手動掃描 Java 套件

On-Demand Scanning API 可讓您掃描儲存在電腦本機或遠端 Artifact Registry 中的映像檔。您可以使用 On-Demand Scanning 掃描 CI/CD 管道中的映像檔,檢查系統安全漏洞和 Java (Maven) 套件安全漏洞,再決定是否要儲存在註冊資料庫中。如需價格資訊,請參閱定價頁面

本頁說明如何手動掃描容器映像檔,檢查是否有系統安全漏洞和 Maven 套件安全漏洞。

事前準備

  1. 登入 Google Cloud 帳戶。如果您是 Google Cloud新手,歡迎 建立帳戶,親自評估產品在實際工作環境中的成效。新客戶還能獲得價值 $300 美元的免費抵免額,可用於執行、測試及部署工作負載。
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the On-Demand Scanning API.

    Roles required to enable APIs

    To enable APIs, you need the serviceusage.services.enable permission. If you created the project, then you likely already have this permission through the Owner role (roles/owner). Otherwise, you can get this permission through the Service Usage Admin role (roles/serviceusage.serviceUsageAdmin). Learn how to grant roles.

    Enable the API

  5. 安裝 Google Cloud CLI。

  6. 若您採用的是外部識別資訊提供者 (IdP),請先使用聯合身分登入 gcloud CLI

  7. 執行下列指令,初始化 gcloud CLI:

    gcloud init
  8. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  9. Verify that billing is enabled for your Google Cloud project.

  10. Enable the On-Demand Scanning API.

    Roles required to enable APIs

    To enable APIs, you need the serviceusage.services.enable permission. If you created the project, then you likely already have this permission through the Owner role (roles/owner). Otherwise, you can get this permission through the Service Usage Admin role (roles/serviceusage.serviceUsageAdmin). Learn how to grant roles.

    Enable the API

  11. 安裝 Google Cloud CLI。

  12. 若您採用的是外部識別資訊提供者 (IdP),請先使用聯合身分登入 gcloud CLI

  13. 執行下列指令,初始化 gcloud CLI:

    gcloud init
  14. local-extract 元件新增至 Google Cloud CLI 安裝項目

    使用 Google Cloud CLI 元件管理服務

    第一次執行掃描指令時,元件管理工具會提示您安裝必要元件。

    使用系統套件管理工具

    • Debian/Ubuntu:
      sudo apt install google-cloud-sdk-local-extract
          
    • Red Hat/Fedora/CentOS:
      sudo dnf install google-cloud-sdk-local-extract
          

      或者,您也可以在上一個指令中將 dnf 替換為 yum

  15. 授予 IAM 角色隨選掃描管理員角色授予要搭配隨選掃描功能使用的使用者或服務帳戶。如果您使用專案的擁有者帳戶執行掃描,可以略過這個步驟。

掃描容器映像檔

  • 掃描本機:

    gcloud artifacts docker images scan IMAGE_URI \
        [--location=(us,europe,asia)] [--async]
    

    如果是本機圖片,請使用下列其中一種格式:IMAGE_URI

    • REPOSITORY:TAG
    • REPOSITORY
  • 遠端掃描:

    gcloud artifacts docker images scan IMAGE_URI \
         --remote [--location=(us,europe,asia)] [--async]
    

    如果是遠端圖片,請使用下列其中一種格式:IMAGE_URI

    • HOSTNAME/PROJECT_ID/REPOSITORY_ID/IMAGE_ID@sha256:HASH
    • HOSTNAME/PROJECT_ID/REPOSITORY_ID/IMAGE_ID:HASH
    • HOSTNAME/PROJECT_ID/REPOSITORY_ID/IMAGE_ID
    • HOSTNAME/PROJECT_ID/IMAGE_ID@sha256:HASH
    • HOSTNAME/PROJECT_ID/IMAGE_ID:HASH
    • HOSTNAME/PROJECT_ID/IMAGE_ID

    如果是 Artifact Registry 中的映像檔,IMAGE_URI 必須包含 REPOSITORY_ID

無論是本機或遠端掃描,您都可以使用下列選用旗標:

  • --location 是選用旗標,可手動選取掃描作業進行的多區域。選擇靠近您實際位置的多區域,可盡量縮短延遲時間。可用的位置包括:useuropeasia。預設位置為 us

  • --async 是選用旗標,可非同步執行掃描程序。如果省略這個旗標,終端機會封鎖,直到掃描程序完成為止。

同步掃描

以下範例顯示同步掃描的輸出內容,沒有 --async 標記:

$ gcloud artifacts docker images scan jenkins:2.60.3-alpine

✓ Scanning container image
  ✓ Locally extracting packages and versions from local container image
  ✓ Remotely initiating analysis of packages and versions
  ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/87d2e137-1d1c-4790-8e5e-daf6c96ae7d7]
Done.
done: true
metadata:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
  createTime: '2021-01-05T23:03:04.185261Z'
  resourceUri: jenkins:2.60.3-alpine
name: projects/my-project/locations/us/operations/87d2e137-1d1c-4790-8e5e-daf6c96ae7d7
response:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse
  scan: projects/my-project/locations/us/scans/2fe2bfb8-f0c5-4dd6-a8c8-38961869767a

使用掃描名稱擷取安全漏洞結果。在本例中,掃描名稱是輸出訊息最後一行中的 scan 值。

非同步掃描

以下範例顯示執行非同步掃描的輸出內容:

$ gcloud artifacts docker images scan jenkins:2.60.3-alpine --async

✓ Scanning container image
  ✓ Locally extracting packages and versions from local container image
  ✓ Remotely initiating analysis of packages and versions
Done.
Check operation [projects/cloud-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16] for status.
metadata:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
  createTime: '2021-01-05T23:04:54.393510Z'
  resourceUri: jenkins:2.60.3-alpine
name: projects/my-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16

這會啟動長時間執行的作業,並傳回其 ID,不會封鎖終端機。使用作業 ID (輸出訊息最後一行中的 name 值) 輪詢作業

輪詢長時間執行的作業

使用非同步掃描指令輸出內容中的作業 ID,檢查作業狀態:

gcloud artifacts docker images get-operation LRO_ID

其中 LRO_ID 是長時間執行的作業 ID。

繼續使用非同步掃描部分的範例,如要檢查作業狀態,請執行下列操作:

$ gcloud artifacts docker images get-operation \
  projects/cloud-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16

done: true
metadata:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
  createTime: '2021-01-05T23:04:54.393510Z'
  resourceUri: jenkins:2.60.3-alpine
name: projects/my-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16
response:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse
  scan: projects/my-project/locations/us/scans/2fe2bfb8-f0c5-4dd6-a8c8-38961869767a

如果輸出內容包含 done: true 這一行,表示掃描作業已完成。使用掃描名稱擷取安全漏洞結果。 掃描名稱是輸出訊息最後一行中的 scan 值。

擷取掃描結果

掃描作業完成後,如要擷取掃描結果,請使用下列指令:

gcloud artifacts docker images list-vulnerabilities SCAN_NAME [--limit=X]

其中:

  • SCAN_NAME 是掃描名稱。掃描完成後,您可以執行同步掃描輪詢長時間執行的作業,輸出內容的最後一行會顯示該值。

  • --limit=X 是選用旗標,可限制輸出內容中顯示的出現次數。X 是數值。

例如:

createTime: '2021-06-29T17:01:18.819477Z'
kind: VULNERABILITY
name: projects/my-project/locations/us/occurrences/06305977-f557-4772-8586-4260684291d3
noteName: projects/my-project/notes/CVE-2014-0114
resourceUri: jenkins:2.60.3-alpine
updateTime: '2021-06-29T17:01:18.819477Z'
vulnerability:
  cvssScore: 4.3
  effectiveSeverity: MEDIUM
  longDescription: http/conn/ssl/SSLConnectionSocketFactory.java in ...
  packageIssue:
  - affectedCpeUri: cpe:/o:alpine:alpine_linux:3.13
    affectedPackage: org.apache.httpcomponents:httpclient
    affectedVersion:
      fullName: 4.0.2
      kind: NORMAL
      name: 4.0.2
    effectiveSeverity: MEDIUM
    fixedCpeUri: cpe:/o:alpine:alpine_linux:3.13
    fixedPackage: org.apache.httpcomponents:httpclient
    fixedVersion:
      fullName: 4.3.6
      kind: NORMAL
      name: 4.3.6
    packageType: MAVEN
  relatedUrls:
  - label: More Info
    url: https://security-tracker.debian.org/tracker/CVE-2015-5262
  severity: MEDIUM
  shortDescription: CVE-2015-5262

這項指令的輸出內容是以 Grafeas 格式列出的發生項目。在本例中,系統在映像檔中發現一個中等嚴重程度的安全漏洞。Maven 套件安全漏洞含有 packageType:MAVEN 欄位。

掃描作業完成後,掃描結果會保留 48 小時。

後續步驟