

Translations are provided by machine translation tools. If there is a conflict between the content of a translation and the original English version, the English version prevails.

# Creating a custom CI/CD pipeline integration with Amazon Inspector Scan
<a name="cicd-custom"></a>

We recommend using the [Amazon Inspector CI/CD plug-ins](https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html) if they are available for your CI/CD solution. If the Amazon Inspector CI/CD plug-ins are not available for your CI/CD solution, you can combine the Amazon Inspector SBOM generator with the Amazon Inspector Scan API to build a custom CI/CD integration. The following steps describe how to create a custom CI/CD pipeline integration with Amazon Inspector Scan.

**Tip**  
You can use the [Amazon Inspector SBOM generator (Sbomgen)](https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html#install-sbomgen) to skip steps 3 and 4 if you want to [generate and scan your SBOM](https://docs.aws.amazon.com/inspector/latest/user/cicd-custom.html#generate-scan-sbom.html) in a single command.

## Step 1. Configure an AWS account
<a name="configure-account"></a>

Configure an AWS account that grants access to the Amazon Inspector Scan API. For more information, see [Configuring an AWS account to use the Amazon Inspector CI/CD integration](configure-cicd-account.md).

## Step 2. Install the Sbomgen binary
<a name="install-sbom-binary"></a>

Install and configure the Sbomgen binary. For more information, see [Installing Sbomgen](https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html#install-sbomgen).

## Step 3. Use Sbomgen
<a name="use-sbom-generator"></a>

Use Sbomgen to create an SBOM file for the container image that you want to scan.

You can use the following example. Replace {{image:id}} with the name of the image you want to scan. Replace {{sbom_path.json}} with the location where you want to save the SBOM output.

**Example**  
`./inspector-sbomgen container --image {{image:id}} -o sbom_path.json`

## Step 4. Call the Amazon Inspector Scan API
<a name="call-api"></a>

Call the `inspector-scan` API to scan the generated SBOM and produce a vulnerability report.

You can use the following example. Replace {{sbom_path.json}} with the location of a valid CycloneDX-compatible SBOM file. Replace {{ENDPOINT-URL}} with the API endpoint for the AWS Region in which you are currently authenticated. Replace {{REGION}} with the corresponding Region.

**Example**  
`aws inspector-scan scan-sbom --sbom file://{{sbom_path.json}} --endpoint {{ENDPOINT-URL}} --region {{REGION}}`

For a complete list of AWS Region endpoints, see [Regions and endpoints](https://docs.aws.amazon.com/inspector/latest/user/inspector_regions.html#inspector-scan-endpoints).

## (Optional) Step 5. Generate and scan an SBOM in a single command
<a name="generate-scan-sbom"></a>

**Note**  
Perform this step only if you skipped steps 3 and 4.

Generate and scan your SBOM in a single command by using the `--scan-sbom` flag.

You can use the following example. Replace {{image:id}} with the name of the image you want to scan. Replace {{profile}} with the corresponding AWS profile. Replace {{REGION}} with the corresponding Region. Replace {{/tmp/scan.json}} with the location of the scan.json file in the tmp directory.

**Example**  
`./inspector-sbomgen container --image {{image:id}} --scan-sbom --aws-profile {{profile}} --aws-region {{REGION}} -o {{/tmp/scan.json}}`

For a complete list of AWS Region endpoints, see [Regions and endpoints](https://docs.aws.amazon.com/inspector/latest/user/inspector_regions.html#inspector-scan-endpoints).

## API output formats
<a name="API-output-samples"></a>

The Amazon Inspector Scan API can produce a vulnerability report in either CycloneDX 1.5 format or Amazon Inspector findings JSON format. The default can be changed with the `--output-format` flag.

### Sample output in CycloneDX 1.5 format - Linux
<a name="cyclone-format"></a>

```
{
  "status": "SBOM parsed successfully, 1 vulnerabilities found",
  "sbom": {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:0077b45b-ff1e-4dbb-8950-ded11d8242b1",
    "metadata": {
      "properties": [
        {
          "name": "amazon:inspector:sbom_scanner:critical_vulnerabilities",
          "value": "1"
        },
        {
          "name": "amazon:inspector:sbom_scanner:high_vulnerabilities",
          "value": "0"
        },
        {
          "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities",
          "value": "0"
        },
        {
          "name": "amazon:inspector:sbom_scanner:low_vulnerabilities",
          "value": "0"
        }
      ],
      "tools": [
        {
          "name": "CycloneDX SBOM API",
          "vendor": "Amazon Inspector",
          "version": "empty:083c9b00:083c9b00:083c9b00"
        }
      ],
      "timestamp": "2023-06-28T14:15:53.760Z"
    },
    "components": [
      {
        "bom-ref": "comp-1",
        "type": "library",
        "name": "log4j-core",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1",
        "properties": [
          {
            "name": "amazon:inspector:sbom_scanner:path",
            "value": "/home/dev/foo.jar"
          }
        ]
      }
    ],
    "vulnerabilities": [
      {
        "bom-ref": "vuln-1",
        "id": "CVE-2021-44228",
        "source": {
          "name": "NVD",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
        },
        "references": [
          {
            "id": "GHSA-jfh8-c2jp-5v3q",
            "source": {
              "name": "GITHUB",
              "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"
            }
          }
        ],
        "ratings": [
          {
            "source": {
              "name": "NVD",
              "url": "https://www.first.org/cvss/v3-1/"
            },
            "score": 10.0,
            "severity": "critical",
            "method": "CVSSv31",
            "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
          },
          {
            "source": {
              "name": "NVD",
              "url": "https://www.first.org/cvss/v2/"
            },
            "score": 9.3,
            "severity": "critical",
            "method": "CVSSv2",
            "vector": "AC:M/Au:N/C:C/I:C/A:C"
          },
          {
            "source": {
              "name": "EPSS",
              "url": "https://www.first.org/epss/"
            },
            "score": 0.97565,
            "severity": "none",
            "method": "other",
            "vector": "model:v2023.03.01,date:2023-06-27T00:00:00+0000"
          },
          {
            "source": {
              "name": "GITHUB",
              "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"
            },
            "score": 10.0,
            "severity": "critical",
            "method": "CVSSv31",
            "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
          }
        ],
        "cwes": [
          400,
          20,
          502
        ],
        "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.",
        "advisories": [
          {
            "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"
          },
          {
            "url": "https://support.apple.com/kb/HT213189"
          },
          {
            "url": "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/"
          },
          {
            "url": "https://logging.apache.org/log4j/2.x/security.html"
          },
          {
            "url": "https://www.debian.org/security/2021/dsa-5020"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
          },
          {
            "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"
          },
          {
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"
          },
          {
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"
          },
          {
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/"
          },
          {
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "url": "https://twitter.com/kurtseifried/status/1469345530182455296"
          },
          {
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html"
          },
          {
            "url": "https://www.kb.cert.org/vuls/id/930724"
          }
        ],
        "created": "2021-12-10T10:15:00Z",
        "updated": "2023-04-03T20:15:00Z",
        "affects": [
          {
            "ref": "comp-1"
          }
        ],
        "properties": [
          {
            "name": "amazon:inspector:sbom_scanner:exploit_available",
            "value": "true"
          },
          {
            "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public",
            "value": "2023-03-06T00:00:00Z"
          },
          {
            "name": "amazon:inspector:sbom_scanner:cisa_kev_date_added",
            "value": "2021-12-10T00:00:00Z"
          },
          {
            "name": "amazon:inspector:sbom_scanner:cisa_kev_date_due",
            "value": "2021-12-24T00:00:00Z"
          },
          {
            "name": "amazon:inspector:sbom_scanner:fixed_version:comp-1",
            "value": "2.15.0"
          }
        ]
      }
    ]
  }
}
```

### Sample output in CycloneDX 1.5 format - Windows
<a name="cyclone-format-windows"></a>

```
{
  "sbom": {
    "specVersion": "1.5",
    "metadata": {
      "tools": {
        "services": [
          {
            "name": "Amazon Inspector Scan SBOM API",
            "version": "d79c681c+d73b8663+5e50a5ab"
          }
        ]
      },
      "properties": [
        {
          "name": "amazon:inspector:sbom_scanner:critical_vulnerabilities",
          "value": "0"
        },
        {
          "name": "amazon:inspector:sbom_scanner:high_vulnerabilities",
          "value": "0"
        },
        {
          "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities",
          "value": "1"
        },
        {
          "name": "amazon:inspector:sbom_scanner:low_vulnerabilities",
          "value": "0"
        },
        {
          "name": "amazon:inspector:sbom_scanner:other_vulnerabilities",
          "value": "0"
        }
      ],
      "timestamp": "2026-03-17T00:00:52.344Z"
    },
    "components": [
      {
        "bom-ref": "comp-1",
        "name": "defender",
        "purl": "pkg:generic/microsoft/defender@4.18.25110.5",
        "type": "application",
        "version": "4.18.25110.5",
        "properties": [
          {
            "name": "amazon:inspector:sbom_scanner:source_file_scanner",
            "value": "windows-apps"
          },
          {
            "name": "amazon:inspector:sbom_scanner:source_package_collector",
            "value": "windows-app-defender"
          },
          {
            "name": "amazon:inspector:sbom_scanner:path",
            "value": "vol-0d994b0984fdaa2af:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.18.25110.5-0"
          }
        ]
      }
    ],
    "serialNumber": "urn:uuid:6bed582d-191e-4cb7-9875-950dd0b99700",
    "bomFormat": "CycloneDX",
    "vulnerabilities": [
      {
        "advisories": [
          {
            "url": "https://support.microsoft.com/help/5011487"
          },
          {
            "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487"
          }
        ],
        "bom-ref": "vuln-1",
        "references": [
          {
            "id": "CVE-2022-23278",
            "source": {
              "name": "MICROSOFT",
              "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23278"
            }
          }
        ],
        "ratings": [
          {
            "severity": "none",
            "score": 0.02691,
            "method": "other",
            "vector": "model:v2025.03.14,date:2026-03-15T12:55:00Z",
            "source": {
              "name": "EPSS",
              "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23278"
            }
          },
          {
            "severity": "medium",
            "score": 5.9,
            "method": "CVSSv31",
            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "source": {
              "name": "MICROSOFT",
              "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487"
            }
          }
        ],
        "created": "2022-03-08T08:00:00Z",
        "description": "Security Update for Defender (2022-03). Install KB5011487 to remediate. A reboot is required for this update to take effect.",
        "affects": [
          {
            "ref": "comp-1"
          }
        ],
        "id": "KB5011487",
        "source": {
          "name": "MICROSOFT",
          "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487"
        },
        "published": "2022-03-08T08:00:00Z",
        "analysis": {
          "state": "in_triage"
        },
        "properties": [
          {
            "name": "amazon:inspector:sbom_scanner:priority",
            "value": "standard"
          },
          {
            "name": "amazon:inspector:sbom_scanner:priority_intelligence",
            "value": "unverified"
          },
          {
            "name": "amazon:inspector:sbom_scanner:fixed_version:comp-1",
            "value": "10.0.19042.1586"
          }
        ]
      }
    ]
  }
}
```

### Sample output in Inspector format - Linux
<a name="inspector-format"></a>

```
{
  "status": "SBOM parsed successfully, 1 vulnerability found",
  "inspector": {
    "messages": [
      {
        "name": "foo",
        "purl": "pkg:maven/foo@1.0.0", // Will not exist in output if missing in sbom
        "info": "Component skipped: no rules found."
      }
    ],
    "vulnerability_count": {
      "critical": 1,
      "high": 0,
      "medium": 0,
      "low": 0
    },
    "vulnerabilities": [
      {
        "id": "CVE-2021-44228",
        "severity": "critical",
        "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
        "related": [
          "GHSA-jfh8-c2jp-5v3q"
        ],
        "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.",
        "references": [
          "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html",
          "https://support.apple.com/kb/HT213189",
          "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/",
          "https://logging.apache.org/log4j/2.x/security.html",
          "https://www.debian.org/security/2021/dsa-5020",
          "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf",
          "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html",
          "https://www.oracle.com/security-alerts/cpujan2022.html",
          "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf",
          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/",
          "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf",
          "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf",
          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/",
          "https://www.oracle.com/security-alerts/cpuapr2022.html",
          "https://twitter.com/kurtseifried/status/1469345530182455296",
          "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd",
          "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html",
          "https://www.kb.cert.org/vuls/id/930724"
        ],
        "created": "2021-12-10T10:15:00Z",
        "updated": "2023-04-03T20:15:00Z",
        "properties": {
          "cisa_kev_date_added": "2021-12-10T00:00:00Z",
          "cisa_kev_date_due": "2021-12-24T00:00:00Z",
          "cwes": [
            400,
            20,
            502
          ],
          "cvss": [
            {
              "source": "NVD",
              "severity": "critical",
              "cvss3_base_score": 10.0,
              "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
              "cvss2_base_score": 9.3,
              "cvss2_base_vector": "AC:M/Au:N/C:C/I:C/A:C"
            },
            {
              "source": "GITHUB",
              "severity": "critical",
              "cvss3_base_score": 10.0,
              "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
            }
          ],
          "epss": 0.97565,
          "exploit_available": true,
          "exploit_last_seen_in_public": "2023-03-06T00:00:00Z"
        },
        "affects": [
          {
            "installed_version": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1",
            "fixed_version": "2.15.0",
            "path": "/home/dev/foo.jar"
          }
        ]
      }
    ]
  }
}
```

### Sample output in Inspector format - Windows
<a name="inspector-format-windows"></a>

```
{
  "sbom": {
    "vulnerabilities": [
      {
        "severity": "medium",
        "priority_intelligence": "unverified",
        "related": [
          "CVE-2022-23278"
        ],
        "references": [
          "https://support.microsoft.com/help/5011487",
          "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487"
        ],
        "created": "2022-03-08T08:00:00Z",
        "description": "Security Update for Defender (2022-03). Install KB5011487 to remediate. A reboot is required for this update to take effect.",
        "affects": [
          {
            "path": "vol-0d994b0984fdaa2af:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.18.25110.5-0",
            "fixed_version": "10.0.19042.1586",
            "installed_version": "pkg:generic/microsoft/defender@4.18.25110.5"
          }
        ],
        "id": "KB5011487",
        "source": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487",
        "published": "2022-03-08T08:00:00Z",
        "priority": "standard",
        "properties": {
          "epss": 0.0269099995,
          "cvss": [
            {
              "severity": "medium",
              "cvss_3_base_score": 5.9000000954,
              "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "source": "MICROSOFT",
              "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487"
            }
          ]
        }
      }
    ],
    "vulnerability_count": {
      "high": 0,
      "other": 0,
      "critical": 0,
      "low": 0,
      "medium": 1
    }
  }
}
```
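The pipeline step that consumes these reports is left to the reader by the steps above; the following Python gate is an added example (not AWS documentation code and not part of Sbomgen) that reads either the CycloneDX 1.5 shape or the Inspector findings shape, resolves each vulnerability to the affected component and its `fixed_version`, and fails the build on critical/high severity, CISA KEV membership, or a known public exploit. The embedded samples are constructed, trimmed from the outputs above, and the blocking thresholds are this example's own assumptions.

```python
from typing import Iterator, List, NamedTuple

PREFIX = "amazon:inspector:sbom_scanner:"
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed samples, trimmed from the two output shapes shown on this page.
CYCLONEDX_SAMPLE = {"sbom": {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{"bom-ref": "comp-1", "type": "library", "name": "log4j-core",
                    "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1"}],
    "vulnerabilities": [{
        "bom-ref": "vuln-1", "id": "CVE-2021-44228", "affects": [{"ref": "comp-1"}],
        "ratings": [{"source": {"name": "NVD"}, "score": 10.0, "severity": "critical", "method": "CVSSv31"},
                    {"source": {"name": "EPSS"}, "score": 0.97565, "severity": "none", "method": "other"}],
        "properties": [{"name": PREFIX + "exploit_available", "value": "true"},
                       {"name": PREFIX + "cisa_kev_date_added", "value": "2021-12-10T00:00:00Z"},
                       {"name": PREFIX + "fixed_version:comp-1", "value": "2.15.0"}]}]}}
INSPECTOR_SAMPLE = {"inspector": {
    "vulnerabilities": [{
        "id": "KB5011487", "severity": "medium", "related": ["CVE-2022-23278"], "properties": {"epss": 0.0269},
        "affects": [{"installed_version": "pkg:generic/microsoft/defender@4.18.25110.5",
                     "fixed_version": "10.0.19042.1586"}]}]}}
# One row per (vulnerability, affected component), normalised across both formats.
Finding = NamedTuple("Finding", [("vuln_id", str), ("severity", str), ("component", str),
                                 ("fixed_version", str), ("exploit_available", bool), ("in_cisa_kev", bool)])

def _cyclonedx_findings(sbom: dict) -> Iterator[Finding]:
    # "affects" points at components by bom-ref; resolve each ref to its purl for the report.
    refs = {c["bom-ref"]: c.get("purl", c.get("name", "?")) for c in sbom.get("components", [])}
    for vuln in sbom.get("vulnerabilities", []):
        props = {p["name"]: p["value"] for p in vuln.get("properties", [])}
        # Highest CVSS severity wins; EPSS entries use method "other" and severity "none", so skip them.
        severity = max((r.get("severity", "none") for r in vuln.get("ratings", []) if r.get("method") != "other"),
                       key=lambda s: SEVERITY_RANK.get(s, 0), default="none")
        for affected in vuln.get("affects", []):
            ref = affected["ref"]
            yield Finding(vuln["id"], severity, refs.get(ref, ref), props.get(f"{PREFIX}fixed_version:{ref}", ""),
                          props.get(f"{PREFIX}exploit_available") == "true", f"{PREFIX}cisa_kev_date_added" in props)

def _inspector_findings(body: dict) -> Iterator[Finding]:
    for vuln in body.get("vulnerabilities", []):
        props = vuln.get("properties", {})
        for affected in vuln.get("affects", []):
            yield Finding(vuln["id"], vuln.get("severity", "none"), affected.get("installed_version", "?"),
                          affected.get("fixed_version", ""), bool(props.get("exploit_available")), "cisa_kev_date_added" in props)

def findings(report: dict) -> List[Finding]:
    """Accept either format: only the CycloneDX shape carries bomFormat under "sbom"."""
    sbom = report.get("sbom", {})
    if sbom.get("bomFormat") == "CycloneDX":
        return list(_cyclonedx_findings(sbom))
    return list(_inspector_findings(report.get("inspector") or sbom))

def blocking_findings(report, fail_on=("critical", "high"), block_kev=True, block_exploited=True) -> List[Finding]:
    """Findings that fail the pipeline; the default thresholds are this example's assumptions."""
    return [f for f in findings(report)
            if f.severity in fail_on or (block_kev and f.in_cisa_kev) or (block_exploited and f.exploit_available)]

if __name__ == "__main__":  # usage: python gate.py scan.json (falls back to the constructed sample)
    import json, sys
    blocked = blocking_findings(json.load(open(sys.argv[1])) if len(sys.argv) > 1 else CYCLONEDX_SAMPLE)
    for f in blocked:
        print(f"BLOCK {f.vuln_id} {f.severity} {f.component} fixed_in={f.fixed_version or 'n/a'}")
    sys.exit(1 if blocked else 0)
```

Pass the file written by `-o` in step 4 or 5 as the argument; a non-zero exit code is what a CI stage keys on, and the printed lines give the reviewer the component and the version to upgrade to.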