Scan Go packages manually

This quickstart shows how to pull a container image, scan it manually with On-Demand Scanning, and retrieve the vulnerabilities identified in both the system packages and the Go packages. In this quickstart you use Cloud Shell and a sample Alpine-based image.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the On-Demand Scanning API.

    Enable the API


Download and scan an image

  1. Open Cloud Shell in your project.

    Open Cloud Shell

    A terminal opens with all of the tools you need to follow this guide.

  2. Pull the container image with Docker:

    docker pull golang:1.17.6-alpine
    
  3. Run the scan:

    gcloud artifacts docker images scan golang:1.17.6-alpine --additional-package-types=GO
    

    This starts the scan and, when it completes, returns the scan name:

    ✓ Scanning container image
      ✓ Locally extracting packages and versions from local container image
      ✓ Remotely initiating analysis of packages and versions
      ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/849db1f8-2fb2-4559-9fe0-8720d8cd347c]
    Done.
    done: true
    metadata:
      '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
      createTime: '2022-01-11T16:58:11.711487Z'
      resourceUri: golang:1.16.13-alpine
    name: projects/my-project/locations/us/operations/f4adb1f8-20b2-4579-9fe0-8720d8cd347c
    response:
      '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse
      scan: projects/my-project/locations/us/scans/a54f12b0-ca2d-4d93-8da5-5cf48e9e20ef
    
  4. Use the scan name (the `scan` value in the output) to retrieve the scan results:

    gcloud artifacts docker images list-vulnerabilities \
    projects/my-project/locations/us/scans/a54f12b0-ca2d-4d93-8da5-5cf48e9e20ef
    

    The output contains a list of vulnerabilities in Go, in the Go standard library, and in Linux packages. The following labels identify the type of a Go vulnerability:

    • packageType:GO_STDLIB. Go standard library vulnerability. This indicates that the vulnerability was found either in the Go toolchain used to build the binary or in the standard library bundled with that toolchain. One possible remediation is to upgrade your build toolchain.

    • packageType:GO. Go package vulnerability. This indicates that the vulnerability was found in a third-party package. One possible remediation is to upgrade the affected module.
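The three steps above chained into one script, as an added example that is not part of the Google Cloud quickstart. It extracts the scan name from the scan command's output, groups the findings by `packageType`, and maps each Go type to the remediation described above. It assumes that `gcloud` and `docker` are installed and authenticated; the `--format` projection it uses for the live run is gcloud's generic resource-formatting flag (field names follow the vulnerability occurrence schema) and is not specific to the scanning commands. The sample scan output and sample findings are constructed for offline use and are not real scan results.

```shell
#!/bin/sh
# Added example, not the quickstart's own code. Chains pull -> scan ->
# list-vulnerabilities and summarises findings by packageType.

# Extract the scan name (the `scan:` value under `response:`) from the
# YAML that `gcloud artifacts docker images scan` prints.
scan_name_from_output() {
  awk '$1 == "scan:" { print $2; exit }'
}

# Count CSV lines of the form
#   packageType,severity,affectedPackage,fixAvailable
# (the csv[no-heading] projection used in run_live below), printing one
# "packageType count" line per type, sorted bytewise for stable output.
count_by_package_type() {
  awk -F, '$1 != "" { n[$1]++ }
           END { for (t in n) print t, n[t] }' | LC_ALL=C sort
}

# Remediation per packageType, as the quickstart describes it for the
# two Go types; anything else is left to the full list-vulnerabilities output.
remediation_for() {
  case "$1" in
    GO_STDLIB) echo "upgrade the Go build toolchain" ;;
    GO)        echo "upgrade the affected module" ;;
    *)         echo "not a Go finding; review the list-vulnerabilities output" ;;
  esac
}

# Live run of the quickstart steps (requires gcloud, docker, billing, API).
# The --format projection is gcloud's generic formatting option (assumption:
# field names as in the vulnerability occurrence schema).
run_live() {
  image=${1:-golang:1.17.6-alpine}
  docker pull "$image" >/dev/null
  scan=$(gcloud artifacts docker images scan "$image" \
           --additional-package-types=GO | scan_name_from_output)
  gcloud artifacts docker images list-vulnerabilities "$scan" \
    --format='csv[no-heading](vulnerability.packageIssue[0].packageType,vulnerability.effectiveSeverity,vulnerability.packageIssue[0].affectedPackage,vulnerability.packageIssue[0].fixAvailable)'
}

# Constructed sample of the scan command's output (trimmed to the relevant keys).
SAMPLE_SCAN_OUTPUT='done: true
response:
  scan: projects/my-project/locations/us/scans/a54f12b0-ca2d-4d93-8da5-5cf48e9e20ef'

# Constructed sample findings in the CSV shape produced by run_live; made up.
SAMPLE_FINDINGS='GO_STDLIB,HIGH,stdlib,true
GO_STDLIB,MEDIUM,stdlib,true
GO,CRITICAL,golang.org/x/text,true
OS,LOW,busybox,false'

# Report each packageType with its count and remediation hint.
report() {
  count_by_package_type | while read -r type n; do
    echo "$type: $n finding(s); remediation: $(remediation_for "$type")"
  done
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
  run_live "$@" | report
else
  echo "scan name: $(printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | scan_name_from_output)"
  printf '%s\n' "$SAMPLE_FINDINGS" | report
fi
```

Run it as-is to see the offline summary of the constructed sample, or with `RUN_LIVE=1` and an optional image reference to run the real quickstart steps against your project; `--format=json` on the `list-vulnerabilities` command gives the full occurrences if you need more than the four projected fields.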

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

  1. In the Google Cloud console, go to the Manage resources page.

    Go to Manage resources

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

What's next