Vulnerabilities in Docker container image security scanners

Results have been published from testing tools that detect unpatched vulnerabilities and other security problems in Docker container images. The study showed that 4 of the 6 well-known Docker scanners examined had vulnerabilities that allowed the scanner itself to be attacked and code to be executed on the host it runs on, in some cases (for example, with Snyk) with root privileges.

To mount an attack, the attacker only needs to trigger a scan of a Dockerfile or manifest.json containing specially crafted metadata, or to place Podfile and gradlew files inside the image. Working exploit prototypes were prepared for WhiteSource, Snyk, Fossa and Anchore. The best protection was shown by Clair, which was written from the outset with security in mind; no problems were identified in the sixth scanner tested either. The conclusion was that Docker container scanners should be run in an isolated environment or used only to check one's own images, and that care should be taken when wiring such tools into automated continuous integration pipelines.

In FOSSA, Snyk and WhiteSource the vulnerability stemmed from calling an external package manager to resolve dependencies, which lets an attacker run arbitrary code by placing commands in the gradlew and Podfile files shipped inside the image: the scanner executes those files rather than treating them as data.

Snyk and WhiteSource also had vulnerabilities related to launching system commands while processing the Dockerfile (for example, in Snyk a Dockerfile could replace the /bin/ls utility that the scanner calls, and in WhiteSource code could be injected through arguments of the form "echo '; touch /tmp/hacked_whitesource_pip;=1.0'").

The vulnerability in Anchore was caused by its use of the skopeo utility for working with Docker images. The attack amounted to adding parameters such as '"os": "$(touch hacked_anchore)"' to the manifest.json file; these values were substituted into the skopeo invocation without proper escaping (only the characters ";&<>" were stripped, while the "$( )" command-substitution construct was left intact).
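The Anchore and WhiteSource cases above share one root cause: an attacker-controlled string is filtered with a short blocklist and then interpolated into a command line that a shell interprets. The following is an added example, not code from the article or from Anchore, Snyk or WhiteSource. It reproduces that pattern against a constructed manifest.json fragment (the `os` field carries a harmless `$(echo INJECTED)` instead of the article's `touch` payload) and puts the hardened version beside it. The `echo --override-os` command stands in for the real skopeo call and the JSON shape is assumed for illustration.

```python
import json
import re
import subprocess

# Constructed manifest.json fragment (not a real OCI manifest; assumed shape).
# The "os" value carries a $( ) command substitution, mirroring the
# payload style described for Anchore.
CRAFTED_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "os": "$(echo INJECTED)",
    "architecture": "amd64",
})

# Characters the flawed filter strips. "$", "(", ")" and backticks, which
# drive command substitution in /bin/sh, are not on the list.
BLOCKLIST = set(";&<>")


def naive_sanitize(value: str) -> str:
    """Reproduces the inadequate filtering: drop ;&<> and nothing else."""
    return "".join(c for c in value if c not in BLOCKLIST)


def run_vulnerable(manifest_json: str) -> str:
    """Interpolates the filtered value into a command *string* run by a shell.

    'echo --override-os' is a stand-in for the skopeo invocation (assumption
    for this example). The defect is shell=True plus string interpolation:
    the blocklist removed nothing useful, so $( ) is still evaluated.
    """
    os_field = naive_sanitize(json.loads(manifest_json)["os"])
    cmd = f'echo --override-os "{os_field}"'
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def run_hardened(manifest_json: str) -> str:
    """Passes the raw value as a single argv element with no shell involved.

    Nothing parses metacharacters, so the payload reaches the child process
    as the literal text '$(echo INJECTED)' and has no effect.
    """
    os_field = json.loads(manifest_json)["os"]
    out = subprocess.run(["echo", "--override-os", os_field],
                         capture_output=True, text=True)
    return out.stdout.strip()


# Defence in depth: an allowlist for what an OS name may look like, applied
# before the value is used anywhere. Pattern chosen for this example.
OS_RE = re.compile(r"[a-z0-9]+")


def is_valid_os(value: str) -> bool:
    """True only for plain lowercase alphanumeric OS identifiers."""
    return OS_RE.fullmatch(value) is not None


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable(CRAFTED_MANIFEST))
    print("hardened:  ", run_hardened(CRAFTED_MANIFEST))
    print("allowlist accepts crafted value:", is_valid_os("$(echo INJECTED)"))
```

Run on Linux or macOS, the vulnerable path prints `--override-os INJECTED` (the substitution ran), the hardened path prints the payload verbatim, and the allowlist rejects it outright. The same two fixes, argv lists instead of shell strings and an allowlist on the value, close the WhiteSource `echo '; touch ...;=1.0'` style injection as well, since that payload also depends on a shell seeing the quoting.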

The same author also studied how well Docker container security scanners detect unpatched vulnerabilities and how many false positives they produce (part 1, part 2, part 3). That work reports results for 73 images containing known vulnerabilities, together with an assessment of how accurately the scanners detect typical applications present in an image (nginx, tomcat, haproxy, gunicorn, redis, ruby, node).


Source: opennet.ru
