Scanning Go packages manually

This quickstart shows how to pull a container image, scan it manually with On-Demand Scanning, and retrieve the identified vulnerabilities in both system packages and Go packages. In this quickstart you use Cloud Shell and a sample Alpine image.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the On-Demand Scanning API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

Download and scan the image

  1. Open Cloud Shell in your project.

    A terminal opens with all the tools you need to follow this guide.

  2. Pull the container image with Docker:

    docker pull golang:1.17.6-alpine
    
  3. Run the scan:

    gcloud artifacts docker images scan golang:1.17.6-alpine --additional-package-types=GO
    

    This starts the scan and, when it completes, returns the scan name:

    ✓ Scanning container image
      ✓ Locally extracting packages and versions from local container image
      ✓ Remotely initiating analysis of packages and versions
      ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/849db1f8-2fb2-4559-9fe0-8720d8cd347c]
    Done.
    done: true
    metadata:
      '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
      createTime: '2022-01-11T16:58:11.711487Z'
      resourceUri: golang:1.16.13-alpine
    name: projects/my-project/locations/us/operations/f4adb1f8-20b2-4579-9fe0-8720d8cd347c
    response:
      '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse
      scan: projects/my-project/locations/us/scans/a54f12b0-ca2d-4d93-8da5-5cf48e9e20ef
    
  4. Use the scan name (the scan value in the output) to retrieve the scan results:

    gcloud artifacts docker images list-vulnerabilities \
    projects/my-project/locations/us/scans/a54f12b0-ca2d-4d93-8da5-5cf48e9e20ef
    

    The output contains a list of Go, Go standard library, and Linux package vulnerabilities. The following labels indicate the type of a Go vulnerability:

    • packageType:GO_STDLIB. Go standard library vulnerability. This indicates that the vulnerability was found either in the Go toolchain used to build the binary or in the standard library bundled with that toolchain. One possible fix is to upgrade your build toolchain.

    • packageType:GO. Go package vulnerability. This indicates that the vulnerability was found in a third-party package. One possible fix is to upgrade the affected module.
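    As an added example (not part of the Google Cloud documentation or the gcloud tool), the Python script below groups list-vulnerabilities output by packageType and pairs each group with the remediation described above, so a GO_STDLIB finding is routed to a toolchain upgrade and a GO finding to a module upgrade. It assumes the JSON form of the output (--format=json) in the Grafeas occurrence layout with vulnerability.packageIssue[]; those field names, the OS packageType value, and the sample findings are assumptions and constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `gcloud artifacts docker images
# list-vulnerabilities SCAN --format=json` (Grafeas vulnerability occurrences).
# Field names follow Grafeas v1 PackageIssue; the "OS" packageType value, the
# CVE ids and the versions are assumptions/placeholders, not real findings.
SAMPLE = """[
 {"noteName": "projects/goog-vulnz/notes/CVE-0000-0001", "vulnerability": {"effectiveSeverity":
  "HIGH", "packageIssue": [{"affectedPackage": "stdlib", "affectedVersion": {"fullName": "1.17.6"},
  "fixedVersion": {"fullName": "1.17.7"}, "packageType": "GO_STDLIB"}]}},
 {"noteName": "projects/goog-vulnz/notes/CVE-0000-0002", "vulnerability": {"effectiveSeverity":
  "MEDIUM", "packageIssue": [{"affectedPackage": "golang.org/x/text", "affectedVersion":
  {"fullName": "0.3.6"}, "fixedVersion": {"fullName": "0.3.7"}, "packageType": "GO"}]}},
 {"noteName": "projects/goog-vulnz/notes/CVE-0000-0003", "vulnerability": {"effectiveSeverity":
  "LOW", "packageIssue": [{"affectedPackage": "musl", "affectedVersion": {"fullName": "1.2.2-r3"},
  "fixedVersion": {}, "packageType": "OS"}]}}
]"""
# Remediation hint per packageType, following the quickstart's guidance.
HINTS = {"GO_STDLIB": "upgrade the Go build toolchain", "GO": "upgrade the affected module"}

def load_sample():
    return json.loads(SAMPLE)

def group_by_package_type(occurrences):
    """Return {packageType: [(package, cve, affected, fixed_or_None, severity)]}."""
    groups = defaultdict(list)
    for occ in occurrences:
        cve = occ.get("noteName", "").rsplit("/", 1)[-1]
        vuln = occ.get("vulnerability", {})
        for issue in vuln.get("packageIssue", []):
            # A fixedVersion without a fullName means no fix is published yet.
            fixed = issue.get("fixedVersion", {}).get("fullName")
            groups[issue.get("packageType", "OS")].append((
                issue.get("affectedPackage"), cve,
                issue.get("affectedVersion", {}).get("fullName"),
                fixed, vuln.get("effectiveSeverity")))
    return dict(groups)

def report(occurrences):
    """One summary line per packageType (count, fixable count, hint), then findings."""
    groups, lines = group_by_package_type(occurrences), []
    for ptype, findings in sorted(groups.items()):
        fixable = sum(1 for f in findings if f[3])
        lines.append(f"{ptype}: {len(findings)} finding(s), {fixable} with a fix; "
                     f"{HINTS.get(ptype, 'upgrade the OS package')}")
        lines += [f"  {sev or '?':<8} {cve} {pkg} {aff} -> {fix or 'no fix yet'}"
                  for pkg, cve, aff, fix, sev in findings]
    return "\n".join(lines)
```

    On real output, pass the parsed JSON from a --format=json run of list-vulnerabilities to report(); load_sample() exists only for the constructed data.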

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

  1. In the Google Cloud console, go to the Manage resources page.

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

What's next