
Overview

It has been several years now since containers took over the IT market. Keeping pace with this rapid shift, many projects have adopted container images and actively use them.

Docker in particular is the leading container platform, and because it has a powerful and diverse image registry in Docker Hub, it has brought Docker to a great many users.

These days its recognition is, arguably, on a par with Java's.

Powerful as Docker containers are, they carry one serious problem.

It is hard to find out who built a container image and how. The Dockerfile and the Docker Hub manifest can help, of course, but they still do not tell you which files actually went into the image.

For this reason, the vulnerabilities in Docker images need to be analyzed and remediated.


In this post we look at Anchore, a vulnerability analysis tool for Docker images.

Body

Anchore Features

The open-source version of Anchore can be found at:

https://anchore.com/opensource/

Anchore can be used on-premises and on public-cloud based platforms alike.


1) Image analysis
Performs a deep inspection of the container image and catalogs every OS package, file and software artifact (Ruby gems, JARs, Node modules) it contains.
2) Policy management
Defines and enforces policies based on security best practices so that risky builds do not complete and problematic images are not deployed.
3) Continuous monitoring
Continuously applies the policies to catch issues that arise when an image is updated, when CVEs are added or removed, or when new best practices are established.
4) CI/CD integration
Integrates Anchore Engine into the CI/CD pipeline so that an image builds successfully only when it meets your custom security and other requirements.

5) Customization
Policies can be flexibly defined to check packages inside the image, whitelists, blacklists, configuration files, security settings, manifests, ports and more.


Installing Anchore

Anchore consists of two modules: the Engine and the CLI tool.

1) Anchore Engine: the engine that checks for security vulnerabilities

- In fact the engine is not so much installed as started: Anchore is already packaged as a Docker image, and you simply run it.

The details are on the Anchore website, but let us go through them briefly.

This post uses the docker.io/anchore/anchore-engine:dev image.


a) Download the docker-compose.yaml file

First, download the yaml file that Docker Compose will start the stack from.

curl https://docs.anchore.com/current/docs/quickstart/docker-compose.yaml > docker-compose.yaml  

<docker-compose.yaml>

---
version: '2.1'
volumes:
  anchore-db-volume:
    # Set this to 'true' to use an external volume. In which case, it must be created manually with "docker volume create anchore-db-volume"
    external: false

  anchore-scratch: {}

services:
  # The primary API endpoint service
  engine-api:
    image: anchore/anchore-engine:v0.6.1
    depends_on:
    - anchore-db
    - engine-catalog
    #volumes:
    #- ./config-engine.yaml:/config/config.yaml:z
    ports:
    - "8228:8228"
    logging:
      driver: "json-file"
      options:
        max-size: 100m
    environment:
    - ANCHORE_ENDPOINT_HOSTNAME=engine-api
    - ANCHORE_DB_HOST=anchore-db
    - ANCHORE_DB_PASSWORD=mysecretpassword
    - ANCHORE_LOG_LEVEL=INFO
    command: ["anchore-manager", "service", "start", "apiext"]

  # Catalog is the primary persistence and state manager of the system
  engine-catalog:
    image: anchore/anchore-engine:v0.6.1
    depends_on:
    - anchore-db
    #volumes:
    #- ./config-engine.yaml:/config/config.yaml:z
    logging:
      driver: "json-file"
      options:
        max-size: 100m
    expose:
    - 8228
    environment:
    - ANCHORE_ENDPOINT_HOSTNAME=engine-catalog
    - ANCHORE_DB_HOST=anchore-db
    - ANCHORE_DB_PASSWORD=mysecretpassword
    - ANCHORE_LOG_LEVEL=INFO
    command: ["anchore-manager", "service", "start", "catalog"]
  engine-simpleq:
    image: anchore/anchore-engine:v0.6.1
    depends_on:
    - anchore-db
    - engine-catalog
    #volumes:
    #- ./config-engine.yaml:/config/config.yaml:z
    expose:
    - 8228
    logging:
      driver: "json-file"
      options:
        max-size: 100m
    environment:
    - ANCHORE_ENDPOINT_HOSTNAME=engine-simpleq
    - ANCHORE_DB_HOST=anchore-db
    - ANCHORE_DB_PASSWORD=mysecretpassword
    - ANCHORE_LOG_LEVEL=INFO
    command: ["anchore-manager", "service", "start", "simplequeue"]
  engine-policy-engine:
    image: anchore/anchore-engine:v0.6.1
    depends_on:
    - anchore-db
    - engine-catalog
    #volumes:
    #- ./config-engine.yaml:/config/config.yaml:z
    expose:
    - 8228
    logging:
      driver: "json-file"
      options:
        max-size: 100m
    environment:
    - ANCHORE_ENDPOINT_HOSTNAME=engine-policy-engine
    - ANCHORE_DB_HOST=anchore-db
    - ANCHORE_DB_PASSWORD=mysecretpassword
    - ANCHORE_LOG_LEVEL=INFO
    command: ["anchore-manager", "service", "start", "policy_engine"]
  engine-analyzer:
    image: anchore/anchore-engine:v0.6.1
    depends_on:
    - anchore-db
    - engine-catalog
    #volumes:
    #- ./config-engine.yaml:/config/config.yaml:z
    expose:
    - 8228
    logging:
      driver: "json-file"
      options:
        max-size: 100m
    environment:
    - ANCHORE_ENDPOINT_HOSTNAME=engine-analyzer
    - ANCHORE_DB_HOST=anchore-db
    - ANCHORE_DB_PASSWORD=mysecretpassword
    - ANCHORE_LOG_LEVEL=INFO
    volumes:
    - anchore-scratch:/analysis_scratch
    command: ["anchore-manager", "service", "start", "analyzer"]
  anchore-db:
    image: "anchore/engine-db-preload:latest"
    volumes:
    - anchore-db-volume:/var/lib/postgresql/data
    environment:
    - POSTGRES_PASSWORD=mysecretpassword
    expose:
    - 5432
    logging:
      driver: "json-file"
      options:
        max-size: 100m

# Uncomment this section to add a prometheus instance to gather metrics. This is mostly for quickstart to demonstrate prometheus metrics exported
#  anchore-prometheus:
#      image: docker.io/prom/prometheus:latest
#      depends_on:
#       - engine-api
#      volumes:
#       - ./anchore-prometheus.yml:/etc/prometheus/prometheus.yml:z
#      logging:
#       driver: "json-file"
#       options:
#        max-size: 100m
#      ports:
#       - "9090:9090"

# Uncomment this section to run a swagger UI service, for inspecting and interacting with the anchore engine API via a browser (http://localhost:8080 by default, change if needed in both sections below)
#  anchore-swagger-ui-nginx:
#    image: docker.io/nginx:latest
#    depends_on:
#     - engine-api
#     - anchore-swagger-ui
#    ports:
#     - "8080:8080"
#    volumes:
#     - ./anchore-swaggerui-nginx.conf:/etc/nginx/nginx.conf:z
#    logging:
#     driver: "json-file"
#     options:
#      max-size: 100m
#  anchore-swagger-ui:
#    image: docker.io/swaggerapi/swagger-ui
#    environment:
#      - URL=http://localhost:8080/v1/swagger.json
#    logging:
#     driver: "json-file"
#     options:
#      max-size: 100m

b) docker login

Log in to Docker so that the images can be pulled.

[root@ciserver anchoredir]# docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username (nara0617): nara0617
Password: 
Login Succeeded
[root@ciserver anchoredir]# 

c) docker-compose pull

Pull the images that docker-compose will use to build and start Anchore Engine.

[root@ciserver anchoredir]# docker-compose pull
Pulling anchore-db           ... done
Pulling engine-catalog       ... done
Pulling engine-analyzer      ... done
Pulling engine-policy-engine ... done
Pulling engine-simpleq       ... done
Pulling engine-api           ... done
[root@ciserver anchoredir]#

d) docker-compose up -d

Start Anchore Engine with docker-compose.

[root@ciserver anchoredir]# docker-compose up -d
Creating network "anchoredir_default" with the default driver
Creating anchoredir_anchore-db_1 ... done
Creating anchoredir_engine-catalog_1 ... done
Creating anchoredir_engine-api_1           ... done
Creating anchoredir_engine-simpleq_1       ... done
Creating anchoredir_engine-analyzer_1      ... done
Creating anchoredir_engine-policy-engine_1 ... done
[root@ciserver anchoredir]# 

e) docker-compose ps

Check that Anchore is up.

[root@ciserver anchoredir]# docker-compose ps
              Name                             Command                  State               Ports         
----------------------------------------------------------------------------------------------------------
anchoredir_anchore-db_1             docker-entrypoint.sh postgres    Up             5432/tcp              
anchoredir_engine-analyzer_1        /docker-entrypoint.sh anch ...   Up (healthy)   8228/tcp              
anchoredir_engine-api_1             /docker-entrypoint.sh anch ...   Up (healthy)   0.0.0.0:8228->8228/tcp
anchoredir_engine-catalog_1         /docker-entrypoint.sh anch ...   Up (healthy)   8228/tcp              
anchoredir_engine-policy-engine_1   /docker-entrypoint.sh anch ...   Up (healthy)   8228/tcp              
anchoredir_engine-simpleq_1         /docker-entrypoint.sh anch ...   Up (healthy)   8228/tcp              
[root@ciserver anchoredir]#
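As an added example (not from the original post or from the Anchore project), steps a) to e) above as one script: it downloads the quickstart docker-compose.yaml, pulls and starts the stack, then polls docker-compose ps until every service reports Up before returning, because the CLI commands in the next section fail while the analyzer is still passing its health check. The all_services_up helper and the two sample ps outputs are constructed for this example; the real bring-up runs only when ANCHORE_BRING_UP=1 is set, so the script can be loaded and its parser exercised without Docker.

```shell
#!/bin/sh
# Added example, not from the original post or the Anchore project:
# bring up the Anchore Engine quickstart stack (steps a-e) and wait until
# every service reports "Up" before handing over to anchore-cli.
set -eu

COMPOSE_URL="https://docs.anchore.com/current/docs/quickstart/docker-compose.yaml"

# Return 0 only when every service row of `docker-compose ps` output is Up
# (plain "Up" or "Up (healthy)"); rows that are exited, restarting, unhealthy
# or still "(health: starting)" make it return 1.  Pure text processing, so
# it can be checked against the sample outputs below without Docker.
all_services_up() {
    printf '%s\n' "$1" | awk '
        NR <= 2 { next }                              # header line and dashed rule
        NF == 0 { next }
        { total++ }
        / Up/ && !/\(health:/ && !/unhealthy/ { up++ }
        END { exit ((total > 0 && up == total) ? 0 : 1) }'
}

# Steps a) to e) of the post, followed by the readiness poll.
bring_up_engine() {
    curl -fsSL "$COMPOSE_URL" -o docker-compose.yaml
    docker-compose pull
    docker-compose up -d
    tries=0
    while [ "$tries" -lt 30 ]; do                     # up to about 5 minutes
        if all_services_up "$(docker-compose ps)"; then
            echo "Anchore Engine is up"
            return 0
        fi
        tries=$((tries + 1))
        sleep 10
    done
    echo "timed out waiting for Anchore Engine; current state:" >&2
    docker-compose ps >&2
    return 1
}

# Constructed sample outputs (modelled on the post's `docker-compose ps`).
SAMPLE_PS_READY='              Name                             Command                  State               Ports
----------------------------------------------------------------------------------------------------------
anchoredir_anchore-db_1             docker-entrypoint.sh postgres    Up             5432/tcp
anchoredir_engine-analyzer_1        /docker-entrypoint.sh anch ...   Up (healthy)   8228/tcp
anchoredir_engine-api_1             /docker-entrypoint.sh anch ...   Up (healthy)   0.0.0.0:8228->8228/tcp
anchoredir_engine-catalog_1         /docker-entrypoint.sh anch ...   Up (healthy)   8228/tcp
anchoredir_engine-policy-engine_1   /docker-entrypoint.sh anch ...   Up (healthy)   8228/tcp
anchoredir_engine-simpleq_1         /docker-entrypoint.sh anch ...   Up (healthy)   8228/tcp'

# Same stack a few seconds after `up -d`: the analyzer has not passed its
# health check yet and the policy engine has exited.
SAMPLE_PS_STARTING='              Name                             Command                  State                   Ports
----------------------------------------------------------------------------------------------------------
anchoredir_anchore-db_1             docker-entrypoint.sh postgres    Up                      5432/tcp
anchoredir_engine-analyzer_1        /docker-entrypoint.sh anch ...   Up (health: starting)   8228/tcp
anchoredir_engine-api_1             /docker-entrypoint.sh anch ...   Up (healthy)            0.0.0.0:8228->8228/tcp
anchoredir_engine-policy-engine_1   /docker-entrypoint.sh anch ...   Exit 1'

# Only touch Docker when explicitly asked, so the parser above can be tested alone.
if [ "${ANCHORE_BRING_UP:-0}" = "1" ]; then
    bring_up_engine
fi
```

Two things in the compose file above deserve attention before this is run anywhere other than a throwaway quickstart host: ANCHORE_DB_PASSWORD and POSTGRES_PASSWORD are hard-coded to mysecretpassword in every service and should be changed consistently, and the engine-api service publishes port 8228 on all interfaces (0.0.0.0:8228->8228/tcp in the ps output), so the API is reachable from the network, not just from the host.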

2) Anchore CLI: the CLI tool that sends commands to Anchore

a) yum install -y epel-release
b) yum install -y python-pip
c) pip install --user --upgrade anchorecli

d) Register the anchorecli path

Anchore CLI is easily installed with pip, and the Python user package base it is installed under can be found with python -m site --user-base.

[root@ciserver ~]# python -m site --user-base
/root/.local
[root@ciserver ~]# cd /root/.local/bin
[root@ciserver bin]# ls
anchore-cli  chardetect
[root@ciserver bin]#

Add anchore-cli to the PATH in your profile, then use it.

Anchore Vulnerability Checks

1) anchore-cli system status

Check that the Anchore engine is up.

[root@ciserver bin]# anchore-cli system status
Service analyzer (anchore-quickstart, http://engine-analyzer:8228): up
Service simplequeue (anchore-quickstart, http://engine-simpleq:8228): up
Service policy_engine (anchore-quickstart, http://engine-policy-engine:8228): up
Service apiext (anchore-quickstart, http://engine-api:8228): up
Service catalog (anchore-quickstart, http://engine-catalog:8228): up

Engine DB Version: 0.0.12
Engine Code Version: 0.6.1

[root@ciserver bin]#

2) anchore-cli --debug image list

Check the analysis status of the images.

[root@ciserver bin]# anchore-cli --debug image list
DEBUG:anchorecli.clients.apiexternal:As Account = None
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:8228
DEBUG:urllib3.connectionpool:http://localhost:8228 "GET /v1 HTTP/1.1" 200 5
INFO:anchorecli.clients.apiexternal:Base = http://localhost:8228/v1
INFO:anchorecli.clients.apiexternal:Url = http://localhost:8228/v1/images
DEBUG:anchorecli.clients.apiexternal:As Account = None
DEBUG:anchorecli.clients.apiexternal:GET url=http://localhost:8228/v1/images
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:8228
DEBUG:urllib3.connectionpool:http://localhost:8228 "GET /v1/images HTTP/1.1" 200 5452
DEBUG:anchorecli.cli.utils:fetched httpcode from response: 200
Full Tag                                     Image Digest                                                                   Analysis Status        
docker.io/library/debian:7                   sha256:81e88820a7759038ffa61cff59dfcc12d3772c3a2e75b7cfe963c952da2ad264        analyzed               
docker.io/nara0617/tomcat:tomcat8jdk8        sha256:6a788c1f53affee24683006dd621359c2a7e7bdb7c120657840795ccd6b06dd1        analyzed               
[root@ciserver bin]#

This lists the images analyzed so far.

3) anchore-cli system feeds list

List the vulnerability feeds to see which distributions and ecosystems are supported, and whether the feed data can be relied on for a check (note the LastSync time and RecordCount).

[root@ciserver bin]# anchore-cli system feeds list
Feed                   Group                  LastSync                          RecordCount        
github                 github:composer        2020-05-29T09:16:45.667941        94                 
github                 github:gem             2020-05-29T09:16:45.247752        346                
github                 github:java            2020-05-29T09:16:46.043835        469                
github                 github:npm             2020-05-29T09:16:46.413560        684                
github                 github:nuget           2020-05-29T09:16:46.845269        52                 
github                 github:python          2020-05-29T09:16:47.229427        267                
nvdv2                  nvdv2:cves             2020-05-29T09:11:36.067076        144415             
vulnerabilities        alpine:3.10            2020-05-29T09:11:28.471974        1725               
vulnerabilities        alpine:3.11            2020-05-29T09:11:33.005760        1904               
vulnerabilities        alpine:3.3             2020-05-29T09:11:26.348034        457                
vulnerabilities        alpine:3.4             2020-05-29T09:11:27.652503        681                
vulnerabilities        alpine:3.5             2020-05-29T09:11:25.919652        875                
vulnerabilities        alpine:3.6             2020-05-29T09:11:21.816577        1051               
vulnerabilities        alpine:3.7             2020-05-29T09:11:25.511945        1395               
vulnerabilities        alpine:3.8             2020-05-29T09:11:17.207841        1486               
vulnerabilities        alpine:3.9             2020-05-29T09:11:18.588787        1558               
vulnerabilities        amzn:2                 2020-05-29T09:11:31.792406        351                
vulnerabilities        centos:5               2020-05-29T09:11:24.302577        1347               
vulnerabilities        centos:6               2020-05-29T09:11:30.442972        1407               
vulnerabilities        centos:7               2020-05-29T09:11:33.818200        1072               
vulnerabilities        centos:8               2020-05-29T09:11:28.812623        283                
vulnerabilities        debian:10              2020-05-29T09:11:21.023918        22827              
vulnerabilities        debian:11              2020-05-29T09:11:16.432998        19969              
vulnerabilities        debian:7               2020-05-29T09:11:17.633413        20455              
vulnerabilities        debian:8               2020-05-29T09:11:26.699205        23835              
vulnerabilities        debian:9               2020-05-29T09:11:32.188176        22909              
vulnerabilities        debian:unstable        2020-05-29T09:11:19.602533        24209              
vulnerabilities        ol:5                   2020-05-29T09:11:33.428728        1246               
vulnerabilities        ol:6                   2020-05-29T09:11:18.177987        1518               
vulnerabilities        ol:7                   2020-05-29T09:11:30.834957        1195               
vulnerabilities        ol:8                   2020-05-29T09:11:12.251008        185                
vulnerabilities        rhel:5                 2020-05-29T09:11:31.319580        7237               
vulnerabilities        rhel:6                 2020-05-29T09:11:11.268421        6859               
vulnerabilities        rhel:7                 2020-05-29T09:11:20.496573        5894               
vulnerabilities        rhel:8                 2020-05-29T09:11:14.691825        1481               
vulnerabilities        ubuntu:12.04           2020-05-29T09:11:34.930159        14948              
vulnerabilities        ubuntu:12.10           2020-05-29T09:11:34.432379        5652               
vulnerabilities        ubuntu:13.04           2020-05-29T09:11:23.756474        4127               
vulnerabilities        ubuntu:14.04           2020-05-29T09:11:15.149093        21762              
vulnerabilities        ubuntu:14.10           2020-05-29T09:11:22.224782        4456               
vulnerabilities        ubuntu:15.04           2020-05-29T09:11:19.013452        5912               
vulnerabilities        ubuntu:15.10           2020-05-29T09:11:11.760582        6513               
vulnerabilities        ubuntu:16.04           2020-05-29T09:11:22.745811        18874              
vulnerabilities        ubuntu:16.10           2020-05-29T09:11:29.418110        8647               
vulnerabilities        ubuntu:17.04           2020-05-29T09:11:15.895332        9157               
vulnerabilities        ubuntu:17.10           2020-05-29T09:11:29.925688        7941               
vulnerabilities        ubuntu:18.04           2020-05-29T09:11:12.654832        13133              
vulnerabilities        ubuntu:18.10           2020-05-29T09:11:28.050062        8397               
vulnerabilities        ubuntu:19.04           2020-05-29T09:11:35.456199        8664               
vulnerabilities        ubuntu:19.10           2020-05-29T09:11:13.761818        7917               
vulnerabilities        ubuntu:20.04           2020-05-29T09:11:24.659772        6960               

[root@ciserver bin]#

4) Image vulnerability analysis

Check an image in the image repository for vulnerabilities.

[root@ciserver anchoredir]# anchore-cli image add docker.io/library/debian:7
Image Digest: sha256:81e88820a7759038ffa61cff59dfcc12d3772c3a2e75b7cfe963c952da2ad264
Parent Digest: sha256:2259b099d947443e44bbd1c94967c785361af8fd22df48a08a3942e2d5630849
Analysis Status: analyzed
Image Type: docker
Analyzed At: 2020-05-30T09:06:01Z
Image ID: 10fcec6d95c4a29f49fa388ed39cded37e63a1532a081ae2386193942fc12e21
Dockerfile Mode: Guessed
Distro: debian
Distro Version: 7
Size: 100884480
Architecture: amd64
Layer Count: 1

Full Tag: docker.io/library/debian:7
Tag Detected At: 2020-05-30T09:04:46Z

[root@ciserver anchoredir]# anchore-cli image content docker.io/library/debian:7   
os: available
files: available
npm: available
gem: available
python: available
java: available
[root@ciserver anchoredir]# anchore-cli image content docker.io/library/debian:7 os
Package                       Version                      License                                                                                                                                                                                                                           
apt                           0.9.7.9+deb7u7               GPLv2+                                                                                                                                                                                                                            
base-files                    7.1wheezy11                  Unknown                                                                                                                                                                                                                           
base-passwd                   3.5.26                       GPL-2 PD                                                                                                                                                                                                                          
bash                          4.2+dfsg-0.1+deb7u4          Unknown                                                                                                                                                                                                                           
bsdutils                      1:2.20.1-5.3                 Unknown                                                                                                                                                                                                                           
coreutils                     8.13-3.5                     Unknown                                                                                                                                                                                                                           
dash                          0.5.7-3                      Unknown                                                                                                                                                                                                                           
debconf                       1.5.49                       BSD-2-clause                                                                                                                                                                                                                      
debconf-i18n                  1.5.49                       BSD-2-clause                                                                                                                                                                                                                      
debian-archive-keyring        2014.3~deb7u1                Unknown                                                                                                                                                                                                                           
debianutils                   4.3.2                        Unknown                                                                                                                                                                                                                           
diffutils                     1:3.2-6                      Unknown                                                                                                                                                                                                                           
dpkg                          1.16.18                      Unknown                                                                                                                                                                                                                           
e2fslibs                      1.42.5-1.1+deb7u1            Unknown                                                                                                                                                                                                                           
e2fsprogs                     1.42.5-1.1+deb7u1            Unknown                                                                                                                                                                                                                           
findutils                     4.4.2-4                      Unknown                                                                                                                                                                                                                           
gcc-4.7-base                  4.7.2-5                      Unknown                                                                                                                                                                                                                           
gnupg                         1.4.12-7+deb7u9              GPL-3+                                                                                                                                                                                                                            
gpgv                          1.4.12-7+deb7u9              GPL-3+                                                                                                                                                                                                                            
grep                          2.12-2                       Unknown                                                                                                                                                                                                                           
gzip                          1.5-1.1                      Unknown                                                                                                                                                                                                                           
hostname                      3.11                         Unknown                                                                                                                                                                                                                           
initscripts                   2.88dsf-41+deb7u1            Unknown                                                                                                                                                                                                                           
insserv                       1.14.0-5                     Unknown                                                                                                                                                                                                                           
iproute                       20120521-3+b3                Unknown                                                                                                                                                                                                                           
iputils-ping                  3:20101006-1+b1              Unknown                                                                                                                                                                                                                           
libacl1                       2.2.51-8                     Unknown                                                                                                                                                                                                                           
libapt-pkg4.12                0.9.7.9+deb7u7               GPLv2+                                                                                                                                                                                                                            
libattr1                      1:2.4.46-8                   Unknown                                                                                                                                                                                                                           
libblkid1                     2.20.1-5.3                   Unknown                                                                                                                                                                                                                           
libbz2-1.0                    1.0.6-4                      Unknown                                                                                                                                                                                                                           
libc-bin                      2.13-38+deb7u12              Unknown                                                                                                                                                                                                                           
libc6                         2.13-38+deb7u12              Unknown                                                                                                                                                                                                                           
libcomerr2                    1.42.5-1.1+deb7u1            Unknown                                                                                                                                                                                                                           
libdb5.1                      5.1.29-5+deb7u1              Unknown                                                                                                                                                                                                                           
libgcc1                       1:4.7.2-5                    Unknown                                                                                                                                                                                                                           
liblocale-gettext-perl        1.05-7+b1                    Artistic GPL-1+                                                                                                                                                                                                                   
liblzma5                      5.1.1alpha+20120614-2        PD probably-PD GPL-2+ LGPL-2.1+ permissive-fsf Autoconf GPL-2 none permissive-nowarranty config-h noderivs PD-debian                                                                                                              
libmount1                     2.20.1-5.3                   Unknown                                                                                                                                                                                                                           
libncurses5                   5.9-10                       Unknown                                                                                                                                                                                                                           
libpam-modules                1.1.3-7.1                    Unknown                                                                                                                                                                                                                           
libpam-modules-bin            1.1.3-7.1                    Unknown                                                                                                                                                                                                                           
libpam-runtime                1.1.3-7.1                    Unknown                                                                                                                                                                                                                           
libpam0g                      1.1.3-7.1                    Unknown                                                                                                                                                                                                                           
libreadline6                  6.2+dfsg-0.1                 Unknown                                                                                                                                                                                                                           
libselinux1                   2.1.9-5                      Unknown                                                                                                                                                                                                                           
libsemanage-common            2.1.6-6                      Unknown                                                                                                                                                                                                                           
libsemanage1                  2.1.6-6                      Unknown                                                                                                                                                                                                                           
libsepol1                     2.1.4-3                      Unknown                                                                                                                                                                                                                           
libslang2                     2.2.4-15                     GPL-2+                                                                                                                                                                                                                            
libss2                        1.42.5-1.1+deb7u1            Unknown                                                                                                                                                                                                                           
libssl1.0.0                   1.0.1t-1+deb7u4              Unknown                                                                                                                                                                                                                           
libstdc++6                    4.7.2-5                      Unknown                                                                                                                                                                                                                           
libtext-charwidth-perl        0.04-7+b1                    Unknown                                                                                                                                                                                                                           
libtext-iconv-perl            1.7-5                        Unknown                                                                                                                                                                                                                           
libtext-wrapi18n-perl         0.06-7                       Unknown                                                                                                                                                                                                                           
libtinfo5                     5.9-10                       Unknown                                                                                                                                                                                                                           
libusb-0.1-4                  2:0.1.12-20+nmu1             Unknown                                                                                                                                                                                                                           
libustr-1.0-1                 1.0.4-3                      LGPL-2+ GPL-2+ BSD-2-clause MIT                                                                                                                                                                                                   
libuuid1                      2.20.1-5.3                   Unknown                                                                                                                                                                                                                           
login                         1:4.1.5.1-1+deb7u1           Unknown                                                                                                                                                                                                                           
lsb-base                      4.1+Debian8+deb7u1           GPL-2 BSD-3-clause                                                                                                                                                                                                                
mawk                          1.3.3-17                     Unknown                                                                                                                                                                                                                           
mount                         2.20.1-5.3                   Unknown                                                                                                                                                                                                                           
multiarch-support             2.13-38+deb7u12              Unknown                                                                                                                                                                                                                           
ncurses-base                  5.9-10                       Unknown                                                                                                                                                                                                                           
ncurses-bin                   5.9-10                       Unknown                                                                                                                                                                                                                           
passwd                        1:4.1.5.1-1+deb7u1           Unknown                                                                                                                                                                                                                           
perl-base                     5.14.2-21+deb7u6             GPL-1+ Expat REGCOMP, Unicode Artistic S2P BZIP ZLIB GPL-2+ BSD-4-clause TEXT-SOUNDEX TEXT-TABS BSD-3-clause SDBM-PUBLIC-DOMAIN PERLDOCS DONT-CHANGE-THE-GPL Artistic-2 BSD-4-clause-POWERDOG BSD-3-clause-GENERIC REGCOMP        
readline-common               6.2+dfsg-0.1                 Unknown                                                                                                                                                                                                                           
sed                           4.2.1-10                     Unknown                                                                                                                                                                                                                           
sensible-utils                0.0.7+deb7u1                 Unknown                                                                                                                                                                                                                           
sysv-rc                       2.88dsf-41+deb7u1            Unknown                                                                                                                                                                                                                           
sysvinit                      2.88dsf-41+deb7u1            Unknown                                                                                                                                                                                                                           
sysvinit-utils                2.88dsf-41+deb7u1            Unknown                                                                                                                                                                                                                           
tar                           1.26+dfsg-0.1+deb7u1         Unknown                                                                                                                                                                                                                           
tzdata                        2018e-0+deb7u1               Unknown                                                                                                                                                                                                                           
util-linux                    2.20.1-5.3                   Unknown                                                                                                                                                                                                                           
xz-utils                      5.1.1alpha+20120614-2        PD probably-PD GPL-2+ LGPL-2.1+ permissive-fsf Autoconf GPL-2 none permissive-nowarranty config-h noderivs PD-debian                                                                                                              
zlib1g                        1:1.2.7.dfsg-13              Unknown                                                                                                                                                                                                                           
[root@ciserver anchoredir]# anchore-cli image vuln docker.io/library/debian:7 all
Vulnerability ID        Package                                  Severity          Fix         CVE Refs              Vulnerability URL                                                 Type        Feed Group        Package Path        
CVE-2005-2541           tar-1.26+dfsg-0.1+deb7u1                 Negligible        None        CVE-2005-2541         https://security-tracker.debian.org/tracker/CVE-2005-2541         dpkg        debian:7          None                
CVE-2007-5686           login-1:4.1.5.1-1+deb7u1                 Negligible        None        CVE-2007-5686         https://security-tracker.debian.org/tracker/CVE-2007-5686         dpkg        debian:7          None                
CVE-2007-5686           passwd-1:4.1.5.1-1+deb7u1                Negligible        None        CVE-2007-5686         https://security-tracker.debian.org/tracker/CVE-2007-5686         dpkg        debian:7          None                
CVE-2007-6755           libssl1.0.0-1.0.1t-1+deb7u4              Negligible        None        CVE-2007-6755         https://security-tracker.debian.org/tracker/CVE-2007-6755         dpkg        debian:7          None                
CVE-2010-0928           libssl1.0.0-1.0.1t-1+deb7u4              Negligible        None        CVE-2010-0928         https://security-tracker.debian.org/tracker/CVE-2010-0928         dpkg        debian:7          None                
CVE-2010-3192           libc-bin-2.13-38+deb7u12                 Negligible        None        CVE-2010-3192         https://security-tracker.debian.org/tracker/CVE-2010-3192         dpkg        debian:7          None                
CVE-2010-3192           libc6-2.13-38+deb7u12                    Negligible        None        CVE-2010-3192         https://security-tracker.debian.org/tracker/CVE-2010-3192         dpkg        debian:7          None                
CVE-2010-3192           multiarch-support-2.13-38+deb7u12        Negligible        None        CVE-2010-3192         https://security-tracker.debian.org/tracker/CVE-2010-3192         dpkg        debian:7          None                
CVE-2010-4051           libc-bin-2.13-38+deb7u12                 Negligible        None        CVE-2010-4051         https://security-tracker.debian.org/tracker/CVE-2010-4051         dpkg        debian:7          None                
CVE-2010-4051           libc6-2.13-38+deb7u12                    Negligible        None        CVE-2010-4051         https://security-tracker.debian.org/tracker/CVE-2010-4051         dpkg        debian:7          None                
CVE-2010-4051           multiarch-support-2.13-38+deb7u12        Negligible        None        CVE-2010-4051         https://security-tracker.debian.org/tracker/CVE-2010-4051         dpkg        debian:7          None                
CVE-2010-4052           libc-bin-2.13-38+deb7u12                 Negligible        None        CVE-2010-4052         https://security-tracker.debian.org/tracker/CVE-2010-4052         dpkg        debian:7          None                
CVE-2010-4052           libc6-2.13-38+deb7u12                    Negligible        None        CVE-2010-4052         https://security-tracker.debian.org/tracker/CVE-2010-4052         dpkg        debian:7          None                
CVE-2010-4052           multiarch-support-2.13-38+deb7u12        Negligible        None        CVE-2010-4052         https://security-tracker.debian.org/tracker/CVE-2010-4052         dpkg        debian:7          None                
CVE-2010-4756           libc-bin-2.13-38+deb7u12                 Negligible        None        CVE-2010-4756         https://security-tracker.debian.org/tracker/CVE-2010-4756         dpkg        debian:7          None                
CVE-2010-4756           libc6-2.13-38+deb7u12                    Negligible        None        CVE-2010-4756         https://security-tracker.debian.org/tracker/CVE-2010-4756         dpkg        debian:7          None                
CVE-2010-4756           multiarch-support-2.13-38+deb7u12        Negligible        None        CVE-2010-4756         https://security-tracker.debian.org/tracker/CVE-2010-4756         dpkg        debian:7          None                
CVE-2010-4777           perl-base-5.14.2-21+deb7u6               Negligible        None        CVE-2010-4777         https://security-tracker.debian.org/tracker/CVE-2010-4777         dpkg        debian:7          None                
CVE-2011-3374           apt-0.9.7.9+deb7u7                       Negligible        None        CVE-2011-3374         https://security-tracker.debian.org/tracker/CVE-2011-3374         dpkg        debian:7          None                
CVE-2011-3374           libapt-pkg4.12-0.9.7.9+deb7u7            Negligible        None        CVE-2011-3374         https://security-tracker.debian.org/tracker/CVE-2011-3374         dpkg        debian:7          None                
CVE-2011-4116           perl-base-5.14.2-21+deb7u6               Negligible        None        CVE-2011-4116         https://security-tracker.debian.org/tracker/CVE-2011-4116         dpkg        debian:7          None                
CVE-2013-4235           login-1:4.1.5.1-1+deb7u1                 Negligible        None        CVE-2013-4235         https://security-tracker.debian.org/tracker/CVE-2013-4235         dpkg        debian:7          None                
CVE-2013-4235           passwd-1:4.1.5.1-1+deb7u1                Negligible        None        CVE-2013-4235         https://security-tracker.debian.org/tracker/CVE-2013-4235         dpkg        debian:7          None                
CVE-2015-5218           libblkid1-2.20.1-5.3                     Negligible        None        CVE-2015-5218         https://security-tracker.debian.org/tracker/CVE-2015-5218         dpkg        debian:7          None                
CVE-2015-5218           libmount1-2.20.1-5.3                     Negligible        None        CVE-2015-5218         https://security-tracker.debian.org/tracker/CVE-2015-5218         dpkg        debian:7          None                
CVE-2015-5218           libuuid1-2.20.1-5.3                      Negligible        None        CVE-2015-5218         https://security-tracker.debian.org/tracker/CVE-2015-5218         dpkg        debian:7          None                
CVE-2015-5218           mount-2.20.1-5.3                         Negligible        None        CVE-2015-5218         https://security-tracker.debian.org/tracker/CVE-2015-5218         dpkg        debian:7          None                
CVE-2015-5218           util-linux-2.20.1-5.3                    Negligible        None        CVE-2015-5218         https://security-tracker.debian.org/tracker/CVE-2015-5218         dpkg        debian:7          None                
CVE-2015-5224           libblkid1-2.20.1-5.3                     Negligible        None        CVE-2015-5224         https://security-tracker.debian.org/tracker/CVE-2015-5224         dpkg        debian:7          None                
CVE-2015-5224           libmount1-2.20.1-5.3                     Negligible        None        CVE-2015-5224         https://security-tracker.debian.org/tracker/CVE-2015-5224         dpkg        debian:7          None                
CVE-2015-5224           libuuid1-2.20.1-5.3                      Negligible        None        CVE-2015-5224         https://security-tracker.debian.org/tracker/CVE-2015-5224         dpkg        debian:7          None                
CVE-2015-5224           mount-2.20.1-5.3                         Negligible        None        CVE-2015-5224         https://security-tracker.debian.org/tracker/CVE-2015-5224         dpkg        debian:7          None                
CVE-2015-5224           util-linux-2.20.1-5.3                    Negligible        None        CVE-2015-5224         https://security-tracker.debian.org/tracker/CVE-2015-5224         dpkg        debian:7          None                
CVE-2016-0634           bash-4.2+dfsg-0.1+deb7u4                 Negligible        None        CVE-2016-0634         https://security-tracker.debian.org/tracker/CVE-2016-0634         dpkg        debian:7          None                
CVE-2017-18018          coreutils-8.13-3.5                       Negligible        None        CVE-2017-18018        https://security-tracker.debian.org/tracker/CVE-2017-18018        dpkg        debian:7          None                
CVE-2017-2616           coreutils-8.13-3.5                       Negligible        None        CVE-2017-2616         https://security-tracker.debian.org/tracker/CVE-2017-2616         dpkg        debian:7          None                
CVE-2017-2616           libblkid1-2.20.1-5.3                     Negligible        None        CVE-2017-2616         https://security-tracker.debian.org/tracker/CVE-2017-2616         dpkg        debian:7          None                
CVE-2017-2616           libmount1-2.20.1-5.3                     Negligible        None        CVE-2017-2616         https://security-tracker.debian.org/tracker/CVE-2017-2616         dpkg        debian:7          None                
CVE-2017-2616           libuuid1-2.20.1-5.3                      Negligible        None        CVE-2017-2616         https://security-tracker.debian.org/tracker/CVE-2017-2616         dpkg        debian:7          None                
CVE-2017-2616           mount-2.20.1-5.3                         Negligible        None        CVE-2017-2616         https://security-tracker.debian.org/tracker/CVE-2017-2616         dpkg        debian:7          None                
CVE-2017-2616           util-linux-2.20.1-5.3                    Negligible        None        CVE-2017-2616         https://security-tracker.debian.org/tracker/CVE-2017-2616         dpkg        debian:7          None                
CVE-2017-8283           dpkg-1.16.18                             Negligible        None        CVE-2017-8283         https://security-tracker.debian.org/tracker/CVE-2017-8283         dpkg        debian:7          None                
CVE-2018-6829           gnupg-1.4.12-7+deb7u9                    Negligible        None        CVE-2018-6829         https://security-tracker.debian.org/tracker/CVE-2018-6829         dpkg        debian:7          None                
CVE-2018-6829           gpgv-1.4.12-7+deb7u9                     Negligible        None        CVE-2018-6829         https://security-tracker.debian.org/tracker/CVE-2018-6829         dpkg        debian:7          None                
CVE-2018-11236          libc-bin-2.13-38+deb7u12                 Unknown           None        CVE-2018-11236        https://security-tracker.debian.org/tracker/CVE-2018-11236        dpkg        debian:7          None                
CVE-2018-11236          libc6-2.13-38+deb7u12                    Unknown           None        CVE-2018-11236        https://security-tracker.debian.org/tracker/CVE-2018-11236        dpkg        debian:7          None                
CVE-2018-11236          multiarch-support-2.13-38+deb7u12        Unknown           None        CVE-2018-11236        https://security-tracker.debian.org/tracker/CVE-2018-11236        dpkg        debian:7          None                
CVE-2018-11237          libc-bin-2.13-38+deb7u12                 Unknown           None        CVE-2018-11237        https://security-tracker.debian.org/tracker/CVE-2018-11237        dpkg        debian:7          None                
CVE-2018-11237          libc6-2.13-38+deb7u12                    Unknown           None        CVE-2018-11237        https://security-tracker.debian.org/tracker/CVE-2018-11237        dpkg        debian:7          None                
CVE-2018-11237          multiarch-support-2.13-38+deb7u12        Unknown           None        CVE-2018-11237        https://security-tracker.debian.org/tracker/CVE-2018-11237        dpkg        debian:7          None                
[root@ciserver anchoredir]# anchore-cli evaluate check docker.io/library/debian:7
Image Digest: sha256:81e88820a7759038ffa61cff59dfcc12d3772c3a2e75b7cfe963c952da2ad264
Full Tag: docker.io/library/debian:7
Status: pass
Last Eval: 2020-05-30T14:07:38Z
Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060

[root@ciserver anchoredir]#

# Key commands


- anchore-cli image add docker.io/library/debian:7

Adds the image whose vulnerabilities are to be checked.

- anchore-cli image content docker.io/library/debian:7

Lists the content types the image contains.

- anchore-cli image content docker.io/library/debian:7 os

Shows the detailed listing for one content type, here `os` (the OS packages).

- anchore-cli image vuln docker.io/library/debian:7 all

Shows the vulnerability results. Each CVE-xxx entry is a vulnerable item found by the scan, and the Vulnerability URL column links to its details.

- anchore-cli evaluate check docker.io/library/debian:7

Evaluates the image scan result against the policy.


With the steps above, an image's vulnerabilities can be checked.

The image above is a DockerHub official image; it had only Negligible and Unknown findings, so the Status came out as pass.
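As an added example (not code from this post or from the Anchore project), the script below parses the `anchore-cli image vuln <image> all` table shown above and applies a simple severity gate to it, using abridged rows from the two scans on this page as constructed sample input. The gate threshold and the collapsing of rows onto (CVE, package) pairs are assumptions for illustration, not Anchore's own policy logic.

```python
"""Summarise `anchore-cli image vuln <image> all` output and apply a severity gate.

Added example, not Anchore's code. The CLI prints a whitespace-padded table of
9 columns with no spaces inside a value, so splitting on whitespace is enough.
The gate rule below is an assumption, not Anchore's default policy bundle.
"""
from collections import Counter
from dataclasses import dataclass

# Anchore severity labels from least to most severe. Ranking "Unknown" lowest
# (the feed simply had no rating) is an assumption made for this example.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2,
                 "Medium": 3, "High": 4, "Critical": 5}


@dataclass(frozen=True)
class Finding:
    vuln_id: str      # e.g. CVE-2020-1938
    package: str      # name-version as printed, e.g. tomcat-8.5.45
    severity: str
    fix: str          # fixed version, or the literal "None"
    cve_refs: str
    url: str
    pkg_type: str     # dpkg, java, python, ...
    feed_group: str   # debian:7, nvdv2:cves, ...
    path: str         # file path for non-OS matches, "None" for OS packages


def parse_vuln_table(text):
    """Turn the CLI table into Finding objects, skipping prompt and header lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Vulnerability ID") or line.startswith("["):
            continue  # blank line, column header, or an echoed shell prompt
        fields = line.split()
        if len(fields) != 9:
            raise ValueError(f"expected 9 columns, got {len(fields)}: {line!r}")
        finding = Finding(*fields)
        if finding.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {finding.severity!r} in {line!r}")
        findings.append(finding)
    return findings


def distinct_issues(findings):
    """Map (vuln_id, package) -> severity. Anchore prints one row per matched
    file (CVE-2020-1938 once per Tomcat jar), so this counts issues to fix."""
    return {(f.vuln_id, f.package): f.severity for f in findings}


def severity_counts(findings):
    """Number of distinct issues per severity label."""
    return Counter(distinct_issues(findings).values())


def affected_paths(findings, vuln_id):
    """Sorted file paths the scanner attributed to one vulnerability."""
    return sorted({f.path for f in findings if f.vuln_id == vuln_id and f.path != "None"})


def gate(findings, fail_at="High"):
    """Return ('pass' | 'fail', blocking issues). Assumed rule: any distinct
    issue at or above fail_at blocks, whether or not a fix exists (every row
    on this page has Fix = None, so gating on fix availability would pass all)."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = sorted(key for key, sev in distinct_issues(findings).items()
                      if SEVERITY_RANK[sev] >= threshold)
    return ("fail" if blocking else "pass"), blocking


# Constructed sample input: abridged rows copied from the two scans on this page.
DEBIAN7_OUTPUT = """\
[root@ciserver anchoredir]# anchore-cli image vuln docker.io/library/debian:7 all
Vulnerability ID  Package  Severity  Fix  CVE Refs  Vulnerability URL  Type  Feed Group  Package Path
CVE-2005-2541   tar-1.26+dfsg-0.1+deb7u1   Negligible  None  CVE-2005-2541   https://security-tracker.debian.org/tracker/CVE-2005-2541   dpkg  debian:7  None
CVE-2016-0634   bash-4.2+dfsg-0.1+deb7u4   Negligible  None  CVE-2016-0634   https://security-tracker.debian.org/tracker/CVE-2016-0634   dpkg  debian:7  None
CVE-2018-11236  libc6-2.13-38+deb7u12      Unknown     None  CVE-2018-11236  https://security-tracker.debian.org/tracker/CVE-2018-11236  dpkg  debian:7  None
"""

TOMCAT_OUTPUT = """\
Vulnerability ID  Package  Severity  Fix  CVE Refs  Vulnerability URL  Type  Feed Group  Package Path
CVE-2014-4650   Python-2.7.5   Critical  None  CVE-2014-4650   https://nvd.nist.gov/vuln/detail/CVE-2014-4650   python  nvdv2:cves  /usr/lib64/python2.7/lib-dynload/Python
CVE-2020-1938   tomcat-8.5.45  Critical  None  CVE-2020-1938   https://nvd.nist.gov/vuln/detail/CVE-2020-1938   java    nvdv2:cves  /opt/tomcat/lib/tomcat-coyote.jar
CVE-2020-1938   tomcat-8.5.45  Critical  None  CVE-2020-1938   https://nvd.nist.gov/vuln/detail/CVE-2020-1938   java    nvdv2:cves  /opt/tomcat/lib/tomcat-util.jar
CVE-2019-12418  tomcat-8.5.45  High      None  CVE-2019-12418  https://nvd.nist.gov/vuln/detail/CVE-2019-12418  java    nvdv2:cves  /opt/tomcat/lib/tomcat-coyote.jar
"""


def report(text, fail_at="High"):
    """Print a human-readable summary and return the gate status for scripting."""
    findings = parse_vuln_table(text)
    status, blocking = gate(findings, fail_at)
    print(f"{len(findings)} rows, {len(distinct_issues(findings))} distinct issues: "
          f"{dict(severity_counts(findings))}")
    for vuln_id, package in blocking:
        print(f"  BLOCK {vuln_id} in {package}: {affected_paths(findings, vuln_id) or 'OS package'}")
    print(f"gate ({fail_at} and above): {status}")
    return status


if __name__ == "__main__":
    report(DEBIAN7_OUTPUT)  # pass: only Negligible/Unknown, as on this page
    report(TOMCAT_OUTPUT)   # fail: Critical/High findings in Python and Tomcat
```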

The next scan results come from running the same checks against a newly created custom image, tomcat:tomcat8jdk8.

[root@ciserver anchoredir]# anchore-cli image add docker.io/nara0617/tomcat:tomcat8jdk8                      
Image Digest: sha256:6a788c1f53affee24683006dd621359c2a7e7bdb7c120657840795ccd6b06dd1
Parent Digest: sha256:6a788c1f53affee24683006dd621359c2a7e7bdb7c120657840795ccd6b06dd1
Analysis Status: analyzed
Image Type: docker
Analyzed At: 2020-05-30T09:14:55Z
Image ID: c166235e31c775f66da0fcd0dd24317d3790a2c5b7033af2f2282b1604619e91
Dockerfile Mode: Guessed
Distro: centos
Distro Version: 7
Size: 826429440
Architecture: amd64
Layer Count: 9

Full Tag: docker.io/nara0617/tomcat:tomcat8jdk8
Tag Detected At: 2020-05-30T09:11:02Z


[root@ciserver anchoredir]# anchore-cli image content docker.io/nara0617/tomcat:tomcat8jdk8
os: available
files: available
npm: available
gem: available
python: available
java: available


[root@ciserver anchoredir]# anchore-cli image vuln docker.io/nara0617/tomcat:tomcat8jdk8 all
Vulnerability ID        Package                                   Severity        Fix                         CVE Refs                Vulnerability URL                                            Type          Feed Group        Package Path                                   
CVE-2014-4650           Python-2.7.5                              Critical        None                        CVE-2014-4650           https://nvd.nist.gov/vuln/detail/CVE-2014-4650               python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2016-5636           Python-2.7.5                              Critical        None                        CVE-2016-5636           https://nvd.nist.gov/vuln/detail/CVE-2016-5636               python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2017-1000158        Python-2.7.5                              Critical        None                        CVE-2017-1000158        https://nvd.nist.gov/vuln/detail/CVE-2017-1000158            python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2019-9636           Python-2.7.5                              Critical        None                        CVE-2019-9636           https://nvd.nist.gov/vuln/detail/CVE-2019-9636               python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2020-1938           tomcat-8.5.45                             Critical        None                        CVE-2020-1938           https://nvd.nist.gov/vuln/detail/CVE-2020-1938               java          nvdv2:cves        /opt/tomcat/bin/tomcat-juli.jar                
CVE-2020-1938           tomcat-8.5.45                             Critical        None                        CVE-2020-1938           https://nvd.nist.gov/vuln/detail/CVE-2020-1938               java          nvdv2:cves        /opt/tomcat/lib/tomcat-api.jar                 
CVE-2020-1938           tomcat-8.5.45                             Critical        None                        CVE-2020-1938           https://nvd.nist.gov/vuln/detail/CVE-2020-1938               java          nvdv2:cves        /opt/tomcat/lib/tomcat-coyote.jar              
CVE-2020-1938           tomcat-8.5.45                             Critical        None                        CVE-2020-1938           https://nvd.nist.gov/vuln/detail/CVE-2020-1938               java          nvdv2:cves        /opt/tomcat/lib/tomcat-dbcp.jar                
CVE-2020-1938           tomcat-8.5.45                             Critical        None                        CVE-2020-1938           https://nvd.nist.gov/vuln/detail/CVE-2020-1938               java          nvdv2:cves        /opt/tomcat/lib/tomcat-i18n-es.jar             
CVE-2020-1938           tomcat-8.5.45                             Critical        None                        CVE-2020-1938           https://nvd.nist.gov/vuln/detail/CVE-2020-1938               java          nvdv2:cves        /opt/tomcat/lib/tomcat-i18n-fr.jar             
CVE-2020-1938           tomcat-8.5.45                             Critical        None                        CVE-2020-1938           https://nvd.nist.gov/vuln/detail/CVE-2020-1938               java          nvdv2:cves        /opt/tomcat/lib/tomcat-i18n-ja.jar             
CVE-2020-1938           tomcat-8.5.45                             Critical        None                        CVE-2020-1938           https://nvd.nist.gov/vuln/detail/CVE-2020-1938               java          nvdv2:cves        /opt/tomcat/lib/tomcat-i18n-ru.jar             
CVE-2020-1938           tomcat-8.5.45                             Critical        None                        CVE-2020-1938           https://nvd.nist.gov/vuln/detail/CVE-2020-1938               java          nvdv2:cves        /opt/tomcat/lib/tomcat-jni.jar                 
CVE-2020-1938           tomcat-8.5.45                             Critical        None                        CVE-2020-1938           https://nvd.nist.gov/vuln/detail/CVE-2020-1938               java          nvdv2:cves        /opt/tomcat/lib/tomcat-util-scan.jar           
CVE-2020-1938           tomcat-8.5.45                             Critical        None                        CVE-2020-1938           https://nvd.nist.gov/vuln/detail/CVE-2020-1938               java          nvdv2:cves        /opt/tomcat/lib/tomcat-util.jar                
CVE-2020-1938           tomcat-8.5.45                             Critical        None                        CVE-2020-1938           https://nvd.nist.gov/vuln/detail/CVE-2020-1938               java          nvdv2:cves        /opt/tomcat/lib/tomcat-websocket.jar           
CVE-2013-1753           Python-2.7.5                              High            None                        CVE-2013-1753           https://nvd.nist.gov/vuln/detail/CVE-2013-1753               python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2014-1912           Python-2.7.5                              High            None                        CVE-2014-1912           https://nvd.nist.gov/vuln/detail/CVE-2014-1912               python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2015-5652           Python-2.7.5                              High            None                        CVE-2015-5652           https://nvd.nist.gov/vuln/detail/CVE-2015-5652               python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2017-17522          Python-2.7.5                              High            None                        CVE-2017-17522          https://nvd.nist.gov/vuln/detail/CVE-2017-17522              python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2018-1060           Python-2.7.5                              High            None                        CVE-2018-1060           https://nvd.nist.gov/vuln/detail/CVE-2018-1060               python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2018-1061           Python-2.7.5                              High            None                        CVE-2018-1061           https://nvd.nist.gov/vuln/detail/CVE-2018-1061               python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2019-12418          tomcat-8.5.45                             High            None                        CVE-2019-12418          https://nvd.nist.gov/vuln/detail/CVE-2019-12418              java          nvdv2:cves        /opt/tomcat/bin/tomcat-juli.jar                
CVE-2019-12418          tomcat-8.5.45                             High            None                        CVE-2019-12418          https://nvd.nist.gov/vuln/detail/CVE-2019-12418              java          nvdv2:cves        /opt/tomcat/lib/tomcat-api.jar                 
CVE-2019-12418          tomcat-8.5.45                             High            None                        CVE-2019-12418          https://nvd.nist.gov/vuln/detail/CVE-2019-12418              java          nvdv2:cves        /opt/tomcat/lib/tomcat-coyote.jar              
CVE-2019-12418          tomcat-8.5.45                             High            None                        CVE-2019-12418          https://nvd.nist.gov/vuln/detail/CVE-2019-12418              java          nvdv2:cves        /opt/tomcat/lib/tomcat-dbcp.jar                
CVE-2019-12418          tomcat-8.5.45                             High            None                        CVE-2019-12418          https://nvd.nist.gov/vuln/detail/CVE-2019-12418              java          nvdv2:cves        /opt/tomcat/lib/tomcat-i18n-es.jar             
CVE-2019-12418          tomcat-8.5.45                             High            None                        CVE-2019-12418          https://nvd.nist.gov/vuln/detail/CVE-2019-12418              java          nvdv2:cves        /opt/tomcat/lib/tomcat-i18n-fr.jar             
CVE-2019-12418          tomcat-8.5.45                             High            None                        CVE-2019-12418          https://nvd.nist.gov/vuln/detail/CVE-2019-12418              java          nvdv2:cves        /opt/tomcat/lib/tomcat-i18n-ja.jar             
CVE-2019-12418          tomcat-8.5.45                             High            None                        CVE-2019-12418          https://nvd.nist.gov/vuln/detail/CVE-2019-12418              java          nvdv2:cves        /opt/tomcat/lib/tomcat-i18n-ru.jar             
CVE-2019-12418          tomcat-8.5.45                             High            None                        CVE-2019-12418          https://nvd.nist.gov/vuln/detail/CVE-2019-12418              java          nvdv2:cves        /opt/tomcat/lib/tomcat-jni.jar                 
CVE-2019-12418          tomcat-8.5.45                             High            None                        CVE-2019-12418          https://nvd.nist.gov/vuln/detail/CVE-2019-12418              java          nvdv2:cves        /opt/tomcat/lib/tomcat-util-scan.jar           
CVE-2019-12418          tomcat-8.5.45                             High            None                        CVE-2019-12418          https://nvd.nist.gov/vuln/detail/CVE-2019-12418              java          nvdv2:cves        /opt/tomcat/lib/tomcat-util.jar                
CVE-2019-12418          tomcat-8.5.45                             High            None                        CVE-2019-12418          https://nvd.nist.gov/vuln/detail/CVE-2019-12418              java          nvdv2:cves        /opt/tomcat/lib/tomcat-websocket.jar           
CVE-2019-13404          Python-2.7.5                              High            None                        CVE-2019-13404          https://nvd.nist.gov/vuln/detail/CVE-2019-13404              python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2019-17563          tomcat-8.5.45                             High            None                        CVE-2019-17563          https://nvd.nist.gov/vuln/detail/CVE-2019-17563              java          nvdv2:cves        /opt/tomcat/bin/tomcat-juli.jar                
CVE-2019-17563          tomcat-8.5.45                             High            None                        CVE-2019-17563          https://nvd.nist.gov/vuln/detail/CVE-2019-17563              java          nvdv2:cves        /opt/tomcat/lib/tomcat-api.jar                 
CVE-2019-17563          tomcat-8.5.45                             High            None                        CVE-2019-17563          https://nvd.nist.gov/vuln/detail/CVE-2019-17563              java          nvdv2:cves        /opt/tomcat/lib/tomcat-coyote.jar              
CVE-2019-17563          tomcat-8.5.45                             High            None                        CVE-2019-17563          https://nvd.nist.gov/vuln/detail/CVE-2019-17563              java          nvdv2:cves        /opt/tomcat/lib/tomcat-dbcp.jar                
CVE-2019-17563          tomcat-8.5.45                             High            None                        CVE-2019-17563          https://nvd.nist.gov/vuln/detail/CVE-2019-17563              java          nvdv2:cves        /opt/tomcat/lib/tomcat-i18n-es.jar             
CVE-2019-17563          tomcat-8.5.45                             High            None                        CVE-2019-17563          https://nvd.nist.gov/vuln/detail/CVE-2019-17563              java          nvdv2:cves        /opt/tomcat/lib/tomcat-i18n-fr.jar             
CVE-2019-17563          tomcat-8.5.45                             High            None                        CVE-2019-17563          https://nvd.nist.gov/vuln/detail/CVE-2019-17563              java          nvdv2:cves        /opt/tomcat/lib/tomcat-i18n-ja.jar             
CVE-2019-17563          tomcat-8.5.45                             High            None                        CVE-2019-17563          https://nvd.nist.gov/vuln/detail/CVE-2019-17563              java          nvdv2:cves        /opt/tomcat/lib/tomcat-i18n-ru.jar             
CVE-2019-17563          tomcat-8.5.45                             High            None                        CVE-2019-17563          https://nvd.nist.gov/vuln/detail/CVE-2019-17563              java          nvdv2:cves        /opt/tomcat/lib/tomcat-jni.jar                 
CVE-2019-17563          tomcat-8.5.45                             High            None                        CVE-2019-17563          https://nvd.nist.gov/vuln/detail/CVE-2019-17563              java          nvdv2:cves        /opt/tomcat/lib/tomcat-util-scan.jar           
CVE-2019-17563          tomcat-8.5.45                             High            None                        CVE-2019-17563          https://nvd.nist.gov/vuln/detail/CVE-2019-17563              java          nvdv2:cves        /opt/tomcat/lib/tomcat-util.jar                
CVE-2019-17563          tomcat-8.5.45                             High            None                        CVE-2019-17563          https://nvd.nist.gov/vuln/detail/CVE-2019-17563              java          nvdv2:cves        /opt/tomcat/lib/tomcat-websocket.jar           
CVE-2019-9674           Python-2.7.5                              High            None                        CVE-2019-9674           https://nvd.nist.gov/vuln/detail/CVE-2019-9674               python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2020-1745           tomcat-8.5.45                             High            None                        CVE-2020-1745           https://nvd.nist.gov/vuln/detail/CVE-2020-1745               java          nvdv2:cves        /opt/tomcat/bin/tomcat-juli.jar                
CVE-2020-1745           tomcat-8.5.45                             High            None                        CVE-2020-1745           https://nvd.nist.gov/vuln/detail/CVE-2020-1745               java          nvdv2:cves        /opt/tomcat/lib/tomcat-api.jar                 
CVE-2020-1745           tomcat-8.5.45                             High            None                        CVE-2020-1745           https://nvd.nist.gov/vuln/detail/CVE-2020-1745               java          nvdv2:cves        /opt/tomcat/lib/tomcat-coyote.jar              
CVE-2020-1745           tomcat-8.5.45                             High            None                        CVE-2020-1745           https://nvd.nist.gov/vuln/detail/CVE-2020-1745               java          nvdv2:cves        /opt/tomcat/lib/tomcat-dbcp.jar                
CVE-2020-1745           tomcat-8.5.45                             High            None                        CVE-2020-1745           https://nvd.nist.gov/vuln/detail/CVE-2020-1745               java          nvdv2:cves        /opt/tomcat/lib/tomcat-i18n-es.jar             
CVE-2020-1745           tomcat-8.5.45                             High            None                        CVE-2020-1745           https://nvd.nist.gov/vuln/detail/CVE-2020-1745               java          nvdv2:cves        /opt/tomcat/lib/tomcat-i18n-fr.jar             
CVE-2020-1745           tomcat-8.5.45                             High            None                        CVE-2020-1745           https://nvd.nist.gov/vuln/detail/CVE-2020-1745               java          nvdv2:cves        /opt/tomcat/lib/tomcat-i18n-ja.jar             
CVE-2020-1745           tomcat-8.5.45                             High            None                        CVE-2020-1745           https://nvd.nist.gov/vuln/detail/CVE-2020-1745               java          nvdv2:cves        /opt/tomcat/lib/tomcat-i18n-ru.jar             
CVE-2020-1745           tomcat-8.5.45                             High            None                        CVE-2020-1745           https://nvd.nist.gov/vuln/detail/CVE-2020-1745               java          nvdv2:cves        /opt/tomcat/lib/tomcat-jni.jar                 
CVE-2020-1745           tomcat-8.5.45                             High            None                        CVE-2020-1745           https://nvd.nist.gov/vuln/detail/CVE-2020-1745               java          nvdv2:cves        /opt/tomcat/lib/tomcat-util-scan.jar           
CVE-2020-1745           tomcat-8.5.45                             High            None                        CVE-2020-1745           https://nvd.nist.gov/vuln/detail/CVE-2020-1745               java          nvdv2:cves        /opt/tomcat/lib/tomcat-util.jar                
CVE-2020-1745           tomcat-8.5.45                             High            None                        CVE-2020-1745           https://nvd.nist.gov/vuln/detail/CVE-2020-1745               java          nvdv2:cves        /opt/tomcat/lib/tomcat-websocket.jar           
CVE-2018-1000030        Python-2.7.5                              Low             None                        CVE-2018-1000030        https://nvd.nist.gov/vuln/detail/CVE-2018-1000030            python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2013-7040           Python-2.7.5                              Medium          None                        CVE-2013-7040           https://nvd.nist.gov/vuln/detail/CVE-2013-7040               python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2013-7440           Python-2.7.5                              Medium          None                        CVE-2013-7440           https://nvd.nist.gov/vuln/detail/CVE-2013-7440               python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2014-4616           Python-2.7.5                              Medium          None                        CVE-2014-4616           https://nvd.nist.gov/vuln/detail/CVE-2014-4616               python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2014-7185           Python-2.7.5                              Medium          None                        CVE-2014-7185           https://nvd.nist.gov/vuln/detail/CVE-2014-7185               python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2014-9365           Python-2.7.5                              Medium          None                        CVE-2014-9365           https://nvd.nist.gov/vuln/detail/CVE-2014-9365               python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2016-0772           Python-2.7.5                              Medium          None                        CVE-2016-0772           https://nvd.nist.gov/vuln/detail/CVE-2016-0772               python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2016-1000110        Python-2.7.5                              Medium          None                        CVE-2016-1000110        https://nvd.nist.gov/vuln/detail/CVE-2016-1000110            python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2016-5699           Python-2.7.5                              Medium          None                        CVE-2016-5699           https://nvd.nist.gov/vuln/detail/CVE-2016-5699               python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2017-18207          Python-2.7.5                              Medium          None                        CVE-2017-18207          https://nvd.nist.gov/vuln/detail/CVE-2017-18207              python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2018-20852          Python-2.7.5                              Medium          None                        CVE-2018-20852          https://nvd.nist.gov/vuln/detail/CVE-2018-20852              python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2019-17006          nss-3.36.0-7.1.el7_6                      Medium          None                                                https://access.redhat.com/security/cve/CVE-2019-17006        rpm           rhel:7            None                                           
CVE-2019-17006          nss-sysinit-3.36.0-7.1.el7_6              Medium          None                                                https://access.redhat.com/security/cve/CVE-2019-17006        rpm           rhel:7            None                                           
CVE-2019-17006          nss-tools-3.36.0-7.1.el7_6                Medium          None                                                https://access.redhat.com/security/cve/CVE-2019-17006        rpm           rhel:7            None                                           
CVE-2019-18348          Python-2.7.5                              Medium          None                        CVE-2019-18348          https://nvd.nist.gov/vuln/detail/CVE-2019-18348              python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python        
CVE-2019-19338          kernel-headers-3.10.0-957.27.2.el7        Medium          3.10.0-1062.18.1.el7                                https://access.redhat.com/security/cve/CVE-2019-19338        rpm           rhel:7            None                                           
CVE-2020-10708          kernel-headers-3.10.0-957.27.2.el7        Medium          None                                                https://access.redhat.com/security/cve/CVE-2020-10708        rpm           rhel:7            None                                           
CVE-2020-12399          nss-3.36.0-7.1.el7_6                      Medium          None                                                https://access.redhat.com/security/cve/CVE-2020-12399        rpm           rhel:7            None                                           
CVE-2020-12399          nss-sysinit-3.36.0-7.1.el7_6              Medium          None                                                https://access.redhat.com/security/cve/CVE-2020-12399        rpm           rhel:7            None                                           
CVE-2020-12399          nss-tools-3.36.0-7.1.el7_6                Medium          None                                                https://access.redhat.com/security/cve/CVE-2020-12399        rpm           rhel:7            None                                           
CVE-2020-1749           kernel-headers-3.10.0-957.27.2.el7        Medium          None                                                https://access.redhat.com/security/cve/CVE-2020-1749         rpm           rhel:7            None                                           
CVE-2020-1935           tomcat-8.5.45                             Medium          None                        CVE-2020-1935           https://nvd.nist.gov/vuln/detail/CVE-2020-1935               java          nvdv2:cves        /opt/tomcat/bin/tomcat-juli.jar                
CVE-2020-1935           tomcat-8.5.45                             Medium          None                        CVE-2020-1935           https://nvd.nist.gov/vuln/detail/CVE-2020-1935               java          nvdv2:cves        /opt/tomcat/lib/tomcat-api.jar                 
CVE-2020-1935           tomcat-8.5.45                             Medium          None                        CVE-2020-1935           https://nvd.nist.gov/vuln/detail/CVE-2020-1935               java          nvdv2:cves        /opt/tomcat/lib/tomcat-coyote.jar              
CVE-2020-1935           tomcat-8.5.45                             Medium          None                        CVE-2020-1935           https://nvd.nist.gov/vuln/detail/CVE-2020-1935               java          nvdv2:cves        /opt/tomcat/lib/tomcat-dbcp.jar                
CVE-2020-1935           tomcat-8.5.45                             Medium          None                        CVE-2020-1935           https://nvd.nist.gov/vuln/detail/CVE-2020-1935               java          nvdv2:cves        /opt/tomcat/lib/tomcat-i18n-es.jar             
CVE-2020-1935           tomcat-8.5.45                             Medium          None                        CVE-2020-1935           https://nvd.nist.gov/vuln/detail/CVE-2020-1935               java          nvdv2:cves        /opt/tomcat/lib/tomcat-i18n-fr.jar             
CVE-2020-1935           tomcat-8.5.45                             Medium          None                        CVE-2020-1935           https://nvd.nist.gov/vuln/detail/CVE-2020-1935               java          nvdv2:cves        /opt/tomcat/lib/tomcat-i18n-ja.jar             
CVE-2020-1935           tomcat-8.5.45                             Medium          None                        CVE-2020-1935           https://nvd.nist.gov/vuln/detail/CVE-2020-1935               java          nvdv2:cves        /opt/tomcat/lib/tomcat-i18n-ru.jar             
CVE-2020-1935           tomcat-8.5.45                             Medium          None                        CVE-2020-1935           https://nvd.nist.gov/vuln/detail/CVE-2020-1935               java          nvdv2:cves        /opt/tomcat/lib/tomcat-jni.jar                 
CVE-2020-1935           tomcat-8.5.45                             Medium          None                        CVE-2020-1935           https://nvd.nist.gov/vuln/detail/CVE-2020-1935               java          nvdv2:cves        /opt/tomcat/lib/tomcat-util-scan.jar           
CVE-2020-1935           tomcat-8.5.45                             Medium          None                        CVE-2020-1935           https://nvd.nist.gov/vuln/detail/CVE-2020-1935               java          nvdv2:cves        /opt/tomcat/lib/tomcat-util.jar                
CVE-2020-1935           tomcat-8.5.45                             Medium          None                        CVE-2020-1935           https://nvd.nist.gov/vuln/detail/CVE-2020-1935               java          nvdv2:cves        /opt/tomcat/lib/tomcat-websocket.jar           
[root@ciserver anchoredir]# anchore-cli evaluate check docker.io/nara0617/tomcat:tomcat8jdk8
Image Digest: sha256:6a788c1f53affee24683006dd621359c2a7e7bdb7c120657840795ccd6b06dd1
Full Tag: docker.io/nara0617/tomcat:tomcat8jdk8
Status: fail
Last Eval: 2020-05-30T14:23:54Z
Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060

[root@ciserver anchoredir]# 

The image above was found to carry a range of vulnerabilities rated Critical, High, Medium and so on, which is why its Status reports fail.

Another notable feature of Anchore is that it provides an integration plugin for Jenkins.

https://plugins.jenkins.io/anchore-container-scanner/

With it you can set up a more mature CI/CD flow, designing the stages so that the pipeline only moves on to testing or deployment when the image has passed the security check.

[Figure: Jenkins and Anchore integration process, as published on Jenkins.io]

The figure above is the Jenkins and Anchore integration process published on Jenkins.io. A FAIL status is handled in Jenkins by a retry or an exception, while a PASS or WARNING status lets the subsequent steps run; had the tomcat8jdk8 image scanned earlier been used, the build would not have proceeded.

See the URL above for details.

Results

In practice this does let you scan Docker images for vulnerabilities, but building custom images and scanning each one every time can be a very demanding process. Going through the result pages one by one to understand the outcome of each step is laborious as well.

As of today the vulnerability check list contains roughly 500,000 entries. Having someone manage this entire list, or even just keep track of the entries being added right now, is practically impossible.

Yet you cannot simply sit back and keep using vulnerable images. So the minimum list to manage should include at least the Critical or High findings, and it is worth seriously considering approaches such as connecting to the image and running checks beforehand, much as an OS vulnerability check is run before an image check, and then confirming the result of the image check.
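As an added example (not code from the post, from Anchore or from the Jenkins plugin), the Python script below turns the two anchore-cli outputs shown above into the gate decision that the Jenkins stage design and the Critical/High threshold in the conclusion describe: it parses the `anchore-cli image vuln ... all` table, collapses the per-jar rows into one finding per CVE and package, reads the Status line of `anchore-cli evaluate check`, and blocks or proceeds. The sample table rows and the evaluate summary are constructed in the same layout as the post's listing; the function names, the severity ranking and the digest/policy placeholders are this example's own assumptions.

```python
"""Gate a CI stage on anchore-cli output (added example, not code from the post
or from Anchore).  Parses `anchore-cli image vuln <image> all` rows, merges the
per-file rows into one finding per CVE and package, reads the Status line of
`anchore-cli evaluate check <image>`, and decides whether the stage may proceed."""
import re
from collections import OrderedDict

# Severity names as anchore-cli prints them, ranked so a floor can be applied.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2,
                 "Medium": 3, "High": 4, "Critical": 5}

# Constructed sample rows in the column layout of the post's listing (assumed header).
SAMPLE_VULN_OUTPUT = """\
Vulnerability ID        Package                                   Severity        Fix                         CVE Refs                Vulnerability URL                                            Type          Feed Group        Package Path
CVE-2020-1745           tomcat-8.5.45                             High            None                        CVE-2020-1745           https://nvd.nist.gov/vuln/detail/CVE-2020-1745               java          nvdv2:cves        /opt/tomcat/lib/tomcat-api.jar
CVE-2020-1745           tomcat-8.5.45                             High            None                        CVE-2020-1745           https://nvd.nist.gov/vuln/detail/CVE-2020-1745               java          nvdv2:cves        /opt/tomcat/lib/tomcat-coyote.jar
CVE-2019-19338          kernel-headers-3.10.0-957.27.2.el7        Medium          3.10.0-1062.18.1.el7                                https://access.redhat.com/security/cve/CVE-2019-19338        rpm           rhel:7            None
CVE-2018-1000030        Python-2.7.5                              Low             None                        CVE-2018-1000030        https://nvd.nist.gov/vuln/detail/CVE-2018-1000030            python        nvdv2:cves        /usr/lib64/python2.7/lib-dynload/Python
"""

# Constructed `evaluate check` summary; digest and policy id are placeholders.
SAMPLE_EVAL_FAIL = """\
Image Digest: sha256:<digest-placeholder>
Full Tag: docker.io/example/tomcat:tomcat8jdk8
Status: fail
Last Eval: 2020-05-30T14:23:54Z
Policy ID: <policy-id-placeholder>
"""


def parse_vuln_table(text):
    """Parse table rows: columns are separated by two or more spaces, and the
    CVE Refs column is empty for distro (rpm) rows, so locate the URL column
    instead of trusting a fixed field count."""
    rows = []
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 6 or fields[2] not in SEVERITY_RANK:
            continue  # header, shell prompt or blank line
        url_idx = next((i for i, f in enumerate(fields) if f.startswith("http")), None)
        if url_idx is None:
            continue
        tail = fields[url_idx + 1:]  # Type, Feed Group, Package Path
        rows.append({
            "vuln_id": fields[0], "package": fields[1], "severity": fields[2],
            "fix": fields[3], "cve_refs": fields[4:url_idx], "url": fields[url_idx],
            "type": tail[0] if len(tail) > 0 else "",
            "feed_group": tail[1] if len(tail) > 1 else "",
            "path": tail[2] if len(tail) > 2 else "None",
        })
    return rows


def collapse_findings(rows):
    """Merge rows that differ only in Package Path (one Tomcat CVE is listed
    once per jar) into a single finding that keeps every affected path."""
    merged = OrderedDict()
    for r in rows:
        key = (r["vuln_id"], r["package"])
        entry = merged.setdefault(key, {"vuln_id": r["vuln_id"], "package": r["package"],
                                        "severity": r["severity"], "fix": r["fix"],
                                        "paths": []})
        if r["path"] != "None":
            entry["paths"].append(r["path"])
    return list(merged.values())


def findings_at_or_above(rows, min_severity):
    """Findings that reach the severity floor (the post suggests Critical or High)."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in collapse_findings(rows) if SEVERITY_RANK[f["severity"]] >= floor]


def parse_eval_status(text):
    """Return the lower-cased value of the 'Status:' line, or None if absent."""
    m = re.search(r"^Status:\s*(\S+)", text, re.MULTILINE)
    return m.group(1).lower() if m else None


def decide_stage(eval_output, vuln_output, min_severity="High"):
    """Mirror the Jenkins flow the post describes: a policy FAIL blocks the
    stage; PASS or WARN proceeds unless a finding reaches the severity floor."""
    status = parse_eval_status(eval_output)
    if status not in ("pass", "warn"):
        return "block", f"policy evaluation status: {status}"
    offending = findings_at_or_above(parse_vuln_table(vuln_output), min_severity)
    if offending:
        ids = ", ".join(sorted({f["vuln_id"] for f in offending}))
        return "block", f"{len(offending)} finding(s) at or above {min_severity}: {ids}"
    return "proceed", f"policy {status}, no finding at or above {min_severity}"


if __name__ == "__main__":
    for f in findings_at_or_above(parse_vuln_table(SAMPLE_VULN_OUTPUT), "High"):
        print(f["vuln_id"], f["package"], f["severity"], "fix:", f["fix"], "jars:", len(f["paths"]))
    print(decide_stage(SAMPLE_EVAL_FAIL, SAMPLE_VULN_OUTPUT))
    print(decide_stage(SAMPLE_EVAL_FAIL.replace("Status: fail", "Status: pass"),
                       SAMPLE_VULN_OUTPUT, "Critical"))
```

In a pipeline you would feed the script the captured stdout of the two anchore-cli commands and use the returned decision as the stage's exit status; collapsing by CVE keeps the report readable when one Tomcat CVE is repeated for a dozen jars, and the Fix column tells you immediately whether a package upgrade (as with the kernel-headers row) would clear the finding.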
