description: Uncontrolled Recursion
- ...
- High severity vulnerability found in binutils/binutils-common
- Description: Missing Release of Resource after Effective Lifetime
- Info: https://snyk.io/vuln/SNYK-DEBIAN10-BINUTILS-403318
- Introduced through: gcc-defaults/g++@4:8.3.0-1
- From: gcc-defaults/g++@4:8.3.0-1 > gcc-defaults/gcc@4:8.3.0-1 > gcc-8@8.3.0-6 > binutils@2.31.1-16 > binutils/binutils-common@2.31.1-16
- From: gcc-defaults/g++@4:8.3.0-1 > gcc-defaults/gcc@4:8.3.0-1 > gcc-8@8.3.0-6 > binutils@2.31.1-16 > binutils/libbinutils@2.31.1-16 > binutils/binutils-common@2.31.1-16
- From: gcc-defaults/g++@4:8.3.0-1 > gcc-defaults/gcc@4:8.3.0-1 > gcc-8@8.3.0-6 > binutils@2.31.1-16 > binutils/binutils-x86-64-linux-gnu@2.31.1-16 > binutils/binutils-common@2.31.1-16
- and 4 more...
- Organization: docker-desktop-test
- Package manager: deb
- Project name: docker-image|docker-scan
- Docker image: docker-scan:e2e
- Platform: linux/amd64
- Licenses: enabled
- Tested 200 dependencies for known issues, found 37 issues.
目前Linux系统上的Docker Engine尚未支持scan命令,因此可以通过插件形式使用,可以参考scan-cli-plugin[2]的文档,此处我在Ubuntu上通过apt安装一下
- > cat /etc/apt/sources.list.d/docker.list
- deb [arch=amd64] https://mirrors.aliyun.com/docker-ce/linux/ubuntu xenial stable
- > apt-get update && apt-get install docker-scan-plugin
安装完成之后,登录Docker hub,然后同意访问Snyk即可。
[1]docker scan:
https://docs.docker.com/engine/scan/
[2]scan-cli-plugin:
https://github.com/docker/scan-cli-plugin
本文转载自微信公众号「云原生生态圈」,可以通过以下二维码关注。转载本文请联系云原生生态圈公众号。
标题名称:"dockerscan"本地扫描镜像漏洞
分享地址:http://www.shufengxianlan.com/qtweb/news4/486104.html
网站建设、网络推广公司-创新互联,是专注品牌与效果的网站制作,网络营销seo公司;服务项目有等
声明:本网站发布的内容(图片、视频和文字)以用户投稿、用户转载内容为主,如果涉及侵权请尽快告知,我们将会在第一时间删除。文章观点不代表本网站立场,如需处理请联系客服。电话:028-86922220;邮箱:631063699@qq.com。内容未经允许不得转载,或转载时需注明来源: 创新互联