Tanzu Application Platform 1.2で"Source Test Scan to URL"を試す
Tanzu Application Platform 1.2 (Full Profile) をAKSにインストールしAzure ADと連携するメモ - Self Signed編で作成した環境で"Source Test Scan to URL"を試します。
目次
Metadata StoreへのRead Onlyアクセストークン作成
Metadata Storeにアクセスするためのトークンを作成します。後にDeveloperが使用するので、Read Onlyなものを作成します。
cat <<EOF | kubectl apply -f-
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: metadata-store-ready-only
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: metadata-store-read-only
subjects:
- kind: ServiceAccount
name: metadata-store-read-client
namespace: metadata-store
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: metadata-store-read-client
namespace: metadata-store
automountServiceAccountToken: false
---
apiVersion: v1
kind: Secret
metadata:
name: metadata-store-read-only-token
namespace: metadata-store
annotations:
kubernetes.io/service-account.name: metadata-store-read-client
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: metadata-store-read-only-token-read
namespace: metadata-store
rules:
- apiGroups: [ "" ]
resources: [ "secrets" ]
resourceNames: [ "metadata-store-read-only-token" ]
verbs: [ "get" ]
EOF
アクセストークンを次のコマンドで取得します。後に使用します。
AUTH_TOKEN=$(kubectl get secret -n metadata-store metadata-store-read-only-token -otemplate='{{.data.token | base64decode}}')
tap-values.ymlの更新
tap-values.ymlの以下の部分を
supply_chain: basic
ootb_supply_chain_basic:
# ...
次のように変更します。
supply_chain: testing_scanning
ootb_supply_chain_testing_scanning:
# ...
次のコマンドで置換できます。
sed -i.bak 's/basic/testing_scanning/g' tap-values.yml
次に、TAP GUIに関する以下の設定を追加してください。
tap_gui:
# ...
app_config:
proxy:
/metadata-store:
target: https://metadata-store-app.metadata-store:8443/api/v1
changeOrigin: true
secure: false
headers:
Authorization: "Bearer ${AUTH_TOKEN}"
X-Custom-Source: project-star
また、Metadata Storeに関する以下の設定を追加してください。
metadata_store:
# ...
ns_for_export_app_cert: "*"
次のコマンドでtap-values.ymlの変更を反映します。
tanzu package installed update -n tap-install tap -f tap-values.yml
ClusterSupplyChain一覧が次のようになれば"Source Test Scan to URL"が利用可能です。
$ kubectl get clustersupplychain
NAME READY REASON AGE
scanning-image-scan-to-url True Ready 6s
source-test-scan-to-url True Ready 6s
Workloadを作成するための事前準備
RBACの設定
基本的な内容は前記事で設定済みです。
DeveloperがMetadata Storeのアクセストークンを取得できるようにRoleBindingを作成します。
kubectl create rolebinding metadata-store-read-only-token-read-${GROUP_ID} -n metadata-store --role metadata-store-read-only-token-read --group ${GROUP_ID}
Tekton Pipelineの作成
今回はテストは空実装にします。
cat <<'EOF' | kubectl -n demo apply -f -
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: developer-defined-tekton-pipeline
labels:
apps.tanzu.vmware.com/pipeline: test
spec:
params:
- name: source-url
- name: source-revision
tasks:
- name: test
params:
- name: source-url
value: $(params.source-url)
- name: source-revision
value: $(params.source-revision)
taskSpec:
params:
- name: source-url
- name: source-revision
steps:
- name: test
image: alpine
script: |-
echo "Skip Test :)"
EOF
ScanTemplateのインストール
cat <<EOF > grype-demo.yaml
namespace: demo
targetImagePullSecret: registry-credentials
EOF
tanzu package install grype-demo -p grype.scanning.apps.tanzu.vmware.com -v 1.2.2 -n tap-install -f grype-demo.yaml
Scan Tempalte一覧を確認します。
$ kubectl get scantemplate -n demo
NAME AGE
blob-source-scan-template 6s
private-image-scan-template 6s
public-image-scan-template 6s
public-source-scan-template 6s
また、次のコマンドを実行してReconcile succeededになっていることを確認してください。
$ kubectl get secretimports.secretgen.carvel.dev -n demo
NAME DESCRIPTION AGE
app-tls-cert Reconcile succeeded 23s
ScanPolicyの作成
kubectl apply -n demo -f - << EOF
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ScanPolicy
metadata:
name: scan-policy
spec:
regoFile: |
package main
# Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity"
notAllowedSeverities := ["Critical","High","UnknownSeverity"]
ignoreCves := ["CVE-2016-1000027"]
contains(array, elem) = true {
array[_] = elem
} else = false { true }
isSafe(match) {
severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity }
some i
fails := contains(notAllowedSeverities, severities[i])
not fails
}
isSafe(match) {
ignore := contains(ignoreCves, match.id)
ignore
}
deny[msg] {
comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] }
some i
comp := comps[i]
vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] }
some j
vuln := vulns[j]
ratings := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity }
not isSafe(vuln)
msg = sprintf("CVE %s %s %s", [comp.name, vuln.id, ratings])
}
EOF
CVE-2016-1000027はSpring Frameworkに関する脆弱性ですが、https://github.com/spring-projects/spring-framework/issues/24434 にて議論されているように妥当ではないです。
Grypeではこの脆弱性を検出してしまうため、Spring Frameworkを使用している場合は無視する必要があります。ScanPolicyで予め無視しておくのが良いです。
https://github.com/anchore/grype/issues/773
Workloadの作成
以下はDeveloperとして実行します。
az aks get-credentials --resource-group tap-rg --name tap-sandbox --overwrite-existing
次のコマンドでWorkloadを作成します。--label apps.tanzu.vmware.com/has-tests=trueが必要です。
tanzu apps workload apply spring-music \
--app spring-music \
--git-repo https://github.com/tanzu-japan/spring-music \
--git-branch tanzu \
--type web \
--label apps.tanzu.vmware.com/has-tests=true \
--annotation autoscaling.knative.dev/minScale=1 \
-n demo \
-y
tanzu apps workload tail spring-music -n demo
# "or" stern -n demo spring-music
次のコマンドで進捗をwatchします。
watch kubectl get workload,pod,gitrepo,pipelinerun,sourcescan,imgs,build,imagescan,podintent,taskrun,imagerepository,deliverable,app,ksvc -n demo -owide -l app.kubernetes.io/part-of=spring-music
次のような出力になります。
$ kubectl get workload,pod,gitrepo,pipelinerun,sourcescan,imgs,build,imagescan,podintent,taskrun,imagerepository,deliverable,app,ksvc -n demo -owide -l app.kubernetes.io/part-of=spring-music
NAME SOURCE SUPPLYCHAIN READY REASON AGE
workload.carto.run/spring-music https://github.com/tanzu-japan/spring-music source-test-scan-to-url True Ready 7m46s
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/scan-spring-music-njwjz-dst66 0/1 Completed 0 7m19s 10.244.2.25 aks-nodepool1-87250474-vmss000002 <none> <none>
pod/scan-spring-music-vgj8d-6l8ld 0/1 Completed 0 107s 10.244.2.27 aks-nodepool1-87250474-vmss000002 <none> <none>
pod/spring-music-00001-deployment-865d75d795-8c8m6 2/2 Running 0 34s 10.244.2.29 aks-nodepool1-87250474-vmss000002 <none> <none>
pod/spring-music-build-1-build-pod 0/1 Completed 0 6m4s 10.244.2.26 aks-nodepool1-87250474-vmss000002 <none> <none>
pod/spring-music-config-writer-4f4lh-pod 0/1 Completed 0 62s 10.244.2.28 aks-nodepool1-87250474-vmss000002 <none> <none>
pod/spring-music-crdww-test-pod 0/1 Completed 0 7m34s 10.244.2.24 aks-nodepool1-87250474-vmss000002 <none> <none>
NAME URL READY STATUS AGE
gitrepository.source.toolkit.fluxcd.io/spring-music https://github.com/tanzu-japan/spring-music True Fetched revision: tanzu/297dad0750cbbb963819ba9bfaafeaf58402b06f 7m44s
NAME SUCCEEDED REASON STARTTIME COMPLETIONTIME
pipelinerun.tekton.dev/spring-music-crdww True Succeeded 7m35s 7m25s
NAME PHASE SCANNEDREVISION SCANNEDREPOSITORY AGE CRITICAL HIGH MEDIUM LOW UNKNOWN CVETOTAL
sourcescan.scanning.apps.tanzu.vmware.com/spring-music Completed tanzu/297dad0750cbbb963819ba9bfaafeaf58402b06f http://source-controller.flux-system.svc.cluster.local./gitrepository/demo/spring-music/297dad0750cbbb963819ba9bfaafeaf58402b06f.tar.gz 7m20s
NAME LATESTIMAGE READY
image.kpack.io/spring-music tap28868.azurecr.io/supply-chain/spring-music-demo@sha256:9e39def446c09e1852842b8ec861c11ae8fa8c71ecb5406e8b9ed32158df6163 True
NAME IMAGE SUCCEEDED
build.kpack.io/spring-music-build-1 tap28868.azurecr.io/supply-chain/spring-music-demo@sha256:9e39def446c09e1852842b8ec861c11ae8fa8c71ecb5406e8b9ed32158df6163 True
NAME PHASE SCANNEDIMAGE AGE CRITICAL HIGH MEDIUM LOW UNKNOWN CVETOTAL
imagescan.scanning.apps.tanzu.vmware.com/spring-music Completed tap28868.azurecr.io/supply-chain/spring-music-demo@sha256:9e39def446c09e1852842b8ec861c11ae8fa8c71ecb5406e8b9ed32158df6163 108s 1 0 9 12 0 22
NAME READY REASON AGE
podintent.conventions.apps.tanzu.vmware.com/spring-music True ConventionsApplied 69s
NAME SUCCEEDED REASON STARTTIME COMPLETIONTIME
taskrun.tekton.dev/spring-music-config-writer-4f4lh True Succeeded 63s 56s
taskrun.tekton.dev/spring-music-crdww-test True Succeeded 7m35s 7m25s
NAME IMAGE URL READY REASON AGE
imagerepository.source.apps.tanzu.vmware.com/spring-music-delivery tap28868.azurecr.io/supply-chain/spring-music-demo-bundle:c8367da0-2712-4378-b494-c18f284f8974 http://source-controller-manager-artifact-service.source-system.svc.cluster.local./imagerepository/demo/spring-music-delivery/b1f2ada575fe7790bac2dbdbf70d0170450f26906cb7b8930c693b4f9786a1a2.tar.gz True Ready 7m41s
NAME SOURCE DELIVERY READY REASON AGE
deliverable.carto.run/spring-music tap28868.azurecr.io/supply-chain/spring-music-demo-bundle:c8367da0-2712-4378-b494-c18f284f8974 delivery-basic True Ready 7m44s
NAME DESCRIPTION SINCE-DEPLOY AGE
app.kappctrl.k14s.io/spring-music Reconcile succeeded 36s 36s
NAME URL LATESTCREATED LATESTREADY READY REASON
service.serving.knative.dev/spring-music https://spring-music-demo.20-89-141-216.sslip.io spring-music-00001 spring-music-00001 True
GrypeはGradleのSourceScanに対応していないようなので、次の通り、何も検出されません。
$ kubectl get sourcescan -n demo spring-music
NAME PHASE SCANNEDREVISION SCANNEDREPOSITORY AGE CRITICAL HIGH MEDIUM LOW UNKNOWN CVETOTAL
spring-music Completed tanzu/297dad0750cbbb963819ba9bfaafeaf58402b06f http://source-controller.flux-system.svc.cluster.local./gitrepository/demo/spring-music/297dad0750cbbb963819ba9bfaafeaf58402b06f.tar.gz 8m53s
ImageScanは次の通り、Criticalが1件検出されますが、PHASEはCompletedになっています。
$ kubectl get imagescan -n demo spring-music
NAME PHASE SCANNEDIMAGE AGE CRITICAL HIGH MEDIUM LOW UNKNOWN CVETOTAL
spring-music Completed tap28868.azurecr.io/supply-chain/spring-music-demo@sha256:9e39def446c09e1852842b8ec861c11ae8fa8c71ecb5406e8b9ed32158df6163 4m4s 1 0 9 12 0 22
tanzu insightコマンドでMetadata Storeにアクセスして、保存された情報を確認しましょう。
METADATA_STORE_DOMAIN=metadata-store.$(kubectl get ksvc -n demo spring-music -ojsonpath='{.status.url}' | sed 's|https://||' | sed 's|spring-music-demo.||')
openssl s_client -servername ${METADATA_STORE_DOMAIN} -connect ${METADATA_STORE_DOMAIN}:443 < /dev/null 2> /dev/null | openssl x509 -outform PEM > metadata-store.crt
AUTH_TOKEN=$(kubectl get secret -n metadata-store metadata-store-read-only-token -otemplate='{{.data.token | base64decode}}')
tanzu insight config set-target https://${METADATA_STORE_DOMAIN} --ca-cert metadata-store.crt --access-token=${AUTH_TOKEN}
以下のログが出力されます。
ℹ Using config file: /Users/toshiaki/.config/tanzu/insight/config.yaml
ℹ Setting trustedcacert in config
ℹ Setting accesstoken in config
ℹ Setting endpoint in config to: https://metadata-store.20-89-141-216.sslip.io
✔ Success: Set Metadata Store endpoint
次のコマンドで疎通チェックします。
$ tanzu insight health
Success: Reached Metadata Store!
tanzu insight imageでイメージスキャンの結果を確認します。
イメージに含まれるパッケージ一覧と検出された脆弱性を確認できます。
$ tanzu insight image get --digest sha256:9e39def446c09e1852842b8ec861c11ae8fa8c71ecb5406e8b9ed32158df6163
ID: 1
Registry: tap28868.azurecr.io
Image Name: supply-chain/spring-music-demo
Digest: sha256:9e39def446c09e1852842b8ec861c11ae8fa8c71ecb5406e8b9ed32158df6163
Packages:
1. helper@9.3.6
2. BellSoft Liberica JRE@11.0.15
3. helper@3.2.3
4. HdrHistogram@2.1.12
5. HikariCP@4.0.3
6. LatencyUtils@2.0.3
7. angular-ui@0.4.0-2
8. angular-ui-bootstrap@0.10.0-1
9. angularjs@1.2.16
10. antlr@2.7.7
11. aspectjweaver@1.9.7
12. bootstrap@3.1.1
13. bson@4.4.2
14. byte-buddy-dep@1.11.22
15. checker-qual@3.5.0
16. classmate@1.5.1
17. commons-pool2@2.11.1
18. h2@2.1.214
19. hibernate-commons-annotations@5.1.2.Final
20. hibernate-core@5.6.10.Final
21. hibernate-validator@6.2.3.Final
22. istack-commons-runtime@3.0.12
23. jackson-annotations@2.13.3
24. jackson-core@2.13.3
25. jackson-databind@2.13.3
26. jackson-datatype-jdk8@2.13.3
27. jackson-datatype-jsr310@2.13.3
28. jackson-module-parameter-names@2.13.3
29. jakarta.activation@1.2.2
30. jakarta.annotation-api@1.3.5
31. jakarta.persistence-api@2.2.3
32. jakarta.transaction-api@1.3.3
33. jakarta.validation-api@2.0.2
34. jakarta.xml.bind-api@2.3.3
35. jandex@2.4.2.Final
36. jaxb-runtime@2.3.6
37. jboss-logging@3.4.3.Final
38. jctools-core@3.1.0
39. jquery@2.1.0-2
CVEs:
1. CVE-2007-2379 (Medium)
2. CVE-2015-9251 (Medium)
3. CVE-2019-11358 (Medium)
4. CVE-2020-11022 (Medium)
5. CVE-2020-11023 (Medium)
40. jul-to-slf4j@1.7.36
41. lettuce-core@6.1.9.RELEASE
42. log4j-api@2.17.2
43. log4j-to-slf4j@2.17.2
44. logback-classic@1.2.11
45. logback-core@1.2.11
46. micrometer-core@1.8.8
47. mongodb-driver-core@4.4.2
48. mongodb-driver-sync@4.4.2
49. mssql-jdbc@9.4.1
50. mysql-connector-java@8.0.29
51. netty-buffer@4.1.79.Final
52. netty-codec@4.1.79.Final
53. netty-common@4.1.79.Final
54. netty-handler@4.1.79.Final
55. netty-resolver@4.1.79.Final
56. netty-transport@4.1.79.Final
57. netty-transport-native-unix-common@4.1.79.Final
58. postgresql@42.3.6
CVEs:
1. CVE-2017-8806 (Medium)
59. reactive-streams@1.0.4
60. reactor-core@3.4.21
61. slf4j-api@1.7.36
62. snakeyaml@1.29
63. spring-aop@5.3.22
64. spring-aspects@5.3.22
65. spring-beans@5.3.22
66. spring-boot@2.6.10
67. spring-boot-actuator@2.6.10
68. spring-boot-actuator-autoconfigure@2.6.10
69. spring-boot-autoconfigure@2.6.10
70. spring-boot-jarmode-layertools@2.6.10
71. spring-context@5.3.22
72. spring-context-support@5.3.22
73. spring-core@5.3.22
CVEs:
1. CVE-2016-1000027 (Critical)
74. spring-data-commons@2.6.6
75. spring-data-jpa@2.6.6
76. spring-data-keyvalue@2.6.6
77. spring-data-mongodb@3.3.6
78. spring-data-redis@2.6.6
79. spring-expression@5.3.22
80. spring-jcl@5.3.22
81. spring-jdbc@5.3.22
82. spring-orm@5.3.22
83. spring-oxm@5.3.22
84. spring-tx@5.3.22
85. spring-web@5.3.22
86. spring-webmvc@5.3.22
87. tomcat-embed-core@9.0.65
88. tomcat-embed-el@9.0.65
89. tomcat-embed-websocket@9.0.65
90. txw2@2.3.6
91. helper@5.11.0
92. Spring Cloud Bindings@1.9.0
93. adduser@3.116ubuntu1
94. apt@1.6.14
95. base-files@10.1ubuntu2.11
96. base-passwd@3.5.44
97. bash@4.4.18-2ubuntu1.3
98. bsdutils@1:2.31.1-0.4ubuntu3.7
99. bzip2@1.0.6-8.1ubuntu0.2
100. ca-certificates@20211016~18.04.1
101. coreutils@8.28-1ubuntu1
CVEs:
1. CVE-2016-2781 (Low)
102. dash@0.5.8-2.10
103. debconf@1.5.66ubuntu1
104. debianutils@4.8.4
105. diffutils@1:3.6-1
106. dpkg@1.19.0.5ubuntu2.4
107. e2fsprogs@1.44.1-1ubuntu1.4
108. fdisk@2.31.1-0.4ubuntu3.7
109. findutils@4.6.0+git+20170828-2
110. gcc-8-base@8.4.0-1ubuntu1~18.04
CVEs:
1. CVE-2020-13844 (Medium)
111. gpgv@2.2.4-1ubuntu1.6
112. grep@3.1-2build1
113. gzip@1.6-5ubuntu1.2
114. hostname@3.20
115. init-system-helpers@1.51
116. libacl1@2.2.52-3build1
117. libapt-pkg5.0@1.6.14
118. libattr1@1:2.4.47-2build1
119. libaudit-common@1:2.8.2-1ubuntu1.1
120. libaudit1@1:2.8.2-1ubuntu1.1
121. libblkid1@2.31.1-0.4ubuntu3.7
122. libbz2-1.0@1.0.6-8.1ubuntu0.2
123. libc-bin@2.27-3ubuntu1.6
CVEs:
1. CVE-2009-5155 (Low)
2. CVE-2015-8985 (Low)
3. CVE-2016-20013 (Low)
124. libc6@2.27-3ubuntu1.6
CVEs:
1. CVE-2009-5155 (Low)
2. CVE-2015-8985 (Low)
3. CVE-2016-20013 (Low)
125. libcap-ng0@0.7.7-3.1
126. libcom-err2@1.44.1-1ubuntu1.4
127. libdb5.3@5.3.28-13.1ubuntu1.1
128. libdebconfclient0@0.213ubuntu1
129. libexpat1@2.2.5-3ubuntu0.7
130. libext2fs2@1.44.1-1ubuntu1.4
131. libfdisk1@2.31.1-0.4ubuntu3.7
132. libffi6@3.2.1-8
133. libgcc1@1:8.4.0-1ubuntu1~18.04
CVEs:
1. CVE-2020-13844 (Medium)
134. libgcrypt20@1.8.1-4ubuntu1.3
135. libgmp10@2:6.1.2+dfsg-2
136. libgnutls30@3.5.18-1ubuntu1.5
CVEs:
1. CVE-2018-16868 (Low)
2. CVE-2021-4209 (Low)
3. CVE-2022-2509 (Medium)
137. libgpg-error0@1.27-6
138. libhogweed4@3.4.1-0ubuntu0.18.04.1
139. libidn2-0@2.0.4-1.1ubuntu0.2
140. liblz4-1@0.0~r131-2ubuntu3.1
141. liblzma5@5.2.2-1.3ubuntu0.1
142. libmount1@2.31.1-0.4ubuntu3.7
143. libncurses5@6.1-1ubuntu1.18.04
CVEs:
1. CVE-2019-17594 (Low)
2. CVE-2019-17595 (Low)
3. CVE-2021-39537 (Low)
4. CVE-2022-29458 (Low)
144. libncursesw5@6.1-1ubuntu1.18.04
CVEs:
1. CVE-2019-17594 (Low)
2. CVE-2019-17595 (Low)
3. CVE-2021-39537 (Low)
4. CVE-2022-29458 (Low)
145. libnettle6@3.4.1-0ubuntu0.18.04.1
146. libp11-kit0@0.23.9-2ubuntu0.1
147. libpam-modules@1.1.8-3.6ubuntu2.18.04.3
148. libpam-modules-bin@1.1.8-3.6ubuntu2.18.04.3
149. libpam-runtime@1.1.8-3.6ubuntu2.18.04.3
150. libpam0g@1.1.8-3.6ubuntu2.18.04.3
151. libpcre3@2:8.39-9ubuntu0.1
CVEs:
1. CVE-2017-11164 (Low)
152. libprocps6@2:3.3.12-3ubuntu1.2
153. libseccomp2@2.5.1-1ubuntu1~18.04.2
154. libselinux1@2.7-2build2
155. libsemanage-common@2.7-2build2
156. libsemanage1@2.7-2build2
157. libsepol1@2.7-1ubuntu0.1
158. libsmartcols1@2.31.1-0.4ubuntu3.7
159. libss2@1.44.1-1ubuntu1.4
160. libssl1.1@1.1.1-1ubuntu2.1~18.04.20
161. libstdc++6@8.4.0-1ubuntu1~18.04
CVEs:
1. CVE-2020-13844 (Medium)
162. libsystemd0@237-3ubuntu10.53
163. libtasn1-6@4.13-2
164. libtinfo5@6.1-1ubuntu1.18.04
CVEs:
1. CVE-2019-17594 (Low)
2. CVE-2019-17595 (Low)
3. CVE-2021-39537 (Low)
4. CVE-2022-29458 (Low)
165. libudev1@237-3ubuntu10.53
166. libunistring2@0.9.9-0ubuntu2
167. libuuid1@2.31.1-0.4ubuntu3.7
168. libyaml-0-2@0.1.7-2ubuntu3
169. libzstd1@1.3.3+dfsg-2ubuntu1.2
170. locales@2.27-3ubuntu1.6
CVEs:
1. CVE-2009-5155 (Low)
2. CVE-2015-8985 (Low)
3. CVE-2016-20013 (Low)
171. login@1:4.5-1ubuntu2.3
CVEs:
1. CVE-2013-4235 (Low)
172. lsb-base@9.20170808ubuntu1
173. mawk@1.3.3-17ubuntu3
174. mount@2.31.1-0.4ubuntu3.7
175. ncurses-base@6.1-1ubuntu1.18.04
CVEs:
1. CVE-2019-17594 (Low)
2. CVE-2019-17595 (Low)
3. CVE-2021-39537 (Low)
4. CVE-2022-29458 (Low)
176. ncurses-bin@6.1-1ubuntu1.18.04
CVEs:
1. CVE-2019-17594 (Low)
2. CVE-2019-17595 (Low)
3. CVE-2021-39537 (Low)
4. CVE-2022-29458 (Low)
177. netbase@5.4
178. openssl@1.1.1-1ubuntu2.1~18.04.20
179. passwd@1:4.5-1ubuntu2.3
CVEs:
1. CVE-2013-4235 (Low)
180. perl-base@5.26.1-6ubuntu0.5
CVEs:
1. CVE-2020-16156 (Medium)
181. procps@2:3.3.12-3ubuntu1.2
182. sed@4.4-2
183. sensible-utils@0.0.12
184. sysvinit-utils@2.88dsf-59.10ubuntu1
185. tar@1.29b-2ubuntu0.3
186. tzdata@2022a-0ubuntu0.18.04
187. ubuntu-keyring@2018.09.18.1~18.04.2
188. util-linux@2.31.1-0.4ubuntu3.7
189. zlib1g@1:1.2.11.dfsg-0ubuntu2.1
190. byte-buddy@1.11.22
191. github.com/BurntSushi/toml@v1.1.0
192. github.com/Masterminds/semver/v3@v3.1.1
193. github.com/apex/log@v1.9.0
194. github.com/buildpacks/libcnb@v1.26.0
195. github.com/buildpacks/lifecycle@(devel)
196. github.com/creack/pty@v1.1.18
197. github.com/h2non/filetype@v1.1.3
198. github.com/heroku/color@v0.0.6
199. github.com/imdario/mergo@v0.3.12
200. github.com/imdario/mergo@v0.3.13
201. github.com/magiconair/properties@v1.8.6
202. github.com/mattn/go-colorable@v0.1.12
203. github.com/mattn/go-isatty@v0.0.14
204. github.com/mattn/go-shellwords@v1.0.12
205. github.com/miekg/dns@v1.1.49
206. github.com/mitchellh/hashstructure/v2@v2.0.2
207. github.com/onsi/gomega@v1.19.0
208. github.com/paketo-buildpacks/ca-certificates/v3@(devel)
209. github.com/paketo-buildpacks/libjvm@v1.37.0
210. github.com/paketo-buildpacks/libpak@v1.60.1
211. github.com/paketo-buildpacks/spring-boot/v5@(devel)
212. github.com/pavel-v-chernykh/keystore-go/v4@v4.3.0
213. github.com/pelletier/go-toml@v1.9.5
214. github.com/pkg/errors@v0.9.1
215. github.com/xi2/xz@v0.0.0-20171230120015-48954b6210f8
216. golang.org/x/net@v0.0.0-20220225172249-27dd8689420f
217. golang.org/x/sys@v0.0.0-20220319134239-a9b59b0215f8
218. golang.org/x/sys@v0.0.0-20220520151302-bc2c85ada10a
219. jrt-fs@11.0.15.1
220. spring-cloud-bindings@1.9.0
Criticalな脆弱性は無視したCVE-2016-1000027であることがわかります。
なお、検出された脆弱性一覧は次の図のようにTAP GUIでも確認できます。(なぜかCVE-2016-1000027は"Unknown"になっていますが...)
grypeCLIで直接イメージをスキャンした場合は次のような結果が得られます。検出された脆弱性のうちFixされているもの(=改善の余地のあるもの)はほとんどないことが分かります。$ grype $(kubectl get imagescan -n demo spring-music -ojsonpath='{.spec.registry.image}') ✔ Vulnerability DB [updated] ✔ Loaded image ✔ Parsed image ✔ Cataloged packages [241 packages] ✔ Scanned image [47 vulnerabilities] NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY coreutils 8.28-1ubuntu1 deb CVE-2016-2781 Low gcc-8-base 8.4.0-1ubuntu1~18.04 deb CVE-2020-13844 Medium jquery 2.1.0-2 java-archive CVE-2007-2379 Medium jquery 2.1.0-2 java-archive CVE-2020-11022 Medium jquery 2.1.0-2 java-archive CVE-2020-11023 Medium jquery 2.1.0-2 java-archive CVE-2015-9251 Medium jquery 2.1.0-2 java-archive CVE-2019-11358 Medium libc-bin 2.27-3ubuntu1.6 deb CVE-2009-5155 Negligible libc-bin 2.27-3ubuntu1.6 deb CVE-2016-20013 Negligible libc-bin 2.27-3ubuntu1.6 deb CVE-2015-8985 Negligible libc6 2.27-3ubuntu1.6 deb CVE-2015-8985 Negligible libc6 2.27-3ubuntu1.6 deb CVE-2016-20013 Negligible libc6 2.27-3ubuntu1.6 deb CVE-2009-5155 Negligible libgcc1 1:8.4.0-1ubuntu1~18.04 deb CVE-2020-13844 Medium libgnutls30 3.5.18-1ubuntu1.5 3.5.18-1ubuntu1.6 deb CVE-2021-4209 Low libgnutls30 3.5.18-1ubuntu1.5 3.5.18-1ubuntu1.6 deb CVE-2022-2509 Medium libgnutls30 3.5.18-1ubuntu1.5 deb CVE-2018-16868 Low libncurses5 6.1-1ubuntu1.18.04 deb CVE-2022-29458 Negligible libncurses5 6.1-1ubuntu1.18.04 deb CVE-2019-17595 Negligible libncurses5 6.1-1ubuntu1.18.04 deb CVE-2019-17594 Negligible libncurses5 6.1-1ubuntu1.18.04 deb CVE-2021-39537 Negligible libncursesw5 6.1-1ubuntu1.18.04 deb CVE-2021-39537 Negligible libncursesw5 6.1-1ubuntu1.18.04 deb CVE-2019-17595 Negligible libncursesw5 6.1-1ubuntu1.18.04 deb CVE-2022-29458 Negligible libncursesw5 6.1-1ubuntu1.18.04 deb CVE-2019-17594 Negligible libpcre3 2:8.39-9ubuntu0.1 deb CVE-2017-11164 Negligible libstdc++6 8.4.0-1ubuntu1~18.04 deb CVE-2020-13844 Medium libtinfo5 6.1-1ubuntu1.18.04 deb CVE-2019-17594 Negligible libtinfo5 6.1-1ubuntu1.18.04 deb CVE-2022-29458 Negligible libtinfo5 6.1-1ubuntu1.18.04 deb CVE-2019-17595 Negligible libtinfo5 6.1-1ubuntu1.18.04 deb CVE-2021-39537 Negligible locales 2.27-3ubuntu1.6 deb CVE-2016-20013 Negligible locales 2.27-3ubuntu1.6 deb CVE-2015-8985 Negligible locales 2.27-3ubuntu1.6 deb CVE-2009-5155 Negligible login 1:4.5-1ubuntu2.3 deb CVE-2013-4235 Low ncurses-base 6.1-1ubuntu1.18.04 deb CVE-2019-17595 Negligible ncurses-base 6.1-1ubuntu1.18.04 deb CVE-2022-29458 Negligible ncurses-base 6.1-1ubuntu1.18.04 deb CVE-2021-39537 Negligible ncurses-base 6.1-1ubuntu1.18.04 deb CVE-2019-17594 Negligible ncurses-bin 6.1-1ubuntu1.18.04 deb CVE-2019-17594 Negligible ncurses-bin 6.1-1ubuntu1.18.04 deb CVE-2019-17595 Negligible ncurses-bin 6.1-1ubuntu1.18.04 deb CVE-2022-29458 Negligible ncurses-bin 6.1-1ubuntu1.18.04 deb CVE-2021-39537 Negligible passwd 1:4.5-1ubuntu2.3 deb CVE-2013-4235 Low perl-base 5.26.1-6ubuntu0.5 deb CVE-2020-16156 Medium postgresql 42.3.6 java-archive CVE-2017-8806 Medium spring-core 5.3.22 java-archive CVE-2016-1000027 Critical
今回はScanにパスしたので、URLにアクセスできます。
脆弱性の検出
ソースコードにわざと脆弱なライブラリを追加してみます。Workloadのブランチを次のように変更してください。
tanzu apps workload apply spring-music \
--app spring-music \
--git-repo https://github.com/tanzu-japan/spring-music \
--git-branch vulnerability-demo \
--type web \
--label apps.tanzu.vmware.com/has-tests=true \
--annotation autoscaling.knative.dev/minScale=1 \
-n demo \
-y
tanzu apps workload tail spring-music -n demo
# "or" stern -n demo spring-music
次のコマンドで進捗をwatchします。
watch kubectl get workload,pod,gitrepo,pipelinerun,sourcescan,imgs,build,imagescan,podintent,taskrun,imagerepository,deliverable,app,ksvc -n demo -owide -l app.kubernetes.io/part-of=spring-music
今回はImageScanがFaildになります。Highな脆弱性が1件追加されました。
$ kubectl get imagescan -n demo spring-music
NAME PHASE SCANNEDIMAGE AGE CRITICAL HIGH MEDIUM LOW UNKNOWN CVETOTAL
spring-music Failed tap28868.azurecr.io/supply-chain/spring-music-demo@sha256:c9e65a62a0506de984b31642bf4b6711815df034e1dc59dad7fbff12081b240f 30m 1 1 9 12 0 23
tanzu insightコマンドで確認しましょう。
$ tanzu insight image get --digest sha256:c9e65a62a0506de984b31642bf4b6711815df034e1dc59dad7fbff12081b240f
ID: 2
Registry: tap28868.azurecr.io
Image Name: supply-chain/spring-music-demo
Digest: sha256:c9e65a62a0506de984b31642bf4b6711815df034e1dc59dad7fbff12081b240f
Packages:
1. helper@9.3.6
...
220. commons-collections4@4.0
CVEs:
1. GHSA-6hgm-866r-3cjv (High)
commons-collection4の脆弱性が検出されています。
TAP GUIでも確認できます。
ScanPolicyに抵触する場合は、赤くメッセージが表示されます。
脆弱性がFixされたcommons-collection4を使用したbranchはvulnerability-fixedです。次のコマンドでWorkloadを更新すれば、ImageScanがCompletedになります。
tanzu apps workload apply spring-music \
--app spring-music \
--git-repo https://github.com/tanzu-japan/spring-music \
--git-branch vulnerability-fixed \
--type web \
--label apps.tanzu.vmware.com/has-tests=true \
--annotation autoscaling.knative.dev/minScale=1 \
-n demo \
-y
tanzu apps workload tail spring-music -n demo
# "or" stern -n demo spring-music