Como criar uma integração personalizada de pipeline de CI/CD com o Amazon Inspector Scan - Amazon Inspector

Como criar uma integração personalizada de pipeline de CI/CD com o Amazon Inspector Scan

Recomendamos que você use os plug-ins de CI/CD do Amazon Inspector se eles estiverem disponíveis para sua solução de CI/CD. Se os plug-ins de CI/CD do Amazon Inspector não estiverem disponíveis para a solução de CI/CD, você pode usar uma combinação do Amazon Inspector SBOM Generator com a API Amazon Inspector Scan para criar uma integração de CI/CD personalizada. As etapas a seguir descrevem como criar uma integração de pipeline de CI/CD personalizada com o Amazon Inspector Scan.

dica

Você pode usar o Amazon Inspector SBOM Generator (Sbomgen) para pular as etapas 3 e 4 se quiser gerar e verificar sua SBOM em um único comando.

Etapa 1. Como configurar o Conta da AWS

Configure uma Conta da AWS que permita o acesso à API Amazon Inspector Scan. Para ter mais informações, consulte Como configurar uma conta da AWS para usar a integração CI/CD do Amazon Inspector.

Etapa 2. Instalar o binário Sbomgen

Instale e configurar o binário Sbomgen. Para obter mais informações, consulte Instalar o Sbomgen.

Etapa 3. Utilizar o Sbomgen

Use o Sbomgen para criar um arquivo SBOM para uma imagem de contêiner que você deseja verificar.

Você pode usar o seguinte exemplo. Substitua image:id pelo nome da imagem que você deseja verificar. Substitua sbom_path.json pelo local onde deseja salvar a saída da SBOM.

Exemplo

./inspector-sbomgen container --image image:id -o sbom_path.json

Etapa 4. Chamar a API Amazon Inspector Scan

Considere usar a API inspector-scan para verificar o SBOM gerado e fornecer um relatório de vulnerabilidade.

Você pode usar o seguinte exemplo. Substitua sbom_path.json pelo local de um arquivo SBOM válido compatível com o CycloneDX. Substitua ENDPOINT pelo endpoint da API para a Região da AWS onde você se autentica no momento. Substitua REGION pela região correspondente.

Exemplo

aws inspector-scan scan-sbom --sbom file://sbom_path.json --endpoint ENDPOINT-URL --region REGION

Para conferir uma lista completa de Regiões da AWS e endpoints, consulte Regions and endpoints.

(Opcional) Etapa 5. Gerar e verificar a SBOM em um único comando

nota

Conclua esta etapa somente se você pulou as etapas 3 e 4.

Gerar e verificar a SBOM em um único comando usando o sinalizador --scan-bom.

Você pode usar o seguinte exemplo. Substitua image:id pelo nome da imagem que você quer verificar. Substitua profile pelo perfil correspondente. Substitua REGION pela região correspondente. Substitua /tmp/scan.json pelo local do arquivo scan.json no diretório tmp.

Exemplo

./inspector-sbomgen container --image image:id --scan-sbom --aws-profile profile --aws-region REGION -o /tmp/scan.json

Para conferir uma lista completa de Regiões da AWS e endpoints, consulte Regions and endpoints.

Formatos de saída da API

A API Amazon Inspector Scan pode gerar um relatório de vulnerabilidade no formato CycloneDX 1.5 ou no formato JSON de descobertas do Amazon Inspector. O padrão pode ser alterado usando o sinalizador --output-format.

{ "status": "SBOM parsed successfully, 1 vulnerabilities found", "sbom": { "bomFormat": "CycloneDX", "specVersion": "1.5", "serialNumber": "urn:uuid:0077b45b-ff1e-4dbb-8950-ded11d8242b1", "metadata": { "properties": [ { "name": "amazon:inspector:sbom_scanner:critical_vulnerabilities", "value": "1" }, { "name": "amazon:inspector:sbom_scanner:high_vulnerabilities", "value": "0" }, { "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities", "value": "0" }, { "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", "value": "0" } ], "tools": [ { "name": "CycloneDX SBOM API", "vendor": "Amazon Inspector", "version": "empty:083c9b00:083c9b00:083c9b00" } ], "timestamp": "2023-06-28T14:15:53.760Z" }, "components": [ { "bom-ref": "comp-1", "type": "library", "name": "log4j-core", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1", "properties": [ { "name": "amazon:inspector:sbom_scanner:path", "value": "/home/dev/foo.jar" } ] } ], "vulnerabilities": [ { "bom-ref": "vuln-1", "id": "CVE-2021-44228", "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, "references": [ { "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720", "source": { "name": "SNYK", "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720" } }, { "id": "GHSA-jfh8-c2jp-5v3q", "source": { "name": "GITHUB", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" } } ], "ratings": [ { "source": { "name": "NVD", "url": "https://www.first.org/cvss/v3-1/" }, "score": 10.0, "severity": "critical", "method": "CVSSv31", "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "source": { "name": "NVD", "url": "https://www.first.org/cvss/v2/" }, "score": 9.3, "severity": "critical", "method": "CVSSv2", "vector": "AC:M/Au:N/C:C/I:C/A:C" }, { "source": { "name": "EPSS", "url": "https://www.first.org/epss/" }, "score": 0.97565, "severity": "none", "method": "other", "vector": "model:v2023.03.01,date:2023-06-27T00:00:00+0000" }, { "source": { "name": "SNYK", "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720" }, "score": 10.0, "severity": "critical", "method": "CVSSv31", "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H" }, { "source": { "name": "GITHUB", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, "score": 10.0, "severity": "critical", "method": "CVSSv31", "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" } ], "cwes": [ 400, 20, 502 ], "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.", "advisories": [ { "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html" }, { "url": "https://support.apple.com/kb/HT213189" }, { "url": "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/" }, { "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "url": "https://www.debian.org/security/2021/dsa-5020" }, { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf" }, { "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html" }, { "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/" }, { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf" }, { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/" }, { "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "url": "https://twitter.com/kurtseifried/status/1469345530182455296" }, { "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd" }, { "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html" }, { "url": "https://www.kb.cert.org/vuls/id/930724" } ], "created": "2021-12-10T10:15:00Z", "updated": "2023-04-03T20:15:00Z", "affects": [ { "ref": "comp-1" } ], "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", "value": "true" }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", "value": "2023-03-06T00:00:00Z" }, { "name": "amazon:inspector:sbom_scanner:cisa_kev_date_added", "value": "2021-12-10T00:00:00Z" }, { "name": "amazon:inspector:sbom_scanner:cisa_kev_date_due", "value": "2021-12-24T00:00:00Z" }, { "name": "amazon:inspector:sbom_scanner:fixed_version:comp-1", "value": "2.15.0" } ] } ] } }
{ "status": "SBOM parsed successfully, 1 vulnerability found", "inspector": { "messages": [ { "name": "foo", "purl": "pkg:maven/foo@1.0.0", // Will not exist in output if missing in sbom "info": "Component skipped: no rules found." } ], "vulnerability_count": { "critical": 1, "high": 0, "medium": 0, "low": 0 }, "vulnerabilities": [ { "id": "CVE-2021-44228", "severity": "critical", "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "related": [ "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720", "GHSA-jfh8-c2jp-5v3q" ], "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.", "references": [ "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html", "https://support.apple.com/kb/HT213189", "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/", "https://logging.apache.org/log4j/2.x/security.html", "https://www.debian.org/security/2021/dsa-5020", "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf", "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html", "https://www.oracle.com/security-alerts/cpujan2022.html", "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/", "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf", "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/", "https://www.oracle.com/security-alerts/cpuapr2022.html", "https://twitter.com/kurtseifried/status/1469345530182455296", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd", "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html", "https://www.kb.cert.org/vuls/id/930724" ], "created": "2021-12-10T10:15:00Z", "updated": "2023-04-03T20:15:00Z", "properties": { "cisa_kev_date_added": "2021-12-10T00:00:00Z", "cisa_kev_date_due": "2021-12-24T00:00:00Z", "cwes": [ 400, 20, 502 ], "cvss": [ { "source": "NVD", "severity": "critical", "cvss3_base_score": 10.0, "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "cvss2_base_score": 9.3, "cvss2_base_vector": "AC:M/Au:N/C:C/I:C/A:C" }, { "source": "SNYK", "severity": "critical", "cvss3_base_score": 10.0, "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H" }, { "source": "GITHUB", "severity": "critical", "cvss3_base_score": 10.0, "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" } ], "epss": 0.97565, "exploit_available": true, "exploit_last_seen_in_public": "2023-03-06T00:00:00Z" }, "affects": [ { "installed_version": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1", "fixed_version": "2.15.0", "path": "/home/dev/foo.jar" } ] } ] } }