{"id":4025,"date":"2021-06-13T21:25:55","date_gmt":"2021-06-13T12:25:55","guid":{"rendered":"https:\/\/tech.akat.info\/?p=4025"},"modified":"2021-06-13T21:25:55","modified_gmt":"2021-06-13T12:25:55","slug":"trivy%e3%82%92%e4%bd%bf%e3%81%a3%e3%81%a6%e3%82%b3%e3%83%b3%e3%83%86%e3%83%8a%e3%82%a4%e3%83%a1%e3%83%bc%e3%82%b8%e3%81%ae%e8%84%86%e5%bc%b1%e6%80%a7%e3%82%92%e3%82%b9%e3%82%ad%e3%83%a3%e3%83%b3","status":"publish","type":"post","link":"https:\/\/tech.akat.info\/?p=4025","title":{"rendered":"Scanning container images for vulnerabilities with Trivy (Ubuntu)"},"content":{"rendered":"<p>\u30fb<a href=\"https:\/\/github.com\/aquasecurity\/trivy\">Trivy<\/a> is a simple vulnerability scanner developed mainly by Aqua Security Software.<br \/>\n\u30fbIt needs no separately installed database server, so checking an image for vulnerabilities is easy (Clair requires PostgreSQL). Trivy fetches its vulnerability database into a local cache on first run, so the scanning host needs outbound network access at that point.<\/p>\n<h2>Environment<\/h2>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# lsb_release -a\r\nNo LSB modules are available.\r\nDistributor ID: Ubuntu\r\nDescription:    Ubuntu 18.04.5 LTS\r\nRelease:        18.04\r\nCodename:       bionic\r\n\r\n# docker -v\r\nDocker version 20.10.7, build f0df350\r\n<\/pre>\n<h2>Installing Trivy<\/h2>\n<p>Following the official <a href=\"https:\/\/aquasecurity.github.io\/trivy\/v0.18.3\/installation\/\">Installation<\/a> page, I added the apt repository and installed Trivy with apt. Two cautions about the commands below: apt-key add trusts the imported key for every apt repository on the system, not only Trivy's, and apt-key is deprecated in newer apt releases (it still works on 18.04); storing the key under \/usr\/share\/keyrings and pointing the sources entry at it with a signed-by option limits the trust to this one repository.<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# apt-get install wget apt-transport-https gnupg lsb-release\r\n# wget -qO - https:\/\/aquasecurity.github.io\/trivy-repo\/deb\/public.key | apt-key add -\r\n# echo deb https:\/\/aquasecurity.github.io\/trivy-repo\/deb $(lsb_release -sc) main | tee -a \/etc\/apt\/sources.list.d\/trivy.list\r\n# apt update\r\n# apt install trivy\r\n# trivy --version\r\nVersion: 0.18.3\r\n<\/pre>\n<h2>Running a vulnerability scan<\/h2>\n<p>The nginx image already pulled on this host is scanned. Trivy 0.18 accepts the image name directly (trivy nginx) as well as the trivy image nginx form. In the table, a blank SEVERITY cell means the same severity as the row above (adjacent identical cells are merged), so for example curl CVE-2021-22898 is listed as LOW here; the FIXED VERSION column is empty when Debian had not yet shipped a fixed package.<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# docker images | grep nginx\r\nnginx              latest        f0b8a9a54136   4 weeks ago     133MB\r\n\r\n# trivy nginx\r\n2021-06-13T21:21:35.295+0900    INFO    Detected OS: debian\r\n2021-06-13T21:21:35.296+0900    INFO    Detecting Debian vulnerabilities...\r\n2021-06-13T21:21:35.312+0900    INFO    Number of PL dependency files: 1\r\n\r\nnginx (debian 10.9)\r\n===================\r\nTotal: 172 (UNKNOWN: 0, LOW: 113, MEDIUM: 14, HIGH: 28, CRITICAL: 17)\r\n\r\n+------------------+---------------------+----------+---------------------------+-------------------+--------------------------------------------------------------+\r\n|     LIBRARY      |  VULNERABILITY ID   | SEVERITY |     INSTALLED VERSION     |   FIXED VERSION   |                            TITLE                             |\r\n+------------------+---------------------+----------+---------------------------+-------------------+--------------------------------------------------------------+\r\n| apt              | CVE-2011-3374       | LOW      | 1.8.2.3                   |                   | It was found that apt-key in apt,                            |\r\n|                  |                     |          |                           |                   | all versions, do not correctly...                            
|\r\n|                  |                     |          |                           |                   | --&gt;avd.aquasec.com\/nvd\/cve-2011-3374                         |\r\n+------------------+---------------------+          +---------------------------+-------------------+--------------------------------------------------------------+\r\n| bash             | CVE-2019-18276      |          | 5.0-4                     |                   | bash: when effective UID is not                              |\r\n|                  |                     |          |                           |                   | equal to its real UID the...                                 |\r\n|                  |                     |          |                           |                   | --&gt;avd.aquasec.com\/nvd\/cve-2019-18276                        |\r\n+                  +---------------------+          +                           +-------------------+--------------------------------------------------------------+\r\n|                  | TEMP-0841856-B18BAF |          |                           |                   | --&gt;security-tracker.debian.org\/tracker\/TEMP-0841856-B18BAF   |\r\n+------------------+---------------------+          +---------------------------+-------------------+--------------------------------------------------------------+\r\n| coreutils        | CVE-2016-2781       |          | 8.30-3                    |                   | coreutils: Non-privileged                                    |\r\n|                  |                     |          |                           |                   | session can escape to the                                    |\r\n|                  |                     |          |                           |                   | parent session in chroot                                     |\r\n|                  |                     |          |                           |                   | 
--&gt;avd.aquasec.com\/nvd\/cve-2016-2781                         |\r\n+                  +---------------------+          +                           +-------------------+--------------------------------------------------------------+\r\n|                  | CVE-2017-18018      |          |                           |                   | coreutils: race condition                                    |\r\n|                  |                     |          |                           |                   | vulnerability in chown and chgrp                             |\r\n|                  |                     |          |                           |                   | --&gt;avd.aquasec.com\/nvd\/cve-2017-18018                        |\r\n+------------------+---------------------+          +---------------------------+-------------------+--------------------------------------------------------------+\r\n| curl             | CVE-2021-22898      |          | 7.64.0-4+deb10u2          |                   | curl: TELNET stack                                           |\r\n|                  |                     |          |                           |                   | contents disclosure                                          |\r\n|                  |                     |          |                           |                   | --&gt;avd.aquasec.com\/nvd\/cve-2021-22898                        |\r\n+------------------+---------------------+----------+---------------------------+-------------------+--------------------------------------------------------------+\r\n| gcc-8-base       | CVE-2018-12886      | HIGH     | 8.3.0-6                   |                   | gcc: spilling of stack                                       |\r\n|                  |                     |          |                           |                   | protection address in cfgexpand.c                            |\r\n|                  |                     |          |                  
         |                   | and function.c leads to...                                   |\r\n|                  |                     |          |                           |                   | --&gt;avd.aquasec.com\/nvd\/cve-2018-12886                        |\r\n+                  +---------------------+          +                           +-------------------+--------------------------------------------------------------+\r\n|                  | CVE-2019-15847      |          |                           |                   | gcc: POWER9 &quot;DARN&quot; RNG intrinsic                             |\r\n|                  |                     |          |                           |                   | produces repeated output                                     |\r\n|                  |                     |          |                           |                   | --&gt;avd.aquasec.com\/nvd\/cve-2019-15847                        |\r\n+------------------+---------------------+----------+---------------------------+-------------------+--------------------------------------------------------------+\r\n| gpgv             | CVE-2019-14855      | LOW      | 2.2.12-1+deb10u1          |                   | gnupg2: OpenPGP Key Certification                            |\r\n|                  |                     |          |                           |                   | Forgeries with SHA-1                                         |\r\n|                  |                     |          |                           |                   | --&gt;avd.aquasec.com\/nvd\/cve-2019-14855                        |\r\n+------------------+---------------------+          +---------------------------+-------------------+--------------------------------------------------------------+\r\n| libapt-pkg5.0    | CVE-2011-3374       |          | 1.8.2.3                   |                   | It was found that apt-key in apt,                            |\r\n|                  |          
           |          |                           |                   | all versions, do not correctly...                            |\r\n|                  |                     |          |                           |                   | --&gt;avd.aquasec.com\/nvd\/cve-2011-3374                         |\r\n+------------------+---------------------+----------+---------------------------+-------------------+--------------------------------------------------------------+\r\n...\r\n<\/pre>\n<p><a href=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2021\/06\/2021-06-13_211011.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2021\/06\/2021-06-13_211011-300x123.jpg\" alt=\"\" width=\"300\" height=\"123\" class=\"alignnone size-medium wp-image-4026\" srcset=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2021\/06\/2021-06-13_211011-300x123.jpg 300w, https:\/\/tech.akat.info\/wp-content\/uploads\/2021\/06\/2021-06-13_211011-1024x419.jpg 1024w, https:\/\/tech.akat.info\/wp-content\/uploads\/2021\/06\/2021-06-13_211011-768x315.jpg 768w, https:\/\/tech.akat.info\/wp-content\/uploads\/2021\/06\/2021-06-13_211011-1536x629.jpg 1536w, https:\/\/tech.akat.info\/wp-content\/uploads\/2021\/06\/2021-06-13_211011-2048x839.jpg 2048w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<h3>Making the output easier to read<\/h3>\n<p>Here the severity filter is restricted to CRITICAL (the default is &quot;UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL&quot;) and the report is written as JSON.<br \/>\nFor CI use there is also an --exit-code option that makes Trivy exit with the given code when vulnerabilities are found (for example --exit-code 1 to fail the job), and --ignore-unfixed, which drops findings for which the distribution has not yet published a fixed package. Two details of the JSON below matter when gating a pipeline on it: the CRITICAL rating comes from NVD (SeveritySource is nvd, V3Score 9.8) while Red Hat scores the same CVE 5.9, and the entry has no FixedVersion, so a gate on CRITICAL alone would fail the build on a finding that no package upgrade can yet remove.<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# trivy --severity CRITICAL --format json nginx\r\n2021-06-13T21:20:28.473+0900    INFO    Detected OS: debian\r\n2021-06-13T21:20:28.474+0900    INFO    Detecting Debian vulnerabilities...\r\n2021-06-13T21:20:28.488+0900    INFO    Number of PL dependency files: 1\r\n&#x5B;\r\n  {\r\n    &quot;Target&quot;: &quot;nginx (debian 10.9)&quot;,\r\n    &quot;Type&quot;: &quot;debian&quot;,\r\n    &quot;Vulnerabilities&quot;: &#x5B;\r\n      {\r\n        &quot;VulnerabilityID&quot;: &quot;CVE-2021-33574&quot;,\r\n        &quot;PkgName&quot;: &quot;libc-bin&quot;,\r\n        &quot;InstalledVersion&quot;: &quot;2.28-10&quot;,\r\n        &quot;Layer&quot;: {\r\n          &quot;DiffID&quot;: &quot;sha256:02c055ef67f5904019f43a41ea5f099996d8e7633749b6e606c400526b2c4b33&quot;\r\n        },\r\n        &quot;SeveritySource&quot;: &quot;nvd&quot;,\r\n        &quot;PrimaryURL&quot;: &quot;https:\/\/avd.aquasec.com\/nvd\/cve-2021-33574&quot;,\r\n        &quot;Title&quot;: &quot;glibc: mq_notify does not handle separately allocated thread attributes&quot;,\r\n        &quot;Description&quot;: &quot;The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. 
It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.&quot;,\r\n        &quot;Severity&quot;: &quot;CRITICAL&quot;,\r\n        &quot;CweIDs&quot;: &#x5B;\r\n          &quot;CWE-416&quot;\r\n        ],\r\n        &quot;CVSS&quot;: {\r\n          &quot;nvd&quot;: {\r\n            &quot;V2Vector&quot;: &quot;AV:N\/AC:L\/Au:N\/C:P\/I:P\/A:P&quot;,\r\n            &quot;V3Vector&quot;: &quot;CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H&quot;,\r\n            &quot;V2Score&quot;: 7.5,\r\n            &quot;V3Score&quot;: 9.8\r\n          },\r\n          &quot;redhat&quot;: {\r\n            &quot;V3Vector&quot;: &quot;CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H&quot;,\r\n            &quot;V3Score&quot;: 5.9\r\n          }\r\n        },\r\n        &quot;References&quot;: &#x5B;\r\n          &quot;https:\/\/sourceware.org\/bugzilla\/show_bug.cgi?id=27896&quot;,\r\n          &quot;https:\/\/sourceware.org\/bugzilla\/show_bug.cgi?id=27896#c1&quot;\r\n        ],\r\n        &quot;PublishedDate&quot;: &quot;2021-05-25T22:15:00Z&quot;,\r\n        &quot;LastModifiedDate&quot;: &quot;2021-06-03T13:15:00Z&quot;\r\n      },\r\n...\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\u30fbTrivy is a simple vulnerability scanner developed mainly by Aqua Security Software. \u30fbIt needs no separately installed database server, so checking an image for vulnerabilities is easy (Clair requires PostgreSQL). Environment 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[72],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/4025"}],"collection":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4025"}],"version-history":[{"count":1,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/4025\/revisions"}],"predecessor-version":[{"id":4027,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/4025\/revisions\/4027"}],"wp:attachment":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4025"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4025"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4025"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
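The JSON report in the post's last section is what a CI job would consume. The script below is an added example, not code from the original post or from the Trivy project. It runs Trivy through the image subcommand with the same --format json option used in the post, flattens the 0.18-style report (a list of targets, each with a Vulnerabilities array in which FixedVersion is simply absent when the distribution has no fixed package, as in the libc-bin entry above), counts findings per severity, and applies the same policy as --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1, but returns the list of blocking findings so the job log shows why it failed. The embedded sample report is constructed: the three unfixed entries copy package, version and severity from the post's output, EXAMPLE-0001 / libexample is a placeholder fixable finding, the second target with a null Vulnerabilities value is an assumption added to show that case is tolerated, and the trivy invocation itself is not exercised offline.

```python
"""CI gate over a Trivy JSON report (added example; assumes Trivy 0.18-style output)."""
import json
import subprocess
import sys
from collections import Counter
from typing import Dict, List, Tuple

# Trivy's severity scale, lowest to highest (same order as its --severity default list).
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

# Constructed sample in the shape of the post's `trivy --format json` output.
# The three unfixed entries copy package, version and severity from the post;
# EXAMPLE-0001 / libexample is a placeholder with a fixed version; the second
# target with a null Vulnerabilities value is assumed, not taken from the post.
SAMPLE_REPORT = [
    {
        "Target": "nginx (debian 10.9)",
        "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-33574", "PkgName": "libc-bin",
             "InstalledVersion": "2.28-10", "Severity": "CRITICAL",
             "SeveritySource": "nvd"},            # no FixedVersion: nothing to upgrade to
            {"VulnerabilityID": "CVE-2018-12886", "PkgName": "gcc-8-base",
             "InstalledVersion": "8.3.0-6", "Severity": "HIGH",
             "SeveritySource": "nvd"},
            {"VulnerabilityID": "CVE-2011-3374", "PkgName": "apt",
             "InstalledVersion": "1.8.2.3", "Severity": "LOW",
             "SeveritySource": "nvd"},
            {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
             "Severity": "HIGH", "SeveritySource": "nvd"},   # placeholder, fixable
        ],
    },
    {"Target": "app (constructed)", "Type": "pip", "Vulnerabilities": None},
]


def run_trivy(image: str) -> list:
    """Scan `image` with Trivy and return the parsed JSON report (needs trivy on PATH).
    The global --quiet flag keeps log lines off the output so stdout is pure JSON."""
    cmd = ["trivy", "--quiet", "image", "--format", "json", image]
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def flatten(report: list) -> List[dict]:
    """Turn the per-target report into one flat list of findings.
    A target's Vulnerabilities may be null or missing; treat that as no findings."""
    findings = []
    for target in report or []:
        for v in target.get("Vulnerabilities") or []:
            findings.append({
                "target": target.get("Target", ""),
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),       # "" means no fixed package yet
                "severity": v.get("Severity", "UNKNOWN"),
                "source": v.get("SeveritySource", ""),   # who assigned the rating (e.g. nvd)
            })
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Counts per severity, in the order Trivy prints its Total line."""
    counts = Counter(f["severity"] for f in findings)
    return {name: counts.get(name, 0) for name in SEVERITY_ORDER}


def gate(findings: List[dict], fail_on: str = "HIGH",
         ignore_unfixed: bool = True) -> Tuple[int, List[dict]]:
    """Exit code 1 when a finding at or above `fail_on` remains. With
    ignore_unfixed, findings without a FixedVersion do not block the build
    (the policy of --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1)."""
    threshold = RANK[fail_on]
    blocking = [f for f in findings
                if RANK.get(f["severity"], 0) >= threshold
                and (f["fixed"] or not ignore_unfixed)]
    return (1 if blocking else 0), blocking


def report_lines(findings: List[dict], blocking: List[dict]) -> List[str]:
    """Human-readable summary: a Total line plus one line per blocking finding."""
    totals = summarize(findings)
    lines = ["Total: %d (%s)" % (len(findings),
             ", ".join("%s: %d" % (k, v) for k, v in totals.items()))]
    for f in blocking:
        lines.append("%-9s %-16s %-12s %s -> %s [%s]" % (
            f["severity"], f["id"], f["pkg"], f["installed"],
            f["fixed"] or "no fix", f["source"]))
    return lines


if __name__ == "__main__":
    # With an image name: scan it for real; without one: run over the constructed sample.
    image = sys.argv[1] if len(sys.argv) > 1 else None
    found = flatten(run_trivy(image)) if image else flatten(SAMPLE_REPORT)
    exit_code, blockers = gate(found)
    print("\n".join(report_lines(found, blockers)))
    sys.exit(exit_code)
```

Run as `python3 gate.py nginx` in the job; the exit code is what the CI runner acts on. Against the sample, the default gate fails only on the placeholder fixable HIGH, the CRITICAL glibc entry is reported but does not block because no fixed package exists, and switching ignore_unfixed off makes it block, which is the trade-off to decide before wiring --exit-code into a pipeline.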