Hello, this is Kinyo (@kou.kinyo) from the Cybersecurity Promotion Department, Corporate Division.
In June 2024, AWS announced that Amazon Inspector supports container image scanning from GitHub Actions. Many teams already use Trivy to scan container images for vulnerabilities, but I tried scanning with Inspector as an alternative.
It turns out the action does more than scan container images: it can also statically analyse language package version files (lock files) and Dockerfiles, so I tried that as well.
- How it works
- The action in brief
- Scanning files in the repository
- Scanning a container image
- Choosing between repository file scans and container image scans
- Summary
How it works
Official documentation: https://docs.aws.amazon.com/inspector/latest/user/scanning-cicd.html
The workflow uses the `aws-actions/vulnerability-scan-github-action-for-amazon-inspector` action. It works as follows:
- Amazon Inspector SBOM Generator produces a CycloneDX-format SBOM of the artifact
- The SBOM is sent to Amazon Inspector, which analyses it for vulnerabilities
- An AWS account and the `inspector-scan:ScanSbom` permission are therefore required (the SBOM is what leaves the runner and goes to AWS)
The interesting question is what the SBOM is generated from. There are four options:
- Files in the repository
- A container image
- Compiled Go or Rust binaries
- A `.zip`, `.tar` or `.tar.gz` archive
With GitHub Actions you choose through the action's input parameters. This article uses a Node.js app as the example and tries two of the options, "files in the repository" and "container image".
The action in brief
A sample of how the step is written:

```yaml
- name: Inspector Scan
  id: inspector
  uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1  # major tag; pin a release you have validated
  with:
    artifact_type: "repository"
    artifact_path: "./"
    display_vulnerability_findings: "enabled"
    critical_threshold: 1
    high_threshold: 1
    medium_threshold: 1
    low_threshold: 1
    other_threshold: 1
    scanners: "javascript-nodemodules"
```

The parameters you are most likely to use:
- `artifact_type`
  - `repository` to scan files in the repository
  - `container` to scan a container image
- `artifact_path`
  - for a repository scan, normally the repository root
  - for a container scan, the container image name
- `display_vulnerability_findings`
  - whether to show the results on the GitHub Actions run summary page; set to `enabled` to show them
  - it is convenient, so `enabled` is a sensible default
- `sbomgen_version`
  - use this to pin the Amazon Inspector SBOM Generator version explicitly; pinning protects the workflow from changes to the action's default version (the scanner names changed between v1.3.2 and v1.4.0, as described below)
- `critical_threshold`, `high_threshold`, `medium_threshold`, `low_threshold`, `other_threshold`
  - the number of findings at that severity at which the action sets its `vulnerability_threshold_exceeded` output to 1 (`0` disables the check for that severity)
  - the action does not fail the job by itself; a later step has to act on the output, as the `exit` step in the workflow further down does
- `scanners`
  - selects the scanners to run; if omitted, all scanners are enabled
  - separate multiple scanners with `,`
- `skip_scanners`
  - selects scanners to exclude
  - separate multiple scanners with `,`
- `skip_files`
  - lists files to exclude from the scan explicitly
  - separate multiple files with `,`
The values accepted by `scanners` and `skip_scanners` are the least obvious part. With SBOM Generator v1.4.0 the following 33 scanner names were available (output of the SBOM Generator's `inspector-sbomgen list-scanners` command):
| NAME | GROUPS | DESCRIPTION |
|---|---|---|
| alpine-apk | os pkg-scanner | Scans packages installed with apk |
| apache-httpd | extra-ecosystems pkg-scanner | Scans Apache HTTP Server based on contents of ap_release.h |
| binaries | binary pkg-scanner | Scans compiled Rust and Go binaries for package dependencies |
| csharp-csproj | pkg-scanner programming-language-packages | Scans C# packages based on contents of .csproj files |
| csharp-depsjson | pkg-scanner programming-language-packages | Scans C# packages based on contents of .deps.json files |
| csharp-pkgconfig | pkg-scanner programming-language-packages | Scans C# packages based on contents of Packages.config files |
| csharp-pkglock | pkg-scanner programming-language-packages | Scans C# packages based on contents of packages.lock.json files |
| debian-distroless | os pkg-scanner | Scans packages installed in Debian distroless containers |
| dockerfile | dockerfile pkg-scanner | Scans Dockerfile contents for security issues |
| dpkg | os pkg-scanner | Scans installed Debian packages |
| go-gopkg | pkg-scanner programming-language-packages | Scans Go packages based on go.sum |
| go-modcache | pkg-scanner programming-language-packages | Scans Go packages based on contents of $HOME/go/pkg/mod directory |
| java-installation | extra-ecosystems pkg-scanner | Scans for Java installations in default paths |
| java-jar | pkg-scanner programming-language-packages | Scans Java packages based on contents of pom.properties and archive files (.jar, .par, .war, .ear) |
| java-pomxml | pkg-scanner programming-language-packages | Scans Java dependencies based on the content of pom.xml |
| javascript-nodemodules | pkg-scanner programming-language-packages | Scans for installed packages based on contents of node_modules/*/package.json files |
| javascript-npm-packagelock | pkg-scanner programming-language-packages | Scans NPM dependencies based on the content of package-lock.json file |
| javascript-pnpm-yaml | pkg-scanner programming-language-packages | Scans PNPM dependencies based on the content of pnpm-lock.yaml file |
| javascript-yarnlock | pkg-scanner programming-language-packages | Scans Yarn dependencies based on the content of yarn.lock file |
| php | pkg-scanner programming-language-packages | Scans PHP packages based on contents of composer.lock and installed.json files |
| python-pipfile | pkg-scanner programming-language-packages | Scans python packages based on contents of Pipfile.lock files |
| python-pkg | pkg-scanner programming-language-packages | Scans python packages based on contents of egg-info and dist-info files |
| python-poetry | pkg-scanner programming-language-packages | Scans python packages based on contents of poetry.lock files |
| python-requirements | pkg-scanner programming-language-packages | Scans python packages based on content of requirements.txt files |
| rhel-rpm | os pkg-scanner | Scans installed rpm packages |
| ruby-gemfiles | pkg-scanner programming-language-packages | Scans Ruby packages based on contents of Gemfile.lock files |
| ruby-gemspec | pkg-scanner programming-language-packages | Scans Ruby packages based on contents of .gemspec files |
| ruby-globalgems | pkg-scanner programming-language-packages | Scans Ruby packages based on contents of globally installed gems |
| rust-cargolock | pkg-scanner programming-language-packages | Scans Rust packages based on contents of Cargo.lock files |
| rust-cargotoml | pkg-scanner programming-language-packages | Scans Rust packages based on contents of Cargo.toml files |
| wordpress-installation | extra-ecosystems pkg-scanner | Scans for Wordpress |
| wordpress-plugin-installation | extra-ecosystems pkg-scanner | Scans for Wordpress plugins |
| wordpress-theme-installation | extra-ecosystems pkg-scanner | Scans for Wordpress themes |
As an aside, v1.3.2 did not have `javascript-nodemodules`, `javascript-npm-packagelock`, `javascript-pnpm-yaml` or `javascript-yarnlock`; instead you could specify `javascript-nodejs`. I had been using that, and in mid-August the default SBOM Generator version used by the action switched to 1.4.0, so the workflow broke without my having changed anything, which gave me a scare.
Scanning files in the repository
Set the `artifact_type` input to `repository`. The whole job looks like the following. Because the files are analysed statically, there is no need to build the container.
To hand the generated SBOM to Inspector, the job obtains temporary credentials with the `aws-actions/configure-aws-credentials` action. Give the role it assumes the `inspector-scan:ScanSbom` permission, and nothing broader than the job needs.
```yaml
jobs:
  scan:
    runs-on: ubuntu-latest  # the scan step is a container action, so it only runs on Linux runners
    timeout-minutes: 20
    permissions:
      id-token: write   # required for role-to-assume via OIDC in configure-aws-credentials
      contents: read
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      # Configure AWS credentials
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::111122223333:role/my-sample-role-name
          aws-region: ap-northeast-1

      - name: Inspector Scan
        id: inspector
        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1  # major tag; pin a release you have validated
        with:
          artifact_type: "repository"   # scan files in the repository
          artifact_path: "./"           # repository root
          display_vulnerability_findings: "enabled"
          critical_threshold: 1
          high_threshold: 1
          medium_threshold: 1
          low_threshold: 1
          other_threshold: 1

      # Print the SBOM (use as needed)
      - name: Display CycloneDX SBOM (JSON)
        run: cat ${{ steps.inspector.outputs.artifact_sbom }}

      # Print the findings in JSON (use as needed)
      - name: Display Inspector vulnerability scan results (JSON)
        run: cat ${{ steps.inspector.outputs.inspector_scan_results }}

      # Print the findings in CSV (use as needed)
      - name: Display Inspector vulnerability scan results (CSV)
        run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }}

      # Print the findings in Markdown (use as needed)
      - name: Display Inspector vulnerability scan results (Markdown)
        run: cat ${{ steps.inspector.outputs.inspector_scan_results_markdown }}

      # Print the Dockerfile findings in CSV (use as needed)
      # The output name is spelled "dockerile" (no "f") as exposed by the action
      - name: Display Dockerfile scan results (CSV)
        run: cat ${{ steps.inspector.outputs.inspector_dockerile_scan_results_csv }}

      # Print the Dockerfile findings in Markdown (use as needed)
      - name: Display Dockerfile scan results (Markdown)
        run: cat ${{ steps.inspector.outputs.inspector_dockerile_scan_results_markdown }}

      # Upload the scan results as workflow artifacts
      - name: Upload Scan Results
        uses: actions/upload-artifact@v4
        with:
          name: Inspector Vulnerability Scan Artifacts
          path: |
            ${{ steps.inspector.outputs.inspector_scan_results }}
            ${{ steps.inspector.outputs.inspector_scan_results_csv }}
            ${{ steps.inspector.outputs.artifact_sbom }}
            ${{ steps.inspector.outputs.inspector_scan_results_markdown }}
            ${{ steps.inspector.outputs.inspector_dockerile_scan_results_csv }}
            ${{ steps.inspector.outputs.inspector_dockerile_scan_results_markdown }}

      # Fail the job when the number of findings reaches a threshold
      - name: Fail job if vulnerability threshold is exceeded
        run: exit ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }}
```
Trying it out
I installed the following vulnerable package versions and scanned them. Of these, `micromatch` comes from a package listed in `devDependencies`, and the project is configured so that it is not included in the container image built for production.

| npm package | Version | CVE | Included in the production container? |
|---|---|---|---|
| next | 14.1.0 | CVE-2024-34351 | Yes |
| fast-xml-parser | 4.2.5 | CVE-2024-41818 | Yes |
| micromatch | 4.0.5 | CVE-2024-4067 | No |

Since Dockerfile settings can also be scanned, the Dockerfile includes the following line:

```dockerfile
USER root
```

When the workflow ran, vulnerabilities were detected and the job ended with a failure status.
Summary page results
The summary page showed the following: vulnerabilities in the three packages, plus a finding that the Dockerfile leaves the container running as the root user.
For the package vulnerabilities, you can see that detection came from the `yarn.lock` file in the repository. Consequently the `micromatch` vulnerability is reported even though that package is not in the production container image.
CSV results
(2024/11/19) Added notes on the Dockerfile results.
Of the CSV results, the file whose name starts with `inspector_scan_` (`outputs.inspector_scan_results_csv`) looked like the following. It contains only package vulnerabilities; the Dockerfile findings are not written here.
```csv
"#artifact_name:./","artifact_type:directory","artifact_hash:null","build_id:null"
"#critical_vulnerabilities:0","high_vulnerabilities:1","medium_vulnerabilities:1","low_vulnerabilities:0","other_vulnerabilities:2"
"ID","Severity","Source","CVSS","Installed Package","Fixed Package","Path","EPSS","Exploit Available","Exploit Last Seen","CWEs"
"CVE-2024-4067","medium","MITRE","5.3","pkg:npm/micromatch@4.0.5","4.0.8","yarn.lock","0.00045","true","2024-08-26T14:20:30Z","CWE-1333"
"CVE-2024-41818","untriaged","NVD","null","pkg:npm/fast-xml-parser@4.2.5","4.4.1","yarn.lock","0.00045","null","null","null"
"CVE-2024-34351","high","MITRE","7.5","pkg:npm/next@14.1.0","14.1.1","yarn.lock","0.00119","true","2024-08-24T07:21:02Z","CWE-918"
```
The file whose name starts with `inspector_dockerfile_scan_` (`outputs.inspector_dockerile_scan_results_csv`; note that the output name is spelled without the "f") looked like the following. This is where the Dockerfile findings are written.

```csv
ID,SEVERITY,DESCRIPTION,FILE,LINE
IN-DOCKER-003,info,Last USER is root: If a service can run without privileges use USER to change to a non-root user.,dockerfile:Dockerfile,41-41
```
JSON results
The JSON results looked like the following. Because the file lists every component and not just the vulnerabilities, it is very long; the vulnerability information is recorded under `sbom.vulnerabilities`. The Dockerfile finding is included here too, as `IN-DOCKER-003` with an `info` rating from `AMAZON_INSPECTOR` instead of a CVSS score.
```json
{
  "sbom": {
    "specVersion": "1.5",
    "metadata": {
      // (omitted)
    },
    "components": [
      // (omitted)
    ],
    "bomFormat": "CycloneDX",
    "vulnerabilities": [
      {
        "advisories": [
          { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071631" },
          { "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-4067" },
          { "url": "https://www.cve.org/CVERecord?id=CVE-2024-4067" }
        ],
        "bom-ref": "vuln-1",
        "references": [
          {
            "id": "GHSA-952p-6rrq-rcjv",
            "source": { "name": "GITHUB", "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv" }
          }
        ],
        "created": "2024-05-14T15:42:47Z",
        "description": "The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.",
        "affects": [ { "ref": "comp-988" } ],
        "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4067" },
        "cwes": [ 1333 ],
        "analysis": { "state": "exploitable" },
        "ratings": [
          {
            "severity": "none",
            "score": 0.00045,
            "method": "other",
            "vector": "model:v2023.03.01,date:2024-08-27T00:00:00+0000",
            "source": { "name": "EPSS", "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-4067" }
          },
          {
            "severity": "medium",
            "score": 5.3,
            "method": "CVSSv31",
            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "source": { "name": "MITRE", "url": "https://cve.org/CVERecord?id=CVE-2024-4067" }
          }
        ],
        "id": "CVE-2024-4067",
        "updated": "2024-05-22T12:15:10Z",
        "properties": [
          { "name": "amazon:inspector:sbom_scanner:priority", "value": "standard" },
          { "name": "amazon:inspector:sbom_scanner:priority_intelligence", "value": "unverified" },
          { "name": "amazon:inspector:sbom_scanner:exploit_available", "value": "true" },
          { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", "value": "2024-08-26T14:20:30Z" },
          { "name": "amazon:inspector:sbom_scanner:fixed_version:comp-988", "value": "4.0.8" }
        ]
      },
      {
        "advisories": [
          { "url": "https://docs.docker.com/develop/develop-images/instructions/" }
        ],
        "bom-ref": "vuln-2",
        "ratings": [
          {
            "severity": "info",
            "method": "other",
            "source": { "name": "AMAZON_INSPECTOR", "url": "https://aws.amazon.com/inspector/" }
          }
        ],
        "created": "2024-03-27T14:36:39Z",
        "description": "Last USER is root: If a service can run without privileges, use USER to change to a non-root user.",
        "affects": [ { "ref": "comp-1106" } ],
        "id": "IN-DOCKER-003",
        "source": { "name": "AMAZON_INSPECTOR", "url": "https://aws.amazon.com/inspector/" },
        "analysis": { "state": "in_triage" },
        "updated": "2024-03-27T14:36:39Z"
      },
      {
        "advisories": [
          { "url": "https://access.redhat.com/errata/RHSA-2024:5054" }
        ],
        "bom-ref": "vuln-3",
        "references": [
          {
            "id": "GHSA-mpg4-rc92-vx8v",
            "source": { "name": "GITHUB", "url": "https://github.com/advisories/GHSA-mpg4-rc92-vx8v" }
          }
        ],
        "ratings": [
          {
            "severity": "none",
            "score": 0.00045,
            "method": "other",
            "vector": "model:v2023.03.01,date:2024-08-27T00:00:00+0000",
            "source": { "name": "EPSS", "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-41818" }
          }
        ],
        "created": "2024-07-29T16:15:05Z",
        "description": "fast-xml-parser is an open source, pure javascript xml parser. a ReDOS exists on currency.js. This vulnerability is fixed in 4.4.1.",
        "affects": [ { "ref": "comp-1068" } ],
        "id": "CVE-2024-41818",
        "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41818" },
        "analysis": { "state": "in_triage" },
        "updated": "2024-08-02T20:17:01Z",
        "properties": [
          { "name": "amazon:inspector:sbom_scanner:priority", "value": "standard" },
          { "name": "amazon:inspector:sbom_scanner:priority_intelligence", "value": "unverified" },
          { "name": "amazon:inspector:sbom_scanner:fixed_version:comp-1068", "value": "4.4.1" }
        ]
      },
      {
        "advisories": [
          { "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34351" }
        ],
        "bom-ref": "vuln-4",
        "references": [
          {
            "id": "GHSA-fr5h-rqp8-mj6g",
            "source": { "name": "GITHUB", "url": "https://github.com/advisories/GHSA-fr5h-rqp8-mj6g" }
          }
        ],
        "created": "2024-05-14T15:38:42Z",
        "description": "Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`.",
        "affects": [ { "ref": "comp-829" } ],
        "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34351" },
        "cwes": [ 918 ],
        "analysis": { "state": "exploitable" },
        "ratings": [
          {
            "severity": "none",
            "score": 0.00119,
            "method": "other",
            "vector": "model:v2023.03.01,date:2024-08-27T00:00:00+0000",
            "source": { "name": "EPSS", "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34351" }
          },
          {
            "severity": "high",
            "score": 7.5,
            "method": "CVSSv31",
            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "source": { "name": "MITRE", "url": "https://cve.org/CVERecord?id=CVE-2024-34351" }
          }
        ],
        "id": "CVE-2024-34351",
        "updated": "2024-05-14T16:12:23Z",
        "properties": [
          { "name": "amazon:inspector:sbom_scanner:priority", "value": "standard" },
          { "name": "amazon:inspector:sbom_scanner:priority_intelligence", "value": "unverified" },
          { "name": "amazon:inspector:sbom_scanner:exploit_available", "value": "true" },
          { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", "value": "2024-08-24T07:21:02Z" },
          { "name": "amazon:inspector:sbom_scanner:fixed_version:comp-829", "value": "14.1.1" }
        ]
      }
    ]
  }
}
```
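The JSON above is the form a later workflow step can act on when the built-in `*_threshold` inputs are too coarse (for example, fail only on findings with a public exploit, or ignore findings rooted in a lock file). The script below is an added example, not code from the original post or from the action: it joins each `sbom.vulnerabilities` entry to its component, derives the severity the same way the CSV does (first non-EPSS rating, `untriaged` when there is none, with `info` and `untriaged` counted under "other"), reproduces the severity counts and threshold gate, lists findings with a public exploit, and can drop findings rooted in a given file as an after-the-fact stand-in for `skip_files`. The sample document is constructed to mirror the four findings above; the component entries (elided on the page) and the path property name `amazon:inspector:sbom_scanner:path` are assumptions, and the threshold semantics (0 disables a bucket, otherwise the gate trips when the count reaches the threshold) are this example's reading of the `*_threshold` inputs.

```python
import json

# Property names taken from the page's real output (on each vulnerability entry).
EXPLOIT_PROP = "amazon:inspector:sbom_scanner:exploit_available"
FIXED_PREFIX = "amazon:inspector:sbom_scanner:fixed_version:"
# ASSUMPTION for this example: the component property naming the file a package
# was found in. The page's CSV has a Path column but elides the components array.
PATH_PROP = "amazon:inspector:sbom_scanner:path"
BUCKETS = ("critical", "high", "medium", "low", "other")


def _epss(score):
    return {"severity": "none", "score": score, "method": "other", "source": {"name": "EPSS"}}


def _cvss(severity, score, vector):
    return {"severity": severity, "score": score, "method": "CVSSv31",
            "vector": vector, "source": {"name": "MITRE"}}


def _comp(ref, purl, path):
    return {"bom-ref": ref, "purl": purl, "properties": [{"name": PATH_PROP, "value": path}]}


def sample_doc():
    """Constructed document mirroring the page's repository scan (same ids, refs, ratings)."""
    return {"sbom": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        _comp("comp-829", "pkg:npm/next@14.1.0", "yarn.lock"),
        _comp("comp-988", "pkg:npm/micromatch@4.0.5", "yarn.lock"),
        _comp("comp-1068", "pkg:npm/fast-xml-parser@4.2.5", "yarn.lock"),
        _comp("comp-1106", "dockerfile:Dockerfile", "dockerfile:Dockerfile"),
    ], "vulnerabilities": [
        {"id": "CVE-2024-4067", "affects": [{"ref": "comp-988"}],
         "ratings": [_epss(0.00045), _cvss("medium", 5.3, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L")],
         "properties": [{"name": EXPLOIT_PROP, "value": "true"},
                        {"name": FIXED_PREFIX + "comp-988", "value": "4.0.8"}]},
        {"id": "IN-DOCKER-003", "affects": [{"ref": "comp-1106"}],
         "ratings": [{"severity": "info", "method": "other", "source": {"name": "AMAZON_INSPECTOR"}}]},
        {"id": "CVE-2024-41818", "affects": [{"ref": "comp-1068"}],
         "ratings": [_epss(0.00045)],  # EPSS only: no CVSS rating yet
         "properties": [{"name": FIXED_PREFIX + "comp-1068", "value": "4.4.1"}]},
        {"id": "CVE-2024-34351", "affects": [{"ref": "comp-829"}],
         "ratings": [_epss(0.00119), _cvss("high", 7.5, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N")],
         "properties": [{"name": EXPLOIT_PROP, "value": "true"},
                        {"name": FIXED_PREFIX + "comp-829", "value": "14.1.1"}]},
    ]}}


def load_file(path):
    """Read the file named by steps.inspector.outputs.inspector_scan_results."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _props(obj):
    return {p["name"]: p["value"] for p in obj.get("properties", [])}


def severity_of(vuln):
    """First non-EPSS rating decides severity, as in the action's CSV; none -> 'untriaged'."""
    for rating in vuln.get("ratings", []):
        if rating.get("source", {}).get("name") != "EPSS":
            return rating.get("severity", "untriaged")
    return "untriaged"


def load_findings(doc):
    """Flatten sbom.vulnerabilities into one dict per finding, joined to its component."""
    sbom = doc["sbom"]
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    findings = []
    for vuln in sbom.get("vulnerabilities", []):
        ref = vuln["affects"][0]["ref"]
        comp = comps.get(ref, {})
        sev = severity_of(vuln)
        findings.append({
            "id": vuln["id"],
            "kind": "dockerfile" if vuln["id"].startswith("IN-DOCKER-") else "package",
            "severity": sev,
            "bucket": sev if sev in BUCKETS[:4] else "other",  # info/untriaged count as 'other'
            "package": comp.get("purl"),
            "path": _props(comp).get(PATH_PROP),
            "fixed": _props(vuln).get(FIXED_PREFIX + ref),
            "exploit_available": _props(vuln).get(EXPLOIT_PROP) == "true",
        })
    return findings


def count_by_severity(findings):
    counts = dict.fromkeys(BUCKETS, 0)
    for f in findings:
        counts[f["bucket"]] += 1
    return counts


def threshold_exceeded(counts, thresholds):
    """Reading of the *_threshold inputs used here: 0 disables a bucket, otherwise
    the gate trips once the count reaches the threshold (1 = any finding)."""
    return any(t > 0 and counts.get(b, 0) >= t for b, t in thresholds.items())


def drop_paths(findings, skip_files):
    """After-the-fact equivalent of skip_files: ignore findings rooted in the listed files."""
    skip = set(skip_files)
    return [f for f in findings if f["path"] not in skip]


def exploitable(findings):
    return [f for f in findings if f["exploit_available"]]


def gate(doc, thresholds, skip_files=()):
    """Return (exit_code, counts): 1 when the policy trips, like the page's final `exit` step."""
    findings = drop_paths(load_findings(doc), skip_files)
    counts = count_by_severity(findings)
    return (1 if threshold_exceeded(counts, thresholds) else 0), counts


if __name__ == "__main__":
    doc = sample_doc()  # in a workflow: load_file(path from steps.inspector.outputs)
    print(gate(doc, dict.fromkeys(BUCKETS, 1)))
    print([f["id"] for f in exploitable(load_findings(doc))])
    print(gate(doc, dict.fromkeys(BUCKETS, 1), skip_files=["yarn.lock"]))
```

Run as a workflow step with `python3 gate.py` after the scan, feeding it the `inspector_scan_results` path, and use its exit code in place of (or in addition to) the `vulnerability_threshold_exceeded` step. Dropping lock-file paths reproduces on the repository scan what `skip_files` does on the container scan, which is useful when you want one policy applied to both.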
Markdown results
(2024/11/19) Added notes on the Dockerfile results.
Of the Markdown results, the file whose name starts with `inspector_scan_` (`outputs.inspector_scan_results_markdown`) looked like the following. It contains only package vulnerabilities; the Dockerfile findings are not written here.

```markdown
# Amazon Inspector Scan Results

Artifact Type: repository

## Vulnerability Counts by Severity

| Severity | Count |
|----------|-------|
| Critical | 0|
| High | 1|
| Medium | 1|
| Low | 0|
| Other | 2|

## Vulnerability Findings

| ID | Severity | Source | [CVSS](https://www.first.org/cvss/) | Installed Package ([PURL](https://github.com/package-url/purl-spec/tree/master?tab=readme-ov-file#purl)) | Fixed Package | Path | [EPSS](https://www.first.org/epss/) | Exploit Available | Exploit Last Seen | CWEs |
| ------- | ------- | ------- | ------- | ------- | ------- | ------- | ------- | ------- | ------- | ------- |
| CVE-2024-34351 | high | MITRE | 7.5 | `pkg:npm/next@14.1.0` | `14.1.1` | `yarn.lock` | 0.00119 | true | 2024-08-24T07:21:02Z | `CWE-918` |
| CVE-2024-4067 | medium | MITRE | 5.3 | `pkg:npm/micromatch@4.0.5` | `4.0.8` | `yarn.lock` | 0.00045 | true | 2024-08-26T14:20:30Z | `CWE-1333` |
| CVE-2024-41818 | untriaged | NVD | | `pkg:npm/fast-xml-parser@4.2.5` | `4.4.1` | `yarn.lock` | 0.00045 | | | |
```

The file whose name starts with `inspector_dockerfile_scan_` (`outputs.inspector_dockerile_scan_results_markdown`) looked like the following. This is where the Dockerfile findings are written.

```markdown
## Dockerfile Findings
|ID|SEVERITY|DESCRIPTION|FILE|LINES|
|---|---|---|---|---|
| IN-DOCKER-003 | info | Last USER is root: If a service can run without privileges, use USER to change to a non-root user. | dockerfile:Dockerfile | 41-41 |
```
When no vulnerabilities are detected
(2024/11/18 update) The problem described in this section was fixed in v1.1.4.
Incidentally, when not a single vulnerability is detected, the CSV report is apparently not generated, so a step written as follows makes the job fail even though there are no vulnerabilities:

```yaml
- name: Display Inspector vulnerability scan results (CSV)
  run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }}
```

So it is a good idea to stop a failing `cat` from aborting the job:

```yaml
- name: Display Inspector vulnerability scan results (CSV)
  run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }} || true
```

Apply `|| true` only to these display steps; the pass/fail decision should stay on the `vulnerability_threshold_exceeded` output, so that a missing report can never be mistaken for a clean scan.
Scanning a container image
Here is an example of the job when scanning a container image. Set the `artifact_type` input to `container` and pass the container image name in `artifact_path`. The image has to be built beforehand, and it has to be loaded into the runner's Docker daemon (the `load: true` below) so the scanner can read it. The AWS credentials step from the repository example is still required, since the SBOM is sent to Inspector in the same way.
My personal recommendation is to exclude lock files from the scan when scanning a container image. Packages that come from `devDependencies` are usually kept out of the production container anyway, and if you are scanning a built image, limiting the scan to the packages actually inside the container is what tells you about vulnerabilities in the running environment. If you want to know about vulnerabilities in development-only packages, scan the repository files instead; there is no need to spend time building a container for that.

```yaml
# Set up docker/build-push-action
- name: Set up docker build prereqs (QEMU)
  uses: docker/setup-qemu-action@v3
- name: Set up docker build prereqs (Buildx)
  uses: docker/setup-buildx-action@v3

# Build the image
- name: Build Docker image
  uses: docker/build-push-action@v5
  with:
    context: .
    file: ./Dockerfile
    push: false
    tags: my-container:${{ github.sha }}
    load: true   # load into the local Docker daemon so the scan step can read the image

- name: Inspector Scan
  id: inspector
  uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1  # major tag; pin a release you have validated
  with:
    artifact_type: "container"
    artifact_path: "my-container:${{ github.sha }}"
    display_vulnerability_findings: "enabled"
    critical_threshold: 1
    high_threshold: 1
    medium_threshold: 1
    low_threshold: 1
    other_threshold: 1
    skip_files: "/usr/app/yarn.lock"  # exclude the lock file inside the container from the scan
```
Summary page results
The summary page showed the following results.
Because `skip_files: "/usr/app/yarn.lock"` was set, only the vulnerabilities in the two packages included in the production container were detected. The detection source is now the `package.json` inside each package installed under `node_modules`.
The Dockerfile is also in scope for the scan, but this time the Dockerfile itself was not copied into the container, so it is not detected here.
Choosing between repository file scans and container image scans
Having tried both scan targets, here is how I would choose between them.
Container image scans require building the container first, so they are slow and not suited to frequent runs. On the other hand, they let you see the state of what was actually built from the Dockerfile used for the real container build, so they are best run in the workflow that deploys to production.
When doing so, exclude the lock files inside the container from the scan so that vulnerabilities in development-only packages are not reported; this cuts the noise.
The Dockerfile is in scope too, but it is often not copied into the container, so plan to scan it elsewhere.
Repository file scans need no container build, so they are fast. Run them on every push to development branches. By covering development-only packages and poor Dockerfile settings, they give you the chance to fix issues while still in development.
Summary
Using a Node.js app as the example, I tried vulnerability scanning with Amazon Inspector from GitHub Actions.
If you have tried it with other languages, I would love to hear about it.
Written by @kou.kinyo, reviewed by Akira Terayama (@terayama.akira)
(Written with Shodo)