Vulnerabilities in security scanners for Docker container images

The results of testing tools that identify unpatched vulnerabilities and security problems in isolated Docker container images have been published. The audit showed that 4 of the 6 well-known Docker image scanners contained critical vulnerabilities that made it possible to attack the scanner itself and achieve execution of the attacker's code on the system, in some cases (for example, when using Snyk) with root privileges.

To carry out the attack, an attacker only needs to initiate a scan of their own Dockerfile or manifest.json containing specially crafted metadata, or to place Podfile and gradlew files inside the image. Exploit prototypes were prepared for WhiteSource, Snyk, Fossa and Anchore. The best protection was shown by Clair, which was written with security in mind from the start. No problems were found in Trivy either. As a result, the conclusion was drawn that Docker container scanners should be run in isolated environments or used only to check one's own images, and that care should be taken when connecting such tools to continuous integration systems.

In FOSSA, Snyk and WhiteSource, the vulnerability was related to calling an external package manager to determine dependencies, which allowed execution of the attacker's code by specifying touch and system commands in the gradlew and Podfile files.

Snyk and WhiteSource also had vulnerabilities related to the way system commands were launched when processing the Dockerfile (for example, in Snyk, via the Dockerfile, it was possible to substitute the /bin/ls utility called by the scanner, and in WhiteSource, code could be injected through arguments of the form "echo ';touch /tmp/hacked_whitesource_pip;=1.0 '").

The vulnerability in Anchore was caused by the use of the skopeo tool for working with docker images. The attack came down to adding parameters such as '"os": "$(touch hacked_anchore)"' to the manifest.json file, which were substituted into the skopeo invocation without proper escaping (only the characters ";&<>" were stripped, but not the "$( )" construct).
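The escaping problem described above, as an added illustration that is not code from Anchore or from the original article: the weak character blacklist is reproduced beside two hardened forms (an allowlist on the manifest field and building the command as an argv list). The sample manifests, the `--override-os`/`--override-arch` flags and the `docker://` reference are constructed assumptions for the example and do not describe how Anchore actually invoked skopeo.

```python
import re
import shlex

# Constructed sample manifest.json fields; the second "os" value is the one
# quoted in the article, which a blacklist filter fails to neutralise.
SAMPLE_MANIFESTS = [
    {"os": "linux", "architecture": "amd64"},
    {"os": "$(touch hacked_anchore)", "architecture": "amd64"},
]

def weak_strip(value: str) -> str:
    """Blacklist filter as described on the page: only ';&<>' are removed,
    so the '$( )' construct survives untouched."""
    return "".join(ch for ch in value if ch not in ";&<>")

# Hardened form 1: allowlist. OCI "os"/"architecture" values are plain
# lowercase identifiers, so anything else is rejected before any use.
_IDENT = re.compile(r"[a-z0-9][a-z0-9._-]{0,31}")

def validate_field(value: str) -> str:
    if not _IDENT.fullmatch(value):
        raise ValueError(f"rejected manifest field value: {value!r}")
    return value

def shell_safe(value: str) -> bool:
    """True only if the value contains nothing a POSIX shell would interpret
    (shlex.quote leaves such strings unchanged)."""
    return shlex.quote(value) == value

# Hardened form 2: build the external command as an argv list so that no shell
# ever parses the manifest values. Flags here are illustrative assumptions.
def build_skopeo_argv(manifest: dict, image_ref: str) -> list:
    os_name = validate_field(manifest["os"])
    arch = validate_field(manifest["architecture"])
    return ["skopeo", "inspect", "--override-os", os_name,
            "--override-arch", arch, image_ref]

def audit(manifests) -> list:
    """Show, per manifest, whether the weak filter leaves shell syntax behind
    and whether the allowlist would have accepted the value."""
    results = []
    for m in manifests:
        stripped = weak_strip(m["os"])
        results.append({
            "raw": m["os"],
            "after_weak_strip": stripped,
            "weak_filter_leaves_shell_syntax": not shell_safe(stripped),
            "allowlist_accepts": _IDENT.fullmatch(m["os"]) is not None,
        })
    return results
```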

The same author previously conducted a study of how effectively Docker container security scanners identify unpatched vulnerabilities and of their false-positive rate (part 1, part 2, part 3). Below are the results of checking 73 images with known vulnerabilities, as well as an assessment of how effectively the scanners detect the presence of typical applications in images (nginx, tomcat, haproxy, gunicorn, redis, ruby, node).

Source: opennet.ru