Scan Java packages manually

This quickstart shows how to pull a container image, scan it manually with On-Demand Scanning, and retrieve the vulnerabilities identified in its system and Maven packages. In this quickstart you use Cloud Shell and a sample Alpine image.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the On-Demand Scanning API.

Download and scan the image

  1. Open Cloud Shell in your project.

    A terminal opens that contains all the tools you need to follow this guide.

  2. Pull the container image with Docker:

    docker pull jenkins:2.60.3-alpine
    
  3. Run the scan:

    gcloud artifacts docker images scan jenkins:2.60.3-alpine --additional-package-types=MAVEN
    

    This triggers the scan and, when it completes, returns the scan name:

    ✓ Scanning container image 
      ✓ Locally extracting packages and versions from local container image
      ✓ Remotely initiating analysis of packages and versions
      ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/1a6fd941-b997-4e5f-ba4f-6351f30e7dad]
    Done.
    
    done: true
    metadata:
      '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
      createTime: '2021-01-26T13:43:53.112123Z'
      resourceUri: jenkins:2.60.3-alpine
    name: projects/my-project/locations/us/operations/1a6fd941-b99f-4eaf-ba4f-6e5af30e7dad
    response:
      '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse
      scan: projects/my-project/locations/us/scans/893c91ce-7fe6-4f1a-a69a-d6ca1b465160
    
  4. Use the scan name (the scan value in the output) to retrieve the scan results:

    gcloud artifacts docker images list-vulnerabilities \
    projects/my-project/locations/us/scans/893c91ce-7fe6-4f1a-a69a-d6ca1b465160
    

    The output contains a list of Maven and Linux package vulnerabilities. Maven package vulnerabilities can be identified by the packageType: MAVEN field.
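    The list above can be long on a real image, so the Maven entries are easiest to review once they are separated from the Linux package entries. The following script is an added example, not part of the Google Cloud documentation: it reads the JSON form of the step 4 output (gcloud's standard --format=json flag) from stdin, keeps only package issues whose packageType is MAVEN, and prints each affected artifact with its fixed version and severity. It assumes the occurrence layout of the Container Analysis vulnerability occurrence (vulnerability.packageIssue[] with packageType, affectedPackage, affectedVersion, fixedVersion, fixAvailable and effectiveSeverity); the embedded sample occurrences, package names and note names are constructed for illustration and are not real scan results.

```python
"""Filter On-Demand Scanning list-vulnerabilities output to Maven packages.

Added example (not Google Cloud's own code). Assumed input, piped on stdin:

    gcloud artifacts docker images list-vulnerabilities SCAN_NAME --format=json

which is a JSON list of vulnerability occurrences. With no piped input the
constructed sample below is used instead.
"""
import json
import sys

# Constructed sample in the shape of the list-vulnerabilities JSON output.
# Note names, packages and versions are made up for illustration.
SAMPLE_OCCURRENCES = [
    {
        "noteName": "projects/goog-vulnz/notes/CVE-EXAMPLE-0001",
        "resourceUri": "jenkins:2.60.3-alpine",
        "vulnerability": {
            "severity": "HIGH",
            "packageIssue": [
                {
                    "affectedPackage": "org.example:example-lib",
                    "affectedVersion": {"fullName": "1.0.0", "kind": "NORMAL"},
                    "fixedVersion": {"fullName": "1.0.1", "kind": "NORMAL"},
                    "fixAvailable": True,
                    "packageType": "MAVEN",
                    "effectiveSeverity": "HIGH",
                }
            ],
        },
    },
    {
        "noteName": "projects/goog-vulnz/notes/CVE-EXAMPLE-0002",
        "resourceUri": "jenkins:2.60.3-alpine",
        "vulnerability": {
            "severity": "MEDIUM",
            "packageIssue": [
                {
                    "affectedCpeUri": "cpe:/o:alpine:alpine_linux:3.6",
                    "affectedPackage": "openssl",
                    "affectedVersion": {"fullName": "1.0.2k-r0", "kind": "NORMAL"},
                    "fixedVersion": {"fullName": "1.0.2n-r0", "kind": "NORMAL"},
                    "fixAvailable": True,
                    "packageType": "OS",
                }
            ],
        },
    },
    {
        "noteName": "projects/goog-vulnz/notes/CVE-EXAMPLE-0003",
        "resourceUri": "jenkins:2.60.3-alpine",
        "vulnerability": {
            "severity": "CRITICAL",
            "packageIssue": [
                {
                    "affectedPackage": "org.example:unpatched-lib",
                    "affectedVersion": {"fullName": "2.3.0", "kind": "NORMAL"},
                    # kind MAXIMUM with no fullName means no fixed version exists yet
                    "fixedVersion": {"kind": "MAXIMUM"},
                    "packageType": "MAVEN",
                }
            ],
        },
    },
]


def package_issues(occurrences, package_type="MAVEN"):
    """Flatten occurrences into one record per package issue of the given type."""
    rows = []
    for occ in occurrences:
        vuln = occ.get("vulnerability", {})
        for issue in vuln.get("packageIssue", []):
            if issue.get("packageType") != package_type:
                continue
            fixed = issue.get("fixedVersion", {}).get("fullName", "")
            rows.append({
                "note": occ.get("noteName", "").rsplit("/", 1)[-1],
                "package": issue.get("affectedPackage", ""),
                "affected": issue.get("affectedVersion", {}).get("fullName", ""),
                "fixed": fixed,
                # Prefer the explicit flag; otherwise infer from a concrete fixed version.
                "fix_available": bool(issue.get("fixAvailable", bool(fixed))),
                # Per-package severity overrides the note-level severity when present.
                "severity": issue.get("effectiveSeverity") or vuln.get("severity", "UNKNOWN"),
            })
    return rows


def summarize(rows):
    """Count findings overall, by severity, and by whether a fix exists."""
    by_severity = {}
    for row in rows:
        by_severity[row["severity"]] = by_severity.get(row["severity"], 0) + 1
    return {
        "total": len(rows),
        "fix_available": sum(1 for row in rows if row["fix_available"]),
        "by_severity": by_severity,
    }


def main():
    occurrences = SAMPLE_OCCURRENCES if sys.stdin.isatty() else json.load(sys.stdin)
    rows = package_issues(occurrences, "MAVEN")
    for row in rows:
        fix = row["fixed"] or "no fix available"
        print(f"{row['severity']:<9} {row['note']:<20} {row['package']} "
              f"{row['affected']} -> {fix}")
    print(json.dumps(summarize(rows)))


if __name__ == "__main__":
    main()
```

    Save the script as, for example, maven_issues.py and run it as gcloud artifacts docker images list-vulnerabilities SCAN_NAME --format=json | python3 maven_issues.py; running it with no piped input prints the constructed sample, which shows one fixable HIGH and one unfixed CRITICAL Maven finding and drops the Alpine openssl entry.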

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

If you created a new project for this guide, you can delete it now.

  • In the Google Cloud console, open the Settings page (found under IAM & Admin).

  • Click Select a project.

  • Select the project you want to delete, then click Open.

  • Click Shut down.

  • Enter the project ID, then click Shut down.

What's next