Overview
Containers have dominated the IT market for several years now, and as the landscape shifted many projects adopted container images for their builds and deployments.
Docker in particular is the best-known container platform, and Docker Hub, its large and varied image registry, is what introduced many users to Docker in the first place.
These days its name recognition is arguably on a par with Java's.
For all the power of Docker containers, they come with one serious problem:
it is hard to tell who built a container image and how. A Dockerfile and the Docker Hub manifest help, but they still do not tell you which files actually ended up inside the image.
That is why the vulnerabilities in a Docker image need to be analyzed and remediated.
This post looks at Anchore, a vulnerability analysis tool for Docker images.
Main
Anchore features
The open-source version of Anchore is available at:
https://anchore.com/opensource/
Anchore can be run on-premises as well as on public-cloud platforms.
1) Image analysis
Performs a deep inspection of the container image and catalogs every OS package, file and software artifact (Ruby gems, JARs, Node modules) it contains.
2) Policy management
Defines and enforces policies based on security best practices so that risky builds do not complete and problematic images are not deployed.
3) Continuous monitoring
Keeps re-evaluating policies so that new problems are caught when an image is updated, a CVE is added or removed, or a new best practice is adopted.
4) CI/CD integration
Integrates Anchore Engine into the CI/CD pipeline so that an image build succeeds only when the image meets your own security and compliance requirements.
5) Customization
Policies can be defined flexibly to check packages inside the image, whitelists, blacklists, configuration files, security settings, manifests, exposed ports and more.
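A custom policy bundle of the kind the policy-management and customization features describe, as an added example (not code from the original post or from the Anchore project): it builds the JSON that anchore-cli policy add expects, with a STOP rule for vulnerabilities at or above High regardless of fix availability, a WARN for fixable Medium findings, STOP rules for stale or missing feed data, and Dockerfile rules that require a USER instruction and blacklist exposed ports 22 and 23. The gate, trigger and parameter names follow the Anchore Engine 0.6 policy schema as I know it; the bundle, policy, mapping and rule IDs are made up here, and anchore-cli policy add validates the bundle and rejects anything it does not recognize.

```python
"""Build a custom Anchore Engine policy bundle for a CI gate.

Added example, not code from the original post or from the Anchore project.
Gate, trigger and parameter names follow the Anchore Engine 0.6 policy
schema as I know it; the IDs are invented. `anchore-cli policy add` validates
the bundle and rejects unknown gates or parameters, so run it through that.
"""
import json


def make_rule(gate, trigger, action, **params):
    """One policy rule; the engine takes every parameter value as a string."""
    assert action in ("GO", "WARN", "STOP")
    return {
        "gate": gate,
        "trigger": trigger,
        "action": action,
        "params": [{"name": k, "value": str(v)} for k, v in params.items()],
    }


def build_policy_bundle(bundle_id="ci-block-high", block_severity="high",
                        max_feed_age_days=2, blocked_ports="22,23"):
    """Return the bundle as a dict ready for json.dump()."""
    rules = [
        # STOP at or above block_severity whether or not a fix is known: the
        # nvdv2 matches in the tables of this post all report fix None, so a
        # rule conditioned on fix_available=true would let them through.
        make_rule("vulnerabilities", "package", "STOP",
                  package_type="all", severity_comparison=">=",
                  severity=block_severity),
        # Fixable Medium findings are cheap to remove, so at least warn.
        make_rule("vulnerabilities", "package", "WARN",
                  package_type="all", severity_comparison="=",
                  severity="medium", fix_available="true"),
        # A scan against stale or missing feed data is not a clean scan.
        make_rule("vulnerabilities", "stale_feed_data", "STOP",
                  max_days_since_sync=max_feed_age_days),
        make_rule("vulnerabilities", "vulnerability_data_unavailable", "STOP"),
        # Dockerfile hygiene: a USER instruction must exist, and the image
        # must not expose the blacklisted ports.
        make_rule("dockerfile", "instruction", "STOP",
                  instruction="USER", check="not_exists"),
        make_rule("dockerfile", "exposed_ports", "STOP",
                  ports=blocked_ports, type="blacklist"),
    ]
    for i, rule in enumerate(rules, 1):
        rule["id"] = "rule-%d" % i
    policy_id = "policy-" + bundle_id
    policy = {"id": policy_id, "name": "ci-gate", "version": "1_0", "rules": rules}
    # One mapping that sends every registry/repository/tag to the policy above.
    mapping = {
        "id": "mapping-" + bundle_id,
        "name": "all-images",
        "registry": "*",
        "repository": "*",
        "image": {"type": "tag", "value": "*"},
        "policy_id": policy_id,
        "whitelist_ids": [],
    }
    return {
        "id": bundle_id,
        "name": bundle_id,
        "version": "1_0",
        "comment": "CI gate: STOP >= %s, WARN fixable medium, require USER" % block_severity,
        "policies": [policy],
        "whitelists": [],
        "mappings": [mapping],
        "whitelisted_images": [],
        "blacklisted_images": [],
    }


def write_bundle(path, **kwargs):
    """Write the bundle to `path` and return it."""
    bundle = build_policy_bundle(**kwargs)
    with open(path, "w") as fh:
        json.dump(bundle, fh, indent=2)
    return bundle


if __name__ == "__main__":
    bundle = write_bundle("ci-policy.json")
    print("wrote ci-policy.json (%d rules)" % len(bundle["policies"][0]["rules"]))
```

Load and activate it with anchore-cli policy add ci-policy.json followed by anchore-cli policy activate ci-block-high; anchore-cli evaluate check <image> --detail then lists which rule fired. Both images in this post were analyzed with Dockerfile Mode: Guessed, so the USER rule would be judged against a reconstructed Dockerfile; pass the real one at add time with anchore-cli image add --dockerfile ./Dockerfile <image>.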
Installing Anchore
Anchore consists of two modules, the Engine and the CLI tool.
1) Anchore Engine: the engine that performs the vulnerability checks
- Strictly speaking the engine is not installed at all: Anchore ships as Docker images and you simply start them.
The full procedure is on the Anchore site; the short version follows.
This post uses the anchore/anchore-engine image; the quickstart compose file below pins v0.6.1, which is the version anchore-cli system status reports later on.
a) Download docker-compose.yaml
First download the Compose file that starts the engine.
curl https://docs.anchore.com/current/docs/quickstart/docker-compose.yaml > docker-compose.yaml
Note that this quickstart file is meant for a lab: the PostgreSQL password (mysecretpassword) is hardcoded in every service, the API is published on every interface (0.0.0.0:8228), and the engine starts with its default admin credentials. Change all three before running it on a shared CI host.
<docker-compose.yaml>
---
version: '2.1'
volumes:
  anchore-db-volume:
    # Set this to 'true' to use an external volume. In which case, it must be created manually with "docker volume create anchore-db-volume"
    external: false
  anchore-scratch: {}

services:
  # The primary API endpoint service
  engine-api:
    image: anchore/anchore-engine:v0.6.1
    depends_on:
      - anchore-db
      - engine-catalog
    #volumes:
    #  - ./config-engine.yaml:/config/config.yaml:z
    ports:
      - "8228:8228"
    logging:
      driver: "json-file"
      options:
        max-size: 100m
    environment:
      - ANCHORE_ENDPOINT_HOSTNAME=engine-api
      - ANCHORE_DB_HOST=anchore-db
      - ANCHORE_DB_PASSWORD=mysecretpassword
      - ANCHORE_LOG_LEVEL=INFO
    command: ["anchore-manager", "service", "start", "apiext"]

  # Catalog is the primary persistence and state manager of the system
  engine-catalog:
    image: anchore/anchore-engine:v0.6.1
    depends_on:
      - anchore-db
    #volumes:
    #  - ./config-engine.yaml:/config/config.yaml:z
    logging:
      driver: "json-file"
      options:
        max-size: 100m
    expose:
      - 8228
    environment:
      - ANCHORE_ENDPOINT_HOSTNAME=engine-catalog
      - ANCHORE_DB_HOST=anchore-db
      - ANCHORE_DB_PASSWORD=mysecretpassword
      - ANCHORE_LOG_LEVEL=INFO
    command: ["anchore-manager", "service", "start", "catalog"]

  engine-simpleq:
    image: anchore/anchore-engine:v0.6.1
    depends_on:
      - anchore-db
      - engine-catalog
    #volumes:
    #  - ./config-engine.yaml:/config/config.yaml:z
    expose:
      - 8228
    logging:
      driver: "json-file"
      options:
        max-size: 100m
    environment:
      - ANCHORE_ENDPOINT_HOSTNAME=engine-simpleq
      - ANCHORE_DB_HOST=anchore-db
      - ANCHORE_DB_PASSWORD=mysecretpassword
      - ANCHORE_LOG_LEVEL=INFO
    command: ["anchore-manager", "service", "start", "simplequeue"]

  engine-policy-engine:
    image: anchore/anchore-engine:v0.6.1
    depends_on:
      - anchore-db
      - engine-catalog
    #volumes:
    #  - ./config-engine.yaml:/config/config.yaml:z
    expose:
      - 8228
    logging:
      driver: "json-file"
      options:
        max-size: 100m
    environment:
      - ANCHORE_ENDPOINT_HOSTNAME=engine-policy-engine
      - ANCHORE_DB_HOST=anchore-db
      - ANCHORE_DB_PASSWORD=mysecretpassword
      - ANCHORE_LOG_LEVEL=INFO
    command: ["anchore-manager", "service", "start", "policy_engine"]

  engine-analyzer:
    image: anchore/anchore-engine:v0.6.1
    depends_on:
      - anchore-db
      - engine-catalog
    #volumes:
    #  - ./config-engine.yaml:/config/config.yaml:z
    expose:
      - 8228
    logging:
      driver: "json-file"
      options:
        max-size: 100m
    environment:
      - ANCHORE_ENDPOINT_HOSTNAME=engine-analyzer
      - ANCHORE_DB_HOST=anchore-db
      - ANCHORE_DB_PASSWORD=mysecretpassword
      - ANCHORE_LOG_LEVEL=INFO
    volumes:
      - anchore-scratch:/analysis_scratch
    command: ["anchore-manager", "service", "start", "analyzer"]

  anchore-db:
    image: "anchore/engine-db-preload:latest"
    volumes:
      - anchore-db-volume:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=mysecretpassword
    expose:
      - 5432
    logging:
      driver: "json-file"
      options:
        max-size: 100m

  # Uncomment this section to add a prometheus instance to gather metrics. This is mostly for quickstart to demonstrate prometheus metrics exported
  # anchore-prometheus:
  #   image: docker.io/prom/prometheus:latest
  #   depends_on:
  #     - engine-api
  #   volumes:
  #     - ./anchore-prometheus.yml:/etc/prometheus/prometheus.yml:z
  #   logging:
  #     driver: "json-file"
  #     options:
  #       max-size: 100m
  #   ports:
  #     - "9090:9090"

  # Uncomment this section to run a swagger UI service, for inspecting and interacting with the anchore engine API via a browser (http://localhost:8080 by default, change if needed in both sections below)
  # anchore-swagger-ui-nginx:
  #   image: docker.io/nginx:latest
  #   depends_on:
  #     - engine-api
  #     - anchore-swagger-ui
  #   ports:
  #     - "8080:8080"
  #   volumes:
  #     - ./anchore-swaggerui-nginx.conf:/etc/nginx/nginx.conf:z
  #   logging:
  #     driver: "json-file"
  #     options:
  #       max-size: 100m
  # anchore-swagger-ui:
  #   image: docker.io/swaggerapi/swagger-ui
  #   environment:
  #     - URL=http://localhost:8080/v1/swagger.json
  #   logging:
  #     driver: "json-file"
  #     options:
  #       max-size: 100m
b) docker login
Log in to Docker Hub so the images can be pulled (not strictly required for public images, but the pulls then count against your own account).
[root@ciserver anchoredir]# docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username (nara0617): nara0617
Password:
Login Succeeded
[root@ciserver anchoredir]#
c) docker-compose pull
Pull the images that make up Anchore Engine with docker-compose.
[root@ciserver anchoredir]# docker-compose pull
Pulling anchore-db ... done
Pulling engine-catalog ... done
Pulling engine-analyzer ... done
Pulling engine-policy-engine ... done
Pulling engine-simpleq ... done
Pulling engine-api ... done
[root@ciserver anchoredir]#
d) docker-compose up -d
Start Anchore Engine in the background with docker-compose.
[root@ciserver anchoredir]# docker-compose up -d
Creating network "anchoredir_default" with the default driver
Creating anchoredir_anchore-db_1 ... done
Creating anchoredir_engine-catalog_1 ... done
Creating anchoredir_engine-api_1 ... done
Creating anchoredir_engine-simpleq_1 ... done
Creating anchoredir_engine-analyzer_1 ... done
Creating anchoredir_engine-policy-engine_1 ... done
[root@ciserver anchoredir]#
e) docker-compose ps
Check that Anchore is running: the database should be Up and all five engine services Up (healthy).
[root@ciserver anchoredir]# docker-compose ps
Name Command State Ports
----------------------------------------------------------------------------------------------------------
anchoredir_anchore-db_1 docker-entrypoint.sh postgres Up 5432/tcp
anchoredir_engine-analyzer_1 /docker-entrypoint.sh anch ... Up (healthy) 8228/tcp
anchoredir_engine-api_1 /docker-entrypoint.sh anch ... Up (healthy) 0.0.0.0:8228->8228/tcp
anchoredir_engine-catalog_1 /docker-entrypoint.sh anch ... Up (healthy) 8228/tcp
anchoredir_engine-policy-engine_1 /docker-entrypoint.sh anch ... Up (healthy) 8228/tcp
anchoredir_engine-simpleq_1 /docker-entrypoint.sh anch ... Up (healthy) 8228/tcp
[root@ciserver anchoredir]#
2) Anchore CLI: the command-line tool that sends commands to the engine
a) yum install -y epel-release
b) yum install -y python-pip
c) pip install --user --upgrade anchorecli
d) Put anchore-cli on the PATH
The CLI installs easily with pip. python -m site --user-base prints the per-user package prefix, and the anchore-cli binary lands in its bin directory.
[root@ciserver ~]# python -m site --user-base
/root/.local
[root@ciserver ~]# cd /root/.local/bin
[root@ciserver bin]# ls
anchore-cli chardetect
[root@ciserver bin]#
Add that bin directory to PATH in your profile before using anchore-cli. With no further configuration the CLI talks to http://localhost:8228/v1 with the quickstart's default admin credentials, which is why the commands below work without --url, --u and --p; when the engine runs elsewhere, pass those flags or set ANCHORE_CLI_URL, ANCHORE_CLI_USER and ANCHORE_CLI_PASS.
Checking vulnerabilities with Anchore
1) anchore-cli system status
Check that every engine service is up.
[root@ciserver bin]# anchore-cli system status
Service analyzer (anchore-quickstart, http://engine-analyzer:8228): up
Service simplequeue (anchore-quickstart, http://engine-simpleq:8228): up
Service policy_engine (anchore-quickstart, http://engine-policy-engine:8228): up
Service apiext (anchore-quickstart, http://engine-api:8228): up
Service catalog (anchore-quickstart, http://engine-catalog:8228): up
Engine DB Version: 0.0.12
Engine Code Version: 0.6.1
[root@ciserver bin]#
2) anchore-cli --debug image list
Check the analysis status of the images. --debug also prints the REST calls the CLI makes against the engine API (here http://localhost:8228/v1).
[root@ciserver bin]# anchore-cli --debug image list
DEBUG:anchorecli.clients.apiexternal:As Account = None
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:8228
DEBUG:urllib3.connectionpool:http://localhost:8228 "GET /v1 HTTP/1.1" 200 5
INFO:anchorecli.clients.apiexternal:Base = http://localhost:8228/v1
INFO:anchorecli.clients.apiexternal:Url = http://localhost:8228/v1/images
DEBUG:anchorecli.clients.apiexternal:As Account = None
DEBUG:anchorecli.clients.apiexternal:GET url=http://localhost:8228/v1/images
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:8228
DEBUG:urllib3.connectionpool:http://localhost:8228 "GET /v1/images HTTP/1.1" 200 5452
DEBUG:anchorecli.cli.utils:fetched httpcode from response: 200
Full Tag Image Digest Analysis Status
docker.io/library/debian:7 sha256:81e88820a7759038ffa61cff59dfcc12d3772c3a2e75b7cfe963c952da2ad264 analyzed
docker.io/nara0617/tomcat:tomcat8jdk8 sha256:6a788c1f53affee24683006dd621359c2a7e7bdb7c120657840795ccd6b06dd1 analyzed
[root@ciserver bin]#
This lists every image analyzed so far.
3) anchore-cli system feeds list
List the vulnerability feeds to confirm that the distributions and package ecosystems you care about are supported and synced. Check LastSync before trusting a result: a scan against stale or missing feed data simply reports fewer vulnerabilities.
[root@ciserver bin]# anchore-cli system feeds list
Feed Group LastSync RecordCount
github github:composer 2020-05-29T09:16:45.667941 94
github github:gem 2020-05-29T09:16:45.247752 346
github github:java 2020-05-29T09:16:46.043835 469
github github:npm 2020-05-29T09:16:46.413560 684
github github:nuget 2020-05-29T09:16:46.845269 52
github github:python 2020-05-29T09:16:47.229427 267
nvdv2 nvdv2:cves 2020-05-29T09:11:36.067076 144415
vulnerabilities alpine:3.10 2020-05-29T09:11:28.471974 1725
vulnerabilities alpine:3.11 2020-05-29T09:11:33.005760 1904
vulnerabilities alpine:3.3 2020-05-29T09:11:26.348034 457
vulnerabilities alpine:3.4 2020-05-29T09:11:27.652503 681
vulnerabilities alpine:3.5 2020-05-29T09:11:25.919652 875
vulnerabilities alpine:3.6 2020-05-29T09:11:21.816577 1051
vulnerabilities alpine:3.7 2020-05-29T09:11:25.511945 1395
vulnerabilities alpine:3.8 2020-05-29T09:11:17.207841 1486
vulnerabilities alpine:3.9 2020-05-29T09:11:18.588787 1558
vulnerabilities amzn:2 2020-05-29T09:11:31.792406 351
vulnerabilities centos:5 2020-05-29T09:11:24.302577 1347
vulnerabilities centos:6 2020-05-29T09:11:30.442972 1407
vulnerabilities centos:7 2020-05-29T09:11:33.818200 1072
vulnerabilities centos:8 2020-05-29T09:11:28.812623 283
vulnerabilities debian:10 2020-05-29T09:11:21.023918 22827
vulnerabilities debian:11 2020-05-29T09:11:16.432998 19969
vulnerabilities debian:7 2020-05-29T09:11:17.633413 20455
vulnerabilities debian:8 2020-05-29T09:11:26.699205 23835
vulnerabilities debian:9 2020-05-29T09:11:32.188176 22909
vulnerabilities debian:unstable 2020-05-29T09:11:19.602533 24209
vulnerabilities ol:5 2020-05-29T09:11:33.428728 1246
vulnerabilities ol:6 2020-05-29T09:11:18.177987 1518
vulnerabilities ol:7 2020-05-29T09:11:30.834957 1195
vulnerabilities ol:8 2020-05-29T09:11:12.251008 185
vulnerabilities rhel:5 2020-05-29T09:11:31.319580 7237
vulnerabilities rhel:6 2020-05-29T09:11:11.268421 6859
vulnerabilities rhel:7 2020-05-29T09:11:20.496573 5894
vulnerabilities rhel:8 2020-05-29T09:11:14.691825 1481
vulnerabilities ubuntu:12.04 2020-05-29T09:11:34.930159 14948
vulnerabilities ubuntu:12.10 2020-05-29T09:11:34.432379 5652
vulnerabilities ubuntu:13.04 2020-05-29T09:11:23.756474 4127
vulnerabilities ubuntu:14.04 2020-05-29T09:11:15.149093 21762
vulnerabilities ubuntu:14.10 2020-05-29T09:11:22.224782 4456
vulnerabilities ubuntu:15.04 2020-05-29T09:11:19.013452 5912
vulnerabilities ubuntu:15.10 2020-05-29T09:11:11.760582 6513
vulnerabilities ubuntu:16.04 2020-05-29T09:11:22.745811 18874
vulnerabilities ubuntu:16.10 2020-05-29T09:11:29.418110 8647
vulnerabilities ubuntu:17.04 2020-05-29T09:11:15.895332 9157
vulnerabilities ubuntu:17.10 2020-05-29T09:11:29.925688 7941
vulnerabilities ubuntu:18.04 2020-05-29T09:11:12.654832 13133
vulnerabilities ubuntu:18.10 2020-05-29T09:11:28.050062 8397
vulnerabilities ubuntu:19.04 2020-05-29T09:11:35.456199 8664
vulnerabilities ubuntu:19.10 2020-05-29T09:11:13.761818 7917
vulnerabilities ubuntu:20.04 2020-05-29T09:11:24.659772 6960
[root@ciserver bin]#
4) Image vulnerability analysis
Check an image from the image repository for vulnerabilities. (debian:7 had already been analyzed when it appeared in image list above, so image add reports analyzed straight away; a freshly added image shows not_analyzed until the analyzer has finished, so in scripts run anchore-cli image wait before querying it.)
[root@ciserver anchoredir]# anchore-cli image add docker.io/library/debian:7
Image Digest: sha256:81e88820a7759038ffa61cff59dfcc12d3772c3a2e75b7cfe963c952da2ad264
Parent Digest: sha256:2259b099d947443e44bbd1c94967c785361af8fd22df48a08a3942e2d5630849
Analysis Status: analyzed
Image Type: docker
Analyzed At: 2020-05-30T09:06:01Z
Image ID: 10fcec6d95c4a29f49fa388ed39cded37e63a1532a081ae2386193942fc12e21
Dockerfile Mode: Guessed
Distro: debian
Distro Version: 7
Size: 100884480
Architecture: amd64
Layer Count: 1
Full Tag: docker.io/library/debian:7
Tag Detected At: 2020-05-30T09:04:46Z
[root@ciserver anchoredir]# anchore-cli image content docker.io/library/debian:7
os: available
files: available
npm: available
gem: available
python: available
java: available
[root@ciserver anchoredir]# anchore-cli image content docker.io/library/debian:7 os
Package Version License
apt 0.9.7.9+deb7u7 GPLv2+
base-files 7.1wheezy11 Unknown
base-passwd 3.5.26 GPL-2 PD
bash 4.2+dfsg-0.1+deb7u4 Unknown
bsdutils 1:2.20.1-5.3 Unknown
coreutils 8.13-3.5 Unknown
dash 0.5.7-3 Unknown
debconf 1.5.49 BSD-2-clause
debconf-i18n 1.5.49 BSD-2-clause
debian-archive-keyring 2014.3~deb7u1 Unknown
debianutils 4.3.2 Unknown
diffutils 1:3.2-6 Unknown
dpkg 1.16.18 Unknown
e2fslibs 1.42.5-1.1+deb7u1 Unknown
e2fsprogs 1.42.5-1.1+deb7u1 Unknown
findutils 4.4.2-4 Unknown
gcc-4.7-base 4.7.2-5 Unknown
gnupg 1.4.12-7+deb7u9 GPL-3+
gpgv 1.4.12-7+deb7u9 GPL-3+
grep 2.12-2 Unknown
gzip 1.5-1.1 Unknown
hostname 3.11 Unknown
initscripts 2.88dsf-41+deb7u1 Unknown
insserv 1.14.0-5 Unknown
iproute 20120521-3+b3 Unknown
iputils-ping 3:20101006-1+b1 Unknown
libacl1 2.2.51-8 Unknown
libapt-pkg4.12 0.9.7.9+deb7u7 GPLv2+
libattr1 1:2.4.46-8 Unknown
libblkid1 2.20.1-5.3 Unknown
libbz2-1.0 1.0.6-4 Unknown
libc-bin 2.13-38+deb7u12 Unknown
libc6 2.13-38+deb7u12 Unknown
libcomerr2 1.42.5-1.1+deb7u1 Unknown
libdb5.1 5.1.29-5+deb7u1 Unknown
libgcc1 1:4.7.2-5 Unknown
liblocale-gettext-perl 1.05-7+b1 Artistic GPL-1+
liblzma5 5.1.1alpha+20120614-2 PD probably-PD GPL-2+ LGPL-2.1+ permissive-fsf Autoconf GPL-2 none permissive-nowarranty config-h noderivs PD-debian
libmount1 2.20.1-5.3 Unknown
libncurses5 5.9-10 Unknown
libpam-modules 1.1.3-7.1 Unknown
libpam-modules-bin 1.1.3-7.1 Unknown
libpam-runtime 1.1.3-7.1 Unknown
libpam0g 1.1.3-7.1 Unknown
libreadline6 6.2+dfsg-0.1 Unknown
libselinux1 2.1.9-5 Unknown
libsemanage-common 2.1.6-6 Unknown
libsemanage1 2.1.6-6 Unknown
libsepol1 2.1.4-3 Unknown
libslang2 2.2.4-15 GPL-2+
libss2 1.42.5-1.1+deb7u1 Unknown
libssl1.0.0 1.0.1t-1+deb7u4 Unknown
libstdc++6 4.7.2-5 Unknown
libtext-charwidth-perl 0.04-7+b1 Unknown
libtext-iconv-perl 1.7-5 Unknown
libtext-wrapi18n-perl 0.06-7 Unknown
libtinfo5 5.9-10 Unknown
libusb-0.1-4 2:0.1.12-20+nmu1 Unknown
libustr-1.0-1 1.0.4-3 LGPL-2+ GPL-2+ BSD-2-clause MIT
libuuid1 2.20.1-5.3 Unknown
login 1:4.1.5.1-1+deb7u1 Unknown
lsb-base 4.1+Debian8+deb7u1 GPL-2 BSD-3-clause
mawk 1.3.3-17 Unknown
mount 2.20.1-5.3 Unknown
multiarch-support 2.13-38+deb7u12 Unknown
ncurses-base 5.9-10 Unknown
ncurses-bin 5.9-10 Unknown
passwd 1:4.1.5.1-1+deb7u1 Unknown
perl-base 5.14.2-21+deb7u6 GPL-1+ Expat REGCOMP, Unicode Artistic S2P BZIP ZLIB GPL-2+ BSD-4-clause TEXT-SOUNDEX TEXT-TABS BSD-3-clause SDBM-PUBLIC-DOMAIN PERLDOCS DONT-CHANGE-THE-GPL Artistic-2 BSD-4-clause-POWERDOG BSD-3-clause-GENERIC REGCOMP
readline-common 6.2+dfsg-0.1 Unknown
sed 4.2.1-10 Unknown
sensible-utils 0.0.7+deb7u1 Unknown
sysv-rc 2.88dsf-41+deb7u1 Unknown
sysvinit 2.88dsf-41+deb7u1 Unknown
sysvinit-utils 2.88dsf-41+deb7u1 Unknown
tar 1.26+dfsg-0.1+deb7u1 Unknown
tzdata 2018e-0+deb7u1 Unknown
util-linux 2.20.1-5.3 Unknown
xz-utils 5.1.1alpha+20120614-2 PD probably-PD GPL-2+ LGPL-2.1+ permissive-fsf Autoconf GPL-2 none permissive-nowarranty config-h noderivs PD-debian
zlib1g 1:1.2.7.dfsg-13 Unknown
[root@ciserver anchoredir]# anchore-cli image vuln docker.io/library/debian:7 all
Vulnerability ID Package Severity Fix CVE Refs Vulnerability URL Type Feed Group Package Path
CVE-2005-2541 tar-1.26+dfsg-0.1+deb7u1 Negligible None CVE-2005-2541 https://security-tracker.debian.org/tracker/CVE-2005-2541 dpkg debian:7 None
CVE-2007-5686 login-1:4.1.5.1-1+deb7u1 Negligible None CVE-2007-5686 https://security-tracker.debian.org/tracker/CVE-2007-5686 dpkg debian:7 None
CVE-2007-5686 passwd-1:4.1.5.1-1+deb7u1 Negligible None CVE-2007-5686 https://security-tracker.debian.org/tracker/CVE-2007-5686 dpkg debian:7 None
CVE-2007-6755 libssl1.0.0-1.0.1t-1+deb7u4 Negligible None CVE-2007-6755 https://security-tracker.debian.org/tracker/CVE-2007-6755 dpkg debian:7 None
CVE-2010-0928 libssl1.0.0-1.0.1t-1+deb7u4 Negligible None CVE-2010-0928 https://security-tracker.debian.org/tracker/CVE-2010-0928 dpkg debian:7 None
CVE-2010-3192 libc-bin-2.13-38+deb7u12 Negligible None CVE-2010-3192 https://security-tracker.debian.org/tracker/CVE-2010-3192 dpkg debian:7 None
CVE-2010-3192 libc6-2.13-38+deb7u12 Negligible None CVE-2010-3192 https://security-tracker.debian.org/tracker/CVE-2010-3192 dpkg debian:7 None
CVE-2010-3192 multiarch-support-2.13-38+deb7u12 Negligible None CVE-2010-3192 https://security-tracker.debian.org/tracker/CVE-2010-3192 dpkg debian:7 None
CVE-2010-4051 libc-bin-2.13-38+deb7u12 Negligible None CVE-2010-4051 https://security-tracker.debian.org/tracker/CVE-2010-4051 dpkg debian:7 None
CVE-2010-4051 libc6-2.13-38+deb7u12 Negligible None CVE-2010-4051 https://security-tracker.debian.org/tracker/CVE-2010-4051 dpkg debian:7 None
CVE-2010-4051 multiarch-support-2.13-38+deb7u12 Negligible None CVE-2010-4051 https://security-tracker.debian.org/tracker/CVE-2010-4051 dpkg debian:7 None
CVE-2010-4052 libc-bin-2.13-38+deb7u12 Negligible None CVE-2010-4052 https://security-tracker.debian.org/tracker/CVE-2010-4052 dpkg debian:7 None
CVE-2010-4052 libc6-2.13-38+deb7u12 Negligible None CVE-2010-4052 https://security-tracker.debian.org/tracker/CVE-2010-4052 dpkg debian:7 None
CVE-2010-4052 multiarch-support-2.13-38+deb7u12 Negligible None CVE-2010-4052 https://security-tracker.debian.org/tracker/CVE-2010-4052 dpkg debian:7 None
CVE-2010-4756 libc-bin-2.13-38+deb7u12 Negligible None CVE-2010-4756 https://security-tracker.debian.org/tracker/CVE-2010-4756 dpkg debian:7 None
CVE-2010-4756 libc6-2.13-38+deb7u12 Negligible None CVE-2010-4756 https://security-tracker.debian.org/tracker/CVE-2010-4756 dpkg debian:7 None
CVE-2010-4756 multiarch-support-2.13-38+deb7u12 Negligible None CVE-2010-4756 https://security-tracker.debian.org/tracker/CVE-2010-4756 dpkg debian:7 None
CVE-2010-4777 perl-base-5.14.2-21+deb7u6 Negligible None CVE-2010-4777 https://security-tracker.debian.org/tracker/CVE-2010-4777 dpkg debian:7 None
CVE-2011-3374 apt-0.9.7.9+deb7u7 Negligible None CVE-2011-3374 https://security-tracker.debian.org/tracker/CVE-2011-3374 dpkg debian:7 None
CVE-2011-3374 libapt-pkg4.12-0.9.7.9+deb7u7 Negligible None CVE-2011-3374 https://security-tracker.debian.org/tracker/CVE-2011-3374 dpkg debian:7 None
CVE-2011-4116 perl-base-5.14.2-21+deb7u6 Negligible None CVE-2011-4116 https://security-tracker.debian.org/tracker/CVE-2011-4116 dpkg debian:7 None
CVE-2013-4235 login-1:4.1.5.1-1+deb7u1 Negligible None CVE-2013-4235 https://security-tracker.debian.org/tracker/CVE-2013-4235 dpkg debian:7 None
CVE-2013-4235 passwd-1:4.1.5.1-1+deb7u1 Negligible None CVE-2013-4235 https://security-tracker.debian.org/tracker/CVE-2013-4235 dpkg debian:7 None
CVE-2015-5218 libblkid1-2.20.1-5.3 Negligible None CVE-2015-5218 https://security-tracker.debian.org/tracker/CVE-2015-5218 dpkg debian:7 None
CVE-2015-5218 libmount1-2.20.1-5.3 Negligible None CVE-2015-5218 https://security-tracker.debian.org/tracker/CVE-2015-5218 dpkg debian:7 None
CVE-2015-5218 libuuid1-2.20.1-5.3 Negligible None CVE-2015-5218 https://security-tracker.debian.org/tracker/CVE-2015-5218 dpkg debian:7 None
CVE-2015-5218 mount-2.20.1-5.3 Negligible None CVE-2015-5218 https://security-tracker.debian.org/tracker/CVE-2015-5218 dpkg debian:7 None
CVE-2015-5218 util-linux-2.20.1-5.3 Negligible None CVE-2015-5218 https://security-tracker.debian.org/tracker/CVE-2015-5218 dpkg debian:7 None
CVE-2015-5224 libblkid1-2.20.1-5.3 Negligible None CVE-2015-5224 https://security-tracker.debian.org/tracker/CVE-2015-5224 dpkg debian:7 None
CVE-2015-5224 libmount1-2.20.1-5.3 Negligible None CVE-2015-5224 https://security-tracker.debian.org/tracker/CVE-2015-5224 dpkg debian:7 None
CVE-2015-5224 libuuid1-2.20.1-5.3 Negligible None CVE-2015-5224 https://security-tracker.debian.org/tracker/CVE-2015-5224 dpkg debian:7 None
CVE-2015-5224 mount-2.20.1-5.3 Negligible None CVE-2015-5224 https://security-tracker.debian.org/tracker/CVE-2015-5224 dpkg debian:7 None
CVE-2015-5224 util-linux-2.20.1-5.3 Negligible None CVE-2015-5224 https://security-tracker.debian.org/tracker/CVE-2015-5224 dpkg debian:7 None
CVE-2016-0634 bash-4.2+dfsg-0.1+deb7u4 Negligible None CVE-2016-0634 https://security-tracker.debian.org/tracker/CVE-2016-0634 dpkg debian:7 None
CVE-2017-18018 coreutils-8.13-3.5 Negligible None CVE-2017-18018 https://security-tracker.debian.org/tracker/CVE-2017-18018 dpkg debian:7 None
CVE-2017-2616 coreutils-8.13-3.5 Negligible None CVE-2017-2616 https://security-tracker.debian.org/tracker/CVE-2017-2616 dpkg debian:7 None
CVE-2017-2616 libblkid1-2.20.1-5.3 Negligible None CVE-2017-2616 https://security-tracker.debian.org/tracker/CVE-2017-2616 dpkg debian:7 None
CVE-2017-2616 libmount1-2.20.1-5.3 Negligible None CVE-2017-2616 https://security-tracker.debian.org/tracker/CVE-2017-2616 dpkg debian:7 None
CVE-2017-2616 libuuid1-2.20.1-5.3 Negligible None CVE-2017-2616 https://security-tracker.debian.org/tracker/CVE-2017-2616 dpkg debian:7 None
CVE-2017-2616 mount-2.20.1-5.3 Negligible None CVE-2017-2616 https://security-tracker.debian.org/tracker/CVE-2017-2616 dpkg debian:7 None
CVE-2017-2616 util-linux-2.20.1-5.3 Negligible None CVE-2017-2616 https://security-tracker.debian.org/tracker/CVE-2017-2616 dpkg debian:7 None
CVE-2017-8283 dpkg-1.16.18 Negligible None CVE-2017-8283 https://security-tracker.debian.org/tracker/CVE-2017-8283 dpkg debian:7 None
CVE-2018-6829 gnupg-1.4.12-7+deb7u9 Negligible None CVE-2018-6829 https://security-tracker.debian.org/tracker/CVE-2018-6829 dpkg debian:7 None
CVE-2018-6829 gpgv-1.4.12-7+deb7u9 Negligible None CVE-2018-6829 https://security-tracker.debian.org/tracker/CVE-2018-6829 dpkg debian:7 None
CVE-2018-11236 libc-bin-2.13-38+deb7u12 Unknown None CVE-2018-11236 https://security-tracker.debian.org/tracker/CVE-2018-11236 dpkg debian:7 None
CVE-2018-11236 libc6-2.13-38+deb7u12 Unknown None CVE-2018-11236 https://security-tracker.debian.org/tracker/CVE-2018-11236 dpkg debian:7 None
CVE-2018-11236 multiarch-support-2.13-38+deb7u12 Unknown None CVE-2018-11236 https://security-tracker.debian.org/tracker/CVE-2018-11236 dpkg debian:7 None
CVE-2018-11237 libc-bin-2.13-38+deb7u12 Unknown None CVE-2018-11237 https://security-tracker.debian.org/tracker/CVE-2018-11237 dpkg debian:7 None
CVE-2018-11237 libc6-2.13-38+deb7u12 Unknown None CVE-2018-11237 https://security-tracker.debian.org/tracker/CVE-2018-11237 dpkg debian:7 None
CVE-2018-11237 multiarch-support-2.13-38+deb7u12 Unknown None CVE-2018-11237 https://security-tracker.debian.org/tracker/CVE-2018-11237 dpkg debian:7 None
[root@ciserver anchoredir]# anchore-cli evaluate check docker.io/library/debian:7
Image Digest: sha256:81e88820a7759038ffa61cff59dfcc12d3772c3a2e75b7cfe963c952da2ad264
Full Tag: docker.io/library/debian:7
Status: pass
Last Eval: 2020-05-30T14:07:38Z
Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060
[root@ciserver anchoredir]#
# Main commands
- anchore-cli image add docker.io/library/debian:7
Adds the image to be checked.
- anchore-cli image content docker.io/library/debian:7
Lists the content types found in the image.
- anchore-cli image content docker.io/library/debian:7 os
Shows the detail of one content type (here the OS packages).
- anchore-cli image vuln docker.io/library/debian:7 all
Shows the vulnerability results. Each CVE-xxxx row is a finding from the scan, and the Vulnerability URL column links to its details.
- anchore-cli evaluate check docker.io/library/debian:7
Evaluates the analyzed image against the active policy and reports pass or fail.
That is all it takes to check an image for vulnerabilities.
The image above is a Docker Hub official image; it only had Negligible and Unknown findings, so it passed (the Policy ID shown is the engine's default policy bundle). A pass only means nothing tripped that policy: Debian 7 has been out of security support since 2018, so the absence of High findings says more about how much data the debian:7 feed still receives than about the safety of the base image.
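The tables in this post show two things a CI gate has to account for: anchore-cli prints one row per matched file, so a single Tomcat CVE appears once per JAR under /opt/tomcat, and every nvdv2 match carries Fix None (NVD records do not say which package version fixes a CVE), so a gate that only blocks fixable findings would pass an image full of Critical findings. The script below is an added example, not part of the original post or of anchore-cli: it reads the JSON from anchore-cli --json image vuln <image> all, collapses rows to unique (CVE, package) pairs, counts them by severity and returns a pass/fail decision. The record keys (vuln, package, severity, fix, package_type, feed_group, package_path) are the 0.6 CLI's as I know them, and SAMPLE is constructed from a few rows of the tomcat:tomcat8jdk8 and debian:7 tables rather than captured from a real run.

```python
"""Summarise `anchore-cli --json image vuln <image> all` and decide a CI gate.

Added example, not part of the original post or of anchore-cli itself.
Record keys are those of the 0.6 CLI as I know them; SAMPLE is constructed
from a few rows of the tables in the post, not a real capture.
"""
import json
import sys
from collections import Counter

# Severity order as Anchore reports it, lowest first.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2,
                 "Medium": 3, "High": 4, "Critical": 5}

# Constructed sample in the shape of `anchore-cli --json image vuln IMAGE all`.
SAMPLE = json.dumps({
    "imageDigest": "sha256:6a788c1f53affee24683006dd621359c2a7e7bdb7c120657840795ccd6b06dd1",
    "vulnerability_type": "all",
    "vulnerabilities": [
        {"vuln": "CVE-2020-1938", "package": "tomcat-8.5.45", "severity": "Critical", "fix": "None",
         "package_type": "java", "feed_group": "nvdv2:cves", "package_path": "/opt/tomcat/lib/tomcat-coyote.jar"},
        {"vuln": "CVE-2020-1938", "package": "tomcat-8.5.45", "severity": "Critical", "fix": "None",
         "package_type": "java", "feed_group": "nvdv2:cves", "package_path": "/opt/tomcat/lib/tomcat-api.jar"},
        {"vuln": "CVE-2020-1938", "package": "tomcat-8.5.45", "severity": "Critical", "fix": "None",
         "package_type": "java", "feed_group": "nvdv2:cves", "package_path": "/opt/tomcat/bin/tomcat-juli.jar"},
        {"vuln": "CVE-2019-12418", "package": "tomcat-8.5.45", "severity": "High", "fix": "None",
         "package_type": "java", "feed_group": "nvdv2:cves", "package_path": "/opt/tomcat/lib/tomcat-coyote.jar"},
        {"vuln": "CVE-2019-9636", "package": "Python-2.7.5", "severity": "Critical", "fix": "None",
         "package_type": "python", "feed_group": "nvdv2:cves", "package_path": "/usr/lib64/python2.7/lib-dynload/Python"},
        {"vuln": "CVE-2005-2541", "package": "tar-1.26+dfsg-0.1+deb7u1", "severity": "Negligible", "fix": "None",
         "package_type": "dpkg", "feed_group": "debian:7", "package_path": "None"},
    ],
})


def load_findings(text):
    """Parse the CLI's JSON document and return the list of finding records."""
    return json.loads(text)["vulnerabilities"]


def dedupe(findings):
    """Collapse rows to one per (CVE, package), keeping the set of paths it matched at.

    The CLI emits one row per matched file, so one Tomcat CVE shows up once
    per JAR; counting raw rows overstates the problem."""
    merged = {}
    for f in findings:
        key = (f["vuln"], f["package"])
        entry = merged.setdefault(key, {
            "vuln": f["vuln"], "package": f["package"], "severity": f["severity"],
            "fix": f["fix"], "feed_group": f["feed_group"], "paths": set()})
        if f.get("package_path") not in (None, "None"):
            entry["paths"].add(f["package_path"])
    return list(merged.values())


def summarize(findings):
    """Row count, unique finding count and a per-severity breakdown."""
    uniq = dedupe(findings)
    return {"rows": len(findings), "unique": len(uniq),
            "by_severity": dict(Counter(f["severity"] for f in uniq)),
            "findings": uniq}


def gate(findings, block_at="High", require_fix=False):
    """Return (passed, offenders): block on unique findings at or above block_at.

    require_fix=True blocks only findings with a known fix; every nvdv2 match
    in SAMPLE reports fix None, so that mode would wave this image through."""
    threshold = SEVERITY_RANK[block_at]
    offenders = [f for f in dedupe(findings)
                 if SEVERITY_RANK.get(f["severity"], 0) >= threshold
                 and (not require_fix or f["fix"] != "None")]
    return (len(offenders) == 0, offenders)


if __name__ == "__main__":
    # Usage: anchore-cli --json image vuln IMAGE all | python vuln_gate.py -
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    findings = load_findings(text)
    summary = summarize(findings)
    print("%d rows -> %d unique findings %s"
          % (summary["rows"], summary["unique"], summary["by_severity"]))
    passed, offenders = gate(findings, block_at="High")
    for f in sorted(offenders, key=lambda f: -SEVERITY_RANK[f["severity"]]):
        print("%-10s %-16s %-24s fix=%-5s paths=%d"
              % (f["severity"], f["vuln"], f["package"], f["fix"], len(f["paths"])))
    sys.exit(0 if passed else 1)
```

Run against the embedded sample it exits 1 with three unique offenders out of six rows; piped the real output of the tomcat image it would do the same, and the exit code is what the pipeline step keys on. anchore-cli evaluate check does this job once a policy is active; this script is useful when you want the summary in the build log or need to gate before the policy engine has been tuned.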
Next the same checks were run on a newly built custom image, tomcat:tomcat8jdk8.
[root@ciserver anchoredir]# anchore-cli image add docker.io/nara0617/tomcat:tomcat8jdk8
Image Digest: sha256:6a788c1f53affee24683006dd621359c2a7e7bdb7c120657840795ccd6b06dd1
Parent Digest: sha256:6a788c1f53affee24683006dd621359c2a7e7bdb7c120657840795ccd6b06dd1
Analysis Status: analyzed
Image Type: docker
Analyzed At: 2020-05-30T09:14:55Z
Image ID: c166235e31c775f66da0fcd0dd24317d3790a2c5b7033af2f2282b1604619e91
Dockerfile Mode: Guessed
Distro: centos
Distro Version: 7
Size: 826429440
Architecture: amd64
Layer Count: 9
Full Tag: docker.io/nara0617/tomcat:tomcat8jdk8
Tag Detected At: 2020-05-30T09:11:02Z
[root@ciserver anchoredir]# anchore-cli image content docker.io/nara0617/tomcat:tomcat8jdk8
os: available
files: available
npm: available
gem: available
python: available
java: available
[root@ciserver anchoredir]# anchore-cli image vuln docker.io/nara0617/tomcat:tomcat8jdk8 all
Vulnerability ID Package Severity Fix CVE Refs Vulnerability URL Type Feed Group Package Path
CVE-2014-4650 Python-2.7.5 Critical None CVE-2014-4650 https://nvd.nist.gov/vuln/detail/CVE-2014-4650 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2016-5636 Python-2.7.5 Critical None CVE-2016-5636 https://nvd.nist.gov/vuln/detail/CVE-2016-5636 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2017-1000158 Python-2.7.5 Critical None CVE-2017-1000158 https://nvd.nist.gov/vuln/detail/CVE-2017-1000158 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2019-9636 Python-2.7.5 Critical None CVE-2019-9636 https://nvd.nist.gov/vuln/detail/CVE-2019-9636 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2020-1938 tomcat-8.5.45 Critical None CVE-2020-1938 https://nvd.nist.gov/vuln/detail/CVE-2020-1938 java nvdv2:cves /opt/tomcat/bin/tomcat-juli.jar
CVE-2020-1938 tomcat-8.5.45 Critical None CVE-2020-1938 https://nvd.nist.gov/vuln/detail/CVE-2020-1938 java nvdv2:cves /opt/tomcat/lib/tomcat-api.jar
CVE-2020-1938 tomcat-8.5.45 Critical None CVE-2020-1938 https://nvd.nist.gov/vuln/detail/CVE-2020-1938 java nvdv2:cves /opt/tomcat/lib/tomcat-coyote.jar
CVE-2020-1938 tomcat-8.5.45 Critical None CVE-2020-1938 https://nvd.nist.gov/vuln/detail/CVE-2020-1938 java nvdv2:cves /opt/tomcat/lib/tomcat-dbcp.jar
CVE-2020-1938 tomcat-8.5.45 Critical None CVE-2020-1938 https://nvd.nist.gov/vuln/detail/CVE-2020-1938 java nvdv2:cves /opt/tomcat/lib/tomcat-i18n-es.jar
CVE-2020-1938 tomcat-8.5.45 Critical None CVE-2020-1938 https://nvd.nist.gov/vuln/detail/CVE-2020-1938 java nvdv2:cves /opt/tomcat/lib/tomcat-i18n-fr.jar
CVE-2020-1938 tomcat-8.5.45 Critical None CVE-2020-1938 https://nvd.nist.gov/vuln/detail/CVE-2020-1938 java nvdv2:cves /opt/tomcat/lib/tomcat-i18n-ja.jar
CVE-2020-1938 tomcat-8.5.45 Critical None CVE-2020-1938 https://nvd.nist.gov/vuln/detail/CVE-2020-1938 java nvdv2:cves /opt/tomcat/lib/tomcat-i18n-ru.jar
CVE-2020-1938 tomcat-8.5.45 Critical None CVE-2020-1938 https://nvd.nist.gov/vuln/detail/CVE-2020-1938 java nvdv2:cves /opt/tomcat/lib/tomcat-jni.jar
CVE-2020-1938 tomcat-8.5.45 Critical None CVE-2020-1938 https://nvd.nist.gov/vuln/detail/CVE-2020-1938 java nvdv2:cves /opt/tomcat/lib/tomcat-util-scan.jar
CVE-2020-1938 tomcat-8.5.45 Critical None CVE-2020-1938 https://nvd.nist.gov/vuln/detail/CVE-2020-1938 java nvdv2:cves /opt/tomcat/lib/tomcat-util.jar
CVE-2020-1938 tomcat-8.5.45 Critical None CVE-2020-1938 https://nvd.nist.gov/vuln/detail/CVE-2020-1938 java nvdv2:cves /opt/tomcat/lib/tomcat-websocket.jar
CVE-2013-1753 Python-2.7.5 High None CVE-2013-1753 https://nvd.nist.gov/vuln/detail/CVE-2013-1753 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2014-1912 Python-2.7.5 High None CVE-2014-1912 https://nvd.nist.gov/vuln/detail/CVE-2014-1912 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2015-5652 Python-2.7.5 High None CVE-2015-5652 https://nvd.nist.gov/vuln/detail/CVE-2015-5652 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2017-17522 Python-2.7.5 High None CVE-2017-17522 https://nvd.nist.gov/vuln/detail/CVE-2017-17522 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2018-1060 Python-2.7.5 High None CVE-2018-1060 https://nvd.nist.gov/vuln/detail/CVE-2018-1060 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2018-1061 Python-2.7.5 High None CVE-2018-1061 https://nvd.nist.gov/vuln/detail/CVE-2018-1061 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2019-12418 tomcat-8.5.45 High None CVE-2019-12418 https://nvd.nist.gov/vuln/detail/CVE-2019-12418 java nvdv2:cves /opt/tomcat/bin/tomcat-juli.jar
CVE-2019-12418 tomcat-8.5.45 High None CVE-2019-12418 https://nvd.nist.gov/vuln/detail/CVE-2019-12418 java nvdv2:cves /opt/tomcat/lib/tomcat-api.jar
CVE-2019-12418 tomcat-8.5.45 High None CVE-2019-12418 https://nvd.nist.gov/vuln/detail/CVE-2019-12418 java nvdv2:cves /opt/tomcat/lib/tomcat-coyote.jar
CVE-2019-12418 tomcat-8.5.45 High None CVE-2019-12418 https://nvd.nist.gov/vuln/detail/CVE-2019-12418 java nvdv2:cves /opt/tomcat/lib/tomcat-dbcp.jar
CVE-2019-12418 tomcat-8.5.45 High None CVE-2019-12418 https://nvd.nist.gov/vuln/detail/CVE-2019-12418 java nvdv2:cves /opt/tomcat/lib/tomcat-i18n-es.jar
CVE-2019-12418 tomcat-8.5.45 High None CVE-2019-12418 https://nvd.nist.gov/vuln/detail/CVE-2019-12418 java nvdv2:cves /opt/tomcat/lib/tomcat-i18n-fr.jar
CVE-2019-12418 tomcat-8.5.45 High None CVE-2019-12418 https://nvd.nist.gov/vuln/detail/CVE-2019-12418 java nvdv2:cves /opt/tomcat/lib/tomcat-i18n-ja.jar
CVE-2019-12418 tomcat-8.5.45 High None CVE-2019-12418 https://nvd.nist.gov/vuln/detail/CVE-2019-12418 java nvdv2:cves /opt/tomcat/lib/tomcat-i18n-ru.jar
CVE-2019-12418 tomcat-8.5.45 High None CVE-2019-12418 https://nvd.nist.gov/vuln/detail/CVE-2019-12418 java nvdv2:cves /opt/tomcat/lib/tomcat-jni.jar
CVE-2019-12418 tomcat-8.5.45 High None CVE-2019-12418 https://nvd.nist.gov/vuln/detail/CVE-2019-12418 java nvdv2:cves /opt/tomcat/lib/tomcat-util-scan.jar
CVE-2019-12418 tomcat-8.5.45 High None CVE-2019-12418 https://nvd.nist.gov/vuln/detail/CVE-2019-12418 java nvdv2:cves /opt/tomcat/lib/tomcat-util.jar
CVE-2019-12418 tomcat-8.5.45 High None CVE-2019-12418 https://nvd.nist.gov/vuln/detail/CVE-2019-12418 java nvdv2:cves /opt/tomcat/lib/tomcat-websocket.jar
CVE-2019-13404 Python-2.7.5 High None CVE-2019-13404 https://nvd.nist.gov/vuln/detail/CVE-2019-13404 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2019-17563 tomcat-8.5.45 High None CVE-2019-17563 https://nvd.nist.gov/vuln/detail/CVE-2019-17563 java nvdv2:cves /opt/tomcat/bin/tomcat-juli.jar
CVE-2019-17563 tomcat-8.5.45 High None CVE-2019-17563 https://nvd.nist.gov/vuln/detail/CVE-2019-17563 java nvdv2:cves /opt/tomcat/lib/tomcat-api.jar
CVE-2019-17563 tomcat-8.5.45 High None CVE-2019-17563 https://nvd.nist.gov/vuln/detail/CVE-2019-17563 java nvdv2:cves /opt/tomcat/lib/tomcat-coyote.jar
CVE-2019-17563 tomcat-8.5.45 High None CVE-2019-17563 https://nvd.nist.gov/vuln/detail/CVE-2019-17563 java nvdv2:cves /opt/tomcat/lib/tomcat-dbcp.jar
CVE-2019-17563 tomcat-8.5.45 High None CVE-2019-17563 https://nvd.nist.gov/vuln/detail/CVE-2019-17563 java nvdv2:cves /opt/tomcat/lib/tomcat-i18n-es.jar
CVE-2019-17563 tomcat-8.5.45 High None CVE-2019-17563 https://nvd.nist.gov/vuln/detail/CVE-2019-17563 java nvdv2:cves /opt/tomcat/lib/tomcat-i18n-fr.jar
CVE-2019-17563 tomcat-8.5.45 High None CVE-2019-17563 https://nvd.nist.gov/vuln/detail/CVE-2019-17563 java nvdv2:cves /opt/tomcat/lib/tomcat-i18n-ja.jar
CVE-2019-17563 tomcat-8.5.45 High None CVE-2019-17563 https://nvd.nist.gov/vuln/detail/CVE-2019-17563 java nvdv2:cves /opt/tomcat/lib/tomcat-i18n-ru.jar
CVE-2019-17563 tomcat-8.5.45 High None CVE-2019-17563 https://nvd.nist.gov/vuln/detail/CVE-2019-17563 java nvdv2:cves /opt/tomcat/lib/tomcat-jni.jar
CVE-2019-17563 tomcat-8.5.45 High None CVE-2019-17563 https://nvd.nist.gov/vuln/detail/CVE-2019-17563 java nvdv2:cves /opt/tomcat/lib/tomcat-util-scan.jar
CVE-2019-17563 tomcat-8.5.45 High None CVE-2019-17563 https://nvd.nist.gov/vuln/detail/CVE-2019-17563 java nvdv2:cves /opt/tomcat/lib/tomcat-util.jar
CVE-2019-17563 tomcat-8.5.45 High None CVE-2019-17563 https://nvd.nist.gov/vuln/detail/CVE-2019-17563 java nvdv2:cves /opt/tomcat/lib/tomcat-websocket.jar
CVE-2019-9674 Python-2.7.5 High None CVE-2019-9674 https://nvd.nist.gov/vuln/detail/CVE-2019-9674 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2020-1745 tomcat-8.5.45 High None CVE-2020-1745 https://nvd.nist.gov/vuln/detail/CVE-2020-1745 java nvdv2:cves /opt/tomcat/bin/tomcat-juli.jar
CVE-2020-1745 tomcat-8.5.45 High None CVE-2020-1745 https://nvd.nist.gov/vuln/detail/CVE-2020-1745 java nvdv2:cves /opt/tomcat/lib/tomcat-api.jar
CVE-2020-1745 tomcat-8.5.45 High None CVE-2020-1745 https://nvd.nist.gov/vuln/detail/CVE-2020-1745 java nvdv2:cves /opt/tomcat/lib/tomcat-coyote.jar
CVE-2020-1745 tomcat-8.5.45 High None CVE-2020-1745 https://nvd.nist.gov/vuln/detail/CVE-2020-1745 java nvdv2:cves /opt/tomcat/lib/tomcat-dbcp.jar
CVE-2020-1745 tomcat-8.5.45 High None CVE-2020-1745 https://nvd.nist.gov/vuln/detail/CVE-2020-1745 java nvdv2:cves /opt/tomcat/lib/tomcat-i18n-es.jar
CVE-2020-1745 tomcat-8.5.45 High None CVE-2020-1745 https://nvd.nist.gov/vuln/detail/CVE-2020-1745 java nvdv2:cves /opt/tomcat/lib/tomcat-i18n-fr.jar
CVE-2020-1745 tomcat-8.5.45 High None CVE-2020-1745 https://nvd.nist.gov/vuln/detail/CVE-2020-1745 java nvdv2:cves /opt/tomcat/lib/tomcat-i18n-ja.jar
CVE-2020-1745 tomcat-8.5.45 High None CVE-2020-1745 https://nvd.nist.gov/vuln/detail/CVE-2020-1745 java nvdv2:cves /opt/tomcat/lib/tomcat-i18n-ru.jar
CVE-2020-1745 tomcat-8.5.45 High None CVE-2020-1745 https://nvd.nist.gov/vuln/detail/CVE-2020-1745 java nvdv2:cves /opt/tomcat/lib/tomcat-jni.jar
CVE-2020-1745 tomcat-8.5.45 High None CVE-2020-1745 https://nvd.nist.gov/vuln/detail/CVE-2020-1745 java nvdv2:cves /opt/tomcat/lib/tomcat-util-scan.jar
CVE-2020-1745 tomcat-8.5.45 High None CVE-2020-1745 https://nvd.nist.gov/vuln/detail/CVE-2020-1745 java nvdv2:cves /opt/tomcat/lib/tomcat-util.jar
CVE-2020-1745 tomcat-8.5.45 High None CVE-2020-1745 https://nvd.nist.gov/vuln/detail/CVE-2020-1745 java nvdv2:cves /opt/tomcat/lib/tomcat-websocket.jar
CVE-2018-1000030 Python-2.7.5 Low None CVE-2018-1000030 https://nvd.nist.gov/vuln/detail/CVE-2018-1000030 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2013-7040 Python-2.7.5 Medium None CVE-2013-7040 https://nvd.nist.gov/vuln/detail/CVE-2013-7040 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2013-7440 Python-2.7.5 Medium None CVE-2013-7440 https://nvd.nist.gov/vuln/detail/CVE-2013-7440 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2014-4616 Python-2.7.5 Medium None CVE-2014-4616 https://nvd.nist.gov/vuln/detail/CVE-2014-4616 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2014-7185 Python-2.7.5 Medium None CVE-2014-7185 https://nvd.nist.gov/vuln/detail/CVE-2014-7185 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2014-9365 Python-2.7.5 Medium None CVE-2014-9365 https://nvd.nist.gov/vuln/detail/CVE-2014-9365 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2016-0772 Python-2.7.5 Medium None CVE-2016-0772 https://nvd.nist.gov/vuln/detail/CVE-2016-0772 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2016-1000110 Python-2.7.5 Medium None CVE-2016-1000110 https://nvd.nist.gov/vuln/detail/CVE-2016-1000110 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2016-5699 Python-2.7.5 Medium None CVE-2016-5699 https://nvd.nist.gov/vuln/detail/CVE-2016-5699 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2017-18207 Python-2.7.5 Medium None CVE-2017-18207 https://nvd.nist.gov/vuln/detail/CVE-2017-18207 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2018-20852 Python-2.7.5 Medium None CVE-2018-20852 https://nvd.nist.gov/vuln/detail/CVE-2018-20852 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2019-17006 nss-3.36.0-7.1.el7_6 Medium None https://access.redhat.com/security/cve/CVE-2019-17006 rpm rhel:7 None
CVE-2019-17006 nss-sysinit-3.36.0-7.1.el7_6 Medium None https://access.redhat.com/security/cve/CVE-2019-17006 rpm rhel:7 None
CVE-2019-17006 nss-tools-3.36.0-7.1.el7_6 Medium None https://access.redhat.com/security/cve/CVE-2019-17006 rpm rhel:7 None
CVE-2019-18348 Python-2.7.5 Medium None CVE-2019-18348 https://nvd.nist.gov/vuln/detail/CVE-2019-18348 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
CVE-2019-19338 kernel-headers-3.10.0-957.27.2.el7 Medium 3.10.0-1062.18.1.el7 https://access.redhat.com/security/cve/CVE-2019-19338 rpm rhel:7 None
CVE-2020-10708 kernel-headers-3.10.0-957.27.2.el7 Medium None https://access.redhat.com/security/cve/CVE-2020-10708 rpm rhel:7 None
CVE-2020-12399 nss-3.36.0-7.1.el7_6 Medium None https://access.redhat.com/security/cve/CVE-2020-12399 rpm rhel:7 None
CVE-2020-12399 nss-sysinit-3.36.0-7.1.el7_6 Medium None https://access.redhat.com/security/cve/CVE-2020-12399 rpm rhel:7 None
CVE-2020-12399 nss-tools-3.36.0-7.1.el7_6 Medium None https://access.redhat.com/security/cve/CVE-2020-12399 rpm rhel:7 None
CVE-2020-1749 kernel-headers-3.10.0-957.27.2.el7 Medium None https://access.redhat.com/security/cve/CVE-2020-1749 rpm rhel:7 None
CVE-2020-1935 tomcat-8.5.45 Medium None CVE-2020-1935 https://nvd.nist.gov/vuln/detail/CVE-2020-1935 java nvdv2:cves /opt/tomcat/bin/tomcat-juli.jar
CVE-2020-1935 tomcat-8.5.45 Medium None CVE-2020-1935 https://nvd.nist.gov/vuln/detail/CVE-2020-1935 java nvdv2:cves /opt/tomcat/lib/tomcat-api.jar
CVE-2020-1935 tomcat-8.5.45 Medium None CVE-2020-1935 https://nvd.nist.gov/vuln/detail/CVE-2020-1935 java nvdv2:cves /opt/tomcat/lib/tomcat-coyote.jar
CVE-2020-1935 tomcat-8.5.45 Medium None CVE-2020-1935 https://nvd.nist.gov/vuln/detail/CVE-2020-1935 java nvdv2:cves /opt/tomcat/lib/tomcat-dbcp.jar
CVE-2020-1935 tomcat-8.5.45 Medium None CVE-2020-1935 https://nvd.nist.gov/vuln/detail/CVE-2020-1935 java nvdv2:cves /opt/tomcat/lib/tomcat-i18n-es.jar
CVE-2020-1935 tomcat-8.5.45 Medium None CVE-2020-1935 https://nvd.nist.gov/vuln/detail/CVE-2020-1935 java nvdv2:cves /opt/tomcat/lib/tomcat-i18n-fr.jar
CVE-2020-1935 tomcat-8.5.45 Medium None CVE-2020-1935 https://nvd.nist.gov/vuln/detail/CVE-2020-1935 java nvdv2:cves /opt/tomcat/lib/tomcat-i18n-ja.jar
CVE-2020-1935 tomcat-8.5.45 Medium None CVE-2020-1935 https://nvd.nist.gov/vuln/detail/CVE-2020-1935 java nvdv2:cves /opt/tomcat/lib/tomcat-i18n-ru.jar
CVE-2020-1935 tomcat-8.5.45 Medium None CVE-2020-1935 https://nvd.nist.gov/vuln/detail/CVE-2020-1935 java nvdv2:cves /opt/tomcat/lib/tomcat-jni.jar
CVE-2020-1935 tomcat-8.5.45 Medium None CVE-2020-1935 https://nvd.nist.gov/vuln/detail/CVE-2020-1935 java nvdv2:cves /opt/tomcat/lib/tomcat-util-scan.jar
CVE-2020-1935 tomcat-8.5.45 Medium None CVE-2020-1935 https://nvd.nist.gov/vuln/detail/CVE-2020-1935 java nvdv2:cves /opt/tomcat/lib/tomcat-util.jar
CVE-2020-1935 tomcat-8.5.45 Medium None CVE-2020-1935 https://nvd.nist.gov/vuln/detail/CVE-2020-1935 java nvdv2:cves /opt/tomcat/lib/tomcat-websocket.jar
[root@ciserver anchoredir]# anchore-cli evaluate check docker.io/nara0617/tomcat:tomcat8jdk8
Image Digest: sha256:6a788c1f53affee24683006dd621359c2a7e7bdb7c120657840795ccd6b06dd1
Full Tag: docker.io/nara0617/tomcat:tomcat8jdk8
Status: fail
Last Eval: 2020-05-30T14:23:54Z
Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060
[root@ciserver anchoredir]#
The image above was found to carry a range of vulnerabilities (Critical, High, Medium and so on), which is why its Status shows fail.
Another major feature of Anchore is that it provides an integration plugin for Jenkins.
https://plugins.jenkins.io/anchore-container-scanner/
This makes it possible to set up a more advanced CI/CD flow, designing the stages so that only an image that has passed the security checks can move on to the subsequent testing or deployment stages.
The image above is the Jenkins and Anchore integration process published on Jenkins.io. When a FAIL status is returned, Jenkins handles it with a retry or exception; when a PASS or WARNING status is returned, the subsequent steps proceed. Had the tomcat8jdk8 image above been used, the build would not have gone ahead.
See the URL above for details.
Results
Docker image vulnerabilities can indeed be scanned this way, but creating a custom image and then scanning it for vulnerabilities every single time can be a very laborious process. Going through each result page one by one to understand the outcome of every step will be hard as well.
As of now, the vulnerability check list totals some 500,000 entries. Having someone manage this entire list, or even keep track of the new vulnerability entries being created at this very moment, is practically impossible.
Yet we cannot simply sit back and use vulnerable images either. We should therefore give serious consideration to approaches such as limiting the list that must be managed at a minimum to Critical or High and above, or, just as one performs OS vulnerability checks before image checks, connecting to the image beforehand, running the checks there, and then confirming the image scan result.
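As an added example (not from the original post or from Anchore), the following Python triages `anchore-cli image vuln ... all` output in the column layout quoted above: it collapses the per-file repeats of one CVE, counts findings by severity, lists those with a fix available, and applies the "Critical or High and above" gate discussed here, the same FAIL versus PASS decision the Jenkins stage above acts on. The sample rows are constructed (condensed from the scan output shown above), and the column layout is an assumption taken from that output.

```python
"""Triage of `anchore-cli image vuln <image> all` output (added example).

Assumption: SAMPLE below mirrors the column layout quoted on this page:
Vulnerability ID, Package, Severity, Fix, [CVE Refs], URL, Type, Feed Group,
Package Path. The CVE Refs column is empty for the rpm/RHEL rows, so each
row is parsed from both ends instead of by a fixed column count.
"""
from collections import Counter

SEVERITY_RANK = {"Negligible": 0, "Unknown": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample, condensed from the scan output quoted above.
SAMPLE = """\
CVE-2019-12418 tomcat-8.5.45 High None CVE-2019-12418 https://nvd.nist.gov/vuln/detail/CVE-2019-12418 java nvdv2:cves /opt/tomcat/lib/tomcat-util.jar
CVE-2019-12418 tomcat-8.5.45 High None CVE-2019-12418 https://nvd.nist.gov/vuln/detail/CVE-2019-12418 java nvdv2:cves /opt/tomcat/lib/tomcat-websocket.jar
CVE-2019-17006 nss-3.36.0-7.1.el7_6 Medium None https://access.redhat.com/security/cve/CVE-2019-17006 rpm rhel:7 None
CVE-2019-19338 kernel-headers-3.10.0-957.27.2.el7 Medium 3.10.0-1062.18.1.el7 https://access.redhat.com/security/cve/CVE-2019-19338 rpm rhel:7 None
CVE-2018-1000030 Python-2.7.5 Low None CVE-2018-1000030 https://nvd.nist.gov/vuln/detail/CVE-2018-1000030 python nvdv2:cves /usr/lib64/python2.7/lib-dynload/Python
"""

def parse_rows(text):
    """Yield one dict per row; the same CVE appears once per file it was found in."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].startswith("CVE-"):
            continue  # skip the header line and anything that is not a finding
        yield {"id": f[0], "package": f[1], "severity": f[2], "fix": f[3],
               "url": f[-4], "type": f[-3], "feed": f[-2], "path": f[-1]}

def triage(text, threshold="High"):
    """Collapse per-file duplicates to (CVE, package) pairs and gate on severity."""
    unique = {}
    for r in parse_rows(text):
        unique.setdefault((r["id"], r["package"]), r)
    by_sev = Counter(r["severity"] for r in unique.values())
    bar = SEVERITY_RANK[threshold]
    blocking = sorted(k[0] for k, r in unique.items()
                      if SEVERITY_RANK.get(r["severity"], 0) >= bar)
    fixable = sorted(k[0] for k, r in unique.items() if r["fix"] != "None")
    return {"counts": dict(by_sev), "blocking": blocking, "fixable": fixable,
            "gate": "FAIL" if blocking else "PASS"}

if __name__ == "__main__":
    print(triage(SAMPLE))             # gate FAIL at the High threshold
    print(triage(SAMPLE, "Critical")) # same scan passes a Critical-only gate
```

Running the same scan through both thresholds shows how much the choice of the minimum managed severity changes the gate outcome, which is the trade-off the conclusion above raises.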