Results have been published from testing tools that identify unpatched vulnerabilities and security problems in isolated Docker container images. The testing showed that 4 of the 6 Docker image scanners examined contained critical vulnerabilities that made it possible to attack the scanner itself directly and execute attacker-supplied code on the system running it, in some cases (for example, with Snyk) with root privileges.
To carry out the attack, an attacker only needs to get the scanner to process a Dockerfile or manifest.json containing specially crafted metadata, or to place Podfile or gradlew files inside the image. Working exploit prototypes were prepared for the four affected scanners (FOSSA, Snyk, WhiteSource and Anchore). Of the two remaining scanners, one package, originally written with security in mind, showed the best security, and no problems were found in the other either. The conclusion is that Docker container scanners should be run in isolated environments or used only to check images you built yourself, and that care should be taken when connecting such tools to automated continuous integration systems.
In FOSSA, Snyk and WhiteSource the vulnerability stems from calling an external package manager to determine dependencies, which allows an attacker to have their own code executed by specifying `touch` and `system` commands in the gradlew and Podfile files placed inside the image.
Snyk and WhiteSource also had a vulnerability related to the launching of system commands while processing the Dockerfile (for example, in Snyk the Dockerfile could be used to replace the /bin/ls utility invoked by the scanner, and in WhiteSource code could be injected through arguments of the form "echo ';touch /tmp/hacked_whitesource_pip;=1.0'").
The vulnerability in Anchore is caused by its use of the skopeo utility to work with Docker images. The attack came down to adding a parameter such as '"os": "$(touch hacked_anchore)"' to the manifest.json file; the value was substituted into the skopeo invocation without proper escaping (only the characters ";&<>" were stripped, while the "$( )" construct was left intact).
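As an added illustration of the escaping problem described for Anchore (and of the shell-invocation pattern behind the FOSSA, Snyk and WhiteSource bugs), not code from the research or from any of the scanners: the Python below builds the external-tool command line three ways from a constructed manifest.json. The skopeo flags, the image reference and the manifest fields are assumptions chosen for illustration; the real Anchore invocation is not shown on the page.

```python
import re
import shlex

# Constructed sample manifest.json contents (not taken from the research):
# the malicious one carries a shell command substitution in the "os" field,
# mirroring the '"os": "$(touch hacked_anchore)"' payload described above.
MALICIOUS_MANIFEST = {"schemaVersion": 2, "os": "$(touch hacked_anchore)", "architecture": "amd64"}
BENIGN_MANIFEST = {"schemaVersion": 2, "os": "linux", "architecture": "amd64"}

IMAGE_REF = "docker://example.invalid/app:1.0"  # placeholder image reference (assumption)


def blacklist_filter(value: str) -> str:
    """Deny-list filter of the kind the text describes: strips only ; & < >.
    It does not touch '$(' or backticks, so command substitution survives."""
    return re.sub(r"[;&<>]", "", value)


def vulnerable_shell_command(manifest: dict) -> str:
    """The risky pattern: one string destined for subprocess.run(..., shell=True).
    Returned, never executed, so the payload can be inspected safely."""
    os_value = blacklist_filter(manifest["os"])
    return f"skopeo inspect --override-os {os_value} {IMAGE_REF}"


def quoted_shell_command(manifest: dict) -> str:
    """Minimum fix if a shell string is unavoidable: quote every untrusted field.
    shlex.quote wraps the value in single quotes, inside which $( ) is literal."""
    return f"skopeo inspect --override-os {shlex.quote(manifest['os'])} {IMAGE_REF}"


# Preferred fix: validate against an allow-list and pass an argv list (no shell).
ALLOWED_OS = frozenset({"linux", "windows"})
ALLOWED_ARCH = frozenset({"386", "amd64", "arm", "arm64", "ppc64le", "s390x"})


def safe_argv(manifest: dict) -> list:
    """Reject anything outside the expected vocabulary before it reaches a tool."""
    os_value = manifest.get("os")
    arch = manifest.get("architecture")
    if os_value not in ALLOWED_OS:
        raise ValueError(f"rejecting manifest: unexpected os {os_value!r}")
    if arch not in ALLOWED_ARCH:
        raise ValueError(f"rejecting manifest: unexpected architecture {arch!r}")
    # Each element reaches skopeo as one argument; there is no shell to interpret it.
    return ["skopeo", "inspect", "--override-os", os_value, "--override-arch", arch, IMAGE_REF]


if __name__ == "__main__":
    print("vulnerable:", vulnerable_shell_command(MALICIOUS_MANIFEST))
    print("quoted:    ", quoted_shell_command(MALICIOUS_MANIFEST))
    print("argv:      ", safe_argv(BENIGN_MANIFEST))
    try:
        safe_argv(MALICIOUS_MANIFEST)
    except ValueError as exc:
        print("rejected:  ", exc)
```

The deny-list version passes `$(touch hacked_anchore)` through untouched, which is exactly the gap the text describes; quoting makes the substitution inert, and the allow-list plus argv list removes the shell from the picture entirely. The same rule covers the gradlew and Podfile case: anything taken from the image under inspection is untrusted input, so a scanner should parse it rather than execute it, or execute it only inside a throwaway sandbox.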
The same author earlier studied how effectively Docker container security scanners detect unpatched vulnerabilities and how many false positives they produce. Those published results cover the scanning of 73 images containing known vulnerabilities, and also assess how well the scanners determine the presence of common applications in images (nginx, tomcat, haproxy, gunicorn, redis, ruby, node).
Source: opennet.ru
