Several vulnerabilities found in Docker container scanning tools


Recently, a blog post was published with the results of testing tools that detect unpatched vulnerabilities and security issues in isolated Docker container images.

The test showed that four of the six well-known Docker image scanners had serious problems that allowed an attacker to attack the scanner itself and run their own code on the system, in some cases (Snyk, for example) with root privileges.

To carry out the attack, an attacker only needs to get the scanner to analyse their Dockerfile or manifest.json, which include specially crafted metadata, or to place podfile and gradlew files inside the image.

Working exploit prototypes were prepared for the WhiteSource, Snyk, FOSSA and Anchore systems.

The Clair package, which was written with security in mind from the start, showed the best security.

No problems were found in the Trivy package. As a result, it was concluded that Docker container scanners should run in isolated environments or be used only to check one's own images, and that care should be taken when integrating such tools into automated continuous integration systems.

These scanners do complex and error-prone work. They interact with Docker, extract layers and files, talk to package managers, or parse various formats. Protecting them while trying to cover every developer use case is very hard. Let's see what the various tools attempt and how well they manage it:

The section published openly reflects my view: I think it is important for software vendors to accept the security issues reported to them, to be honest and open about vulnerabilities, and to make sure that the people who use their products are properly informed so they can make decisions about updating. This includes the very important information that a release contains security-related changes, opening a CVE to track and communicate the issue, and possibly notifying your customers. I think this is especially relevant when the product itself is a consumer of CVEs, providing information about vulnerabilities in software. Also, I am encouraged by a quick response, reasonable fix timelines, and open communication with the person reporting the vulnerability.

In FOSSA, Snyk and WhiteSource, the vulnerability was related to calling an external package manager to determine dependencies, and allowed an attacker to arrange execution of their code by specifying touch and system commands in the gradlew and Podfile files.

In Snyk and WhiteSource a further vulnerability was found, related to launching system commands while parsing the Dockerfile (for example, in Snyk the Dockerfile could be used to substitute the ls utility (/bin/ls) that the scanner launches, and in WhiteSource code could be injected through constructs of the form `echo"; touch /tmp/hacked_whitesource_pip; =1.0'`).

In Anchore, the vulnerability was caused by the use of the skopeo utility to work with Docker images. The attack boiled down to adding a parameter of the form `"os": "$(touch hacked_anchore)"` to the manifest.json file, which was substituted into the skopeo invocation without proper escaping (only the characters `; & < >` were removed, but not the `$()` construct).
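The Anchore case above (and the FOSSA/Snyk/WhiteSource cases before it) is the same defect each time: an attacker-controlled string from inside the image ends up in a command line. The following Python is an added illustration, not code from the article or from any of the scanners it describes: it shows why stripping a short list of metacharacters does not neutralise `$()`, and how a defender would handle a manifest field instead, by allowlisting the value and passing it as a separate argv element with no shell at all. The manifest contents, the allowlist pattern and the function names are constructed for this example; the skopeo `--override-os`/`--override-arch` flags exist in skopeo, but how Anchore actually built its skopeo command is not something the article shows.

```python
import json
import re
import shlex
from typing import Dict, List

# Constructed sample manifests modelled on the attack pattern described in the article.
MALICIOUS_MANIFEST = json.dumps(
    {"schemaVersion": 2, "os": "$(touch hacked_anchore)", "architecture": "amd64"}
)
BENIGN_MANIFEST = json.dumps(
    {"schemaVersion": 2, "os": "linux", "architecture": "amd64"}
)


def strip_some_metachars(value: str) -> str:
    """The weak approach: remove only ; & < > (the characters the article says
    were filtered).  Command substitution via $(...) and backticks survives,
    so the value is still dangerous if it ever reaches a shell."""
    return re.sub(r"[;&<>]", "", value)


def quoted_for_shell(value: str) -> str:
    """If a shell string really is unavoidable, quote each argument with shlex.quote
    so the shell sees it as one literal word; $(...) is then never expanded."""
    return shlex.quote(value)


# Allowlist for OS / architecture names: lowercase alphanumerics plus . _ - only.
_ALLOWED = re.compile(r"[a-z0-9][a-z0-9._-]{0,31}")


def validated_field(manifest: Dict[str, object], key: str) -> str:
    """Return the manifest field only if it is a string matching the allowlist.
    Anything else (including the $(...) payload) is rejected with ValueError."""
    value = manifest.get(key)
    if not isinstance(value, str) or _ALLOWED.fullmatch(value) is None:
        raise ValueError(f"manifest field {key!r} rejected: {value!r}")
    return value


def build_skopeo_argv(manifest_text: str, image_ref: str) -> List[str]:
    """Build the command as an argv list.  Passed to subprocess.run(argv) (no
    shell=True), every element is a literal argument, so even a value that
    slipped through validation could not spawn a subshell."""
    manifest = json.loads(manifest_text)
    os_name = validated_field(manifest, "os")
    arch = validated_field(manifest, "architecture")
    return ["skopeo", "--override-os", os_name, "--override-arch", arch,
            "inspect", image_ref]


if __name__ == "__main__":
    payload = json.loads(MALICIOUS_MANIFEST)["os"]
    print("after weak filtering :", strip_some_metachars(payload))
    print("shlex-quoted         :", quoted_for_shell(payload))
    print("benign argv          :", build_skopeo_argv(BENIGN_MANIFEST, "docker://example/img:1"))
    try:
        build_skopeo_argv(MALICIOUS_MANIFEST, "docker://example/img:1")
    except ValueError as exc:
        print("malicious manifest   :", exc)
```

The two defences are complementary: the allowlist rejects the hostile manifest before any process is spawned, and the argv list means that a validation gap would still not hand the attacker a shell.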

The same author conducted a study of how effectively Docker container security scanners detect unpatched vulnerabilities, and of their false-positive rate.

In addition, the author argues that several of these tools use package managers directly to resolve dependencies. This makes them especially hard to protect: some dependency managers have configuration files that allow shell code to be included.

Even if these simple cases are somehow handled, calling a package manager inevitably means stepping outside the scanner itself. This, to put it mildly, does not help prevent exploitation.

The test results for 73 images with known vulnerabilities, together with an assessment of how well the scanners detect the presence of typical applications in images (nginx, tomcat, haproxy, gunicorn, redis, ruby, node), can be consulted in the publication at the following link.

