Scanning container images for vulnerabilities with Trivy (Ubuntu)

  • Category: docker

Trivy is a simple vulnerability scanner developed mainly by Aqua Security Software.
- It needs no database or other supporting software to be installed, so a vulnerability check is easy to run. (Clair, by contrast, requires PostgreSQL.)

Environment

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.5 LTS
Release:        18.04
Codename:       bionic

# docker -v
Docker version 20.10.7, build f0df350

Installing Trivy

Following the official Installation instructions, I added the repository and installed Trivy with apt.

# apt-get install wget apt-transport-https gnupg lsb-release
# wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | apt-key add -
# echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | tee -a /etc/apt/sources.list.d/trivy.list
# apt update
# apt install trivy
# trivy --version
Version: 0.18.3

Running a vulnerability scan

# docker images | grep nginx
nginx              latest        f0b8a9a54136   4 weeks ago     133MB

# trivy nginx
2021-06-13T21:21:35.295+0900    INFO    Detected OS: debian
2021-06-13T21:21:35.296+0900    INFO    Detecting Debian vulnerabilities...
2021-06-13T21:21:35.312+0900    INFO    Number of PL dependency files: 1

nginx (debian 10.9)
===================
Total: 172 (UNKNOWN: 0, LOW: 113, MEDIUM: 14, HIGH: 28, CRITICAL: 17)

+------------------+---------------------+----------+---------------------------+-------------------+--------------------------------------------------------------+
|     LIBRARY      |  VULNERABILITY ID   | SEVERITY |     INSTALLED VERSION     |   FIXED VERSION   |                            TITLE                             |
+------------------+---------------------+----------+---------------------------+-------------------+--------------------------------------------------------------+
| apt              | CVE-2011-3374       | LOW      | 1.8.2.3                   |                   | It was found that apt-key in apt,                            |
|                  |                     |          |                           |                   | all versions, do not correctly...                            |
|                  |                     |          |                           |                   | -->avd.aquasec.com/nvd/cve-2011-3374                         |
+------------------+---------------------+          +---------------------------+-------------------+--------------------------------------------------------------+
| bash             | CVE-2019-18276      |          | 5.0-4                     |                   | bash: when effective UID is not                              |
|                  |                     |          |                           |                   | equal to its real UID the...                                 |
|                  |                     |          |                           |                   | -->avd.aquasec.com/nvd/cve-2019-18276                        |
+                  +---------------------+          +                           +-------------------+--------------------------------------------------------------+
|                  | TEMP-0841856-B18BAF |          |                           |                   | -->security-tracker.debian.org/tracker/TEMP-0841856-B18BAF   |
+------------------+---------------------+          +---------------------------+-------------------+--------------------------------------------------------------+
| coreutils        | CVE-2016-2781       |          | 8.30-3                    |                   | coreutils: Non-privileged                                    |
|                  |                     |          |                           |                   | session can escape to the                                    |
|                  |                     |          |                           |                   | parent session in chroot                                     |
|                  |                     |          |                           |                   | -->avd.aquasec.com/nvd/cve-2016-2781                         |
+                  +---------------------+          +                           +-------------------+--------------------------------------------------------------+
|                  | CVE-2017-18018      |          |                           |                   | coreutils: race condition                                    |
|                  |                     |          |                           |                   | vulnerability in chown and chgrp                             |
|                  |                     |          |                           |                   | -->avd.aquasec.com/nvd/cve-2017-18018                        |
+------------------+---------------------+          +---------------------------+-------------------+--------------------------------------------------------------+
| curl             | CVE-2021-22898      |          | 7.64.0-4+deb10u2          |                   | curl: TELNET stack                                           |
|                  |                     |          |                           |                   | contents disclosure                                          |
|                  |                     |          |                           |                   | -->avd.aquasec.com/nvd/cve-2021-22898                        |
+------------------+---------------------+----------+---------------------------+-------------------+--------------------------------------------------------------+
| gcc-8-base       | CVE-2018-12886      | HIGH     | 8.3.0-6                   |                   | gcc: spilling of stack                                       |
|                  |                     |          |                           |                   | protection address in cfgexpand.c                            |
|                  |                     |          |                           |                   | and function.c leads to...                                   |
|                  |                     |          |                           |                   | -->avd.aquasec.com/nvd/cve-2018-12886                        |
+                  +---------------------+          +                           +-------------------+--------------------------------------------------------------+
|                  | CVE-2019-15847      |          |                           |                   | gcc: POWER9 "DARN" RNG intrinsic                             |
|                  |                     |          |                           |                   | produces repeated output                                     |
|                  |                     |          |                           |                   | -->avd.aquasec.com/nvd/cve-2019-15847                        |
+------------------+---------------------+----------+---------------------------+-------------------+--------------------------------------------------------------+
| gpgv             | CVE-2019-14855      | LOW      | 2.2.12-1+deb10u1          |                   | gnupg2: OpenPGP Key Certification                            |
|                  |                     |          |                           |                   | Forgeries with SHA-1                                         |
|                  |                     |          |                           |                   | -->avd.aquasec.com/nvd/cve-2019-14855                        |
+------------------+---------------------+          +---------------------------+-------------------+--------------------------------------------------------------+
| libapt-pkg5.0    | CVE-2011-3374       |          | 1.8.2.3                   |                   | It was found that apt-key in apt,                            |
|                  |                     |          |                           |                   | all versions, do not correctly...                            |
|                  |                     |          |                           |                   | -->avd.aquasec.com/nvd/cve-2011-3374                         |
+------------------+---------------------+----------+---------------------------+-------------------+--------------------------------------------------------------+
...

Making the output easier to read

I restricted SEVERITY to CRITICAL only (the default is "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") and output the result in JSON format.
For use cases such as integrating Trivy into CI, there is also an option (--exit-code) that makes Trivy exit with the specified code when vulnerabilities are found.

# trivy --severity CRITICAL --format json nginx
2021-06-13T21:20:28.473+0900    INFO    Detected OS: debian
2021-06-13T21:20:28.474+0900    INFO    Detecting Debian vulnerabilities...
2021-06-13T21:20:28.488+0900    INFO    Number of PL dependency files: 1
[
  {
    "Target": "nginx (debian 10.9)",
    "Type": "debian",
    "Vulnerabilities": [
      {
        "VulnerabilityID": "CVE-2021-33574",
        "PkgName": "libc-bin",
        "InstalledVersion": "2.28-10",
        "Layer": {
          "DiffID": "sha256:02c055ef67f5904019f43a41ea5f099996d8e7633749b6e606c400526b2c4b33"
        },
        "SeveritySource": "nvd",
        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-33574",
        "Title": "glibc: mq_notify does not handle separately allocated thread attributes",
        "Description": "The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.",
        "Severity": "CRITICAL",
        "CweIDs": [
          "CWE-416"
        ],
        "CVSS": {
          "nvd": {
            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "V2Score": 7.5,
            "V3Score": 9.8
          },
          "redhat": {
            "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "V3Score": 5.9
          }
        },
        "References": [
          "https://sourceware.org/bugzilla/show_bug.cgi?id=27896",
          "https://sourceware.org/bugzilla/show_bug.cgi?id=27896#c1"
        ],
        "PublishedDate": "2021-05-25T22:15:00Z",
        "LastModifiedDate": "2021-06-03T13:15:00Z"
      },
...
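As an added example (not from the original post and not part of Trivy), the following Python script consumes the JSON structure shown above and turns the --severity / --exit-code idea into a tunable CI gate: it rebuilds the "Total: N (UNKNOWN: ..., CRITICAL: ...)" line from the table output and returns a non-zero exit code for findings at or above a chosen severity, optionally skipping findings that have no FixedVersion yet. The sample report is constructed from the page's entries; the FixedVersion given for curl is a made-up value for illustration, and the list-of-targets shape matches the v0.18 output shown on the page.

```python
import json
from collections import Counter

SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]  # Trivy's order
RANK = {s: i for i, s in enumerate(SEVERITIES)}

# Constructed sample shaped like `trivy --format json` (v0.18) output: a list of
# targets, each with "Vulnerabilities" (null when empty). curl's FixedVersion is made up.
SAMPLE_REPORT = json.dumps([{
    "Target": "nginx (debian 10.9)", "Type": "debian",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-33574", "PkgName": "libc-bin",
         "InstalledVersion": "2.28-10", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2021-22898", "PkgName": "curl",
         "InstalledVersion": "7.64.0-4+deb10u2",
         "FixedVersion": "7.64.0-4+deb10u3", "Severity": "LOW"},
        {"VulnerabilityID": "CVE-2018-12886", "PkgName": "gcc-8-base",
         "InstalledVersion": "8.3.0-6", "Severity": "HIGH"},
    ],
}])

def load_report(text):
    """Parse the JSON that `trivy --format json` writes to stdout."""
    return json.loads(text)

def findings(report):
    """Yield (target name, vuln dict); tolerate "Vulnerabilities": null."""
    for target in report:
        for vuln in target.get("Vulnerabilities") or []:
            yield target["Target"], vuln

def summary_line(report):
    """Rebuild Trivy's 'Total: N (UNKNOWN: .., CRITICAL: ..)' line."""
    counts = Counter({s: 0 for s in SEVERITIES})
    for _, vuln in findings(report):
        counts[vuln.get("Severity", "UNKNOWN")] += 1
    detail = ", ".join(f"{s}: {counts[s]}" for s in SEVERITIES)
    return f"Total: {sum(counts.values())} ({detail})"

def gate(report, min_severity="HIGH", fixable_only=False):
    """CI policy like --severity/--exit-code: return (exit_code, failing rows)."""
    failing = []
    for target, vuln in findings(report):
        sev = vuln.get("Severity", "UNKNOWN")
        if RANK.get(sev, 0) < RANK[min_severity]:
            continue
        if fixable_only and not vuln.get("FixedVersion"):  # no patched package yet
            continue
        failing.append((target, vuln["PkgName"], vuln["VulnerabilityID"], sev))
    return (1 if failing else 0), failing
```

Run it on a real report with `trivy --format json nginx > report.json` and pass the file contents to load_report; the returned exit code is what a CI step should propagate.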