dockerバイナリに、脆弱性チェックのコマンド docker scanが追加されていました

公式ドキュメント

前提情報: Dockerバージョン

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Client: Docker Engine - Community
 Cloud integration: 1.0.4
 Version:           20.10.0
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        7287ab3
 Built:             Tue Dec  8 18:59:53 2020
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.0
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       eeddea2
  Built:            Tue Dec  8 18:58:04 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.4.3
  GitCommit:        269548fa27e0089a8b8278fc4fc781d7f65a939b
 runc:
  Version:          1.0.0-rc92
  GitCommit:        ff819c7e9184c13b7c2607fe6c30ae19403a7aff
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

ローカルイメージの脆弱性チェックをする

例えば、たまたまその時ローカルにあった hashicorp/terraformイメージをスキャンすると以下のようになりました

1
2
// 書式: docker scan [脆弱性チェックをするイメージ名]
 $ docker scan hashicorp/terraform:0.14.2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
Testing hashicorp/terraform:0.14.2...

✗ Medium severity vulnerability found in openssl/libcrypto1.1
  Description: NULL Pointer Dereference
  Info: https://snyk.io/vuln/SNYK-ALPINE312-OPENSSL-1050745
  Introduced through: openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0, apk-tools/apk-tools@2.10.5-r1, libtls-standalone/libtls-standalone@2.9.1-r1, ca-certificates/ca-certificates@20191127-r4, curl/libcurl@7.69.1-r1, openssh/openssh-client@8.3_p1-r0, openssh/openssh-server@8.3_p1-r0, openssh/openssh-sftp-server@8.3_p1-r0, openssh/openssh@8.3_p1-r0, openssh/openssh-keygen@8.3_p1-r0
  From: openssl/libcrypto1.1@1.1.1g-r0
  From: openssl/libssl1.1@1.1.1g-r0 > openssl/libcrypto1.1@1.1.1g-r0
  From: apk-tools/apk-tools@2.10.5-r1 > openssl/libcrypto1.1@1.1.1g-r0
  and 12 more...
  Fixed in: 1.1.1i-r0

✗ Medium severity vulnerability found in openssh/openssh-client
  Description: Information Exposure
  Info: https://snyk.io/vuln/SNYK-ALPINE312-OPENSSH-1051927
  Introduced through: openssh/openssh-client@8.3_p1-r0, openssh/openssh@8.3_p1-r0, openssh/openssh-server@8.3_p1-r0, openssh/openssh-sftp-server@8.3_p1-r0, openssh/openssh-keygen@8.3_p1-r0, openssh/openssh-server-common@8.3_p1-r0
  From: openssh/openssh-client@8.3_p1-r0
  From: openssh/openssh@8.3_p1-r0 > openssh/openssh-client@8.3_p1-r0
  From: openssh/openssh-server@8.3_p1-r0
  and 9 more...
  Fixed in: 8.3_p1-r1

✗ Medium severity vulnerability found in musl/musl
  Description: Out-of-bounds Write
  Info: https://snyk.io/vuln/SNYK-ALPINE312-MUSL-1042762
  Introduced through: musl/musl@1.1.24-r9, busybox/busybox@1.31.1-r19, alpine-baselayout/alpine-baselayout@3.2.0-r7, openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0, zlib/zlib@1.2.11-r3, apk-tools/apk-tools@2.10.5-r1, libtls-standalone/libtls-standalone@2.9.1-r1, busybox/ssl_client@1.31.1-r19, ca-certificates/ca-certificates@20191127-r4, nghttp2/nghttp2-libs@1.41.0-r0, curl/libcurl@7.69.1-r1, expat/expat@2.2.9-r1, pcre2/pcre2@10.35-r0, git/git@2.26.2-r0, musl/musl-utils@1.1.24-r9, ncurses/ncurses-libs@6.2_p20200523-r0, libedit/libedit@20191231.3.1-r0, pax-utils/scanelf@1.2.6-r0, openssh/openssh-client@8.3_p1-r0, openssh/openssh-server@8.3_p1-r0, openssh/openssh-sftp-server@8.3_p1-r0, openssh/openssh@8.3_p1-r0, openssh/openssh-keygen@8.3_p1-r0, libc-dev/libc-utils@0.7.2-r3
  From: musl/musl@1.1.24-r9
  From: busybox/busybox@1.31.1-r19 > musl/musl@1.1.24-r9
  From: alpine-baselayout/alpine-baselayout@3.2.0-r7 > musl/musl@1.1.24-r9
  and 23 more...
  Fixed in: 1.1.24-r10

✗ High severity vulnerability found in curl/libcurl
  Description: Use After Free
  Info: https://snyk.io/vuln/SNYK-ALPINE312-CURL-1050049
  Introduced through: curl/libcurl@7.69.1-r1, git/git@2.26.2-r0
  From: curl/libcurl@7.69.1-r1
  From: git/git@2.26.2-r0 > curl/libcurl@7.69.1-r1
  Fixed in: 7.69.1-r2

✗ High severity vulnerability found in curl/libcurl
  Description: Out-of-bounds Write
  Info: https://snyk.io/vuln/SNYK-ALPINE312-CURL-1050731
  Introduced through: curl/libcurl@7.69.1-r1, git/git@2.26.2-r0
  From: curl/libcurl@7.69.1-r1
  From: git/git@2.26.2-r0 > curl/libcurl@7.69.1-r1
  Fixed in: 7.69.1-r3

✗ High severity vulnerability found in curl/libcurl
  Description: Improper Certificate Validation
  Info: https://snyk.io/vuln/SNYK-ALPINE312-CURL-1050732
  Introduced through: curl/libcurl@7.69.1-r1, git/git@2.26.2-r0
  From: curl/libcurl@7.69.1-r1
  From: git/git@2.26.2-r0 > curl/libcurl@7.69.1-r1
  Fixed in: 7.69.1-r3

Organization:      undefined
Package manager:   apk
Project name:      docker-image|hashicorp/terraform
Docker image:      hashicorp/terraform:0.14.2
Platform:          linux/amd64

Tested 29 dependencies for known vulnerabilities, found 6 vulnerabilities.

For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp

関連記事

DockerfileのLinter「hadolint」を使ってみたのでメモ | 7me