I saw a tool called Trivy, "A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI", on Twitter, so I tried it out.
This is going to become the de facto container vulnerability scanner / GitHub - knqyf263/trivy: A Simple and Comprehensive Vulnerability Scanner for Containers, Compatible with CI https://t.co/V5vyDwy5gM
— ちょんまげのおじさん (@kotakanbe) May 16, 2019
Setting up the environment on macOS
$ brew tap knqyf263/trivy
$ brew install knqyf263/trivy/trivy
Checking the environment
$ trivy -v
trivy version 0.0.13
$ trivy -h
NAME:
  trivy - A simple and comprehensive vulnerability scanner for containers
USAGE:
  trivy [options] image_name
VERSION:
  0.0.13
OPTIONS:
  --format value, -f value    format (table, json) (default: "table")
  --input value, -i value     input file path instead of image name
  --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
  --output value, -o value    output file name
  --exit-code value           Exit code when vulnerabilities were found (default: 0)
  --skip-update               skip db update
  --reset                     remove all caches and database
  --clear-cache, -c           clear image caches
  --quiet, -q                 suppress progress bar
  --ignore-unfixed            display only fixed vulnerabilities
  --refresh                   refresh DB (usually used after version update of trivy)
  --debug, -d                 debug mode
  --help, -h                  show help
  --version, -v               print the version
Scanning
The Docker image I'll try scanning is the juice-shop image.
$ docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
bkimminich/juice-shop   latest              b90a57331f07        2 months ago        371MB
Scan
$ trivy bkimminich/juice-shop
2019-05-17T11:43:56.074+0900    INFO    Updating vulnerability database...
2019-05-17T11:47:08.193+0900    INFO    Updating NVD data...
122337 / 122337 [===========================================================================================================================================================================] 100.00% 4m55s
2019-05-17T11:52:03.309+0900    INFO    Updating Alpine data...
11101 / 11101 [===============================================================================================================================================================================] 100.00% 19s
2019-05-17T11:52:23.148+0900    INFO    Updating RedHat data...
19422 / 19422 [===============================================================================================================================================================================] 100.00% 41s
2019-05-17T11:53:04.230+0900    INFO    Updating Debian data...
27777 / 27777 [===============================================================================================================================================================================] 100.00% 44s
2019-05-17T11:53:48.365+0900    INFO    Updating Debian OVAL data...
59592 / 59592 [=============================================================================================================================================================================] 100.00% 1m31s
2019-05-17T11:55:20.322+0900    INFO    Updating Ubuntu data...
30180 / 30180 [===============================================================================================================================================================================] 100.00% 47s
2019-05-17T11:56:08.049+0900    WARN    You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
2019-05-17T11:56:28.407+0900    INFO    Detecting Alpine vulnerabilities...
2019-05-17T11:56:28.424+0900    INFO    Updating npm Security DB...
2019-05-17T11:56:32.779+0900    INFO    Detecting npm vulnerabilities...
2019-05-17T11:56:32.785+0900    INFO    Updating npm Security DB...
2019-05-17T11:56:33.851+0900    INFO    Detecting npm vulnerabilities...

bkimminich/juice-shop (alpine 3.8.2)
====================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

juice-shop/frontend/package-lock.json
=====================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+--------------------+------------------+----------+-------------------+---------------+---------------------------+
|      LIBRARY       | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |           TITLE           |
+--------------------+------------------+----------+-------------------+---------------+---------------------------+
| webpack-dev-server | CVE-2018-14732   | MEDIUM   | 3.1.8             | >=3.1.11      | Improper Input Validation |
+--------------------+------------------+----------+-------------------+---------------+---------------------------+

juice-shop/package-lock.json
============================
Total: 11 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 7, CRITICAL: 0)

+---------------+------------------+----------+-------------------+---------------+--------------------------------+
|    LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------------+------------------+----------+-------------------+---------------+--------------------------------+
| base64url     | NSWG-ECO-428     | HIGH     | 0.0.6             | >=3.0.0       | Out-of-bounds Read             |
+---------------+------------------+          +-------------------+---------------+--------------------------------+
| jsonwebtoken  | NSWG-ECO-17      |          | 0.1.0             | >=4.2.2       | Verification Bypass            |
+---------------+------------------+          +-------------------+---------------+--------------------------------+
| jws           | CVE-2016-1000223 |          | 0.2.6             | >=3.0.0       | Forgeable Public/Private       |
|               |                  |          |                   |               | Tokens                         |
+---------------+------------------+          +-------------------+---------------+--------------------------------+
| lodash        | CVE-2018-16487   |          | 2.4.2             | >=4.17.11     | lodash: Prototype pollution in |
|               |                  |          |                   |               | utilities function             |
+               +------------------+----------+                   +---------------+                                +
|               | CVE-2018-3721    | MEDIUM   |                   | >=4.17.5      |                                |
|               |                  |          |                   |               |                                |
+---------------+------------------+----------+-------------------+---------------+--------------------------------+
| moment        | CVE-2016-4055    | HIGH     | 2.0.0             | >=2.11.2      | moment.js: regular expression  |
|               |                  |          |                   |               | denial of service              |
+---------------+------------------+----------+-------------------+---------------+--------------------------------+
| sanitize-html | CVE-2016-1000237 | MEDIUM   | 1.4.2             | >=1.4.3       | XSS - Sanitization not applied |
|               |                  |          |                   |               | recursively                    |
+               +------------------+          +                   +---------------+--------------------------------+
|               | NSWG-ECO-154     |          |                   | >=1.11.4      | Cross Site Scripting           |
+---------------+------------------+----------+-------------------+---------------+--------------------------------+
| uglify-js     | CVE-2015-8857    | HIGH     | 2.2.5             | >= 2.4.24     | Incorrect Handling of          |
|               |                  |          |                   |               | Non-Boolean Comparisons During |
|               |                  |          |                   |               | Minification                   |
+               +------------------+          +                   +---------------+--------------------------------+
|               | CVE-2015-8858    |          |                   | >=2.6.0       | Regular Expression Denial of   |
|               |                  |          |                   |               | Service                        |
+---------------+------------------+----------+-------------------+---------------+--------------------------------+
| unzipper      | CVE-2018-1002203 | MEDIUM   | 0.8.12            | >=0.8.13      | Arbitrary File Write Through   |
|               |                  |          |                   |               | Archive Extraction             |
+---------------+------------------+----------+-------------------+---------------+--------------------------------+
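The help output lists `--format json`, `--severity`, `--exit-code` and `--ignore-unfixed`; one way to combine those ideas into a CI gate with finer control than a single flag is to parse the JSON report yourself. This is an added example, not code from the post or from the trivy project; it assumes the JSON report is a list of targets, each with a "Target" name and a "Vulnerabilities" list whose entries carry "VulnerabilityID", "PkgName", "InstalledVersion", "FixedVersion" and "Severity" (field names are an assumption; check them against your trivy version), and the sample report below is constructed from a few rows of the juice-shop scan above.

```python
"""CI gate over a trivy JSON report (added example; field names assumed)."""
import json

# Ordering used by trivy's --severity option, lowest to highest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample mirroring rows from the scan above; "EXAMPLE-NOFIX-1"
# is a placeholder id for a finding that has no fixed version yet.
SAMPLE_REPORT = json.dumps([
    {"Target": "bkimminich/juice-shop (alpine 3.8.2)", "Vulnerabilities": None},
    {"Target": "juice-shop/package-lock.json", "Vulnerabilities": [
        {"VulnerabilityID": "NSWG-ECO-17", "PkgName": "jsonwebtoken",
         "InstalledVersion": "0.1.0", "FixedVersion": ">=4.2.2", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2018-3721", "PkgName": "lodash",
         "InstalledVersion": "2.4.2", "FixedVersion": ">=4.17.5", "Severity": "MEDIUM"},
        {"VulnerabilityID": "EXAMPLE-NOFIX-1", "PkgName": "somepkg",
         "InstalledVersion": "1.0.0", "FixedVersion": "", "Severity": "CRITICAL"},
    ]},
])


def findings_at_or_above(report_json, min_severity="HIGH", ignore_unfixed=False):
    """Return (target, id, package, severity) tuples that should block the build.

    ignore_unfixed mirrors trivy's --ignore-unfixed: findings with no fixed
    version are reported but do not fail the job, since nothing can be upgraded.
    """
    threshold = SEVERITY_ORDER.index(min_severity)
    blocking = []
    for target in json.loads(report_json):
        # Targets with no findings carry null instead of an empty list.
        for v in target.get("Vulnerabilities") or []:
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            if SEVERITY_ORDER.index(v.get("Severity", "UNKNOWN")) >= threshold:
                blocking.append((target["Target"], v["VulnerabilityID"],
                                 v["PkgName"], v["Severity"]))
    return blocking


def exit_code_for(report_json, min_severity="HIGH", ignore_unfixed=False):
    """Same idea as --exit-code: non-zero only when a blocking finding exists."""
    return 1 if findings_at_or_above(report_json, min_severity, ignore_unfixed) else 0


if __name__ == "__main__":
    for row in findings_at_or_above(SAMPLE_REPORT):
        print("BLOCKING: %s %s %s %s" % row)
    raise SystemExit(exit_code_for(SAMPLE_REPORT))
```

In a pipeline you would feed it `trivy --format json --output report.json image_name` and pick the threshold per branch, for example HIGH on main and CRITICAL on feature branches.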
Screenshot of the output
It's easy to use and the results are easy to read.