I. Introduction
Trivy is a tool that scans container images, file systems and Git repositories for vulnerabilities and configuration issues; it is simple to use and quick to get started with. Trivy mainly detects vulnerabilities in operating-system packages (Alpine, RHEL, CentOS, etc.) and in language-specific packages such as those managed by Bundler (Ruby), Composer (PHP), npm (Node.js) and yarn (Node.js). In addition, Trivy scans infrastructure-as-code (IaC) files such as Terraform, Dockerfile and Kubernetes manifests and can detect potential configuration problems that would expose a deployment to attack. Of course, Trivy finding a vulnerability in a system package does not mean it can fix it; the actual fix still has to come from the official packages provided by vendors such as Red Hat and Debian.
II. Installation
1. Installing on RHEL/CentOS
Add the Trivy yum repository, then install it directly:
$ cd /etc/yum.repos.d
$ sudo vim /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
# gpgcheck=0 skips GPG signature verification of the downloaded packages
gpgcheck=0
enabled=1
$ sudo yum -y update
$ sudo yum -y install trivy
Or install directly from the RPM package:
rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.22.0/trivy_0.22.0_Linux-64bit.rpm
2. Installing with Homebrew
brew install aquasecurity/trivy/trivy
3. Building from source
mkdir -p $GOPATH/src/github.com/aquasecurity
cd $GOPATH/src/github.com/aquasecurity
git clone --depth 1 --branch v0.22.0 https://github.com/aquasecurity/trivy
cd trivy/cmd/trivy/
export GO111MODULE=on
go install
III. Basic usage
1. Scan an image for vulnerabilities
Just run trivy image [YOUR_IMAGE_NAME], for example:
trivy image python:3.4-alpine
2. Scan a directory for misconfigurations
Simply point Trivy at a directory containing IaC files such as Terraform or a Dockerfile with trivy config [YOUR_IAC_DIR], for example:
$ ls build/
Dockerfile
$ trivy config ./build
2021-07-09T10:06:29.188+0300 INFO Need to update the built-in policies
2021-07-09T10:06:29.188+0300 INFO Downloading the built-in policies...
2021-07-09T10:06:30.520+0300 INFO Detected config files: 1
Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+---------------------------+------------+----------------------+----------+------------------------------------------+
|           TYPE            | MISCONF ID |        CHECK         | SEVERITY |                 MESSAGE                  |
+---------------------------+------------+----------------------+----------+------------------------------------------+
| Dockerfile Security Check |   DS002    | Image user is 'root' |   HIGH   | Last USER command in                     |
|                           |            |                      |          | Dockerfile should not be 'root'          |
|                           |            |                      |          | -->avd.aquasec.com/appshield/ds002       |
+---------------------------+------------+----------------------+----------+------------------------------------------+
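The following is an added example, not code from the original post: the weak and the hardened form of the Dockerfile behind check DS002 ("last USER should not be 'root'"), plus a small shell re-implementation of that rule so both can be compared even where Trivy is not installed. The directory layout and the "app" user are assumptions.

```shell
# Added example (not from the original post). Builds two Dockerfiles, one that
# fails DS002 and one that passes, and checks the effective USER of each.
# WORK, the root/ and nonroot/ layout and the "app" user are assumptions.
WORK="${WORK:-${TMPDIR:-/tmp}/trivy-ds002-demo}"
mkdir -p "$WORK/root" "$WORK/nonroot"

# Weak: the last USER is root, so the container runs as root (DS002, HIGH).
cat > "$WORK/root/Dockerfile" <<'EOF'
FROM python:3.4-alpine
COPY app.py /app/app.py
USER root
CMD ["python", "/app/app.py"]
EOF

# Hardened: create an unprivileged user and make it the last USER.
cat > "$WORK/nonroot/Dockerfile" <<'EOF'
FROM python:3.4-alpine
RUN addgroup -S app && adduser -S -G app app
COPY --chown=app:app app.py /app/app.py
USER app
CMD ["python", "/app/app.py"]
EOF

# Print the effective user of a Dockerfile: the last USER instruction, or
# "root" when there is none, since that is Docker's default.
last_user() {
  u=$(awk 'toupper($1) == "USER" { user = $2 } END { print user }' "$1")
  printf '%s\n' "${u:-root}"
}

# Return 0 when the Dockerfile would pass DS002, 1 when it would fail
# (root by name, UID 0, or either one with a group suffix).
ds002_ok() {
  case "$(last_user "$1")" in
    root|0|root:*|0:*) return 1 ;;
    *) return 0 ;;
  esac
}

for d in root nonroot; do
  if ds002_ok "$WORK/$d/Dockerfile"; then echo "PASS $d/Dockerfile"; else echo "FAIL $d/Dockerfile (runs as root)"; fi
done

# Run the real check when Trivy is on PATH; root/ reproduces the DS002 finding above.
if command -v trivy >/dev/null 2>&1; then
  trivy config "$WORK"
fi
```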
3. Scan a Git repository
Use trivy repo <repository URL> to scan a repository. You can also scan your own private repositories, for example your company's GitLab repository, using the GITLAB_TOKEN variable for authorization:
$ trivy repo https://github.com/knqyf263/trivy-ci-test
$ export GITLAB_TOKEN="your_private_gitlab_token"
$ trivy repo <your private GitLab repo URL>
2021-03-09T15:04:19.003+0200 INFO Detecting cargo vulnerabilities...
2021-03-09T15:04:19.005+0200 INFO Detecting pipenv vulnerabilities...
Cargo.lock
==========
Total: 7 (UNKNOWN: 7, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+----------+-------------------+----------+-------------------+------------------------------+---------------------------------------------+
| LIBRARY  | VULNERABILITY ID  | SEVERITY | INSTALLED VERSION |        FIXED VERSION         |                    TITLE                    |
+----------+-------------------+----------+-------------------+------------------------------+---------------------------------------------+
| ammonia  | RUSTSEC-2019-0001 | UNKNOWN  | 1.9.0             | >= 2.1.0                     | Uncontrolled recursion leads                |
|          |                   |          |                   |                              | to abort in HTML serialization              |
|          |                   |          |                   |                              | -->rustsec.org/advisories/RUSTSEC-2019-0001 |
+----------+-------------------+          +-------------------+------------------------------+---------------------------------------------+
| openssl  | RUSTSEC-2016-0001 |          | 0.8.3             | >= 0.9.0                     | SSL/TLS MitM vulnerability                  |
|          |                   |          |                   |                              | due to insecure defaults                    |
|          |                   |          |                   |                              | -->rustsec.org/advisories/RUSTSEC-2016-0001 |
+----------+-------------------+          +-------------------+------------------------------+---------------------------------------------+
| smallvec | RUSTSEC-2018-0018 |          | 0.6.9             | >= 0.6.13                    | smallvec creates uninitialized              |
|          |                   |          |                   |                              | value of any type                           |
|          |                   |          |                   |                              | -->rustsec.org/advisories/RUSTSEC-2018-0018 |
+          +-------------------+          +                   +------------------------------+---------------------------------------------+
|          | RUSTSEC-2019-0009 |          |                   | >= 0.6.10                    | Double-free and use-after-free              |
|          |                   |          |                   |                              | in SmallVec::grow()                         |
|          |                   |          |                   |                              | -->rustsec.org/advisories/RUSTSEC-2019-0009 |
+          +-------------------+          +                   +                              +---------------------------------------------+
|          | RUSTSEC-2019-0012 |          |                   |                              | Memory corruption in SmallVec::grow()       |
|          |                   |          |                   |                              | -->rustsec.org/advisories/RUSTSEC-2019-0012 |
+          +-------------------+          +                   +------------------------------+---------------------------------------------+
|          | RUSTSEC-2021-0003 |          |                   | >= 0.6.14, < 1.0.0, >= 1.6.1 | Buffer overflow in SmallVec::insert_many    |
|          |                   |          |                   |                              | -->rustsec.org/advisories/RUSTSEC-2021-0003 |
+----------+-------------------+          +-------------------+------------------------------+---------------------------------------------+
| tempdir  | RUSTSEC-2018-0017 |          | 0.3.7             |                              | `tempdir` crate has been                    |
|          |                   |          |                   |                              | deprecated; use `tempfile` instead          |
|          |                   |          |                   |                              | -->rustsec.org/advisories/RUSTSEC-2018-0017 |
+----------+-------------------+----------+-------------------+------------------------------+---------------------------------------------+
IV. Common problems
1. Timeout error
$ trivy image ...
...
analyze error: timeout: context deadline exceeded
Scans can time out; Java in particular takes a very long time to scan. Try increasing the value of the --timeout option, for example --timeout 15m.
2. Certificate error
Error: x509: certificate signed by unknown authority
TRIVY_INSECURE can be used to allow an insecure connection (no TLS certificate verification) to the container registry when SSL is in use:
$ TRIVY_INSECURE=true trivy image [YOUR_IMAGE]
3. GitHub rate limiting
Specify GITHUB_TOKEN to authenticate; see https://developer.github.com/v3/#rate-limiting
$ trivy image ...
...
API rate limit exceeded for xxx.xxx.xxx.xxx.
4. Maven rate limiting
Trivy calls the Maven API to detect JAR files more accurately, but the many requests can exceed the rate limit. If this happens frequently, try --offline-scan to stop Trivy from making API requests. This option only affects vulnerability scanning; the vulnerability database and the built-in policies are still downloaded as usual. If you also want to skip those, try --skip-update and --skip-policy-update. Note that far fewer vulnerabilities may be found than without --offline-scan.
$ trivy image ...
...
status 403 Forbidden from http://search.maven.org/solrsearch/select
5. Running in parallel takes the same time as running in series
When several trivy processes scan different images at the same time, the total time is the same as scanning them one after another. This is a BoltDB limitation: BoltDB is a file-based database, and Bolt takes a file lock on its data file, so multiple processes cannot open the same database at once. Opening an already open Bolt database blocks until the other process closes it.
6. Error downloading the vulnerability DB
FATAL failed to download vulnerability DB
If Trivy runs behind a firewall, the following domains need to be whitelisted:
- api.github.com
- github.com
- github-releases.githubusercontent.com
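The following is an added example, not code from the original post or the Trivy project: a small wrapper that applies the advice from the FAQ above. Because Trivy's BoltDB cache holds a file lock, the images are scanned one after another instead of in parallel; the vulnerability DB is refreshed once, and each scan then runs with --skip-update, --skip-policy-update and a longer --timeout, optionally with --offline-scan. TRIVY, REPORTS, TIMEOUT and OFFLINE are assumed knobs of this script, not Trivy settings.

```shell
# Added example (not from the original post). TRIVY, REPORTS, TIMEOUT and
# OFFLINE are this script's own assumed variables, not Trivy options.
TRIVY="${TRIVY:-trivy}"                 # trivy binary (or a stand-in for tests)
REPORTS="${REPORTS:-./trivy-reports}"   # one report file per image
TIMEOUT="${TIMEOUT:-15m}"               # FAQ 1: Java scans are slow
OFFLINE="${OFFLINE:-}"                  # FAQ 4: set to 1 to add --offline-scan

# Report file name for an image reference, e.g.
# "python:3.4-alpine" -> "python_3.4-alpine.txt".
report_name() {
  printf '%s.txt\n' "$(printf '%s' "$1" | tr '/:@' '___')"
}

# One network round trip for the vulnerability DB; every scan below skips it.
refresh_db() {
  "$TRIVY" image --download-db-only
}

# Scan a single image; exit status 1 means HIGH/CRITICAL findings (or an error).
scan_one() {
  img=$1
  mkdir -p "$REPORTS"
  set -- --timeout "$TIMEOUT" --skip-update --skip-policy-update \
    --severity HIGH,CRITICAL --exit-code 1 --output "$REPORTS/$(report_name "$img")"
  if [ -n "$OFFLINE" ]; then set -- "$@" --offline-scan; fi
  "$TRIVY" image "$@" "$img"
}

# Scan the images strictly in series (FAQ 5: parallel runs just wait on the
# BoltDB lock) and return how many did not come back clean.
scan_all() {
  failed=0
  for img in "$@"; do
    if scan_one "$img"; then
      echo "clean: $img"
    else
      echo "findings or error: $img (see $REPORTS/$(report_name "$img"))"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Usage: sh scan.sh python:3.4-alpine nginx:1.21 ...
if [ "$#" -gt 0 ]; then
  refresh_db
  scan_all "$@"
fi
```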
Originally published on the WeChat official account 洋洋自语: "Trivy 初识" (A First Look at Trivy)
Compiled by 极客之音; article link: https://www.bmabk.com/index.php/post/272970.html