Muva nje kwaziwa ngokusebenzisa okuthunyelwe kwebhulogi, imiphumela yamathuluzi wokuhlola ukukhomba ukuba sengozini akukho patch futhi ukukhomba izingqinamba zokuphepha ezithombeni ezikude ze-Docker container.
Ukuhlolwa kukhombise ukuthi ama-scanner ama-4 kwayi-6 izithombe ezaziwayo zeDocker babe nobuthakathaka obubucayi evumele ukuthi ihlasele isithwebuli uqobo futhi isebenzise ikhodi yayo kusistimu, kwezinye izimo (kusetshenziswa iSnyk ngokwesibonelo) ngamalungelo ezimpande.
Ukuhlaselwa, umhlaseli udinga nje ukuqala ukuhlola i-Dockerfile yakhe noma i-manifest.json, efaka imethadatha efomethwe ngokukhethekile, noma faka i-podfile namafayela we-gradlew ngaphakathi kwesithombe.
Sikwazile ukulungiselela izindlela zokuxhaphaza ze-WhiteSource, Snyk, Fossa nezinhlelo zehange.
Iphakheji Clair, ebhalwe ekuqaleni ngokuphepha engqondweni, ikhombise ukuphepha okuhle kakhulu.
Azikho izinkinga ezikhonjwe kuphakheji ye-Trivy futhi ngenxa yalokho, kuphethwe ukuthi ama-Docker container scanner kufanele asetshenziswe ezindaweni eziqhelile noma asetshenziselwe kuphela ukuqinisekisa izithombe zawo, futhi aqaphele lapho exhuma lawo mathuluzi kuzinhlelo zokuhlanganisa ezizenzakalelayo.
La ma-scanner enza izinto eziyinkimbinkimbi nezinamaphutha. Babhekene ne-docker, bakhipha izingqimba / amafayela, basebenzisana nabaphathi bephakeji noma bahlaziya amafomethi ahlukile. Ukuwavikela, ngenkathi izama ukufaka wonke amacala wokusetshenziswa konjiniyela, kunzima kakhulu. Ake sibone ukuthi amathuluzi ahlukahlukene azama futhi aphatha ukukwenza kanjani:
Isibalo sokudalula esinomthwalo siveza umbono wami: Ngicabanga ukuthi kubalulekile ukuthi abathengisi be-software baphendule ezindabeni zokuphepha ezibikwe kubo, bathembeke futhi babeke obala mayelana nokuba sengozini, ukuze baqiniseke ukuthi abantu abasebenzisa imikhiqizo yabo baziswa ngokufanelekile ukwenza izinqumo mayelana nokuvuselelwa. Lokhu kufaka imininingwane ephezulu yokuthi isibuyekezo sinezinguquko ezihambisana nokuphepha, kuvulwa i-CVE ukulandelela nokuxhumana ngenkinga, futhi nokwazisa amakhasimende akho. Ngicabanga ukuthi lokhu kunengqondo ikakhulukazi ukucabanga ukuthi ngabe umkhiqizo umayelana ne-CVE, ukuhlinzeka ngolwazi mayelana nobungozi kusoftware. Futhi, ngiyaqinisekiswa yimpendulo esheshayo, izikhathi zokulungisa ezinengqondo, kanye nokuxhumana ngokukhululeka nomuntu obika lokhu kuhlaselwa.
E-FOSSA, Snyk naseWhiteSource, ukuba sengozini kwakuhlobene ngokushaya ucingo kumphathi wephakheji wangaphandle ukunquma ukuncika futhi ikuvumela ukuthi uhlele ukwenziwa kwekhodi yakho ngokucacisa imiyalo yokuthinta nohlelo kufayela le-gradlew ne-Podfile.
En ISnyk neWhiteSource nabo bathole ukuba sengozini, okuhambisana nemiyalo yohlelo lokuqalisa inhlangano ehlukanise i-Dockerfile (ngokwesibonelo, eSnyk nge-Dockefile ungathatha indawo ye-utility ls (/ bin / ls), ebangelwe yi-scanner bese ku-WhiteSurce ungayifaka ikhodi esikhundleni sezimpikiswano ezithi "echo"; thepha / tmp / hacked_whitesource_pip; = 1.0 '«).
E-Anchore, ukuba sengozini kubangelwe ukusetshenziswa kosizo lwe-skopeo ukusebenza ngezithombe ze-docker. Umsebenzi wehliselwe ukwengeza imingcele yefomu '»os»: «$ (touch hacked_anchore)»' kufayela le-manifest.json, elifakwe esikhundleni lapho kubizwa i-skopeo ngaphandle kokweqa okufanele (kususwe izinhlamvu kuphela «; & < > ", Kepha ukwakhiwa" $ () ").
Umbhali ofanayo wenze isifundo ngokusebenza kokutholakala kobungozi akulandwanga ngezikena zokuphepha kweziqukathi zedokodo kanye nezinga lokuhle okungamanga.
Ngaphandle kombhali uthi amanye ala mathuluzi sebenzisa ngqo abaphathi bephakheji ukuxazulula ukuncika. Lokhu kubenza kube nzima ikakhulukazi ukuvikela. Abanye abaphathi bokuthembela banamafayela wokumisa avumela ukufakwa kwekhodi yeShell.
Noma lezi zindlela ezilula zisingathwa ngandlela thile, ukubiza lezi zimenenja zamaphakeji nakanjani kuzosho ukukhipha imali. Lokhu, ukusho ngobumnene, akukuhambisi ukuvikelwa kwesicelo.
Imiphumela Yokuhlolwa Yezithombe ezingama-73 eziqukethe ubungozi eyaziwa, kanye nokuhlolwa kokusebenza kokunquma ubukhona bezinhlelo ezijwayelekile ezithombeni (nginx, tomcat, haproxy, gunicorn, redis, ruby, node), kungaboniswana ngaphakathi kokushicilelwa okwenziwe Kulesi sixhumanisi esilandelayo.