Trying out Trivy
It can check both OS packages and application dependencies for known vulnerabilities.
You run it either as a binary or as a container and simply point it at the target image.
Installation
I installed it with nix home-manager.
$ trivy -v
Version: 0.56.2
Vulnerability DB:
Version: 2
UpdatedAt: 2024-11-02 06:16:39.060291205 +0000 UTC
NextUpdate: 2024-11-03 06:16:39.060290835 +0000 UTC
DownloadedAt: 2024-11-02 07:23:36.118269573 +0000 UTC
Create the target image
Create a sample web server image with TypeScript + Deno.
main.ts
// Minimal handler: every request gets a plain-text "Hello World!"
const handler = (): Response => {
  return new Response("Hello World!", {
    headers: { 'content-type': 'text/plain' },
  });
};

// Listen on port 3000 (the Dockerfile grants --allow-net for this)
Deno.serve({ port: 3000 }, handler);
Dockerfile
FROM denoland/deno:alpine-2.0.2
COPY main.ts /app/
CMD ["deno", "run", "--allow-net", "/app/main.ts"]
Build it
docker build . -t mydeno
Run
Running trivy against the image I built turned up an openssl vulnerability.
$ trivy image mydeno
2024-11-02T16:37:37+09:00 INFO [vuln] Vulnerability scanning is enabled
2024-11-02T16:37:37+09:00 INFO [secret] Secret scanning is enabled
2024-11-02T16:37:37+09:00 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-02T16:37:37+09:00 INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-11-02T16:37:37+09:00 INFO Detected OS family="alpine" version="3.20.3"
2024-11-02T16:37:37+09:00 INFO [alpine] Detecting vulnerabilities... os_version="3.20" repository="3.20" pkg_num=14
2024-11-02T16:37:37+09:00 INFO Number of language-specific files num=0
2024-11-02T16:37:37+09:00 WARN Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.56/docs/scanner/vulnerability#severity-selection for details.
mydeno (alpine 3.20.3)
Total: 2 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2024-9143 │ LOW      │ fixed  │ 3.3.2-r0          │ 3.3.2-r1      │ openssl: Low-level invalid GF(2^m) parameters lead to OOB │
│            │               │          │        │                   │               │ memory access                                             │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-9143                 │
├────────────┤               │          │        │                   │               │                                                           │
│ libssl3    │               │          │        │                   │               │                                                           │
│            │               │          │        │                   │               │                                                           │
│            │               │          │        │                   │               │                                                           │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘
Remediation
Dockerfile
FROM denoland/deno:alpine-2.0.2
+ RUN apk upgrade --no-cache
COPY main.ts /app/
CMD ["deno", "run", "--allow-net", "/app/main.ts"]
After rebuilding and running trivy again, the vulnerability is gone. Happily ever after.
$ trivy image mydeno
2024-11-02T16:49:31+09:00 INFO [vuln] Vulnerability scanning is enabled
2024-11-02T16:49:31+09:00 INFO [secret] Secret scanning is enabled
2024-11-02T16:49:31+09:00 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-02T16:49:31+09:00 INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-11-02T16:49:31+09:00 INFO Detected OS family="alpine" version="3.20.3"
2024-11-02T16:49:31+09:00 INFO [alpine] Detecting vulnerabilities... os_version="3.20" repository="3.20" pkg_num=14
2024-11-02T16:49:31+09:00 INFO Number of language-specific files num=0
mydeno (alpine 3.20.3)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
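As an added example (not part of the original scrap, and not Trivy's own code), here is the gate a CI pipeline would put around the scan shown above. It reads the JSON that `trivy image --format json --output report.json mydeno` writes and fails the build when findings at or above a chosen severity remain, optionally skipping entries that have no fixed version yet. The embedded SAMPLE_REPORT is a constructed, trimmed report that mirrors the CVE-2024-9143 finding from the first scan; the function names are my own and the field names are the ones Trivy's JSON output uses.

```python
import json
from typing import Dict, List

# Severity ranking, lowest to highest (same set Trivy prints in its Total line).
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the shape of `trivy image --format json mydeno`,
# trimmed to the fields this gate reads. It mirrors the page's first scan:
# one CVE reported against two OpenSSL packages, both with a fix available.
SAMPLE_REPORT = json.loads("""
{
  "ArtifactName": "mydeno",
  "Results": [
    {
      "Target": "mydeno (alpine 3.20.3)",
      "Class": "os-pkgs",
      "Type": "alpine",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2024-9143", "PkgName": "libcrypto3",
         "InstalledVersion": "3.3.2-r0", "FixedVersion": "3.3.2-r1",
         "Status": "fixed", "Severity": "LOW"},
        {"VulnerabilityID": "CVE-2024-9143", "PkgName": "libssl3",
         "InstalledVersion": "3.3.2-r0", "FixedVersion": "3.3.2-r1",
         "Status": "fixed", "Severity": "LOW"}
      ]
    }
  ]
}
""")


def rank(severity: str) -> int:
    """Position of a severity in SEVERITY_ORDER; unexpected strings count as UNKNOWN."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def load_report(path: str) -> Dict:
    """Read a report written by `trivy image --format json --output <path>`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def findings(report: Dict, min_severity: str = "HIGH",
             ignore_unfixed: bool = False) -> List[Dict]:
    """Return every vulnerability at or above min_severity.

    With ignore_unfixed=True, entries without a FixedVersion are dropped,
    since a rebuild cannot remove them yet (the idea behind --ignore-unfixed).
    """
    threshold = rank(min_severity)
    hits = []
    for result in report.get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" for clean targets.
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            if rank(sev) < threshold:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            hits.append({
                "target": result.get("Target"),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion"),
                "severity": sev,
            })
    return hits


def summarize(report: Dict) -> Dict[str, int]:
    """Count findings per severity, like the 'Total: ...' line of the table output."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev if sev in counts else "UNKNOWN"] += 1
    return counts


def exit_code(report: Dict, min_severity: str = "HIGH",
              ignore_unfixed: bool = False) -> int:
    """0 when the gate passes, 1 when any finding remains (like --exit-code 1)."""
    return 1 if findings(report, min_severity, ignore_unfixed) else 0


if __name__ == "__main__":
    import sys
    # Usage: python trivy_gate.py report.json  (no argument: evaluate the sample)
    report = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    print(summarize(report))
    for f in findings(report, min_severity="LOW"):
        print(f"{f['severity']:8} {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']}")
    sys.exit(exit_code(report, min_severity="LOW"))
```

Without an argument the script evaluates the embedded sample, which fails at the LOW threshold and passes at the default HIGH threshold, matching the page's table. Trivy can apply the same policy in one command (`trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 mydeno`); parsing the JSON yourself is worthwhile when you want to keep the full report as a build artifact and express a policy the flags cannot. Two points to keep in mind with the fix shown on this page: `RUN apk upgrade --no-cache` makes the image depend on whatever the Alpine repository holds at build time rather than only on the pinned base tag, so two builds of the same Dockerfile can differ, and the vulnerability DB is refreshed daily (note the NextUpdate timestamp in the version output), so a clean scan is a statement about today and the image should be rescanned on a schedule rather than only at build time.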