借助 On-Demand Scanning API,您可以扫描本地计算机上存储的映像,也可以扫描 Artifact Registry 中远程存储的映像。您可以在 CI/CD 流水线中使用 On-Demand Scanning 扫描映像,以检查是否存在系统漏洞和 Java (Maven) 软件包漏洞,然后再决定是否将其存储在注册数据库中。如需了解价格信息,请参阅价格页面。
本页面介绍了如何手动扫描容器映像以查找系统漏洞和 Maven 软件包漏洞。
准备工作
- 登录您的 Google Cloud 账号。如果您是 Google Cloud新手,请 创建一个账号来评估我们的产品在实际场景中的表现。新客户还可获享 $300 赠金,用于运行、测试和部署工作负载。
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator role
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Verify that billing is enabled for your Google Cloud project.
Enable the On-Demand Scanning API.
Roles required to enable APIs
To enable APIs, you need the
serviceusage.services.enablepermission. If you created the project, then you likely already have this permission through the Owner role (roles/owner). Otherwise, you can get this permission through the Service Usage Admin role (roles/serviceusage.serviceUsageAdmin). Learn how to grant roles.-
安装 Google Cloud CLI。
-
如果您使用的是外部身份提供方 (IdP),则必须先使用联合身份登录 gcloud CLI。
-
如需初始化 gcloud CLI,请运行以下命令:
gcloud init -
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator role
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Verify that billing is enabled for your Google Cloud project.
Enable the On-Demand Scanning API.
Roles required to enable APIs
To enable APIs, you need the
serviceusage.services.enablepermission. If you created the project, then you likely already have this permission through the Owner role (roles/owner). Otherwise, you can get this permission through the Service Usage Admin role (roles/serviceusage.serviceUsageAdmin). Learn how to grant roles.-
安装 Google Cloud CLI。
-
如果您使用的是外部身份提供方 (IdP),则必须先使用联合身份登录 gcloud CLI。
-
如需初始化 gcloud CLI,请运行以下命令:
gcloud init -
将 local-extract 组件添加到您的 Google Cloud CLI 安装中
使用 Google Cloud CLI 组件管理器
首次运行扫描命令时,组件管理器会提示您安装所需组件。
使用系统软件包管理器
-
对于 Debian/Ubuntu:
sudo apt install google-cloud-sdk-local-extract
-
对于 Red Hat/Fedora/CentOS:
sudo dnf install google-cloud-sdk-local-extract
或者,您也可以将上一个命令中的
dnf替换为yum。
-
对于 Debian/Ubuntu:
- 向您将用于按需扫描的用户或服务账号授予 IAM 角色 按需扫描管理员。如果您使用项目的所有者账号运行扫描,可以跳过此步骤。
扫描容器映像
本地扫描:
gcloud artifacts docker images scan IMAGE_URI \ [--location=(us,europe,asia)] [--async]对于本地映像,请使用以下某种格式的 IMAGE_URI:
REPOSITORY:TAGREPOSITORY
远程扫描:
gcloud artifacts docker images scan IMAGE_URI \ --remote [--location=(us,europe,asia)] [--async]对于远程映像,请使用以下格式之一来表示 IMAGE_URI:
HOSTNAME/PROJECT_ID/REPOSITORY_ID/IMAGE_ID@sha256:HASHHOSTNAME/PROJECT_ID/REPOSITORY_ID/IMAGE_ID:HASHHOSTNAME/PROJECT_ID/REPOSITORY_ID/IMAGE_IDHOSTNAME/PROJECT_ID/IMAGE_ID@sha256:HASHHOSTNAME/PROJECT_ID/IMAGE_ID:HASHHOSTNAME/PROJECT_ID/IMAGE_ID
对于 Artifact Registry 中的映像,IMAGE_URI 必须包含
REPOSITORY_ID。
对于本地扫描和远程扫描,您都可以使用以下可选标志:
--location是一个可选标志,用于手动选择扫描发生的多区域。选择离您实际位置较近的多区域可最大限度地缩短延迟时间。可用的位置包括:us、europe和asia。默认位置是us。--async是一个可选标志,用于异步运行扫描流程。如果您省略此标志,终端将一直处于阻塞状态,直到扫描过程完成。
同步扫描
以下示例展示了不含 --async 标志的同步扫描的输出:
$ gcloud artifacts docker images scan jenkins:2.60.3-alpine ✓ Scanning container image ✓ Locally extracting packages and versions from local container image ✓ Remotely initiating analysis of packages and versions ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/87d2e137-1d1c-4790-8e5e-daf6c96ae7d7] Done. done: true metadata: '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata createTime: '2021-01-05T23:03:04.185261Z' resourceUri: jenkins:2.60.3-alpine name: projects/my-project/locations/us/operations/87d2e137-1d1c-4790-8e5e-daf6c96ae7d7 response: '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse scan: projects/my-project/locations/us/scans/2fe2bfb8-f0c5-4dd6-a8c8-38961869767a
使用扫描名称检索漏洞结果。在示例中,扫描名称是输出消息最后一行中 scan 的值。
异步扫描
以下示例显示了执行异步扫描的输出:
$ gcloud artifacts docker images scan jenkins:2.60.3-alpine --async ✓ Scanning container image ✓ Locally extracting packages and versions from local container image ✓ Remotely initiating analysis of packages and versions Done. Check operation [projects/cloud-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16] for status. metadata: '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata createTime: '2021-01-05T23:04:54.393510Z' resourceUri: jenkins:2.60.3-alpine name: projects/my-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16
此命令会启动一个长时间运行的操作,并返回其 ID,而不会阻塞您的终端。使用输出消息最后一行的 name 值(即操作 ID)轮询操作。
轮询长时间运行的操作
使用异步扫描命令输出中的操作 ID 来检查操作状态:
gcloud artifacts docker images get-operation LRO_ID
其中,LRO_ID 是长时间运行的操作 ID。
继续使用异步扫描部分的示例,检查操作的状态:
$ gcloud artifacts docker images get-operation \ projects/cloud-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16 done: true metadata: '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata createTime: '2021-01-05T23:04:54.393510Z' resourceUri: jenkins:2.60.3-alpine name: projects/my-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16 response: '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse scan: projects/my-project/locations/us/scans/2fe2bfb8-f0c5-4dd6-a8c8-38961869767a
如果输出包含 done: true 行,则表示扫描操作已完成。使用扫描名称检索漏洞结果。
扫描名称是输出消息最后一行的 scan 值。
检索扫描结果
如需在扫描操作完成后检索扫描结果,请使用以下命令:
gcloud artifacts docker images list-vulnerabilities SCAN_NAME [--limit=X]
其中:
SCAN_NAME 是扫描名称。当您在扫描完成后运行同步扫描或轮询长时间运行的操作时,可以在输出的最后一行中找到该值。
--limit=X是一个可选标志,用于限制输出中显示的出现次数。X是一个数值。
例如:
createTime: '2021-06-29T17:01:18.819477Z'
kind: VULNERABILITY
name: projects/my-project/locations/us/occurrences/06305977-f557-4772-8586-4260684291d3
noteName: projects/my-project/notes/CVE-2014-0114
resourceUri: jenkins:2.60.3-alpine
updateTime: '2021-06-29T17:01:18.819477Z'
vulnerability:
cvssScore: 4.3
effectiveSeverity: MEDIUM
longDescription: http/conn/ssl/SSLConnectionSocketFactory.java in ...
packageIssue:
- affectedCpeUri: cpe:/o:alpine:alpine_linux:3.13
affectedPackage: org.apache.httpcomponents:httpclient
affectedVersion:
fullName: 4.0.2
kind: NORMAL
name: 4.0.2
effectiveSeverity: MEDIUM
fixedCpeUri: cpe:/o:alpine:alpine_linux:3.13
fixedPackage: org.apache.httpcomponents:httpclient
fixedVersion:
fullName: 4.3.6
kind: NORMAL
name: 4.3.6
packageType: MAVEN
relatedUrls:
- label: More Info
url: https://security-tracker.debian.org/tracker/CVE-2015-5262
severity: MEDIUM
shortDescription: CVE-2015-5262
此命令的输出是采用 Grafeas 格式的出现次数列表。在本例中,它显示了在映像中发现的一个中级严重程度的漏洞。Maven 软件包漏洞包含 packageType:MAVEN 字段。
扫描结果在扫描操作完成后可供查看 48 小时。
后续步骤
- 在 Cloud Build 流水线中使用 On-Demand Scanning API。
- 使用 Artifact Analysis 扫描并持续更新存储在 Artifact Registry 中的映像的漏洞信息。