
Scanning container images with Trivy

OpenShift 4.x HOL tutorial collection

Red Hat RHACS can automatically run vulnerability scans and compliance assessments on the containers of the OpenShift or Kubernetes clusters it manages. RHACS uses the open-source Clair scanner for images, and the image scanning in Red Hat Quay is also based on Clair. Because RHACS and Quay are both enterprise platforms, they place fairly high demands on the runtime environment. Trivy, by contrast, is a lightweight vulnerability scanner that performs CVE-based security scans of common Linux distributions, container images and applications.

The following shows the process of scanning an image with Trivy:

$ curl -OL https://github.com/aquasecurity/trivy/releases/download/v0.21.2/trivy_0.21.2_Linux-64bit.tar.gz
$ tar -xvf trivy_0.21.2_Linux-64bit.tar.gz 
$ ./trivy image  --ignore-unfixed --severity "HIGH,CRITICAL" --vuln-type library elastic/logstash:7.13.0
 
Java (jar)
==========
Total: 5 (HIGH: 3, CRITICAL: 2)

+-------------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
|               LIBRARY               | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION  |                 TITLE                 |
+-------------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
| org.apache.logging.log4j:log4j-api  | CVE-2021-44228   | CRITICAL | 2.14.0            | 2.15.0         | log4j-core: Remote code execution     |
|                                     |                  |          |                   |                | in Log4j 2.x when logs contain        |
|                                     |                  |          |                   |                | an attacker-controlled...             |
|                                     |                  |          |                   |                | -->avd.aquasec.com/nvd/cve-2021-44228 |
+                                     +------------------+----------+                   +----------------+---------------------------------------+
|                                     | CVE-2021-45105   | HIGH     |                   | 2.17.0, 2.12.3 | Improper Input Validation             |
|                                     |                  |          |                   |                | and Uncontrolled                      |
|                                     |                  |          |                   |                | Recursion in Apache Log4j2            |
|                                     |                  |          |                   |                | -->avd.aquasec.com/nvd/cve-2021-45105 |
+-------------------------------------+------------------+----------+                   +----------------+---------------------------------------+
| org.apache.logging.log4j:log4j-core | CVE-2021-44228   | CRITICAL |                   | 2.15.0         | log4j-core: Remote code execution     |
|                                     |                  |          |                   |                | in Log4j 2.x when logs contain        |
|                                     |                  |          |                   |                | an attacker-controlled...             |
|                                     |                  |          |                   |                | -->avd.aquasec.com/nvd/cve-2021-44228 |
+                                     +------------------+----------+                   +----------------+---------------------------------------+
|                                     | CVE-2021-45105   | HIGH     |                   | 2.17.0, 2.12.3 | Improper Input Validation             |
|                                     |                  |          |                   |                | and Uncontrolled                      |
|                                     |                  |          |                   |                | Recursion in Apache Log4j2            |
|                                     |                  |          |                   |                | -->avd.aquasec.com/nvd/cve-2021-45105 |
+-------------------------------------+------------------+          +-------------------+----------------+---------------------------------------+
| org.bouncycastle:bcprov-jdk15on     | CVE-2020-28052   |          |              1.65 |           1.67 | bouncycastle: password bypass         |
|                                     |                  |          |                   |                | in OpenBSDBCrypt.checkPassword        |
|                                     |                  |          |                   |                | utility possible                      |
|                                     |                  |          |                   |                | -->avd.aquasec.com/nvd/cve-2020-28052 |
+-------------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+

$ ./trivy image --ignore-unfixed --severity "HIGH,CRITICAL" --vuln-type library elastic/logstash:7.13.0

Java (jar)
==========
Total: 3 (HIGH: 1, CRITICAL: 2)

+-------------------------------------+------------------+----------+-------------------+---------------+
|               LIBRARY               | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
+-------------------------------------+------------------+----------+-------------------+---------------+
| org.apache.logging.log4j:log4j-api  | CVE-2021-44228   | CRITICAL | 2.14.0            | 2.15.0        |
+-------------------------------------+                  +          +                   +               +
| org.apache.logging.log4j:log4j-core |                  |          |                   |               |
+-------------------------------------+------------------+----------+-------------------+---------------+
| org.bouncycastle:bcprov-jdk15on     | CVE-2020-28052   | HIGH     |              1.65 |          1.67 |
+-------------------------------------+------------------+----------+-------------------+---------------+

$ ./trivy image --ignore-unfixed --vuln-type library --format template --template '{{- $critical := 0 }}{{- $high := 0 }}{{- range . }}{{- range .Vulnerabilities }}{{- if  eq .Severity "CRITICAL" }}{{- $critical = add $critical 1 }}{{- end }}{{- if  eq .Severity "HIGH" }}{{- $high = add $high 1 }}{{- end }}{{- end }}{{- end }}Critical: {{ $critical }}, High: {{ $high }}' elastic/logstash:7.13.0
 
Critical: 2, High: 3
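The Go template above counts CRITICAL and HIGH findings by walking the scan results and their Vulnerabilities. The same walk is easier to maintain and test when Trivy writes its report as JSON (`trivy image --format json`) and a small script does the counting and turns the result into a CI pass/fail decision. The script below is an added example, not part of the original post or of the Trivy project: it embeds a constructed JSON report whose first five findings mirror the table above plus one made-up entry with no FixedVersion (placeholder id CVE-0000-00000), reproduces the effect of `--ignore-unfixed` and of `--vuln-type library` (library findings carry Class `lang-pkgs` in Trivy's JSON schema v2), prints the same "Critical: N, High: M" summary line, and exits non-zero when the image exceeds the allowed counts. The field names follow Trivy's JSON schema v2; the threshold values are an assumption for the example.

```python
import json
import sys
from collections import Counter

# Constructed sample of a Trivy JSON report (what `trivy image --format json` emits),
# reduced to the fields used here. The first five findings mirror the table in the
# post; the sixth is a constructed entry with an empty FixedVersion so that the
# effect of --ignore-unfixed can be reproduced offline.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "elastic/logstash:7.13.0",
    "Results": [
        {
            "Target": "Java",
            "Class": "lang-pkgs",
            "Type": "jar",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2021-44228", "PkgName": "org.apache.logging.log4j:log4j-api",
                 "InstalledVersion": "2.14.0", "FixedVersion": "2.15.0", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2021-45105", "PkgName": "org.apache.logging.log4j:log4j-api",
                 "InstalledVersion": "2.14.0", "FixedVersion": "2.17.0, 2.12.3", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2021-44228", "PkgName": "org.apache.logging.log4j:log4j-core",
                 "InstalledVersion": "2.14.0", "FixedVersion": "2.15.0", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2021-45105", "PkgName": "org.apache.logging.log4j:log4j-core",
                 "InstalledVersion": "2.14.0", "FixedVersion": "2.17.0, 2.12.3", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2020-28052", "PkgName": "org.bouncycastle:bcprov-jdk15on",
                 "InstalledVersion": "1.65", "FixedVersion": "1.67", "Severity": "HIGH"},
                # Constructed placeholder finding with no fix available (empty FixedVersion).
                {"VulnerabilityID": "CVE-0000-00000", "PkgName": "example:unfixed-lib",
                 "InstalledVersion": "1.0", "FixedVersion": "", "Severity": "HIGH"},
            ],
        }
    ],
})


def count_by_severity(report_json, ignore_unfixed=True, classes=None):
    """Count findings per severity, walking Results -> Vulnerabilities the same way
    the Go template in the post does.

    ignore_unfixed mirrors --ignore-unfixed: findings with no FixedVersion are skipped.
    classes mirrors --vuln-type: keep only results whose Class is in the given tuple
    (library findings are "lang-pkgs", OS package findings are "os-pkgs")."""
    report = json.loads(report_json)
    counts = Counter()
    for result in report.get("Results", []):
        if classes and result.get("Class") not in classes:
            continue
        # Trivy omits Vulnerabilities (or sets it to null) for clean targets.
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    return dict(counts)


def summary_line(counts):
    """The same one-line summary the template on the page prints."""
    return "Critical: {}, High: {}".format(counts.get("CRITICAL", 0), counts.get("HIGH", 0))


def passes_gate(counts, max_critical=0, max_high=0):
    """CI gate: True when the image stays within the allowed CRITICAL and HIGH counts.
    The default thresholds (zero of each) are an assumption for this example."""
    return counts.get("CRITICAL", 0) <= max_critical and counts.get("HIGH", 0) <= max_high


if __name__ == "__main__":
    # Usage: trivy image --format json elastic/logstash:7.13.0 | python3 trivy_gate.py
    # Without piped input the constructed sample report is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    counts = count_by_severity(data, ignore_unfixed=True, classes=("lang-pkgs",))
    print(summary_line(counts))
    sys.exit(0 if passes_gate(counts) else 1)
```

Run on the constructed sample, the script prints `Critical: 2, High: 3`, matching the template output above, and exits with status 1 because the default gate allows no CRITICAL or HIGH findings; pass a real report on stdin and adjust the thresholds in `passes_gate` to the policy of the pipeline.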

References

https://aquasecurity.github.io/trivy/v0.18.3/modes/client-server/
