缘起

话说还是第一次使用docker scan命令，记录一下。

原因还是上个月的log4j漏洞问题，当时项目上有java容器，当天都修了。

这几天有同事好奇看了下docker 官方  registry:latest ，上面描述多了一行 “Couldn't retrieve Log4Shell status“ ，“An error occurred when checking if this image has been scanned for CVE-2021-44228 (a.k.a. Log4Shell). Please try again later. For more information about Log4Shell, see our blog post“

于是测试一下docker scan命令

安装

如果是老版本docker，没有安装过插件，直接运行 docker scan 是会报如下提示的.  docker: 'scan' is not a docker command.

解决方法：安装介绍在这里

https://github.com/docker/scan-cli-plugin#on-linux

安装命令如下

mkdir -p ~/.docker/cli-plugins && \
curl https://github.com/docker/scan-cli-plugin/releases/latest/download/docker-scan_linux_amd64 -L -s -S -o ~/.docker/cli-plugins/docker-scan &&\
chmod +x ~/.docker/cli-plugins/docker-scan

扫描举例

1，镜像过老，有些低危风险

拿自己的老版本镜像扫描测试一下吧，日志输出结果如下，有一些老的问题。

docker scan cnrock/2048
failed to get DockerScanID: You need to be logged in to Docker Hub to use scan feature.
please login to Docker Hub using the Docker Login command
[root@instance-20211230-2316-cc ~]# docker scan cnrock/2048^C
[root@instance-20211230-2316-cc ~]# vi ~/.docker/config.json
[root@instance-20211230-2316-cc ~]# docker --version
Docker version 20.10.11, build dea9396
[root@instance-20211230-2316-cc ~]# vi ~/.docker/config.json
[root@instance-20211230-2316-cc ~]# docker scan cnrock/2048
...
Testing cnrock/2048...
...
✗ Low severity vulnerability found in curl/libcurl
Description: Use of Incorrectly-Resolved Name or Reference
Info: https://snyk.io/vuln/SNYK-ALPINE313-CURL-1533456
Introduced through: curl/[email protected], curl/[email protected]
From: curl/[email protected]
From: curl/[email protected] > curl/[email protected]
From: curl/[email protected]
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 7.78.0-r0
...
✗ Medium severity vulnerability found in libxml2/libxml2
Description: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Info: https://snyk.io/vuln/SNYK-ALPINE313-LIBXML2-1325533
Introduced through: libxml2/[email protected], nginx-module-xslt/[email protected], libxslt/[email protected]
From: libxml2/[email protected]
From: nginx-module-xslt/[email protected] > libxml2/[email protected]
From: libxslt/[email protected] > libxml2/[email protected]
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 2.9.11-r0
...
✗ Medium severity vulnerability found in libgcrypt/libgcrypt
Description: Use of a Broken or Risky Cryptographic Algorithm
Info: https://snyk.io/vuln/SNYK-ALPINE313-LIBGCRYPT-1585259
Introduced through: libgcrypt/[email protected], libxslt/[email protected]
From: libgcrypt/[email protected]
From: libxslt/[email protected] > libgcrypt/[email protected]
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 1.8.8-r1
...
✗ Medium severity vulnerability found in curl/libcurl
Description: Use of Uninitialized Resource
Info: https://snyk.io/vuln/SNYK-ALPINE313-CURL-1533453
Introduced through: curl/[email protected], curl/[email protected]
From: curl/[email protected]
From: curl/[email protected] > curl/[email protected]
From: curl/[email protected]
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 7.78.0-r0
...
✗ Medium severity vulnerability found in curl/libcurl
Description: Insufficiently Protected Credentials
Info: https://snyk.io/vuln/SNYK-ALPINE313-CURL-1533454
Introduced through: curl/[email protected], curl/[email protected]
From: curl/[email protected]
From: curl/[email protected] > curl/[email protected]
From: curl/[email protected]
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 7.78.0-r0
...
✗ Medium severity vulnerability found in curl/libcurl
Description: Improper Validation of Integrity Check Value
Info: https://snyk.io/vuln/SNYK-ALPINE313-CURL-1533455
Introduced through: curl/[email protected], curl/[email protected]
From: curl/[email protected]
From: curl/[email protected] > curl/[email protected]
From: curl/[email protected]
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 7.78.0-r0
...
✗ Medium severity vulnerability found in curl/libcurl
Description: Insufficient Verification of Data Authenticity
Info: https://snyk.io/vuln/SNYK-ALPINE313-CURL-1585257
Introduced through: curl/[email protected], curl/[email protected]
From: curl/[email protected]
From: curl/[email protected] > curl/[email protected]
From: curl/[email protected]
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 7.79.0-r0
...
✗ Medium severity vulnerability found in busybox/busybox
Description: CVE-2021-42375
Info: https://snyk.io/vuln/SNYK-ALPINE313-BUSYBOX-1920715
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], bash/[email protected], ca-certificates/ca-certificates@20191127-r5, nginx/[email protected], nginx-module-geoip/[email protected], nginx-module-image-filter/[email protected], nginx-module-njs/[email protected], nginx-module-xslt/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: bash/[email protected] > busybox/[email protected]
and 7 more...
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 1.32.1-r7
...
✗ Medium severity vulnerability found in busybox/busybox
Description: CVE-2021-42374
Info: https://snyk.io/vuln/SNYK-ALPINE313-BUSYBOX-1920750
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], bash/[email protected], ca-certificates/ca-certificates@20191127-r5, nginx/[email protected], nginx-module-geoip/[email protected], nginx-module-image-filter/[email protected], nginx-module-njs/[email protected], nginx-module-xslt/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: bash/[email protected] > busybox/[email protected]
and 7 more...
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 1.32.1-r7
...
✗ High severity vulnerability found in openssl/libcrypto1.1
Description: Out-of-bounds Read
Info: https://snyk.io/vuln/SNYK-ALPINE313-OPENSSL-1569446
Introduced through: openssl/[email protected], openssl/[email protected], apk-tools/[email protected], libtls-standalone/[email protected], ca-certificates/ca-certificates@20191127-r5, curl/[email protected], nginx/[email protected]
From: openssl/[email protected]
From: openssl/[email protected] > openssl/[email protected]
From: apk-tools/[email protected] > openssl/[email protected]
and 9 more...
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 1.1.1l-r0
...
✗ High severity vulnerability found in libgcrypt/libgcrypt
Description: Information Exposure
Info: https://snyk.io/vuln/SNYK-ALPINE313-LIBGCRYPT-1315676
Introduced through: libgcrypt/[email protected], libxslt/[email protected]
From: libgcrypt/[email protected]
From: libxslt/[email protected] > libgcrypt/[email protected]
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 1.8.8-r0
...
✗ High severity vulnerability found in curl/libcurl
Description: Cleartext Transmission of Sensitive Information
Info: https://snyk.io/vuln/SNYK-ALPINE313-CURL-1585248
Introduced through: curl/[email protected], curl/[email protected]
From: curl/[email protected]
From: curl/[email protected] > curl/[email protected]
From: curl/[email protected]
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 7.79.0-r0
...
✗ High severity vulnerability found in busybox/busybox
Description: CVE-2021-42383
Info: https://snyk.io/vuln/SNYK-ALPINE313-BUSYBOX-1920735
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], bash/[email protected], ca-certificates/ca-certificates@20191127-r5, nginx/[email protected], nginx-module-geoip/[email protected], nginx-module-image-filter/[email protected], nginx-module-njs/[email protected], nginx-module-xslt/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: bash/[email protected] > busybox/[email protected]
and 7 more...
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 1.32.1-r7
...
✗ High severity vulnerability found in busybox/busybox
Description: CVE-2021-42381
Info: https://snyk.io/vuln/SNYK-ALPINE313-BUSYBOX-1920736
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], bash/[email protected], ca-certificates/ca-certificates@20191127-r5, nginx/[email protected], nginx-module-geoip/[email protected], nginx-module-image-filter/[email protected], nginx-module-njs/[email protected], nginx-module-xslt/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: bash/[email protected] > busybox/[email protected]
and 7 more...
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 1.32.1-r7
...
✗ High severity vulnerability found in busybox/busybox
Description: CVE-2021-42380
Info: https://snyk.io/vuln/SNYK-ALPINE313-BUSYBOX-1920742
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], bash/[email protected], ca-certificates/ca-certificates@20191127-r5, nginx/[email protected], nginx-module-geoip/[email protected], nginx-module-image-filter/[email protected], nginx-module-njs/[email protected], nginx-module-xslt/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: bash/[email protected] > busybox/[email protected]
and 7 more...
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 1.32.1-r7
...
✗ High severity vulnerability found in busybox/busybox
Description: CVE-2021-42386
Info: https://snyk.io/vuln/SNYK-ALPINE313-BUSYBOX-1920743
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], bash/[email protected], ca-certificates/ca-certificates@20191127-r5, nginx/[email protected], nginx-module-geoip/[email protected], nginx-module-image-filter/[email protected], nginx-module-njs/[email protected], nginx-module-xslt/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: bash/[email protected] > busybox/[email protected]
and 7 more...
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 1.32.1-r7
...
✗ High severity vulnerability found in busybox/busybox
Description: CVE-2021-42379
Info: https://snyk.io/vuln/SNYK-ALPINE313-BUSYBOX-1920746
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], bash/[email protected], ca-certificates/ca-certificates@20191127-r5, nginx/[email protected], nginx-module-geoip/[email protected], nginx-module-image-filter/[email protected], nginx-module-njs/[email protected], nginx-module-xslt/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: bash/[email protected] > busybox/[email protected]
and 7 more...
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 1.32.1-r7
...
✗ High severity vulnerability found in busybox/busybox
Description: CVE-2021-42382
Info: https://snyk.io/vuln/SNYK-ALPINE313-BUSYBOX-1920751
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], bash/[email protected], ca-certificates/ca-certificates@20191127-r5, nginx/[email protected], nginx-module-geoip/[email protected], nginx-module-image-filter/[email protected], nginx-module-njs/[email protected], nginx-module-xslt/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: bash/[email protected] > busybox/[email protected]
and 7 more...
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 1.32.1-r7
...
✗ High severity vulnerability found in busybox/busybox
Description: CVE-2021-42378
Info: https://snyk.io/vuln/SNYK-ALPINE313-BUSYBOX-1920752
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], bash/[email protected], ca-certificates/ca-certificates@20191127-r5, nginx/[email protected], nginx-module-geoip/[email protected], nginx-module-image-filter/[email protected], nginx-module-njs/[email protected], nginx-module-xslt/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: bash/[email protected] > busybox/[email protected]
and 7 more...
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 1.32.1-r7
...
✗ High severity vulnerability found in busybox/busybox
Description: CVE-2021-42384
Info: https://snyk.io/vuln/SNYK-ALPINE313-BUSYBOX-1920759
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], bash/[email protected], ca-certificates/ca-certificates@20191127-r5, nginx/[email protected], nginx-module-geoip/[email protected], nginx-module-image-filter/[email protected], nginx-module-njs/[email protected], nginx-module-xslt/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: bash/[email protected] > busybox/[email protected]
and 7 more...
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 1.32.1-r7
...
✗ High severity vulnerability found in busybox/busybox
Description: CVE-2021-42385
Info: https://snyk.io/vuln/SNYK-ALPINE313-BUSYBOX-1920760
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], bash/[email protected], ca-certificates/ca-certificates@20191127-r5, nginx/[email protected], nginx-module-geoip/[email protected], nginx-module-image-filter/[email protected], nginx-module-njs/[email protected], nginx-module-xslt/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: bash/[email protected] > busybox/[email protected]
and 7 more...
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 1.32.1-r7
...
✗ Critical severity vulnerability found in openssl/libcrypto1.1
Description: Buffer Overflow
Info: https://snyk.io/vuln/SNYK-ALPINE313-OPENSSL-1569448
Introduced through: openssl/[email protected], openssl/[email protected], apk-tools/[email protected], libtls-standalone/[email protected], ca-certificates/ca-certificates@20191127-r5, curl/[email protected], nginx/[email protected]
From: openssl/[email protected]
From: openssl/[email protected] > openssl/[email protected]
From: apk-tools/[email protected] > openssl/[email protected]
and 9 more...
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 1.1.1l-r0
...
✗ Critical severity vulnerability found in curl/libcurl
Description: Double Free
Info: https://snyk.io/vuln/SNYK-ALPINE313-CURL-1585246
Introduced through: curl/[email protected], curl/[email protected]
From: curl/[email protected]
From: curl/[email protected] > curl/[email protected]
From: curl/[email protected]
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 7.79.0-r0
...
✗ Critical severity vulnerability found in apk-tools/apk-tools
Description: Out-of-bounds Read
Info: https://snyk.io/vuln/SNYK-ALPINE313-APKTOOLS-1533754
Introduced through: apk-tools/[email protected]
From: apk-tools/[email protected]
Image layer: Introduced by your base image (nginx:1.20-alpine)
Fixed in: 2.12.6-r0
...
Package manager: apk
Project name: docker-image|cnrock/2048
Docker image: cnrock/2048
Platform: linux/amd64
Base image: nginx:1.20-alpine
...
Tested 44 dependencies for known vulnerabilities, found 24 vulnerabilities.
...
Your base image is out of date
1) Pull the latest version of your base image by running 'docker pull nginx:1.20-alpine'
2) Rebuild your local image
...
For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp

2，镜像过老，有log4j漏洞风险

elastic/logstash:7.13.3

上面这个版本有漏洞， 扫描最后结果当中有  WARNING: Critical severity vulnerabilities were found with Log4j! 提示


✔ Tested elastic/logstash:7.13.3 for known issues, no vulnerable paths found.
Tested 88 projects, 9 contained vulnerable paths.
⚠ WARNING: Critical severity vulnerabilities were found with Log4j!
- SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720 (See https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720)
We highly recommend fixing this vulnerability. If it cannot be fixed by upgrading, see mitigation information here:
- https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720
- https://snyk.io/blog/log4shell-remediation-cheat-sheet/

3，镜像完全没问题提示

Testing docker.io/cnrock/2048:v3...
Organization: cnrock
Package manager: apk
Project name: docker-image|docker.io/cnrock/2048
Docker image: docker.io/cnrock/2048:v3
Platform: linux/amd64
Base image: alpine:3.15.0
Licenses: enabled
✔ Tested 26 dependencies for known issues, no vulnerable paths found.
According to our scan, you are currently using the most secure version of the selected base image

其他问题

扫描次数超限提示

docker scan elastic/logstash:7.13.3
You have reached the scan limit of 10 monthly scans without authentication.
For additional monthly scans, sign into or sign up for Snyk for free with the following command:
docker scan --login

使用token绑定即可。

其他

如果前面直接token绑定失败

Console prints out: "Authentication failed. Please check the API token on https://snyk.io"

可以去 https://app.snyk.io/account 这个地址，拿到token，手动跑一下命令 docker scan --login --token "YOUR_SNYK_API_TOKEN"

有空研究下 https://snyk.io/

Develop fast. Stay secure.
Find and automatically fix vulnerabilities in your code, open source dependencies, containers, and infrastructure as code — all powered by Snyk’s industry-leading security intelligence.