コンニチハレバレトシタアオゾラ

With nothing better to do, I spend the day facing my blog, idly writing down whatever trifling thoughts cross my mind.

I tried Trivy

I came across a tool on Twitter called Trivy, "A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI", so I gave it a try.


Setting up on macOS


$ brew tap knqyf263/trivy

$ brew install knqyf263/trivy/trivy

Checking the environment
$ trivy -v
trivy version 0.0.13

$ trivy -h
NAME:
  trivy - A simple and comprehensive vulnerability scanner for containers
USAGE:
  trivy [options] image_name
VERSION:
  0.0.13
OPTIONS:
  --format value, -f value    format (table, json) (default: "table")
  --input value, -i value     input file path instead of image name
  --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
  --output value, -o value    output file name
  --exit-code value           Exit code when vulnerabilities were found (default: 0)
  --skip-update               skip db update
  --reset                     remove all caches and database
  --clear-cache, -c           clear image caches
  --quiet, -q                 suppress progress bar
  --ignore-unfixed            display only fixed vulnerabilities
  --refresh                   refresh DB (usually used after version update of trivy)
  --debug, -d                 debug mode
  --help, -h                  show help
  --version, -v               print the version

Scanning

The image I will scan is the juice-shop Docker image.

$ docker images
REPOSITORY                                      TAG                 IMAGE ID            CREATED             SIZE
bkimminich/juice-shop                           latest              b90a57331f07        2 months ago        371MB

Scan

$ trivy bkimminich/juice-shop
2019-05-17T11:43:56.074+0900    INFO    Updating vulnerability database...
2019-05-17T11:47:08.193+0900    INFO    Updating NVD data...
 122337 / 122337 [===========================================================================================================================================================================] 100.00% 4m55s
2019-05-17T11:52:03.309+0900    INFO    Updating Alpine data...
 11101 / 11101 [===============================================================================================================================================================================] 100.00% 19s
2019-05-17T11:52:23.148+0900    INFO    Updating RedHat data...
 19422 / 19422 [===============================================================================================================================================================================] 100.00% 41s
2019-05-17T11:53:04.230+0900    INFO    Updating Debian data...
 27777 / 27777 [===============================================================================================================================================================================] 100.00% 44s
2019-05-17T11:53:48.365+0900    INFO    Updating Debian OVAL data...
 59592 / 59592 [=============================================================================================================================================================================] 100.00% 1m31s
2019-05-17T11:55:20.322+0900    INFO    Updating Ubuntu data...
 30180 / 30180 [===============================================================================================================================================================================] 100.00% 47s
2019-05-17T11:56:08.049+0900    WARN    You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
2019-05-17T11:56:28.407+0900    INFO    Detecting Alpine vulnerabilities...
2019-05-17T11:56:28.424+0900    INFO    Updating npm Security DB...
2019-05-17T11:56:32.779+0900    INFO    Detecting npm vulnerabilities...
2019-05-17T11:56:32.785+0900    INFO    Updating npm Security DB...
2019-05-17T11:56:33.851+0900    INFO    Detecting npm vulnerabilities...

bkimminich/juice-shop (alpine 3.8.2)
====================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


juice-shop/frontend/package-lock.json
=====================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+--------------------+------------------+----------+-------------------+---------------+---------------------------+
|      LIBRARY       | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |           TITLE           |
+--------------------+------------------+----------+-------------------+---------------+---------------------------+
| webpack-dev-server | CVE-2018-14732   | MEDIUM   | 3.1.8             | >=3.1.11      | Improper Input Validation |
+--------------------+------------------+----------+-------------------+---------------+---------------------------+

juice-shop/package-lock.json
============================
Total: 11 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 7, CRITICAL: 0)

+---------------+------------------+----------+-------------------+---------------+--------------------------------+
|    LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------------+------------------+----------+-------------------+---------------+--------------------------------+
| base64url     | NSWG-ECO-428     | HIGH     | 0.0.6             | >=3.0.0       | Out-of-bounds Read             |
+---------------+------------------+          +-------------------+---------------+--------------------------------+
| jsonwebtoken  | NSWG-ECO-17      |          | 0.1.0             | >=4.2.2       | Verification Bypass            |
+---------------+------------------+          +-------------------+---------------+--------------------------------+
| jws           | CVE-2016-1000223 |          | 0.2.6             | >=3.0.0       | Forgeable Public/Private       |
|               |                  |          |                   |               | Tokens                         |
+---------------+------------------+          +-------------------+---------------+--------------------------------+
| lodash        | CVE-2018-16487   |          | 2.4.2             | >=4.17.11     | lodash: Prototype pollution in |
|               |                  |          |                   |               | utilities function             |
+               +------------------+----------+                   +---------------+                                +
|               | CVE-2018-3721    | MEDIUM   |                   | >=4.17.5      |                                |
|               |                  |          |                   |               |                                |
+---------------+------------------+----------+-------------------+---------------+--------------------------------+
| moment        | CVE-2016-4055    | HIGH     | 2.0.0             | >=2.11.2      | moment.js: regular expression  |
|               |                  |          |                   |               | denial of service              |
+---------------+------------------+----------+-------------------+---------------+--------------------------------+
| sanitize-html | CVE-2016-1000237 | MEDIUM   | 1.4.2             | >=1.4.3       | XSS - Sanitization not applied |
|               |                  |          |                   |               | recursively                    |
+               +------------------+          +                   +---------------+--------------------------------+
|               | NSWG-ECO-154     |          |                   | >=1.11.4      | Cross Site Scripting           |
+---------------+------------------+----------+-------------------+---------------+--------------------------------+
| uglify-js     | CVE-2015-8857    | HIGH     | 2.2.5             | >= 2.4.24     | Incorrect Handling of          |
|               |                  |          |                   |               | Non-Boolean Comparisons During |
|               |                  |          |                   |               | Minification                   |
+               +------------------+          +                   +---------------+--------------------------------+
|               | CVE-2015-8858    |          |                   | >=2.6.0       | Regular Expression Denial of   |
|               |                  |          |                   |               | Service                        |
+---------------+------------------+----------+-------------------+---------------+--------------------------------+
| unzipper      | CVE-2018-1002203 | MEDIUM   | 0.8.12            | >=0.8.13      | Arbitrary File Write Through   |
|               |                  |          |                   |               | Archive Extraction             |
+---------------+------------------+----------+-------------------+---------------+--------------------------------+

[Screenshots of the scan output; images not reproduced here]

It is easy to use and the results are easy to read.
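The help output above lists --format json, --severity, --exit-code and --ignore-unfixed, which is what makes Trivy usable as a CI gate. As an added example (not code from the original post or from the Trivy project), here is a small Python gate that reads the JSON Trivy writes and reproduces those option semantics over it; the JSON layout (a list of targets with "Target" and "Vulnerabilities" keys) is assumed from the 0.0.x releases, and the sample data is constructed to mirror rows of the juice-shop table, plus one placeholder unfixed entry.

```python
"""Severity gate over Trivy JSON output (added example, not from the post).

Assumed schema (0.0.x releases, not taken from the post): a JSON list of
targets, each {"Target": str, "Vulnerabilities": [ {...} ] or null}, where
each item has VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity.
Usage: trivy -f json -o result.json bkimminich/juice-shop && python gate.py result.json
"""
import json
import sys
from collections import Counter

# Same ordering Trivy uses for its --severity default list.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample: two rows from the juice-shop scan above plus one
# placeholder entry with no fix available (not a real advisory).
SAMPLE_JSON = json.dumps([
    {"Target": "bkimminich/juice-shop (alpine 3.8.2)", "Vulnerabilities": None},
    {"Target": "juice-shop/package-lock.json", "Vulnerabilities": [
        {"VulnerabilityID": "NSWG-ECO-17", "PkgName": "jsonwebtoken",
         "InstalledVersion": "0.1.0", "FixedVersion": ">=4.2.2", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2018-3721", "PkgName": "lodash",
         "InstalledVersion": "2.4.2", "FixedVersion": ">=4.17.5", "Severity": "MEDIUM"},
        {"VulnerabilityID": "EXAMPLE-UNFIXED-1", "PkgName": "example-pkg",
         "InstalledVersion": "1.0.0", "FixedVersion": "", "Severity": "MEDIUM"},
    ]},
])


def load_findings(json_text):
    """Flatten per-target results into (target, vuln) pairs; null lists mean 0."""
    pairs = []
    for result in json.loads(json_text):
        for vuln in result.get("Vulnerabilities") or []:
            pairs.append((result["Target"], vuln))
    return pairs


def gate(json_text, threshold="HIGH", ignore_unfixed=False):
    """Mirror --severity/--exit-code/--ignore-unfixed: return (exit_code, counts).

    exit_code is 1 when any finding at or above `threshold` survives the
    filters (like --exit-code 1), otherwise 0; counts is per-severity."""
    min_rank = SEVERITY_ORDER.index(threshold)
    counts = Counter()
    for _target, vuln in load_findings(json_text):
        if ignore_unfixed and not vuln.get("FixedVersion"):
            continue  # --ignore-unfixed: skip entries with no fixed version
        if SEVERITY_ORDER.index(vuln.get("Severity", "UNKNOWN")) >= min_rank:
            counts[vuln["Severity"]] += 1
    return (1 if counts else 0), dict(counts)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    code, counts = gate(text, threshold="HIGH", ignore_unfixed=True)
    print("blocking findings:", counts)
    sys.exit(code)
```

Pointing the script at a real result.json turns the table into a pass/fail signal a pipeline can act on, while the unfixed filter keeps builds from failing on issues no upgrade can yet resolve.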