Scanning images for vulnerabilities with the docker scan command

rdamrong

Damrongsak Reetanon

Posted on June 1, 2021


  • On 19 May 2020, Docker and Snyk announced a partnership on checking for vulnerabilities in container images in Docker.
  • Snyk is a company whose products help find vulnerabilities and recommend fixes, covering Open Source Dependencies, Code Security, Container Security and Infrastructure as Code Security.
  • To scan container images on your own machine for vulnerabilities, you need Docker Desktop version 2.3.6.0 or later.

This works only on Docker Desktop for Mac and Docker Desktop for Windows.

❯ docker version
Client:
 Cloud integration: 1.0.14
 Version:           20.10.6
[...]
 OS/Arch:           darwin/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.6
  API version:      1.41 (minimum version 1.12)
[...]
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

❯ docker scan --version
Version:    v0.8.0
Git commit: 35651ca
Provider:   Snyk (1.563.0)

Scanning a container image for vulnerabilities

>>>>> When no vulnerabilities are found in the container image <<<<<

❯ docker scan  redhat/ubi8-micro

Testing redhat/ubi8-micro...

Organization:      damrongsak
Package manager:   rpm
Project name:      docker-image|redhat/ubi8-micro
Docker image:      redhat/ubi8-micro
Platform:          linux/amd64
Licenses:          enabled

✓ Tested 18 dependencies for known issues, no vulnerable paths found.

>>>>> When vulnerabilities are found in the container image <<<<<

❯ docker scan centos

Testing centos...

✗ Low severity vulnerability found in libdb-utils
  Description: RHSA-2021:1675
  Info: https://snyk.io/vuln/SNYK-CENTOS8-LIBDBUTILS-1294335
  Introduced through: libdb-utils@5.3.28-39.el8
  From: libdb-utils@5.3.28-39.el8
  Fixed in: 0:5.3.28-40.el8

✗ Low severity vulnerability found in libdb
  Description: RHSA-2021:1675
  Info: https://snyk.io/vuln/SNYK-CENTOS8-LIBDB-1294336
  Introduced through: libdb@5.3.28-39.el8
  From: libdb@5.3.28-39.el8
  Fixed in: 0:5.3.28-40.el8

[...]

Tested 172 dependencies for known vulnerabilities, found 28 vulnerabilities.

For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp

Use the --json option to output the scan results as JSON

The scan results contain more detail than the output produced without --json.

❯ docker scan --json centos
"vulnerabilities": [
    {
      "title": "RHSA-2021:1679",
      "credit": [
        ""
      ],
      "packageName": "bash",
      "language": "linux",
      "packageManager": "centos:8",
      "description": "## NVD Description\n<i> **Note:** </i>\n<i> Versions mentioned in the description apply to the upstream `bash` package. </i>\n<i> See `Remediation` section below for `Centos:8` relevant versions. </i>\n\nThe bash packages provide Bash (Bourne-again shell), which is the default shell for Red Hat Enterprise Linux. Security Fix(es): * bash: when effective UID is not equal to its real UID the saved UID is not dropped (CVE-2019-18276) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.4 Release Notes linked from the References section.\n## Remediation\nUpgrade `Centos:8` `bash` to version 0:4.4.19-14.el8 or higher.\n## References\n- [ADVISORY](https://access.redhat.com/errata/RHSA-2021:1679)\n",
      "identifiers": {
        "ALTERNATIVE": [],
        "CVE": [
          "RHSA-2021:1679"
        ],
        "CWE": []
      },
      "severity": "low",
      "severityWithCritical": "low",
      "cvssScore": null,
      "CVSSv3": null,
      "patches": [],
      "references": [
        {
          "title": "ADVISORY",
          "url": "https://access.redhat.com/errata/RHSA-2021:1679"
        }
      ],
      "creationTime": "2021-05-19T08:11:21.843115Z",
      "modificationTime": "2021-05-19T08:11:21.853372Z",
      "publicationTime": "2021-05-19T08:11:21.860359Z",
      "disclosureTime": null,
      "id": "SNYK-CENTOS8-BASH-1294125",
      "nvdSeverity": "low",
      "relativeImportance": null,
      "semver": {
        "vulnerable": [
          "<0:4.4.19-14.el8"
        ]
      },
      "exploit": "No Data",
      "from": [
        "docker-image|centos@latest",
        "bash@4.4.19-12.el8"
      ],
      "upgradePath": [
        false,
        "bash@0:4.4.19-14.el8"
      ],
      "isUpgradable": true,
      "isPatchable": false,
      "name": "bash",
      "version": "4.4.19-12.el8",
      "nearestFixedInVersion": "0:4.4.19-14.el8"
    },
[...]
  "packageManager": "rpm",
  "ignoreSettings": null,
  "docker": {},
  "summary": "28 vulnerable dependency paths",
  "filesystemPolicy": false,
  "filtered": {
    "ignore": [],
    "patch": []
  },
  "uniqueCount": 28,
  "projectName": "docker-image|centos",
  "platform": "linux/amd64",
  "path": "centos"
}
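
The following is an added example, not code from the original post or from Docker or Snyk: it reads a `docker scan --json` report, groups findings by package, keeps the newest `nearestFixedInVersion` when one package has several advisories, and returns a pass/fail decision for a CI gate. `triage`, `rpm_key` and `SAMPLE` are hypothetical names; the version ordering is a simplified form of RPM's comparison, and de-duplicating by `id` is an assumption about how vulnerable paths are reported.

```python
import json
import re

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

def rpm_key(evr):
    """Sort key for 'epoch:version-release' strings (simplified RPM ordering)."""
    def segs(s):  # numeric runs compare as integers and outrank alphabetic runs
        return [(1, int(t)) if t.isdigit() else (0, t)
                for t in re.findall(r"\d+|[A-Za-z]+", s)]
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return (int(epoch or 0), segs(version), segs(release))

def triage(report, fail_on="high"):
    """Return (gate_failed, plan) for a parsed `docker scan --json` report."""
    plan, seen = {}, set()
    for v in report.get("vulnerabilities", []):
        if v["id"] in seen:  # assumption: an advisory can repeat, once per path
            continue
        seen.add(v["id"])
        rank = SEVERITY_RANK.get(v["severity"], 3)  # unknown label: above "high"
        entry = plan.setdefault(v["packageName"], {
            "installed": v["version"], "upgrade_to": None, "rank": rank, "advisories": []})
        entry["rank"] = max(entry["rank"], rank)
        entry["advisories"].append(v["title"])
        fix = v.get("nearestFixedInVersion")
        best = entry["upgrade_to"]
        if fix and (best is None or rpm_key(fix) > rpm_key(best)):
            entry["upgrade_to"] = fix  # keep the newest fix across all advisories
    gate_failed = any(e["rank"] >= SEVERITY_RANK[fail_on] for e in plan.values())
    return gate_failed, plan

# Constructed sample in the --json shape, built from values in this page's outputs.
SAMPLE = json.loads("""{"vulnerabilities": [
 {"id": "SNYK-CENTOS8-BASH-1294125", "title": "RHSA-2021:1679", "packageName": "bash",
  "severity": "low", "version": "4.4.19-12.el8", "nearestFixedInVersion": "0:4.4.19-14.el8"},
 {"id": "SNYK-CENTOS8-OPENSSLLIBS-1089748", "title": "RHSA-2021:1024", "packageName": "openssl-libs",
  "severity": "high", "version": "1:1.1.1g-11.el8", "nearestFixedInVersion": "1:1.1.1g-15.el8_3"},
 {"id": "SNYK-CENTOS8-OPENSSLLIBS-1052541", "title": "RHSA-2020:5476", "packageName": "openssl-libs",
  "severity": "high", "version": "1:1.1.1g-11.el8", "nearestFixedInVersion": "1:1.1.1g-12.el8_3"}]}""")

if __name__ == "__main__":
    failed, plan = triage(SAMPLE)
    for pkg, e in sorted(plan.items()):
        print(f"{pkg}: {e['installed']} -> {e['upgrade_to']} ({', '.join(e['advisories'])})")
    raise SystemExit(1 if failed else 0)  # non-zero exit fails the CI step
```

To use it on a real scan, save the report with `docker scan --json centos > report.json` and pass the parsed file to `triage` instead of `SAMPLE`.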


Add the --dependency-tree option to show how the contents of the container image relate to one another as a dependency tree

❯ docker scan --dependency-tree redhat/ubi8-micro
docker-image|redhat/ubi8-micro @ latest
   ├─ basesystem @ 11-5.el8
   ├─ bash @ 4.4.20-1.el8_4
   ├─ coreutils-single @ 8.30-8.el8
   ├─ filesystem @ 3.8-3.el8
   ├─ glibc @ 2.28-151.el8
   ├─ glibc-common @ 2.28-151.el8
   ├─ glibc-minimal-langpack @ 2.28-151.el8
   ├─ libacl @ 2.2.53-1.el8
   ├─ libattr @ 2.4.48-3.el8
   ├─ libcap @ 2.26-4.el8
   ├─ libselinux @ 2.9-5.el8
   ├─ libsepol @ 2.9-2.el8
   ├─ ncurses-base @ 6.1-7.20180224.el8
   ├─ ncurses-libs @ 6.1-7.20180224.el8
   ├─ pcre2 @ 10.32-2.el8
   ├─ redhat-release @ 8.4-0.6.el8
   ├─ setup @ 2.12.2-6.el8
   └─ tzdata @ 2021a-1.el8

Testing redhat/ubi8-micro...

Organization:      damrongsak
Package manager:   rpm
Project name:      docker-image|redhat/ubi8-micro
Docker image:      redhat/ubi8-micro
Platform:          linux/amd64
Licenses:          enabled

✓ Tested 18 dependencies for known issues, no vulnerable paths found.

Add the --severity option to show only the severity levels you want. Three levels can be specified: low, medium and high.

❯ docker scan --severity=high centos

Testing centos...

✗ High severity vulnerability found in openssl-libs
  Description: RHSA-2020:5476
  Info: https://snyk.io/vuln/SNYK-CENTOS8-OPENSSLLIBS-1052541
  Introduced through: openssl-libs@1:1.1.1g-11.el8
  From: openssl-libs@1:1.1.1g-11.el8
  Fixed in: 1:1.1.1g-12.el8_3

✗ High severity vulnerability found in openssl-libs
  Description: RHSA-2021:1024
  Info: https://snyk.io/vuln/SNYK-CENTOS8-OPENSSLLIBS-1089748
  Introduced through: openssl-libs@1:1.1.1g-11.el8
  From: openssl-libs@1:1.1.1g-11.el8
  Fixed in: 1:1.1.1g-15.el8_3

✗ High severity vulnerability found in nettle
  Description: RHSA-2021:1206
  Info: https://snyk.io/vuln/SNYK-CENTOS8-NETTLE-1287634
  Introduced through: nettle@3.4.1-2.el8
  From: nettle@3.4.1-2.el8
  Fixed in: 0:3.4.1-4.el8_3

✗ High severity vulnerability found in gnutls
  Description: RHSA-2021:1206
  Info: https://snyk.io/vuln/SNYK-CENTOS8-GNUTLS-1287630
  Introduced through: gnutls@3.6.14-6.el8
  From: gnutls@3.6.14-6.el8
  Fixed in: 0:3.6.14-8.el8_3

✗ High severity vulnerability found in bind-export-libs
  Description: RHSA-2021:0670
  Info: https://snyk.io/vuln/SNYK-CENTOS8-BINDEXPORTLIBS-1081045
  Introduced through: bind-export-libs@32:9.11.20-5.el8
  From: bind-export-libs@32:9.11.20-5.el8
  Fixed in: 32:9.11.20-5.el8_3.1

✗ High severity vulnerability found in bind-export-libs
  Description: RHSA-2021:1989
  Info: https://snyk.io/vuln/SNYK-CENTOS8-BINDEXPORTLIBS-1294046
  Introduced through: bind-export-libs@32:9.11.20-5.el8
  From: bind-export-libs@32:9.11.20-5.el8
  Fixed in: 32:9.11.26-4.el8_4



Organization:      damrongsak
Package manager:   rpm
Project name:      docker-image|centos
Docker image:      centos
Platform:          linux/amd64
Licenses:          enabled

Tested 172 dependencies for known issues, found 6 issues.

Limitations to know about

If you scan without logging in to Snyk, you can scan only 10 times per month. To scan more, log in to Snyk with the docker scan --login command.

❯  docker scan IMAGE
You have reached the scan limit of 10 monthly scans without authentication.
For additional monthly scans, sign into or sign up for Snyk for free with the following command:
`docker scan --login`

Log in at snyk.io with your Docker ID. Once the login succeeds, Snyk allows you to scan 200 times per month.

❯ docker scan --login

Now redirecting you to our auth page, go ahead and log in,
and once the auth is complete, return to this prompt and you'll
be ready to start using snyk.

If you can't wait use this url:
https://snyk.io/login?token= [...]


Your account has been authenticated. Snyk is now ready to be used.


The value of happiness

Continue reading in part 2
