手动扫描 Go 软件包

借助 On-Demand Scanning API,您可以扫描本地计算机上存储的映像,也可以扫描 Artifact Registry 或 Container Registry 中远程存储的映像。您可以使用 On-Demand Scanning 在 CI/CD 流水线中扫描映像,以检查系统漏洞和 Go 软件包漏洞,然后再决定是否将映像存储在注册表中。如需了解价格信息,请参阅价格页面

本页面介绍如何手动扫描容器映像以查找系统漏洞和 Go 软件包漏洞。

准备工作

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the On-Demand Scanning API.

    Enable the API

  5. Install the Google Cloud CLI.

  6. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  7. To initialize the gcloud CLI, run the following command: 

    gcloud init

  8. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  9. Make sure that billing is enabled for your Google Cloud project.

  10. Enable the On-Demand Scanning API.

    Enable the API

  11. Install the Google Cloud CLI.

  12. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  13. To initialize the gcloud CLI, run the following command: 

    gcloud init

  14. local-extract 组件添加到您的 Google Cloud CLI 安装中

    使用 Google Cloud CLI 组件管理器

    首次运行扫描命令时,组件管理器会提示您安装所需组件。

    使用系统软件包管理器

    • 对于 Debian/Ubuntu: 
      sudo apt install google-cloud-sdk-local-extract
    • 对于 Red Hat/Fedora/CentOS: 
      sudo dnf install google-cloud-sdk-local-extract

      或者,您也可以将上一个命令中的 dnf 替换为 yum

  15. 向您将用于按需扫描的用户或服务账号授予 IAM 角色 按需扫描管理员。如果您使用项目的所有者账号运行扫描,可以跳过此步骤。

    16. 扫描容器映像

    • 本地扫描:

      gcloud artifacts docker images scan IMAGE_URI \
    [--location=(us,europe,asia)] [--async]

      对于本地映像,请使用以下某种格式的 IMAGE_URI

      • REPOSITORY:TAG
      • REPOSITORY

    • 远程扫描:

      gcloud artifacts docker images scan IMAGE_URI \
    --remote [--location=(us,europe,asia)] [--async]

      对于远程图片,请使用以下格式之一来表示 IMAGE_URI

      • HOSTNAME/PROJECT_ID/REPOSITORY_ID/IMAGE_ID@sha256:HASH
      • HOSTNAME/PROJECT_ID/REPOSITORY_ID/IMAGE_ID:HASH
      • HOSTNAME/PROJECT_ID/REPOSITORY_ID/IMAGE_ID
      • HOSTNAME/PROJECT_ID/IMAGE_ID@sha256:HASH
      • HOSTNAME/PROJECT_ID/IMAGE_ID:HASH
      • HOSTNAME/PROJECT_ID/IMAGE_ID

      对于 Artifact Registry 中的映像,IMAGE_URI 必须包含 REPOSITORY_ID

    对于本地扫描和远程扫描,您都可以使用以下可选标志:

    • --location 是一个可选标志,用于手动选择扫描发生的多区域。选择离您实际位置更近的多区域可最大限度地缩短延迟时间。可用的位置包括:useuropeasia。默认位置是 us

    • --async 是一个可选标志,用于异步运行扫描流程。如果您省略此标志,终端将一直处于阻塞状态,直到扫描过程完成。

    同步扫描

    以下示例展示了不含 --async 标志的同步扫描的输出:

    $ gcloud artifacts docker images scan golang:1.17.6-alpine

✓ Scanning container image
  ✓ Locally extracting packages and versions from local container image
  ✓ Remotely initiating analysis of packages and versions
  ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/87d2e137-1d1c-4790-8e5e-daf6c96ae7d7]
Done.
done: true
metadata:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
  createTime: '2022-01-11T16:58:11.711487Z'
  resourceUri: golang:1.16.13-alpine
name: projects/my-project/locations/us/operations/87d2e137-1d1c-4790-8e5e-daf6c96ae7d7
response:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse
  scan: projects/my-project/locations/us/scans/2fe2bfb8-f0c5-4dd6-a8c8-38961869767a

    使用扫描名称检索漏洞结果。 扫描名称是输出消息最后一行的 scan 值。

    异步扫描

    以下示例显示了执行异步扫描的输出:

    $ gcloud artifacts docker images scan golang:1.17.6-alpine --async

✓ Scanning container image
  ✓ Locally extracting packages and versions from local container image
  ✓ Remotely initiating analysis of packages and versions
Done.
Check operation [projects/my-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16] for status.
metadata:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
  createTime: '2022-01-11T16:58:11.711487Z'
  resourceUri: golang:1.16.13-alpine
name: projects/my-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16

    此命令会启动一个长时间运行的操作,并返回其 ID,而不会阻塞您的终端。使用输出消息最后一行的 name 值(即操作 ID)轮询操作

    轮询长时间运行的操作

    使用异步扫描命令输出中的操作 ID 来检查操作状态:

    gcloud artifacts docker images get-operation LRO_ID

    其中,LRO_ID 是长时间运行的操作 ID。

    继续使用异步扫描部分的示例,检查操作的状态:

    $ gcloud artifacts docker images get-operation \
  projects/my-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16

done: true
metadata:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
  createTime: '2022-01-11T16:58:11.711487Z'
  resourceUri: golang:1.16.13-alpine
name: projects/my-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16
response:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse
  scan: projects/my-project/locations/us/scans/2fe2bfb8-f0c5-4dd6-a8c8-38961869767a

    如果输出包含 done: true 行,则表示扫描操作已完成。使用扫描名称检索漏洞结果。 该名称是输出消息最后一行的 scan 值。

    检索扫描结果

    如需在扫描操作完成后检索扫描结果,请使用以下命令:

    gcloud artifacts docker images list-vulnerabilities SCAN_NAME [--limit=X]

    其中:

    • SCAN_NAME 是扫描名称。当您运行同步扫描轮询长时间运行的操作时,扫描完成后,您可以在输出的最后一行中找到该值。

    • --limit=X 是一个可选标志,用于限制输出中显示的次数。X 是一个数值。

    例如:

    createTime: '2022-01-11T16:58:11.972043Z'
kind: VULNERABILITY
name: projects/my-project/locations/us/occurrences/0c607d9b-aff4-4cde-86b7-e2c0a865aadd
noteName: projects/goog-vulnz/notes/CVE-2021-38297
resourceUri: golang:1.16.13-alpine
updateTime: '2022-01-11T16:58:11.972043Z'
vulnerability:
  cvssScore: 7.5
  effectiveSeverity: CRITICAL
  longDescription: Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow
    via large arguments in a function invocation from a WASM module, when GOARCH=wasm
    GOOS=js is used.
  packageIssue:
  - affectedCpeUri: cpe:/o:alpine:alpine_linux:3.15
    affectedPackage: go
    affectedVersion:
      fullName: 1.16.13
      kind: NORMAL
      name: 1.16.13
    effectiveSeverity: CRITICAL
    fixedCpeUri: cpe:/o:alpine:alpine_linux:3.15
    fixedPackage: go
    fixedVersion:
      fullName: 1.17.2
      kind: NORMAL
      name: 1.17.2
    packageType: GO_STDLIB
  relatedUrls:
  - label: More Info
    url: https://security-tracker.debian.org/tracker/CVE-2021-38297
  - label: More Info
    url: https://access.redhat.com/security/cve/CVE-2021-38297
  - label: More Info
    url: https://nvd.nist.gov/vuln/detail/CVE-2021-38297
  severity: HIGH
  shortDescription: CVE-2021-38297

    此命令的输出是 Grafeas 格式的出现次数列表。在本例中,它显示了在映像中发现的一个高严重级别漏洞。

    按需扫描可识别两种类型的 Go 软件包漏洞:

    • packageType:GO_STDLIB. Go 标准库漏洞。这表示漏洞是在用于构建二进制文件的 Go 工具链中,还是在与该工具链捆绑的标准库中发现的。一种可能的解决方法是升级您的 build 工具链。

    • packageType:GO. Go 软件包漏洞。这表示在第三方软件包中发现了漏洞。一种可能的解决方法是升级相关模块。

    扫描操作完成后,扫描结果会保留 48 小时。

    后续步骤