As traduções são geradas por tradução automática. Em caso de conflito entre o conteúdo da tradução e da versão original em inglês, a versão em inglês prevalecerá.
Criação de uma integração de CI/CD pipeline personalizada com o Amazon Inspector Scan
Recomendamos que você use os plug-ins do Amazon Inspector se os CI/CD plug-ins do Amazon CI/CD Inspector estiverem disponíveis para sua solução. CI/CD Se os CI/CD plug-ins do Amazon Inspector não estiverem disponíveis para sua CI/CD solução, você pode usar uma combinação do Amazon Inspector SBOM Generator e da API Amazon Inspector Scan para criar uma integração personalizada. CI/CD As etapas a seguir descrevem como criar uma integração de CI/CD pipeline personalizada com o Amazon Inspector Scan.
dica
Você pode usar o Amazon Inspector SBOM Generator (Sbomgen) para pular as etapas 3 e 4 se quiser gerar e verificar sua SBOM em um único comando.
Etapa 1. Configurando Conta da AWS
Configure um Conta da AWS que forneça acesso à API Amazon Inspector Scan. Para obter mais informações, consulte Configurando uma AWS conta para usar a integração com o Amazon Inspector CI/CD .
Etapa 2. Instalar o binário Sbomgen
Instale e configurar o binário Sbomgen. Para obter mais informações, consulte Instalar o Sbomgen.
Etapa 3. Usar o Sbomgen
Use o Sbomgen para criar um arquivo SBOM para uma imagem de contêiner que você deseja verificar.
Você pode usar o seguinte exemplo. Substitua image:idsbom_path.json
Exemplo
./inspector-sbomgen container --image
image:id -o sbom_path.json
Etapa 4. Chamar a API Amazon Inspector Scan
Considere usar a API inspector-scan para verificar o SBOM gerado e fornecer um relatório de vulnerabilidade.
Você pode usar o seguinte exemplo. sbom_path.jsonSubstitua pela localização de um arquivo SBOM válido compatível com o CycloneDX. ENDPOINTSubstitua pelo endpoint da API do Região da AWS local em que você está autenticado no momento. REGIONSubstitua pela região correspondente.
Exemplo
aws inspector-scan scan-sbom --sbom file://
sbom_path.json --endpoint ENDPOINT-URL --region REGION
Para obter uma lista completa de endpoints Regiões da AWS e endpoints, consulte Regiões e endpoints.
(Opcional) Etapa 5. Gerar e verificar a SBOM em um único comando
nota
Conclua esta etapa somente se você pulou as etapas 3 e 4.
Gerar e verificar a SBOM em um único comando usando o sinalizador --scan-bom.
Você pode usar o seguinte exemplo. Substitua image:idprofileSubstitua pelo perfil correspondente. REGIONSubstitua pela região correspondente. /tmp/scan.jsonSubstitua pela localização do arquivo scan.json no diretório tmp.
Exemplo
./inspector-sbomgen container --image
image:id --scan-sbom --aws-profile profile --aws-region REGION -o /tmp/scan.json
Para obter uma lista completa de endpoints Regiões da AWS e endpoints, consulte Regiões e endpoints.
Formatos de saída da API
A API Amazon Inspector Scan pode gerar um relatório de vulnerabilidade no formato CycloneDX 1.5 ou no formato JSON de descobertas do Amazon Inspector. O padrão pode ser alterado usando o sinalizador --output-format.
{ "status": "SBOM parsed successfully, 1 vulnerabilities found", "sbom": { "bomFormat": "CycloneDX", "specVersion": "1.5", "serialNumber": "urn:uuid:0077b45b-ff1e-4dbb-8950-ded11d8242b1", "metadata": { "properties": [ { "name": "amazon:inspector:sbom_scanner:critical_vulnerabilities", "value": "1" }, { "name": "amazon:inspector:sbom_scanner:high_vulnerabilities", "value": "0" }, { "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities", "value": "0" }, { "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", "value": "0" } ], "tools": [ { "name": "CycloneDX SBOM API", "vendor": "Amazon Inspector", "version": "empty:083c9b00:083c9b00:083c9b00" } ], "timestamp": "2023-06-28T14:15:53.760Z" }, "components": [ { "bom-ref": "comp-1", "type": "library", "name": "log4j-core", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1", "properties": [ { "name": "amazon:inspector:sbom_scanner:path", "value": "/home/dev/foo.jar" } ] } ], "vulnerabilities": [ { "bom-ref": "vuln-1", "id": "CVE-2021-44228", "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, "references": [ { "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720", "source": { "name": "SNYK", "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720" } }, { "id": "GHSA-jfh8-c2jp-5v3q", "source": { "name": "GITHUB", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" } } ], "ratings": [ { "source": { "name": "NVD", "url": "https://www.first.org/cvss/v3-1/" }, "score": 10.0, "severity": "critical", "method": "CVSSv31", "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "source": { "name": "NVD", "url": "https://www.first.org/cvss/v2/" }, "score": 9.3, "severity": "critical", "method": "CVSSv2", "vector": "AC:M/Au:N/C:C/I:C/A:C" }, { "source": { "name": "EPSS", "url": "https://www.first.org/epss/" }, "score": 0.97565, "severity": "none", "method": "other", "vector": "model:v2023.03.01,date:2023-06-27T00:00:00+0000" }, { "source": { "name": "SNYK", "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720" }, "score": 10.0, "severity": "critical", "method": "CVSSv31", "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H" }, { "source": { "name": "GITHUB", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, "score": 10.0, "severity": "critical", "method": "CVSSv31", "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" } ], "cwes": [ 400, 20, 502 ], "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.", "advisories": [ { "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html" }, { "url": "https://support.apple.com/kb/HT213189" }, { "url": "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/" }, { "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "url": "https://www.debian.org/security/2021/dsa-5020" }, { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf" }, { "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html" }, { "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/" }, { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf" }, { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/" }, { "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "url": "https://twitter.com/kurtseifried/status/1469345530182455296" }, { "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd" }, { "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html" }, { "url": "https://www.kb.cert.org/vuls/id/930724" } ], "created": "2021-12-10T10:15:00Z", "updated": "2023-04-03T20:15:00Z", "affects": [ { "ref": "comp-1" } ], "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", "value": "true" }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", "value": "2023-03-06T00:00:00Z" }, { "name": "amazon:inspector:sbom_scanner:cisa_kev_date_added", "value": "2021-12-10T00:00:00Z" }, { "name": "amazon:inspector:sbom_scanner:cisa_kev_date_due", "value": "2021-12-24T00:00:00Z" }, { "name": "amazon:inspector:sbom_scanner:fixed_version:comp-1", "value": "2.15.0" } ] } ] } }
{ "status": "SBOM parsed successfully, 1 vulnerability found", "inspector": { "messages": [ { "name": "foo", "purl": "pkg:maven/foo@1.0.0", // Will not exist in output if missing in sbom "info": "Component skipped: no rules found." } ], "vulnerability_count": { "critical": 1, "high": 0, "medium": 0, "low": 0 }, "vulnerabilities": [ { "id": "CVE-2021-44228", "severity": "critical", "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "related": [ "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720", "GHSA-jfh8-c2jp-5v3q" ], "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.", "references": [ "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html", "https://support.apple.com/kb/HT213189", "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/", "https://logging.apache.org/log4j/2.x/security.html", "https://www.debian.org/security/2021/dsa-5020", "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf", "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html", "https://www.oracle.com/security-alerts/cpujan2022.html", "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/", "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf", "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/", "https://www.oracle.com/security-alerts/cpuapr2022.html", "https://twitter.com/kurtseifried/status/1469345530182455296", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd", "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html", "https://www.kb.cert.org/vuls/id/930724" ], "created": "2021-12-10T10:15:00Z", "updated": "2023-04-03T20:15:00Z", "properties": { "cisa_kev_date_added": "2021-12-10T00:00:00Z", "cisa_kev_date_due": "2021-12-24T00:00:00Z", "cwes": [ 400, 20, 502 ], "cvss": [ { "source": "NVD", "severity": "critical", "cvss3_base_score": 10.0, "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "cvss2_base_score": 9.3, "cvss2_base_vector": "AC:M/Au:N/C:C/I:C/A:C" }, { "source": "SNYK", "severity": "critical", "cvss3_base_score": 10.0, "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H" }, { "source": "GITHUB", "severity": "critical", "cvss3_base_score": 10.0, "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" } ], "epss": 0.97565, "exploit_available": true, "exploit_last_seen_in_public": "2023-03-06T00:00:00Z" }, "affects": [ { "installed_version": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1", "fixed_version": "2.15.0", "path": "/home/dev/foo.jar" } ] } ] } }
