Security is an issue every project has to take seriously.
For Docker applications, the best way to scan for vulnerabilities is the scanner integrated into the Harbor image registry.
Configuring the Trivy vulnerability scanner involved quite a few pitfalls, which are recorded below.
Setting up Harbor + Trivy can be done step by step from the official docs, so it is not repeated here.
Official docs: https://goharbor.io/docs/2.9.0/install-config/
(the version number will differ in later releases)
The key step is the installer script: https://goharbor.io/docs/2.9.0/install-config/run-installer-script/
Once the prerequisites are in place, run the following command to install Harbor + Trivy:
sudo ./install.sh --with-trivy
Below are the key points for getting Trivy vulnerability scanning to work.
1. docker login to Harbor must work on the Harbor host itself
Reason: during a scan Trivy pulls the image from the Harbor registry. Strictly speaking it is the Trivy host that has to log in; it is just that the Harbor installation bundles Trivy on the same host.
(1) Logging in with an SSL certificate
Common errors when logging in with an SSL certificate:
x509: cannot validate certificate for <IP address> because it does not contain any IP SANs
Cause:
If the server name is an IP address, the certificate's Subject Alternative Name (SAN) is checked as well, so the certificate has to be created with that IP included.
Reference: https://blog.csdn.net/qq_41042211/article/details/124680124
Analysis:
Our Harbor is deployed on an internal network. The SSL certificate was created with the host's hostname, but hostname in harbor.yml is set to the IP address, and logging in with the IP therefore produces this error.
The fix is to use the IP address in place of yourdomain when creating the Harbor SSL certificate.
Error response from daemon: Get "https://xxx.xx.xx.xxx/v2/": x509: certificate signed by unknown authority
Cause:
If the SSL certificate is the self-signed one from the Harbor tutorial, the Docker client doing the login has to trust it; the tutorial does include the steps for this.
Reference: https://www.cnblogs.com/lichengmin/p/16587783.html
For details see the "Provide the Certificates to Harbor and Docker" section of the official docs (https://goharbor.io/docs/2.9.0/install-config/configure-https/).
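To show what the first x509 error above is actually checking, here is an added example in Go (not from the post or the Harbor docs); Docker is written in Go, and that message comes from its crypto/x509 package. It builds a self-signed certificate that carries only a DNS SAN, then one that also carries an IP SAN, and runs the same hostname check docker login performs against the IP. The hostname harbor.internal and the IP 10.0.0.5 are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)
// makeCert builds a self-signed certificate for a Harbor host. With ip set it
// also carries an IP SAN, which docker login needs when harbor.yml's hostname is an IP.
func makeCert(cn string, ip net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     []string{cn}, // DNS SAN only: the "hostname" certificate from the post
	}
	if ip != nil {
		tmpl.IPAddresses = []net.IP{ip} // the IP SAN the error message asks for
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// hostnameOK applies the check Docker's Go TLS stack runs on the name given to
// docker login: "" when the certificate matches, otherwise the x509 error text.
func hostnameOK(cert *x509.Certificate, host string) string {
	if err := cert.VerifyHostname(host); err != nil {
		return err.Error()
	}
	return ""
}
func main() {
	noSAN, _ := makeCert("harbor.internal", nil)                       // placeholder hostname
	withSAN, _ := makeCert("harbor.internal", net.ParseIP("10.0.0.5")) // placeholder Harbor IP
	fmt.Printf("no IP SAN: %q\nIP SAN:    %q\n", hostnameOK(noSAN, "10.0.0.5"), hostnameOK(withSAN, "10.0.0.5"))
}
```

The exact wording of the error varies slightly between Go releases ("does not" versus "doesn't"), which is why the summary below insists that yourdomain and the hostname in harbor.yml agree.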
(2) Configuration for logging in without an SSL certificate:
The Harbor host originally had no Trivy, so login was never a concern. After installing with ./install.sh --with-trivy, the scan logs /var/log/harbor/trivy-adapter.log and /var/log/harbor/core.log reported:
unauthorized to access repository
I assumed it was a certificate problem, but after a long time spent on certificates the errors kept coming. Then I remembered that other hosts connecting to Harbor needed the insecure-registries parameter in /etc/docker/daemon.json.
Since this was also a login problem, I simply configured the same thing on the Harbor host.
After that, scanning worked.
Summary:
1. Whether or not an SSL certificate is configured, docker login to Harbor must work on the Harbor host.
2. When creating the self-signed SSL certificate, yourdomain has to match hostname in harbor.yml; if hostname in harbor.yml is an IP address, use that IP for yourdomain.
3. Going without an SSL certificate is also possible: comment out the https settings in harbor.yml and configure the insecure-registries parameter in /etc/docker/daemon.json on the Harbor host.
2. Trivy DB download problem
By default Trivy downloads the latest DB before each scan, but this is very slow and times out easily, which leaves scanning essentially unusable.
Before installing Harbor, set both skip-update and offline-scan for Trivy to true.
This is done in harbor.yml; then install Harbor with ./install.sh --with-trivy:
trivy:
  # ignoreUnfixed The flag to display only fixed vulnerabilities
  ignore_unfixed: false
  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
  #
  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
  # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
  # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
  skip_update: true
  #
  # The offline_scan option prevents Trivy from sending API requests to identify dependencies.
  # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
  # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
  # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
  # It would work if all the dependencies are in local.
  # This option doesn't affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
  offline_scan: true
  #
  # insecure The flag to skip verifying registry certificate
  insecure: false
The Trivy DB is stored on the server under /data/trivy-adapter/trivy by default.
As shown above, two databases have to be downloaded, db and java-db; each extracts to one .db file and one .json file.
In other words, upload the downloaded offline DB files to the two directories above and extract them there.
How to download the offline packages: https://github.com/aquasecurity/trivy-db/
The DB comes in version 1 and version 2; we need version 2. According to the docs above there are two ways to download it:
version 2
Trivy DB v2 is hosted on GHCR. Although GitHub displays the docker pull command by default, please note that it cannot be downloaded using docker pull as it is not a container image.
You can download the actual compiled database via Trivy or Oras CLI.
Method 1:
Trivy:
Download inside the Trivy container: enter it with docker exec -it trivy-adapter /bin/bash and run the following commands:
TRIVY_TEMP_DIR=$(mktemp -d)
trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
rm -rf $TRIVY_TEMP_DIR
As the screenshot showed, the download is very slow and takes about two hours.
Method 2:
oras >= v0.13.0:
Download with the oras tool. This is the recommended approach: Harbor hosts are usually on internal networks or have slow links, and with this method you can download on an Alibaba Cloud host, whose network is much faster, and then move the files to the Harbor host.
oras installation: https://oras.land/docs/installation/
The Docker method is recommended here:
Docker Image
A public Docker image containing the CLI is available on GitHub Container Registry:
docker run -it --rm -v $(pwd):/workspace ghcr.io/oras-project/oras:v1.1.0 help
NOTE
The default WORKDIR in the image is /workspace.
(1) Pull the Docker image
docker pull ghcr.io/oras-project/oras:v1.1.0
(2) Download with a docker command
The --rm here means the container is removed after use.
# download trivy-db
docker run -it --rm -v $(pwd):/workspace ghcr.io/oras-project/oras:v1.1.0 pull ghcr.io/aquasecurity/trivy-db:2
# download trivy-java-db
docker run -it --rm -v $(pwd):/workspace ghcr.io/oras-project/oras:v1.1.0 pull ghcr.io/aquasecurity/trivy-java-db:1
With everything in place, check the scan results.
Postscript:
I.
Later I found that scanning Java projects still hung for a long time (a normal scan returns results within 10 seconds). The logs showed the cause was a timeout downloading trivy-java-db, so it seems trivy-java-db is not controlled by the offline-scan parameter?
Looking through the Trivy parameters I found github_token; I don't know whether setting it speeds up the DB download.
At the moment the best solution seems to be switching the DB download source to a domestic mirror, but I haven't found a way to do that yet.
trivy:
  # ignoreUnfixed The flag to display only fixed vulnerabilities
  ignore_unfixed: false
  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
  #
  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
  # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
  # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
  skip_update: true
  #
  # The offline_scan option prevents Trivy from sending API requests to identify dependencies.
  # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
  # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
  # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
  # It would work if all the dependencies are in local.
  # This option doesn't affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
  offline_scan: true
  #
  # Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`.
  security_check: vuln
  #
  # insecure The flag to skip verifying registry certificate
  insecure: true
  # github_token The GitHub access token to download Trivy DB
  #
  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
  # https://developer.github.com/v3/#rate-limiting
  #
  # You can create a GitHub token by following the instructions in
  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
  #
  # github_token: xxx
II.
When I first looked for Harbor vulnerability scanning material I found ./install.sh --with-clair, and it took a while to discover that Clair has been deprecated by Harbor.
The error was: Clair is deprecated please remove it from installation arguments
References:
https://www.jianshu.com/p/f13fffa0deb8
https://zhuanlan.zhihu.com/p/545453227
https://www.cnblogs.com/kevingrace/p/13970578.html
Errors encountered
DB error: error in vulnerability DB initialize: failed to open db: open /home/scanner/.cache/trivy/db/trivy.db: permission denied
After uploading the DB package to the server and extracting it, the scan reported permission denied. Checking Trivy's mounted directories showed the problem directory was /data/trivy-adapter/trivy.
Comparing the directories showed that the upload had changed the file ownership; re-assigning ownership to the right user fixed the problem:
chown -R 10000:10000 *
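An added check in Go (not part of the post) that covers both the offline DB layout from section 2 and the permission error above: for each of the db and java-db directories it confirms trivy.db and metadata.json exist, are owned by the scanner uid 10000 (the chown target above), and have not passed the NextUpdate date in metadata.json, which matters because with skip_update: true nothing refreshes them. The metadata.json field names are those the trivy-db project writes; the root path and uid are the values from the post.

```go
package main
import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
	"time"
)
// dbMeta: fields of metadata.json as written by the trivy-db project.
type dbMeta struct {
	Version    int       `json:"Version"`
	NextUpdate time.Time `json:"NextUpdate"`
	UpdatedAt  time.Time `json:"UpdatedAt"`
}
// checkTrivyDB validates one offline DB dir (db or java-db under /data/trivy-adapter/trivy):
// trivy.db and metadata.json present, owned by the scanner uid (10000 in the post), and not
// past NextUpdate, since with skip_update: true nothing refreshes it. Returns the problems found.
func checkTrivyDB(dir string, wantUID uint32, now time.Time) []string {
	var problems []string
	for _, name := range []string{"trivy.db", "metadata.json"} {
		p := filepath.Join(dir, name)
		st, err := os.Stat(p)
		if err != nil {
			problems = append(problems, err.Error())
			continue
		}
		// Files copied in by scp/tar keep the uploader's uid: the "permission denied" failure from the post.
		if sys, ok := st.Sys().(*syscall.Stat_t); ok && sys.Uid != wantUID {
			problems = append(problems, fmt.Sprintf("%s: uid %d, want %d (chown -R %d:%d)", p, sys.Uid, wantUID, wantUID, wantUID))
		}
	}
	raw, err := os.ReadFile(filepath.Join(dir, "metadata.json"))
	if err != nil {
		return problems // a missing file was already reported above
	}
	var m dbMeta
	if err := json.Unmarshal(raw, &m); err != nil {
		return append(problems, "metadata.json: "+err.Error())
	}
	if now.After(m.NextUpdate) {
		problems = append(problems, fmt.Sprintf("%s: v%d DB from %s is stale (NextUpdate %s)", dir, m.Version, m.UpdatedAt.Format("2006-01-02"), m.NextUpdate.Format("2006-01-02")))
	}
	return problems
}
func main() { // root path and uid are the values from the post
	for _, sub := range []string{"db", "java-db"} {
		fmt.Println(sub, checkTrivyDB(filepath.Join("/data/trivy-adapter/trivy", sub), 10000, time.Now()))
	}
}
```

Run it on the Harbor host after every manual DB upload; an empty list for both directories means the scanner can open the files and the data is still within its update window.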