A vulnerability-check command, docker scan, has been added to the docker binary

Official documentation

Prerequisite: Docker version

Client: Docker Engine - Community
Cloud integration: 1.0.4
Version: 20.10.0
API version: 1.41
Go version: go1.13.15
Git commit: 7287ab3
Built: Tue Dec 8 18:59:53 2020
OS/Arch: linux/amd64
Context: default
Experimental: true

Server: Docker Engine - Community
Engine:
Version: 20.10.0
API version: 1.41 (minimum version 1.12)
Go version: go1.13.15
Git commit: eeddea2
Built: Tue Dec 8 18:58:04 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.4.3
GitCommit: 269548fa27e0089a8b8278fc4fc781d7f65a939b
runc:
Version: 1.0.0-rc92
GitCommit: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
docker-init:
Version: 0.19.0
GitCommit: de40ad0

Checking a local image for vulnerabilities

For example, scanning the hashicorp/terraform image that happened to be on my machine at the time gave the following output.

// Usage: docker scan [name of the image to check for vulnerabilities]
$ docker scan hashicorp/terraform:0.14.2
Testing hashicorp/terraform:0.14.2...

✗ Medium severity vulnerability found in openssl/libcrypto1.1
Description: NULL Pointer Dereference
Info: https://snyk.io/vuln/SNYK-ALPINE312-OPENSSL-1050745
Introduced through: openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0, apk-tools/apk-tools@2.10.5-r1, libtls-standalone/libtls-standalone@2.9.1-r1, ca-certificates/ca-certificates@20191127-r4, curl/libcurl@7.69.1-r1, openssh/openssh-client@8.3_p1-r0, openssh/openssh-server@8.3_p1-r0, openssh/openssh-sftp-server@8.3_p1-r0, openssh/openssh@8.3_p1-r0, openssh/openssh-keygen@8.3_p1-r0
From: openssl/libcrypto1.1@1.1.1g-r0
From: openssl/libssl1.1@1.1.1g-r0 > openssl/libcrypto1.1@1.1.1g-r0
From: apk-tools/apk-tools@2.10.5-r1 > openssl/libcrypto1.1@1.1.1g-r0
and 12 more...
Fixed in: 1.1.1i-r0

✗ Medium severity vulnerability found in openssh/openssh-client
Description: Information Exposure
Info: https://snyk.io/vuln/SNYK-ALPINE312-OPENSSH-1051927
Introduced through: openssh/openssh-client@8.3_p1-r0, openssh/openssh@8.3_p1-r0, openssh/openssh-server@8.3_p1-r0, openssh/openssh-sftp-server@8.3_p1-r0, openssh/openssh-keygen@8.3_p1-r0, openssh/openssh-server-common@8.3_p1-r0
From: openssh/openssh-client@8.3_p1-r0
From: openssh/openssh@8.3_p1-r0 > openssh/openssh-client@8.3_p1-r0
From: openssh/openssh-server@8.3_p1-r0
and 9 more...
Fixed in: 8.3_p1-r1

✗ Medium severity vulnerability found in musl/musl
Description: Out-of-bounds Write
Info: https://snyk.io/vuln/SNYK-ALPINE312-MUSL-1042762
Introduced through: musl/musl@1.1.24-r9, busybox/busybox@1.31.1-r19, alpine-baselayout/alpine-baselayout@3.2.0-r7, openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0, zlib/zlib@1.2.11-r3, apk-tools/apk-tools@2.10.5-r1, libtls-standalone/libtls-standalone@2.9.1-r1, busybox/ssl_client@1.31.1-r19, ca-certificates/ca-certificates@20191127-r4, nghttp2/nghttp2-libs@1.41.0-r0, curl/libcurl@7.69.1-r1, expat/expat@2.2.9-r1, pcre2/pcre2@10.35-r0, git/git@2.26.2-r0, musl/musl-utils@1.1.24-r9, ncurses/ncurses-libs@6.2_p20200523-r0, libedit/libedit@20191231.3.1-r0, pax-utils/scanelf@1.2.6-r0, openssh/openssh-client@8.3_p1-r0, openssh/openssh-server@8.3_p1-r0, openssh/openssh-sftp-server@8.3_p1-r0, openssh/openssh@8.3_p1-r0, openssh/openssh-keygen@8.3_p1-r0, libc-dev/libc-utils@0.7.2-r3
From: musl/musl@1.1.24-r9
From: busybox/busybox@1.31.1-r19 > musl/musl@1.1.24-r9
From: alpine-baselayout/alpine-baselayout@3.2.0-r7 > musl/musl@1.1.24-r9
and 23 more...
Fixed in: 1.1.24-r10

✗ High severity vulnerability found in curl/libcurl
Description: Use After Free
Info: https://snyk.io/vuln/SNYK-ALPINE312-CURL-1050049
Introduced through: curl/libcurl@7.69.1-r1, git/git@2.26.2-r0
From: curl/libcurl@7.69.1-r1
From: git/git@2.26.2-r0 > curl/libcurl@7.69.1-r1
Fixed in: 7.69.1-r2

✗ High severity vulnerability found in curl/libcurl
Description: Out-of-bounds Write
Info: https://snyk.io/vuln/SNYK-ALPINE312-CURL-1050731
Introduced through: curl/libcurl@7.69.1-r1, git/git@2.26.2-r0
From: curl/libcurl@7.69.1-r1
From: git/git@2.26.2-r0 > curl/libcurl@7.69.1-r1
Fixed in: 7.69.1-r3

✗ High severity vulnerability found in curl/libcurl
Description: Improper Certificate Validation
Info: https://snyk.io/vuln/SNYK-ALPINE312-CURL-1050732
Introduced through: curl/libcurl@7.69.1-r1, git/git@2.26.2-r0
From: curl/libcurl@7.69.1-r1
From: git/git@2.26.2-r0 > curl/libcurl@7.69.1-r1
Fixed in: 7.69.1-r3

Organization: undefined
Package manager: apk
Project name: docker-image|hashicorp/terraform
Docker image: hashicorp/terraform:0.14.2
Platform: linux/amd64

Tested 29 dependencies for known vulnerabilities, found 6 vulnerabilities.

For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp
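The report above is plain text, so a CI job that runs `docker scan` needs something to turn it into a pass/fail decision. The following POSIX shell script is an added example, not code from the original post or from Docker: it parses the report format shown above, counts findings per severity, and fails when any finding is at or above a chosen threshold. The embedded report is a constructed, abridged sample in the same shape as the real output; the four-level ladder Low < Medium < High < Critical is assumed from Snyk's severity levels; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: a small CI gate for the plain-text
# report that `docker scan IMAGE` prints. Function names are this example's own.

# Constructed sample report (abridged, same shape as the real output above).
SAMPLE_REPORT='Testing example/image:1.0...

✗ Medium severity vulnerability found in musl/musl
  Description: Out-of-bounds Write
  Fixed in: 1.1.24-r10

✗ High severity vulnerability found in curl/libcurl
  Description: Use After Free
  Fixed in: 7.69.1-r2

✗ High severity vulnerability found in curl/libcurl
  Description: Improper Certificate Validation
  Fixed in: 7.69.1-r3

Tested 29 dependencies for known vulnerabilities, found 3 vulnerabilities.'

# severity_rank NAME: map a severity word to a number so thresholds can be compared.
# The four-level ladder (Low < Medium < High < Critical) is assumed from Snyk's levels.
severity_rank() {
  case "$1" in
    Low)      echo 1 ;;
    Medium)   echo 2 ;;
    High)     echo 3 ;;
    Critical) echo 4 ;;
    *)        echo 0 ;;
  esac
}

# count_findings SEVERITY: count finding headers of one severity in the report on stdin.
# grep -c still prints 0 but exits 1 when nothing matches, so that exit code is ignored.
count_findings() {
  grep -c "$1 severity vulnerability found in" || true
}

# gate_report THRESHOLD: read a report on stdin and succeed only when no finding is
# at or above THRESHOLD, so the function can be used directly as a CI step.
gate_report() {
  threshold=$(severity_rank "$1")
  report=$(cat)
  blocking=0
  for sev in Low Medium High Critical; do
    n=$(printf '%s\n' "$report" | count_findings "$sev")
    echo "$sev: $n"
    if [ "$(severity_rank "$sev")" -ge "$threshold" ]; then
      blocking=$((blocking + n))
    fi
  done
  echo "findings at or above $1: $blocking"
  [ "$blocking" -eq 0 ]
}

# Demo on the constructed sample: a High threshold blocks this report.
printf '%s\n' "$SAMPLE_REPORT" | gate_report High || echo "gate: FAIL (build would stop here)"
```

In a real pipeline the report comes from the command itself, e.g. `docker scan hashicorp/terraform:0.14.2 | gate_report High`; the match relies on the English "… severity vulnerability found in" header lines exactly as they appear in the output above, so a change in that wording would need the grep pattern updated.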

Related articles

Notes on trying hadolint, a Dockerfile linter | 7me