# trivy image nginx
2021-11-28T13:08:47.298+0900 INFO Detected OS: debian
2021-11-28T13:08:47.298+0900 INFO Detecting Debian vulnerabilities...
2021-11-28T13:08:47.317+0900 INFO Number of language-specific files: 0
nginx (debian 11.1)
===================
Total: 99 (UNKNOWN: 0, LOW: 81, MEDIUM: 7, HIGH: 7, CRITICAL: 4)
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| apt | CVE-2011-3374 | LOW | 2.2.4 | | It was found that apt-key in apt, |
| | | | | | all versions, do not correctly... |
| | | | | | -->avd.aquasec.com/nvd/cve-2011-3374 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
…snip…
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| perl-base | CVE-2020-16156 | MEDIUM | 5.32.1-4+deb11u2 | | [Signature Verification Bypass] |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-16156 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2011-4116 | LOW | | | perl: File::Temp insecure |
| | | | | | temporary file handling |
| | | | | | -->avd.aquasec.com/nvd/cve-2011-4116 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| tar | CVE-2005-2541 | | 1.34+dfsg-1 | | tar: does not properly warn the user |
| | | | | | when extracting setuid or setgid... |
| | | | | | -->avd.aquasec.com/nvd/cve-2005-2541 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
参考
trivy のヘルプ
# trivy --help
NAME:
trivy - A simple and comprehensive vulnerability scanner for containers
USAGE:
trivy [global options] command [command options] target
VERSION:
0.21.1
COMMANDS:
image, i scan an image
filesystem, fs scan local filesystem for language-specific dependencies and config files
rootfs scan rootfs
repository, repo scan remote repository
client, c client mode
server, s server mode
config, conf scan config files
plugin, p manage plugins
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--quiet, -q suppress progress bar and log output (default: false) [$TRIVY_QUIET]
--debug, -d debug mode (default: false) [$TRIVY_DEBUG]
--cache-dir value cache directory (default: "/root/.cache/trivy") [$TRIVY_CACHE_DIR]
--help, -h show help (default: false)
--version, -v print the version (default: false)
#!/bin/sh
set -e
# Code generated by godownloader on 2020-01-14T10:03:29Z. DO NOT EDIT.
#
usage() {
this=$1
cat <<EOF
$this: download go binaries for aquasecurity/trivy
Usage: $this [-b] bindir [-d] [tag]
-b sets bindir or installation directory, Defaults to ./bin
-d turns on debug logging
[tag] is a tag from
https://github.com/aquasecurity/trivy/releases
If tag is missing, then the latest will be used.
Generated by godownloader
https://github.com/goreleaser/godownloader
EOF
exit 2
}
parse_args() {
#BINDIR is ./bin unless set be ENV
# over-ridden by flag below
BINDIR=${BINDIR:-./bin}
while getopts "b:dh?x" arg; do
case "$arg" in
b) BINDIR="$OPTARG" ;;
d) log_set_priority 10 ;;
h | \?) usage "$0" ;;
x) set -x ;;
esac
done
shift $((OPTIND - 1))
TAG=$1
}
# this function wraps all the destructive operations
# if a curl|bash cuts off the end of the script due to
# network, either nothing will happen or will syntax error
# out preventing half-done work
execute() {
tmpdir=$(mktemp -d)
log_debug "downloading files into ${tmpdir}"
http_download "${tmpdir}/${TARBALL}" "${TARBALL_URL}"
http_download "${tmpdir}/${CHECKSUM}" "${CHECKSUM_URL}"
hash_sha256_verify "${tmpdir}/${TARBALL}" "${tmpdir}/${CHECKSUM}"
srcdir="${tmpdir}"
(cd "${tmpdir}" && untar "${TARBALL}")
test ! -d "${BINDIR}" && install -d "${BINDIR}"
for binexe in $BINARIES; do
if [ "$OS" = "windows" ]; then
binexe="${binexe}.exe"
fi
install "${srcdir}/${binexe}" "${BINDIR}/"
log_info "installed ${BINDIR}/${binexe}"
done
rm -rf "${tmpdir}"
}
get_binaries() {
case "$PLATFORM" in
darwin/386) BINARIES="trivy" ;;
darwin/amd64) BINARIES="trivy" ;;
darwin/arm64) BINARIES="trivy" ;;
darwin/armv7) BINARIES="trivy" ;;
freebsd/386) BINARIES="trivy" ;;
freebsd/amd64) BINARIES="trivy" ;;
freebsd/arm64) BINARIES="trivy" ;;
freebsd/armv7) BINARIES="trivy" ;;
linux/386) BINARIES="trivy" ;;
linux/amd64) BINARIES="trivy" ;;
linux/ppc64le) BINARIES="trivy" ;;
linux/arm64) BINARIES="trivy" ;;
linux/armv7) BINARIES="trivy" ;;
openbsd/386) BINARIES="trivy" ;;
openbsd/amd64) BINARIES="trivy" ;;
openbsd/arm64) BINARIES="trivy" ;;
openbsd/armv7) BINARIES="trivy" ;;
*)
log_crit "platform $PLATFORM is not supported. Make sure this script is up-to-date and file request at https://github.com/${PREFIX}/issues/new"
exit 1
;;
esac
}
tag_to_version() {
if [ -z "${TAG}" ]; then
log_info "checking GitHub for latest tag"
else
log_info "checking GitHub for tag '${TAG}'"
fi
REALTAG=$(github_release "$OWNER/$REPO" "${TAG}") && true
if test -z "$REALTAG"; then
log_crit "unable to find '${TAG}' - use 'latest' or see https://github.com/${PREFIX}/releases for details"
exit 1
fi
# if version starts with 'v', remove it
TAG="$REALTAG"
VERSION=${TAG#v}
}
adjust_format() {
# change format (tar.gz or zip) based on OS
true
}
adjust_os() {
# adjust archive name based on OS
case ${OS} in
386) OS=32bit ;;
amd64) OS=64bit ;;
arm) OS=ARM ;;
arm64) OS=ARM64 ;;
ppc64le) OS=PPC64LE ;;
darwin) OS=macOS ;;
dragonfly) OS=DragonFlyBSD ;;
freebsd) OS=FreeBSD ;;
linux) OS=Linux ;;
netbsd) OS=NetBSD ;;
openbsd) OS=OpenBSD ;;
esac
true
}
adjust_arch() {
# adjust archive name based on ARCH
case ${ARCH} in
386) ARCH=32bit ;;
amd64) ARCH=64bit ;;
arm) ARCH=ARM ;;
arm64) ARCH=ARM64 ;;
ppc64le) OS=PPC64LE ;;
darwin) ARCH=macOS ;;
dragonfly) ARCH=DragonFlyBSD ;;
freebsd) ARCH=FreeBSD ;;
linux) ARCH=Linux ;;
netbsd) ARCH=NetBSD ;;
openbsd) ARCH=OpenBSD ;;
esac
true
}
cat /dev/null <<EOF
------------------------------------------------------------------------
コメント