关于linux:镜像漏洞扫描Trivy

63次阅读

共计 11995 个字符,预计需要花费 30 分钟才能阅读完成。

Trivy 概述

Trivy(tri 发音为 trigger,vy 发音为 envy)是一个简略而全面的破绽 / 谬误配置扫描器,用于容器和其余工件。软件破绽是软件或操作系统中存在的故障、缺点或弱点。Trivy 检测操作系统包(Alpine、RHEL、CentOS 等)和特定语言包(Bundler、Composer、npm、yarn 等)的破绽。此外,Trivy 会扫描基础设施即代码 (IaC) 文件,例如 Terraform 和 Kubernetes,以检测使您的部署面临攻打危险的潜在配置问题。Trivy 易于应用。只需装置二进制文件,您就能够开始扫描了。扫描所须要做的就是指定一个指标,例如容器的图像名称。

Trivy 检测两种类型的平安问题:

  • 破绽
  • 配置谬误

Trivy 能够扫描三种不同的工件:

  • 容器镜像
  • 文件系统
  • Git 存储库

Trivy 能够在两种不同的模式下运行:

  • 独立
  • 客户端服务器

    它旨在用于 CI。在推送到容器注册表或部署应用程序之前,您能够轻松扫描本地容器映像和其余工件。

Trivy 特色

  • 全面的破绽检测

    • 操作系统包(Alpine、Red Hat Universal Base Image、Red Hat Enterprise Linux、CentOS、Oracle Linux、Debian、Ubuntu、Amazon Linux、openSUSE Leap、SUSE Enterprise Linux、Photon OS 和 Distroless)
    • 特定于语言的包(Bundler、Composer、Pipenv、Poetry、npm、yarn、Cargo、NuGet、Maven 和 Go)
  • 检测 IaC 谬误配置

    • 各种各样的内置策略提供了开箱:

      • Kubernetes
      • 码头工人
      • 地形
      • 更多行将推出
    • 反对自定义策略
  • 简略的

    • 仅指定图像名称、蕴含 IaC 配置的目录或工件名称
  • 疾速地

    • 第一次扫描将在 10 秒内实现(取决于您的网络)。随后的扫描将在几秒钟内实现。
    • 与在第一次运行时须要很长时间能力获取破绽信息(约 10 分钟)并激励您保护长久破绽数据库的其余扫描程序不同,Trivy 是无状态的,不须要保护或筹备。
  • 繁难装置

    • apt-get install,yum install并且 brew install 是可能的
    • 没有先决条件,如装置 DB 的,图书馆等
  • 高精确度

    • 特地是 Alpine Linux 和 RHEL/CentOS
    • 其余操作系统也高
  • 开发平安经营

    • 实用于Travis CI、CircleCI、Jenkins、GitLab CI 等 CI。
  • 反对多种格局

    • 容器镜像

      • 作为守护过程运行的 Docker Engine 中的本地映像
      • Podman 中裸露套接字的本地图像
      • Docker Registry 中的近程镜像,例如 Docker Hub、ECR、GCR 和 ACR
      • 存储在 docker save/podman save 格式文件中的 tar 存档
      • 合乎 OCI 图像格式的图像目录
    • 本地文件系统
    • 近程 git 仓库

Trivy 装置

Yum 源形式装置

$ sudo vim /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
gpgcheck=0
enabled=1
$ sudo yum -y update
$ sudo yum -y install trivy

rpm 形式装置

rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.19.2/trivy_0.19.2_Linux-64bit.rpm

二进制形式装置

mkdir -p $GOPATH/src/github.com/aquasecurity
cd $GOPATH/src/github.com/aquasecurity
git clone --depth 1 --branch v0.19.2 https://github.com/aquasecurity/trivy
cd trivy/cmd/trivy/
export GO111MODULE=on
go install

容器镜像破绽扫描

只需指定镜像仓库(和 tag)

# trivy image nginx:1.16 
2021-08-16T19:15:48.528+0800    INFO    Detected OS: debian
2021-08-16T19:15:48.528+0800    INFO    Detecting Debian vulnerabilities...
2021-08-16T19:15:48.541+0800    INFO    Number of language-specific files: 1

nginx:1.16 (debian 10.3)
========================
Total: 207 (UNKNOWN: 0, LOW: 105, MEDIUM: 33, HIGH: 49, CRITICAL: 20)

+-----------------+---------------------+----------+---------------------------+---------------------------+------------------------------------------------------------+
|     LIBRARY     |  VULNERABILITY ID   | SEVERITY |     INSTALLED VERSION     |       FIXED VERSION       |                           TITLE                            |
+-----------------+---------------------+----------+---------------------------+---------------------------+------------------------------------------------------------+
| apt             | CVE-2020-27350      | MEDIUM   | 1.8.2                     | 1.8.2.2                   | apt: integer overflows and underflows                      |
|                 |                     |          |                           |                           | while parsing .deb packages                                |
|                 |                     |          |                           |                           | -->avd.aquasec.com/nvd/cve-2020-27350                      |
+                 +---------------------+          +                           +---------------------------+------------------------------------------------------------+
|                 | CVE-2020-3810       |          |                           | 1.8.2.1                   | Missing input validation in                                |
|                 |                     |          |                           |                           | the ar/tar implementations of                              |
|                 |                     |          |                           |                           | APT before version 2.1.2...                                |
|                 |                     |          |                           |                           | -->avd.aquasec.com/nvd/cve-2020-3810                       |
+                 +---------------------+----------+                           +---------------------------+------------------------------------------------------------+
|                 | CVE-2011-3374       | LOW      |                           |                           | It was found that apt-key in apt,                          |
|                 |                     |          |                           |                           | all versions, do not correctly...                          |
|                 |                     |          |                           |                           | -->avd.aquasec.com/nvd/cve-2011-3374                       |
+-----------------+---------------------+          +---------------------------+---------------------------+------------------------------------------------------------+
| bash            | CVE-2019-18276      |          | 5.0-4                     |                           | bash: when effective UID is not                            |
|                 |                     |          |                           |                           | equal to its real UID the...                               |
|                 |                     |          |                           |                           | -->avd.aquasec.com/nvd/cve-2019-18276                      |
+                 +---------------------+          +                           +---------------------------+------------------------------------------------------------+
|                 | TEMP-0841856-B18BAF |          |                           |                           | -->security-tracker.debian.org/tracker/TEMP-0841856-B18BAF |
+-----------------+---------------------+          +---------------------------+---------------------------+------------------------------------------------------------+
| bsdutils        | CVE-2021-37600      |          | 2.33.1-0.1                |                           | util-linux: integer overflow                               |
|                 |                     |          |                           |                           | can lead to buffer overflow                                |
|                 |                     |          |                           |                           | in get_sem_elements() in                                   |
|                 |                     |          |                           |                           | sys-utils/ipcutils.c...                                    |
|                 |                     |          |                           |                           | -->avd.aquasec.com/nvd/cve-2021-37600                      |
+-----------------+---------------------+          +---------------------------+---------------------------+------------------------------------------------------------+
| coreutils       | CVE-2016-2781       |          | 8.30-3                    |                           | coreutils: Non-privileged                                  |
|                 |                     |          |                           |                           | session can escape to the                                  |
|                 |                     |          |                           |                           | parent session in chroot                                   |
|                 |                     |          |                           |                           | -->avd.aquasec.com/nvd/cve-2016-2781                       |
+                 +---------------------+          +                           +---------------------------+------------------------------------------------------------+
|                 | CVE-2017-18018      |          |                           |                           | coreutils: race condition                                  |
|                 |                     |          |                           |                           | vulnerability in chown and chgrp                           |
|                 |                     |          |                           |                           | -->avd.aquasec.com/nvd/cve-2017-18018                      |
+-----------------+---------------------+          +---------------------------+---------------------------+------------------------------------------------------------+
| fdisk           | CVE-2021-37600      |          | 2.33.1-0.1                |                           | util-linux: integer overflow                               |
|                 |                     |          |                           |                           | can lead to buffer overflow                                |
|                 |                     |          |                           |                           | in get_sem_elements() in                                   |
|                 |                     |          |                           |                           | sys-utils/ipcutils.c...                                    |
|                 |                     |          |                           |                           | -->avd.aquasec.com/nvd/cve-2021-37600                      |
+-----------------+---------------------+----------+---------------------------+---------------------------+------------------------------------------------------------+
| gcc-8-base      | CVE-2018-12886      | HIGH     | 8.3.0-6                   |                           | gcc: spilling of stack                                     |
|                 |                     |          |                           |                           | protection address in cfgexpand.c                          |
|                 |                     |          |                           |                           | and function.c leads to...                                 |
|                 |                     |          |                           |                           | -->avd.aquasec.com/nvd/cve-2018-12886                      |
+                 +---------------------+          +                           +---------------------------+------------------------------------------------------------+
|                 | CVE-2019-15847      |          |                           |                           | gcc: POWER9 "DARN" RNG intrinsic                           |
|                 |                     |          |                           |                           | produces repeated output                                   |
|                 |                     |          |                           |                           | -->avd.aquasec.com/nvd/cve-2019-15847                      |
+-----------------+---------------------+----------+---------------------------+---------------------------+------------------------------------------------------------+
| gpgv            | CVE-2019-14855      | LOW      | 2.2.12-1+deb10u1          |                           | gnupg2: OpenPGP Key Certification                          |
|                 |                     |          |                           |                           | Forgeries with SHA-1                                       |
|                 |                     |          |                           |                           | -->avd.aquasec.com/nvd/cve-2019-14855                      |
+-----------------+---------------------+----------+---------------------------+---------------------------+------------------------------------------------------------+
| libapt-pkg5.0   | CVE-2020-27350      | MEDIUM   | 1.8.2                     | 1.8.2.2                   | apt: integer overflows and underflows                      |
|                 |                     |          |                           |                           | while parsing .deb packages                                |
|                 |                     |          |                           |                           | -->avd.aquasec.com/nvd/cve-2020-27350                      |
+                 +---------------------+          +                           +---------------------------+------------------------------------------------------------+
|                 | CVE-2020-3810       |          |                           | 1.8.2.1                   | Missing input validation in                                |
|                 |                     |          |                           |                           | the ar/tar implementations of                              |
|                 |                     |          |                           |                           | APT before version 2.1.2...                                |
--More--

trivy image [IMAGE_NAME]

破绽等级:

  • HIGH
  • MEDIUM
  • LOW
  • CRITICAL

文件系统破绽扫描

扫描文件系统(例如主机、虚拟机映像或解压缩的容器映像文件系统)

# trivy fs /application/zookeeper/
2021-08-16T19:23:19.322+0800    INFO    Number of language-specific files: 35
2021-08-16T19:23:19.322+0800    INFO    Detecting jar vulnerabilities...

lib/jetty-server-9.4.39.v20210325.jar (jar)
===========================================
Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+--------------------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
|            LIBRARY             | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |     FIXED VERSION      |                 TITLE                 |
+--------------------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| org.eclipse.jetty:jetty-server | CVE-2019-10247   | MEDIUM   | 9.4.39.v20210325  |                        | jetty: error path                     |
|                                |                  |          |                   |                        | information disclosure                |
|                                |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2019-10247 |
+                                +------------------+----------+                   +------------------------+---------------------------------------+
|                                | CVE-2021-34428   | LOW      |                   | 11.0.3, 10.0.3, 9.4.41 | jetty: SessionListener can            |
|                                |                  |          |                   |                        | prevent a session from being          |
|                                |                  |          |                   |                        | invalidated breaking logout           |
|                                |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2021-34428 |
+--------------------------------+------------------+----------+-------------------+------------------------+---------------------------------------+

lib/log4j-1.2.17.jar (jar)
==========================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
| log4j:log4j | CVE-2019-17571   | CRITICAL | 1.2.17            |               | log4j: deserialization of             |
|             |                  |          |                   |               | untrusted data in SocketServer        |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-17571 |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+

Git 存储库破绽扫描

扫描您的近程 git 存储库

# trivy repo https://github.com/kubernetes/kubernetes.git
Enumerating objects: 370096, done.
Counting objects: 100% (370096/370096), done.
Compressing objects: 100% (153736/153736), done.
Total 370096 (delta 246795), reused 313878 (delta 202418), pack-reused 0
2021-08-16T19:27:54.433+0800    INFO    Number of language-specific files: 31
2021-08-16T19:27:54.434+0800    INFO    Detecting gomod vulnerabilities...

cluster/addons/fluentd-elasticsearch/es-image/go.sum (gomod)
============================================================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 3, CRITICAL: 0)

+-----------------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+
|           LIBRARY           | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION         |           FIXED VERSION            |                 TITLE                 |
+-----------------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+
| github.com/dgrijalva/jwt-go | CVE-2020-26160   | HIGH     | 3.2.0+incompatible                |                                    | jwt-go: access restriction            |
|                             |                  |          |                                   |                                    | bypass vulnerability                  |
|                             |                  |          |                                   |                                    | -->avd.aquasec.com/nvd/cve-2020-26160 |
+-----------------------------+------------------+          +-----------------------------------+------------------------------------+---------------------------------------+
| github.com/gogo/protobuf    | CVE-2021-3121    |          | 1.3.1                             | v1.3.2                             | gogo/protobuf:                        |
|                             |                  |          |                                   |                                    | plugin/unmarshal/unmarshal.go         |
|                             |                  |          |                                   |                                    | lacks certain index validation        |
|                             |                  |          |                                   |                                    | -->avd.aquasec.com/nvd/cve-2021-3121  |
+-----------------------------+------------------+          +-----------------------------------+------------------------------------+---------------------------------------+
| golang.org/x/crypto         | CVE-2020-29652   |          | 0.0.0-20200622213623-75b288015ac9 | v0.0.0-20201216223049-8b5274cf687f | golang: crypto/ssh: crafted           |
|                             |                  |          |                                   |                                    | authentication request can            |
|                             |                  |          |                                   |                                    | lead to nil pointer dereference       |
|                             |                  |          |                                   |                                    | -->avd.aquasec.com/nvd/cve-2020-29652 |
+-----------------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+
| k8s.io/client-go            | CVE-2020-8565    | MEDIUM   | 0.19.2                            | v0.20.0-alpha.2                    | kubernetes: Incomplete fix            |
|                             |                  |          |                                   |                                    | for CVE-2019-11250 allows for         |
|                             |                  |          |                                   |                                    | token leak in logs when...            |
|                             |                  |          |                                   |                                    | -->avd.aquasec.com/nvd/cve-2020-8565  |
+-----------------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+

go.sum (gomod)
==============
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

Trivy 过滤破绽

暗藏未修复得破绽

默认状况下,Trivy还会检测未修补 / 未修复的破绽。这意味着即便您更新所有软件包,您也无奈修复这些破绽。如果您想疏忽它们,请应用该 --ignore-unfixed 选项。

# trivy image --ignore-unfixed nginx:1.16 

按重大水平

应用 --severity 选项

# trivy image --severity HIGH,CRITICAL  nginx:1.16

按破绽 ID

应用.trivyignore.

# cat .trivyignore
# Accept the risk
CVE-2018-14618

# No impact in our settings
CVE-2019-1543

# trivy image  nginx:1.16 

按类型

应用 --vuln-type 选项。

# trivy image --vuln-type os  nginx:1.16

破绽数据库

跳过破绽数据库得更新

Trivy开始运行时每 12 小时下载一次破绽数据库。这通常很快,因为数据库的大小只有 10~30MB。然而,如果您甚至想跳过它,请应用该 --skip-db-update 选项。

# trivy image --skip-db-update nginx:1.16

只下载破绽数据库

# trivy image --download-db-only

轻量级数据库

轻量级数据库不蕴含破绽详细信息,例如形容和参考。因而,DB 的大小更小,下载速度更快。

当您不须要破绽详细信息并且实用于 CI/CD 时,此选项很有用。要查找其余信息,您能够在 NVD 网站上搜寻破绽详细信息。https://nvd.nist.gov/vuln/search

# trivy image --light nginx:1.16

--light 选项不会像上面的例子那样显示题目。

Trivy 缓存

革除缓存

--clear-cache 选项删除缓存。

不执行扫描。

# trivy image --clear-cache

缓存目录

用 指定缓存的存储地位--cache-dir

$ trivy --cache-dir /tmp/trivy/ image nginx:1.16

缓存后端

Trivy 反对本地文件系统和 Redis 作为缓存后端。此选项特地实用于客户端 / 服务器模式。

两个选项:– fs – 缓存门路能够通过--cache-dirredis://redis://[HOST]:[PORT]

# trivy server --cache-backend redis://localhost:6379

Trivy 破绽报告格局

表格(默认)

 # trivy image -f table nginx:1.16

JSON

trivy image -f json -o results.json nginx:1.16

参考文章

https://github.com/aquasecurity/trivy

点击 “ 浏览原文 ” 获取更好的浏览体验!

正文完
 0