Multiple vulnerabilities found in Docker container image scanners


A recent blog post published the results of testing the tools used to detect unpatched vulnerabilities and identify security problems in isolated Docker container images.

The test showed that 4 of the 6 scanners for well-known Docker images had critical vulnerabilities that allowed an attacker to attack the scanner itself and execute their own code on the system, in some cases (for example, with Snyk) with elevated privileges.

For the attack, the attacker only needs to get their own Dockerfile or manifest.json, containing specially crafted metadata, scanned, or to place Podfile and gradlew files inside the image.

The author managed to prepare exploit prototypes for WhiteSource, Snyk, Fossa and Anchore.

The Clair package, originally written with security in mind, showed the best security.

No problems were identified in the Trivy package. As a result, it was concluded that Docker container scanners should be run in isolated environments or used only to verify one's own images, and that care should be taken when connecting such tools to automated continuous integration systems.

These tools do complicated and error-prone things. They interact with Docker, extract layers and files, talk to package managers, or parse many different formats. Securing them while trying to cover every use case developers ask for is very hard. Let us look at how the different tools attempt to handle this.

The results of the responsible disclosure reflect my personal opinion: I think it is important for software vendors to be receptive to security issues reported to them, and to be honest and transparent about the nature of the vulnerability, so that the people using their products are informed and can decide how to handle updating. This includes a general statement that the update contains security-relevant changes, opening a CVE to track and communicate the problem, and possibly notifying your customers. I think this is especially appropriate if the product itself is about CVEs and provides information about vulnerabilities in software. Also, I was reassured by the fast responses, reasonable fix times, and open communication with the person reporting the vulnerability.

In FOSSA, Snyk and WhiteSource, the vulnerability is related to the call to an external package manager to determine dependencies, which allows code execution to be arranged by specifying touch and system commands in the gradlew and Podfile files.

Snyk and WhiteSource were also found to have vulnerabilities associated with launching system commands while parsing the Dockerfile (for example, in Snyk the ls utility (/bin/ls) launched by the scanner could be replaced through the Dockerfile, and in WhiteSource code could be substituted through arguments of the form "echo ; touch /tmp/hacked_whitesource_pip ; =1.0'").

In Anchore, the vulnerability was caused by the use of the skopeo tool to work with Docker images. The attack came down to adding parameters of the form '"os": "$(touch hacked_anchore)"' to the manifest.json file, which were substituted into the skopeo call without proper escaping (only the characters "; & < > \"" were removed, but not the "$()" construct).
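As an added example (not code from Anchore, skopeo or any other scanner named here), the following Python shows why a blacklist of a few shell metacharacters is an inadequate defence for the manifest.json case above, and what the safer pattern looks like: validate each metadata field against a strict allow-list and build the external command as an argv list so no shell ever interprets the values. The manifest fields forwarded to skopeo and the exact skopeo flags are assumptions for illustration.

```python
import json
import re

# Weak filter in the style the article criticises: strips ; & < > and " only,
# so a "$()" command substitution passes through untouched.
_BLACKLIST = re.compile(r'[;&<>"]')

# Strict allow-list: platform identifiers such as "linux" or "amd64" are short
# lowercase tokens; anything else is rejected outright rather than "cleaned".
_SAFE_TOKEN = re.compile(r"^[a-z0-9][a-z0-9._-]{0,31}$")


def blacklist_filter(value: str) -> str:
    """Return the value with the blacklisted characters removed (inadequate)."""
    return _BLACKLIST.sub("", value)


def is_safe_token(value) -> bool:
    """Allow-list check applied to every metadata field handed to an external tool."""
    return isinstance(value, str) and _SAFE_TOKEN.match(value) is not None


def validate_manifest(manifest_json: str) -> list:
    """Parse manifest.json and return a list of problems (empty list = accepted)."""
    try:
        data = json.loads(manifest_json)
    except ValueError as exc:
        return [f"manifest is not valid JSON: {exc}"]
    problems = []
    for field in ("os", "architecture"):  # assumed to be forwarded to skopeo
        value = data.get(field)
        if not is_safe_token(value):
            problems.append(f"field {field!r} rejected: {value!r}")
    return problems


def build_skopeo_argv(image_ref: str, os_name: str, arch: str) -> list:
    """Build the command as an argv list: each value is one argument, never shell text.

    Only call this with values that passed validate_manifest(), and execute it
    with subprocess.run(argv) (no shell=True) so "$()" is just literal bytes.
    """
    return ["skopeo", "--override-os", os_name, "--override-arch", arch,
            "copy", f"docker://{image_ref}", "dir:/tmp/scan"]


# Constructed sample manifests (not real image metadata).
BENIGN_MANIFEST = '{"os": "linux", "architecture": "amd64"}'
MALICIOUS_MANIFEST = '{"os": "$(touch hacked_anchore)", "architecture": "amd64"}'

if __name__ == "__main__":
    print("blacklist leaves payload:", blacklist_filter("$(touch hacked_anchore)"))
    print("benign manifest problems:", validate_manifest(BENIGN_MANIFEST))
    print("malicious manifest problems:", validate_manifest(MALICIOUS_MANIFEST))
```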

The author also studied how effective Docker container security scanners are at detecting unpatched vulnerabilities, and their false-positive rate.

The author then argues that many of these tools directly use the package manager to resolve dependencies. That makes them particularly hard to secure. Some dependency managers have configuration files that allow shell code to be included.

Even if these simple paths are handled somehow, invoking those package managers inevitably means shelling out. That, to put it mildly, does not make securing the application any easier.

The results of testing 73 images containing known vulnerabilities, as well as the evaluation of how effectively the scanners detect the presence of typical applications in images (nginx, tomcat, haproxy, gunicorn, redis, ruby, node), can be consulted in the publication at the following link.
