Red Hat RHACS (Advanced Cluster Security) can automatically scan the containers running on the OpenShift or Kubernetes clusters it manages for vulnerabilities and assess them for compliance. RHACS uses the open-source Clair scanner for images, and Red Hat Quay uses Clair for its image scanning as well. Because RHACS and Quay are both enterprise platforms, they have fairly demanding runtime requirements. Trivy, by contrast, is a lightweight vulnerability scanner that performs CVE-based security scans of common Linux distributions, container images and applications.
Here is the process of scanning an image with Trivy:
$ curl -OL https://github.com/aquasecurity/trivy/releases/download/v0.21.2/trivy_0.21.2_Linux-64bit.tar.gz
$ tar -xvf trivy_0.21.2_Linux-64bit.tar.gz
$ ./trivy image --ignore-unfixed --severity "HIGH,CRITICAL" --vuln-type library elastic/logstash:7.13.0
Java (jar)
==========
Total: 5 (HIGH: 3, CRITICAL: 2)
+-------------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
| LIBRARY                             | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION  | TITLE                                 |
+-------------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
| org.apache.logging.log4j:log4j-api  | CVE-2021-44228   | CRITICAL | 2.14.0            | 2.15.0         | log4j-core: Remote code execution     |
|                                     |                  |          |                   |                | in Log4j 2.x when logs contain        |
|                                     |                  |          |                   |                | an attacker-controlled...             |
|                                     |                  |          |                   |                | -->avd.aquasec.com/nvd/cve-2021-44228 |
+                                     +------------------+----------+                   +----------------+---------------------------------------+
|                                     | CVE-2021-45105   | HIGH     |                   | 2.17.0, 2.12.3 | Improper Input Validation             |
|                                     |                  |          |                   |                | and Uncontrolled                      |
|                                     |                  |          |                   |                | Recursion in Apache Log4j2            |
|                                     |                  |          |                   |                | -->avd.aquasec.com/nvd/cve-2021-45105 |
+-------------------------------------+------------------+----------+                   +----------------+---------------------------------------+
| org.apache.logging.log4j:log4j-core | CVE-2021-44228   | CRITICAL |                   | 2.15.0         | log4j-core: Remote code execution     |
|                                     |                  |          |                   |                | in Log4j 2.x when logs contain        |
|                                     |                  |          |                   |                | an attacker-controlled...             |
|                                     |                  |          |                   |                | -->avd.aquasec.com/nvd/cve-2021-44228 |
+                                     +------------------+----------+                   +----------------+---------------------------------------+
|                                     | CVE-2021-45105   | HIGH     |                   | 2.17.0, 2.12.3 | Improper Input Validation             |
|                                     |                  |          |                   |                | and Uncontrolled                      |
|                                     |                  |          |                   |                | Recursion in Apache Log4j2            |
|                                     |                  |          |                   |                | -->avd.aquasec.com/nvd/cve-2021-45105 |
+-------------------------------------+------------------+          +-------------------+----------------+---------------------------------------+
| org.bouncycastle:bcprov-jdk15on     | CVE-2020-28052   |          | 1.65              | 1.67           | bouncycastle: password bypass         |
|                                     |                  |          |                   |                | in OpenBSDBCrypt.checkPassword        |
|                                     |                  |          |                   |                | utility possible                      |
|                                     |                  |          |                   |                | -->avd.aquasec.com/nvd/cve-2020-28052 |
+-------------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
$ ./trivy image --ignore-unfixed --severity "HIGH,CRITICAL" --vuln-type library elastic/logstash:7.13.0
Java (jar)
==========
Total: 3 (HIGH: 1, CRITICAL: 2)
+-------------------------------------+------------------+----------+-------------------+---------------+
| LIBRARY                             | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
+-------------------------------------+------------------+----------+-------------------+---------------+
| org.apache.logging.log4j:log4j-api  | CVE-2021-44228   | CRITICAL | 2.14.0            | 2.15.0        |
+-------------------------------------+                  +          +                   +               +
| org.apache.logging.log4j:log4j-core |                  |          |                   |               |
+-------------------------------------+------------------+----------+-------------------+---------------+
| org.bouncycastle:bcprov-jdk15on     | CVE-2020-28052   | HIGH     | 1.65              | 1.67          |
+-------------------------------------+------------------+----------+-------------------+---------------+
$ ./trivy image --ignore-unfixed --vuln-type library --format template --template '{{- $critical := 0 }}{{- $high := 0 }}{{- range . }}{{- range .Vulnerabilities }}{{- if eq .Severity "CRITICAL" }}{{- $critical = add $critical 1 }}{{- end }}{{- if eq .Severity "HIGH" }}{{- $high = add $high 1 }}{{- end }}{{- end }}{{- end }}Critical: {{ $critical }}, High: {{ $high }}' elastic/logstash:7.13.0
Critical: 2, High: 3
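The one-line template above only prints a count; as an added example that is not from the original post, here is the same HIGH/CRITICAL count plus a pass/block gate computed over Trivy's JSON report (`trivy image --format json`) in Python, so the policy can be versioned and unit-tested instead of living in a shell one-liner. The sample report is constructed from the findings on this page; the extra unfixed entry and the function names are my own assumptions.

```python
"""Gate a build on Trivy's JSON report (trivy image --format json ...).

Assumed report shape (Trivy schema v2): {"Results": [{"Target": ...,
"Vulnerabilities": [{"VulnerabilityID", "PkgName", "InstalledVersion",
"FixedVersion", "Severity", ...}]}]}; older Trivy versions emit a bare list.
"""
import json
from collections import Counter

# Constructed sample mirroring the findings on this page; not real Trivy output.
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "ArtifactName": "elastic/logstash:7.13.0",
    "Results": [{"Target": "Java", "Type": "jar", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-44228", "PkgName": "org.apache.logging.log4j:log4j-api",
         "InstalledVersion": "2.14.0", "FixedVersion": "2.15.0", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2021-45105", "PkgName": "org.apache.logging.log4j:log4j-api",
         "InstalledVersion": "2.14.0", "FixedVersion": "2.17.0, 2.12.3", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2021-44228", "PkgName": "org.apache.logging.log4j:log4j-core",
         "InstalledVersion": "2.14.0", "FixedVersion": "2.15.0", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2021-45105", "PkgName": "org.apache.logging.log4j:log4j-core",
         "InstalledVersion": "2.14.0", "FixedVersion": "2.17.0, 2.12.3", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2020-28052", "PkgName": "org.bouncycastle:bcprov-jdk15on",
         "InstalledVersion": "1.65", "FixedVersion": "1.67", "Severity": "HIGH"},
        # Placeholder unfixed finding (empty FixedVersion): what --ignore-unfixed drops.
        {"VulnerabilityID": "CVE-0000-00000", "PkgName": "example:unfixed-lib",
         "InstalledVersion": "1.0", "FixedVersion": "", "Severity": "MEDIUM"},
    ]}]})


def count_by_severity(report_json, severities=("HIGH", "CRITICAL"), ignore_unfixed=True):
    """Count findings per severity, applying the same filters as the page's
    --severity and --ignore-unfixed flags."""
    report = json.loads(report_json)
    results = report.get("Results", []) if isinstance(report, dict) else report
    counts = Counter()
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # no fix available yet: nothing an upgrade could address
            if vuln["Severity"] in severities:
                counts[vuln["Severity"]] += 1
    return counts


def gate(report_json, max_critical=0, max_high=0):
    """Return True when the image is within policy, False when it must be blocked."""
    counts = count_by_severity(report_json)
    return counts["CRITICAL"] <= max_critical and counts["HIGH"] <= max_high
```

Feed it the output of `trivy image --format json --vuln-type library elastic/logstash:7.13.0` and exit non-zero from the pipeline when `gate()` returns False.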