This page is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version prevails.
If the Amazon Inspector CI/CD plugin is available for your CI/CD solution, we recommend that you use it. If the Amazon Inspector CI/CD plugin is not available for your CI/CD solution, you can build a custom CI/CD integration by combining Amazon Inspector SBOM Generator with the Amazon Inspector Scan API. The following steps describe how to create a custom CI/CD pipeline integration with Amazon Inspector Scan.
Tip
If you want to generate and scan an SBOM in a single command, you can use Amazon Inspector SBOM Generator (Sbomgen) and skip steps 3 and 4.
Step 1. Configure an AWS account
Configure an AWS account that provides access to the Amazon Inspector Scan API. For more information, see Configuring an AWS account to use Amazon Inspector CI/CD integration.
Step 2. Install the Sbomgen binary
Install and configure the Sbomgen binary. For more information, see Installing Sbomgen.
Step 3. Use Sbomgen
Use Sbomgen to create an SBOM file for the container image you want to scan.
You can use the following example.
Replace image:id with the name of the image you want to scan.
Replace sbom_path.json with the location where you want to save the SBOM output.
Example
./inspector-sbomgen container --image image:id -o sbom_path.json
Step 4. Call the Amazon Inspector Scan API
Call the inspector-scan API to scan the generated SBOM and return a vulnerability report.
You can use the following example. Replace sbom_path.json with the location of a valid CycloneDX-compatible SBOM file. Replace ENDPOINT with the API endpoint for the AWS Region you are currently authenticating to (the AWS CLI option is --endpoint-url). Replace REGION with the corresponding Region.
Example
aws inspector-scan scan-sbom --sbom file://sbom_path.json --endpoint-url ENDPOINT --region REGION
For a complete list of AWS Regions and endpoints, see Regions and endpoints.
(Optional) Step 5. Generate and scan the SBOM in a single command
Note
Complete this step only if you skipped steps 3 and 4.
Use the --scan-sbom flag to generate and scan your SBOM in a single command.
You can use the following example.
Replace image:id with the name of the image you want to scan. Replace profile with the corresponding AWS profile. Replace REGION with the corresponding Region. Replace /tmp/scan.json with the location of the scan.json file in the tmp directory.
Example
./inspector-sbomgen container --image image:id --scan-sbom --aws-profile profile --aws-region REGION -o /tmp/scan.json
For a complete list of AWS Regions and endpoints, see Regions and endpoints.
API output format
The Amazon Inspector Scan API can output the vulnerability report in CycloneDX 1.5 format or as Amazon Inspector findings JSON. The default can be changed with the --output-format flag. The two examples below show the same log4j-core finding in each format.
Example: CycloneDX 1.5 format
{
  "status": "SBOM parsed successfully, 1 vulnerabilities found",
  "sbom": {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:0077b45b-ff1e-4dbb-8950-ded11d8242b1",
    "metadata": {
      "properties": [
        {
          "name": "amazon:inspector:sbom_scanner:critical_vulnerabilities",
          "value": "1"
        },
        {
          "name": "amazon:inspector:sbom_scanner:high_vulnerabilities",
          "value": "0"
        },
        {
          "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities",
          "value": "0"
        },
        {
          "name": "amazon:inspector:sbom_scanner:low_vulnerabilities",
          "value": "0"
        }
      ],
      "tools": [
        {
          "name": "CycloneDX SBOM API",
          "vendor": "Amazon Inspector",
          "version": "empty:083c9b00:083c9b00:083c9b00"
        }
      ],
      "timestamp": "2023-06-28T14:15:53.760Z"
    },
    "components": [
      {
        "bom-ref": "comp-1",
        "type": "library",
        "name": "log4j-core",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1",
        "properties": [
          {
            "name": "amazon:inspector:sbom_scanner:path",
            "value": "/home/dev/foo.jar"
          }
        ]
      }
    ],
    "vulnerabilities": [
      {
        "bom-ref": "vuln-1",
        "id": "CVE-2021-44228",
        "source": {
          "name": "NVD",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
        },
        "references": [
          {
            "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720",
            "source": {
              "name": "SNYK",
              "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720"
            }
          },
          {
            "id": "GHSA-jfh8-c2jp-5v3q",
            "source": {
              "name": "GITHUB",
              "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"
            }
          }
        ],
        "ratings": [
          {
            "source": {
              "name": "NVD",
              "url": "https://www.first.org/cvss/v3-1/"
            },
            "score": 10.0,
            "severity": "critical",
            "method": "CVSSv31",
            "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
          },
          {
            "source": {
              "name": "NVD",
              "url": "https://www.first.org/cvss/v2/"
            },
            "score": 9.3,
            "severity": "critical",
            "method": "CVSSv2",
            "vector": "AC:M/Au:N/C:C/I:C/A:C"
          },
          {
            "source": {
              "name": "EPSS",
              "url": "https://www.first.org/epss/"
            },
            "score": 0.97565,
            "severity": "none",
            "method": "other",
            "vector": "model:v2023.03.01,date:2023-06-27T00:00:00+0000"
          },
          {
            "source": {
              "name": "SNYK",
              "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720"
            },
            "score": 10.0,
            "severity": "critical",
            "method": "CVSSv31",
            "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H"
          },
          {
            "source": {
              "name": "GITHUB",
              "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"
            },
            "score": 10.0,
            "severity": "critical",
            "method": "CVSSv31",
            "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
          }
        ],
        "cwes": [
          400,
          20,
          502
        ],
        "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.",
        "advisories": [
          {
            "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"
          },
          {
            "url": "https://support.apple.com/kb/HT213189"
          },
          {
            "url": "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/"
          },
          {
            "url": "https://logging.apache.org/log4j/2.x/security.html"
          },
          {
            "url": "https://www.debian.org/security/2021/dsa-5020"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
          },
          {
            "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"
          },
          {
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"
          },
          {
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"
          },
          {
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/"
          },
          {
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "url": "https://twitter.com/kurtseifried/status/1469345530182455296"
          },
          {
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html"
          },
          {
            "url": "https://www.kb.cert.org/vuls/id/930724"
          }
        ],
        "created": "2021-12-10T10:15:00Z",
        "updated": "2023-04-03T20:15:00Z",
        "affects": [
          {
            "ref": "comp-1"
          }
        ],
        "properties": [
          {
            "name": "amazon:inspector:sbom_scanner:exploit_available",
            "value": "true"
          },
          {
            "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public",
            "value": "2023-03-06T00:00:00Z"
          },
          {
            "name": "amazon:inspector:sbom_scanner:cisa_kev_date_added",
            "value": "2021-12-10T00:00:00Z"
          },
          {
            "name": "amazon:inspector:sbom_scanner:cisa_kev_date_due",
            "value": "2021-12-24T00:00:00Z"
          },
          {
            "name": "amazon:inspector:sbom_scanner:fixed_version:comp-1",
            "value": "2.15.0"
          }
        ]
      }
    ]
  }
}
Example: Amazon Inspector findings JSON
{
  "status": "SBOM parsed successfully, 1 vulnerability found",
  "inspector": {
    "messages": [
      {
        "name": "foo",
        "purl": "pkg:maven/foo@1.0.0", // Will not exist in output if missing in sbom
        "info": "Component skipped: no rules found."
      }
    ],
    "vulnerability_count": {
      "critical": 1,
      "high": 0,
      "medium": 0,
      "low": 0
    },
    "vulnerabilities": [
      {
        "id": "CVE-2021-44228",
        "severity": "critical",
        "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
        "related": [
          "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720",
          "GHSA-jfh8-c2jp-5v3q"
        ],
        "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.",
        "references": [
          "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html",
          "https://support.apple.com/kb/HT213189",
          "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/",
          "https://logging.apache.org/log4j/2.x/security.html",
          "https://www.debian.org/security/2021/dsa-5020",
          "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf",
          "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html",
          "https://www.oracle.com/security-alerts/cpujan2022.html",
          "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf",
          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/",
          "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf",
          "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf",
          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/",
          "https://www.oracle.com/security-alerts/cpuapr2022.html",
          "https://twitter.com/kurtseifried/status/1469345530182455296",
          "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd",
          "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html",
          "https://www.kb.cert.org/vuls/id/930724"
        ],
        "created": "2021-12-10T10:15:00Z",
        "updated": "2023-04-03T20:15:00Z",
        "properties": {
          "cisa_kev_date_added": "2021-12-10T00:00:00Z",
          "cisa_kev_date_due": "2021-12-24T00:00:00Z",
          "cwes": [
            400,
            20,
            502
          ],
          "cvss": [
            {
              "source": "NVD",
              "severity": "critical",
              "cvss3_base_score": 10.0,
              "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
              "cvss2_base_score": 9.3,
              "cvss2_base_vector": "AC:M/Au:N/C:C/I:C/A:C"
            },
            {
              "source": "SNYK",
              "severity": "critical",
              "cvss3_base_score": 10.0,
              "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H"
            },
            {
              "source": "GITHUB",
              "severity": "critical",
              "cvss3_base_score": 10.0,
              "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
            }
          ],
          "epss": 0.97565,
          "exploit_available": true,
          "exploit_last_seen_in_public": "2023-03-06T00:00:00Z"
        },
        "affects": [
          {
            "installed_version": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1",
            "fixed_version": "2.15.0",
            "path": "/home/dev/foo.jar"
          }
        ]
      }
    ]
  }
}
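The script below is an added example, not AWS documentation code and not part of Sbomgen. It ties the procedure together for a CI job: it wraps the Sbomgen and aws inspector-scan commands from steps 3 to 5, reads the report in either of the two output formats shown above, and turns the per-severity counts plus the CISA KEV and exploit-availability properties into a pass/fail decision. The image name, profile, Region, endpoint URL and file paths are placeholders; the embedded sample reports are constructed from the log4j-core example and trimmed to the fields the gate reads; the severity threshold and the KEV rule are this example's own policy, not something Amazon Inspector prescribes.

```python
"""CI gate on Amazon Inspector SBOM scan output (added example, not AWS code).

Wraps the commands from steps 3 to 5 and parses the report in either output
format documented above. Image, profile, Region, endpoint and paths are placeholders.
"""
import json
import subprocess
import sys

SEVERITIES = ("critical", "high", "medium", "low")
PREFIX = "amazon:inspector:sbom_scanner:"  # property namespace the scanner emits


def generate_and_scan(image, out_path, profile, region):
    """Step 5: one Sbomgen run that both generates and scans the SBOM."""
    subprocess.run(["./inspector-sbomgen", "container", "--image", image,
                    "--scan-sbom", "--aws-profile", profile,
                    "--aws-region", region, "-o", out_path], check=True)
    with open(out_path, encoding="utf-8") as fh:
        return json.load(fh)


def scan_existing_sbom(sbom_path, region, endpoint_url=None, fmt="INSPECTOR"):
    """Step 4: scan a CycloneDX SBOM already produced by step 3 via the CLI.
    fmt is the --output-format value (INSPECTOR or CYCLONE_DX_1_5)."""
    cmd = ["aws", "inspector-scan", "scan-sbom", "--sbom", f"file://{sbom_path}",
           "--region", region, "--output-format", fmt, "--output", "json"]
    if endpoint_url:
        cmd += ["--endpoint-url", endpoint_url]
    done = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(done.stdout)


def summarize(report):
    """Return (severity counts, ids with a public exploit, ids in CISA KEV),
    reading either the CycloneDX 1.5 or the Inspector findings JSON layout."""
    counts = {s: 0 for s in SEVERITIES}
    exploitable, kev = set(), set()
    if "inspector" in report:  # Inspector findings JSON: plain keys
        body = report["inspector"]
        for sev, n in body.get("vulnerability_count", {}).items():
            counts[sev] = counts.get(sev, 0) + int(n)
        for v in body.get("vulnerabilities", []):
            props = v.get("properties", {})
            if props.get("exploit_available") is True:
                exploitable.add(v["id"])
            if props.get("cisa_kev_date_added"):
                kev.add(v["id"])
    elif "sbom" in report:  # CycloneDX 1.5: everything is a name/value property
        body = report["sbom"]
        for p in body.get("metadata", {}).get("properties", []):
            name = p["name"]
            if name.startswith(PREFIX) and name.endswith("_vulnerabilities"):
                sev = name[len(PREFIX):-len("_vulnerabilities")]
                counts[sev] = counts.get(sev, 0) + int(p["value"])
        for v in body.get("vulnerabilities", []):
            props = {p["name"]: p["value"] for p in v.get("properties", [])}
            if props.get(PREFIX + "exploit_available") == "true":
                exploitable.add(v["id"])
            if PREFIX + "cisa_kev_date_added" in props:
                kev.add(v["id"])
    else:
        raise ValueError("unrecognised report: no top-level 'inspector' or 'sbom' key")
    return counts, exploitable, kev


def gate(report, threshold="high", block_kev=True):
    """Return (passed, reasons). Fails on any finding at or above `threshold`
    and, by default, on any finding that CISA lists as known exploited."""
    counts, _exploitable, kev = summarize(report)
    blocking = SEVERITIES[: SEVERITIES.index(threshold) + 1]
    reasons = [f"{counts[s]} {s} finding(s)" for s in blocking if counts[s]]
    if block_kev and kev:
        reasons.append("in CISA KEV: " + ", ".join(sorted(kev)))
    return not reasons, reasons


# Constructed samples (not real scanner output), trimmed to the fields the gate
# reads and modelled on the log4j-core report in the documentation above.
SAMPLE_CYCLONEDX = {"status": "SBOM parsed successfully, 1 vulnerabilities found", "sbom": {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"properties": [
        {"name": PREFIX + "critical_vulnerabilities", "value": "1"},
        {"name": PREFIX + "high_vulnerabilities", "value": "0"},
        {"name": PREFIX + "medium_vulnerabilities", "value": "0"},
        {"name": PREFIX + "low_vulnerabilities", "value": "0"}]},
    "vulnerabilities": [{"id": "CVE-2021-44228", "properties": [
        {"name": PREFIX + "exploit_available", "value": "true"},
        {"name": PREFIX + "cisa_kev_date_added", "value": "2021-12-10T00:00:00Z"}]}]}}
SAMPLE_INSPECTOR = {"status": "SBOM parsed successfully, 1 vulnerability found", "inspector": {
    "vulnerability_count": {"critical": 1, "high": 0, "medium": 0, "low": 0},
    "vulnerabilities": [{"id": "CVE-2021-44228", "properties": {
        "exploit_available": True, "cisa_kev_date_added": "2021-12-10T00:00:00Z"}}]}}


if __name__ == "__main__":  # usage: python gate.py scan.json [threshold]
    with open(sys.argv[1], encoding="utf-8") as fh:
        ok, why = gate(json.load(fh), threshold=sys.argv[2] if len(sys.argv) > 2 else "high")
    for line in why:
        print("BLOCK:", line)
    sys.exit(0 if ok else 1)
```

In a pipeline, run the script on the file written by step 5 (or on the captured output of step 4) and let its exit status decide whether the image is pushed. The gate reads only the scanner-emitted summary counts and the KEV/exploit properties rather than recomputing severity from the CVSS ratings, so it behaves identically whichever --output-format the job chose.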