051.md 24.2 KB
Newer Older
Lab机器人's avatar
readme  
Lab机器人 已提交
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321
# Container Scanning

> 原文:[https://docs.gitlab.com/ee/user/application_security/container_scanning/](https://docs.gitlab.com/ee/user/application_security/container_scanning/)

*   [Overview](#overview)
*   [Requirements](#requirements)
*   [Configuration](#configuration)
    *   [Customizing the Container Scanning settings](#customizing-the-container-scanning-settings)
        *   [Available variables](#available-variables)
    *   [Overriding the Container Scanning template](#overriding-the-container-scanning-template)
    *   [Vulnerability allowlisting](#vulnerability-allowlisting)
    *   [Running Container Scanning in an offline environment](#running-container-scanning-in-an-offline-environment)
        *   [Requirements for offline Container Scanning](#requirements-for-offline-container-scanning)
        *   [Make GitLab Container Scanning analyzer images available inside your Docker registry](#make-gitlab-container-scanning-analyzer-images-available-inside-your-docker-registry)
        *   [Set Container Scanning CI job variables to use local Container Scanner analyzers](#set-container-scanning-ci-job-variables-to-use-local-container-scanner-analyzers)
        *   [Automating Container Scanning vulnerability database updates with a pipeline](#automating-container-scanning-vulnerability-database-updates-with-a-pipeline)
*   [Running the standalone Container Scanning Tool](#running-the-standalone-container-scanning-tool)
*   [Reports JSON format](#reports-json-format)
*   [Security Dashboard](#security-dashboard)
*   [Vulnerabilities database update](#vulnerabilities-database-update)
*   [Interacting with the vulnerabilities](#interacting-with-the-vulnerabilities)
*   [Solutions for vulnerabilities (auto-remediation)](#solutions-for-vulnerabilities-auto-remediation)
*   [Troubleshooting](#troubleshooting)
    *   [`docker: Error response from daemon: failed to copy xattrs`](#docker-error-response-from-daemon-failed-to-copy-xattrs)

# Container Scanning[](#container-scanning-ultimate "Permalink")

[Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/3672) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.4.

## Overview[](#overview "Permalink")

应用程序的 Docker 映像本身可能基于包含已知漏洞的 Docker 映像. 通过在管道中包含一个额外的作业来扫描这些漏洞并将其显示在合并请求中,您可以使用 GitLab 来审核基于 Docker 的应用程序. 默认情况下,GitLab 中的容器扫描基于[Clair](https://github.com/quay/clair)[Klar](https://github.com/optiopay/klar) ,这是用于对容器中的漏洞进行静态分析的开源工具. [GitLab 的 Klar 分析仪](https://gitlab.com/gitlab-org/security-products/analyzers/klar/)扫描容器并用作 Clair 的包装纸.

**注意:**要将除 Clair 和 Klar 以外的其他[安全扫描器集成](../../../development/integrations/secure.html)到 GitLab 中,请参阅" [安全扫描器集成"](../../../development/integrations/secure.html) .

您可以通过执行以下任一操作来启用容器扫描:

*   在现有的`.gitlab-ci.yml`文件中[包括 CI 作业](#configuration) .
*   隐式使用[Auto DevOps](../../../topics/autodevops/index.html)提供的[自动](../../../topics/autodevops/index.html) [容器扫描](../../../topics/autodevops/stages.html#auto-container-scanning-ultimate) .

GitLab 比较发现的源分支与目标分支之间的漏洞,并在合并请求中直接显示信息.

[![Container Scanning Widget](img/81b83780f68abcbb32edb1eb48002a4d.png)](img/container_scanning_v13_2.png)

## Requirements[](#requirements "Permalink")

要在管道中启用容器扫描,您需要以下内容:

*   带有[Docker](https://docs.gitlab.com/runner/executors/docker.html)[Kubernetes](https://docs.gitlab.com/runner/install/kubernetes.html)执行器的[GitLab Runner](https://docs.gitlab.com/runner/) .
*   Docker `18.09.03`或更高版本与 Runner 安装在同一台计算机上. 如果您在 GitLab.com 上使用共享的 Runners,那么情况已经如此.
*   [构建](../../packages/container_registry/index.html#container-registry-examples-with-gitlab-cicd) Docker 镜像[并将其推](../../packages/container_registry/index.html#container-registry-examples-with-gitlab-cicd)送到项目的容器注册表中. Docker 映像的名称应使用以下[预定义的环境变量](../../../ci/variables/predefined_variables.html)

    ```
    $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA 
    ```

    您可以在`.gitlab-ci.yml`文件中直接使用它们:

    ```
    build:
      image: docker:19.03.12
      stage: build
      services:
        - docker:19.03.12-dind
      variables:
        IMAGE_TAG: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
      script:
        - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
        - docker build -t $IMAGE_TAG .
        - docker push $IMAGE_TAG 
    ```

## Configuration[](#configuration "Permalink")

启用容器扫描的方式取决于您的 GitLab 版本:

*   GitLab 11.9 及更高版本: [包括](../../../ci/yaml/README.html#includetemplate) GitLab 安装随附的[`Container-Scanning.gitlab-ci.yml`模板](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml) .
*   11.9 之前的 GitLab 版本:从[`Container-Scanning.gitlab-ci.yml`模板](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml)复制并使用作业.

要包括`Container-Scanning.gitlab-ci.yml`模板(GitLab 11.9 及更高版本),请将以下内容添加到您的`.gitlab-ci.yml`文件中:

```
include:
  - template: Container-Scanning.gitlab-ci.yml 
```

包含的模板:

*   在 CI / CD 管道中创建`container_scanning`作业.
*   从项目的[Container Registry 中](../../packages/container_registry/index.html)拉出已构建的 Docker 映像(请参阅[要求](#requirements) ),并扫描其可能的漏洞.

GitLab 将结果保存为" [容器扫描"报告工件](../../../ci/pipelines/job_artifacts.html#artifactsreportscontainer_scanning-ultimate) ,您可以稍后下载和分析. 下载时,您始终会收到最新的工件.

以下是一个示例`.gitlab-ci.yml` ,用于构建您的 Docker 映像,将其推送到 Container Registry 并扫描容器:

```
variables:
  DOCKER_DRIVER: overlay2

stages:
  - build
  - test

build:
  image: docker:stable
  stage: build
  services:
    - docker:19.03.12-dind
  variables:
    IMAGE: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
  script:
    - docker info
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
    - docker build -t $IMAGE .
    - docker push $IMAGE

include:
  - template: Container-Scanning.gitlab-ci.yml 
```

### Customizing the Container Scanning settings[](#customizing-the-container-scanning-settings "Permalink")

There may be cases where you want to customize how GitLab scans your containers. For example, you may want to enable more verbose output from Clair or Klar, access a Docker registry that requires authentication, and more. To change such settings, use the [`variables`](../../../ci/yaml/README.html#variables) parameter in your `.gitlab-ci.yml` to set [environment variables](#available-variables). The environment variables you set in your `.gitlab-ci.yml` overwrite those in `Container-Scanning.gitlab-ci.yml`.

此示例[包括](../../../ci/yaml/README.html#include)容器扫描模板,并通过将`CLAIR_OUTPUT`环境变量设置为`High`来启用 Clair 的详细输出:

```
include:
  - template: Container-Scanning.gitlab-ci.yml

variables:
  CLAIR_OUTPUT: High 
```

#### Available variables[](#available-variables "Permalink")

可以使用环境变量[配置](#customizing-the-container-scanning-settings)容器扫描.

| 环境变量 | Description | Default |
| --- | --- | --- |
| `SECURE_ANALYZERS_PREFIX` | 设置用于下载分析器的 Docker 注册表基地址. | `"registry.gitlab.com/gitlab-org/security-products/analyzers"` |
| `KLAR_TRACE` | 设置为 true 可启用 klar 的更多详细输出. | `"false"` |
| `CLAIR_TRACE` | 设置为 true 可启用 clair 服务器进程的更多详细输出. | `"false"` |
| `DOCKER_USER` | 用于访问需要身份验证的 Docker 注册表的用户名. | `$CI_REGISTRY_USER` |
| `DOCKER_PASSWORD` | 访问需要身份验证的 Docker 注册表的密码. | `$CI_REGISTRY_PASSWORD` |
| `CLAIR_OUTPUT` | 严重级别阈值. 严重级别高于或等于此阈值的漏洞将被输出. 支持的级别为`Unknown``Negligible``Low``Medium``High``Critical``Defcon1` . | `Unknown` |
| `REGISTRY_INSECURE` | 允许[Klar](https://github.com/optiopay/klar)访问不安全的注册表(仅 HTTP). 仅应在本地测试图像时设置为`true` . | `"false"` |
| `DOCKER_INSECURE` | 允许[Klar](https://github.com/optiopay/klar)使用带有错误(或自签名)SSL 证书的 HTTPS 访问安全的 Docker 注册表. | `"false"` |
| `CLAIR_VULNERABILITIES_DB_URL` | (不推荐**使用-改为使用`CLAIR_DB_CONNECTION_STRING`** )此变量在`Container-Scanning.gitlab-ci.yml`文件的[services 部分](https://gitlab.com/gitlab-org/gitlab/-/blob/898c5da43504eba87b749625da50098d345b60d6/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L23)中显式设置,并且默认为`Container-Scanning.gitlab-ci.yml` `clair-vulnerabilities-db` . 该值表示[托管漏洞定义](https://hub.docker.com/r/arminc/clair-db)[PostgreSQL 服务器](https://hub.docker.com/r/arminc/clair-db)正在运行的地址,除非您按照" [运行独立容器扫描工具"](#running-the-standalone-container-scanning-tool)部分中的说明在本地运行映像,否则**不应更改**该地址. | `clair-vulnerabilities-db` |
| `CLAIR_DB_CONNECTION_STRING` | 该变量表示[托管漏洞定义](https://hub.docker.com/r/arminc/clair-db)数据库的[PostgreSQL 服务器](https://hub.docker.com/r/arminc/clair-db)[连接字符串](https://s0www0postgresql0org.icopy.site/docs/9.3/libpq-connect.html) ,除非您按照" [运行独立容器扫描工具"](#running-the-standalone-container-scanning-tool)部分中的说明在本地运行映像,否则**不应更改**该变量. 连接字符串的主机值必须与`Container-Scanning.gitlab-ci.yml`模板文件的[别名](https://gitlab.com/gitlab-org/gitlab/-/blob/898c5da43504eba87b749625da50098d345b60d6/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L23)值匹配,该[别名](https://gitlab.com/gitlab-org/gitlab/-/blob/898c5da43504eba87b749625da50098d345b60d6/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L23)默认为`clair-vulnerabilities-db` . | `postgresql://postgres:password@clair-vulnerabilities-db:5432/postgres?sslmode=disable&statement_timeout=60000` |
| `CI_APPLICATION_REPOSITORY` | Docker repository URL for the image to be scanned. | `$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG` |
| `CI_APPLICATION_TAG` | 待扫描图像的 Docker 存储库标签. | `$CI_COMMIT_SHA` |
| `CLAIR_DB_IMAGE` | [托管漏洞定义](https://hub.docker.com/r/arminc/clair-db)[PostgreSQL 服务器](https://hub.docker.com/r/arminc/clair-db)的 Docker 映像名称和标记. 使用特定版本覆盖此值可能很有用,例如,为了进行集成测试而提供一致的漏洞集,或在本地进行脱机安装时引用本地托管的漏洞数据库. | `arminc/clair-db:latest` |
| `CLAIR_DB_IMAGE_TAG` | (不推荐**使用-改为使用`CLAIR_DB_IMAGE`**[托管漏洞定义](https://hub.docker.com/r/arminc/clair-db)[PostgreSQL 服务器](https://hub.docker.com/r/arminc/clair-db)的 Docker 映像标记. 可以使用特定版本覆盖此值,例如,为集成测试目的提供一致的漏洞集很有用. | `latest` |
| `DOCKERFILE_PATH` | 用于生成补救的`Dockerfile`的路径. 默认情况下,扫描程序将在项目的根目录中查找名为`Dockerfile`的文件,因此仅当您的`Dockerfile`位于非标准位置(例如子目录)时,才应配置此变量. 有关更多详细信息,请参见[漏洞解决方案](#solutions-for-vulnerabilities-auto-remediation) . | `Dockerfile` |
| `ADDITIONAL_CA_CERT_BUNDLE` | 您要信任的 CA 证书捆绑包. | ”” |
| `SECURE_LOG_LEVEL` | 可用的日志级别为: `fatal``error``warn``info``debug` | `info` |

### Overriding the Container Scanning template[](#overriding-the-container-scanning-template "Permalink")

如果要覆盖作业定义(例如,更改诸如`variables`属性),则必须在`container_scanning`模板之后声明一个`container_scanning`作业,然后指定任何其他键. 例如:

```
include:
  - template: Container-Scanning.gitlab-ci.yml

container_scanning:
  variables:
    GIT_STRATEGY: fetch 
```

**Deprecated:** GitLab 13.0 and later doesn’t support [`only` and `except`](../../../ci/yaml/README.html#onlyexcept-basic). When overriding the template, you must use [`rules`](../../../ci/yaml/README.html#rules) instead.

### Vulnerability allowlisting[](#vulnerability-allowlisting "Permalink")

要允许列表特定漏洞,请按照下列步骤操作:

1.  设置`GIT_STRATEGY: fetch`按照[覆盖容器扫描模板中](#overriding-the-container-scanning-template)的说明, `GIT_STRATEGY: fetch` `.gitlab-ci.yml`文件.
2.  在名为`vulnerability-allowlist.yml`的 YAML 文件中定义允许列出的漏洞. 这必须使用[许可清单示例文件中](https://gitlab.com/gitlab-org/security-products/analyzers/klar/-/raw/master/testdata/vulnerability-allowlist.yml)描述的格式.
3.`vulnerability-allowlist.yml`文件添加到项目的 Git 存储库中.

### Running Container Scanning in an offline environment[](#running-container-scanning-in-an-offline-environment "Permalink")

对于在通过互联网有限,受限或间歇性访问外部资源的环境中进行自我管理的 GitLab 实例,需要进行一些调整才能使容器扫描作业成功运行. 有关更多信息,请参阅[脱机环境](../offline_deployments/index.html) .

#### Requirements for offline Container Scanning[](#requirements-for-offline-container-scanning "Permalink")

要在脱机环境中使用容器扫描,您需要:

*   GitLab 亚军与[`docker`或`kubernetes`执行](#requirements) .
*   要使用 Container Scanning [分析器](https://gitlab.com/gitlab-org/security-products/analyzers/klar)映像的副本配置本地 Docker Container Registry,请在[Container Scanning 容器注册表中找到](https://gitlab.com/gitlab-org/security-products/analyzers/klar/container_registry) .

**注意:** GitLab Runner 的[默认`pull policy`为`always`](https://docs.gitlab.com/runner/executors/docker.html) ,这意味着即使本地副本可用,Runner 也会尝试从 GitLab 容器注册表中拉取 Docker 映像. 如果您只喜欢使用本地可用的 Docker 映像,则可以在离线环境[`pull_policy`](https://docs.gitlab.com/runner/executors/docker.html) GitLab Runner 的[`pull_policy`设置为`if-not-present`](https://docs.gitlab.com/runner/executors/docker.html) . 但是,如果不在离线环境中,我们建议将拉取策略设置保持为`always` ,因为这样可以在 CI / CD 管道中使用更新的扫描仪.

#### Make GitLab Container Scanning analyzer images available inside your Docker registry[](#make-gitlab-container-scanning-analyzer-images-available-inside-your-docker-registry "Permalink")

对于容器扫描,将以下默认图像从`registry.gitlab.com`导入[本地 Docker 容器注册表](../../packages/container_registry/index.html)

```
registry.gitlab.com/gitlab-org/security-products/analyzers/klar
https://hub.docker.com/r/arminc/clair-db 
```

将 Docker 映像导入本地脱机 Docker 注册表的过程取决于**您的网络安全策略** . 请咨询您的 IT 员工,以找到可以导入或临时访问外部资源的已接受和批准的流程. 请注意,这些扫描程序会[定期](../index.html#maintenance-and-update-of-the-vulnerabilities-database)使用新定义进行[更新](../index.html#maintenance-and-update-of-the-vulnerabilities-database) ,因此请考虑您是否能够自己进行定期更新.

有关更多信息,请参见[有关如何使用管道更新映像的特定步骤](#automating-container-scanning-vulnerability-database-updates-with-a-pipeline) .

有关将 Docker 映像保存和传输为文件的详细信息,请参阅 Docker 有关[`docker save`](https://s0docs0docker0com.icopy.site/engine/reference/commandline/save/)[`docker load`](https://s0docs0docker0com.icopy.site/engine/reference/commandline/load/)[`docker export`](https://s0docs0docker0com.icopy.site/engine/reference/commandline/export/)[`docker import`](https://s0docs0docker0com.icopy.site/engine/reference/commandline/import/)的文档.

#### Set Container Scanning CI job variables to use local Container Scanner analyzers[](#set-container-scanning-ci-job-variables-to-use-local-container-scanner-analyzers "Permalink")

1.  [覆盖](#overriding-the-container-scanning-template) `.gitlab-ci.yml`文件中[的容器扫描模板](#overriding-the-container-scanning-template) ,以引用本地 Docker 容器注册表中托管的 Docker 映像:

    ```
    include:
      - template: Container-Scanning.gitlab-ci.yml

    container_scanning:
      image: $CI_REGISTRY/namespace/gitlab-klar-analyzer
      variables:
        CLAIR_DB_IMAGE: $CI_REGISTRY/namespace/clair-vulnerabilities-db 
    ```

2.  如果您的本地 Docker 容器注册表正在通过`HTTPS`安全运行,但是您使用的是自签名证书,则必须在`.gitlab-ci.yml`的上述`container_scanning`部分中将`DOCKER_INSECURE: "true"`设置为.

#### Automating Container Scanning vulnerability database updates with a pipeline[](#automating-container-scanning-vulnerability-database-updates-with-a-pipeline "Permalink")

设置[计划的管道](../../../ci/pipelines/schedules.html)以按照预设的计划自动构建漏洞数据库的新版本可能是值得的. 使用管道自动执行此操作意味着您不必每次都手动进行操作. 您可以使用以下`.gitlab-yml.ci`作为模板:

```
image: docker:stable

stages:
  - build

build_latest_vulnerabilities:
  stage: build
  services:
    - docker:19.03.12-dind
  script:
    - docker pull arminc/clair-db:latest
    - docker tag arminc/clair-db:latest $CI_REGISTRY/namespace/clair-vulnerabilities-db
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
    - docker push $CI_REGISTRY/namespace/clair-vulnerabilities-db 
```

上面的模板适用于在本地安装上运行的 GitLab Docker 注册表,但是,如果您使用的是非 GitLab Docker 注册表,则需要更改`$CI_REGISTRY`值和 Docker `docker login`凭据以匹配以下内容:您的本地注册表.

## Running the standalone Container Scanning Tool[](#running-the-standalone-container-scanning-tool "Permalink")

可以对 Docker 容器运行[GitLab 容器扫描工具](https://gitlab.com/gitlab-org/security-products/analyzers/klar) ,而无需在 CI 作业的上下文中运行它. 要直接扫描图像,请按照下列步骤操作:

1.  Run [Docker Desktop](https://www.docker.com/products/docker-desktop) or [Docker Machine](https://github.com/docker/machine).
2.  运行最新的[预填充漏洞数据库](https://hub.docker.com/repository/docker/arminc/clair-db) Docker 映像:

    ```
    docker run -p 5432:5432 -d --name clair-db arminc/clair-db:latest 
    ```

3.  Configure an environment variable to point to your local machine’s IP address (or insert your IP address instead of the `LOCAL_MACHINE_IP_ADDRESS` variable in the `CLAIR_DB_CONNECTION_STRING` in the next step):

    ```
    export LOCAL_MACHINE_IP_ADDRESS=your.local.ip.address 
    ```

4.  运行分析器的 Docker 映像,并在`CI_APPLICATION_REPOSITORY``CI_APPLICATION_TAG`环境变量中传递要分析的映像和标签:

    ```
    docker run \
      --interactive --rm \
      --volume "$PWD":/tmp/app \
      -e CI_PROJECT_DIR=/tmp/app \
      -e CLAIR_DB_CONNECTION_STRING="postgresql://postgres:password@${LOCAL_MACHINE_IP_ADDRESS}:5432/postgres?sslmode=disable&statement_timeout=60000" \
      -e CI_APPLICATION_REPOSITORY=registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256 \
      -e CI_APPLICATION_TAG=bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e \
      registry.gitlab.com/gitlab-org/security-products/analyzers/klar 
    ```

结果存储在`gl-container-scanning-report.json` .

## Reports JSON format[](#reports-json-format "Permalink")

容器扫描工具会发出 JSON 报告文件. 有关更多信息,请参见此[报告](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/container-scanning-report-format.json)[架构](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/container-scanning-report-format.json) .

这是示例容器扫描报告:

```
{  "version":  "2.3",  "vulnerabilities":  [  {  "id":  "ac0997ad-1006-4c81-81fb-ee2bbe6e78e3",  "category":  "container_scanning",  "message":  "CVE-2019-3462 in apt",  "description":  "Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.",  "severity":  "High",  "confidence":  "Unknown",  "solution":  "Upgrade apt from 1.4.8 to 1.4.9",  "scanner":  {  "id":  "klar",  "name":  "klar"  },  "location":  {  "dependency":  {  "package":  {  "name":  "apt"  },  "version":  "1.4.8"  },  "operating_system":  "debian:9",  "image":  "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"  },  "identifiers":  [  {  "type":  "cve",  "name":  "CVE-2019-3462",  "value":  "CVE-2019-3462",  "url":  "https://security-tracker.debian.org/tracker/CVE-2019-3462"  }  ],  "links":  [  {  "url":  "https://security-tracker.debian.org/tracker/CVE-2019-3462"  }  ]  }  ],  "remediations":  [  {  "fixes":  [  {  "id":  "c0997ad-1006-4c81-81fb-ee2bbe6e78e3"  }  ],  "summary":  "Upgrade apt from 1.4.8 to 1.4.9",  "diff":  "YXB0LWdldCB1cGRhdGUgJiYgYXB0LWdldCB1cGdyYWRlIC15IGFwdA=="  }  ]  } 
```

## Security Dashboard[](#security-dashboard "Permalink")

[安全仪表板](../security_dashboard/index.html)向您显示组,项目和管道中所有安全漏洞的概述.

## Vulnerabilities database update[](#vulnerabilities-database-update "Permalink")

有关漏洞数据库更新的更多信息,请查看[维护表](../index.html#maintenance-and-update-of-the-vulnerabilities-database) .

## Interacting with the vulnerabilities[](#interacting-with-the-vulnerabilities "Permalink")

一旦发现漏洞,便可以[与其进行交互](../index.html#interacting-with-the-vulnerabilities) .

## Solutions for vulnerabilities (auto-remediation)[](#solutions-for-vulnerabilities-auto-remediation "Permalink")

可以通过应用 GitLab 自动生成的解决方案来修复某些漏洞.

为了使整治的支持,对扫描工具*必须*能够访问`Dockerfile`指定由[`DOCKERFILE_PATH`](#available-variables)环境变量. 为确保扫描工具可以访问此文件,有必要设置[`GIT_STRATEGY: fetch`](../../../ci/yaml/README.html#git-strategy)按照本文档中" [覆盖容器扫描模板"](#overriding-the-container-scanning-template)部分中介绍的说明,在`.gitlab-ci.yml`文件中进行[`GIT_STRATEGY: fetch`](../../../ci/yaml/README.html#git-strategy) .

阅读有关[漏洞解决方案的](../index.html#solutions-for-vulnerabilities-auto-remediation)更多信息.

## Troubleshooting[](#troubleshooting "Permalink")

### `docker: Error response from daemon: failed to copy xattrs`[](#docker-error-response-from-daemon-failed-to-copy-xattrs "Permalink")

当 GitLab Runner 使用 Docker 执行程序并使用 NFS 时(例如, `/var/lib/docker`在 NFS 挂载上),容器扫描可能会失败,并显示以下错误:

```
docker: Error response from daemon: failed to copy xattrs: failed to set xattr "security.selinux" on /path/to/file: operation not supported. 
```

这是由于 Docker 中的一个错误而导致的,该错误现已[修复](https://github.com/containerd/continuity/pull/138 "fs:添加 WithAllowXAttrErrors CopyOpt") . 为避免该错误,请确保 Runner 使用的 Docker 版本为`18.09.03`或更高. 有关更多信息,请参见[问题#10241](https://gitlab.com/gitlab-org/gitlab/-/issues/10241 "调查为什么容器扫描不适用于 NFS 挂载") .