手動掃描 Java 套件
本快速入門導覽課程說明如何提取容器映像檔、使用隨選掃描功能手動掃描,以及擷取系統和 Maven 套件的已識別安全漏洞。如要完成本快速入門導覽課程,請使用 Cloud Shell 和 Alpine 範例映像檔。
事前準備
- 登入 Google Cloud 帳戶。如果您是 Google Cloud新手,歡迎 建立帳戶,親自評估產品在實際工作環境中的成效。新客戶還能獲得價值 $300 美元的免費抵免額,可用於執行、測試及部署工作負載。
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator role
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Verify that billing is enabled for your Google Cloud project.
Enable the On-Demand Scanning API.
Roles required to enable APIs
To enable APIs, you need the
serviceusage.services.enablepermission. If you created the project, then you likely already have this permission through the Owner role (roles/owner). Otherwise, you can get this permission through the Service Usage Admin role (roles/serviceusage.serviceUsageAdmin). Learn how to grant roles.-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator role
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Verify that billing is enabled for your Google Cloud project.
Enable the On-Demand Scanning API.
Roles required to enable APIs
To enable APIs, you need the
serviceusage.services.enablepermission. If you created the project, then you likely already have this permission through the Owner role (roles/owner). Otherwise, you can get this permission through the Service Usage Admin role (roles/serviceusage.serviceUsageAdmin). Learn how to grant roles.
下載及掃描圖片
在專案中開啟 Cloud Shell。
終端機隨即會開啟,其中包含依本指南操作所需的所有工具。
使用 Docker 提取容器映像檔:
docker pull jenkins:2.60.3-alpine執行掃描:
gcloud artifacts docker images scan jenkins:2.60.3-alpine --additional-package-types=MAVEN這會觸發掃描程序,並在完成時傳回掃描名稱:
✓ Scanning container image ✓ Locally extracting packages and versions from local container image ✓ Remotely initiating analysis of packages and versions ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/1a6fd941-b997-4e5f-ba4f-6351f30e7dad] Done. done: true metadata: '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata createTime: '2021-01-26T13:43:53.112123Z' resourceUri: jenkins:2.60.3-alpine name: projects/my-project/locations/us/operations/1a6fd941-b99f-4eaf-ba4f-6e5af30e7dad response: '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse scan: projects/my-project/locations/us/scans/893c91ce-7fe6-4f1a-a69a-d6ca1b465160
使用掃描名稱和輸出內容中的
scan值,擷取掃描結果:gcloud artifacts docker images list-vulnerabilities \ projects/my-project/locations/us/scans/893c91ce-7fe6-4f1a-a69a-d6ca1b465160輸出內容會列出 Maven 和 Linux 套件的安全漏洞。Maven 套件安全漏洞可透過
packageType:MAVEN欄位識別。
清除所用資源
為了避免系統向您的 Google Cloud 帳戶收取本頁面所用資源的費用,請按照下列步驟操作。
如果您是為了本指南建立新專案,現在可以刪除該專案。在 Google Cloud 控制台中,開啟「Settings」(設定) 頁面 (位於「IAM & Admin」(IAM 與管理) 下)。
按一下 [Select a project] (選取專案)。
選取要刪除的專案,然後點選 [Open] (開啟)。
按一下 [Shut down] (關閉)。
輸入專案 ID,然後點選 [Shut down] (關閉)。