Scanning Java packages manually

You can use the On-Demand Scanning API to scan images stored locally on your computer or remotely in Artifact Registry or Container Registry. In a CI/CD pipeline, you can use On-Demand Scanning to scan an image for system vulnerabilities and Java (Maven) package vulnerabilities before deciding whether to store the image in a registry. For pricing information, see the pricing page.

This page explains how to scan a container image manually for system vulnerabilities and Maven package vulnerabilities.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  3. Make sure that billing is enabled for your Google Cloud project.
  4. Enable the On-Demand Scanning API.
  5. Install the Google Cloud CLI.
  6. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
  7. To initialize the gcloud CLI, run the following command:

    gcloud init

  8. Add the local-extract component to your Google Cloud CLI installation:

    Using the Google Cloud CLI component manager

    The first time you run a scan command, the component manager prompts you to install the required components.

    Using your system package manager

    • Debian/Ubuntu:
      sudo apt install google-cloud-sdk-local-extract
    • Red Hat/Fedora/CentOS:
      sudo dnf install google-cloud-sdk-local-extract

      Alternatively, replace dnf with yum in the preceding command.

  9. Grant the On-Demand Scanning Admin IAM role to the user or service account that you will use with On-Demand Scanning. If you run scans with the project's owner account, you can skip this step.
  10. Scan the container image

    • Local scan:

      gcloud artifacts docker images scan IMAGE_URI \
          [--location=(us,europe,asia)] [--async]

      For a local image, IMAGE_URI uses one of the following formats:

      • REPOSITORY:TAG
      • REPOSITORY
    • Remote scan:

      gcloud artifacts docker images scan IMAGE_URI \
           --remote [--location=(us,europe,asia)] [--async]

      For a remote image, IMAGE_URI uses one of the following formats:

      • HOSTNAME/PROJECT_ID/REPOSITORY_ID/IMAGE_ID@sha256:HASH
      • HOSTNAME/PROJECT_ID/REPOSITORY_ID/IMAGE_ID:HASH
      • HOSTNAME/PROJECT_ID/REPOSITORY_ID/IMAGE_ID
      • HOSTNAME/PROJECT_ID/IMAGE_ID@sha256:HASH
      • HOSTNAME/PROJECT_ID/IMAGE_ID:HASH
      • HOSTNAME/PROJECT_ID/IMAGE_ID

      For images in Artifact Registry, IMAGE_URI must include REPOSITORY_ID.

    For both local and remote scans, you can use the following optional flags:

    • --location is an optional flag that lets you select the multi-region in which the scan runs. Choose the multi-region closest to your physical location to minimize latency. Available locations are us, europe, and asia. The default is us.

    • --async is an optional flag that runs the scan asynchronously. If you omit this flag, the terminal blocks until the scan completes.

    Synchronous scan

    The following example shows the output of a synchronous scan, run without the --async flag:

    $ gcloud artifacts docker images scan jenkins:2.60.3-alpine
    
    ✓ Scanning container image
      ✓ Locally extracting packages and versions from local container image
      ✓ Remotely initiating analysis of packages and versions
      ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/87d2e137-1d1c-4790-8e5e-daf6c96ae7d7]
    Done.
    done: true
    metadata:
      '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
      createTime: '2021-01-05T23:03:04.185261Z'
      resourceUri: jenkins:2.60.3-alpine
    name: projects/my-project/locations/us/operations/87d2e137-1d1c-4790-8e5e-daf6c96ae7d7
    response:
      '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse
      scan: projects/my-project/locations/us/scans/2fe2bfb8-f0c5-4dd6-a8c8-38961869767a
    

    Use the scan name to retrieve the vulnerability results. In this example, the scan name is the scan value on the last line of the output.

    Asynchronous scan

    The following example shows the output of an asynchronous scan:

    $ gcloud artifacts docker images scan jenkins:2.60.3-alpine --async
    
    ✓ Scanning container image
      ✓ Locally extracting packages and versions from local container image
      ✓ Remotely initiating analysis of packages and versions
    Done.
    Check operation [projects/cloud-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16] for status.
    metadata:
      '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
      createTime: '2021-01-05T23:04:54.393510Z'
      resourceUri: jenkins:2.60.3-alpine
    name: projects/my-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16
    

    This starts a long-running operation and returns its ID without blocking the terminal. Use the operation ID (the name value on the last line of the output) to poll the operation.

    Polling the long-running operation

    Use the operation ID from the output of the asynchronous scan command to check the operation's status:

    gcloud artifacts docker images get-operation LRO_ID
    

    where LRO_ID is the ID of the long-running operation.

    Continuing the example from the asynchronous scan section, check the operation's status:

    $ gcloud artifacts docker images get-operation \
      projects/cloud-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16
    
    done: true
    metadata:
      '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
      createTime: '2021-01-05T23:04:54.393510Z'
      resourceUri: jenkins:2.60.3-alpine
    name: projects/my-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16
    response:
      '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse
      scan: projects/my-project/locations/us/scans/2fe2bfb8-f0c5-4dd6-a8c8-38961869767a
    

    If the output contains the line done: true, the scan has completed. Use the scan name to retrieve the vulnerability results. The scan name is the scan value on the last line of the output.

    Retrieving scan results

    After the scan completes, retrieve the results with the following command:

    gcloud artifacts docker images list-vulnerabilities SCAN_NAME [--limit=X]
    

    where:

    • SCAN_NAME is the scan name. After the scan completes, this value appears on the last line of the output of the synchronous scan or of polling the long-running operation.

    • --limit=X is an optional flag that limits the number of occurrences shown in the output. X is a number.

    For example:

    createTime: '2021-06-29T17:01:18.819477Z'
    kind: VULNERABILITY
    name: projects/my-project/locations/us/occurrences/06305977-f557-4772-8586-4260684291d3
    noteName: projects/my-project/notes/CVE-2014-0114
    resourceUri: jenkins:2.60.3-alpine
    updateTime: '2021-06-29T17:01:18.819477Z'
    vulnerability:
      cvssScore: 4.3
      effectiveSeverity: MEDIUM
      longDescription: http/conn/ssl/SSLConnectionSocketFactory.java in ...
      packageIssue:
      - affectedCpeUri: cpe:/o:alpine:alpine_linux:3.13
        affectedPackage: org.apache.httpcomponents:httpclient
        affectedVersion:
          fullName: 4.0.2
          kind: NORMAL
          name: 4.0.2
        effectiveSeverity: MEDIUM
        fixedCpeUri: cpe:/o:alpine:alpine_linux:3.13
        fixedPackage: org.apache.httpcomponents:httpclient
        fixedVersion:
          fullName: 4.3.6
          kind: NORMAL
          name: 4.3.6
        packageType: MAVEN
      relatedUrls:
      - label: More Info
        url: https://security-tracker.debian.org/tracker/CVE-2015-5262
      severity: MEDIUM
      shortDescription: CVE-2015-5262
    

    The output of this command is a list of occurrences in Grafeas format. In this example, one medium-severity vulnerability was found in the image. Maven package vulnerabilities carry the field packageType: MAVEN.

    Scan results are retained for 48 hours after the scan completes.

    What's next
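The following script is an added example and is not part of the Google Cloud documentation or the gcloud CLI. It ties the three steps above (asynchronous scan, polling the operation until done: true, listing vulnerabilities for the scan name) into a CI/CD gate that fails the job when findings at or above a severity threshold are present. The parsing functions work on the YAML shapes shown in the outputs above; the sample outputs at the bottom are constructed to mirror those shapes (the second finding, CVE-EXAMPLE-0001, is a placeholder, and the --- separator between listed occurrences is assumed from gcloud's YAML list output). gate_image() is the only function that calls gcloud and is not exercised offline.

```shell
#!/bin/sh
# Added example: CI/CD gate around On-Demand Scanning (not Google's own code).
set -eu

# Operation name from `... scan IMAGE --async` output (the top-level "name:" line).
operation_from_scan_output() {
  sed -n 's/^name: *//p' | head -n 1
}

# Scan name from a finished operation (the "scan:" line under "response:").
scan_from_operation_output() {
  sed -n 's/^ *scan: *//p' | head -n 1
}

# Succeeds only if the operation output contains the "done: true" line.
operation_is_done() {
  grep -q '^done: true$'
}

# Numeric rank for a Grafeas severity so thresholds can be compared.
severity_rank() {
  case "$1" in
    CRITICAL) echo 4 ;;
    HIGH)     echo 3 ;;
    MEDIUM)   echo 2 ;;
    LOW)      echo 1 ;;
    *)        echo 0 ;;   # MINIMAL, unknown, or unspecified
  esac
}

# Count occurrences whose vulnerability-level effectiveSeverity ranks at or
# above $1. Only lines indented by exactly two spaces are read, which skips the
# per-packageIssue copy of the field (indented further), so each occurrence
# counts once.
count_at_or_above() {
  min_rank=$(severity_rank "$1")
  n=0
  for sev in $(sed -n 's/^  effectiveSeverity: *//p'); do
    if [ "$(severity_rank "$sev")" -ge "$min_rank" ]; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Count package issues that are Maven artifacts (packageType: MAVEN).
count_maven_issues() {
  grep -c '^ *packageType: MAVEN$' || true
}

# End-to-end gate: async scan, poll until done, then fail on findings at or
# above THRESHOLD (default HIGH). Needs gcloud and the IAM role from the page;
# not run offline.
gate_image() {
  image="$1"
  threshold="${2:-HIGH}"
  op=$(gcloud artifacts docker images scan "$image" --async | operation_from_scan_output)
  until gcloud artifacts docker images get-operation "$op" | operation_is_done; do
    sleep 10
  done
  scan=$(gcloud artifacts docker images get-operation "$op" | scan_from_operation_output)
  findings=$(gcloud artifacts docker images list-vulnerabilities "$scan" | count_at_or_above "$threshold")
  echo "$image: $findings finding(s) at or above $threshold"
  [ "$findings" -eq 0 ]
}

# --- Constructed sample output, shaped like the documentation's examples ---
SAMPLE_ASYNC=$(cat <<'EOF'
Done.
Check operation [projects/my-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16] for status.
metadata:
  resourceUri: jenkins:2.60.3-alpine
name: projects/my-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16
EOF
)
SAMPLE_OPERATION=$(cat <<'EOF'
done: true
name: projects/my-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16
response:
  scan: projects/my-project/locations/us/scans/2fe2bfb8-f0c5-4dd6-a8c8-38961869767a
EOF
)
SAMPLE_VULNS=$(cat <<'EOF'
kind: VULNERABILITY
noteName: projects/my-project/notes/CVE-2015-5262
vulnerability:
  effectiveSeverity: MEDIUM
  packageIssue:
  - affectedPackage: org.apache.httpcomponents:httpclient
    effectiveSeverity: MEDIUM
    packageType: MAVEN
  shortDescription: CVE-2015-5262
---
kind: VULNERABILITY
noteName: projects/my-project/notes/CVE-EXAMPLE-0001
vulnerability:
  effectiveSeverity: HIGH
  packageIssue:
  - affectedPackage: example-system-package
    effectiveSeverity: HIGH
  shortDescription: CVE-EXAMPLE-0001
EOF
)

echo "sample: $(printf '%s\n' "$SAMPLE_VULNS" | count_at_or_above HIGH) HIGH+ finding(s), $(printf '%s\n' "$SAMPLE_VULNS" | count_maven_issues) Maven issue(s)"
```

In a pipeline, call gate_image with the image reference you just built (for example `gate_image my-image:latest MEDIUM`) before pushing it; the non-zero exit status of the last test in the function fails the job. Keep the 48-hour retention in mind: the scan name is only useful for list-vulnerabilities within that window, so the gate should run list-vulnerabilities in the same job rather than storing the scan name for later.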