Results of testing tools that detect unpatched vulnerabilities and identify security problems in isolated Docker container images. The check showed that 4 out of 6 well-known Docker image scanners contained critical vulnerabilities that allowed an attack on the scanner itself and execution of the attacker's code on the system, in some cases (for example, when using Snyk) with root privileges.
For the attack, an attacker only needs to submit for scanning a Dockerfile or manifest.json that contains specially crafted metadata, or to place Podfile and gradlew files inside the image. Exploits were prepared for the four affected systems, FOSSA, Snyk, WhiteSource and Anchore. One of the two remaining scanners, which was originally written with security in mind, showed the best protection; no problems were found in the other either. As a result, it was concluded that Docker container scanners should be run in isolated environments or used only to check one's own images, and that care should be taken when connecting such tools to automated continuous integration systems.
In FOSSA, Snyk and WhiteSource, the vulnerability was related to calling an external package manager to resolve dependencies, and it allowed the attacker to arrange execution of their own code by placing touch and other system commands in the Podfile and gradlew files.
Snyk and WhiteSource also contain vulnerabilities related to how system commands are launched when a Dockerfile is parsed (for example, in Snyk the /bin/ls utility called by the scanner can be replaced via the Dockerfile, and in WhiteSource code can be injected through arguments of the form "echo';touch /tmp/hacked_whitesource_pip;=1.0'").
In Anchore, the vulnerability was caused by the use of the skopeo utility for working with Docker images. The attack boiled down to adding parameters such as '"os": "$(touch hacked_anchore)"' to the manifest.json file, which were substituted into the skopeo call without proper escaping (only the characters ";&<>" were stripped, but not the "$()" construct).
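The Anchore case above is a textbook instance of a character blacklist failing where an allowlist plus argv-based process construction would have held. The following is an added example, not code from the article or from Anchore, skopeo or any other scanner project: it models the weak filter the article describes (strip ";&<>" and nothing else), shows that the "$()" construct survives it, and contrasts it with validating manifest fields against a strict token pattern and passing them to skopeo as separate argv elements so no shell ever parses them. The manifest fragment, image reference and helper names are constructed for illustration; the exact way Anchore invoked skopeo is not on the page, and the `--override-os` / `--override-arch` flags are used here only as a plausible invocation shape.

```python
"""Added example (not from the article or any scanner project): blacklist filtering
versus allowlist validation for manifest.json fields handed to a subprocess."""
import json
import re

# Constructed manifest.json fragment shaped like the payload quoted in the article:
# the "os" field carries a shell command substitution.
CONSTRUCTED_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "os": "$(touch hacked_anchore)",
    "architecture": "amd64",
})

# Constructed benign manifest fragment for the positive case.
CONSTRUCTED_SAFE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "os": "linux",
    "architecture": "amd64",
})

BLACKLIST = set(";&<>")


def strip_blacklist(value: str) -> str:
    """Weak filter: drop ';', '&', '<', '>' and nothing else.
    This mirrors the filtering the article describes; it leaves "$()" intact."""
    return "".join(ch for ch in value if ch not in BLACKLIST)


def contains_shell_metachars(value: str) -> bool:
    """Detection helper: is there still shell-interpreted syntax in the string?
    Useful as a unit test on any sanitizer, or as a log-line check."""
    return re.search(r"[$`\\\"'|;&<>(){}\n]", value) is not None


def weak_command_line(manifest_json: str, image_ref: str) -> str:
    """The risky pattern: filtered values concatenated into one shell command string.
    Returned as a string only; nothing here is executed."""
    m = json.loads(manifest_json)
    return (f"skopeo --override-os {strip_blacklist(m['os'])} "
            f"--override-arch {strip_blacklist(m['architecture'])} inspect {image_ref}")


# Allowlist: an OS or architecture field in an image manifest is a short token such as
# "linux" or "amd64"; anything outside that shape is rejected rather than cleaned.
SAFE_TOKEN = re.compile(r"[a-z0-9][a-z0-9._-]{0,31}")


def validate_token(value: object) -> str:
    """Reject any manifest field value that is not a plain token."""
    if not isinstance(value, str) or SAFE_TOKEN.fullmatch(value) is None:
        raise ValueError(f"rejected manifest field value: {value!r}")
    return value


def build_skopeo_argv(manifest_json: str, image_ref: str) -> list[str]:
    """Hardened path: validate the fields, then build an argv list.
    Passing this list to subprocess.run() without shell=True means the values are
    delivered to skopeo as literal arguments and never interpreted by a shell."""
    m = json.loads(manifest_json)
    os_name = validate_token(m.get("os"))
    arch = validate_token(m.get("architecture"))
    return ["skopeo", "--override-os", os_name, "--override-arch", arch, "inspect", image_ref]


if __name__ == "__main__":
    ref = "docker://example.invalid/demo:1"  # constructed image reference
    print("weak:", weak_command_line(CONSTRUCTED_MANIFEST, ref))
    try:
        build_skopeo_argv(CONSTRUCTED_MANIFEST, ref)
    except ValueError as exc:
        print("hardened:", exc)
    print("hardened ok:", build_skopeo_argv(CONSTRUCTED_SAFE_MANIFEST, ref))
```

The design point is that a scanner parsing attacker-controlled image metadata should treat every field as hostile input: validate its shape against what the spec allows, and hand it to helper tools as discrete arguments rather than as text a shell will re-parse. Running the scanner itself in an isolated environment, as the article recommends, is the second layer for the cases a validator misses.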
The same author conducted a study of how effectively Docker container security scanners detect unpatched vulnerabilities, and of their false-positive rate (, , ). Below are the results of testing 73 images containing known vulnerabilities, as well as an assessment of how effectively the scanners determine the presence of typical applications in images (nginx, tomcat, haproxy, gunicorn, redis, ruby, node).
source: budenet.ru
