Docker from Beginner to Expert: Vulnerability scanning for local Docker images
Vulnerability scanning for local Docker images
Want to speed up your development cycle? Quickly detect and learn how to remediate CVEs in your images by running docker scan IMAGE_NAME. See How to scan images for details.
Vulnerability scanning for local Docker images lets developers and development teams review the security state of their container images and take action to fix issues found during the scan, resulting in more secure deployments. Docker Scan runs on the Snyk engine and gives users visibility into the security posture of their local Dockerfiles and local images.
Users trigger vulnerability scans through the CLI and use the CLI to view the scan results. The scan results contain a list of Common Vulnerabilities and Exposures (CVEs), the sources that introduced them (for example OS packages and libraries), the versions in which they were introduced, and a recommended fixed version (if available) to remediate the CVEs found.
Log4j 2 CVE-2021-44228
Versions of docker scan earlier than v0.11.0 cannot detect Log4j 2 CVE-2021-44228. You must update your Docker Desktop installation to 4.3.1 or later to resolve this. For more information, see Scan images for the Log4j 2 CVE.
For information about the system requirements to run vulnerability scanning, see Prerequisites.
This page contains information about the docker scan CLI command. For information about automatically scanning Docker images through Docker Hub, see Hub Vulnerability Scanning.
1. Scan images for the Log4j 2 CVE
1.1) Install docker-scan-plugin
Versions of Docker Scan earlier than v0.11.0 do not detect Log4j 2 CVE-2021-44228 when scanning images for vulnerabilities. You must update your Docker installation to the latest version to resolve this.
If you are using the docker scan plugin shipped with Docker Desktop, update Docker Desktop to 4.3.1 or later. See the release notes for Mac and Windows for download information.
If you are using Linux, run the following commands to manually install the latest version of docker scan:
On .deb-based distributions such as Ubuntu and Debian:

```
apt-get update && apt-get install docker-scan-plugin
```
On rpm-based distributions such as CentOS or Fedora:

```
yum install docker-scan-plugin
```
Alternatively, you can manually download the docker scan binary from the Docker Scan GitHub repository and install it in the plugins directory.
1.2) Verify the docker scan version
After upgrading docker scan, verify that you are running the latest version by running:
docker scan --accept-license --version
Version: v0.12.0
Git commit: 1074dd0
Provider: Snyk (1.790.0 (standalone))
If the scan output contains ORGAPACHELOGGINGLOG4J (the Snyk identifier for the Log4j package), the image is most likely affected by Log4j 2 CVE-2021-44228. This check is only meaningful on a plugin version that can detect the CVE: an older plugin prints no such line, and its silence is not evidence that the image is clean. When you run the updated version of docker scan, you should also see a message similar to the following in the output:
Upgrade org.apache.logging.log4j:log4j-core@2.14.0 to org.apache.logging.log4j:log4j-core@2.15.0 to fix
✗ Arbitrary Code Execution (new) [Critical Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720] in org.apache.logging.log4j:log4j-core@2.14.0
introduced by org.apache.logging.log4j:log4j-core@2.14.0
For more information, read our blog post Apache Log4j 2 CVE-2021-44228.
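Two checks worth scripting around this section, as an added example that is not part of the original page or of the Docker Scan project: confirming from the `docker scan --version` text that the plugin is at least v0.11.0 (the first version this page says detects the Log4j 2 CVE), and pulling the affected log4j-core paths and their fix versions out of `docker scan --json` output instead of grepping the console log. The JSON field names (`vulnerabilities`, `identifiers.CVE`, `packageName`, `version`, `from`, `upgradePath`, `severityWithCritical`) follow the sample shown later on this page; the `id` field carrying the SNYK-JAVA-ORGAPACHELOGGINGLOG4J identifier, the `false` root element in `upgradePath`, and the sample report itself are assumptions constructed for the example.

```python
"""Added example (not from the Docker docs): gate on the docker scan version and
extract Log4j 2 (CVE-2021-44228) findings from `docker scan --json` output."""
import json
import re

# This page states that docker scan versions earlier than v0.11.0 cannot detect
# CVE-2021-44228, so anything below this tuple is treated as blind to it.
MIN_LOG4J_AWARE_VERSION = (0, 11, 0)
LOG4J_CVE = "CVE-2021-44228"
LOG4J_SNYK_FRAGMENT = "ORGAPACHELOGGINGLOG4J"  # appears in the Snyk vuln id / URL

_VERSION_RE = re.compile(r"^Version:\s*v?(\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_scan_version(version_output: str) -> tuple:
    """Return (major, minor, patch) from the text printed by `docker scan --version`."""
    match = _VERSION_RE.search(version_output)
    if match is None:
        raise ValueError("no 'Version:' line found in docker scan --version output")
    return tuple(int(part) for part in match.groups())


def detects_log4j(version_output: str) -> bool:
    """True when the installed plugin is new enough to report CVE-2021-44228."""
    return parse_scan_version(version_output) >= MIN_LOG4J_AWARE_VERSION


def find_log4j_findings(scan_json: str) -> list:
    """Return one dict per vulnerable path that matches the Log4j 2 CVE.

    A finding matches if CVE-2021-44228 is among its CVE identifiers or if the
    Snyk id carries the ORGAPACHELOGGINGLOG4J fragment this page tells you to
    look for. The fix version is the last element of the upgradePath, which is
    what the "Upgrade X to Y to fix" line on the CLI is built from.
    """
    report = json.loads(scan_json)
    findings = []
    for vuln in report.get("vulnerabilities", []):
        cves = vuln.get("identifiers", {}).get("CVE", [])
        snyk_id = vuln.get("id", "")  # 'id' is assumed; the page's sample elides it
        if LOG4J_CVE not in cves and LOG4J_SNYK_FRAGMENT not in snyk_id:
            continue
        # Assumed shape: upgradePath may start with `false` for the root node.
        upgrade_path = [step for step in vuln.get("upgradePath", []) if step]
        findings.append({
            "package": vuln["packageName"],
            "version": vuln["version"],
            "severity": vuln.get("severityWithCritical", vuln.get("severity")),
            "introduced_by": " > ".join(vuln.get("from", [])),
            "fix": upgrade_path[-1] if upgrade_path else None,
        })
    return findings


def fix_advice(finding: dict) -> str:
    """Render a finding the way the CLI does: 'Upgrade A@1 to A@2 to fix'."""
    current = f"{finding['package']}@{finding['version']}"
    if finding["fix"] is None:
        return f"No upgrade path available for {current}"
    return f"Upgrade {current} to {finding['fix']} to fix"


# Constructed sample report (not real scanner output): one log4j-core entry,
# plus an unrelated bash finding with the shape shown later on this page.
SAMPLE_SCAN_JSON = json.dumps({
    "vulnerabilities": [
        {
            "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720",
            "title": "Arbitrary Code Execution",
            "packageName": "org.apache.logging.log4j:log4j-core",
            "version": "2.14.0",
            "identifiers": {"CVE": ["CVE-2021-44228"]},
            "severity": "critical",
            "severityWithCritical": "critical",
            "from": ["docker-image|app@latest", "org.apache.logging.log4j:log4j-core@2.14.0"],
            "upgradePath": [False, "org.apache.logging.log4j:log4j-core@2.15.0"],
            "isUpgradable": True,
        },
        {
            "id": "SNYK-DEBIAN10-BASH-EXAMPLE",  # placeholder id, constructed
            "title": "Improper Check for Dropped Privileges",
            "packageName": "bash",
            "version": "5.0-4",
            "identifiers": {"CVE": ["CVE-2019-18276"], "CWE": ["CWE-273"]},
            "severity": "low",
            "severityWithCritical": "low",
            "from": ["docker-image|app@latest", "bash@5.0-4"],
            "upgradePath": [],
            "isUpgradable": False,
        },
    ],
})

if __name__ == "__main__":
    print(detects_log4j("Version: v0.12.0\nGit commit: 1074dd0\nProvider: Snyk (1.790.0)"))
    for finding in find_log4j_findings(SAMPLE_SCAN_JSON):
        print(fix_advice(finding))
```

In a pipeline, feed `docker scan --version` to `detects_log4j` first and treat a `False` as a hard failure, otherwise a scan that reports nothing about Log4j is indistinguishable from a clean image.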
2. How to scan images
The docker scan command allows you to scan existing Docker images using the image name or ID. For example, run the following command to scan the hello-world image:
```
docker scan hello-world

Testing hello-world...

Organization:      docker-desktop-test
Package manager:   linux
Project name:      docker-image|hello-world
Docker image:      hello-world
Licenses:          enabled

✓ Tested 0 dependencies for known issues, no vulnerable paths found.

Note that we do not currently have vulnerability data for your image.
```
2.1) Get a detailed scan report
You can get a detailed scan report about a Docker image by providing the Dockerfile used to create the image. The syntax is docker scan --file PATH_TO_DOCKERFILE DOCKER_IMAGE.
For example, if you apply the option to the docker-scan test image, it displays the following result:
```
docker scan --file Dockerfile docker-scan:e2e
Testing docker-scan:e2e
...
✗ High severity vulnerability found in perl
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-PERL-570802
  Introduced through: git@1:2.20.1-2+deb10u3, meta-common-packages@meta
  From: git@1:2.20.1-2+deb10u3 > perl@5.28.1-6
  From: git@1:2.20.1-2+deb10u3 > liberror-perl@0.17027-2 > perl@5.28.1-6
  From: git@1:2.20.1-2+deb10u3 > perl@5.28.1-6 > perl/perl-modules-5.28@5.28.1-6
  and 3 more...
  Introduced by your base image (golang:1.14.6)

Organization:      docker-desktop-test
Package manager:   deb
Target file:       Dockerfile
Project name:      docker-image|99138c65ebc7
Docker image:      99138c65ebc7
Base image:        golang:1.14.6
Licenses:          enabled

Tested 200 dependencies for known issues, found 157 issues.

According to our scan, you are currently using the most secure version of the selected base image
```
2.2) Exclude the base image
When using docker scan with the --file flag, you can also add the --exclude-base flag. This excludes the vulnerabilities of the base image (specified in the Dockerfile with the FROM instruction) from your report, so that what remains is what your own Dockerfile instructions introduced. For example:
```
docker scan --file Dockerfile --exclude-base docker-scan:e2e
Testing docker-scan:e2e
...
✗ Medium severity vulnerability found in libidn2/libidn2-0
  Description: Improper Input Validation
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-LIBIDN2-474100
  Introduced through: iputils/iputils-ping@3:20180629-2+deb10u1, wget@1.20.1-1.1, curl@7.64.0-4+deb10u1, git@1:2.20.1-2+deb10u3
  From: iputils/iputils-ping@3:20180629-2+deb10u1 > libidn2/libidn2-0@2.0.5-1+deb10u1
  From: wget@1.20.1-1.1 > libidn2/libidn2-0@2.0.5-1+deb10u1
  From: curl@7.64.0-4+deb10u1 > curl/libcurl4@7.64.0-4+deb10u1 > libidn2/libidn2-0@2.0.5-1+deb10u1
  and 3 more...
  Introduced in your Dockerfile by 'RUN apk add -U --no-cache wget tar'

Organization:      docker-desktop-test
Package manager:   deb
Target file:       Dockerfile
Project name:      docker-image|99138c65ebc7
Docker image:      99138c65ebc7
Base image:        golang:1.14.6
Licenses:          enabled

Tested 200 dependencies for known issues, found 16 issues.
```
2.3) View the JSON output
You can also display the scan result as JSON by adding the --json flag to the command. For example:
```json
$ docker scan --json hello-world
{
  "vulnerabilities": [],
  "ok": true,
  "dependencyCount": 0,
  "org": "docker-desktop-test",
  "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.19.0\nignore: {}\npatch: {}\n",
  "isPrivate": true,
  "licensesPolicy": {
    "severities": {},
    "orgLicenseRules": {
      "AGPL-1.0": {
        "licenseType": "AGPL-1.0",
        "severity": "high",
        "instructions": ""
      },
      ...
      "SimPL-2.0": {
        "licenseType": "SimPL-2.0",
        "severity": "high",
        "instructions": ""
      }
    }
  },
  "packageManager": "linux",
  "ignoreSettings": null,
  "docker": {
    "baseImageRemediation": {
      "code": "SCRATCH_BASE_IMAGE",
      "advice": [
        {
          "message": "Note that we do not currently have vulnerability data for your image.",
          "bold": true,
          "color": "yellow"
        }
      ]
    },
    "binariesVulns": {
      "issuesData": {},
      "affectedPkgs": {}
    }
  },
  "summary": "No known vulnerabilities",
  "filesystemPolicy": false,
  "uniqueCount": 0,
  "projectName": "docker-image|hello-world",
  "path": "hello-world"
}
```
In addition to the --json flag, you can use the --group-issues flag to display each vulnerability only once in the scan report, with all of its introducing paths collected under a single entry:
```json
docker scan --json --group-issues docker-scan:e2e
{
  {
    "title": "Improper Check for Dropped Privileges",
    ...
    "packageName": "bash",
    "language": "linux",
    "packageManager": "debian:10",
    "description": "## Overview\nAn issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.\n\n## References\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200430-0003/)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-18276)\n- [GitHub Commit](https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff)\n- [MISC](http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html)\n- [MISC](https://www.youtube.com/watch?v=-wGtxJ8opa8)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-18276)\n",
    "identifiers": {
      "ALTERNATIVE": [],
      "CVE": [
        "CVE-2019-18276"
      ],
      "CWE": [
        "CWE-273"
      ]
    },
    "severity": "low",
    "severityWithCritical": "low",
    "cvssScore": 7.8,
    "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F",
    ...
    "from": [
      "docker-image|docker-scan@e2e",
      "bash@5.0-4"
    ],
    "upgradePath": [],
    "isUpgradable": false,
    "isPatchable": false,
    "name": "bash",
    "version": "5.0-4"
  },
  ...
  "summary": "880 vulnerable dependency paths",
  "filesystemPolicy": false,
  "filtered": {
    "ignore": [],
    "patch": []
  },
  "uniqueCount": 158,
  "projectName": "docker-image|docker-scan",
  "platform": "linux/amd64",
  "path": "docker-scan:e2e"
}
```
You can find all the sources of a vulnerability in its from section. Note that in this output the summary counts 880 vulnerable dependency paths but only 158 unique issues (uniqueCount); without --group-issues, the same issue is listed once per path.
2.4) Check the dependency tree
To view the dependency tree of your image, use the --dependency-tree flag. This displays all the dependencies before the scan result. For example:
```
docker scan --dependency-tree debian:buster

docker-image|99138c65ebc7 @ latest
├─ ca-certificates @ 20200601~deb10u1
│  └─ openssl @ 1.1.1d-0+deb10u3
│     └─ openssl/libssl1.1 @ 1.1.1d-0+deb10u3
├─ curl @ 7.64.0-4+deb10u1
│  └─ curl/libcurl4 @ 7.64.0-4+deb10u1
│     ├─ e2fsprogs/libcom-err2 @ 1.44.5-1+deb10u3
│     ├─ krb5/libgssapi-krb5-2 @ 1.17-3
│     │  ├─ e2fsprogs/libcom-err2 @ 1.44.5-1+deb10u3
│     │  ├─ krb5/libk5crypto3 @ 1.17-3
│     │  │  └─ krb5/libkrb5support0 @ 1.17-3
│     │  ├─ krb5/libkrb5-3 @ 1.17-3
│     │  │  ├─ e2fsprogs/libcom-err2 @ 1.44.5-1+deb10u3
│     │  │  ├─ krb5/libk5crypto3 @ 1.17-3
│     │  │  ├─ krb5/libkrb5support0 @ 1.17-3
│     │  │  └─ openssl/libssl1.1 @ 1.1.1d-0+deb10u3
│     │  └─ krb5/libkrb5support0 @ 1.17-3
│     ├─ libidn2/libidn2-0 @ 2.0.5-1+deb10u1
│     │  └─ libunistring/libunistring2 @ 0.9.10-1
│     ├─ krb5/libk5crypto3 @ 1.17-3
│     ├─ krb5/libkrb5-3 @ 1.17-3
│     ├─ openldap/libldap-2.4-2 @ 2.4.47+dfsg-3+deb10u2
│     │  ├─ gnutls28/libgnutls30 @ 3.6.7-4+deb10u4
│     │  │  ├─ nettle/libhogweed4 @ 3.4.1-1
│     │  │  │  └─ nettle/libnettle6 @ 3.4.1-1
│     │  │  ├─ libidn2/libidn2-0 @ 2.0.5-1+deb10u1
│     │  │  ├─ nettle/libnettle6 @ 3.4.1-1
│     │  │  ├─ p11-kit/libp11-kit0 @ 0.23.15-2
│     │  │  │  └─ libffi/libffi6 @ 3.2.1-9
│     │  │  ├─ libtasn1-6 @ 4.13-3
│     │  │  └─ libunistring/libunistring2 @ 0.9.10-1
│     │  ├─ cyrus-sasl2/libsasl2-2 @ 2.1.27+dfsg-1+deb10u1
│     │  │  └─ cyrus-sasl2/libsasl2-modules-db @ 2.1.27+dfsg-1+deb10u1
│     │  │     └─ db5.3/libdb5.3 @ 5.3.28+dfsg1-0.5
│     │  └─ openldap/libldap-common @ 2.4.47+dfsg-3+deb10u2
│     ├─ nghttp2/libnghttp2-14 @ 1.36.0-2+deb10u1
│     ├─ libpsl/libpsl5 @ 0.20.2-2
│     │  ├─ libidn2/libidn2-0 @ 2.0.5-1+deb10u1
│     │  └─ libunistring/libunistring2 @ 0.9.10-1
│     ├─ rtmpdump/librtmp1 @ 2.4+20151223.gitfa8646d.1-2
│     │  ├─ gnutls28/libgnutls30 @ 3.6.7-4+deb10u4
│     │  ├─ nettle/libhogweed4 @ 3.4.1-1
│     │  └─ nettle/libnettle6 @ 3.4.1-1
│     ├─ libssh2/libssh2-1 @ 1.8.0-2.1
│     │  └─ libgcrypt20 @ 1.8.4-5
│     └─ openssl/libssl1.1 @ 1.1.1d-0+deb10u3
├─ gnupg2/dirmngr @ 2.2.12-1+deb10u1
...

Organization:      docker-desktop-test
Package manager:   deb
Project name:      docker-image|99138c65ebc7
Docker image:      99138c65ebc7
Licenses:          enabled

Tested 200 dependencies for known issues, found 157 issues.

For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp.
```
For more information about the vulnerability data, see the Docker Vulnerability Scanning CLI Cheat Sheet.
2.5) Limit the level of vulnerabilities displayed
Docker scan allows you to choose the level of vulnerabilities displayed in your scan report using the --severity flag. You can set the severity flag to low, medium, or high depending on the level of vulnerabilities you want to see in your report. The flag acts as a floor, not a filter for a single level: vulnerabilities at the given level or higher are reported.
For example, if you set the severity level to medium, the scan report displays all vulnerabilities classified as medium and high:
```
docker scan --severity=medium docker-scan:e2e

Testing docker-scan:e2e...

✗ Medium severity vulnerability found in sqlite3/libsqlite3-0
  Description: Divide By Zero
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-SQLITE3-466337
  Introduced through: gnupg2/gnupg@2.2.12-1+deb10u1, subversion@1.10.4-1+deb10u1, mercurial@4.8.2-1+deb10u1
  From: gnupg2/gnupg@2.2.12-1+deb10u1 > gnupg2/gpg@2.2.12-1+deb10u1 > sqlite3/libsqlite3-0@3.27.2-3
  From: subversion@1.10.4-1+deb10u1 > subversion/libsvn1@1.10.4-1+deb10u1 > sqlite3/libsqlite3-0@3.27.2-3
  From: mercurial@4.8.2-1+deb10u1 > python-defaults/python@2.7.16-1 > python2.7@2.7.16-2+deb10u1 > python2.7/libpython2.7-stdlib@2.7.16-2+deb10u1 > sqlite3/libsqlite3-0@3.27.2-3

✗ Medium severity vulnerability found in sqlite3/libsqlite3-0
  Description: Uncontrolled Recursion
...
✗ High severity vulnerability found in binutils/binutils-common
  Description: Missing Release of Resource after Effective Lifetime
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-BINUTILS-403318
  Introduced through: gcc-defaults/g++@4:8.3.0-1
  From: gcc-defaults/g++@4:8.3.0-1 > gcc-defaults/gcc@4:8.3.0-1 > gcc-8@8.3.0-6 > binutils@2.31.1-16 > binutils/binutils-common@2.31.1-16
  From: gcc-defaults/g++@4:8.3.0-1 > gcc-defaults/gcc@4:8.3.0-1 > gcc-8@8.3.0-6 > binutils@2.31.1-16 > binutils/libbinutils@2.31.1-16 > binutils/binutils-common@2.31.1-16
  From: gcc-defaults/g++@4:8.3.0-1 > gcc-defaults/gcc@4:8.3.0-1 > gcc-8@8.3.0-6 > binutils@2.31.1-16 > binutils/binutils-x86-64-linux-gnu@2.31.1-16 > binutils/binutils-common@2.31.1-16
  and 4 more...

Organization:      docker-desktop-test
Package manager:   deb
Project name:      docker-image|docker-scan
Docker image:      docker-scan:e2e
Platform:          linux/amd64
Licenses:          enabled

Tested 200 dependencies for known issues, found 37 issues.
```
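The --json, --group-issues and --severity flags above each reshape the same report. The following is an added example, not code from the original page or from Docker or Snyk, that reproduces that reshaping in Python over `docker scan --json` output so it can be wired into a CI gate: collapse the one-entry-per-path list into one entry per issue (what --group-issues does), count issues per severity, and fail the build when anything at or above a chosen threshold remains (what --severity shows on the console). Field names follow the JSON shown above; the `id` field used as the grouping key and the sample report are constructed assumptions, with the placeholder bash id marked as such and the libidn2 and binutils ids taken from the Snyk URLs earlier on this page.

```python
"""Added example (not from the Docker docs): group and gate `docker scan --json`
findings by severity, mirroring what --group-issues and --severity do."""
import json

# Order used by --severity: a threshold of "medium" keeps medium, high and critical.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def group_issues(report: dict) -> dict:
    """Collapse per-path entries into per-issue entries, keeping every path.

    Ungrouped output lists the same issue once per 'from' path. This keys on the
    Snyk id (assumed present) and falls back to (title, package, version).
    """
    grouped = {}
    for vuln in report.get("vulnerabilities", []):
        key = vuln.get("id") or (vuln["title"], vuln["packageName"], vuln["version"])
        entry = grouped.setdefault(key, {
            "title": vuln["title"],
            "package": vuln["packageName"],
            "version": vuln["version"],
            # severityWithCritical distinguishes critical from high; fall back to severity
            "severity": vuln.get("severityWithCritical") or vuln["severity"],
            "cves": sorted(vuln.get("identifiers", {}).get("CVE", [])),
            "upgradable": bool(vuln.get("isUpgradable")),
            "paths": [],
        })
        entry["paths"].append(" > ".join(str(step) for step in vuln.get("from", [])))
    return grouped


def grouped_from_json(scan_json: str) -> dict:
    """Parse raw `docker scan --json` text and group it."""
    return group_issues(json.loads(scan_json))


def count_by_severity(grouped: dict) -> dict:
    """Unique issues per severity level (all four levels always present)."""
    counts = {level: 0 for level in SEVERITY_RANK}
    for issue in grouped.values():
        counts[issue["severity"]] = counts.get(issue["severity"], 0) + 1
    return counts


def issues_at_or_above(grouped: dict, threshold: str) -> list:
    """Grouped issues whose severity is >= threshold, most severe first."""
    floor = SEVERITY_RANK[threshold]
    hits = [i for i in grouped.values() if SEVERITY_RANK[i["severity"]] >= floor]
    return sorted(hits, key=lambda i: SEVERITY_RANK[i["severity"]], reverse=True)


def gate(scan_json: str, threshold: str = "high") -> int:
    """CI exit code: 0 when nothing at or above threshold remains, 1 otherwise."""
    return 1 if issues_at_or_above(grouped_from_json(scan_json), threshold) else 0


# Constructed sample (not real scanner output): four path entries covering
# three distinct issues. Package names come from the console output above.
SAMPLE_SCAN_JSON = json.dumps({"vulnerabilities": [
    {"id": "SNYK-DEBIAN10-BASH-EXAMPLE",  # placeholder id, constructed
     "title": "Improper Check for Dropped Privileges", "packageName": "bash",
     "version": "5.0-4", "severity": "low", "severityWithCritical": "low",
     "identifiers": {"CVE": ["CVE-2019-18276"]}, "isUpgradable": False,
     "from": ["docker-image|docker-scan@e2e", "bash@5.0-4"]},
    {"id": "SNYK-DEBIAN10-LIBIDN2-474100", "title": "Improper Input Validation",
     "packageName": "libidn2/libidn2-0", "version": "2.0.5-1+deb10u1",
     "severity": "medium", "severityWithCritical": "medium", "isUpgradable": False,
     "from": ["docker-image|docker-scan@e2e", "wget@1.20.1-1.1",
              "libidn2/libidn2-0@2.0.5-1+deb10u1"]},
    {"id": "SNYK-DEBIAN10-LIBIDN2-474100", "title": "Improper Input Validation",
     "packageName": "libidn2/libidn2-0", "version": "2.0.5-1+deb10u1",
     "severity": "medium", "severityWithCritical": "medium", "isUpgradable": False,
     "from": ["docker-image|docker-scan@e2e", "curl@7.64.0-4+deb10u1",
              "curl/libcurl4@7.64.0-4+deb10u1", "libidn2/libidn2-0@2.0.5-1+deb10u1"]},
    {"id": "SNYK-DEBIAN10-BINUTILS-403318",
     "title": "Missing Release of Resource after Effective Lifetime",
     "packageName": "binutils/binutils-common", "version": "2.31.1-16",
     "severity": "high", "severityWithCritical": "high", "isUpgradable": False,
     "from": ["docker-image|docker-scan@e2e", "gcc-defaults/g++@4:8.3.0-1",
              "binutils@2.31.1-16", "binutils/binutils-common@2.31.1-16"]},
]})

if __name__ == "__main__":
    import sys
    grouped = grouped_from_json(SAMPLE_SCAN_JSON)
    print(count_by_severity(grouped))
    for issue in issues_at_or_above(grouped, "medium"):
        print(issue["severity"], issue["package"], len(issue["paths"]), "path(s)")
    sys.exit(gate(SAMPLE_SCAN_JSON, threshold="medium"))
```

Grouping first matters for the gate: the summary line of an ungrouped report counts paths, so a single unfixed issue reachable through many packages would otherwise look like many findings.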
2.6) Provider authentication
If you have an existing Snyk account, you can use your Snyk API token directly:
```
docker scan --login --token SNYK_AUTH_TOKEN

Your account has been authenticated. Snyk is now ready to be used.
```
If you use the --login flag without a token, you are redirected to the Snyk website to log in. Prefer that flow on a shared workstation: a token passed with --token is recorded in shell history and is visible in the process list while the command runs.
3. Prerequisites
To run vulnerability scanning on your Docker images, you must meet the following requirements:
- Download and install the latest version of Docker Desktop.
- Sign in to Docker Hub.
- From the Docker Desktop menu, select Sign in / Create Docker ID. Alternatively, open a terminal and run the command docker login.
- (Optional) You can create a Snyk account for scans, or use the additional monthly free scans provided by Snyk with your Docker Hub account.
Check your installation by running docker scan --version; it should print the current version of docker scan and the Snyk engine version. For example:
```
$ docker scan --version
Version:    v0.5.0
Git commit: 5a09266
Provider:   Snyk (1.432.0)
```
Note:
Docker Scan uses the Snyk binary installed in your environment by default. If that is not available, it uses the Snyk binary embedded in Docker Desktop. The minimum Snyk version required is 1.385.0.
4. Supported options
The top-level docker scan command scans a local image using the image name or the image ID. It supports the following options:
| Option | Description |
|---|---|
| --accept-license | Accept the license agreement of the third-party scanning provider |
| --dependency-tree | Display the dependency tree of the image along with the scan results |
| --exclude-base | Exclude the base image during scanning. This option requires the --file option to be set |
| -f, --file string | Specify the location of the Dockerfile associated with the image. This option displays a detailed scan result |
| --json | Display the scan result in JSON format |
| --login | Log in to Snyk using an optional token (with the --token flag), or using a web-based token |
| --reject-license | Reject the license agreement of the third-party scanning provider |
| --severity string | Only report vulnerabilities of the provided level or higher (low, medium, high) |
| --token string | Use an authentication token to log in to the third-party scanning provider |
| --version | Display the Docker Scan plugin version |
5. Known issues
WSL 2
- The vulnerability scanning feature does not work with Alpine distributions.
- If you are using Debian or OpenSUSE distributions, the login process only works with the --token flag; you are not redirected to the Snyk website for authentication.