Manually scanning Go packages

With the On-Demand Scanning API, you can scan images stored on your local machine or in Artifact Registry. You can use On-Demand Scanning in your CI/CD pipeline to scan images for system vulnerabilities and Go package vulnerabilities before deciding whether to store them in a registry. For pricing information, see the pricing page.

This page describes how to manually scan container images for system vulnerabilities and Go package vulnerabilities.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the On-Demand Scanning API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the API

  5. Install the Google Cloud CLI.

  6. If you are using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  7. To initialize the gcloud CLI, run the following command:

    gcloud init
  8. Add the local-extract component to your Google Cloud CLI installation:

    Using the Google Cloud CLI component manager

    The first time you run a scan command, the component manager prompts you to install the required component.

    Using a system package manager

    • For Debian/Ubuntu:
      sudo apt install google-cloud-sdk-local-extract

    • For Red Hat/Fedora/CentOS:
      sudo dnf install google-cloud-sdk-local-extract

      Alternatively, replace dnf with yum in the command above.

  9. Grant the On-Demand Scanning Admin IAM role to the user or service account that you will use with On-Demand Scanning. If you run scans with the project owner's account, you can skip this step.

Scanning container images

  • Local scan:

    gcloud artifacts docker images scan IMAGE_URI \
        [--location=(us,europe,asia)] [--async]

    For local images, use one of the following IMAGE_URI formats:

    • REPOSITORY:TAG
    • REPOSITORY

  • Remote scan:

    gcloud artifacts docker images scan IMAGE_URI \
        --remote [--location=(us,europe,asia)] [--async]

    For remote images, use one of the following IMAGE_URI formats:

    • HOSTNAME/PROJECT_ID/REPOSITORY_ID/IMAGE_ID@sha256:HASH
    • HOSTNAME/PROJECT_ID/REPOSITORY_ID/IMAGE_ID:HASH
    • HOSTNAME/PROJECT_ID/REPOSITORY_ID/IMAGE_ID
    • HOSTNAME/PROJECT_ID/IMAGE_ID@sha256:HASH
    • HOSTNAME/PROJECT_ID/IMAGE_ID:HASH
    • HOSTNAME/PROJECT_ID/IMAGE_ID

    For images in Artifact Registry, IMAGE_URI must include REPOSITORY_ID.

For both local and remote scans, you can use the following optional flags:

  • --location is an optional flag that selects the multi-region in which the scan runs. Choosing a multi-region close to your physical location minimizes latency. The available locations are us, europe, and asia. The default location is us.

  • --async is an optional flag that runs the scan process asynchronously. If you omit this flag, the terminal blocks until the scan process completes.

Synchronous scan

The following example shows the output of a synchronous scan, without the --async flag:

$ gcloud artifacts docker images scan golang:1.17.6-alpine

✓ Scanning container image
  ✓ Locally extracting packages and versions from local container image
  ✓ Remotely initiating analysis of packages and versions
  ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/87d2e137-1d1c-4790-8e5e-daf6c96ae7d7]
Done.
done: true
metadata:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
  createTime: '2022-01-11T16:58:11.711487Z'
  resourceUri: golang:1.16.13-alpine
name: projects/my-project/locations/us/operations/87d2e137-1d1c-4790-8e5e-daf6c96ae7d7
response:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse
  scan: projects/my-project/locations/us/scans/2fe2bfb8-f0c5-4dd6-a8c8-38961869767a

Use the scan name to retrieve the vulnerability results. The scan name is the scan value on the last line of the output.

Asynchronous scan

The following example shows the output of an asynchronous scan:

$ gcloud artifacts docker images scan golang:1.17.6-alpine --async

✓ Scanning container image
  ✓ Locally extracting packages and versions from local container image
  ✓ Remotely initiating analysis of packages and versions
Done.
Check operation [projects/my-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16] for status.
metadata:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
  createTime: '2022-01-11T16:58:11.711487Z'
  resourceUri: golang:1.16.13-alpine
name: projects/my-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16

This starts a long-running operation and returns its ID without blocking your terminal. Use the operation ID (the name value on the last line of the output) to poll the operation.

Polling a long-running operation

Check the status of the operation using the operation ID from the asynchronous scan output:

gcloud artifacts docker images get-operation LRO_ID

where LRO_ID is the long-running operation ID.

Continuing the example from the asynchronous scan section, check the status of the operation:

$ gcloud artifacts docker images get-operation \
  projects/my-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16

done: true
metadata:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
  createTime: '2022-01-11T16:58:11.711487Z'
  resourceUri: golang:1.16.13-alpine
name: projects/my-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16
response:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse
  scan: projects/my-project/locations/us/scans/2fe2bfb8-f0c5-4dd6-a8c8-38961869767a

If the output contains the line done: true, the scan operation has completed. Use the scan name to retrieve the vulnerability results. The scan name is the scan value on the last line of the output.

Retrieving scan results

To retrieve the scan results after the scan operation has completed, use the following command:

gcloud artifacts docker images list-vulnerabilities SCAN_NAME [--limit=X]

where SCAN_NAME is the scan name from the previous output, and the optional --limit=X flag caps the number of occurrences returned.

For example:

createTime: '2022-01-11T16:58:11.972043Z'
kind: VULNERABILITY
name: projects/my-project/locations/us/occurrences/0c607d9b-aff4-4cde-86b7-e2c0a865aadd
noteName: projects/goog-vulnz/notes/CVE-2021-38297
resourceUri: golang:1.16.13-alpine
updateTime: '2022-01-11T16:58:11.972043Z'
vulnerability:
  cvssScore: 7.5
  effectiveSeverity: CRITICAL
  longDescription: Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow
    via large arguments in a function invocation from a WASM module, when GOARCH=wasm
    GOOS=js is used.
  packageIssue:
  - affectedCpeUri: cpe:/o:alpine:alpine_linux:3.15
    affectedPackage: go
    affectedVersion:
      fullName: 1.16.13
      kind: NORMAL
      name: 1.16.13
    effectiveSeverity: CRITICAL
    fixedCpeUri: cpe:/o:alpine:alpine_linux:3.15
    fixedPackage: go
    fixedVersion:
      fullName: 1.17.2
      kind: NORMAL
      name: 1.17.2
    packageType: GO_STDLIB
  relatedUrls:
  - label: More Info
    url: https://security-tracker.debian.org/tracker/CVE-2021-38297
  - label: More Info
    url: https://access.redhat.com/security/cve/CVE-2021-38297
  - label: More Info
    url: https://nvd.nist.gov/vuln/detail/CVE-2021-38297
  severity: HIGH
  shortDescription: CVE-2021-38297

The output of this command is a list of occurrences in Grafeas format. In this example, it shows one high-severity vulnerability found in the image.

The On-Demand Scanning API identifies two types of Go package vulnerabilities:

  • packageType: GO_STDLIB. A Go standard library vulnerability. This indicates that the vulnerability was found in the Go toolchain used to build the binary, or in the standard library bundled with that toolchain. A possible fix is to upgrade the build toolchain.

  • packageType: GO. A Go package vulnerability. This indicates that the vulnerability was found in a third-party package. A possible fix is to upgrade the dependency module.

Scan results are available for 48 hours after the scan operation completes.
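The scan, poll, retrieve and triage steps above combined into one CI gate, as an added example that is not part of this page or of the gcloud CLI. It assumes the three gcloud commands accept --format=json and return the same fields shown in the YAML output above; gcloud_json, gate_image, triage and the SAMPLE_OCCURRENCES data are constructed here.

```python
import json, subprocess, time

FAIL_SEVERITIES = {"CRITICAL", "HIGH"}
# Remediation hint per packageType, following the two Go vulnerability types above.
REMEDIATION = {"GO_STDLIB": "upgrade the Go build toolchain",
               "GO": "upgrade the dependency module"}

def gcloud_json(*args):
    """Run a gcloud command with --format=json and parse stdout (assumed supported)."""
    proc = subprocess.run(["gcloud", *args, "--format=json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def scan_name_from_operation(op):
    """Return response.scan once the operation reports done: true, else None."""
    return op["response"]["scan"] if op.get("done") else None

def triage(occurrences, fail_on=FAIL_SEVERITIES):
    """Flatten Grafeas occurrences into findings; the second value says whether to fail."""
    findings = []
    for occ in occurrences:
        if occ.get("kind") != "VULNERABILITY":
            continue
        vuln = occ["vulnerability"]
        for issue in vuln.get("packageIssue", []):
            # Per-package effective severity first, then the vulnerability's own fields.
            sev = (issue.get("effectiveSeverity") or vuln.get("effectiveSeverity")
                   or vuln.get("severity"))
            ptype = issue.get("packageType")
            findings.append({
                "cve": vuln.get("shortDescription"), "package": issue.get("affectedPackage"),
                "type": ptype, "severity": sev,
                "fix": REMEDIATION.get(ptype, "review manually") + " to "
                       + issue.get("fixedVersion", {}).get("name", "n/a")})
    return findings, any(f["severity"] in fail_on for f in findings)

def gate_image(image_uri, location="us", poll_seconds=5):
    """Scan asynchronously, poll get-operation until done, then triage (calls gcloud)."""
    base = ["artifacts", "docker", "images"]
    op = gcloud_json(*base, "scan", image_uri, "--async", f"--location={location}")
    while (scan := scan_name_from_operation(op)) is None:
        time.sleep(poll_seconds)
        op = gcloud_json(*base, "get-operation", op["name"])
    return triage(gcloud_json(*base, "list-vulnerabilities", scan))

# Constructed sample: the page's example occurrence, reduced to the fields used above.
SAMPLE_OCCURRENCES = [{"kind": "VULNERABILITY", "vulnerability": {
    "effectiveSeverity": "CRITICAL", "severity": "HIGH", "shortDescription": "CVE-2021-38297",
    "packageIssue": [{"affectedPackage": "go", "packageType": "GO_STDLIB",
                      "effectiveSeverity": "CRITICAL", "fixedVersion": {"name": "1.17.2"}}]}}]
```

In a pipeline, call gate_image with the image you just built and fail the job when the second return value is true; triage alone can be run on saved list-vulnerabilities JSON within the 48-hour retention window.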

What's next