Results of testing tools that detect unpatched vulnerabilities and identify security issues in isolated Docker container images. The testing showed that 4 of the 6 well-known Docker image scanners had critical vulnerabilities that let an attacker attack the scanner itself and achieve execution of their own code on the scanning system, in some cases (for example, when using Snyk) with root privileges.
To carry out the attack, an attacker only needs to initiate a scan of their own Dockerfile or manifest.json containing specially crafted metadata, or to place Podfile and gradlew files inside the image. Exploit prototypes were prepared for the four affected systems (FOSSA, Snyk, WhiteSource and Anchore, described below). The strongest showing came from a package that was written from the outset with security in mind; no problems were found in one other package either. The conclusion is that Docker container scanners should be run in isolated environments or used only to check one's own images, and that care should be taken when connecting such tools to automated continuous integration systems.
In FOSSA, Snyk and WhiteSource, the vulnerability was tied to invoking an external package manager to determine dependencies, which allowed execution of arbitrary code by specifying system commands in the Podfile and gradlew files.
Snyk and WhiteSource also had vulnerabilities related to how system commands are launched when a Dockerfile is parsed (for example, in Snyk it was possible via the Dockerfile to substitute the /bin/ls utility invoked by the scanner, and in WhiteSource code could be injected through arguments of the form "echo '; touch /tmp/hacked_whitesource_pip;=1.0'").
In Anchore, the vulnerability was caused by the use of the skopeo utility to work with Docker images. The attack came down to adding a parameter of the form '"os": "$(touch hacked_anchore)"' to the manifest.json file, which was substituted into the skopeo invocation without proper escaping (only the characters ";&<>" were stripped, while the "$()" construct was allowed).
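As an added illustration (not code from Anchore, skopeo or the researcher), the contrast the Anchore case describes, in Python: a blacklist that strips only `;&<>` leaves `$()` intact in a shell command string, whereas an allowlist on the `os` field plus an argv list that never reaches a shell removes the injection point. The command shape (which skopeo flag the scanner filled in) and the image reference are assumptions; the manifest values are constructed from the write-up.

```python
import re
import shlex
from typing import Dict, List

# Constructed manifest.json-style metadata modelled on the case described above:
# the "os" value carries a command substitution that a ";&<>" blacklist misses.
CRAFTED_MANIFEST: Dict[str, str] = {"os": "$(touch hacked_anchore)", "architecture": "amd64"}
BENIGN_MANIFEST: Dict[str, str] = {"os": "linux", "architecture": "amd64"}

# An image-config "os" field is a short lowercase token (linux, windows, ...),
# so an allowlist is easy to state and leaves no room for shell syntax.
OS_ALLOWLIST = re.compile(r"[a-z0-9]{1,16}")

# Assumed image reference used only to give the command a realistic shape.
IMAGE_REF = "docker://example.invalid/app:1.0"


def strip_blacklist(value: str) -> str:
    """The weak sanitiser from the write-up: only ';', '&', '<', '>' are removed."""
    return re.sub(r"[;&<>]", "", value)


def build_unsafe_command(manifest: Dict[str, str]) -> str:
    """Vulnerable pattern: manifest fields pasted into one shell command string.
    --override-os is a real skopeo global flag; that the scanner used it is assumed."""
    os_value = strip_blacklist(manifest["os"])
    return f"skopeo --override-os {os_value} inspect {IMAGE_REF}"


def injection_survives_blacklist(manifest: Dict[str, str]) -> bool:
    """True when the 'sanitised' shell string still contains a $() substitution."""
    return "$(" in build_unsafe_command(manifest)


def is_os_value_safe(value: str) -> bool:
    """Allowlist check: accept only what an OS field can legitimately contain."""
    return OS_ALLOWLIST.fullmatch(value) is not None


def build_safe_argv(manifest: Dict[str, str]) -> List[str]:
    """Hardened pattern: validate the field, then return an argv list so that the
    caller runs subprocess.run(argv, shell=False) and no shell ever parses it."""
    os_value = manifest["os"]
    if not is_os_value_safe(os_value):
        raise ValueError(f"manifest os value rejected: {os_value!r}")
    return ["skopeo", "--override-os", os_value, "inspect", IMAGE_REF]


def quote_if_shell_unavoidable(value: str) -> str:
    """Fallback when a shell string cannot be avoided: shlex.quote single-quotes
    the value, so $(...) is passed literally instead of being evaluated."""
    return shlex.quote(value)
```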
The same author also carried out a three-part study of how effective Docker container security scanners are at detecting unpatched vulnerabilities, and of their false-positive rates. Below are the results of testing 73 images with known vulnerabilities, along with an assessment of how well the scanners detect the presence of common applications in images (nginx, tomcat, haproxy, gunicorn, redis, ruby, node).
Source: opennet.ru
