Terjemahan disediakan oleh mesin penerjemah. Jika konten terjemahan yang diberikan bertentangan dengan versi bahasa Inggris aslinya, utamakan versi bahasa Inggris.
Membuat integrasi CI/CD pipeline khusus dengan Amazon Inspector Scan
Kami menyarankan Anda menggunakan plugin Amazon Inspector jika CI/CD plugin Amazon Inspector tersedia untuk solusi CI/CD Anda. CI/CD Jika CI/CD plugin Amazon Inspector tidak tersedia untuk CI/CD solusi Anda, Anda dapat menggunakan kombinasi Amazon Inspector SBOM Generator dan Amazon Inspector Scan API untuk membuat integrasi kustom. CI/CD Langkah-langkah berikut menjelaskan cara membuat integrasi CI/CD pipeline khusus dengan Amazon Inspector Scan.
Tip
Anda dapat menggunakan Amazon Inspector SBOM Generator (Sbomgen) untuk melewati Langkah 3 dan Langkah 4 jika Anda ingin menghasilkan dan memindai SBOM Anda dalam satu perintah.
Langkah 1. Mengkonfigurasi Akun AWS
Konfigurasikan Akun AWS yang menyediakan akses ke Amazon Inspector Scan API. Untuk informasi selengkapnya, lihat Menyiapkan AWS akun untuk menggunakan integrasi Amazon Inspector CI/CD .
Langkah 2. Menginstal Sbomgen biner
Instal dan konfigurasikan Sbomgen biner. Untuk informasi lebih lanjut, lihat Memasang Sbomgen.
Langkah 3. Menggunakan Sbomgen
Gunakan Sbomgen untuk membuat file SBOM untuk gambar kontainer yang ingin Anda pindai.
Anda dapat menggunakan contoh berikut. Ganti image:idsbom_path.json
Contoh
./inspector-sbomgen container --image
image:id -o sbom_path.json
Langkah 4. Memanggil Amazon Inspector Scan API
Panggil inspector-scan API untuk memindai SBOM yang dihasilkan dan memberikan laporan kerentanan.
Anda dapat menggunakan contoh berikut. Ganti sbom_path.json dengan lokasi file SBOM kompatibel CycloneDX yang valid. Ganti ENDPOINT dengan titik akhir API untuk Wilayah AWS tempat Anda saat ini diautentikasi. Ganti REGION dengan Wilayah yang sesuai.
Contoh
aws inspector-scan scan-sbom --sbom file://
sbom_path.json --endpoint ENDPOINT-URL --region REGION
Untuk daftar lengkap Wilayah AWS dan titik akhir, lihat Wilayah dan titik akhir.
(Opsional) Langkah 5. Menghasilkan dan memindai SBOM dalam satu perintah
catatan
Hanya selesaikan langkah ini jika Anda melewati Langkah 3 dan Langkah 4.
Hasilkan dan pindai SBOM Anda dalam satu perintah menggunakan --scan-bom bendera.
Anda dapat menggunakan contoh berikut. Ganti image:idprofile dengan profil yang sesuai. Ganti REGION dengan Wilayah yang sesuai. Ganti /tmp/scan.json dengan lokasi file scan.json di direktori tmp.
Contoh
./inspector-sbomgen container --image
image:id --scan-sbom --aws-profile profile --aws-region REGION -o /tmp/scan.json
Untuk daftar lengkap Wilayah AWS dan titik akhir, lihat Wilayah dan titik akhir.
Format keluaran API
Amazon Inspector Scan API dapat menampilkan laporan kerentanan dalam format CycloneDX 1.5 atau Amazon Inspector menemukan JSON. Default dapat diubah menggunakan --output-format bendera.
{ "status": "SBOM parsed successfully, 1 vulnerabilities found", "sbom": { "bomFormat": "CycloneDX", "specVersion": "1.5", "serialNumber": "urn:uuid:0077b45b-ff1e-4dbb-8950-ded11d8242b1", "metadata": { "properties": [ { "name": "amazon:inspector:sbom_scanner:critical_vulnerabilities", "value": "1" }, { "name": "amazon:inspector:sbom_scanner:high_vulnerabilities", "value": "0" }, { "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities", "value": "0" }, { "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", "value": "0" } ], "tools": [ { "name": "CycloneDX SBOM API", "vendor": "Amazon Inspector", "version": "empty:083c9b00:083c9b00:083c9b00" } ], "timestamp": "2023-06-28T14:15:53.760Z" }, "components": [ { "bom-ref": "comp-1", "type": "library", "name": "log4j-core", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1", "properties": [ { "name": "amazon:inspector:sbom_scanner:path", "value": "/home/dev/foo.jar" } ] } ], "vulnerabilities": [ { "bom-ref": "vuln-1", "id": "CVE-2021-44228", "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, "references": [ { "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720", "source": { "name": "SNYK", "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720" } }, { "id": "GHSA-jfh8-c2jp-5v3q", "source": { "name": "GITHUB", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" } } ], "ratings": [ { "source": { "name": "NVD", "url": "https://www.first.org/cvss/v3-1/" }, "score": 10.0, "severity": "critical", "method": "CVSSv31", "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "source": { "name": "NVD", "url": "https://www.first.org/cvss/v2/" }, "score": 9.3, "severity": "critical", "method": "CVSSv2", "vector": "AC:M/Au:N/C:C/I:C/A:C" }, { "source": { "name": "EPSS", "url": "https://www.first.org/epss/" }, "score": 0.97565, "severity": "none", "method": "other", "vector": "model:v2023.03.01,date:2023-06-27T00:00:00+0000" }, { "source": { "name": "SNYK", "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720" }, "score": 10.0, "severity": "critical", "method": "CVSSv31", "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H" }, { "source": { "name": "GITHUB", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, "score": 10.0, "severity": "critical", "method": "CVSSv31", "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" } ], "cwes": [ 400, 20, 502 ], "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.", "advisories": [ { "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html" }, { "url": "https://support.apple.com/kb/HT213189" }, { "url": "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/" }, { "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "url": "https://www.debian.org/security/2021/dsa-5020" }, { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf" }, { "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html" }, { "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/" }, { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf" }, { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/" }, { "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "url": "https://twitter.com/kurtseifried/status/1469345530182455296" }, { "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd" }, { "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html" }, { "url": "https://www.kb.cert.org/vuls/id/930724" } ], "created": "2021-12-10T10:15:00Z", "updated": "2023-04-03T20:15:00Z", "affects": [ { "ref": "comp-1" } ], "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", "value": "true" }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", "value": "2023-03-06T00:00:00Z" }, { "name": "amazon:inspector:sbom_scanner:cisa_kev_date_added", "value": "2021-12-10T00:00:00Z" }, { "name": "amazon:inspector:sbom_scanner:cisa_kev_date_due", "value": "2021-12-24T00:00:00Z" }, { "name": "amazon:inspector:sbom_scanner:fixed_version:comp-1", "value": "2.15.0" } ] } ] } }
{ "status": "SBOM parsed successfully, 1 vulnerability found", "inspector": { "messages": [ { "name": "foo", "purl": "pkg:maven/foo@1.0.0", // Will not exist in output if missing in sbom "info": "Component skipped: no rules found." } ], "vulnerability_count": { "critical": 1, "high": 0, "medium": 0, "low": 0 }, "vulnerabilities": [ { "id": "CVE-2021-44228", "severity": "critical", "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "related": [ "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720", "GHSA-jfh8-c2jp-5v3q" ], "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.", "references": [ "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html", "https://support.apple.com/kb/HT213189", "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/", "https://logging.apache.org/log4j/2.x/security.html", "https://www.debian.org/security/2021/dsa-5020", "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf", "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html", "https://www.oracle.com/security-alerts/cpujan2022.html", "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/", "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf", "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/", "https://www.oracle.com/security-alerts/cpuapr2022.html", "https://twitter.com/kurtseifried/status/1469345530182455296", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd", "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html", "https://www.kb.cert.org/vuls/id/930724" ], "created": "2021-12-10T10:15:00Z", "updated": "2023-04-03T20:15:00Z", "properties": { "cisa_kev_date_added": "2021-12-10T00:00:00Z", "cisa_kev_date_due": "2021-12-24T00:00:00Z", "cwes": [ 400, 20, 502 ], "cvss": [ { "source": "NVD", "severity": "critical", "cvss3_base_score": 10.0, "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "cvss2_base_score": 9.3, "cvss2_base_vector": "AC:M/Au:N/C:C/I:C/A:C" }, { "source": "SNYK", "severity": "critical", "cvss3_base_score": 10.0, "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H" }, { "source": "GITHUB", "severity": "critical", "cvss3_base_score": 10.0, "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" } ], "epss": 0.97565, "exploit_available": true, "exploit_last_seen_in_public": "2023-03-06T00:00:00Z" }, "affects": [ { "installed_version": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1", "fixed_version": "2.15.0", "path": "/home/dev/foo.jar" } ] } ] } }
