Rocky Linux8 に Trivy をインストールして Docker の検査を行う

Software Design 2021年12月号 で Docker 特集が組まれており、Trivy が紹介されていたので試してみました。 今回は Rocky Linux8 上で動作確認しています。 尚、Trivy の GitHub リポジトリはこちら です。

インストール

Trivy のインストール方法は Installation に記載されています。 インストール方法は幾つかあります。

リポジトリからインストールする

リポジトリからインストールする場合、まずリポジトリを定義します。

cat << 'EOF' > /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
gpgcheck=0
enabled=1
EOF

あとはパッケージマネージャでインストールするだけです。

dnf -y check-update
dnf -y install trivy

インストールされました。

# trivy --version
Version: 0.21.1

シェルスクリプトでインストールする

シェルスクリプトでインストールする場合は以下を実行します。 以下では v0.21.1 を指定しており、このバージョンがインストールされます。

curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.21.1

インストールされました。

# trivy --version
Version: 0.21.1

ローカル環境の Dockerfile に対して Trivy を実行する

Docker コンテナイメージはビルドせずに ローカル環境にある Dockerfile を検査してみます。 以下の内容で Dockerfile を新規作成します。

FROM ubuntu:20.04

RUN apt-get update
RUN apt-get install nginx

CMD ["nginx", "-g", "daemon off";]

trivy config に Dockerfile があるパスを指定すると検査することが可能です。 今回は以下のように表示されました。

# trivy config .
2021-11-28T12:11:19.621+0900    INFO    Detected config files: 1

Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 20, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0)

+---------------------------+------------+------------------------------------------+----------+------------------------------------------+
|           TYPE            | MISCONF ID |                  CHECK                   | SEVERITY |                 MESSAGE                  |
+---------------------------+------------+------------------------------------------+----------+------------------------------------------+
| Dockerfile Security Check |   DS002    | root user                                |   HIGH   | Specify at least 1 USER                  |
|                           |            |                                          |          | command in Dockerfile with               |
|                           |            |                                          |          | non-root user as argument                |
|                           |            |                                          |          | -->avd.aquasec.com/appshield/ds002       |
+                           +------------+------------------------------------------+          +------------------------------------------+
|                           |   DS017    | 'RUN <package-manager> update'           |          | The instruction 'RUN <package-manager>   |
|                           |            | instruction alone                        |          | update' should always be followed        |
|                           |            |                                          |          | by '<package-manager> install'           |
|                           |            |                                          |          | in the same RUN statement.               |
|                           |            |                                          |          | -->avd.aquasec.com/appshield/ds017       |
+                           +------------+------------------------------------------+          +------------------------------------------+
|                           |   DS021    | 'apt-get' missing '-y' to avoid manual   |          | '-y' flag is missed:                     |
|                           |            | input                                    |          | 'apt-get install nginx'                  |
|                           |            |                                          |          | -->avd.aquasec.com/appshield/ds021       |
+---------------------------+------------+------------------------------------------+----------+------------------------------------------+

修正した Dockerfile に対して Trivy を実行する

Trivy の検査結果を参考に、Dockerfile の内容を以下のように修正します。

FROM ubuntu:20.04

RUN apt-get update &&
    apt-get -y install nginx

CMD ["nginx", "-g", "daemon off";]

再度、Trivy を実行すると警告が表示されなくなりました。

# trivy config .
2021-11-28T12:59:03.502+0900    INFO    Detected config files: 0
#

コンテナイメージに対して検査を実行する

リポジトリ上に存在するコンテナイメージに対して Trivy を実行することも可能です。 以下では Docker Hub 上の nginx に対して Trivy を実行しています。

# trivy image nginx
2021-11-28T13:08:47.298+0900    INFO    Detected OS: debian
2021-11-28T13:08:47.298+0900    INFO    Detecting Debian vulnerabilities...
2021-11-28T13:08:47.317+0900    INFO    Number of language-specific files: 0

nginx (debian 11.1)
===================
Total: 99 (UNKNOWN: 0, LOW: 81, MEDIUM: 7, HIGH: 7, CRITICAL: 4)

+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                  TITLE                  |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| apt              | CVE-2011-3374    | LOW      | 2.2.4             |               | It was found that apt-key in apt,       |
|                  |                  |          |                   |               | all versions, do not correctly...       |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2011-3374    |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
    …snip…
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| perl-base        | CVE-2020-16156   | MEDIUM   | 5.32.1-4+deb11u2  |               | [Signature Verification Bypass]         |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-16156   |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2011-4116    | LOW      |                   |               | perl: File::Temp insecure               |
|                  |                  |          |                   |               | temporary file handling                 |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2011-4116    |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| tar              | CVE-2005-2541    |          | 1.34+dfsg-1       |               | tar: does not properly warn the user    |
|                  |                  |          |                   |               | when extracting setuid or setgid...     |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2005-2541    |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+

参考

trivy のヘルプ

# trivy --help
NAME:
   trivy - A simple and comprehensive vulnerability scanner for containers

USAGE:
   trivy [global options] command [command options] target

VERSION:
   0.21.1

COMMANDS:
   image, i          scan an image
   filesystem, fs    scan local filesystem for language-specific dependencies and config files
   rootfs            scan rootfs
   repository, repo  scan remote repository
   client, c         client mode
   server, s         server mode
   config, conf      scan config files
   plugin, p         manage plugins
   help, h           Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --quiet, -q        suppress progress bar and log output (default: false) [$TRIVY_QUIET]
   --debug, -d        debug mode (default: false) [$TRIVY_DEBUG]
   --cache-dir value  cache directory (default: "/root/.cache/trivy") [$TRIVY_CACHE_DIR]
   --help, -h         show help (default: false)
   --version, -v      print the version (default: false)

インストールスクリプト

現時点の インストールスクリプト は以下の内容になっていました。

#!/bin/sh
set -e
# Code generated by godownloader on 2020-01-14T10:03:29Z. DO NOT EDIT.
#

usage() {
  this=$1
  cat <<EOF
$this: download go binaries for aquasecurity/trivy

Usage: $this [-b] bindir [-d] [tag]
  -b sets bindir or installation directory, Defaults to ./bin
  -d turns on debug logging
   [tag] is a tag from
   https://github.com/aquasecurity/trivy/releases
   If tag is missing, then the latest will be used.

 Generated by godownloader
  https://github.com/goreleaser/godownloader

EOF
  exit 2
}

parse_args() {
  #BINDIR is ./bin unless set be ENV
  # over-ridden by flag below

  BINDIR=${BINDIR:-./bin}
  while getopts "b:dh?x" arg; do
    case "$arg" in
      b) BINDIR="$OPTARG" ;;
      d) log_set_priority 10 ;;
      h | \?) usage "$0" ;;
      x) set -x ;;
    esac
  done
  shift $((OPTIND - 1))
  TAG=$1
}
# this function wraps all the destructive operations
# if a curl|bash cuts off the end of the script due to
# network, either nothing will happen or will syntax error
# out preventing half-done work
execute() {
  tmpdir=$(mktemp -d)
  log_debug "downloading files into ${tmpdir}"
  http_download "${tmpdir}/${TARBALL}" "${TARBALL_URL}"
  http_download "${tmpdir}/${CHECKSUM}" "${CHECKSUM_URL}"
  hash_sha256_verify "${tmpdir}/${TARBALL}" "${tmpdir}/${CHECKSUM}"
  srcdir="${tmpdir}"
  (cd "${tmpdir}" && untar "${TARBALL}")
  test ! -d "${BINDIR}" && install -d "${BINDIR}"
  for binexe in $BINARIES; do
    if [ "$OS" = "windows" ]; then
      binexe="${binexe}.exe"
    fi
    install "${srcdir}/${binexe}" "${BINDIR}/"
    log_info "installed ${BINDIR}/${binexe}"
  done
  rm -rf "${tmpdir}"
}
get_binaries() {
  case "$PLATFORM" in
    darwin/386) BINARIES="trivy" ;;
    darwin/amd64) BINARIES="trivy" ;;
    darwin/arm64) BINARIES="trivy" ;;
    darwin/armv7) BINARIES="trivy" ;;
    freebsd/386) BINARIES="trivy" ;;
    freebsd/amd64) BINARIES="trivy" ;;
    freebsd/arm64) BINARIES="trivy" ;;
    freebsd/armv7) BINARIES="trivy" ;;
    linux/386) BINARIES="trivy" ;;
    linux/amd64) BINARIES="trivy" ;;
    linux/ppc64le) BINARIES="trivy" ;;
    linux/arm64) BINARIES="trivy" ;;
    linux/armv7) BINARIES="trivy" ;;
    openbsd/386) BINARIES="trivy" ;;
    openbsd/amd64) BINARIES="trivy" ;;
    openbsd/arm64) BINARIES="trivy" ;;
    openbsd/armv7) BINARIES="trivy" ;;
    *)
      log_crit "platform $PLATFORM is not supported.  Make sure this script is up-to-date and file request at https://github.com/${PREFIX}/issues/new"
      exit 1
      ;;
  esac
}
tag_to_version() {
  if [ -z "${TAG}" ]; then
    log_info "checking GitHub for latest tag"
  else
    log_info "checking GitHub for tag '${TAG}'"
  fi
  REALTAG=$(github_release "$OWNER/$REPO" "${TAG}") && true
  if test -z "$REALTAG"; then
    log_crit "unable to find '${TAG}' - use 'latest' or see https://github.com/${PREFIX}/releases for details"
    exit 1
  fi
  # if version starts with 'v', remove it
  TAG="$REALTAG"
  VERSION=${TAG#v}
}
adjust_format() {
  # change format (tar.gz or zip) based on OS
  true
}
adjust_os() {
  # adjust archive name based on OS
  case ${OS} in
    386) OS=32bit ;;
    amd64) OS=64bit ;;
    arm) OS=ARM ;;
    arm64) OS=ARM64 ;;
    ppc64le) OS=PPC64LE ;;
    darwin) OS=macOS ;;
    dragonfly) OS=DragonFlyBSD ;;
    freebsd) OS=FreeBSD ;;
    linux) OS=Linux ;;
    netbsd) OS=NetBSD ;;
    openbsd) OS=OpenBSD ;;
  esac
  true
}
adjust_arch() {
  # adjust archive name based on ARCH
  case ${ARCH} in
    386) ARCH=32bit ;;
    amd64) ARCH=64bit ;;
    arm) ARCH=ARM ;;
    arm64) ARCH=ARM64 ;;
    ppc64le) OS=PPC64LE ;;
    darwin) ARCH=macOS ;;
    dragonfly) ARCH=DragonFlyBSD ;;
    freebsd) ARCH=FreeBSD ;;
    linux) ARCH=Linux ;;
    netbsd) ARCH=NetBSD ;;
    openbsd) ARCH=OpenBSD ;;
  esac
  true
}

cat /dev/null <<EOF
------------------------------------------------------------------------
GitHub - client9/shlib: portable functions for posix shell environments
portablefunctionsforposixshellenvironments.Contributetoclient9/shlibdevelopmentbycreatinganaccountonGitHub.
- portable posix shell functions Public domain - http://unlicense.org
shlib/LICENSE.md at master · client9/shlib
portablefunctionsforposixshellenvironments.Contributetoclient9/shlibdevelopmentbycreatinganaccountonGitHub.
but credit (and pull requests) appreciated. ------------------------------------------------------------------------ EOF is_command() { command -v "$1" >/dev/null } echoerr() { echo "$@" 1>&2 } log_prefix() { echo "$0" } _logp=6 log_set_priority() { _logp="$1" } log_priority() { if test -z "$1"; then echo "$_logp" return fi [ "$1" -le "$_logp" ] } log_tag() { case $1 in 0) echo "emerg" ;; 1) echo "alert" ;; 2) echo "crit" ;; 3) echo "err" ;; 4) echo "warning" ;; 5) echo "notice" ;; 6) echo "info" ;; 7) echo "debug" ;; *) echo "$1" ;; esac } log_debug() { log_priority 7 || return 0 echo "$(log_prefix)" "$(log_tag 7)" "$@" } log_info() { log_priority 6 || return 0 echo "$(log_prefix)" "$(log_tag 6)" "$@" } log_err() { log_priority 3 || return 0 echoerr "$(log_prefix)" "$(log_tag 3)" "$@" } log_crit() { log_priority 2 || return 0 echoerr "$(log_prefix)" "$(log_tag 2)" "$@" } uname_os() { os=$(uname -s | tr '[:upper:]' '[:lower:]') case "$os" in cygwin_nt*) os="windows" ;; mingw*) os="windows" ;; msys_nt*) os="windows" ;; esac echo "$os" } uname_arch() { arch=$(uname -m) case $arch in x86_64) arch="amd64" ;; x86) arch="386" ;; i686) arch="386" ;; i386) arch="386" ;; ppc64le) arch="ppc64le" ;; aarch64) arch="arm64" ;; armv5*) arch="armv5" ;; armv6*) arch="armv6" ;; armv7*) arch="armv7" ;; esac echo ${arch} } uname_os_check() { os=$(uname_os) case "$os" in darwin) return 0 ;; dragonfly) return 0 ;; freebsd) return 0 ;; linux) return 0 ;; android) return 0 ;; nacl) return 0 ;; netbsd) return 0 ;; openbsd) return 0 ;; plan9) return 0 ;; solaris) return 0 ;; windows) return 0 ;; esac log_crit "uname_os_check '$(uname -s)' got converted to '$os' which is not a GOOS value. Please file bug at https://github.com/client9/shlib" return 1 } uname_arch_check() { arch=$(uname_arch) case "$arch" in 386) return 0 ;; amd64) return 0 ;; arm64) return 0 ;; armv5) return 0 ;; armv6) return 0 ;; armv7) return 0 ;; ppc64) return 0 ;; ppc64le) return 0 ;; mips) return 0 ;; mipsle) return 0 ;; mips64) return 0 ;; mips64le) return 0 ;; s390x) return 0 ;; amd64p32) return 0 ;; esac log_crit "uname_arch_check '$(uname -m)' got converted to '$arch' which is not a GOARCH value. Please file bug report at https://github.com/client9/shlib" return 1 } untar() { tarball=$1 case "${tarball}" in *.tar.gz | *.tgz) tar --no-same-owner -xzf "${tarball}" ;; *.tar) tar --no-same-owner -xf "${tarball}" ;; *.zip) unzip "${tarball}" ;; *) log_err "untar unknown archive format for ${tarball}" return 1 ;; esac } http_download_curl() { local_file=$1 source_url=$2 header=$3 if [ -z "$header" ]; then code=$(curl -w '%{http_code}' -sL -o "$local_file" "$source_url") else code=$(curl -w '%{http_code}' -sL -H "$header" -o "$local_file" "$source_url") fi if [ "$code" != "200" ]; then log_debug "http_download_curl received HTTP status $code" return 1 fi return 0 } http_download_wget() { local_file=$1 source_url=$2 header=$3 if [ -z "$header" ]; then wget -q -O "$local_file" "$source_url" else wget -q --header "$header" -O "$local_file" "$source_url" fi } http_download() { log_debug "http_download $2" if is_command curl; then http_download_curl "$@" return elif is_command wget; then http_download_wget "$@" return fi log_crit "http_download unable to find wget or curl" return 1 } http_copy() { tmp=$(mktemp) http_download "${tmp}" "$1" "$2" || return 1 body=$(cat "$tmp") rm -f "${tmp}" echo "$body" } github_release() { owner_repo=$1 version=$2 test -z "$version" && version="latest" giturl="https://github.com/${owner_repo}/releases/${version}" json=$(http_copy "$giturl" "Accept:application/json") test -z "$json" && return 1 version=$(echo "$json" | tr -s '\n' ' ' | sed 's/.*"tag_name":"//' | sed 's/".*//') test -z "$version" && return 1 echo "$version" } hash_sha256() { TARGET=${1:-/dev/stdin} if is_command gsha256sum; then hash=$(gsha256sum "$TARGET") || return 1 echo "$hash" | cut -d ' ' -f 1 elif is_command sha256sum; then hash=$(sha256sum "$TARGET") || return 1 echo "$hash" | cut -d ' ' -f 1 elif is_command shasum; then hash=$(shasum -a 256 "$TARGET" 2>/dev/null) || return 1 echo "$hash" | cut -d ' ' -f 1 elif is_command openssl; then hash=$(openssl -dst openssl dgst -sha256 "$TARGET") || return 1 echo "$hash" | cut -d ' ' -f a else log_crit "hash_sha256 unable to find command to compute sha-256 hash" return 1 fi } hash_sha256_verify() { TARGET=$1 checksums=$2 if [ -z "$checksums" ]; then log_err "hash_sha256_verify checksum file not specified in arg2" return 1 fi BASENAME=${TARGET##*/} want=$(grep "${BASENAME}" "${checksums}" 2>/dev/null | tr '\t' ' ' | cut -d ' ' -f 1) if [ -z "$want" ]; then log_err "hash_sha256_verify unable to find checksum for '${TARGET}' in '${checksums}'" return 1 fi got=$(hash_sha256 "$TARGET") if [ "$want" != "$got" ]; then log_err "hash_sha256_verify checksum for '$TARGET' did not verify ${want} vs $got" return 1 fi } cat /dev/null <<EOF ------------------------------------------------------------------------ End of functions from https://github.com/client9/shlib ------------------------------------------------------------------------ EOF PROJECT_NAME="trivy" OWNER=aquasecurity REPO="trivy" BINARY=trivy FORMAT=tar.gz OS=$(uname_os) ARCH=$(uname_arch) PREFIX="$OWNER/$REPO" # use in logging routines log_prefix() { echo "$PREFIX" } PLATFORM="${OS}/${ARCH}" GITHUB_DOWNLOAD=https://github.com/${OWNER}/${REPO}/releases/download uname_os_check "$OS" uname_arch_check "$ARCH" parse_args "$@" get_binaries tag_to_version adjust_format adjust_os adjust_arch log_info "found version: ${VERSION} for ${TAG}/${OS}/${ARCH}" NAME=${PROJECT_NAME}_${VERSION}_${OS}-${ARCH} TARBALL=${NAME}.${FORMAT} TARBALL_URL=${GITHUB_DOWNLOAD}/${TAG}/${TARBALL} CHECKSUM=${PROJECT_NAME}_${VERSION}_checksums.txt CHECKSUM_URL=${GITHUB_DOWNLOAD}/${TAG}/${CHECKSUM} execute

コメント

タイトルとURLをコピーしました