
Docker scan[1]: scanning local images for vulnerabilities

At the end of 2020 Docker Hub gained automatic vulnerability scanning for pushed images, and at the same time the Docker CLI gained a `docker scan` subcommand for scanning images locally. Docker Desktop for Mac and Docker Desktop for Windows can both use `docker scan` to check whether a local image contains packages with known vulnerabilities. The scan itself is performed by Snyk (every finding links to a snyk.io advisory), which is why the first run asks you to log in and to accept access to Snyk.

Docker Desktop for Mac

docker scan requires that you are logged in to a Docker Hub account (`docker login`). The subcommand also accepts a number of options; the most useful ones are shown below.

Option -f (--file): pass the Dockerfile the image was built from. The scanner can then attribute each finding either to the base image or to the RUN instruction that introduced it, which tells you whether a fix belongs in your own Dockerfile or in a base-image bump.

$ docker scan -f Dockerfile docker-scan:e2e
Testing docker-scan:e2e
...
✗ High severity vulnerability found in perl
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-PERL-570802
  Introduced through: git@1:2.20.1-2+deb10u3, meta-common-packages@meta
  From: git@1:2.20.1-2+deb10u3 > perl@5.28.1-6
  From: git@1:2.20.1-2+deb10u3 > liberror-perl@0.17027-2 > perl@5.28.1-6
  From: git@1:2.20.1-2+deb10u3 > perl@5.28.1-6 > perl/perl-modules-5.28@5.28.1-6
  and 3 more...
  Introduced by your base image (golang:1.14.6)

Organization:      docker-desktop-test
Package manager:   deb
Target file:       Dockerfile
Project name:      docker-image|99138c65ebc7
Docker image:      99138c65ebc7
Base image:        golang:1.14.6
Licenses:          enabled

Tested 200 dependencies for known issues, found 157 issues.

According to our scan, you are currently using the most secure version of the selected base image

Do not scan the base image

With --exclude-base the findings inherited from the base image are left out and only those introduced by the image's own Dockerfile instructions are reported. Here that takes the count from 157 down to 16, all traced to a single RUN line; everything else comes from golang:1.14.6 and needs a base-image change (or package upgrades in the Dockerfile) rather than an application fix.

$ docker scan --exclude-base -f Dockerfile docker-scan:e2e
Testing docker-scan:e2e
...
✗ Medium severity vulnerability found in libidn2/libidn2-0
  Description: Improper Input Validation
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-LIBIDN2-474100
  Introduced through: iputils/iputils-ping@3:20180629-2+deb10u1, wget@1.20.1-1.1, curl@7.64.0-4+deb10u1, git@1:2.20.1-2+deb10u3
  From: iputils/iputils-ping@3:20180629-2+deb10u1 > libidn2/libidn2-0@2.0.5-1+deb10u1
  From: wget@1.20.1-1.1 > libidn2/libidn2-0@2.0.5-1+deb10u1
  From: curl@7.64.0-4+deb10u1 > curl/libcurl4@7.64.0-4+deb10u1 > libidn2/libidn2-0@2.0.5-1+deb10u1
  and 3 more...
  Introduced in your Dockerfile by 'RUN apk add -U --no-cache wget tar'

Organization:      docker-desktop-test
Package manager:   deb
Target file:       Dockerfile
Project name:      docker-image|99138c65ebc7
Docker image:      99138c65ebc7
Base image:        golang:1.14.6
Licenses:          enabled

Tested 200 dependencies for known issues, found 16 issues.

Output the scan results in JSON format

The --json option emits the report as a machine-readable document instead of the human-readable listing, which is what you want for CI pipelines or for feeding the results into another tool. Each vulnerability carries Snyk's own rating in `severity`, the CVSS score and vector in `cvssScore`/`CVSSv3`, its CVE and CWE identifiers, the dependency path that introduced it in `from`, and fix information in `upgradePath`, `isUpgradable` and `isPatchable`. Note that `severity` is Snyk's rating and need not agree with `cvssScore`: the bash entry below is rated low although its CVSS 3.1 score of 7.8 falls in the CVSS High band, so decide which field your gate trusts. Also note the difference between the `summary` line (880 vulnerable dependency paths) and `uniqueCount` (158): one vulnerability is listed once per path through which it is reached.

$ docker scan --json docker-scan:e2e
{
  ...
  {
    "title": "Improper Check for Dropped Privileges",
    ...
    "packageName": "bash",
    "language": "linux",
    "packageManager": "debian:10",
    "description": "## Overview\nAn issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.\n\n## References\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200430-0003/)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-18276)\n- [GitHub Commit](https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff)\n- [MISC](http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html)\n- [MISC](https://www.youtube.com/watch?v=-wGtxJ8opa8)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-18276)\n",
    "identifiers": {
      "ALTERNATIVE": [],
      "CVE": ["CVE-2019-18276"],
      "CWE": ["CWE-273"]
    },
    "severity": "low",
    "severityWithCritical": "low",
    "cvssScore": 7.8,
    "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F",
    ...
    "from": ["docker-image|docker-scan@e2e", "bash@5.0-4"],
    "upgradePath": [],
    "isUpgradable": false,
    "isPatchable": false,
    "name": "bash",
    "version": "5.0-4"
  },
  ...
  "summary": "880 vulnerable dependency paths",
  "filesystemPolicy": false,
  "filtered": {
    "ignore": [],
    "patch": []
  },
  "uniqueCount": 158,
  "projectName": "docker-image|docker-scan",
  "platform": "linux/amd64",
  "path": "docker-scan:e2e"
}

Group the displayed issues

The --group-issues option aggregates the output so that a vulnerability reached through several dependency paths is shown once, with all of its paths listed under it, instead of once per path.

Show only vulnerabilities of a given severity

The --severity option takes low, medium or high and reports only findings at that level or above. With medium the low-rated issues are hidden and the count drops to 37, compared with 157 for the full scan of the same image.

$ docker scan --severity=medium docker-scan:e2e
Testing docker-scan:e2e...

✗ Medium severity vulnerability found in sqlite3/libsqlite3-0
  Description: Divide By Zero
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-SQLITE3-466337
  Introduced through: gnupg2/gnupg@2.2.12-1+deb10u1, subversion@1.10.4-1+deb10u1, mercurial@4.8.2-1+deb10u1
  From: gnupg2/gnupg@2.2.12-1+deb10u1 > gnupg2/gpg@2.2.12-1+deb10u1 > sqlite3/libsqlite3-0@3.27.2-3
  From: subversion@1.10.4-1+deb10u1 > subversion/libsvn1@1.10.4-1+deb10u1 > sqlite3/libsqlite3-0@3.27.2-3
  From: mercurial@4.8.2-1+deb10u1 > python-defaults/python@2.7.16-1 > python2.7@2.7.16-2+deb10u1 > python2.7/libpython2.7-stdlib@2.7.16-2+deb10u1 > sqlite3/libsqlite3-0@3.27.2-3

✗ Medium severity vulnerability found in sqlite3/libsqlite3-0
  Description: Uncontrolled Recursion
...
✗ High severity vulnerability found in binutils/binutils-common
  Description: Missing Release of Resource after Effective Lifetime
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-BINUTILS-403318
  Introduced through: gcc-defaults/g++@4:8.3.0-1
  From: gcc-defaults/g++@4:8.3.0-1 > gcc-defaults/gcc@4:8.3.0-1 > gcc-8@8.3.0-6 > binutils@2.31.1-16 > binutils/binutils-common@2.31.1-16
  From: gcc-defaults/g++@4:8.3.0-1 > gcc-defaults/gcc@4:8.3.0-1 > gcc-8@8.3.0-6 > binutils@2.31.1-16 > binutils/libbinutils@2.31.1-16 > binutils/binutils-common@2.31.1-16
  From: gcc-defaults/g++@4:8.3.0-1 > gcc-defaults/gcc@4:8.3.0-1 > gcc-8@8.3.0-6 > binutils@2.31.1-16 > binutils/binutils-x86-64-linux-gnu@2.31.1-16 > binutils/binutils-common@2.31.1-16
  and 4 more...

Organization:      docker-desktop-test
Package manager:   deb
Project name:      docker-image|docker-scan
Docker image:      docker-scan:e2e
Platform:          linux/amd64
Licenses:          enabled

Tested 200 dependencies for known issues, found 37 issues.
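As an added example (this is not code from the original article, nor from Docker or Snyk), the following Python script consumes the `--json` report described above and does in a pipeline what the `--severity` option does for the human-readable listing, plus a few things the CLI does not: it collapses the per-path entries into unique issues (the `uniqueCount` view), fails the build when any unique issue is at or above a chosen severity, lists the upgrade targets taken from `upgradePath`, and flags entries whose Snyk `severity` disagrees with their `cvssScore`, like the bash entry above. The top-level `vulnerabilities` key is assumed from the Snyk CLI report format that docker scan wraps (the excerpt above elides it); the report embedded in the script is constructed sample data, and its scores, the second bash path and the sqlite3 upgrade target are illustrative values rather than real advisory data.

```python
"""Summarise and gate on the report from `docker scan --json IMAGE`.

Usage:  docker scan --json my-image:tag | python scan_gate.py medium
Without piped input it runs against the constructed SAMPLE_REPORT below.
"""
import json
import sys
from collections import Counter

# Snyk's qualitative ratings, low to high; a missing/unknown severity ranks as 0.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def _vuln(title, name, version, severity, cvss, cves, path, upgrade_to=None):
    """Build one entry in the shape `docker scan --json` emits (constructed sample data)."""
    project = "docker-image|docker-scan@e2e"
    return {
        "title": title, "packageName": name, "name": name, "version": version,
        "severity": severity, "severityWithCritical": severity, "cvssScore": cvss,
        "language": "linux", "packageManager": "debian:10",
        "identifiers": {"CVE": cves, "CWE": []},
        "from": [project] + path,
        "isUpgradable": upgrade_to is not None, "isPatchable": False,
        "upgradePath": [project, upgrade_to] if upgrade_to else [],
    }


# Constructed report. The top-level "vulnerabilities" key is an assumption taken from the
# Snyk CLI format; scores, the second bash path and the sqlite3 upgrade target are
# illustrative, not real advisory data.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        _vuln("Improper Check for Dropped Privileges", "bash", "5.0-4", "low", 7.8,
              ["CVE-2019-18276"], ["bash@5.0-4"]),
        _vuln("Improper Check for Dropped Privileges", "bash", "5.0-4", "low", 7.8,
              ["CVE-2019-18276"], ["git@1:2.20.1-2+deb10u3", "bash@5.0-4"]),
        _vuln("Integer Overflow or Wraparound", "perl", "5.28.1-6", "high", 7.5, [],
              ["git@1:2.20.1-2+deb10u3", "perl@5.28.1-6"]),
        _vuln("Integer Overflow or Wraparound", "perl", "5.28.1-6", "high", 7.5, [],
              ["git@1:2.20.1-2+deb10u3", "liberror-perl@0.17027-2", "perl@5.28.1-6"]),
        _vuln("Improper Input Validation", "libidn2/libidn2-0", "2.0.5-1+deb10u1", "medium",
              5.9, [], ["wget@1.20.1-1.1", "libidn2/libidn2-0@2.0.5-1+deb10u1"]),
        _vuln("Divide By Zero", "sqlite3/libsqlite3-0", "3.27.2-3", "medium", 5.5, [],
              ["gnupg2/gnupg@2.2.12-1+deb10u1", "gnupg2/gpg@2.2.12-1+deb10u1",
               "sqlite3/libsqlite3-0@3.27.2-3"],
              upgrade_to="sqlite3/libsqlite3-0@3.27.2-3+deb10u1"),
    ],
    "summary": "6 vulnerable dependency paths", "uniqueCount": 4,
    "projectName": "docker-image|docker-scan", "platform": "linux/amd64",
    "path": "docker-scan:e2e",
})


def load_report(text):
    return json.loads(text)


def issue_key(v):
    """Entries repeat once per dependency path; collapse on (CVEs or title, package, version)."""
    cves = tuple(sorted(v.get("identifiers", {}).get("CVE", [])))
    return (cves or (v["title"],), v["name"], v["version"])


def unique_issues(report):
    """issue_key -> {'vuln': first entry seen, 'paths': every 'from' chain} (the uniqueCount view)."""
    issues = {}
    for v in report["vulnerabilities"]:
        entry = issues.setdefault(issue_key(v), {"vuln": v, "paths": []})
        entry["paths"].append(" > ".join(v["from"]))
    return issues


def count_by_severity(report):
    return Counter(e["vuln"]["severity"] for e in unique_issues(report).values())


def gate(report, threshold):
    """CI gate: (passed, offending packages); fails on any unique issue at or above threshold."""
    floor = SEVERITY_RANK[threshold]
    offenders = sorted(e["vuln"]["name"] for e in unique_issues(report).values()
                       if SEVERITY_RANK.get(e["vuln"]["severity"], 0) >= floor)
    return (not offenders, offenders)


def cvss_disagreements(report, cvss_high=7.0):
    """Packages Snyk rates low/medium although their CVSS score is in the CVSS High band (>= 7.0)."""
    return sorted(e["vuln"]["name"] for e in unique_issues(report).values()
                  if SEVERITY_RANK.get(e["vuln"]["severity"], 0) <= SEVERITY_RANK["medium"]
                  and e["vuln"].get("cvssScore", 0) >= cvss_high)


def fixable(report):
    """package -> version to upgrade to, for entries marked isUpgradable with an upgradePath."""
    return {e["vuln"]["name"]: e["vuln"]["upgradePath"][-1]
            for e in unique_issues(report).values()
            if e["vuln"].get("isUpgradable") and e["vuln"].get("upgradePath")}


if __name__ == "__main__":
    threshold = sys.argv[1] if len(sys.argv) > 1 else "high"
    report = load_report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT)
    passed, offenders = gate(report, threshold)
    print(f"{report.get('path', '?')}: {len(report['vulnerabilities'])} vulnerable paths, "
          f"{len(unique_issues(report))} unique issues {dict(count_by_severity(report))}")
    for name, target in fixable(report).items():
        print(f"  upgradable: {name} -> {target}")
    for name in cvss_disagreements(report):
        print(f"  check: {name} is rated low/medium by Snyk but its CVSS score is >= 7.0")
    print(f"gate ({threshold}+): {'passed' if passed else 'FAILED on ' + ', '.join(offenders)}")
    sys.exit(0 if passed else 1)
```

In a pipeline, `docker scan --json myimage:tag | python scan_gate.py medium` exits non-zero when anything medium or worse is present; deduplicating first matters because the raw report lists one entry per dependency path (880 paths versus 158 unique issues in the excerpt above), so counting entries would badly overstate the exposure.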
Install the scan-cli plugin on Linux

Docker Engine on Linux does not yet ship the scan command, but it is available as a CLI plugin; see the scan-cli-plugin[2] documentation. Here I install it on Ubuntu with apt from the Docker CE repository (an Aliyun mirror in this case):

> cat /etc/apt/sources.list.d/docker.list
deb [arch=amd64] https://mirrors.aliyun.com/docker-ce/linux/ubuntu xenial stable
> apt-get update && apt-get install docker-scan-plugin

Once it is installed, log in to Docker Hub and agree to let docker scan use Snyk when prompted on the first run (in non-interactive environments the --accept-license option does this for you).
References

[1] docker scan: https://docs.docker.com/engine/scan/
[2] scan-cli-plugin: https://github.com/docker/scan-cli-plugin
This article is reposted from the WeChat public account 「云原生态系统」. Please contact that account before reposting it.
