Scan Docker Images for Vulnerabilities

  • What each tool can scan, and what it cannot detect

  • Which tools exist, and the characteristics of each

  • Whether the tool is open source or commercial

  • How easy it is to integrate into a pipeline

  • Report format

  • Whether a separate server and database are required

Tool 1: trivy

output:

➜   trivy python:alpine
2019-12-12T09:40:48.656+0800 INFO Detecting Alpine vulnerabilities...

python:alpine (alpine 3.10.2)
=============================
Total: 9 (UNKNOWN: 0, LOW: 2, MEDIUM: 7, HIGH: 0, CRITICAL: 0)

+-----------+------------------+----------+-------------------+---------------+--------------------------------+
|  LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+-----------+------------------+----------+-------------------+---------------+--------------------------------+
| e2fsprogs | CVE-2019-5094    | MEDIUM   | 1.45.2-r0         | 1.45.2-r1     | e2fsprogs: crafted             |
|           |                  |          |                   |               | ext4 partition leads to        |
|           |                  |          |                   |               | out-of-bounds write            |
+-----------+------------------+          +-------------------+---------------+--------------------------------+
| expat     | CVE-2019-15903   |          | 2.2.7-r0          | 2.2.7-r1      | expat: heap-based buffer       |
|           |                  |          |                   |               | over-read via crafted XML      |
|           |                  |          |                   |               | input                          |
+-----------+------------------+          +-------------------+---------------+--------------------------------+
| libgcrypt | CVE-2019-13627   |          | 1.8.4-r2          | 1.8.5-r0      | libgcrypt: ECDSA timing        |
|           |                  |          |                   |               | attack in the libgcrypt20      |
|           |                  |          |                   |               | cryptographic library          |
+-----------+------------------+          +-------------------+---------------+--------------------------------+
(100 lines omitted)
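The table above is what trivy prints for a human; for the pipeline-integration and report-format questions listed at the top, the input a CI job actually consumes is trivy's JSON output (`trivy --format json -o report.json python:alpine`). For the simple case trivy's own `--severity` and `--exit-code` flags are enough; the script below is an added example (not code from the post or from the trivy project) of the next step a pipeline usually needs: tallying the report by severity, deciding pass/fail against a threshold, and optionally skipping findings that have no fixed version yet. The embedded report is a constructed sample that mirrors the three rows shown above plus one placeholder finding; it assumes the 2019-era trivy JSON shape (a list of targets) and also accepts the later `{"SchemaVersion": 2, "Results": [...]}` wrapper.

```python
"""Gate a CI job on a trivy JSON report (added example, not from the original post)."""
import json
import sys
from collections import Counter

# Severity order trivy uses; a finding at or above the threshold blocks the build.
SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the 2019-era trivy JSON shape (a list of scan targets).
# The first three entries mirror the table in the post; the last one is a
# placeholder (not a real CVE) with no fix available, to exercise ignore_unfixed.
SAMPLE_REPORT = json.dumps([
    {
        "Target": "python:alpine (alpine 3.10.2)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2019-5094", "PkgName": "e2fsprogs",
             "InstalledVersion": "1.45.2-r0", "FixedVersion": "1.45.2-r1",
             "Severity": "MEDIUM",
             "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write"},
            {"VulnerabilityID": "CVE-2019-15903", "PkgName": "expat",
             "InstalledVersion": "2.2.7-r0", "FixedVersion": "2.2.7-r1",
             "Severity": "MEDIUM",
             "Title": "expat: heap-based buffer over-read via crafted XML input"},
            {"VulnerabilityID": "CVE-2019-13627", "PkgName": "libgcrypt",
             "InstalledVersion": "1.8.4-r2", "FixedVersion": "1.8.5-r0",
             "Severity": "MEDIUM",
             "Title": "libgcrypt: ECDSA timing attack in the libgcrypt20 cryptographic library"},
            {"VulnerabilityID": "CVE-XXXX-PLACEHOLDER", "PkgName": "example-pkg",
             "InstalledVersion": "1.0-r0", "FixedVersion": "",
             "Severity": "HIGH", "Title": "constructed placeholder finding"},
        ],
    }
])

# The same sample wrapped in the newer trivy envelope.
SAMPLE_REPORT_V2 = json.dumps({"SchemaVersion": 2, "Results": json.loads(SAMPLE_REPORT)})


def load_findings(report_text):
    """Flatten either trivy JSON shape into a list of uniform finding dicts."""
    data = json.loads(report_text)
    results = data["Results"] if isinstance(data, dict) else data
    findings = []
    for result in results:
        # Trivy emits null (not []) when a target has no vulnerabilities.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            })
    return findings


def severity_counts(findings):
    """Per-severity totals, in the same order as trivy's 'Total:' summary line."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def gate(findings, threshold="HIGH", ignore_unfixed=False):
    """Return (passed, blocking_findings) for the given severity threshold.

    ignore_unfixed skips findings with no FixedVersion, the same policy as
    trivy's --ignore-unfixed flag, so a build is not blocked by something
    the image maintainer cannot patch yet.
    """
    rank = {sev: i for i, sev in enumerate(SEVERITIES)}
    blocking = [
        f for f in findings
        if rank.get(f["severity"], 0) >= rank[threshold]
        and not (ignore_unfixed and not f["fixed"])
    ]
    return (len(blocking) == 0, blocking)


def summary_line(findings):
    """Render the counts the way trivy's table header does."""
    counts = severity_counts(findings)
    detail = ", ".join(f"{sev}: {n}" for sev, n in counts.items())
    return f"Total: {len(findings)} ({detail})"


if __name__ == "__main__":
    # Usage: python gate.py report.json [THRESHOLD]; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = sys.argv[2].upper() if len(sys.argv) > 2 else "HIGH"
    found = load_findings(text)
    print(summary_line(found))
    passed, blocking = gate(found, threshold, ignore_unfixed=True)
    for f in blocking:
        print(f"  BLOCK {f['severity']:<8} {f['id']:<22} {f['pkg']} {f['installed']} -> {f['fixed'] or 'no fix'}")
    sys.exit(0 if passed else 1)
```

The exit status is the only thing the pipeline needs; the printed block list is for the build log. Note that the gate only sees what trivy's database knows about: an image with a clean report is not an image without vulnerabilities, which is the "what cannot be detected" question from the list above.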

Tool 2: Anchore

Anchore consists of a commercial edition (Anchore Enterprise) and an open-source edition (Anchore Engine).

Tool 3: open-scap

Tool 4: Dagda

Tool 5: Clair

ref:

  • Copyright: Copyright is owned by the author. For commercial reprints, please contact the author for authorization. For non-commercial reprints, please indicate the source.
  • Copyrights © 2019-2024 John Doe