Le traduzioni sono generate tramite traduzione automatica. In caso di conflitto tra il contenuto di una traduzione e la versione originale in Inglese, quest'ultima prevarrà.
Creazione di un'integrazione di pipeline CI/CD personalizzata con Amazon Inspector Scan
Ti consigliamo di utilizzare i plug-in CI/CD di Amazon Inspector se i plug-in CI/CD di Amazon Inspector sono disponibili per la tua soluzione CI/CD. Se i plug-in CI/CD di Amazon Inspector non sono disponibili per la tua soluzione CI/CD, puoi utilizzare una combinazione di Amazon Inspector Generator e SBOM Amazon Inspector Scan per creare un'integrazione CI/CD personalizzata. API I passaggi seguenti descrivono come creare un'integrazione di pipeline CI/CD personalizzata con Amazon Inspector Scan.
Suggerimento
Puoi utilizzare Amazon Inspector SBOM Generator (Sbomgen) per saltare i passaggi 3 e 4 se desideri generare e scansionare il tuo con un unico SBOM comando.
Fase 1: Configurazione Account AWS
Configura un Account AWS dispositivo che fornisca l'accesso ad Amazon Inspector Scan. API Per ulteriori informazioni, consulta Configurazione di un AWS account per utilizzare l'integrazione CI/CD di Amazon Inspector.
Fase 2: Installazione Sbomgen del binario
Installa e configura il Sbomgen file binario. Per ulteriori informazioni, consulta l'argomento relativo all'installazione di Sbomgen.
Fase 3. Uso di Sbomgen
Utilizzate il Sbomgen per creare un SBOM file per l'immagine di un contenitore che desiderate scansionare.
È possibile utilizzare l'esempio seguente. Replace (Sostituisci)
con il nome dell'immagine da scansionare. Replace (Sostituisci) image:id
con la posizione in cui si desidera salvare l'output. SBOM sbom_path.json
Esempio
./inspector-sbomgen container --image
image:id
-o sbom_path.json
Fase 4. Chiamata di Amazon Inspector Scan API
Chiama il file inspector-scan
API per scansionare il file generato SBOM e fornire un report di vulnerabilità.
È possibile utilizzare l'esempio seguente. Replace (Sostituisci) sbom_path.json
con la posizione di un file compatibile con CyclonedX valido. SBOM Replace (Sostituisci) ENDPOINT
con l'APIendpoint per il Regione AWS quale sei attualmente autenticato. Replace (Sostituisci) REGION
con la regione corrispondente.
Esempio
aws inspector-scan scan-sbom --sbom file://
sbom_path.json
--endpoint ENDPOINT-URL
--region REGION
Per un elenco completo degli endpoint Regioni AWS e, consulta Regioni ed endpoint.
(Facoltativo) Fase 5. Genera e scansiona SBOM con un solo comando
Nota
Completa questo passaggio solo se hai saltato i passaggi 3 e 4.
Genera e scansiona il tuo SBOM in un unico comando usando il --scan-bom
flag.
Puoi usare il seguente esempio. Replace (Sostituisci)
con il nome dell'immagine da scansionare. Replace (Sostituisci) image:id
profile
con il profilo corrispondente. Replace (Sostituisci) REGION
con la regione corrispondente. Replace (Sostituisci) /tmp/scan.json
con la posizione del file scan.json nella directory tmp.
Esempio
./inspector-sbomgen container --image
image:id
--scan-sbom --aws-profile profile
--aws-region REGION
-o /tmp/scan.json
Per un elenco completo degli endpoint, consulta Regioni AWS Regioni ed endpoint.
APIformati di output
Amazon Inspector Scan API può generare un report di vulnerabilità in formato CycloneDX 1.5 o un risultato di Amazon Inspector. JSON L'impostazione predefinita può essere modificata utilizzando il flag. --output-format
{ "status": "SBOM parsed successfully, 1 vulnerabilities found", "sbom": { "bomFormat": "CycloneDX", "specVersion": "1.5", "serialNumber": "urn:uuid:0077b45b-ff1e-4dbb-8950-ded11d8242b1", "metadata": { "properties": [ { "name": "amazon:inspector:sbom_scanner:critical_vulnerabilities", "value": "1" }, { "name": "amazon:inspector:sbom_scanner:high_vulnerabilities", "value": "0" }, { "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities", "value": "0" }, { "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", "value": "0" } ], "tools": [ { "name": "CycloneDX SBOM API", "vendor": "Amazon Inspector", "version": "empty:083c9b00:083c9b00:083c9b00" } ], "timestamp": "2023-06-28T14:15:53.760Z" }, "components": [ { "bom-ref": "comp-1", "type": "library", "name": "log4j-core", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1", "properties": [ { "name": "amazon:inspector:sbom_scanner:path", "value": "/home/dev/foo.jar" } ] } ], "vulnerabilities": [ { "bom-ref": "vuln-1", "id": "CVE-2021-44228", "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, "references": [ { "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720", "source": { "name": "SNYK", "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720" } }, { "id": "GHSA-jfh8-c2jp-5v3q", "source": { "name": "GITHUB", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" } } ], "ratings": [ { "source": { "name": "NVD", "url": "https://www.first.org/cvss/v3-1/" }, "score": 10.0, "severity": "critical", "method": "CVSSv31", "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "source": { "name": "NVD", "url": "https://www.first.org/cvss/v2/" }, "score": 9.3, "severity": "critical", "method": "CVSSv2", "vector": "AC:M/Au:N/C:C/I:C/A:C" }, { "source": { "name": "EPSS", "url": "https://www.first.org/epss/" }, "score": 0.97565, "severity": "none", "method": "other", "vector": "model:v2023.03.01,date:2023-06-27T00:00:00+0000" }, { "source": { "name": "SNYK", "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720" }, "score": 10.0, "severity": "critical", "method": "CVSSv31", "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H" }, { "source": { "name": "GITHUB", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, "score": 10.0, "severity": "critical", "method": "CVSSv31", "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" } ], "cwes": [ 400, 20, 502 ], "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.", "advisories": [ { "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html" }, { "url": "https://support.apple.com/kb/HT213189" }, { "url": "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/" }, { "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "url": "https://www.debian.org/security/2021/dsa-5020" }, { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf" }, { "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html" }, { "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/" }, { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf" }, { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/" }, { "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "url": "https://twitter.com/kurtseifried/status/1469345530182455296" }, { "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd" }, { "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html" }, { "url": "https://www.kb.cert.org/vuls/id/930724" } ], "created": "2021-12-10T10:15:00Z", "updated": "2023-04-03T20:15:00Z", "affects": [ { "ref": "comp-1" } ], "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", "value": "true" }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", "value": "2023-03-06T00:00:00Z" }, { "name": "amazon:inspector:sbom_scanner:cisa_kev_date_added", "value": "2021-12-10T00:00:00Z" }, { "name": "amazon:inspector:sbom_scanner:cisa_kev_date_due", "value": "2021-12-24T00:00:00Z" }, { "name": "amazon:inspector:sbom_scanner:fixed_version:comp-1", "value": "2.15.0" } ] } ] } }
{ "status": "SBOM parsed successfully, 1 vulnerability found", "inspector": { "messages": [ { "name": "foo", "purl": "pkg:maven/foo@1.0.0", // Will not exist in output if missing in sbom "info": "Component skipped: no rules found." } ], "vulnerability_count": { "critical": 1, "high": 0, "medium": 0, "low": 0 }, "vulnerabilities": [ { "id": "CVE-2021-44228", "severity": "critical", "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "related": [ "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720", "GHSA-jfh8-c2jp-5v3q" ], "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.", "references": [ "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html", "https://support.apple.com/kb/HT213189", "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/", "https://logging.apache.org/log4j/2.x/security.html", "https://www.debian.org/security/2021/dsa-5020", "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf", "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html", "https://www.oracle.com/security-alerts/cpujan2022.html", "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/", "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf", "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/", "https://www.oracle.com/security-alerts/cpuapr2022.html", "https://twitter.com/kurtseifried/status/1469345530182455296", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd", "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html", "https://www.kb.cert.org/vuls/id/930724" ], "created": "2021-12-10T10:15:00Z", "updated": "2023-04-03T20:15:00Z", "properties": { "cisa_kev_date_added": "2021-12-10T00:00:00Z", "cisa_kev_date_due": "2021-12-24T00:00:00Z", "cwes": [ 400, 20, 502 ], "cvss": [ { "source": "NVD", "severity": "critical", "cvss3_base_score": 10.0, "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "cvss2_base_score": 9.3, "cvss2_base_vector": "AC:M/Au:N/C:C/I:C/A:C" }, { "source": "SNYK", "severity": "critical", "cvss3_base_score": 10.0, "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H" }, { "source": "GITHUB", "severity": "critical", "cvss3_base_score": 10.0, "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" } ], "epss": 0.97565, "exploit_available": true, "exploit_last_seen_in_public": "2023-03-06T00:00:00Z" }, "affects": [ { "installed_version": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1", "fixed_version": "2.15.0", "path": "/home/dev/foo.jar" } ] } ] } }