We are building a Docker image based on `mcr.microsoft.com/dotnet/core/aspnet:3.1-alpine`, and the Dockerfile includes a Trivy security scan. Here is an excerpt of the Dockerfile:
```dockerfile
# Build runtime image (Alpine)
FROM mcr.microsoft.com/dotnet/core/aspnet:3.1-alpine
# Upgrade the Alpine Image
RUN apk update
RUN apk upgrade
RUN apk search -a|grep containerd|sort
RUN apk add --upgrade containerd
RUN apk add icu-libs
# https://www.abhith.net/blog/docker-sql-error-on-aspnet-core-alpine/
ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=false
# Check Security with trivy
RUN apk add curl \
 && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin \
 && trivy filesystem --exit-code 1 --skip-dirs /user/local/bin/trivy --severity MEDIUM,HIGH,CRITICAL --no-progress / \
 && rm -rf /root/.cache/ \
 && rm -rf /usr/local/bin/trivy \
 && apk del curl
```
The Dockerfile contains an `apk upgrade` to pull the latest package versions in Alpine. We printed the version of the containerd package, and it output `containerd-1.4.8-r0`, which should have no vulnerabilities. However, Trivy still outputs the following:
```
usr/local/bin/trivy (gobinary)
==============================
Total: 1 (MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
|             LIBRARY              | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION  |                 TITLE                 |
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
| github.com/containerd/containerd | CVE-2021-32760   | MEDIUM   | v1.4.4            | v1.4.8, v1.5.4 | containerd: pulling and               |
|                                  |                  |          |                   |                | extracting crafted container          |
|                                  |                  |          |                   |                | image may result in Unix file...      |
|                                  |                  |          |                   |                | -->avd.aquasec.com/nvd/cve-2021-32760 |
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
```
This shows that Trivy detected version 1.4.4. I'm not sure what to try next.
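As an added example (not the poster's Dockerfile), the same scan step with the scanner binary excluded from its own scan: the finding above is reported for the target `usr/local/bin/trivy (gobinary)`, i.e. the `github.com/containerd/containerd` Go module compiled into the Trivy binary, which `apk upgrade` of the Alpine `containerd` package cannot change, and the original `--skip-dirs /user/local/bin/trivy` both misspells `/usr` and names a file rather than a directory. Using `--skip-files` for that path is my suggestion, based on the Trivy CLI flag of that name.

```dockerfile
# Build runtime image (Alpine)
FROM mcr.microsoft.com/dotnet/core/aspnet:3.1-alpine

# Upgrade apk-managed packages. This does not affect Go modules that are
# statically linked into a binary such as trivy itself.
RUN apk update && apk upgrade && apk add icu-libs
ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=false

# Scan the image filesystem with Trivy, then remove the scanner.
# --skip-files matches a file path; --skip-dirs only matches directories,
# so the scanner binary (and the containerd module vendored into it) is
# left out of the results instead of being reported against the image.
RUN apk add --no-cache curl \
 && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh \
      | sh -s -- -b /usr/local/bin \
 && trivy filesystem \
      --exit-code 1 \
      --skip-files /usr/local/bin/trivy \
      --severity MEDIUM,HIGH,CRITICAL \
      --no-progress / \
 && rm -rf /root/.cache/ /usr/local/bin/trivy \
 && apk del curl
```

Running `trivy image` against the built image from the CI host avoids installing the scanner inside the artifact at all, so its own dependencies never appear in the image's results.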