一、下载并安装trivy漏洞扫描工具
下载:
https://github.com/aquasecurity/trivy/releases/download/v0.31.3/trivy_0.31.3_Linux-64bit.rpm
以下为centos平台的安装:
[root@localhost ~]# rpm -ivh trivy_0.31.3_Linux-64bit.rpm
Preparing... ################################# [100%]
Updating / installing...
1:trivy-0:0.31.3-1 ################################# [100%]
[root@localhost ~]#其他平台的安装和使用方法参考官网链接:
trivy官网A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI
https://aquasecurity.github.io/trivy/v0.31.3/getting-started/installation/
trivy工具帮助
[root@localhost ~]# trivy --help
Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
Usage:
trivy [global flags] command [flags] target
trivy [command]
Examples:
# Scan a container image
$ trivy image python:3.4-alpine
# Scan a container image from a tar archive
$ trivy image --input ruby-3.1.tar
# Scan local filesystem
$ trivy fs .
# Run in server mode
$ trivy server
Available Commands:
aws scan aws account
config Scan config files for misconfigurations
filesystem Scan local filesystem
help Help about any command
image Scan a container image
kubernetes scan kubernetes cluster
module Manage modules
plugin Manage plugins
repository Scan a remote repository
rootfs Scan rootfs
sbom Scan SBOM for vulnerabilities
server Server mode
version Print the version
Flags:
--cache-dir string cache directory (default "/root/.cache/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
-f, --format string version format (json)
--generate-default-config write the default config to trivy-default.yaml
-h, --help help for trivy
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
Use "trivy [command] --help" for more information about a command.
[root@localhost ~]#
二、下载镜像并镜像漏洞扫描
2.1 almalinux8.7 云原生镜像漏洞扫描
2.1.1 almalinux8.7下载去官网:
docker-hub官网-almalinux镜像下载
https://hub.docker.com/_/almalinux
[root@localhost ~]# docker pull almalinux:8.7
8.7: Pulling from library/almalinux
3fc9bb6a1ce5: Pull complete
Digest: sha256:e045e93d1a86963aa1bd4aa0aec05362ed529174d0d6c5617aa1116223b04d6f
Status: Downloaded newer image for almalinux:8.7
docker.io/library/almalinux:8.7
[root@localhost ~]#2.1.2 对almalinux:8.7镜像进行安全扫描
[root@localhost ~]# trivy image almalinux:8.7
2023-01-12T02:04:36.220+0800 INFO Vulnerability scanning is enabled
2023-01-12T02:04:36.220+0800 INFO Secret scanning is enabled
2023-01-12T02:04:36.220+0800 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-01-12T02:04:36.220+0800 INFO Please see also https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/#recommendation for faster secret detection
2023-01-12T02:04:41.567+0800 INFO Detected OS: alma
2023-01-12T02:04:41.567+0800 INFO Detecting AlmaLinux vulnerabilities...
2023-01-12T02:04:41.568+0800 INFO Number of language-specific files: 0
almalinux:8.7 (alma 8.7)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
[root@localhost ~]#2.1.3 almalinux:8.7镜像扫描结果
无漏洞
2.2 openeuler:22.03云原生镜像漏洞扫描
2.2.1 openeuler:22.03下载去官网:
docker-hub官网-openeuler镜像下载https://hub.docker.com/r/openeuler/openeuler/tags
[root@localhost ~]# docker pull openeuler/openeuler:22.03
22.03: Pulling from openeuler/openeuler
bed316d08390: Pull complete
986e755e283c: Pull complete
Digest: sha256:0ca0f215a0f9142c6b46fdedbc1f9f4c23a191e7f2e50bed33eff19d5ac2a158
Status: Downloaded newer image for openeuler/openeuler:22.03
docker.io/openeuler/openeuler:22.03
[root@localhost ~]#2.2.2 对openeuler:22.03镜像进行安全扫描
[root@localhost ~]# trivy image openeuler/openeuler:22.03
2023-01-12T01:59:42.883+0800 INFO Vulnerability scanning is enabled
2023-01-12T01:59:42.883+0800 INFO Secret scanning is enabled
2023-01-12T01:59:42.883+0800 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-01-12T01:59:42.883+0800 INFO Please see also https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/#recommendation for faster secret detection
2023-01-12T01:59:48.416+0800 INFO Detected OS: none
2023-01-12T01:59:48.416+0800 WARN unsupported os : none
2023-01-12T01:59:48.416+0800 INFO Number of language-specific files: 1
2023-01-12T01:59:48.416+0800 INFO Detecting python-pkg vulnerabilities...
[root@localhost ~]#
2.2.3 openeuler:22.03镜像扫描结果
trivy工具不支持openeuler的系统的漏洞扫描
2.3 rockylinux:8.7云原生镜像漏洞扫描
2.3.1 rockylinux:8.7下载去官网:
docker-hub官网-rockylinux镜像下载https://hub.docker.com/_/rockylinux
[root@localhost ~]# docker pull rockylinux:8.7
8.7: Pulling from library/rockylinux
5461c86c2e54: Pull complete
Digest: sha256:80fccd745a0f0ce80e02a50c271c6b59e85d780c47759edb2e5f4f0f4d73e31a
Status: Downloaded newer image for rockylinux:8.7
docker.io/library/rockylinux:8.7
[root@localhost ~]#2.3.2 对rockylinux:8.7镜像进行安全扫描
[root@localhost ~]# trivy image rockylinux:8.7
2023-01-12T01:49:48.588+0800 INFO Need to update DB
2023-01-12T01:49:48.588+0800 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2023-01-12T01:49:48.588+0800 INFO Downloading DB...
36.03 MiB / 36.03 MiB [-------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1.05 MiB p/s 34s
2023-01-12T01:50:25.590+0800 INFO Vulnerability scanning is enabled
2023-01-12T01:50:25.590+0800 INFO Secret scanning is enabled
2023-01-12T01:50:25.590+0800 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-01-12T01:50:25.590+0800 INFO Please see also https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/#recommendation for faster secret detection
2023-01-12T01:50:31.168+0800 INFO Detected OS: rocky
2023-01-12T01:50:31.168+0800 INFO Detecting Rocky Linux vulnerabilities...
2023-01-12T01:50:31.170+0800 INFO Number of language-specific files: 1
2023-01-12T01:50:31.170+0800 INFO Detecting python-pkg vulnerabilities...
rockylinux:8.7 (rocky 8.7)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
2023-01-12T01:50:31.189+0800 INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
Python (python-pkg)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
┌───────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├───────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────┤
│ setuptools (METADATA) │ CVE-2022-40897 │ HIGH │ 39.2.0 │ 65.5.1 │ pypa-setuptools: Regular Expression Denial of Service │
│ │ │ │ │ │ (ReDoS) in package_index.py │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-40897 │
└───────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────┘
[root@localhost ~]#2.3.3 rockylinux:8.7镜像扫描结果
setuptools (METADATA)存在一个高危漏洞
2.4 anolisos:8.6-x86_64云原生镜像漏洞扫描
2.4.1 anolisos:8.6-x86_64下载去官网:
docker-hub官网-anolisos镜像下载https://hub.docker.com/r/openanolis/anolisos
[root@localhost ~]# docker pull openanolis/anolisos:8.6-x86_64
8.6-x86_64: Pulling from openanolis/anolisos
f4bed4d02f43: Pull complete
Digest: sha256:0546f1e8b0526f5c0b554a6e5d96b5c7374dbc7260c22a9ca9110ba2a95393c3
Status: Downloaded newer image for openanolis/anolisos:8.6-x86_64
docker.io/openanolis/anolisos:8.6-x86_64
[root@localhost ~]# 2.4.2 对anolisos:8.6-x86_64镜像进行安全扫描
[root@localhost ~]# trivy image openanolis/anolisos:8.6-x86_64
2023-01-12T01:38:21.471+0800 INFO Vulnerability scanning is enabled
2023-01-12T01:38:21.472+0800 INFO Secret scanning is enabled
2023-01-12T01:38:21.472+0800 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-01-12T01:38:21.472+0800 INFO Please see also https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/#recommendation for faster secret detection
2023-01-12T01:38:26.584+0800 INFO Detected OS: none
2023-01-12T01:38:26.584+0800 WARN unsupported os : none
2023-01-12T01:38:26.584+0800 INFO Number of language-specific files: 1
2023-01-12T01:38:26.584+0800 INFO Detecting python-pkg vulnerabilities...
2023-01-12T01:38:26.585+0800 INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
Python (python-pkg)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
┌───────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├───────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────┤
│ setuptools (METADATA) │ CVE-2022-40897 │ HIGH │ 39.2.0 │ 65.5.1 │ pypa-setuptools: Regular Expression Denial of Service │
│ │ │ │ │ │ (ReDoS) in package_index.py │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-40897 │
└───────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────┘
[root@localhost ~]#2.4.3 anolisos:8.6-x86_64镜像扫描结果
setuptools (METADATA)存在一个高危漏洞
2.5 ubuntu:23.04云原生镜像漏洞扫描
2.5.1 ubuntu:23.04下载去官网:
docker-hub官网-ubuntu镜像下载https://hub.docker.com/_/ubuntu
[root@localhost ~]# docker pull ubuntu:23.04
23.04: Pulling from library/ubuntu
2627e5235478: Pull complete
Digest: sha256:2ca8fe42bcc2979f66dd80c2987a43cfc5502626094b7f838f89759173f3956b
Status: Downloaded newer image for ubuntu:23.04
docker.io/library/ubuntu:23.04
[root@localhost ~]#2.5.2 对ubuntu:23.04镜像进行安全扫描
[root@localhost ~]# trivy image ubuntu:23.04
2023-01-12T01:14:22.448+0800 INFO Vulnerability scanning is enabled
2023-01-12T01:14:22.448+0800 INFO Secret scanning is enabled
2023-01-12T01:14:22.448+0800 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-01-12T01:14:22.448+0800 INFO Please see also https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/#recommendation for faster secret detection
2023-01-12T01:14:24.518+0800 INFO Detected OS: ubuntu
2023-01-12T01:14:24.518+0800 WARN This OS version is not on the EOL list: ubuntu 23.04
2023-01-12T01:14:24.518+0800 INFO Detecting Ubuntu vulnerabilities...
2023-01-12T01:14:24.518+0800 INFO Number of language-specific files: 0
2023-01-12T01:14:24.518+0800 WARN This OS version is no longer supported by the distribution: ubuntu 23.04
2023-01-12T01:14:24.518+0800 WARN The vulnerability detection may be insufficient because security updates are not provided
ubuntu:23.04 (ubuntu 23.04)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
[root@localhost ~]#2.5.3 ubuntu:23.04镜像扫描结果
无漏洞
2.6 centos7.9.2009 云原生镜像漏洞扫描
2.6.1 centos7.9.2009 下载去官网:
docker-hub官网-centos镜像下载https://hub.docker.com/_/centos
[root@localhost ~]# docker pull centos:7.9.2009
7.9.2009: Pulling from library/centos
Digest: sha256:9d4bcbbb213dfd745b58be38b13b996ebb5ac315fe75711bd618426a630e0987
Status: Downloaded newer image for centos:7.9.2009
docker.io/library/centos:7.9.2009
[root@localhost ~]#2.6.2 对centos7.9.2009镜像进行安全扫描
[root@localhost ~]# trivy image centos:7.9.2009
2023-01-12T02:50:03.014+0800 INFO Vulnerability scanning is enabled
2023-01-12T02:50:03.014+0800 INFO Secret scanning is enabled
2023-01-12T02:50:03.014+0800 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-01-12T02:50:03.014+0800 INFO Please see also https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/#recommendation for faster secret detection
2023-01-12T02:50:03.020+0800 INFO Detected OS: centos
2023-01-12T02:50:03.020+0800 INFO Detecting RHEL/CentOS vulnerabilities...
2023-01-12T02:50:03.048+0800 INFO Number of language-specific files: 0
centos:7.9.2009 (centos 7.9.2009)
Total: 927 (UNKNOWN: 0, LOW: 461, MEDIUM: 442, HIGH: 21, CRITICAL: 3)
...
2.6.3 centos7.9.2009镜像扫描结果
Total: 927 (UNKNOWN: 0, LOW: 461, MEDIUM: 442, HIGH: 21, CRITICAL: 3)
2.7 对网上安装了组件的镜像进行扫描
docker pull how2j/centos7_tools_ftp_java_mysql55_tomcat7
trivy image how2j/centos7_tools_ftp_java_mysql55_tomcat7
2.7.1扫描结果3个严重,98个高危,812个中危
[root@localhost ~]# trivy image how2j/centos7_tools_ftp_java_mysql55_tomcat7
2023-01-12T02:58:08.823+0800 INFO Need to update DB
2023-01-12T02:58:08.823+0800 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2023-01-12T02:58:08.823+0800 INFO Downloading DB...
36.03 MiB / 36.03 MiB [------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 6.63 MiB p/s 5.6s
2023-01-12T02:58:16.322+0800 INFO Vulnerability scanning is enabled
2023-01-12T02:58:16.322+0800 INFO Secret scanning is enabled
2023-01-12T02:58:16.322+0800 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-01-12T02:58:16.322+0800 INFO Please see also https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/#recommendation for faster secret detection
2023-01-12T02:58:16.335+0800 INFO Detected OS: centos
2023-01-12T02:58:16.335+0800 INFO Detecting RHEL/CentOS vulnerabilities...
2023-01-12T02:58:16.379+0800 INFO Number of language-specific files: 1
2023-01-12T02:58:16.379+0800 INFO Detecting jar vulnerabilities...
how2j/centos7_tools_ftp_java_mysql55_tomcat7 (centos 7.6.1810)
Total: 1566 (UNKNOWN: 0, LOW: 653, MEDIUM: 812, HIGH: 98, CRITICAL: 3)
...
![[ docker相关知识 ] 删除 docker 拉取的容器 -- 解决删除镜像报错问题](https://img-blog.csdnimg.cn/cb001eb61b2f483ba7b20931249f7652.png)