らくがきちょう

なんとなく ~所属組織/団体とは無関係であり、個人の見解です~

Rocky Linux8 に Trivy をインストールして Docker の検査を行う

Software Design 2021年12月号 で Docker 特集が組まれており、Trivy が紹介されていたので試してみました。 今回は Rocky Linux8 上で動作確認しています。 尚、Trivy の GitHub リポジトリはこちら です。

インストール

Trivy のインストール方法は Installation に記載されています。 インストール方法は幾つかあります。

リポジトリからインストールする

リポジトリからインストールする場合、まずリポジトリを定義します。

cat << 'EOF' > /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
gpgcheck=0
enabled=1
EOF

あとはパッケージマネージャでインストールするだけです。

dnf -y check-update
dnf -y install trivy

インストールされました。

# trivy --version
Version: 0.21.1

シェルスクリプトでインストールする

シェルスクリプトでインストールする場合は以下を実行します。 以下では v0.21.1 を指定しており、このバージョンがインストールされます。

curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.21.1

インストールされました。

# trivy --version
Version: 0.21.1

ローカル環境の Dockerfile に対して Trivy を実行する

Docker コンテナイメージはビルドせずに ローカル環境にある Dockerfile を検査してみます。 以下の内容で Dockerfile を新規作成します。

FROM ubuntu:20.04

RUN apt-get update
RUN apt-get install nginx

CMD ["nginx", "-g", "daemon off";]

trivy config に Dockerfile があるパスを指定すると検査することが可能です。 今回は以下のように表示されました。

# trivy config .
2021-11-28T12:11:19.621+0900  INFO    Detected config files: 1

Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 20, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0)

+---------------------------+------------+------------------------------------------+----------+------------------------------------------+
|           TYPE            | MISCONF ID |                  CHECK                   | SEVERITY |                 MESSAGE                  |
+---------------------------+------------+------------------------------------------+----------+------------------------------------------+
| Dockerfile Security Check |   DS002    | root user                                |   HIGH   | Specify at least 1 USER                  |
|                           |            |                                          |          | command in Dockerfile with               |
|                           |            |                                          |          | non-root user as argument                |
|                           |            |                                          |          | -->avd.aquasec.com/appshield/ds002       |
+                           +------------+------------------------------------------+          +------------------------------------------+
|                           |   DS017    | 'RUN <package-manager> update'           |          | The instruction 'RUN <package-manager>   |
|                           |            | instruction alone                        |          | update' should always be followed        |
|                           |            |                                          |          | by '<package-manager> install'           |
|                           |            |                                          |          | in the same RUN statement.               |
|                           |            |                                          |          | -->avd.aquasec.com/appshield/ds017       |
+                           +------------+------------------------------------------+          +------------------------------------------+
|                           |   DS021    | 'apt-get' missing '-y' to avoid manual   |          | '-y' flag is missed:                     |
|                           |            | input                                    |          | 'apt-get install nginx'                  |
|                           |            |                                          |          | -->avd.aquasec.com/appshield/ds021       |
+---------------------------+------------+------------------------------------------+----------+------------------------------------------+

修正した Dockerfile に対して Trivy を実行する

Trivy の検査結果を参考に、Dockerfile の内容を以下のように修正します。

FROM ubuntu:20.04

RUN apt-get update &&
    apt-get -y install nginx

CMD ["nginx", "-g", "daemon off";]

再度、Trivy を実行すると警告が表示されなくなりました。

# trivy config .
2021-11-28T12:59:03.502+0900  INFO    Detected config files: 0
#

コンテナイメージに対して検査を実行する

リポジトリ上に存在するコンテナイメージに対して Trivy を実行することも可能です。 以下では Docker Hub 上の nginx に対して Trivy を実行しています。

# trivy image nginx
2021-11-28T13:08:47.298+0900  INFO    Detected OS: debian
2021-11-28T13:08:47.298+0900  INFO    Detecting Debian vulnerabilities...
2021-11-28T13:08:47.317+0900  INFO    Number of language-specific files: 0

nginx (debian 11.1)
===================
Total: 99 (UNKNOWN: 0, LOW: 81, MEDIUM: 7, HIGH: 7, CRITICAL: 4)

+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                  TITLE                  |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| apt              | CVE-2011-3374    | LOW      | 2.2.4             |               | It was found that apt-key in apt,       |
|                  |                  |          |                   |               | all versions, do not correctly...       |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2011-3374    |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
    …snip…
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| perl-base        | CVE-2020-16156   | MEDIUM   | 5.32.1-4+deb11u2  |               | [Signature Verification Bypass]         |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-16156   |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2011-4116    | LOW      |                   |               | perl: File::Temp insecure               |
|                  |                  |          |                   |               | temporary file handling                 |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2011-4116    |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| tar              | CVE-2005-2541    |          | 1.34+dfsg-1       |               | tar: does not properly warn the user    |
|                  |                  |          |                   |               | when extracting setuid or setgid...     |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2005-2541    |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+

参考

trivy のヘルプ

# trivy --help
NAME:
   trivy - A simple and comprehensive vulnerability scanner for containers

USAGE:
   trivy [global options] command [command options] target

VERSION:
   0.21.1

COMMANDS:
   image, i          scan an image
   filesystem, fs    scan local filesystem for language-specific dependencies and config files
   rootfs            scan rootfs
   repository, repo  scan remote repository
   client, c         client mode
   server, s         server mode
   config, conf      scan config files
   plugin, p         manage plugins
   help, h           Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --quiet, -q        suppress progress bar and log output (default: false) [$TRIVY_QUIET]
   --debug, -d        debug mode (default: false) [$TRIVY_DEBUG]
   --cache-dir value  cache directory (default: "/root/.cache/trivy") [$TRIVY_CACHE_DIR]
   --help, -h         show help (default: false)
   --version, -v      print the version (default: false)

インストールスクリプト

現時点の インストールスクリプト は以下の内容になっていました。

#!/bin/sh
set -e
# Code generated by godownloader on 2020-01-14T10:03:29Z. DO NOT EDIT.
#

usage() {
  this=$1
  cat <<EOF
$this: download go binaries for aquasecurity/trivy

Usage: $this [-b] bindir [-d] [tag]
  -b sets bindir or installation directory, Defaults to ./bin
  -d turns on debug logging
   [tag] is a tag from
   https://github.com/aquasecurity/trivy/releases
   If tag is missing, then the latest will be used.

 Generated by godownloader
  https://github.com/goreleaser/godownloader

EOF
  exit 2
}

parse_args() {
  #BINDIR is ./bin unless set be ENV
  # over-ridden by flag below

  BINDIR=${BINDIR:-./bin}
  while getopts "b:dh?x" arg; do
    case "$arg" in
      b) BINDIR="$OPTARG" ;;
      d) log_set_priority 10 ;;
      h | \?) usage "$0" ;;
      x) set -x ;;
    esac
  done
  shift $((OPTIND - 1))
  TAG=$1
}
# this function wraps all the destructive operations
# if a curl|bash cuts off the end of the script due to
# network, either nothing will happen or will syntax error
# out preventing half-done work
execute() {
  tmpdir=$(mktemp -d)
  log_debug "downloading files into ${tmpdir}"
  http_download "${tmpdir}/${TARBALL}" "${TARBALL_URL}"
  http_download "${tmpdir}/${CHECKSUM}" "${CHECKSUM_URL}"
  hash_sha256_verify "${tmpdir}/${TARBALL}" "${tmpdir}/${CHECKSUM}"
  srcdir="${tmpdir}"
  (cd "${tmpdir}" && untar "${TARBALL}")
  test ! -d "${BINDIR}" && install -d "${BINDIR}"
  for binexe in $BINARIES; do
    if [ "$OS" = "windows" ]; then
      binexe="${binexe}.exe"
    fi
    install "${srcdir}/${binexe}" "${BINDIR}/"
    log_info "installed ${BINDIR}/${binexe}"
  done
  rm -rf "${tmpdir}"
}
get_binaries() {
  case "$PLATFORM" in
    darwin/386) BINARIES="trivy" ;;
    darwin/amd64) BINARIES="trivy" ;;
    darwin/arm64) BINARIES="trivy" ;;
    darwin/armv7) BINARIES="trivy" ;;
    freebsd/386) BINARIES="trivy" ;;
    freebsd/amd64) BINARIES="trivy" ;;
    freebsd/arm64) BINARIES="trivy" ;;
    freebsd/armv7) BINARIES="trivy" ;;
    linux/386) BINARIES="trivy" ;;
    linux/amd64) BINARIES="trivy" ;;
    linux/ppc64le) BINARIES="trivy" ;;
    linux/arm64) BINARIES="trivy" ;;
    linux/armv7) BINARIES="trivy" ;;
    openbsd/386) BINARIES="trivy" ;;
    openbsd/amd64) BINARIES="trivy" ;;
    openbsd/arm64) BINARIES="trivy" ;;
    openbsd/armv7) BINARIES="trivy" ;;
    *)
      log_crit "platform $PLATFORM is not supported.  Make sure this script is up-to-date and file request at https://github.com/${PREFIX}/issues/new"
      exit 1
      ;;
  esac
}
tag_to_version() {
  if [ -z "${TAG}" ]; then
    log_info "checking GitHub for latest tag"
  else
    log_info "checking GitHub for tag '${TAG}'"
  fi
  REALTAG=$(github_release "$OWNER/$REPO" "${TAG}") && true
  if test -z "$REALTAG"; then
    log_crit "unable to find '${TAG}' - use 'latest' or see https://github.com/${PREFIX}/releases for details"
    exit 1
  fi
  # if version starts with 'v', remove it
  TAG="$REALTAG"
  VERSION=${TAG#v}
}
adjust_format() {
  # change format (tar.gz or zip) based on OS
  true
}
adjust_os() {
  # adjust archive name based on OS
  case ${OS} in
    386) OS=32bit ;;
    amd64) OS=64bit ;;
    arm) OS=ARM ;;
    arm64) OS=ARM64 ;;
    ppc64le) OS=PPC64LE ;;
    darwin) OS=macOS ;;
    dragonfly) OS=DragonFlyBSD ;;
    freebsd) OS=FreeBSD ;;
    linux) OS=Linux ;;
    netbsd) OS=NetBSD ;;
    openbsd) OS=OpenBSD ;;
  esac
  true
}
adjust_arch() {
  # adjust archive name based on ARCH
  case ${ARCH} in
    386) ARCH=32bit ;;
    amd64) ARCH=64bit ;;
    arm) ARCH=ARM ;;
    arm64) ARCH=ARM64 ;;
    ppc64le) OS=PPC64LE ;;
    darwin) ARCH=macOS ;;
    dragonfly) ARCH=DragonFlyBSD ;;
    freebsd) ARCH=FreeBSD ;;
    linux) ARCH=Linux ;;
    netbsd) ARCH=NetBSD ;;
    openbsd) ARCH=OpenBSD ;;
  esac
  true
}

cat /dev/null <<EOF
------------------------------------------------------------------------
https://github.com/client9/shlib - portable posix shell functions
Public domain - http://unlicense.org
https://github.com/client9/shlib/blob/master/LICENSE.md
but credit (and pull requests) appreciated.
------------------------------------------------------------------------
EOF
is_command() {
  command -v "$1" >/dev/null
}
echoerr() {
  echo "$@" 1>&2
}
log_prefix() {
  echo "$0"
}
_logp=6
log_set_priority() {
  _logp="$1"
}
log_priority() {
  if test -z "$1"; then
    echo "$_logp"
    return
  fi
  [ "$1" -le "$_logp" ]
}
log_tag() {
  case $1 in
    0) echo "emerg" ;;
    1) echo "alert" ;;
    2) echo "crit" ;;
    3) echo "err" ;;
    4) echo "warning" ;;
    5) echo "notice" ;;
    6) echo "info" ;;
    7) echo "debug" ;;
    *) echo "$1" ;;
  esac
}
log_debug() {
  log_priority 7 || return 0
  echo "$(log_prefix)" "$(log_tag 7)" "$@"
}
log_info() {
  log_priority 6 || return 0
  echo "$(log_prefix)" "$(log_tag 6)" "$@"
}
log_err() {
  log_priority 3 || return 0
  echoerr "$(log_prefix)" "$(log_tag 3)" "$@"
}
log_crit() {
  log_priority 2 || return 0
  echoerr "$(log_prefix)" "$(log_tag 2)" "$@"
}
uname_os() {
  os=$(uname -s | tr '[:upper:]' '[:lower:]')
  case "$os" in
    cygwin_nt*) os="windows" ;;
    mingw*) os="windows" ;;
    msys_nt*) os="windows" ;;
  esac
  echo "$os"
}
uname_arch() {
  arch=$(uname -m)
  case $arch in
    x86_64) arch="amd64" ;;
    x86) arch="386" ;;
    i686) arch="386" ;;
    i386) arch="386" ;;
    ppc64le) arch="ppc64le" ;;
    aarch64) arch="arm64" ;;
    armv5*) arch="armv5" ;;
    armv6*) arch="armv6" ;;
    armv7*) arch="armv7" ;;
  esac
  echo ${arch}
}
uname_os_check() {
  os=$(uname_os)
  case "$os" in
    darwin) return 0 ;;
    dragonfly) return 0 ;;
    freebsd) return 0 ;;
    linux) return 0 ;;
    android) return 0 ;;
    nacl) return 0 ;;
    netbsd) return 0 ;;
    openbsd) return 0 ;;
    plan9) return 0 ;;
    solaris) return 0 ;;
    windows) return 0 ;;
  esac
  log_crit "uname_os_check '$(uname -s)' got converted to '$os' which is not a GOOS value. Please file bug at https://github.com/client9/shlib"
  return 1
}
uname_arch_check() {
  arch=$(uname_arch)
  case "$arch" in
    386) return 0 ;;
    amd64) return 0 ;;
    arm64) return 0 ;;
    armv5) return 0 ;;
    armv6) return 0 ;;
    armv7) return 0 ;;
    ppc64) return 0 ;;
    ppc64le) return 0 ;;
    mips) return 0 ;;
    mipsle) return 0 ;;
    mips64) return 0 ;;
    mips64le) return 0 ;;
    s390x) return 0 ;;
    amd64p32) return 0 ;;
  esac
  log_crit "uname_arch_check '$(uname -m)' got converted to '$arch' which is not a GOARCH value.  Please file bug report at https://github.com/client9/shlib"
  return 1
}
untar() {
  tarball=$1
  case "${tarball}" in
    *.tar.gz | *.tgz) tar --no-same-owner -xzf "${tarball}" ;;
    *.tar) tar --no-same-owner -xf "${tarball}" ;;
    *.zip) unzip "${tarball}" ;;
    *)
      log_err "untar unknown archive format for ${tarball}"
      return 1
      ;;
  esac
}
http_download_curl() {
  local_file=$1
  source_url=$2
  header=$3
  if [ -z "$header" ]; then
    code=$(curl -w '%{http_code}' -sL -o "$local_file" "$source_url")
  else
    code=$(curl -w '%{http_code}' -sL -H "$header" -o "$local_file" "$source_url")
  fi
  if [ "$code" != "200" ]; then
    log_debug "http_download_curl received HTTP status $code"
    return 1
  fi
  return 0
}
http_download_wget() {
  local_file=$1
  source_url=$2
  header=$3
  if [ -z "$header" ]; then
    wget -q -O "$local_file" "$source_url"
  else
    wget -q --header "$header" -O "$local_file" "$source_url"
  fi
}
http_download() {
  log_debug "http_download $2"
  if is_command curl; then
    http_download_curl "$@"
    return
  elif is_command wget; then
    http_download_wget "$@"
    return
  fi
  log_crit "http_download unable to find wget or curl"
  return 1
}
http_copy() {
  tmp=$(mktemp)
  http_download "${tmp}" "$1" "$2" || return 1
  body=$(cat "$tmp")
  rm -f "${tmp}"
  echo "$body"
}
github_release() {
  owner_repo=$1
  version=$2
  test -z "$version" && version="latest"
  giturl="https://github.com/${owner_repo}/releases/${version}"
  json=$(http_copy "$giturl" "Accept:application/json")
  test -z "$json" && return 1
  version=$(echo "$json" | tr -s '\n' ' ' | sed 's/.*"tag_name":"//' | sed 's/".*//')
  test -z "$version" && return 1
  echo "$version"
}
hash_sha256() {
  TARGET=${1:-/dev/stdin}
  if is_command gsha256sum; then
    hash=$(gsha256sum "$TARGET") || return 1
    echo "$hash" | cut -d ' ' -f 1
  elif is_command sha256sum; then
    hash=$(sha256sum "$TARGET") || return 1
    echo "$hash" | cut -d ' ' -f 1
  elif is_command shasum; then
    hash=$(shasum -a 256 "$TARGET" 2>/dev/null) || return 1
    echo "$hash" | cut -d ' ' -f 1
  elif is_command openssl; then
    hash=$(openssl -dst openssl dgst -sha256 "$TARGET") || return 1
    echo "$hash" | cut -d ' ' -f a
  else
    log_crit "hash_sha256 unable to find command to compute sha-256 hash"
    return 1
  fi
}
hash_sha256_verify() {
  TARGET=$1
  checksums=$2
  if [ -z "$checksums" ]; then
    log_err "hash_sha256_verify checksum file not specified in arg2"
    return 1
  fi
  BASENAME=${TARGET##*/}
  want=$(grep "${BASENAME}" "${checksums}" 2>/dev/null | tr '\t' ' ' | cut -d ' ' -f 1)
  if [ -z "$want" ]; then
    log_err "hash_sha256_verify unable to find checksum for '${TARGET}' in '${checksums}'"
    return 1
  fi
  got=$(hash_sha256 "$TARGET")
  if [ "$want" != "$got" ]; then
    log_err "hash_sha256_verify checksum for '$TARGET' did not verify ${want} vs $got"
    return 1
  fi
}
cat /dev/null <<EOF
------------------------------------------------------------------------
End of functions from https://github.com/client9/shlib
------------------------------------------------------------------------
EOF

PROJECT_NAME="trivy"
OWNER=aquasecurity
REPO="trivy"
BINARY=trivy
FORMAT=tar.gz
OS=$(uname_os)
ARCH=$(uname_arch)
PREFIX="$OWNER/$REPO"

# use in logging routines
log_prefix() {
    echo "$PREFIX"
}
PLATFORM="${OS}/${ARCH}"
GITHUB_DOWNLOAD=https://github.com/${OWNER}/${REPO}/releases/download

uname_os_check "$OS"
uname_arch_check "$ARCH"

parse_args "$@"

get_binaries

tag_to_version

adjust_format

adjust_os

adjust_arch

log_info "found version: ${VERSION} for ${TAG}/${OS}/${ARCH}"

NAME=${PROJECT_NAME}_${VERSION}_${OS}-${ARCH}
TARBALL=${NAME}.${FORMAT}
TARBALL_URL=${GITHUB_DOWNLOAD}/${TAG}/${TARBALL}
CHECKSUM=${PROJECT_NAME}_${VERSION}_checksums.txt
CHECKSUM_URL=${GITHUB_DOWNLOAD}/${TAG}/${CHECKSUM}


execute