Multiple vulnerabilities found when scanning Docker containers

Recently, a blog post made public the results of testing the tools that are used to identify unpatched vulnerabilities and security issues in Docker container images.

The testing showed that 4 of the 6 well-known Docker image scanners had critical vulnerabilities that allowed the scanner itself to be attacked and its code to be executed on the host system, in some cases (for example, when using Snyk) with root privileges.

To carry out the attack, an attacker only needs to get the scanner to check a Dockerfile or manifest.json containing specially crafted data, or to place Podfile and gradlew files inside the image.

Exploit prototypes were successfully prepared for the WhiteSource, Snyk, FOSSA and Anchore systems.

The Clair package, originally written with security in mind, showed better protection.

No issues were identified in the Trivy package. As a result, it was concluded that Docker container scanners should be run in isolated environments or used only to check one's own images, and that care should be taken when integrating such tools into automated continuous integration systems.

These scanners do complex and error-prone things. They deal with docker, extract layers and files, interact with package managers, or analyze a variety of formats. Securing them, while at the same time trying to cover every use case for developers, is very difficult. Let's see how the different tools tried and managed to do it:

Responsible disclosure note reflecting my personal opinion: I believe it is important that software vendors respond to the security issues reported to them, and are honest and transparent about vulnerabilities, ensuring that the people who use their products are properly informed to make decisions about updates. This includes the most important information that an update contains security-related changes, opening a CVE to track and communicate the issue, and notifying your customers. I think it is reasonable to expect this when the product itself is about CVEs, providing information about vulnerabilities in software. In addition, I am reassured by a quick response, reasonable fix times, and open communication with the person reporting the vulnerability.

In FOSSA, Snyk and WhiteSource, the vulnerability was related to calling an external package manager to determine dependencies, which made it possible to arrange the execution of attacker code by specifying constraints and system commands in the gradlew and Podfile files.

Snyk and WhiteSource also had vulnerabilities related to the launch of system commands by the routine that analyzes the Dockerfile (for example, in Snyk, via the Dockerfile it was possible to replace the ls utility (/bin/ls), which is invoked by the scanner, and in WhiteSource it was possible to execute code via arguments of the form 'echo'; touch /tmp/hacked_whitesource_pip;=1.0'').

In Anchore, the vulnerability was caused by the use of the skopeo utility to work with docker images. The attack came down to adding parameters of the form '"os": "$(touch hacked_anchore)"' to the manifest.json file, which were substituted into the skopeo command line without proper escaping (only the characters ";&<>" were removed, but not the "$( )" construct).
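The common root cause in the FOSSA, Snyk, WhiteSource and Anchore findings above is that attacker-controlled data taken from inside the image ends up on a shell command line. The following Python example is added here to show that pattern and its fix; it is not code from the post or from any of the scanners. The manifest fragment is constructed to mirror the Anchore case, and the skopeo argv (including the flag names) is illustrative only.

```python
"""Added example (not from the original post or any scanner): why stripping
";&<>" from a manifest field is not enough, and how to hand such a value to
an external tool without going through a shell. Sample data is constructed."""
import json
import re
from typing import Optional

# Constructed manifest.json fragment modelled on the attack described above.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "os": "$(touch hacked_anchore)",
    "architecture": "amd64",
})

# The characters the weak filter removes; note that $, (, ) and ` are missing.
METACHARS_STRIPPED = set(";&<>")


def naive_sanitize(value: str) -> str:
    """The weak filter: drop ; & < > and leave everything else untouched."""
    return "".join(ch for ch in value if ch not in METACHARS_STRIPPED)


def build_shell_command_unsafe(manifest_json: str) -> str:
    """Vulnerable pattern: interpolate a manifest field into a shell string.

    If the returned string is passed to /bin/sh -c, the $( ) command
    substitution still runs, because the filter never removed it.
    """
    os_field = naive_sanitize(json.loads(manifest_json)["os"])
    # Hypothetical skopeo invocation; flag names are illustrative only.
    return f"skopeo copy --override-os {os_field} docker://img oci:out"


# Constructs a POSIX shell would expand: $( ), backticks and ${ }.
SHELL_EXPANSION = re.compile(r"\$\(|`|\$\{")


def still_executes_in_shell(cmd: str) -> bool:
    """True if a shell would expand (and therefore execute) part of cmd."""
    return SHELL_EXPANSION.search(cmd) is not None


# Allow-list of plausible manifest 'os' values (assumed for this example).
ALLOWED_OS = {"linux", "windows", "darwin", "freebsd"}


def validate_os(value: str) -> bool:
    """A manifest 'os' field must be a plain, known token; nothing else."""
    return value in ALLOWED_OS


def build_argv_safe(manifest_json: str) -> Optional[list]:
    """Hardened pattern: validate against an allow-list, then build argv.

    Returns None when the manifest is rejected. Passing the list to
    subprocess.run(argv) never invokes /bin/sh, so even a value that
    slipped past validation would reach the tool as a literal argument.
    """
    os_field = json.loads(manifest_json)["os"]
    if not validate_os(os_field):
        return None
    return ["skopeo", "copy", "--override-os", os_field, "docker://img", "oci:out"]


if __name__ == "__main__":
    unsafe = build_shell_command_unsafe(SAMPLE_MANIFEST)
    print("unsafe command line:", unsafe)
    print("shell would execute something:", still_executes_in_shell(unsafe))
    print("hardened argv:", build_argv_safe(SAMPLE_MANIFEST))
```

Run as a script it prints the still-dangerous command line and `None` for the hardened path; the lesson is that deny-listing shell metacharacters is a losing game, while an allow-list plus an argv list (no shell) closes the whole class at once.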

The same author also conducted a study on the effectiveness of detecting unpatched vulnerabilities with Docker container security scanners and on their rate of false positives.

Moreover, the author argues that many of these tools call package managers directly to resolve dependencies. This makes them even harder to secure: some package managers rely on configuration files that allow shell code to be included.

Even if these simple vectors are handled in some way, invoking these package managers will certainly come at a cost. This, to put it mildly, does not make the application easy to secure.

The results of testing 73 images containing known vulnerabilities, together with an assessment of how well the presence of typical applications in images (nginx, tomcat, haproxy, gunicorn, redis, ruby, node) is determined, can be consulted in the post published at the following link.

