Vulnerabilities in security scanners for Docker container images

Results have been published from testing tools that detect vulnerabilities and security issues in isolated Docker container images. The analysis showed that 4 of the 6 well-known Docker image scanners had critical vulnerabilities that made it possible to attack the scanner itself and achieve execution of the attacker's code on the system, in some cases (for example, when using Snyk) with root privileges.

To carry out an attack, an attacker only needs to initiate a scan of their Dockerfile or manifest.json containing specially crafted metadata, or place Podfile and gradlew files inside the image. Exploit prototypes were prepared for the WhiteSource, Snyk, Fossa and Anchore systems. The Clair package, originally written with security in mind, showed the strongest protection. No problems were found in the Trivy package either. As a result, it was concluded that Docker container scanners should be run in isolated environments or used only to check one's own images, and that care should be taken when connecting such tools to automated continuous integration systems.

In FOSSA, Snyk and WhiteSource, the vulnerability was related to calling an external package manager to determine dependencies, and it allowed execution of arbitrary code by specifying touch and system commands in the gradlew and Podfile files.

Snyk and WhiteSource also had vulnerabilities related to the way system commands were launched when parsing the Dockerfile (for example, in Snyk it was possible through the Dockerfile to replace the /bin/ls utility called by the scanner, and in WhiteSource it was possible to substitute code through constructs of the form "echo '; touch /tmp/hacked_whitesource_pip;=1.0 '").

The Anchore vulnerability was caused by the use of the skopeo utility for working with docker images. The attack boiled down to adding parameters such as '"os": "$(touch hacked_anchore)"' to the manifest.json file, which were substituted into the skopeo call without proper escaping (only the characters ";&<>" were stripped, but not the "$( )" construct).
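As an added illustration (not code from the article or from Anchore), the contrast between the character blacklist described above and the defensive alternative: an allowlist for the manifest field and an argv list that no shell ever parses. The sample manifest, the allowed OS names and the skopeo argument layout are assumptions made for this example.

```python
from __future__ import annotations
import json
import re

# Constructed sample manifest modelled on the attack the article describes;
# not a real Anchore artefact. The "os" field carries a shell substitution.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "os": "$(touch hacked_anchore)",
    "architecture": "amd64",
})

def legacy_strip(value: str) -> str:
    """Blacklist filter of the kind the article describes: removes ";&<>"
    but leaves "$( )" intact, so a shell that later expands the string
    still runs the substitution."""
    return "".join(ch for ch in value if ch not in ";&<>")

# Hardened handling: a positive allowlist instead of a blacklist.
# The set of names is an assumption for this example.
ALLOWED_OS = {"linux", "windows", "darwin", "freebsd"}
TOKEN_RE = re.compile(r"^[a-z0-9]+$")

def validated_os(manifest_json: str) -> str:
    """Return the manifest's os value only if it is a plain token from
    the allowlist; anything else is rejected before reaching a command."""
    os_value = json.loads(manifest_json).get("os", "")
    if not TOKEN_RE.fullmatch(os_value) or os_value not in ALLOWED_OS:
        raise ValueError(f"rejected manifest os value: {os_value!r}")
    return os_value

def build_skopeo_argv(os_value: str, image: str) -> list[str]:
    """argv list for subprocess.run(argv, shell=False): no shell parses it,
    so even a value that slipped past validation stays a literal argument."""
    return ["skopeo", "--override-os", os_value, "inspect", image]

def demo() -> dict:
    """Show the blacklist leaving the substitution in place and the
    allowlist rejecting the same manifest."""
    raw = json.loads(SAMPLE_MANIFEST)["os"]
    filtered = legacy_strip(raw)
    try:
        validated_os(SAMPLE_MANIFEST)
        rejected = False
    except ValueError:
        rejected = True
    return {"filtered_still_has_subst": "$(" in filtered,
            "hardened_rejects": rejected}
```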

The same author conducted a study of how effectively Docker container security scanners detect unpatched vulnerabilities and of their false-positive rate (part 1, part 2, part 3). Below are the results of testing 73 images with known vulnerabilities, as well as an assessment of how well the scanners detect the presence of typical applications in images (nginx, tomcat, haproxy, gunicorn, redis, ruby, node).


Source: opennet.ru
