


# Creating a custom CI/CD pipeline integration with Amazon Inspector Scan
<a name="cicd-custom"></a>

 We recommend that you use the [Amazon Inspector CI/CD plugins](https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html) if they are available for your CI/CD solution. If the Amazon Inspector CI/CD plugins are not available for your CI/CD solution, you can use a combination of the Amazon Inspector SBOM Generator and the Amazon Inspector Scan API to create a custom CI/CD integration. The following steps describe how to create a custom CI/CD pipeline integration with Amazon Inspector Scan. 

**Tip**  
 You can use the [Amazon Inspector SBOM Generator (Sbomgen)](https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html#install-sbomgen) to skip steps 3 and 4 if you want to [generate and scan your SBOM in a single command](https://docs.aws.amazon.com/inspector/latest/user/cicd-custom.html#generate-scan-sbom.html). 

## Step 1. Configuring an AWS account
<a name="configure-account"></a>

 Configure an AWS account that provides access to the Amazon Inspector Scan API. For more information, see [Setting up an AWS account to use the Amazon Inspector CI/CD integration](configure-cicd-account.md). 

## Step 2. Install the Sbomgen binary
<a name="install-sbom-binary"></a>

 Install and configure the Sbomgen binary. For more information, see [Installing Sbomgen](https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html#install-sbomgen). 

## Step 3. Use Sbomgen
<a name="use-sbom-generator"></a>

 Use Sbomgen to create an SBOM file for a container image that you want to scan. 

 You can use the following example. Replace {{`image:id`}} with the name of the image that you want to scan. Replace {{`sbom_path.json`}} with the location where you want to save the SBOM output. 

**Example**  
 `./inspector-sbomgen container --image {{image:id}} -o {{sbom_path.json}}` 

## Step 4. Call the Amazon Inspector Scan API
<a name="call-api"></a>

 Call the `inspector-scan` API to scan the generated SBOM and provide a vulnerability report. 

 You can use the following example. Replace {{sbom\_path.json}} with the location of a valid CycloneDX-compatible SBOM file. Replace {{ENDPOINT-URL}} with the API endpoint for the AWS Region where you are currently authenticated. Replace {{REGION}} with the corresponding Region. 

**Example**  
 `aws inspector-scan scan-sbom --sbom file://{{sbom_path.json}} --endpoint {{ENDPOINT-URL}} --region {{REGION}}` 

 For a complete list of AWS Regions and endpoints, see [Regions and endpoints](https://docs.aws.amazon.com/inspector/latest/user/inspector_regions.html#inspector-scan-endpoints). 

## (Optional) Step 5. Generate and scan the SBOM in a single command
<a name="generate-scan-sbom"></a>

**Note**  
 Complete this step only if you skipped steps 3 and 4. 

 Generate and scan the SBOM in a single command using the `--scan-sbom` flag. 

 You can use the following example. Replace {{`image:id`}} with the name of the image that you want to scan. Replace {{profile}} with the corresponding profile. Replace {{REGION}} with the corresponding Region. Replace {{/tmp/scan.json}} with the location of the scan.json file in the tmp directory. 

**Example**  
 `./inspector-sbomgen container --image {{image:id}} --scan-sbom --aws-profile {{profile}} --aws-region {{REGION}} -o {{/tmp/scan.json}}` 

 For a complete list of AWS Regions and endpoints, see [Regions and endpoints](https://docs.aws.amazon.com/inspector/latest/user/inspector_regions.html#inspector-scan-endpoints). 

## API output formats
<a name="API-output-samples"></a>

The Amazon Inspector Scan API can output a vulnerability report in CycloneDX 1.5 format or in Amazon Inspector findings JSON format. The default can be changed using the `--output-format` flag.

### Sample output in CycloneDX 1.5 format - Linux
<a name="cyclone-format"></a>

```
{
  "status": "SBOM parsed successfully, 1 vulnerabilities found",
  "sbom": {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:0077b45b-ff1e-4dbb-8950-ded11d8242b1",
    "metadata": {
      "properties": [
        {
          "name": "amazon:inspector:sbom_scanner:critical_vulnerabilities",
          "value": "1"
        },
        {
          "name": "amazon:inspector:sbom_scanner:high_vulnerabilities",
          "value": "0"
        },
        {
          "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities",
          "value": "0"
        },
        {
          "name": "amazon:inspector:sbom_scanner:low_vulnerabilities",
          "value": "0"
        }
      ],
      "tools": [
        {
          "name": "CycloneDX SBOM API",
          "vendor": "Amazon Inspector",
          "version": "empty:083c9b00:083c9b00:083c9b00"
        }
      ],
      "timestamp": "2023-06-28T14:15:53.760Z"
    },
    "components": [
      {
        "bom-ref": "comp-1",
        "type": "library",
        "name": "log4j-core",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1",
        "properties": [
          {
            "name": "amazon:inspector:sbom_scanner:path",
            "value": "/home/dev/foo.jar"
          }
        ]
      }
    ],
    "vulnerabilities": [
      {
        "bom-ref": "vuln-1",
        "id": "CVE-2021-44228",
        "source": {
          "name": "NVD",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
        },
        "references": [
          {
            "id": "GHSA-jfh8-c2jp-5v3q",
            "source": {
              "name": "GITHUB",
              "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"
            }
          }
        ],
        "ratings": [
          {
            "source": {
              "name": "NVD",
              "url": "https://www.first.org/cvss/v3-1/"
            },
            "score": 10.0,
            "severity": "critical",
            "method": "CVSSv31",
            "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
          },
          {
            "source": {
              "name": "NVD",
              "url": "https://www.first.org/cvss/v2/"
            },
            "score": 9.3,
            "severity": "critical",
            "method": "CVSSv2",
            "vector": "AC:M/Au:N/C:C/I:C/A:C"
          },
          {
            "source": {
              "name": "EPSS",
              "url": "https://www.first.org/epss/"
            },
            "score": 0.97565,
            "severity": "none",
            "method": "other",
            "vector": "model:v2023.03.01,date:2023-06-27T00:00:00+0000"
          },
          {
            "source": {
              "name": "GITHUB",
              "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"
            },
            "score": 10.0,
            "severity": "critical",
            "method": "CVSSv31",
            "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
          }
        ],
        "cwes": [
          400,
          20,
          502
        ],
        "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.",
        "advisories": [
          {
            "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"
          },
          {
            "url": "https://support.apple.com/kb/HT213189"
          },
          {
            "url": "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/"
          },
          {
            "url": "https://logging.apache.org/log4j/2.x/security.html"
          },
          {
            "url": "https://www.debian.org/security/2021/dsa-5020"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
          },
          {
            "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"
          },
          {
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"
          },
          {
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"
          },
          {
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/"
          },
          {
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "url": "https://twitter.com/kurtseifried/status/1469345530182455296"
          },
          {
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html"
          },
          {
            "url": "https://www.kb.cert.org/vuls/id/930724"
          }
        ],
        "created": "2021-12-10T10:15:00Z",
        "updated": "2023-04-03T20:15:00Z",
        "affects": [
          {
            "ref": "comp-1"
          }
        ],
        "properties": [
          {
            "name": "amazon:inspector:sbom_scanner:exploit_available",
            "value": "true"
          },
          {
            "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public",
            "value": "2023-03-06T00:00:00Z"
          },
          {
            "name": "amazon:inspector:sbom_scanner:cisa_kev_date_added",
            "value": "2021-12-10T00:00:00Z"
          },
          {
            "name": "amazon:inspector:sbom_scanner:cisa_kev_date_due",
            "value": "2021-12-24T00:00:00Z"
          },
          {
            "name": "amazon:inspector:sbom_scanner:fixed_version:comp-1",
            "value": "2.15.0"
          }
        ]
      }
    ]
  }
}
```

### Sample output in CycloneDX 1.5 format - Windows
<a name="cyclone-format-windows"></a>

```
{
  "sbom": {
    "specVersion": "1.5",
    "metadata": {
      "tools": {
        "services": [
          {
            "name": "Amazon Inspector Scan SBOM API",
            "version": "d79c681c+d73b8663+5e50a5ab"
          }
        ]
      },
      "properties": [
        {
          "name": "amazon:inspector:sbom_scanner:critical_vulnerabilities",
          "value": "0"
        },
        {
          "name": "amazon:inspector:sbom_scanner:high_vulnerabilities",
          "value": "0"
        },
        {
          "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities",
          "value": "1"
        },
        {
          "name": "amazon:inspector:sbom_scanner:low_vulnerabilities",
          "value": "0"
        },
        {
          "name": "amazon:inspector:sbom_scanner:other_vulnerabilities",
          "value": "0"
        }
      ],
      "timestamp": "2026-03-17T00:00:52.344Z"
    },
    "components": [
      {
        "bom-ref": "comp-1",
        "name": "defender",
        "purl": "pkg:generic/microsoft/defender@4.18.25110.5",
        "type": "application",
        "version": "4.18.25110.5",
        "properties": [
          {
            "name": "amazon:inspector:sbom_scanner:source_file_scanner",
            "value": "windows-apps"
          },
          {
            "name": "amazon:inspector:sbom_scanner:source_package_collector",
            "value": "windows-app-defender"
          },
          {
            "name": "amazon:inspector:sbom_scanner:path",
            "value": "vol-0d994b0984fdaa2af:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.18.25110.5-0"
          }
        ]
      }
    ],
    "serialNumber": "urn:uuid:6bed582d-191e-4cb7-9875-950dd0b99700",
    "bomFormat": "CycloneDX",
    "vulnerabilities": [
      {
        "advisories": [
          {
            "url": "https://support.microsoft.com/help/5011487"
          },
          {
            "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487"
          }
        ],
        "bom-ref": "vuln-1",
        "references": [
          {
            "id": "CVE-2022-23278",
            "source": {
              "name": "MICROSOFT",
              "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23278"
            }
          }
        ],
        "ratings": [
          {
            "severity": "none",
            "score": 0.02691,
            "method": "other",
            "vector": "model:v2025.03.14,date:2026-03-15T12:55:00Z",
            "source": {
              "name": "EPSS",
              "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23278"
            }
          },
          {
            "severity": "medium",
            "score": 5.9,
            "method": "CVSSv31",
            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "source": {
              "name": "MICROSOFT",
              "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487"
            }
          }
        ],
        "created": "2022-03-08T08:00:00Z",
        "description": "Security Update for Defender (2022-03). Install KB5011487 to remediate. A reboot is required for this update to take effect.",
        "affects": [
          {
            "ref": "comp-1"
          }
        ],
        "id": "KB5011487",
        "source": {
          "name": "MICROSOFT",
          "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487"
        },
        "published": "2022-03-08T08:00:00Z",
        "analysis": {
          "state": "in_triage"
        },
        "properties": [
          {
            "name": "amazon:inspector:sbom_scanner:priority",
            "value": "standard"
          },
          {
            "name": "amazon:inspector:sbom_scanner:priority_intelligence",
            "value": "unverified"
          },
          {
            "name": "amazon:inspector:sbom_scanner:fixed_version:comp-1",
            "value": "10.0.19042.1586"
          }
        ]
      }
    ]
  }
}
```

### Sample output in Inspector format - Linux
<a name="inspector-format"></a>

```
{
  "status": "SBOM parsed successfully, 1 vulnerability found",
  "inspector": {
    "messages": [
      {
        "name": "foo",
        "purl": "pkg:maven/foo@1.0.0", // Will not exist in output if missing in sbom
        "info": "Component skipped: no rules found."
      }
    ],
    "vulnerability_count": {
      "critical": 1,
      "high": 0,
      "medium": 0,
      "low": 0
    },
    "vulnerabilities": [
      {
        "id": "CVE-2021-44228",
        "severity": "critical",
        "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
        "related": [
          "GHSA-jfh8-c2jp-5v3q"
        ],
        "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.",
        "references": [
          "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html",
          "https://support.apple.com/kb/HT213189",
          "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/",
          "https://logging.apache.org/log4j/2.x/security.html",
          "https://www.debian.org/security/2021/dsa-5020",
          "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf",
          "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html",
          "https://www.oracle.com/security-alerts/cpujan2022.html",
          "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf",
          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/",
          "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf",
          "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf",
          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/",
          "https://www.oracle.com/security-alerts/cpuapr2022.html",
          "https://twitter.com/kurtseifried/status/1469345530182455296",
          "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd",
          "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html",
          "https://www.kb.cert.org/vuls/id/930724"
        ],
        "created": "2021-12-10T10:15:00Z",
        "updated": "2023-04-03T20:15:00Z",
        "properties": {
          "cisa_kev_date_added": "2021-12-10T00:00:00Z",
          "cisa_kev_date_due": "2021-12-24T00:00:00Z",
          "cwes": [
            400,
            20,
            502
          ],
          "cvss": [
            {
              "source": "NVD",
              "severity": "critical",
              "cvss3_base_score": 10.0,
              "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
              "cvss2_base_score": 9.3,
              "cvss2_base_vector": "AC:M/Au:N/C:C/I:C/A:C"
            },
            {
              "source": "GITHUB",
              "severity": "critical",
              "cvss3_base_score": 10.0,
              "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
            }
          ],
          "epss": 0.97565,
          "exploit_available": true,
          "exploit_last_seen_in_public": "2023-03-06T00:00:00Z"
        },
        "affects": [
          {
            "installed_version": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1",
            "fixed_version": "2.15.0",
            "path": "/home/dev/foo.jar"
          }
        ]
      }
    ]
  }
}
```

### Sample output in Inspector format - Windows
<a name="inspector-format-windows"></a>

```
{
  "sbom": {
    "vulnerabilities": [
      {
        "severity": "medium",
        "priority_intelligence": "unverified",
        "related": [
          "CVE-2022-23278"
        ],
        "references": [
          "https://support.microsoft.com/help/5011487",
          "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487"
        ],
        "created": "2022-03-08T08:00:00Z",
        "description": "Security Update for Defender (2022-03). Install KB5011487 to remediate. A reboot is required for this update to take effect.",
        "affects": [
          {
            "path": "vol-0d994b0984fdaa2af:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.18.25110.5-0",
            "fixed_version": "10.0.19042.1586",
            "installed_version": "pkg:generic/microsoft/defender@4.18.25110.5"
          }
        ],
        "id": "KB5011487",
        "source": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487",
        "published": "2022-03-08T08:00:00Z",
        "priority": "standard",
        "properties": {
          "epss": 0.0269099995,
          "cvss": [
            {
              "severity": "medium",
              "cvss_3_base_score": 5.9000000954,
              "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "source": "MICROSOFT",
              "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487"
            }
          ]
        }
      }
    ],
    "vulnerability_count": {
      "high": 0,
      "other": 0,
      "critical": 0,
      "low": 0,
      "medium": 1
    }
  }
}
```
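
A custom pipeline integration usually ends with a step that turns the scan report into a pass/fail decision. The following is an added example, not part of the AWS documentation or tooling: it reads the severity counts from either output format shown above and fails closed when no counts are present. The function names, the `fail_on` threshold and the `gate.py` file name are assumptions, and the embedded samples are constructed by trimming the outputs above.

```python
import json
import sys

PREFIX = "amazon:inspector:sbom_scanner:"
SUFFIX = "_vulnerabilities"
SEVERITIES = ("critical", "high", "medium", "low", "other")


def severity_counts(report):
    """Return {severity: count} from either output format shown above."""
    if not isinstance(report, dict):
        raise ValueError("scan report is not a JSON object")
    # Inspector format: a "vulnerability_count" object, found under
    # "inspector" (Linux sample) or "sbom" (Windows sample).
    for key in ("inspector", "sbom"):
        raw = (report.get(key) or {}).get("vulnerability_count")
        if isinstance(raw, dict):
            return {s: int(raw.get(s, 0)) for s in SEVERITIES}
    # CycloneDX format: string-valued properties under sbom.metadata.
    metadata = (report.get("sbom") or {}).get("metadata") or {}
    counts, seen = dict.fromkeys(SEVERITIES, 0), False
    for prop in metadata.get("properties") or []:
        name = prop.get("name", "")
        if name.startswith(PREFIX) and name.endswith(SUFFIX):
            severity = name[len(PREFIX):-len(SUFFIX)]
            if severity in counts:
                counts[severity] = int(prop["value"])
                seen = True
    if not seen:
        # Fail closed: a report without counts must not pass as "0 findings".
        raise ValueError("no severity counts found in scan report")
    return counts


def gate(report, fail_on=("critical", "high")):
    """Return (passed, counts); passed is False if any fail_on count > 0."""
    counts = severity_counts(report)
    return all(counts[s] == 0 for s in fail_on), counts


# Constructed samples, trimmed from the outputs shown above.
CYCLONEDX_SAMPLE = {"sbom": {"bomFormat": "CycloneDX", "metadata": {"properties": [
    {"name": PREFIX + "critical_vulnerabilities", "value": "1"},
    {"name": PREFIX + "high_vulnerabilities", "value": "0"},
    {"name": PREFIX + "medium_vulnerabilities", "value": "0"},
    {"name": PREFIX + "low_vulnerabilities", "value": "0"}]}}}
INSPECTOR_SAMPLE = {"sbom": {"vulnerabilities": [], "vulnerability_count": {
    "high": 0, "other": 0, "critical": 0, "low": 0, "medium": 1}}}

if __name__ == "__main__":
    # Pipeline usage (file name assumed): python gate.py /tmp/scan.json
    try:
        with open(sys.argv[1], encoding="utf-8") as fh:
            passed, counts = gate(json.load(fh))
    except (IndexError, OSError, ValueError, KeyError, TypeError) as exc:
        print(f"scan gate error: {exc}", file=sys.stderr)
        sys.exit(2)  # unreadable or unrecognised report also blocks the build
    print(json.dumps(counts))
    sys.exit(0 if passed else 1)
```

Exit code 1 means blocking findings and exit code 2 means the report could not be evaluated, so a pipeline can treat both as failures while reporting them differently.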