手動掃描 Java 套件

本快速入門導覽課程說明如何提取容器映像檔、使用隨選掃描功能手動掃描,以及擷取系統和 Maven 套件的已識別安全漏洞。如要完成本快速入門導覽課程,請使用 Cloud Shell 和 Alpine 範例映像檔。

事前準備

  1. 登入 Google Cloud 帳戶。如果您是 Google Cloud新手,歡迎 建立帳戶,親自評估產品在實際工作環境中的成效。新客戶還能獲得價值 $300 美元的免費抵免額,可用於執行、測試及部署工作負載。
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the On-Demand Scanning API.

    Roles required to enable APIs

    To enable APIs, you need the serviceusage.services.enable permission. If you created the project, then you likely already have this permission through the Owner role (roles/owner). Otherwise, you can get this permission through the Service Usage Admin role (roles/serviceusage.serviceUsageAdmin). Learn how to grant roles.

    Enable the API

  5. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  6. Verify that billing is enabled for your Google Cloud project.

  7. Enable the On-Demand Scanning API.

    Roles required to enable APIs

    To enable APIs, you need the serviceusage.services.enable permission. If you created the project, then you likely already have this permission through the Owner role (roles/owner). Otherwise, you can get this permission through the Service Usage Admin role (roles/serviceusage.serviceUsageAdmin). Learn how to grant roles.

    Enable the API

下載及掃描圖片

  1. 在專案中開啟 Cloud Shell。

    開啟 Cloud Shell

    終端機隨即會開啟,其中包含依本指南操作所需的所有工具。

  2. 使用 Docker 提取容器映像檔:

    docker pull jenkins:2.60.3-alpine
    
  3. 執行掃描:

    gcloud artifacts docker images scan jenkins:2.60.3-alpine --additional-package-types=MAVEN
    

    這會觸發掃描程序,並在完成時傳回掃描名稱:

    ✓ Scanning container image 
      ✓ Locally extracting packages and versions from local container image
      ✓ Remotely initiating analysis of packages and versions
      ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/1a6fd941-b997-4e5f-ba4f-6351f30e7dad]
    Done.
    
    done: true
    metadata:
      '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
      createTime: '2021-01-26T13:43:53.112123Z'
      resourceUri: jenkins:2.60.3-alpine
    name: projects/my-project/locations/us/operations/1a6fd941-b99f-4eaf-ba4f-6e5af30e7dad
    response:
      '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse
      scan: projects/my-project/locations/us/scans/893c91ce-7fe6-4f1a-a69a-d6ca1b465160
    
  4. 使用掃描名稱和輸出內容中的 scan 值,擷取掃描結果:

    gcloud artifacts docker images list-vulnerabilities \
    projects/my-project/locations/us/scans/893c91ce-7fe6-4f1a-a69a-d6ca1b465160
    

    輸出內容會列出 Maven 和 Linux 套件的安全漏洞。Maven 套件安全漏洞可透過 packageType:MAVEN 欄位識別。

清除所用資源

為了避免系統向您的 Google Cloud 帳戶收取本頁面所用資源的費用,請按照下列步驟操作。

如果您是為了本指南建立新專案,現在可以刪除該專案。

  • 在 Google Cloud 控制台中,開啟「Settings」(設定) 頁面 (位於「IAM & Admin」(IAM 與管理) 下)。

    開啟「設定」頁面

  • 按一下 [Select a project] (選取專案)。

  • 選取要刪除的專案,然後點選 [Open] (開啟)。

  • 按一下 [Shut down] (關閉)

  • 輸入專案 ID,然後點選 [Shut down] (關閉)。

後續步驟