Como criar uma integração personalizada de pipeline de CI/CD com o Amazon Inspector Scan
Recomendamos que você use os plug-ins de CI/CD do Amazon Inspector se eles estiverem disponíveis para sua solução de CI/CD. Se os plug-ins de CI/CD do Amazon Inspector não estiverem disponíveis para a solução de CI/CD, você pode usar uma combinação do Amazon Inspector SBOM Generator com a API Amazon Inspector Scan para criar uma integração de CI/CD personalizada. As etapas a seguir descrevem como criar uma integração de pipeline de CI/CD personalizada com o Amazon Inspector Scan.
dica
Você pode usar o Amazon Inspector SBOM Generator (Sbomgen) para pular as etapas 3 e 4 se quiser gerar e verificar sua SBOM em um único comando.
Etapa 1. Como configurar o Conta da AWS
Configure uma Conta da AWS que permita o acesso à API Amazon Inspector Scan. Para ter mais informações, consulte Como configurar uma conta da AWS para usar a integração CI/CD do Amazon Inspector.
Etapa 2. Instalar o binário Sbomgen
Instale e configurar o binário Sbomgen. Para obter mais informações, consulte Instalar o Sbomgen.
Etapa 3. Utilizar o Sbomgen
Use o Sbomgen para criar um arquivo SBOM para uma imagem de contêiner que você deseja verificar.
Você pode usar o seguinte exemplo. Substitua
pelo nome da imagem que você deseja verificar. Substitua image:id
pelo local onde deseja salvar a saída da SBOM. sbom_path.json
Exemplo
./inspector-sbomgen container --image
image:id
-o sbom_path.json
Etapa 4. Chamar a API Amazon Inspector Scan
Considere usar a API inspector-scan
para verificar o SBOM gerado e fornecer um relatório de vulnerabilidade.
Você pode usar o seguinte exemplo. Substitua sbom_path.json
pelo local de um arquivo SBOM válido compatível com o CycloneDX. Substitua ENDPOINT
pelo endpoint da API para a Região da AWS onde você se autentica no momento. Substitua REGION
pela região correspondente.
Exemplo
aws inspector-scan scan-sbom --sbom file://
sbom_path.json
--endpoint ENDPOINT-URL
--region REGION
Para conferir uma lista completa de Regiões da AWS e endpoints, consulte Regions and endpoints.
(Opcional) Etapa 5. Gerar e verificar a SBOM em um único comando
nota
Conclua esta etapa somente se você pulou as etapas 3 e 4.
Gerar e verificar a SBOM em um único comando usando o sinalizador --scan-bom
.
Você pode usar o seguinte exemplo. Substitua
pelo nome da imagem que você quer verificar. Substitua image:id
profile
pelo perfil correspondente. Substitua REGION
pela região correspondente. Substitua /tmp/scan.json
pelo local do arquivo scan.json no diretório tmp.
Exemplo
./inspector-sbomgen container --image
image:id
--scan-sbom --aws-profile profile
--aws-region REGION
-o /tmp/scan.json
Para conferir uma lista completa de Regiões da AWS e endpoints, consulte Regions and endpoints.
Formatos de saída da API
A API Amazon Inspector Scan pode gerar um relatório de vulnerabilidade no formato CycloneDX 1.5 ou no formato JSON de descobertas do Amazon Inspector. O padrão pode ser alterado usando o sinalizador --output-format
.
{ "status": "SBOM parsed successfully, 1 vulnerabilities found", "sbom": { "bomFormat": "CycloneDX", "specVersion": "1.5", "serialNumber": "urn:uuid:0077b45b-ff1e-4dbb-8950-ded11d8242b1", "metadata": { "properties": [ { "name": "amazon:inspector:sbom_scanner:critical_vulnerabilities", "value": "1" }, { "name": "amazon:inspector:sbom_scanner:high_vulnerabilities", "value": "0" }, { "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities", "value": "0" }, { "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", "value": "0" } ], "tools": [ { "name": "CycloneDX SBOM API", "vendor": "Amazon Inspector", "version": "empty:083c9b00:083c9b00:083c9b00" } ], "timestamp": "2023-06-28T14:15:53.760Z" }, "components": [ { "bom-ref": "comp-1", "type": "library", "name": "log4j-core", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1", "properties": [ { "name": "amazon:inspector:sbom_scanner:path", "value": "/home/dev/foo.jar" } ] } ], "vulnerabilities": [ { "bom-ref": "vuln-1", "id": "CVE-2021-44228", "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, "references": [ { "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720", "source": { "name": "SNYK", "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720" } }, { "id": "GHSA-jfh8-c2jp-5v3q", "source": { "name": "GITHUB", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" } } ], "ratings": [ { "source": { "name": "NVD", "url": "https://www.first.org/cvss/v3-1/" }, "score": 10.0, "severity": "critical", "method": "CVSSv31", "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "source": { "name": "NVD", "url": "https://www.first.org/cvss/v2/" }, "score": 9.3, "severity": "critical", "method": "CVSSv2", "vector": "AC:M/Au:N/C:C/I:C/A:C" }, { "source": { "name": "EPSS", "url": "https://www.first.org/epss/" }, "score": 0.97565, "severity": "none", "method": "other", "vector": "model:v2023.03.01,date:2023-06-27T00:00:00+0000" }, { "source": { "name": "SNYK", "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720" }, "score": 10.0, "severity": "critical", "method": "CVSSv31", "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H" }, { "source": { "name": "GITHUB", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, "score": 10.0, "severity": "critical", "method": "CVSSv31", "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" } ], "cwes": [ 400, 20, 502 ], "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.", "advisories": [ { "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html" }, { "url": "https://support.apple.com/kb/HT213189" }, { "url": "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/" }, { "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "url": "https://www.debian.org/security/2021/dsa-5020" }, { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf" }, { "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html" }, { "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/" }, { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf" }, { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/" }, { "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "url": "https://twitter.com/kurtseifried/status/1469345530182455296" }, { "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd" }, { "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html" }, { "url": "https://www.kb.cert.org/vuls/id/930724" } ], "created": "2021-12-10T10:15:00Z", "updated": "2023-04-03T20:15:00Z", "affects": [ { "ref": "comp-1" } ], "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", "value": "true" }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", "value": "2023-03-06T00:00:00Z" }, { "name": "amazon:inspector:sbom_scanner:cisa_kev_date_added", "value": "2021-12-10T00:00:00Z" }, { "name": "amazon:inspector:sbom_scanner:cisa_kev_date_due", "value": "2021-12-24T00:00:00Z" }, { "name": "amazon:inspector:sbom_scanner:fixed_version:comp-1", "value": "2.15.0" } ] } ] } }
{ "status": "SBOM parsed successfully, 1 vulnerability found", "inspector": { "messages": [ { "name": "foo", "purl": "pkg:maven/foo@1.0.0", // Will not exist in output if missing in sbom "info": "Component skipped: no rules found." } ], "vulnerability_count": { "critical": 1, "high": 0, "medium": 0, "low": 0 }, "vulnerabilities": [ { "id": "CVE-2021-44228", "severity": "critical", "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "related": [ "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720", "GHSA-jfh8-c2jp-5v3q" ], "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.", "references": [ "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html", "https://support.apple.com/kb/HT213189", "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/", "https://logging.apache.org/log4j/2.x/security.html", "https://www.debian.org/security/2021/dsa-5020", "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf", "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html", "https://www.oracle.com/security-alerts/cpujan2022.html", "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/", "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf", "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/", "https://www.oracle.com/security-alerts/cpuapr2022.html", "https://twitter.com/kurtseifried/status/1469345530182455296", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd", "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html", "https://www.kb.cert.org/vuls/id/930724" ], "created": "2021-12-10T10:15:00Z", "updated": "2023-04-03T20:15:00Z", "properties": { "cisa_kev_date_added": "2021-12-10T00:00:00Z", "cisa_kev_date_due": "2021-12-24T00:00:00Z", "cwes": [ 400, 20, 502 ], "cvss": [ { "source": "NVD", "severity": "critical", "cvss3_base_score": 10.0, "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "cvss2_base_score": 9.3, "cvss2_base_vector": "AC:M/Au:N/C:C/I:C/A:C" }, { "source": "SNYK", "severity": "critical", "cvss3_base_score": 10.0, "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H" }, { "source": "GITHUB", "severity": "critical", "cvss3_base_score": 10.0, "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" } ], "epss": 0.97565, "exploit_available": true, "exploit_last_seen_in_public": "2023-03-06T00:00:00Z" }, "affects": [ { "installed_version": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1", "fixed_version": "2.15.0", "path": "/home/dev/foo.jar" } ] } ] } }