Overview
Trivy ("tri" is pronounced like "trigger", "vy" like "envy") is a simple and comprehensive vulnerability scanner for containers. Trivy detects vulnerabilities in OS packages (Alpine, RHEL, CentOS, etc.) and in application dependencies (Bundler, Composer, npm, yarn, etc.). Trivy is also very easy to use: installing the binary is all it takes to be ready to scan, and you only need to specify the name of the container image to scan.
It is considered suitable for CI: you can easily scan a local container image before pushing it to a container registry. See the Continuous Integration (CI) section below for details.
Features
Comprehensive vulnerability detection
- OS packages (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Debian and Ubuntu)
- Application dependencies (Bundler, Composer, Pipenv, Poetry, npm, yarn and Cargo)
Simple
- Just specify an image name
- See Quick Start and Examples
Easy installation
- No prerequisites such as a database or libraries need to be installed.
- apt-get install, yum install and brew install all work.
High accuracy
- Especially for Alpine Linux and RHEL/CentOS;
- accuracy for other OSes is high too.
DevSecOps
- Suitable for CI such as Travis CI, CircleCI, Jenkins, etc.
Installation
RHEL/CentOS
Add the repository setting to /etc/yum.repos.d.
$ sudo vim /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://knqyf263.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
gpgcheck=0
enabled=1
$ sudo yum -y update
$ sudo yum -y install trivy
Note that gpgcheck=0 in this repository file disables GPG signature verification for the packages installed from it.
or
$ rpm -ivh https://github.com/knqyf263/trivy/releases/download/v0.0.15/trivy_0.0.15_Linux-64bit.rpm
Debian/Ubuntu
Replace [CODE_NAME] with your code name.
CODE_NAME: wheezy, jessie, stretch, buster, trusty, xenial, bionic
$ sudo apt-get install apt-transport-https gnupg
$ wget -qO - https://knqyf263.github.io/trivy-repo/deb/public.key | sudo apt-key add -
$ echo deb https://knqyf263.github.io/trivy-repo/deb [CODE_NAME] main | sudo tee -a /etc/apt/sources.list.d/trivy.list
$ sudo apt-get update
$ sudo apt-get install trivy
or
$ sudo apt-get install rpm
$ wget https://github.com/knqyf263/trivy/releases/download/v0.0.15/trivy_0.0.15_Linux-64bit.deb
$ sudo dpkg -i trivy_0.0.15_Linux-64bit.deb
Mac OS X / Homebrew
You can use Homebrew on Mac OS X.
$ brew install knqyf263/trivy/trivy
Binary (including Windows)
Get the latest version from the releases page and download the archive for your operating system/architecture. Unpack the archive and put the binary somewhere in your $PATH (on UNIX-like systems, /usr/local/bin for example). Make sure its execute bit is set.
You need the rpm command installed in order to scan RHEL/CentOS images.
From source
$ mkdir -p $GOPATH/src/github.com/knqyf263
$ cd $GOPATH/src/github.com/knqyf263
$ git clone https://github.com/knqyf263/trivy
$ cd trivy/cmd/trivy/
$ export GO111MODULE=on
$ go install
Quick Start
Simply specify an image name (and a tag). Avoid using the latest tag, as it causes problems with the image cache; see the Clear image caches section.
Basic usage
$ trivy [YOUR_IMAGE_NAME]
Example
$ trivy python:3.4-alpine
Result
2019-05-16T01:20:43.180+0900 INFO Updating vulnerability database...
2019-05-16T01:20:53.029+0900 INFO Detecting Alpine vulnerabilities...

python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
|         |                  |          |                   |               | with long nonces               |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
Docker
Replace [YOUR_CACHE_DIR] with the cache directory on your machine.
$ docker run --rm -v [YOUR_CACHE_DIR]:/root/.cache/ knqyf263/trivy [YOUR_IMAGE_NAME]
Example for macOS:
$ docker run --rm -v $HOME/Library/Caches:/root/.cache/ knqyf263/trivy python:3.4-alpine
If you want to scan an image that exists on the host, you also need to mount docker.sock.
$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
    -v $HOME/Library/Caches:/root/.cache/ knqyf263/trivy python:3.4-alpine
If an error occurs, pull the latest knqyf263/trivy image again.
Result:
2019-05-16T01:20:43.180+0900 INFO Updating vulnerability database...
2019-05-16T01:20:53.029+0900 INFO Detecting Alpine vulnerabilities...

python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
|         |                  |          |                   |               | with long nonces               |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
Examples
Scan an image
Simply specify an image name (and a tag).
$ trivy knqyf263/test-image:1.2.3
Scan an image file
$ docker save ruby:2.3.0-alpine3.9 -o ruby-2.3.0.tar
$ trivy --input ruby-2.3.0.tar
Save the results as JSON
$ trivy -f json -o results.json golang:1.12-alpine
Result:
2019-05-16T01:46:31.777+0900 INFO Updating vulnerability database...
2019-05-16T01:47:03.007+0900 INFO Detecting Alpine vulnerabilities...
JSON:
[
  {
    "Target": "php-app/composer.lock",
    "Vulnerabilities": null
  },
  {
    "Target": "node-app/package-lock.json",
    "Vulnerabilities": [
      {
        "VulnerabilityID": "CVE-2018-16487",
        "PkgName": "lodash",
        "InstalledVersion": "4.17.4",
        "FixedVersion": "\u003e=4.17.11",
        "Title": "lodash: Prototype pollution in utilities function",
        "Description": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.",
        "Severity": "HIGH",
        "References": [
          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487",
        ]
      }
    ]
  },
  {
    "Target": "trivy-ci-test (alpine 3.7.1)",
    "Vulnerabilities": [
      {
        "VulnerabilityID": "CVE-2018-16840",
        "PkgName": "curl",
        "InstalledVersion": "7.61.0-r0",
        "FixedVersion": "7.61.1-r1",
        "Title": "curl: Use-after-free when closing \"easy\" handle in Curl_close()",
        "Description": "A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. ",
        "Severity": "HIGH",
        "References": [
          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16840",
        ]
      },
      {
        "VulnerabilityID": "CVE-2019-3822",
        "PkgName": "curl",
        "InstalledVersion": "7.61.0-r0",
        "FixedVersion": "7.61.1-r2",
        "Title": "curl: NTLMv2 type-3 header stack buffer overflow",
        "Description": "libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. ",
        "Severity": "HIGH",
        "References": [
          "https://curl.haxx.se/docs/CVE-2019-3822.html",
          "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E"
        ]
      },
      {
        "VulnerabilityID": "CVE-2018-16839",
        "PkgName": "curl",
        "InstalledVersion": "7.61.0-r0",
        "FixedVersion": "7.61.1-r1",
        "Title": "curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message()",
        "Description": "Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.",
        "Severity": "HIGH",
        "References": [
          "https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5",
        ]
      },
      {
        "VulnerabilityID": "CVE-2018-19486",
        "PkgName": "git",
        "InstalledVersion": "2.15.2-r0",
        "FixedVersion": "2.15.3-r0",
        "Title": "git: Improper handling of PATH allows for commands to be executed from the current directory",
        "Description": "Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.",
        "Severity": "HIGH",
        "References": [
          "https://usn.ubuntu.com/3829-1/",
        ]
      },
      {
        "VulnerabilityID": "CVE-2018-17456",
        "PkgName": "git",
        "InstalledVersion": "2.15.2-r0",
        "FixedVersion": "2.15.3-r0",
        "Title": "git: arbitrary code execution via .gitmodules",
        "Description": "Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \"git clone\" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.",
        "Severity": "HIGH",
        "References": [
          "http://www.securitytracker.com/id/1041811",
        ]
      }
    ]
  },
  {
    "Target": "python-app/Pipfile.lock",
    "Vulnerabilities": null
  },
  {
    "Target": "ruby-app/Gemfile.lock",
    "Vulnerabilities": null
  },
  {
    "Target": "rust-app/Cargo.lock",
    "Vulnerabilities": null
  }
]
Filter the vulnerabilities by severity
$ trivy --severity HIGH,CRITICAL ruby:2.3.0
Result:
2019-05-16T01:51:46.255+0900 INFO Updating vulnerability database...
2019-05-16T01:51:49.213+0900 INFO Detecting Debian vulnerabilities...

ruby:2.3.0 (debian 8.4)
=======================
Total: 1785 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1680, CRITICAL: 105)

+-----------------------------+------------------+----------+---------------------------+----------------------------------+-------------------------------------------------+
| LIBRARY                     | VULNERABILITY ID | SEVERITY | INSTALLED VERSION         | FIXED VERSION                    | TITLE                                           |
+-----------------------------+------------------+----------+---------------------------+----------------------------------+-------------------------------------------------+
| apt                         | CVE-2019-3462    | CRITICAL | 1.0.9.8.3                 | 1.0.9.8.5                        | Incorrect sanitation of the                     |
|                             |                  |          |                           |                                  | 302 redirect field in HTTP                      |
|                             |                  |          |                           |                                  | transport method of...                          |
+-----------------------------+------------------+----------+---------------------------+----------------------------------+-------------------------------------------------+
| bash                        | CVE-2019-9924    | HIGH     | 4.3-11                    | 4.3-11+deb8u2                    | bash: BASH_CMD is writable in                   |
|                             |                  |          |                           |                                  | restricted bash shells                          |
+                             +------------------+          +                           +----------------------------------+-------------------------------------------------+
|                             | CVE-2016-7543    |          |                           | 4.3-11+deb8u1                    | bash: Specially crafted                         |
|                             |                  |          |                           |                                  | SHELLOPTS+PS4 variables allows                  |
|                             |                  |          |                           |                                  | command substitution                            |
+-----------------------------+------------------+          +---------------------------+----------------------------------+-------------------------------------------------+
| binutils                    | CVE-2017-8421    |          | 2.25-5                    |                                  | binutils: Memory exhaustion in                  |
|                             |                  |          |                           |                                  | objdump via a crafted PE file                   |
+                             +------------------+          +                           +----------------------------------+-------------------------------------------------+
|                             | CVE-2017-14930   |          |                           |                                  | binutils: Memory leak in                        |
|                             |                  |          |                           |                                  | decode_line_info                                |
+                             +------------------+          +                           +----------------------------------+-------------------------------------------------+
|                             | CVE-2017-7614    |          |                           |                                  | binutils: NULL                                  |
|                             |                  |          |                           |                                  | pointer dereference in                          |
|                             |                  |          |                           |                                  | bfd_elf_final_link function                     |
+                             +------------------+          +                           +----------------------------------+-------------------------------------------------+
|                             | CVE-2014-9939    |          |                           |                                  | binutils: buffer overflow in                    |
|                             |                  |          |                           |                                  | ihex.c                                          |
+                             +------------------+          +                           +----------------------------------+-------------------------------------------------+
|                             | CVE-2017-13716   |          |                           |                                  | binutils: Memory leak with the                  |
|                             |                  |          |                           |                                  | C++ symbol demangler routine                    |
|                             |                  |          |                           |                                  | in libiberty                                    |
+                             +------------------+          +                           +----------------------------------+-------------------------------------------------+
|                             | CVE-2018-12699   |          |                           |                                  | binutils: heap-based buffer                     |
|                             |                  |          |                           |                                  | overflow in finish_stab in                      |
|                             |                  |          |                           |                                  | stabs.c                                         |
+-----------------------------+------------------+          +---------------------------+----------------------------------+-------------------------------------------------+
| bsdutils                    | CVE-2015-5224    |          | 2.25.2-6                  |                                  | util-linux: File name                           |
|                             |                  |          |                           |                                  | collision due to incorrect                      |
|                             |                  |          |                           |                                  | mkstemp use                                     |
+                             +------------------+          +                           +----------------------------------+-------------------------------------------------+
|                             | CVE-2016-2779    |          |                           |                                  | util-linux: runuser tty hijack                  |
|                             |                  |          |                           |                                  | via TIOCSTI ioctl                               |
+-----------------------------+------------------+----------+---------------------------+----------------------------------+-------------------------------------------------+
Filter the vulnerabilities by type
$ trivy --vuln-type os ruby:2.3.0
Available values:
- library
- os
Result:
2019-05-22T19:36:50.530+0200 INFO Updating vulnerability database...
2019-05-22T19:36:51.681+0200 INFO Detecting Alpine vulnerabilities...
2019-05-22T19:36:51.685+0200 INFO Updating npm Security DB...
2019-05-22T19:36:52.389+0200 INFO Detecting npm vulnerabilities...
2019-05-22T19:36:52.390+0200 INFO Updating pipenv Security DB...
2019-05-22T19:36:53.406+0200 INFO Detecting pipenv vulnerabilities...

ruby:2.3.0 (debian 8.4)
Total: 4751 (UNKNOWN: 1, LOW: 150, MEDIUM: 3504, HIGH: 1013, CRITICAL: 83)

+---------+------------------+----------+-------------------+---------------+----------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE                            |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| curl    | CVE-2018-14618   | CRITICAL | 7.61.0-r0         | 7.61.1-r0     | curl: NTLM password overflow     |
|         |                  |          |                   |               | via integer overflow             |
+         +------------------+----------+                   +---------------+----------------------------------+
|         | CVE-2018-16839   | HIGH     |                   | 7.61.1-r1     | curl: Integer overflow leading   |
|         |                  |          |                   |               | to heap-based buffer overflow in |
|         |                  |          |                   |               | Curl_sasl_create_plain_message() |
+         +------------------+          +                   +---------------+----------------------------------+
|         | CVE-2019-3822    |          |                   | 7.61.1-r2     | curl: NTLMv2 type-3 header       |
|         |                  |          |                   |               | stack buffer overflow            |
+         +------------------+          +                   +---------------+----------------------------------+
|         | CVE-2018-16840   |          |                   | 7.61.1-r1     | curl: Use-after-free when        |
|         |                  |          |                   |               | closing "easy" handle in         |
|         |                  |          |                   |               | Curl_close()                     |
+         +------------------+----------+                   +---------------+----------------------------------+
|         | CVE-2019-3823    | MEDIUM   |                   | 7.61.1-r2     | curl: SMTP end-of-response       |
|         |                  |          |                   |               | out-of-bounds read               |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2018-16890   |          |                   |               | curl: NTLM type-2 heap           |
|         |                  |          |                   |               | out-of-bounds buffer read        |
+         +------------------+          +                   +---------------+----------------------------------+
|         | CVE-2018-16842   |          |                   | 7.61.1-r1     | curl: Heap-based buffer          |
|         |                  |          |                   |               | over-read in the curl tool       |
|         |                  |          |                   |               | warning formatting               |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| git     | CVE-2018-17456   | HIGH     | 2.15.2-r0         | 2.15.3-r0     | git: arbitrary code execution    |
|         |                  |          |                   |               | via .gitmodules                  |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2018-19486   |          |                   |               | git: Improper handling of        |
|         |                  |          |                   |               | PATH allows for commands to be   |
|         |                  |          |                   |               | executed from...                 |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| libssh2 | CVE-2019-3855    | CRITICAL | 1.8.0-r2          | 1.8.1-r0      | libssh2: Integer overflow in     |
|         |                  |          |                   |               | transport read resulting in      |
|         |                  |          |                   |               | out of bounds write...           |
+         +------------------+----------+                   +               +----------------------------------+
|         | CVE-2019-3861    | MEDIUM   |                   |               | libssh2: Out-of-bounds reads     |
|         |                  |          |                   |               | with specially crafted SSH       |
|         |                  |          |                   |               | packets                          |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3857    |          |                   |               | libssh2: Integer overflow in     |
|         |                  |          |                   |               | SSH packet processing channel    |
|         |                  |          |                   |               | resulting in out of...           |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3856    |          |                   |               | libssh2: Integer overflow in     |
|         |                  |          |                   |               | keyboard interactive handling    |
|         |                  |          |                   |               | resulting in out of bounds...    |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3863    |          |                   |               | libssh2: Integer overflow        |
|         |                  |          |                   |               | in user authenticate             |
|         |                  |          |                   |               | keyboard interactive allows      |
|         |                  |          |                   |               | out-of-bounds writes             |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3862    |          |                   |               | libssh2: Out-of-bounds memory    |
|         |                  |          |                   |               | comparison with specially        |
|         |                  |          |                   |               | crafted message channel          |
|         |                  |          |                   |               | request                          |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3860    |          |                   |               | libssh2: Out-of-bounds reads     |
|         |                  |          |                   |               | with specially crafted SFTP      |
|         |                  |          |                   |               | packets                          |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3858    |          |                   |               | libssh2: Zero-byte allocation    |
|         |                  |          |                   |               | with a specially crafted SFTP    |
|         |                  |          |                   |               | packed leading to an...          |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3859    |          |                   |               | libssh2: Unchecked use of        |
|         |                  |          |                   |               | _libssh2_packet_require and      |
|         |                  |          |                   |               | _libssh2_packet_requirev         |
|         |                  |          |                   |               | resulting in out-of-bounds       |
|         |                  |          |                   |               | read                             |
+---------+------------------+          +-------------------+---------------+----------------------------------+
| libxml2 | CVE-2018-14404   |          | 2.9.7-r0          | 2.9.8-r1      | libxml2: NULL pointer            |
|         |                  |          |                   |               | dereference in                   |
|         |                  |          |                   |               | xpath.c:xmlXPathCompOpEval()     |
|         |                  |          |                   |               | can allow attackers to cause     |
|         |                  |          |                   |               | a...                             |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2018-14567   |          |                   |               | libxml2: Infinite loop when      |
|         |                  |          |                   |               | --with-lzma is used allows for   |
|         |                  |          |                   |               | denial of service...             |
+         +------------------+----------+                   +               +----------------------------------+
|         | CVE-2018-9251    | LOW      |                   |               | libxml2: infinite loop in        |
|         |                  |          |                   |               | xz_decomp function in xzlib.c    |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| openssh | CVE-2019-6109    | MEDIUM   | 7.5_p1-r9         | 7.5_p1-r10    | openssh: Missing character       |
|         |                  |          |                   |               | encoding in progress display     |
|         |                  |          |                   |               | allows for spoofing of scp...    |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-6111    |          |                   |               | openssh: Improper validation     |
|         |                  |          |                   |               | of object names allows           |
|         |                  |          |                   |               | malicious server to overwrite    |
|         |                  |          |                   |               | files...                         |
+         +------------------+----------+                   +               +----------------------------------+
|         | CVE-2018-20685   | LOW      |                   |               | openssh: scp client improper     |
|         |                  |          |                   |               | directory name validation        |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| sqlite  | CVE-2018-20346   | MEDIUM   | 3.21.0-r1         | 3.25.3-r0     | CVE-2018-20505 CVE-2018-20506    |
|         |                  |          |                   |               | sqlite: Multiple flaws in        |
|         |                  |          |                   |               | sqlite which can be triggered    |
|         |                  |          |                   |               | via...                           |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| tar     | CVE-2018-20482   | LOW      | 1.29-r1           | 1.31-r0       | tar: Infinite read loop in       |
|         |                  |          |                   |               | sparse_dump_region function in   |
|         |                  |          |                   |               | sparse.c                         |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
Skip the update of the vulnerability database
Trivy updates its vulnerability database when it starts. This usually does not take much time, since it is a differential update. If you want to skip this step anyway, use the --skip-update option.
$ trivy --skip-update python:3.4-alpine3.9
Result:
2019-05-16T12:48:08.703+0900 INFO Detecting Alpine vulnerabilities...

python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
|         |                  |          |                   |               | with long nonces               |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
Update only the vulnerability database of the distributions you specify
By default, Trivy updates the vulnerability databases of all distributions. With the --only-update option you can restrict the update to the distributions you specify.
$ trivy --only-update alpine,debian python:3.4-alpine3.9
$ trivy --only-update alpine python:3.4-alpine3.9
Result:
2019-05-21T19:37:06.301+0900 INFO Updating vulnerability database...
2019-05-21T19:37:07.793+0900 INFO Updating alpine data...
2019-05-21T19:37:08.127+0900 INFO Detecting Alpine vulnerabilities...

python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
|         |                  |          |                   |               | with long nonces               |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
Ignore unfixed vulnerabilities
By default, Trivy also reports unfixed/unfixable vulnerabilities: vulnerabilities that remain even after you have updated every package, because the distribution has not yet shipped a fix. If you want to ignore them, use the --ignore-unfixed option.
$ trivy --ignore-unfixed ruby:2.3.0
Result:
2019-05-16T12:49:52.656+0900 INFO Updating vulnerability database...
2019-05-16T12:50:14.786+0900 INFO Detecting Debian vulnerabilities...

ruby:2.3.0 (debian 8.4)
=======================
Total: 4730 (UNKNOWN: 1, LOW: 145, MEDIUM: 3487, HIGH: 1014, CRITICAL: 83)

+------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
| LIBRARY                      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION          | FIXED VERSION                    | TITLE                                               |
+------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
| apt                          | CVE-2019-3462    | CRITICAL | 1.0.9.8.3                  | 1.0.9.8.5                        | Incorrect sanitation of the                         |
|                              |                  |          |                            |                                  | 302 redirect field in HTTP                          |
|                              |                  |          |                            |                                  | transport method of...                              |
+                              +------------------+----------+                            +----------------------------------+-----------------------------------------------------+
|                              | CVE-2016-1252    | MEDIUM   |                            | 1.0.9.8.4                        | The apt package in Debian                           |
|                              |                  |          |                            |                                  | jessie before 1.0.9.8.4, in                         |
|                              |                  |          |                            |                                  | Debian unstable before...                           |
+------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
| bash                         | CVE-2019-9924    | HIGH     | 4.3-11                     | 4.3-11+deb8u2                    | bash: BASH_CMD is writable in                       |
|                              |                  |          |                            |                                  | restricted bash shells                              |
+                              +------------------+          +                            +----------------------------------+-----------------------------------------------------+
|                              | CVE-2016-7543    |          |                            | 4.3-11+deb8u1                    | bash: Specially crafted                             |
|                              |                  |          |                            |                                  | SHELLOPTS+PS4 variables allows                      |
|                              |                  |          |                            |                                  | command substitution                                |
+                              +------------------+----------+                            +                                  +-----------------------------------------------------+
|                              | CVE-2016-0634    | MEDIUM   |                            |                                  | bash: Arbitrary code execution                      |
|                              |                  |          |                            |                                  | via malicious hostname                              |
+                              +------------------+----------+                            +----------------------------------+-----------------------------------------------------+
|                              | CVE-2016-9401    | LOW      |                            | 4.3-11+deb8u2                    | bash: popd controlled free                          |
+------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
...
Specify the exit code
By default, Trivy exits with code 0 even when vulnerabilities are detected. If you want it to exit with a non-zero code instead, use the --exit-code option.
$ trivy --exit-code 1 python:3.4-alpine3.9
Result:
2019-05-16T12:51:43.500+0900 INFO Updating vulnerability database...
2019-05-16T12:52:00.387+0900 INFO Detecting Alpine vulnerabilities...

python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
|         |                  |          |                   |               | with long nonces               |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
This option is useful for CI/CD. In the following example, the test fails only when a critical vulnerability is found.
$ trivy --exit-code 0 --severity MEDIUM,HIGH ruby:2.3.0
$ trivy --exit-code 1 --severity CRITICAL ruby:2.3.0
Ignore the specified vulnerabilities
Use a .trivyignore file.
$ cat .trivyignore
# Accept the risk
CVE-2018-14618

# No impact in our settings
CVE-2019-1543

$ trivy python:3.4-alpine3.9
Result:
2019-05-16T12:53:10.076+0900 INFO Updating vulnerability database...
2019-05-16T12:53:28.134+0900 INFO Detecting Alpine vulnerabilities...

python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
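The four options above (--severity, --ignore-unfixed, --exit-code and .trivyignore) can also be reproduced on the JSON written by `trivy -f json`, which is useful when one scan must feed several CI gates. The following script is an added example written for this page; it is not part of Trivy. It assumes only the report shape shown in the JSON example above (Target, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity); the sample report and the sample .trivyignore embedded in it are constructed for the example.

```python
"""Re-implement Trivy's severity / unfixed / .trivyignore filtering over `trivy -f json` output.

Added example for this page, not Trivy's own code. The report shape follows the
JSON example above; SAMPLE_REPORT and SAMPLE_TRIVYIGNORE are constructed data.
"""
import json
import sys

# Same order as Trivy's "Total:" summary line.
SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report: two targets, four findings, one without a fix.
SAMPLE_REPORT = json.dumps([
    {"Target": "php-app/composer.lock", "Vulnerabilities": None},
    {"Target": "trivy-ci-test (alpine 3.7.1)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2018-14618", "PkgName": "curl",
         "InstalledVersion": "7.61.0-r0", "FixedVersion": "7.61.1-r0", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2018-16840", "PkgName": "curl",
         "InstalledVersion": "7.61.0-r0", "FixedVersion": "7.61.1-r1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2019-1543", "PkgName": "openssl",
         "InstalledVersion": "1.1.1a-r1", "FixedVersion": "1.1.1b-r1", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-2011-3374", "PkgName": "apt",
         "InstalledVersion": "1.4.9", "FixedVersion": "", "Severity": "LOW"},
    ]},
])

# Constructed .trivyignore in the format shown above: one ID per line, '#' comments.
SAMPLE_TRIVYIGNORE = """# Accept the risk
CVE-2018-14618

# No impact in our settings
CVE-2019-1543
"""


def parse_trivyignore(text):
    """Return the set of vulnerability IDs listed in a .trivyignore file."""
    ids = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ids.add(line)
    return ids


def filter_findings(report_json, severities, ignore_unfixed=False, ignored_ids=frozenset()):
    """Apply the same three filters as --severity, --ignore-unfixed and .trivyignore."""
    wanted = set(severities)
    kept = []
    for target in json.loads(report_json):
        for vuln in target.get("Vulnerabilities") or []:  # null when nothing was found
            if vuln["VulnerabilityID"] in ignored_ids:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            if vuln["Severity"] not in wanted:
                continue
            kept.append((target["Target"], vuln["VulnerabilityID"], vuln["Severity"]))
    return kept


def summarize(findings):
    """Counts per severity, like Trivy's 'Total:' line."""
    counts = {sev: 0 for sev in SEVERITIES}
    for _target, _vuln_id, sev in findings:
        counts[sev] += 1
    return counts


def gate(report_json, fail_on=("CRITICAL",), ignore_unfixed=False, trivyignore_text=""):
    """Exit status for a CI step, as --exit-code 1 would give: 1 if any finding survives the filters."""
    ignored = parse_trivyignore(trivyignore_text)
    return 1 if filter_findings(report_json, fail_on, ignore_unfixed, ignored) else 0


if __name__ == "__main__":
    # Usage: python gate.py results.json [.trivyignore]; without arguments the sample data is used.
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    ignore = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_TRIVYIGNORE
    print(summarize(filter_findings(report, SEVERITIES, ignored_ids=parse_trivyignore(ignore))))
    sys.exit(gate(report, fail_on=("CRITICAL",), trivyignore_text=ignore))
```

With the sample data the script prints one finding per severity from LOW to CRITICAL, and because the only CRITICAL entry is listed in the .trivyignore, the gate exits 0; changing fail_on to include HIGH makes the remaining curl finding fail the build, which mirrors the two-step --severity/--exit-code pattern above.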
Clear image caches
The --clear-cache option removes the image caches. This is useful when an image with the same tag has been updated (for example, when you use the latest tag).
$ trivy --clear-cache python:3.7
Result:
2019-05-16T12:55:24.749+0900 INFO Removing image caches...
2019-05-16T12:55:24.769+0900 INFO Updating vulnerability database...
2019-05-16T12:56:14.055+0900 INFO Detecting Debian vulnerabilities...

python:3.7 (debian 9.9)
=======================
Total: 3076 (UNKNOWN: 0, LOW: 127, MEDIUM: 2358, HIGH: 578, CRITICAL: 13)

+------------------------------+---------------------+----------+--------------------------+------------------+-------------------------------------------------------+
| LIBRARY                      | VULNERABILITY ID    | SEVERITY | INSTALLED VERSION        | FIXED VERSION    | TITLE                                                 |
+------------------------------+---------------------+----------+--------------------------+------------------+-------------------------------------------------------+
| apt                          | CVE-2011-3374       | LOW      | 1.4.9                    |                  |                                                       |
+------------------------------+---------------------+          +--------------------------+------------------+-------------------------------------------------------+
| bash                         | TEMP-0841856-B18BAF |          | 4.4-5                    |                  |                                                       |
+------------------------------+---------------------+----------+--------------------------+------------------+-------------------------------------------------------+
...
Reset
The --reset option removes all caches and the database. After this, it takes a long time to rebuild the vulnerability database locally.
$ trivy --reset
Result:
2019-05-16T13:05:31.935+0900 INFO Resetting...
Continuous Integration (CI)
Scan the image you build in Travis CI/CircleCI. The test fails if vulnerabilities are found. If you don't want the test to fail, specify --exit-code 0.
Note: the first run may take a while (the second run is much faster once the cache is in place).
Travis CI
$ cat .travis.yml
services:
  - docker

env:
  global:
    - COMMIT=${TRAVIS_COMMIT::8}

before_install:
  - docker build -t trivy-ci-test:${COMMIT} .
  - export VERSION=$(curl --silent "https://api.github.com/repos/knqyf263/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
  - wget https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz
  - tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz

script:
  - ./trivy --exit-code 0 --severity HIGH --quiet --auto-refresh trivy-ci-test:${COMMIT}
  - ./trivy --exit-code 1 --severity CRITICAL --quiet --auto-refresh trivy-ci-test:${COMMIT}

cache:
  directories:
    - $HOME/.cache/trivy
Example: https://travis-ci.org/knqyf263/trivy-ci-test
Repository: https://github.com/knqyf263/trivy-ci-test
CircleCI
$ cat .circleci/config.yml
jobs:
  build:
    docker:
      - image: docker:18.09-git
    steps:
      - checkout
      - setup_remote_docker
      - restore_cache:
          key: vulnerability-db
      - run:
          name: Build image
          command: docker build -t trivy-ci-test:${CIRCLE_SHA1} .
      - run:
          name: Install trivy
          command: |
            apk add --update curl
            VERSION=$(
                curl --silent "https://api.github.com/repos/knqyf263/trivy/releases/latest" | \
                grep '"tag_name":' | \
                sed -E 's/.*"v([^"]+)".*/\1/'
            )
            wget https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz
            tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz
            mv trivy /usr/local/bin
      - run:
          name: Scan the local image with trivy
          command: trivy --exit-code 0 --quiet --auto-refresh trivy-ci-test:${CIRCLE_SHA1}
      - save_cache:
          key: vulnerability-db
          paths:
            - $HOME/.cache/trivy
workflows:
  version: 2
  release:
    jobs:
      - build
Example: https://circleci.com/gh/knqyf263/trivy-ci-test
Repository: https://github.com/knqyf263/trivy-ci-test
Authorization for private Docker registries
Trivy can download images from a private registry without Docker or any third-party tool being installed. That is what makes it easy to run inside a CI process.
All you have to do is install Trivy and set the ENV vars. But I don't recommend using ENV vars on your local machine.
Docker Hub
Docker Hub needs TRIVY_AUTH_URL, TRIVY_USERNAME and TRIVY_PASSWORD. You don't need to set the ENV vars when downloading from a public repository.
export TRIVY_AUTH_URL=https://registry.hub.docker.com
export TRIVY_USERNAME={DOCKERHUB_USERNAME}
export TRIVY_PASSWORD={DOCKERHUB_PASSWORD}
Amazon ECR (Elastic Container Registry)
Trivy uses the AWS SDK. You don't need to install the aws CLI tool. You can use the AWS CLI's ENV vars.
GCR (Google Container Registry)
Trivy uses the Google Cloud SDK. You don't need to install the gcloud command.
If you want to use the repository of the target project, you can set the credentials via GOOGLE_APPLICATION_CREDENTIALS.
# must set TRIVY_USERNAME empty char
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json
Self-hosted registry (BasicAuth)
A BasicAuth server needs TRIVY_USERNAME and TRIVY_PASSWORD.
export TRIVY_USERNAME={USERNAME}
export TRIVY_PASSWORD={PASSWORD}
# if you want to use 80 port, use NonSSL
export TRIVY_NON_SSL=true
Vulnerability detection
OS packages
"Unfixed/unfixable vulnerabilities" means that the distribution has not yet provided a patch for them.

| OS                           | Supported versions                       | Target packages               | Detection of unfixed vulnerabilities |
|------------------------------|------------------------------------------|-------------------------------|--------------------------------------|
| Alpine Linux                 | 2.2 - 2.7, 3.0 - 3.10                    | Installed by apk              | NO                                   |
| Red Hat Universal Base Image | 7, 8                                     | Installed by yum/rpm          | YES                                  |
| Red Hat Enterprise Linux     | 6, 7, 8                                  | Installed by yum/rpm          | YES                                  |
| CentOS                       | 6, 7                                     | Installed by yum/rpm          | YES                                  |
| Debian GNU/Linux             | wheezy, jessie, stretch, buster          | Installed by apt/apt-get/dpkg | YES                                  |
| Ubuntu                       | 12.04, 14.04, 16.04, 18.04, 18.10, 19.04 | Installed by apt/apt-get/dpkg | YES                                  |

Application dependencies
Trivy automatically detects the following files inside the container and scans the application dependencies they list for vulnerabilities.
- Gemfile.lock
- Pipfile.lock
- poetry.lock
- composer.lock
- package-lock.json
- yarn.lock
- Cargo.lock
The path of these files does not matter.
Example: https://npm.pkg.github.com/knqyf263/trivy-ci-test/blob/master/Dockerfile
Usage
NAME:
  trivy - A simple and comprehensive vulnerability scanner for containers
USAGE:
  main [options] image_name
VERSION:
  0.0.15
OPTIONS:
  --format value, -f value    format (table, json) (default: "table")
  --input value, -i value     input file path instead of image name
  --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
  --output value, -o value    output file name
  --exit-code value           Exit code when vulnerabilities were found (default: 0)
  --skip-update               skip db update
  --reset                     remove all caches and database
  --clear-cache, -c           clear image caches
  --quiet, -q                 suppress progress bar
  --ignore-unfixed            display only fixed vulnerabilities
  --refresh                   refresh DB (usually used after version update of trivy)
  --auto-refresh              refresh DB automatically when updating version of trivy
  --debug, -d                 debug mode
  --vuln-type value           comma-separated list of vulnerability types (os,library)
  --help, -h                  show help
  --version, -v               print the version
Comparison with other scanners

| Scanner        | OS packages | Application dependencies | Easy to use | Accuracy | Suitable for CI |
|----------------|-------------|--------------------------|-------------|----------|-----------------|
| Trivy          | ◯           | ◯                        | ◯           | ◎        | ◯               |
| Clair          | ◯           | ×                        | △           | ◯        | △               |
| Anchore Engine | ◯           | △                        | △           | ◯        | △               |
| Quay           | ◯           | ×                        | ◯           | ◯        | ×               |
| MicroScanner   | ◯           | ×                        | ◯           | △        | ◯               |
| Docker Hub     | ◯           | ×                        | ◯           | ×        | ×               |
| GCR            | ◯           | ×                        | ◯           | ◯        | ×               |
Accuracy
The following bar charts show the results of scanning composer:1.7.2 and crate:3.2.2. These images were chosen at random.
Scanners: Clair, Quay, MicroScanner (free version), Docker Hub, Anchore Engine
See the spreadsheet for details.
In this comparison, the union of the vulnerabilities detected by all of the scanners is used as the data set.
Note:
- There may be vulnerabilities that none of the scanners detect.
- There may be false positives, since I confirmed the results manually.
Alpine Linux
Results for composer:1.7.2, which uses Alpine Linux 3.7.1 (as of 2019/05/12).
Trivy has high accuracy, while GCR did not detect any vulnerabilities at all. Docker Hub has many true positives, but also many false positives.
RHEL/CentOS
Results for crate:3.2.2, which uses CentOS 7.6.1810 (as of 2019/05/14).
The following chart includes only fixable vulnerabilities.
Most scanners detect only fixed/fixable vulnerabilities on RHEL/CentOS, but Trivy also detects unfixed/unfixable ones.
This chart also includes unfixable vulnerabilities.
Other OSes
For other OSes, the results are similar to those of the other container scanners.
vs Clair
Clair uses alpine-secdb. However, the purpose of that database is to record which packages have backported fixes; as its README says, it is not a complete database of all security issues in Alpine.
Trivy collects vulnerability information for Alpine Linux from the Alpine Linux Redmine. These vulnerabilities are then stored in vuln-list.
alpine-secdb has 6959 vulnerabilities (as of 2019/05/12). vuln-list has 11101 vulnerabilities related to Alpine Linux (as of 2019/05/12). Since the number of known vulnerabilities is almost doubled, there is a difference in detection accuracy.
In addition, Trivy also analyzes the intermediate layers and finds out which version of a library was used for static linking.
Clair cannot handle the following case, because it analyzes the image only after all layers have been applied.
RUN apk add --no-cache sqlite-dev \
 && wget https://xxx/yyy.tar.gz \
 && tar zxvf yyy.tar.gz && cd yyy \
 && make && make install \
 && apk del sqlite-dev
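Two points above deserve a concrete illustration: that a lock file is picked up wherever it sits in the filesystem (Application dependencies section), and that a package installed in one layer and removed in a later one, as in the RUN line just shown, is invisible to a scanner that only inspects the merged root filesystem. The script below is an added example written for this page, not Trivy's code, and it does not claim to reproduce Trivy's analysis; it walks a `docker save` style tarball layer by layer. It assumes the `manifest.json` layout that `docker save` produces and the `.wh.` whiteout-file convention for deletions; the two-layer image is constructed in memory.

```python
"""Walk a `docker save` image tarball layer by layer.

Added example for this page, not Trivy's code. It assumes the docker-save
manifest.json layout and the ".wh." whiteout convention for deleted paths;
the two-layer image built by build_sample_image() is constructed data.
"""
import io
import json
import tarfile

# Lock files from the list above; only the base name matters, not the directory.
LOCK_FILES = {"Gemfile.lock", "Pipfile.lock", "poetry.lock", "composer.lock",
              "package-lock.json", "yarn.lock", "Cargo.lock"}
WHITEOUT = ".wh."  # prefix marking a path deleted by a layer


def _tar_bytes(entries):
    """Build an uncompressed tar in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, data in entries.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed image: layer 1 installs a dev library and a lock file deep in the
    tree; layer 2 adds a built binary and deletes the dev library, like the
    'apk add ... && make && apk del' RUN line above."""
    layer1 = _tar_bytes({
        "usr/lib/libsqlite3.a": b"static archive",
        "srv/app/node-app/package-lock.json": b"{}",
    })
    layer2 = _tar_bytes({
        "srv/app/yyy/bin/yyy": b"built binary",
        "usr/lib/" + WHITEOUT + "libsqlite3.a": b"",
    })
    manifest = json.dumps([{"Config": "config.json",
                            "RepoTags": ["trivy-ci-test:sample"],
                            "Layers": ["l1/layer.tar", "l2/layer.tar"]}]).encode()
    return _tar_bytes({"manifest.json": manifest, "config.json": b"{}",
                       "l1/layer.tar": layer1, "l2/layer.tar": layer2})


def _whiteout_target(name):
    """'usr/lib/.wh.libfoo.a' -> 'usr/lib/libfoo.a'."""
    directory, _, base = name.rpartition("/")
    return (directory + "/" if directory else "") + base[len(WHITEOUT):]


def walk_layers(image_bytes):
    """Yield (layer name, [regular-file paths]) in manifest order."""
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as img:
        manifest = json.load(img.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            layer_data = img.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_data)) as layer:
                yield layer_name, [m.name for m in layer.getmembers() if m.isfile()]


def find_lock_files(image_bytes):
    """(layer, path) for every lock file in any layer, whatever its directory."""
    return [(layer, path)
            for layer, paths in walk_layers(image_bytes)
            for path in paths
            if path.rsplit("/", 1)[-1] in LOCK_FILES]


def per_layer_files(image_bytes):
    """Per layer: paths added and paths deleted (whiteouts)."""
    view = {}
    for layer, paths in walk_layers(image_bytes):
        added = [p for p in paths if not p.rsplit("/", 1)[-1].startswith(WHITEOUT)]
        deleted = [_whiteout_target(p) for p in paths
                   if p.rsplit("/", 1)[-1].startswith(WHITEOUT)]
        view[layer] = {"added": added, "deleted": deleted}
    return view


def final_filesystem(image_bytes):
    """What remains after all layers are applied: all that a scanner sees when it
    only analyses the merged root filesystem."""
    fs = set()
    for info in per_layer_files(image_bytes).values():
        fs.update(info["added"])
        fs.difference_update(info["deleted"])
    return fs


def only_in_intermediate_layers(image_bytes):
    """Files present in some layer but gone from the final filesystem."""
    seen = set()
    for info in per_layer_files(image_bytes).values():
        seen.update(info["added"])
    return seen - final_filesystem(image_bytes)
```

On the constructed image, final_filesystem() contains the lock file and the built binary but not libsqlite3.a, while only_in_intermediate_layers() still reports libsqlite3.a from layer 1: a per-layer walk is what makes a statically linked dependency observable at all.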
As many people know, it is also hard to choose a Clair client, because many of them are deprecated.
Finally, Trivy can also detect vulnerabilities in application dependency libraries such as Bundler, Composer, Pipenv, etc.
vs Anchore Engine
As with Clair, detection accuracy on Alpine Linux differs. Anchore Engine does not detect unfixable vulnerabilities on RHEL/CentOS, whereas Trivy does.
In addition, Anchore Engine needs some extra setup before it can start scanning. Trivy is easier to use.
vs Quay, Docker Hub, GCR
Since Quay uses Clair internally, it has the same accuracy as Clair. Docker Hub can only scan official images. GCR detects almost no vulnerabilities on Alpine Linux. In addition, each of them is locked to a specific registry.
Trivy can be used regardless of the registry, and it is also easy to integrate with CI/CD services.
Q&A
Homebrew
Error: Your macOS keychain GitHub credentials do not have sufficient scope!
$ brew tap knqyf263/trivy
Error: Your macOS keychain GitHub credentials do not have sufficient scope!
Scopes they need: none
Scopes they have:
Create a personal access token:
https://github.com/settings/tokens/new?scopes=gist,public_repo&description=Homebrew
echo 'export HOMEBREW_GITHUB_API_TOKEN=your_token_here' >> ~/.zshrc
Try:
$ printf "protocol=https\nhost=github.com\n" | git credential-osxkeychain erase
Error: knqyf263/trivy/trivy 64 already installed
$ brew upgrade
...
Error: knqyf263/trivy/trivy 64 already installed
Try:
$ brew unlink trivy && brew uninstall trivy
($ rm -rf /usr/local/Cellar/trivy/64)
$ brew install knqyf263/trivy/trivy
Others
Detected version update of trivy. Please try again with the --refresh option.
$ trivy --refresh alpine:3.9
Unknown error
Try again with the --reset option.
$ trivy --reset
Related projects
Remic
A vulnerability scanner for detecting publicly disclosed vulnerabilities in application dependencies.