Damrongsak Reetanon
Posted on June 1, 2021
- On 19 May 2020 (B.E. 2563), Docker and Snyk announced a partnership covering vulnerability scanning of container images in Docker.
- Snyk is a company whose products include tools that find vulnerabilities and recommend fixes, covering Open Source Dependencies, Code Security, Container Security and Infrastructure as Code Security.
- To scan container images for vulnerabilities on your own machine, you need Docker Desktop version 2.3.6.0 or later; the feature is available only in Docker Desktop for Mac and Docker Desktop for Windows.
❯ docker version
Client:
Cloud integration: 1.0.14
Version: 20.10.6
[...]
OS/Arch: darwin/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.6
API version: 1.41 (minimum version 1.12)
[...]
docker-init:
Version: 0.19.0
GitCommit: de40ad0
❯ docker scan --version
Version: v0.8.0
Git commit: 35651ca
Provider: Snyk (1.563.0)
Scanning a container image for vulnerabilities
>>>>> Case: no vulnerabilities found in the container image <<<<<
❯ docker scan redhat/ubi8-micro
Testing redhat/ubi8-micro...
Organization: damrongsak
Package manager: rpm
Project name: docker-image|redhat/ubi8-micro
Docker image: redhat/ubi8-micro
Platform: linux/amd64
Licenses: enabled
✓ Tested 18 dependencies for known issues, no vulnerable paths found.
>>>>> Case: vulnerabilities found in the container image <<<<<
❯ docker scan centos
Testing centos...
✗ Low severity vulnerability found in libdb-utils
Description: RHSA-2021:1675
Info: https://snyk.io/vuln/SNYK-CENTOS8-LIBDBUTILS-1294335
Introduced through: libdb-utils@5.3.28-39.el8
From: libdb-utils@5.3.28-39.el8
Fixed in: 0:5.3.28-40.el8
✗ Low severity vulnerability found in libdb
Description: RHSA-2021:1675
Info: https://snyk.io/vuln/SNYK-CENTOS8-LIBDB-1294336
Introduced through: libdb@5.3.28-39.el8
From: libdb@5.3.28-39.el8
Fixed in: 0:5.3.28-40.el8
[...]
Tested 172 dependencies for known vulnerabilities, found 28 vulnerabilities.
For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp
Use the `--json` option to output the scan result as JSON.
The JSON result carries considerably more detail than the default output without `--json` (identifiers, CVSS fields, upgrade path, fixed version, and so on).
❯ docker scan --json centos
"vulnerabilities": [
{
"title": "RHSA-2021:1679",
"credit": [
""
],
"packageName": "bash",
"language": "linux",
"packageManager": "centos:8",
"description": "## NVD Description\n<i> **Note:** </i>\n<i> Versions mentioned in the description apply to the upstream `bash` package. </i>\n<i> See `Remediation` section below for `Centos:8` relevant versions. </i>\n\nThe bash packages provide Bash (Bourne-again shell), which is the default shell for Red Hat Enterprise Linux. Security Fix(es): * bash: when effective UID is not equal to its real UID the saved UID is not dropped (CVE-2019-18276) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.4 Release Notes linked from the References section.\n## Remediation\nUpgrade `Centos:8` `bash` to version 0:4.4.19-14.el8 or higher.\n## References\n- [ADVISORY](https://access.redhat.com/errata/RHSA-2021:1679)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"RHSA-2021:1679"
],
"CWE": []
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": null,
"CVSSv3": null,
"patches": [],
"references": [
{
"title": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2021:1679"
}
],
"creationTime": "2021-05-19T08:11:21.843115Z",
"modificationTime": "2021-05-19T08:11:21.853372Z",
"publicationTime": "2021-05-19T08:11:21.860359Z",
"disclosureTime": null,
"id": "SNYK-CENTOS8-BASH-1294125",
"nvdSeverity": "low",
"relativeImportance": null,
"semver": {
"vulnerable": [
"<0:4.4.19-14.el8"
]
},
"exploit": "No Data",
"from": [
"docker-image|centos@latest",
"bash@4.4.19-12.el8"
],
"upgradePath": [
false,
"bash@0:4.4.19-14.el8"
],
"isUpgradable": true,
"isPatchable": false,
"name": "bash",
"version": "4.4.19-12.el8",
"nearestFixedInVersion": "0:4.4.19-14.el8"
},
[...]
"packageManager": "rpm",
"ignoreSettings": null,
"docker": {},
"summary": "28 vulnerable dependency paths",
"filesystemPolicy": false,
"filtered": {
"ignore": [],
"patch": []
},
"uniqueCount": 28,
"projectName": "docker-image|centos",
"platform": "linux/amd64",
"path": "centos"
}
Add the `--dependency-tree` option to print the dependency tree of the packages in the container image before the scan result.
❯ docker scan --dependency-tree redhat/ubi8-micro
docker-image|redhat/ubi8-micro @ latest
├─ basesystem @ 11-5.el8
├─ bash @ 4.4.20-1.el8_4
├─ coreutils-single @ 8.30-8.el8
├─ filesystem @ 3.8-3.el8
├─ glibc @ 2.28-151.el8
├─ glibc-common @ 2.28-151.el8
├─ glibc-minimal-langpack @ 2.28-151.el8
├─ libacl @ 2.2.53-1.el8
├─ libattr @ 2.4.48-3.el8
├─ libcap @ 2.26-4.el8
├─ libselinux @ 2.9-5.el8
├─ libsepol @ 2.9-2.el8
├─ ncurses-base @ 6.1-7.20180224.el8
├─ ncurses-libs @ 6.1-7.20180224.el8
├─ pcre2 @ 10.32-2.el8
├─ redhat-release @ 8.4-0.6.el8
├─ setup @ 2.12.2-6.el8
└─ tzdata @ 2021a-1.el8
Testing redhat/ubi8-micro...
Organization: damrongsak
Package manager: rpm
Project name: docker-image|redhat/ubi8-micro
Docker image: redhat/ubi8-micro
Platform: linux/amd64
Licenses: enabled
✓ Tested 18 dependencies for known issues, no vulnerable paths found.
Add the `--severity` option to show only findings at the severity level you want (and above). Three levels can be specified: low, medium and high.
❯ docker scan --severity=high centos
Testing centos...
✗ High severity vulnerability found in openssl-libs
Description: RHSA-2020:5476
Info: https://snyk.io/vuln/SNYK-CENTOS8-OPENSSLLIBS-1052541
Introduced through: openssl-libs@1:1.1.1g-11.el8
From: openssl-libs@1:1.1.1g-11.el8
Fixed in: 1:1.1.1g-12.el8_3
✗ High severity vulnerability found in openssl-libs
Description: RHSA-2021:1024
Info: https://snyk.io/vuln/SNYK-CENTOS8-OPENSSLLIBS-1089748
Introduced through: openssl-libs@1:1.1.1g-11.el8
From: openssl-libs@1:1.1.1g-11.el8
Fixed in: 1:1.1.1g-15.el8_3
✗ High severity vulnerability found in nettle
Description: RHSA-2021:1206
Info: https://snyk.io/vuln/SNYK-CENTOS8-NETTLE-1287634
Introduced through: nettle@3.4.1-2.el8
From: nettle@3.4.1-2.el8
Fixed in: 0:3.4.1-4.el8_3
✗ High severity vulnerability found in gnutls
Description: RHSA-2021:1206
Info: https://snyk.io/vuln/SNYK-CENTOS8-GNUTLS-1287630
Introduced through: gnutls@3.6.14-6.el8
From: gnutls@3.6.14-6.el8
Fixed in: 0:3.6.14-8.el8_3
✗ High severity vulnerability found in bind-export-libs
Description: RHSA-2021:0670
Info: https://snyk.io/vuln/SNYK-CENTOS8-BINDEXPORTLIBS-1081045
Introduced through: bind-export-libs@32:9.11.20-5.el8
From: bind-export-libs@32:9.11.20-5.el8
Fixed in: 32:9.11.20-5.el8_3.1
✗ High severity vulnerability found in bind-export-libs
Description: RHSA-2021:1989
Info: https://snyk.io/vuln/SNYK-CENTOS8-BINDEXPORTLIBS-1294046
Introduced through: bind-export-libs@32:9.11.20-5.el8
From: bind-export-libs@32:9.11.20-5.el8
Fixed in: 32:9.11.26-4.el8_4
Organization: damrongsak
Package manager: rpm
Project name: docker-image|centos
Docker image: centos
Platform: linux/amd64
Licenses: enabled
Tested 172 dependencies for known issues, found 6 issues.
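The `--json` output above is what you would feed into a CI pipeline rather than the human-readable report, and `--severity` is the knob for deciding what fails a build. The following script is an added example, not part of the original post or of Docker/Snyk tooling: it applies a severity threshold to the parsed JSON (the same idea as `--severity=high`), counts findings per level, and collects the `nearestFixedInVersion` values of upgradable packages. The sample report is constructed from the fields shown above; `placeholder-pkg` and its id are made-up stand-ins for a finding with no fix available.

```python
import json
import sys
from collections import Counter

# Constructed sample shaped like the `docker scan --json` output above (fields
# trimmed); first three copy page values, the last is a no-fix placeholder.
SAMPLE_REPORT = {
    "projectName": "docker-image|centos",
    "vulnerabilities": [
        {"id": "SNYK-CENTOS8-BASH-1294125", "packageName": "bash", "severity": "low",
         "isUpgradable": True, "nearestFixedInVersion": "0:4.4.19-14.el8"},
        {"id": "SNYK-CENTOS8-OPENSSLLIBS-1052541", "packageName": "openssl-libs",
         "severity": "high", "isUpgradable": True, "nearestFixedInVersion": "1:1.1.1g-12.el8_3"},
        {"id": "SNYK-CENTOS8-OPENSSLLIBS-1089748", "packageName": "openssl-libs",
         "severity": "high", "isUpgradable": True, "nearestFixedInVersion": "1:1.1.1g-15.el8_3"},
        {"id": "CONSTRUCTED-PLACEHOLDER-0", "packageName": "placeholder-pkg",
         "severity": "medium", "isUpgradable": False, "nearestFixedInVersion": None},
    ],
}

# Ordering used for threshold filtering, the same idea as --severity=high.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def findings_at_or_above(report, threshold):
    # Findings whose severity is at least `threshold`; unknown levels are dropped.
    floor = SEVERITY_RANK[threshold]
    return [v for v in report["vulnerabilities"]
            if SEVERITY_RANK.get(v.get("severity"), -1) >= floor]

def severity_counts(report):
    # Number of findings per severity level.
    return Counter(v["severity"] for v in report["vulnerabilities"])

def upgrade_plan(report):
    # Upgradable package -> set of fixed versions. One package can carry several
    # fixes (openssl-libs above); picking the highest needs an RPM EVR compare.
    plan = {}
    for v in report["vulnerabilities"]:
        if v.get("isUpgradable") and v.get("nearestFixedInVersion"):
            plan.setdefault(v["packageName"], set()).add(v["nearestFixedInVersion"])
    return plan

def gate(report, threshold="high"):
    # CI exit status: 1 (fail the build) if anything at/above threshold remains.
    return 1 if findings_at_or_above(report, threshold) else 0

if __name__ == "__main__":
    rep = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_REPORT
    print(rep["projectName"], dict(severity_counts(rep)), upgrade_plan(rep))
    sys.exit(gate(rep))
```

Pipe real output in with `docker scan --json IMAGE | python3 scan_gate.py`; with no stdin it runs against the constructed sample and exits 1 because two high findings remain.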
Limitations to be aware of
If you scan without logging in to Snyk, you get only 10 scans per month. To scan more often, log in to Snyk with the command `docker scan --login`.
❯ docker scan IMAGE
You have reached the scan limit of 10 monthly scans without authentication.
For additional monthly scans, sign into or sign up for Snyk for free with the following command:
`docker scan --login`
Log in at snyk.io with your Docker ID; once the login succeeds, Snyk lets you run 200 scans per month.
❯ docker scan --login
Now redirecting you to our auth page, go ahead and log in,
and once the auth is complete, return to this prompt and you'll
be ready to start using snyk.
If you can't wait use this url:
https://snyk.io/login?token= [...]
Your account has been authenticated. Snyk is now ready to be used.
Continue reading in part 2.