手動掃描 Java 套件

本快速入門導覽課程說明如何提取容器映像檔、使用隨選掃描功能手動掃描,以及擷取系統和 Maven 套件的已識別安全漏洞。如要完成本快速入門導覽課程,請使用 Cloud Shell 和 Alpine 範例映像檔。

事前準備

  1. 登入 Google Cloud 帳戶。如果您是 Google Cloud新手,歡迎 建立帳戶,親自評估產品在實際工作環境中的成效。新客戶還能獲得價值 $300 美元的免費抵免額,可用於執行、測試及部署工作負載。

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the On-Demand Scanning API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the API

  5. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  6. Verify that billing is enabled for your Google Cloud project.

  7. Enable the On-Demand Scanning API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the API

    8.

下載及掃描圖片

  1. 在專案中開啟 Cloud Shell。

    開啟 Cloud Shell

    終端機隨即會開啟,其中包含依本指南操作所需的所有工具。

  2. 使用 Docker 提取容器映像檔:

    docker pull jenkins:2.60.3-alpine

  3. 執行掃描:

    gcloud artifacts docker images scan jenkins:2.60.3-alpine --additional-package-types=MAVEN

    這會觸發掃描程序,並在完成時傳回掃描名稱:

    ✓ Scanning container image 
  ✓ Locally extracting packages and versions from local container image
  ✓ Remotely initiating analysis of packages and versions
  ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/1a6fd941-b997-4e5f-ba4f-6351f30e7dad]
Done.

done: true
metadata:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
  createTime: '2021-01-26T13:43:53.112123Z'
  resourceUri: jenkins:2.60.3-alpine
name: projects/my-project/locations/us/operations/1a6fd941-b99f-4eaf-ba4f-6e5af30e7dad
response:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse
  scan: projects/my-project/locations/us/scans/893c91ce-7fe6-4f1a-a69a-d6ca1b465160

  4. 使用掃描名稱和輸出內容中的 scan 值,擷取掃描結果:

    gcloud artifacts docker images list-vulnerabilities \
projects/my-project/locations/us/scans/893c91ce-7fe6-4f1a-a69a-d6ca1b465160

    輸出內容會列出 Maven 和 Linux 套件的安全漏洞。Maven 套件安全漏洞可透過 packageType:MAVEN 欄位識別。

清除所用資源

為了避免系統向您的 Google Cloud 帳戶收取本頁面所用資源的費用,請按照下列步驟操作。

如果您是為了本指南建立新專案,現在可以刪除該專案。

  • 在 Google Cloud 控制台中,開啟「Settings」(設定) 頁面 (位於「IAM & Admin」(IAM 與管理) 下)。

    開啟「設定」頁面

  • 按一下 [Select a project] (選取專案)。

  • 選取要刪除的專案,然後點選 [Open] (開啟)。

  • 按一下 [Shut down] (關閉)

  • 輸入專案 ID,然後點選 [Shut down] (關閉)。

後續步驟