# docker scan [1]: local image vulnerability scanning

At the end of 2020 Docker Hub launched automatic image scanning, and the Docker CLI also gained an option for scanning local images for vulnerabilities. Currently Docker Desktop on Mac and Docker on Windows can scan the software inside a local image for known vulnerabilities with the `docker scan` subcommand. Docker Desktop for Mac requires you to be logged in to a Docker Hub account to use `docker scan`.

`docker scan` supports the following options:

```
      --accept-license    Accept using a third party scanning provider
      --dependency-tree   Show dependency tree with scan results
      --exclude-base      Exclude base image from vulnerability scanning (requires --file)
  -f, --file string       Dockerfile associated with image, provides more detailed results
      --group-issues      Aggregate duplicated vulnerabilities and group them to a single one (requires --json)
      --json              Output results in JSON format
      --login             Authenticate to the scan provider using an optional token (with --token), or web base token if empty
      --reject-license    Reject using a third party scanning provider
      --severity string   Only report vulnerabilities of provided level or higher (low|medium|high)
      --token string      Authentication token to login to the third party scanning provider
      --version           Display version of the scan plugin
```

## Specifying the Dockerfile

Passing the Dockerfile with `-f` gives more detailed results, including which base image or Dockerfile instruction introduced each vulnerable package:

```
$ docker scan -f Dockerfile docker-scan:e2e
Testing docker-scan:e2e
...
✗ High severity vulnerability found in perl
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-PERL-570802
  Introduced through: git@1:2.20.1-2+deb10u3, meta-common-packages@meta
  From: git@1:2.20.1-2+deb10u3 > perl@5.28.1-6
  From: git@1:2.20.1-2+deb10u3 > liberror-perl@0.17027-2 > perl@5.28.1-6
  From: git@1:2.20.1-2+deb10u3 > perl@5.28.1-6 > perl/perl-modules-5.28@5.28.1-6
  and 3 more...
  Introduced by your base image (golang:1.14.6)

Organization:      docker-desktop-test
Package manager:   deb
Target file:       Dockerfile
Project name:      docker-image|99138c65ebc7
Docker image:      99138c65ebc7
Base image:        golang:1.14.6
Licenses:          enabled

Tested 200 dependencies for known issues, found 157 issues.

According to our scan, you are currently using the most secure version of the selected base image
```

## Excluding the base image

With `--exclude-base` (which requires `--file`), vulnerabilities inherited from the base image are left out, so only packages added by your own Dockerfile instructions are reported:

```
$ docker scan -f Dockerfile --exclude-base docker-scan:e2e
Testing docker-scan:e2e
...
✗ Medium severity vulnerability found in libidn2/libidn2-0
  Description: Improper Input Validation
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-LIBIDN2-474100
  Introduced through: iputils/iputils-ping@3:20180629-2+deb10u1, wget@1.20.1-1.1, curl@7.64.0-4+deb10u1, git@1:2.20.1-2+deb10u3
  From: iputils/iputils-ping@3:20180629-2+deb10u1 > libidn2/libidn2-0@2.0.5-1+deb10u1
  From: wget@1.20.1-1.1 > libidn2/libidn2-0@2.0.5-1+deb10u1
  From: curl@7.64.0-4+deb10u1 > curl/libcurl4@7.64.0-4+deb10u1 > libidn2/libidn2-0@2.0.5-1+deb10u1
  and 3 more...
  Introduced in your Dockerfile by 'RUN apk add -U --no-cache wget tar'

Organization:      docker-desktop-test
Package manager:   deb
Target file:       Dockerfile
Project name:      docker-image|99138c65ebc7
Docker image:      99138c65ebc7
Base image:        golang:1.14.6
Licenses:          enabled

Tested 200 dependencies for known issues, found 1... issues.
```

## JSON output and grouping issues

`--json` prints the scan result as JSON. `--group-issues` (which requires `--json`) aggregates duplicate vulnerabilities, that is, the same issue reached through several dependency paths, into a single entry. An excerpt of the grouped JSON result for `docker-scan:e2e`:

```
{
  ...
  "packageManager": "debian:10",
  "description": "## Overview\nAn issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.\n\n## References\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200430-0003/)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-18276)\n- [GitHub Commit](https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff)\n- [MISC](http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html)\n- [MISC](https://www.youtube.com/watch?v=-wGtxJ8opa8)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-18276)\n",
  "identifiers": {
    "ALTERNATIVE": [],
    "CVE": ["CVE-2019-18276"],
    "CWE": ["CWE-273"]
  },
  "severity": "low",
  "severityWithCritical": "low",
  "cvssScore": 7.8,
  "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F",
  ...
  "from": ["docker-image|docker-scan@e2e", "bash@5.0-4"],
  "upgradePath": [],
  "isUpgradable": false,
  "isPatchable": false,
  "name": "bash",
  "version": "5.0-4"
},
...
"summary": "880 vulnerable dependency paths",
"filesystemPolicy": false,
"filtered": {"ignore": [], "patch": []},
"uniqueCount": 158,
"projectName": "docker-image|docker-scan",
"platform": "linux/amd64",
"path": "docker-scan:e2e"
}
```

## Filtering by severity

`--severity` reports only vulnerabilities at the given level or higher:

```
$ docker scan --severity=medium docker-scan:e2e
./bin/docker-scan_darwin_amd64 scan --severity=medium docker-scan:e2e
Testing docker-scan:e2e...

✗ Medium severity vulnerability found in sqlite3/libsqlite3-0
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-SQLITE3-466337
  Introduced through: gnupg2/gnupg@2.2.12-1+deb10u1, subversion@1.10.4-1+deb10u1, mercurial@4.8.2-1+deb10u1
  From: gnupg2/gnupg@2.2.12-1+deb10u1 > gnupg2/gpg@2.2.12-1+deb10u1 > sqlite3/libsqlite3-0@3.27.2-3
  From: subversion@1.10.4-1+deb10u1 > subversion/libsvn1@1.10.4-1+deb10u1 > sqlite3/libsqlite3-0@3.27.2-3
  From: mercurial@4.8.2-1+deb10u1 > python-defaults/python@2.7.16-1 > python2.7@2.7.16-2+deb10u1 > python2.7/libpython2.7-stdlib@2.7.16-2+deb10u1 > sqlite3/libsqlite3-0@3.27.2-3

✗ Medium severity vulnerability found in sqlite3/libsqlite3-0
  Description: Uncontrolled Recursion
  ...

✗ High severity vulnerability found in binutils/binutils-common
  Description: Missing Release of Resource after Effective Lifetime
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-BINUTILS-4033...
  Introduced through: gcc-defaults/g++@4:8.3.0-1
  From: gcc-defaults/g++@4:8.3.0-1 > gcc-defaults/gcc@4:8.3.0-1 > gcc-8@8.3.0-6 > binutils@2.31.1-16 > binutils/binutils-common@2.31.1-16
  From: gcc-defaults/g++@4:8.3.0-1 > gcc-defaults/gcc@4:8.3.0-1 > gcc-8@8.3.0-6 > binutils@2.31.1-16 > binutils/libbinutils@2.31.1-16 > binutils/binutils-common@2.31.1-16
  From: gcc-defaults/g++@4:8.3.0-1 > gcc-defaults/gcc@4:8.3.0-1 > gcc-8@8.3.0-6 > binutils@2.31.1-16 > binutils/binutils-x86-64-linux-gnu@2.31.1-16 > binutils/binutils-common@2.31.1-16
  and 4 more...

Organization:      docker-desktop-test
Package manager:   deb
Project name:      docker-image|docker-scan
Docker image:      docker-scan:e2e
Platform:          linux/amd64
Licenses:          enabled

Tested 200 dependencies for known issues, found 37 issues.
```

## Installing the scan-cli-plugin on Linux

Docker Engine on Linux does not currently ship the `scan` command, so it is used in the form of a CLI plugin; see the scan-cli-plugin [2] documentation. Here I installed it on Ubuntu through apt:

```
> cat /etc/apt/sources.list.d/docker.list
deb [arch=amd64] https://mirrors.aliyun.com/docker-ce/linux/ubuntu xenial stable
> apt-get update && apt-get install docker-scan-plugin
```

After installing the scan plugin, log in to Docker Hub and agree to the Snyk access prompt.

## References

[1] docker scan: https://docs.docker.com/engine/scan/
[2] scan-cli-plugin: https://github.com/docker/scan-cli-plugin

This article is reproduced from the WeChat official account "云原生生态" (Cloud Native Ecosystem).
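A CI job will usually consume the `--json` report rather than the human-readable output. The following is an added example (not from the original post or from Docker's own tooling) that triages such a report in Python: it keeps findings at or above a severity threshold (the same cut as `--severity`), collapses duplicate CVEs reached through several dependency paths (the effect `--group-issues` describes), records whether an upgrade or patch is available, and decides whether the build should fail. Field names follow the JSON excerpt shown in this post; the sample report, the `_finding` helper and the `CVE-EXAMPLE-0001` identifier are constructed.

```python
# Added example (not from the original post or Docker's own tooling): triage a
# `docker scan --json` report for CI. Field names follow the JSON excerpt on
# the page; the sample report and CVE-EXAMPLE-0001 below are constructed.
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def _finding(title, severity, cve, path, upgradable):
    """Build one entry in the page's `vulnerabilities` shape (constructed)."""
    name, version = path[-1].split("@")
    return {"title": title, "severity": severity, "identifiers": {"CVE": [cve]},
            "from": ["docker-image|docker-scan@e2e"] + path,
            "isUpgradable": upgradable, "isPatchable": False,
            "name": name, "version": version}

# One low finding, plus one high finding listed twice because the same
# package is reached through two dependency paths.
SAMPLE_REPORT = json.dumps({"path": "docker-scan:e2e", "uniqueCount": 2,
    "vulnerabilities": [
        _finding("Improper Privilege Management", "low", "CVE-2019-18276",
                 ["bash@5.0-4"], False),
        _finding("Integer Overflow or Wraparound", "high", "CVE-EXAMPLE-0001",
                 ["git@1:2.20.1-2+deb10u3", "perl@5.28.1-6"], True),
        _finding("Integer Overflow or Wraparound", "high", "CVE-EXAMPLE-0001",
                 ["liberror-perl@0.17027-2", "perl@5.28.1-6"], True),
    ]})

def triage(report_json, min_severity="medium"):
    """Group findings at or above min_severity by CVE: one entry per CVE with
    every dependency path that reaches it (the effect of --group-issues)."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    grouped = {}
    for vuln in report["vulnerabilities"]:
        if SEVERITY_RANK.get(vuln["severity"], 0) < threshold:
            continue
        # A finding may carry several CVE ids, or none (then key on its title).
        for key in vuln["identifiers"].get("CVE") or [vuln["title"]]:
            entry = grouped.setdefault(key, {
                "package": f'{vuln["name"]}@{vuln["version"]}',
                "severity": vuln["severity"],
                "fixable": bool(vuln.get("isUpgradable") or vuln.get("isPatchable")),
                "paths": []})
            entry["paths"].append(" > ".join(vuln["from"][1:]))
    return grouped

def should_fail(grouped, fail_on="high"):
    """CI gate: fail the build when any grouped finding is at or above fail_on."""
    return any(SEVERITY_RANK[v["severity"]] >= SEVERITY_RANK[fail_on]
               for v in grouped.values())
```

In a pipeline, pipe `docker scan --json IMAGE` into `triage()` and exit non-zero when `should_fail()` returns True; the `fixable` flag separates findings an image rebuild can remove from those that need a base image change.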
