# Container Scanning

> Original: [https://docs.gitlab.com/ee/user/application_security/container_scanning/](https://docs.gitlab.com/ee/user/application_security/container_scanning/)

* [Overview](#overview)
* [Requirements](#requirements)
* [Configuration](#configuration)
  * [Customizing the Container Scanning settings](#customizing-the-container-scanning-settings)
    * [Available variables](#available-variables)
  * [Overriding the Container Scanning template](#overriding-the-container-scanning-template)
  * [Vulnerability allowlisting](#vulnerability-allowlisting)
  * [Running Container Scanning in an offline environment](#running-container-scanning-in-an-offline-environment)
    * [Requirements for offline Container Scanning](#requirements-for-offline-container-scanning)
    * [Make GitLab Container Scanning analyzer images available inside your Docker registry](#make-gitlab-container-scanning-analyzer-images-available-inside-your-docker-registry)
    * [Set Container Scanning CI job variables to use local Container Scanner analyzers](#set-container-scanning-ci-job-variables-to-use-local-container-scanner-analyzers)
    * [Automating Container Scanning vulnerability database updates with a pipeline](#automating-container-scanning-vulnerability-database-updates-with-a-pipeline)
* [Running the standalone Container Scanning Tool](#running-the-standalone-container-scanning-tool)
* [Reports JSON format](#reports-json-format)
* [Security Dashboard](#security-dashboard)
* [Vulnerabilities database update](#vulnerabilities-database-update)
* [Interacting with the vulnerabilities](#interacting-with-the-vulnerabilities)
* [Solutions for vulnerabilities (auto-remediation)](#solutions-for-vulnerabilities-auto-remediation)
* [Troubleshooting](#troubleshooting)
  * [`docker: Error response from daemon: failed to copy xattrs`](#docker-error-response-from-daemon-failed-to-copy-xattrs)

[Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/3672) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.4.

## Overview

Your application's Docker image may itself be based on Docker images that contain known vulnerabilities. By including an extra job in your pipeline that scans for those vulnerabilities and displays them in a merge request, you can use GitLab to audit your Docker-based applications. By default, container scanning in GitLab is based on [Clair](https://github.com/quay/clair) and [Klar](https://github.com/optiopay/klar), which are open-source tools for static analysis of vulnerabilities in containers. [GitLab's Klar analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/klar/) scans the containers and serves as a wrapper for Clair.

**Note:** To integrate security scanners other than Clair and Klar into GitLab, see [Security scanner integration](../../../development/integrations/secure.html).

You can enable container scanning by doing one of the following:

* [Include the CI job](#configuration) in your existing `.gitlab-ci.yml` file.
* Implicitly use [Auto Container Scanning](../../../topics/autodevops/stages.html#auto-container-scanning-ultimate) provided by [Auto DevOps](../../../topics/autodevops/index.html).

GitLab compares the vulnerabilities found on the source branch with those on the target branch, and shows the information directly in the merge request.

[![Container Scanning Widget](https://img.kancloud.cn/51/b5/51b5e0279d5b9003633fa13cec784e8d_908x222.png)](img/container_scanning_v13_2.png)

## Requirements

To enable container scanning in your pipeline, you need the following:

* [GitLab Runner](https://docs.gitlab.com/runner/) with the [Docker](https://docs.gitlab.com/runner/executors/docker.html) or [Kubernetes](https://docs.gitlab.com/runner/install/kubernetes.html) executor.
* Docker `18.09.03` or higher installed on the same computer as the runner. If you're using the shared runners on GitLab.com, this is already the case.
* [Build and push](../../packages/container_registry/index.html#container-registry-examples-with-gitlab-cicd) your Docker image to your project's Container Registry. The name of the Docker image should use the following [predefined environment variables](../../../ci/variables/predefined_variables.html):

  ```
  $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
  ```

  These can be used directly in your `.gitlab-ci.yml` file:

  ```yaml
  build:
    image: docker:19.03.12
    stage: build
    services:
      - docker:19.03.12-dind
    variables:
      IMAGE_TAG: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
    script:
      - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
      - docker build -t $IMAGE_TAG .
      - docker push $IMAGE_TAG
  ```

## Configuration

How you enable container scanning depends on your GitLab version:

* GitLab 11.9 and later: [Include](../../../ci/yaml/README.html#includetemplate) the [`Container-Scanning.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml) that comes with your GitLab installation.
* GitLab versions earlier than 11.9: Copy and use the job from the [`Container-Scanning.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml).

To include the `Container-Scanning.gitlab-ci.yml` template (GitLab 11.9 and later), add the following to your `.gitlab-ci.yml` file:

```yaml
include:
  - template: Container-Scanning.gitlab-ci.yml
```

The included template:

* Creates a `container_scanning` job in your CI/CD pipeline.
* Pulls the already built Docker image from your project's [Container Registry](../../packages/container_registry/index.html) (see [requirements](#requirements)) and scans it for possible vulnerabilities.

GitLab saves the results as a [Container Scanning report artifact](../../../ci/pipelines/job_artifacts.html#artifactsreportscontainer_scanning-ultimate) that you can download and analyze later. When downloading, you always receive the most recent artifact.

The following is a sample `.gitlab-ci.yml` that builds your Docker image, pushes it to the Container Registry, and scans the container:

```yaml
variables:
  DOCKER_DRIVER: overlay2

stages:
  - build
  - test

build:
  image: docker:stable
  stage: build
  services:
    - docker:19.03.12-dind
  variables:
    IMAGE: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
  script:
    - docker info
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
    - docker build -t $IMAGE .
    - docker push $IMAGE

include:
  - template: Container-Scanning.gitlab-ci.yml
```

### Customizing the Container Scanning settings

There may be cases where you want to customize how GitLab scans your containers. For example, you may want to enable more verbose output from Clair or Klar, access a Docker registry that requires authentication, and more. To change such settings, use the [`variables`](../../../ci/yaml/README.html#variables) parameter in your `.gitlab-ci.yml` to set [environment variables](#available-variables). The environment variables you set in your `.gitlab-ci.yml` overwrite those in `Container-Scanning.gitlab-ci.yml`.

This example [includes](../../../ci/yaml/README.html#include) the Container Scanning template and sets Clair's output threshold by setting the `CLAIR_OUTPUT` environment variable to `High`:

```yaml
include:
  - template: Container-Scanning.gitlab-ci.yml

variables:
  CLAIR_OUTPUT: High
```

#### Available variables

Container Scanning can be [configured](#customizing-the-container-scanning-settings) using environment variables.

| Environment variable | Description | Default |
| --- | --- | --- |
| `SECURE_ANALYZERS_PREFIX` | Set the Docker registry base address from which to download the analyzer. | `"registry.gitlab.com/gitlab-org/security-products/analyzers"` |
| `KLAR_TRACE` | Set to true to enable more verbose output from klar. | `"false"` |
| `CLAIR_TRACE` | Set to true to enable more verbose output from the clair server process. | `"false"` |
| `DOCKER_USER` | Username for accessing a Docker registry requiring authentication. | `$CI_REGISTRY_USER` |
| `DOCKER_PASSWORD` | Password for accessing a Docker registry requiring authentication. | `$CI_REGISTRY_PASSWORD` |
| `CLAIR_OUTPUT` | Severity level threshold. Vulnerabilities with a severity level higher than or equal to this threshold are output. Supported levels are `Unknown`, `Negligible`, `Low`, `Medium`, `High`, `Critical`, and `Defcon1`. | `Unknown` |
| `REGISTRY_INSECURE` | Allow [Klar](https://github.com/optiopay/klar) to access insecure registries (HTTP only). Should only be set to `true` when testing the image locally. | `"false"` |
| `DOCKER_INSECURE` | Allow [Klar](https://github.com/optiopay/klar) to access secure Docker registries using HTTPS with bad (or self-signed) SSL certificates. | `"false"` |
| `CLAIR_VULNERABILITIES_DB_URL` | (**DEPRECATED - use `CLAIR_DB_CONNECTION_STRING` instead**) This variable is explicitly set in the [services section](https://gitlab.com/gitlab-org/gitlab/-/blob/898c5da43504eba87b749625da50098d345b60d6/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L23) of the `Container-Scanning.gitlab-ci.yml` file and defaults to `clair-vulnerabilities-db`. This value represents the address that the [PostgreSQL server hosting the vulnerability definitions](https://hub.docker.com/r/arminc/clair-db) is running on and **shouldn't be changed** unless you're running the image locally as described in the [Running the standalone Container Scanning Tool](#running-the-standalone-container-scanning-tool) section. | `clair-vulnerabilities-db` |
| `CLAIR_DB_CONNECTION_STRING` | This variable represents the [connection string](https://s0www0postgresql0org.icopy.site/docs/9.3/libpq-connect.html) to the [PostgreSQL server hosting the vulnerability definitions](https://hub.docker.com/r/arminc/clair-db) database and **shouldn't be changed** unless you're running the image locally as described in the [Running the standalone Container Scanning Tool](#running-the-standalone-container-scanning-tool) section. The host value for the connection string must match the [alias](https://gitlab.com/gitlab-org/gitlab/-/blob/898c5da43504eba87b749625da50098d345b60d6/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L23) value of the `Container-Scanning.gitlab-ci.yml` template file, which defaults to `clair-vulnerabilities-db`. | `postgresql://postgres:password@clair-vulnerabilities-db:5432/postgres?sslmode=disable&statement_timeout=60000` |
| `CI_APPLICATION_REPOSITORY` | Docker repository URL for the image to be scanned. | `$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG` |
| `CI_APPLICATION_TAG` | Docker repository tag for the image to be scanned. | `$CI_COMMIT_SHA` |
| `CLAIR_DB_IMAGE` | The Docker image name and tag for the [PostgreSQL server hosting the vulnerability definitions](https://hub.docker.com/r/arminc/clair-db). It can be useful to override this value with a specific version, for example, to provide a consistent set of vulnerabilities for integration testing purposes, or to refer to a locally hosted vulnerability database for an offline installation. | `arminc/clair-db:latest` |
| `CLAIR_DB_IMAGE_TAG` | (**DEPRECATED - use `CLAIR_DB_IMAGE` instead**) The Docker image tag for the [PostgreSQL server hosting the vulnerability definitions](https://hub.docker.com/r/arminc/clair-db). It can be useful to override this value with a specific version, for example, to provide a consistent set of vulnerabilities for integration testing purposes. | `latest` |
| `DOCKERFILE_PATH` | The path to the `Dockerfile` to use for generating remediations. By default, the scanner looks for a file named `Dockerfile` in the root directory of the project, so you should configure this variable only if your `Dockerfile` is in a non-standard location, such as a subdirectory. See [Solutions for vulnerabilities](#solutions-for-vulnerabilities-auto-remediation) for more details. | `Dockerfile` |
| `ADDITIONAL_CA_CERT_BUNDLE` | Bundle of CA certificates that you want to trust. | `""` |
| `SECURE_LOG_LEVEL` | The available log levels are: `fatal`, `error`, `warn`, `info`, `debug` | `info` |

### Overriding the Container Scanning template

If you want to override the job definition (for example, to change properties like `variables`), you must declare a `container_scanning` job after the template inclusion and specify any additional keys. For example:

```yaml
include:
  - template: Container-Scanning.gitlab-ci.yml

container_scanning:
  variables:
    GIT_STRATEGY: fetch
```

**Deprecated:** GitLab 13.0 and later doesn't support [`only` and `except`](../../../ci/yaml/README.html#onlyexcept-basic). When overriding the template, you must use [`rules`](../../../ci/yaml/README.html#rules) instead.

### Vulnerability allowlisting

To allowlist specific vulnerabilities, follow these steps:

1. Set `GIT_STRATEGY: fetch` in your `.gitlab-ci.yml` file by following the instructions in [Overriding the Container Scanning template](#overriding-the-container-scanning-template).
2. Define the allowlisted vulnerabilities in a YAML file named `vulnerability-allowlist.yml`. This must use the format described in the [allowlist example file](https://gitlab.com/gitlab-org/security-products/analyzers/klar/-/raw/master/testdata/vulnerability-allowlist.yml).
3. Add the `vulnerability-allowlist.yml` file to your project's Git repository.

### Running Container Scanning in an offline environment

For self-managed GitLab instances in an environment with limited, restricted, or intermittent access to external resources through the internet, some adjustments are required for the container scanning job to run successfully. For more information, see [Offline environments](../offline_deployments/index.html).

#### Requirements for offline Container Scanning

To use container scanning in an offline environment, you need:

* GitLab Runner with the [`docker` or `kubernetes` executor](#requirements).
* A local Docker Container Registry configured with copies of the Container Scanning [analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/klar) images, found in the [Container Scanning container registry](https://gitlab.com/gitlab-org/security-products/analyzers/klar/container_registry).

**Note:** GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html), meaning the runner tries to pull Docker images from the GitLab container registry even if a local copy is available. GitLab Runner's [`pull_policy` can be set to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html) in an offline environment if you prefer using only locally available Docker images. However, we recommend keeping the pull policy set to `always` when not in an offline environment, because this enables the use of updated scanners in your CI/CD pipelines.

#### Make GitLab Container Scanning analyzer images available inside your Docker registry

For container scanning, import the following default images from `registry.gitlab.com` into your [local Docker container registry](../../packages/container_registry/index.html):

```
registry.gitlab.com/gitlab-org/security-products/analyzers/klar
https://hub.docker.com/r/arminc/clair-db
```

The process for importing Docker images into a local offline Docker registry depends on **your network security policy**. Please consult your IT staff to find an accepted and approved process by which external resources can be imported or temporarily accessed. Note that these scanners are [updated periodically](../index.html#maintenance-and-update-of-the-vulnerabilities-database) with new definitions, so consider whether you are able to perform periodic updates yourself. For more information, see the [specific steps on how to update the images with a pipeline](#automating-container-scanning-vulnerability-database-updates-with-a-pipeline).

For details on saving and transporting Docker images as a file, see Docker's documentation on [`docker save`](https://s0docs0docker0com.icopy.site/engine/reference/commandline/save/), [`docker load`](https://s0docs0docker0com.icopy.site/engine/reference/commandline/load/), [`docker export`](https://s0docs0docker0com.icopy.site/engine/reference/commandline/export/), and [`docker import`](https://s0docs0docker0com.icopy.site/engine/reference/commandline/import/).

#### Set Container Scanning CI job variables to use local Container Scanner analyzers

1. [Override the container scanning template](#overriding-the-container-scanning-template) in your `.gitlab-ci.yml` file to refer to the Docker images hosted on your local Docker container registry:

   ```yaml
   include:
     - template: Container-Scanning.gitlab-ci.yml

   container_scanning:
     image: $CI_REGISTRY/namespace/gitlab-klar-analyzer
     variables:
       CLAIR_DB_IMAGE: $CI_REGISTRY/namespace/clair-vulnerabilities-db
   ```

2. If your local Docker container registry is running securely over `HTTPS`, but you're using a self-signed certificate, then you must set `DOCKER_INSECURE: "true"` in the above `container_scanning` section of your `.gitlab-ci.yml`.

#### Automating Container Scanning vulnerability database updates with a pipeline

It can be worthwhile to set up a [scheduled pipeline](../../../ci/pipelines/schedules.html) to build a new version of the vulnerabilities database on a preset schedule. Automating this with a pipeline means you don't have to do it manually each time. You can use the following `.gitlab-ci.yml` as a template:

```yaml
image: docker:stable

stages:
  - build

build_latest_vulnerabilities:
  stage: build
  services:
    - docker:19.03.12-dind
  script:
    - docker pull arminc/clair-db:latest
    - docker tag arminc/clair-db:latest $CI_REGISTRY/namespace/clair-vulnerabilities-db
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
    - docker push $CI_REGISTRY/namespace/clair-vulnerabilities-db
```

The above template works for a GitLab Docker registry running on a local installation. However, if you're using a non-GitLab Docker registry, you must change the `$CI_REGISTRY` value and the `docker login` credentials to match your local registry.

## Running the standalone Container Scanning Tool

It's possible to run the [GitLab Container Scanning Tool](https://gitlab.com/gitlab-org/security-products/analyzers/klar) against a Docker container without needing to run it within the context of a CI job. To scan an image directly, follow these steps:

1. Run [Docker Desktop](https://www.docker.com/products/docker-desktop) or [Docker Machine](https://github.com/docker/machine).

2. Run the latest [prefilled vulnerabilities database](https://hub.docker.com/repository/docker/arminc/clair-db) Docker image:

   ```shell
   docker run -p 5432:5432 -d --name clair-db arminc/clair-db:latest
   ```

3. Configure an environment variable to point to your local machine's IP address (or insert your IP address instead of the `LOCAL_MACHINE_IP_ADDRESS` variable in the `CLAIR_DB_CONNECTION_STRING` in the next step):

   ```shell
   export LOCAL_MACHINE_IP_ADDRESS=your.local.ip.address
   ```

4. Run the analyzer's Docker image, passing the image and tag you want to analyze in the `CI_APPLICATION_REPOSITORY` and `CI_APPLICATION_TAG` environment variables:

   ```shell
   docker run \
     --interactive --rm \
     --volume "$PWD":/tmp/app \
     -e CI_PROJECT_DIR=/tmp/app \
     -e CLAIR_DB_CONNECTION_STRING="postgresql://postgres:password@${LOCAL_MACHINE_IP_ADDRESS}:5432/postgres?sslmode=disable&statement_timeout=60000" \
     -e CI_APPLICATION_REPOSITORY=registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256 \
     -e CI_APPLICATION_TAG=bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e \
     registry.gitlab.com/gitlab-org/security-products/analyzers/klar
   ```

The results are stored in `gl-container-scanning-report.json`.

## Reports JSON format

The container scanning tool emits a JSON report file. For more information, see the [schema for this report](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/container-scanning-report-format.json).

Here's an example container scanning report:

```json
{
  "version": "2.3",
  "vulnerabilities": [
    {
      "id": "ac0997ad-1006-4c81-81fb-ee2bbe6e78e3",
      "category": "container_scanning",
      "message": "CVE-2019-3462 in apt",
      "description": "Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.",
      "severity": "High",
      "confidence": "Unknown",
      "solution": "Upgrade apt from 1.4.8 to 1.4.9",
      "scanner": {
        "id": "klar",
        "name": "klar"
      },
      "location": {
        "dependency": {
          "package": {
            "name": "apt"
          },
          "version": "1.4.8"
        },
        "operating_system": "debian:9",
        "image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
      },
      "identifiers": [
        {
          "type": "cve",
          "name": "CVE-2019-3462",
          "value": "CVE-2019-3462",
          "url": "https://security-tracker.debian.org/tracker/CVE-2019-3462"
        }
      ],
      "links": [
        {
          "url": "https://security-tracker.debian.org/tracker/CVE-2019-3462"
        }
      ]
    }
  ],
  "remediations": [
    {
      "fixes": [
        {
          "id": "c0997ad-1006-4c81-81fb-ee2bbe6e78e3"
        }
      ],
      "summary": "Upgrade apt from 1.4.8 to 1.4.9",
      "diff": "YXB0LWdldCB1cGRhdGUgJiYgYXB0LWdldCB1cGdyYWRlIC15IGFwdA=="
    }
  ]
}
```

## Security Dashboard

The [Security Dashboard](../security_dashboard/index.html) shows you an overview of all the security vulnerabilities in your groups, projects, and pipelines.

## Vulnerabilities database update

For more information about the vulnerabilities database update, see the [maintenance table](../index.html#maintenance-and-update-of-the-vulnerabilities-database).

## Interacting with the vulnerabilities

Once a vulnerability is found, you can [interact with it](../index.html#interacting-with-the-vulnerabilities).

## Solutions for vulnerabilities (auto-remediation)

Some vulnerabilities can be fixed by applying the solution that GitLab automatically generates. For remediation to be supported, the scanning tool *must* have access to the `Dockerfile` specified by the [`DOCKERFILE_PATH`](#available-variables) environment variable. To ensure that the scanning tool has access to this file, it's necessary to set [`GIT_STRATEGY: fetch`](../../../ci/yaml/README.html#git-strategy) in your `.gitlab-ci.yml` file by following the instructions described in this document's [Overriding the Container Scanning template](#overriding-the-container-scanning-template) section.

Read more about the [solutions for vulnerabilities](../index.html#solutions-for-vulnerabilities-auto-remediation).

## Troubleshooting

### `docker: Error response from daemon: failed to copy xattrs`

When the GitLab Runner uses the Docker executor and NFS is used (for example, `/var/lib/docker` is on an NFS mount), Container Scanning might fail with an error like the following:

```
docker: Error response from daemon: failed to copy xattrs: failed to set xattr "security.selinux" on /path/to/file: operation not supported.
```

This is a result of a bug in Docker which is now [fixed](https://github.com/containerd/continuity/pull/138 "fs: add WithAllowXAttrErrors CopyOpt"). To prevent the error, ensure the Docker version that the Runner is using is `18.09.03` or higher. For more information, see [issue #10241](https://gitlab.com/gitlab-org/gitlab/-/issues/10241 "Investigate why Container Scanning does not work with NFS mounts").
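The following is an added example and not code from the GitLab documentation or from the Klar analyzer. It is a small Python consumer for the `gl-container-scanning-report.json` format shown in the Reports JSON format section: it ranks findings with the same severity ordering the `CLAIR_OUTPUT` variable uses, drops findings covered by an allowlist in the spirit of the Vulnerability allowlisting section, and decodes the base64 `diff` field of each remediation so the proposed fix can be reviewed before it is applied. The sample report is constructed for this example (CVE-2019-3462 in `apt` and its remediation come from the documented example; the second finding, its identifier and the registry path are placeholders). The allowlist shape used here (a CVE identifier mapped to a package name, or `None` for any package) is an assumption for illustration, not the real `vulnerability-allowlist.yml` format, which is defined by the analyzer's example file linked above.

```python
import base64
import binascii
import json

# Severity levels in the order CLAIR_OUTPUT ranks them (lowest first),
# as listed in the "Available variables" table.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]

# Constructed sample in the shape of gl-container-scanning-report.json.
# CVE-2019-3462 / apt and its remediation mirror the documented example;
# the second finding, its CVE id and the image reference are placeholders.
SAMPLE_REPORT = json.dumps({
    "version": "2.3",
    "vulnerabilities": [
        {
            "id": "ac0997ad-1006-4c81-81fb-ee2bbe6e78e3",
            "category": "container_scanning",
            "message": "CVE-2019-3462 in apt",
            "severity": "High",
            "solution": "Upgrade apt from 1.4.8 to 1.4.9",
            "location": {
                "dependency": {"package": {"name": "apt"}, "version": "1.4.8"},
                "operating_system": "debian:9",
                "image": "registry.example.invalid/app@sha256:PLACEHOLDER",
            },
            "identifiers": [{"type": "cve", "name": "CVE-2019-3462", "value": "CVE-2019-3462"}],
        },
        {
            "id": "00000000-0000-0000-0000-000000000002",
            "category": "container_scanning",
            "message": "CVE-XXXX-PLACEHOLDER in libexample",
            "severity": "Medium",
            "location": {
                "dependency": {"package": {"name": "libexample"}, "version": "1.0"},
                "operating_system": "debian:9",
                "image": "registry.example.invalid/app@sha256:PLACEHOLDER",
            },
            "identifiers": [{"type": "cve", "name": "CVE-XXXX-PLACEHOLDER", "value": "CVE-XXXX-PLACEHOLDER"}],
        },
    ],
    "remediations": [
        {
            "fixes": [{"id": "ac0997ad-1006-4c81-81fb-ee2bbe6e78e3"}],
            "summary": "Upgrade apt from 1.4.8 to 1.4.9",
            "diff": "YXB0LWdldCB1cGRhdGUgJiYgYXB0LWdldCB1cGdyYWRlIC15IGFwdA==",
        }
    ],
})


def severity_rank(level):
    """Position of a severity in SEVERITY_ORDER; an unexpected string ranks lowest."""
    return SEVERITY_ORDER.index(level) if level in SEVERITY_ORDER else 0


def cve_ids(vuln):
    """All CVE identifiers attached to one finding."""
    return {i["value"] for i in vuln.get("identifiers", []) if i.get("type") == "cve"}


def is_allowlisted(vuln, allowlist):
    """Assumed simplified allowlist: CVE id -> package name, or None for any package."""
    package = vuln["location"]["dependency"]["package"]["name"]
    return any(cve in allowlist and allowlist[cve] in (None, package) for cve in cve_ids(vuln))


def select_findings(report_json, threshold="Unknown", allowlist=None):
    """Findings at or above `threshold` that are not allowlisted, the way
    CLAIR_OUTPUT and vulnerability-allowlist.yml narrow what the job reports."""
    report = json.loads(report_json)
    allowlist = allowlist or {}
    floor = severity_rank(threshold)
    return [
        v for v in report["vulnerabilities"]
        if severity_rank(v.get("severity", "Unknown")) >= floor and not is_allowlisted(v, allowlist)
    ]


def decode_remediations(report_json):
    """Map each remediated finding id to (summary, decoded diff text).
    The 'diff' field is base64; a malformed value is flagged instead of raising."""
    report = json.loads(report_json)
    out = {}
    for rem in report.get("remediations", []):
        try:
            diff = base64.b64decode(rem["diff"], validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, KeyError):
            diff = "<undecodable diff>"
        for fix in rem.get("fixes", []):
            out[fix["id"]] = (rem.get("summary", ""), diff)
    return out


if __name__ == "__main__":
    for v in select_findings(SAMPLE_REPORT, threshold="Medium", allowlist={"CVE-2019-3462": "apt"}):
        print(v["severity"], v["message"])
    for fix_id, (summary, diff) in decode_remediations(SAMPLE_REPORT).items():
        print(fix_id, summary, "->", diff)
```

Running the block with the `Medium` threshold and the `apt` allowlist entry leaves only the placeholder `libexample` finding, and the decoded remediation reads `apt-get update && apt-get upgrade -y apt`. Scoping an allowlist entry to a package name rather than to a bare CVE id keeps a suppression from silently covering a second package that later picks up the same identifier.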