IK.AM

@making's tech note


Trying "Source Test Scan to URL" with Tanzu Application Platform 1.2

🗃 {Dev/CaaS/Kubernetes/TAP}
🏷 Backstage 🏷 Cartographer 🏷 Grype 🏷 Kubernetes 🏷 TAP 🏷 Tanzu 🏷 Tekton 
🗓 Updated at 2022-08-24T11:16:36+09:00  🗓 Created at 2022-08-15T01:35:34+09:00

This post tries "Source Test Scan to URL" in the environment built in "Notes on installing Tanzu Application Platform 1.2 (Full Profile) on AKS and integrating it with Azure AD - Self Signed edition".


Creating a read-only access token for the Metadata Store

Create a token for accessing the Metadata Store. Developers will use it later, so create a read-only one.

cat <<EOF | kubectl apply -f-
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metadata-store-ready-only
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metadata-store-read-only
subjects:
- kind: ServiceAccount
  name: metadata-store-read-client
  namespace: metadata-store
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metadata-store-read-client
  namespace: metadata-store
automountServiceAccountToken: false
---
apiVersion: v1
kind: Secret
metadata:
  name: metadata-store-read-only-token
  namespace: metadata-store  
  annotations:
    kubernetes.io/service-account.name: metadata-store-read-client
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: metadata-store-read-only-token-read
  namespace: metadata-store
rules:
- apiGroups: [ "" ]
  resources: [ "secrets" ]
  resourceNames: [ "metadata-store-read-only-token" ]
  verbs: [ "get" ]
EOF

Retrieve the access token with the following command. It is used later.

AUTH_TOKEN=$(kubectl get secret -n metadata-store metadata-store-read-only-token -otemplate='{{.data.token | base64decode}}')

Updating tap-values.yml

Change the following part of tap-values.yml

supply_chain: basic

ootb_supply_chain_basic:
# ...

to the following.

supply_chain: testing_scanning

ootb_supply_chain_testing_scanning:
# ...

The replacement can be done with the following command.

sed -i.bak 's/basic/testing_scanning/g' tap-values.yml

Next, add the following settings for the TAP GUI.

tap_gui:
  # ...
  app_config:
    proxy:
      /metadata-store:
        target: https://metadata-store-app.metadata-store:8443/api/v1
        changeOrigin: true
        secure: false
        headers:
          Authorization: "Bearer ${AUTH_TOKEN}"
          X-Custom-Source: project-star

Also add the following settings for the Metadata Store.

metadata_store:
  # ...
  ns_for_export_app_cert: "*"

Apply the tap-values.yml changes with the following command.

tanzu package installed update -n tap-install tap -f tap-values.yml 

When the list of ClusterSupplyChains looks like the following, "Source Test Scan to URL" is available.

$ kubectl get clustersupplychain
NAME                         READY   REASON   AGE
scanning-image-scan-to-url   True    Ready    6s
source-test-scan-to-url      True    Ready    6s

Preparation for creating a Workload

RBAC settings

The basics were already configured in the previous article.

Create a RoleBinding so that developers can retrieve the Metadata Store access token.

kubectl create rolebinding metadata-store-read-only-token-read-${GROUP_ID} -n metadata-store --role metadata-store-read-only-token-read --group ${GROUP_ID}

Creating a Tekton Pipeline

https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.2/tap/GUID-scc-ootb-supply-chain-testing.html

For this walkthrough the test step is left as an empty implementation.

cat <<'EOF' | kubectl -n demo apply -f -
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: developer-defined-tekton-pipeline
  labels:
    apps.tanzu.vmware.com/pipeline: test
spec:
  params:
  - name: source-url
  - name: source-revision
  tasks:
    - name: test
      params:
      - name: source-url
        value: $(params.source-url)
      - name: source-revision
        value: $(params.source-revision)
      taskSpec:
        params:
        - name: source-url
        - name: source-revision
        steps:
        - name: test
          image: alpine
          script: |-
            echo "Skip Test :)"
EOF

Installing the ScanTemplates

https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.2/tap/GUID-scst-scan-install-scst-scan.html

cat <<EOF > grype-demo.yaml
namespace: demo
targetImagePullSecret: registry-credentials
EOF
tanzu package install grype-demo -p grype.scanning.apps.tanzu.vmware.com -v 1.2.2 -n tap-install -f grype-demo.yaml

Check the list of ScanTemplates.

$ kubectl get scantemplate -n demo
NAME                          AGE
blob-source-scan-template     6s
private-image-scan-template   6s
public-image-scan-template    6s
public-source-scan-template   6s

Also run the following command and confirm that the status is Reconcile succeeded.

$ kubectl get secretimports.secretgen.carvel.dev -n demo
NAME           DESCRIPTION           AGE
app-tls-cert   Reconcile succeeded   23s

Creating a ScanPolicy

https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.2/tap/GUID-getting-started-add-test-and-security.html#install-ootb-supply-chain-with-testing-and-scanning-5

kubectl apply -n demo -f - << EOF
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ScanPolicy
metadata:
  name: scan-policy
spec:
  regoFile: |
    package main

    # Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity"
    notAllowedSeverities := ["Critical","High","UnknownSeverity"]
    ignoreCves := ["CVE-2016-1000027"]

    contains(array, elem) = true {
      array[_] = elem
    } else = false { true }

    isSafe(match) {
      severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity }
      some i
      fails := contains(notAllowedSeverities, severities[i])
      not fails
    }

    isSafe(match) {
      ignore := contains(ignoreCves, match.id)
      ignore
    }

    deny[msg] {
      comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] }
      some i
      comp := comps[i]
      vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] }
      some j
      vuln := vulns[j]
      ratings := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity }
      not isSafe(vuln)
      msg = sprintf("CVE %s %s %s", [comp.name, vuln.id, ratings])
    }
EOF

CVE-2016-1000027 is a vulnerability reported against Spring Framework, but as discussed in https://github.com/spring-projects/spring-framework/issues/24434 it is not a valid finding. Grype still detects it, so if you use Spring Framework you need to ignore it. It is best to ignore it up front in the ScanPolicy.
https://github.com/anchore/grype/issues/773
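To make the pass/fail decision of the ScanPolicy above easy to reason about offline, here is an added example (not code from the original post or from TAP) that models the Rego rules in Python over constructed scan data. The Rego denies the scan for every component vulnerability that is not "safe": a finding is safe when its id is in ignoreCves, or when at least one of its severity ratings is outside notAllowedSeverities (the `some i ... not fails` pattern in the first isSafe rule is existential). The component names and vulnerability lists below are constructed for the example and loosely mirror the two image scans shown later in the post.

```python
"""Added example, not code from the original post or from TAP: a Python model of
the ScanPolicy's Rego rules, evaluated over constructed scan data."""
from dataclasses import dataclass, field

# Same lists as the post's ScanPolicy.
NOT_ALLOWED_SEVERITIES = {"Critical", "High", "UnknownSeverity"}
IGNORE_CVES = {"CVE-2016-1000027"}


@dataclass
class Vulnerability:
    id: str
    severities: list  # ratings from the scanner; Grype normally gives one per finding


@dataclass
class Component:
    name: str
    vulnerabilities: list = field(default_factory=list)


def is_safe(vuln):
    """Mirror of the two isSafe rules in the Rego."""
    if vuln.id in IGNORE_CVES:  # second rule: id is explicitly ignored
        return True
    # first rule: `some i ... not fails` holds if some rating is outside the disallowed set
    return any(sev not in NOT_ALLOWED_SEVERITIES for sev in vuln.severities)


def evaluate_policy(components):
    """Mirror of deny[msg]: one message per violating finding; an empty list means the scan passes."""
    messages = []
    for comp in components:
        for vuln in comp.vulnerabilities:
            if not is_safe(vuln):
                ratings = sorted(set(vuln.severities))
                messages.append(f"CVE {comp.name} {vuln.id} {ratings}")
    return messages


def scan_phase(components):
    """Completed when no deny message is produced, otherwise Failed (the ImageScan PHASE column)."""
    return "Completed" if not evaluate_policy(components) else "Failed"


# Constructed data modelled on the two image scans in the post (not real scanner output).
FIRST_IMAGE = [
    Component("jquery", [Vulnerability("CVE-2007-2379", ["Medium"]),
                         Vulnerability("CVE-2020-11022", ["Medium"])]),
    Component("spring-core", [Vulnerability("CVE-2016-1000027", ["Critical"])]),  # on the ignore list
    Component("coreutils", [Vulnerability("CVE-2016-2781", ["Low"])]),
]
SECOND_IMAGE = FIRST_IMAGE + [
    Component("commons-collections4", [Vulnerability("GHSA-6hgm-866r-3cjv", ["High"])]),
]

if __name__ == "__main__":
    for label, image in (("first image", FIRST_IMAGE), ("second image", SECOND_IMAGE)):
        print(label, scan_phase(image), evaluate_policy(image))
```

Two things worth noticing while reading the model. The ignore list short-circuits severity entirely, so a Critical finding for CVE-2016-1000027 never produces a deny message, which is exactly why the first scan in the post ends in Completed despite the CRITICAL column showing 1. And because the first isSafe rule is satisfied as soon as one rating is allowed, a finding that carried both a Critical and a Low rating would count as safe; Grype output normally has a single rating per finding, so in practice this behaves like "no disallowed rating", but it is worth knowing if you feed the policy results that merge several rating sources.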

Creating the Workload

The following steps are run as a developer.

az aks get-credentials --resource-group tap-rg --name tap-sandbox --overwrite-existing

Create the Workload with the following command. The --label apps.tanzu.vmware.com/has-tests=true is required.

tanzu apps workload apply spring-music \
  --app spring-music \
  --git-repo https://github.com/tanzu-japan/spring-music \
  --git-branch tanzu \
  --type web \
  --label apps.tanzu.vmware.com/has-tests=true \
  --annotation autoscaling.knative.dev/minScale=1 \
  -n demo \
  -y
tanzu apps workload tail spring-music -n demo
# "or" stern -n demo spring-music

Watch the progress with the following command.

watch kubectl get workload,pod,gitrepo,pipelinerun,sourcescan,imgs,build,imagescan,podintent,taskrun,imagerepository,deliverable,app,ksvc -n demo -owide -l app.kubernetes.io/part-of=spring-music

The output looks like this.

$ kubectl get workload,pod,gitrepo,pipelinerun,sourcescan,imgs,build,imagescan,podintent,taskrun,imagerepository,deliverable,app,ksvc -n demo -owide -l app.kubernetes.io/part-of=spring-music
NAME                              SOURCE                                        SUPPLYCHAIN               READY   REASON   AGE
workload.carto.run/spring-music   https://github.com/tanzu-japan/spring-music   source-test-scan-to-url   True    Ready    7m46s

NAME                                                 READY   STATUS      RESTARTS   AGE     IP            NODE                                NOMINATED NODE   READINESS GATES
pod/scan-spring-music-njwjz-dst66                    0/1     Completed   0          7m19s   10.244.2.25   aks-nodepool1-87250474-vmss000002   <none>           <none>
pod/scan-spring-music-vgj8d-6l8ld                    0/1     Completed   0          107s    10.244.2.27   aks-nodepool1-87250474-vmss000002   <none>           <none>
pod/spring-music-00001-deployment-865d75d795-8c8m6   2/2     Running     0          34s     10.244.2.29   aks-nodepool1-87250474-vmss000002   <none>           <none>
pod/spring-music-build-1-build-pod                   0/1     Completed   0          6m4s    10.244.2.26   aks-nodepool1-87250474-vmss000002   <none>           <none>
pod/spring-music-config-writer-4f4lh-pod             0/1     Completed   0          62s     10.244.2.28   aks-nodepool1-87250474-vmss000002   <none>           <none>
pod/spring-music-crdww-test-pod                      0/1     Completed   0          7m34s   10.244.2.24   aks-nodepool1-87250474-vmss000002   <none>           <none>

NAME                                                  URL                                           READY   STATUS                                                             AGE
gitrepository.source.toolkit.fluxcd.io/spring-music   https://github.com/tanzu-japan/spring-music   True    Fetched revision: tanzu/297dad0750cbbb963819ba9bfaafeaf58402b06f   7m44s

NAME                                        SUCCEEDED   REASON      STARTTIME   COMPLETIONTIME
pipelinerun.tekton.dev/spring-music-crdww   True        Succeeded   7m35s       7m25s

NAME                                                     PHASE       SCANNEDREVISION                                  SCANNEDREPOSITORY                                                                                                                         AGE     CRITICAL   HIGH   MEDIUM   LOW   UNKNOWN   CVETOTAL
sourcescan.scanning.apps.tanzu.vmware.com/spring-music   Completed   tanzu/297dad0750cbbb963819ba9bfaafeaf58402b06f   http://source-controller.flux-system.svc.cluster.local./gitrepository/demo/spring-music/297dad0750cbbb963819ba9bfaafeaf58402b06f.tar.gz   7m20s                                              

NAME                          LATESTIMAGE                                                                                                                  READY
image.kpack.io/spring-music   tap28868.azurecr.io/supply-chain/spring-music-demo@sha256:9e39def446c09e1852842b8ec861c11ae8fa8c71ecb5406e8b9ed32158df6163   True

NAME                                  IMAGE                                                                                                                        SUCCEEDED
build.kpack.io/spring-music-build-1   tap28868.azurecr.io/supply-chain/spring-music-demo@sha256:9e39def446c09e1852842b8ec861c11ae8fa8c71ecb5406e8b9ed32158df6163   True

NAME                                                    PHASE       SCANNEDIMAGE                                                                                                                 AGE    CRITICAL   HIGH   MEDIUM   LOW   UNKNOWN   CVETOTAL
imagescan.scanning.apps.tanzu.vmware.com/spring-music   Completed   tap28868.azurecr.io/supply-chain/spring-music-demo@sha256:9e39def446c09e1852842b8ec861c11ae8fa8c71ecb5406e8b9ed32158df6163   108s   1          0      9        12    0         22

NAME                                                       READY   REASON               AGE
podintent.conventions.apps.tanzu.vmware.com/spring-music   True    ConventionsApplied   69s

NAME                                                  SUCCEEDED   REASON      STARTTIME   COMPLETIONTIME
taskrun.tekton.dev/spring-music-config-writer-4f4lh   True        Succeeded   63s         56s
taskrun.tekton.dev/spring-music-crdww-test            True        Succeeded   7m35s       7m25s

NAME                                                                 IMAGE                                                                                            URL                                                                                                                                                                                                     READY   REASON   AGE
imagerepository.source.apps.tanzu.vmware.com/spring-music-delivery   tap28868.azurecr.io/supply-chain/spring-music-demo-bundle:c8367da0-2712-4378-b494-c18f284f8974   http://source-controller-manager-artifact-service.source-system.svc.cluster.local./imagerepository/demo/spring-music-delivery/b1f2ada575fe7790bac2dbdbf70d0170450f26906cb7b8930c693b4f9786a1a2.tar.gz   True    Ready    7m41s

NAME                                 SOURCE                                                                                           DELIVERY         READY   REASON   AGE
deliverable.carto.run/spring-music   tap28868.azurecr.io/supply-chain/spring-music-demo-bundle:c8367da0-2712-4378-b494-c18f284f8974   delivery-basic   True    Ready    7m44s

NAME                                DESCRIPTION           SINCE-DEPLOY   AGE
app.kappctrl.k14s.io/spring-music   Reconcile succeeded   36s            36s

NAME                                       URL                                                LATESTCREATED        LATESTREADY          READY   REASON
service.serving.knative.dev/spring-music   https://spring-music-demo.20-89-141-216.sslip.io   spring-music-00001   spring-music-00001   True    

Grype does not appear to support SourceScan for Gradle projects, so nothing is detected, as shown below.

$ kubectl get sourcescan -n demo spring-music
NAME           PHASE       SCANNEDREVISION                                  SCANNEDREPOSITORY                                                                                                                         AGE     CRITICAL   HIGH   MEDIUM   LOW   UNKNOWN   CVETOTAL
spring-music   Completed   tanzu/297dad0750cbbb963819ba9bfaafeaf58402b06f   http://source-controller.flux-system.svc.cluster.local./gitrepository/demo/spring-music/297dad0750cbbb963819ba9bfaafeaf58402b06f.tar.gz   8m53s

The ImageScan detects one Critical vulnerability as shown below, but the PHASE is Completed.

$ kubectl get imagescan -n demo spring-music
NAME           PHASE       SCANNEDIMAGE                                                                                                                 AGE    CRITICAL   HIGH   MEDIUM   LOW   UNKNOWN   CVETOTAL
spring-music   Completed   tap28868.azurecr.io/supply-chain/spring-music-demo@sha256:9e39def446c09e1852842b8ec861c11ae8fa8c71ecb5406e8b9ed32158df6163   4m4s   1          0      9        12    0         22

Let's access the Metadata Store with the tanzu insight command and check the stored information.

METADATA_STORE_DOMAIN=metadata-store.$(kubectl get ksvc -n demo spring-music -ojsonpath='{.status.url}' | sed 's|https://||' | sed 's|spring-music-demo.||')
openssl s_client -servername ${METADATA_STORE_DOMAIN} -connect ${METADATA_STORE_DOMAIN}:443 < /dev/null 2> /dev/null | openssl x509 -outform PEM > metadata-store.crt
AUTH_TOKEN=$(kubectl get secret -n metadata-store metadata-store-read-only-token -otemplate='{{.data.token | base64decode}}')
tanzu insight config set-target https://${METADATA_STORE_DOMAIN} --ca-cert metadata-store.crt --access-token=${AUTH_TOKEN}

The following log is output.

ℹ  Using config file: /Users/toshiaki/.config/tanzu/insight/config.yaml 
ℹ  Setting trustedcacert in config 
ℹ  Setting accesstoken in config 
ℹ  Setting endpoint in config to: https://metadata-store.20-89-141-216.sslip.io 
✔  Success: Set Metadata Store endpoint

Check connectivity with the following command.

$ tanzu insight health
Success: Reached Metadata Store!

Check the image scan result with tanzu insight image.

You can see the list of packages contained in the image and the vulnerabilities detected in them.

$ tanzu insight image get --digest sha256:9e39def446c09e1852842b8ec861c11ae8fa8c71ecb5406e8b9ed32158df6163
ID:       	1
Registry:  	tap28868.azurecr.io
Image Name:	supply-chain/spring-music-demo
Digest:    	sha256:9e39def446c09e1852842b8ec861c11ae8fa8c71ecb5406e8b9ed32158df6163
Packages:
    1. helper@9.3.6
    2. BellSoft Liberica JRE@11.0.15
    3. helper@3.2.3
    4. HdrHistogram@2.1.12
    5. HikariCP@4.0.3
    6. LatencyUtils@2.0.3
    7. angular-ui@0.4.0-2
    8. angular-ui-bootstrap@0.10.0-1
    9. angularjs@1.2.16
    10. antlr@2.7.7
    11. aspectjweaver@1.9.7
    12. bootstrap@3.1.1
    13. bson@4.4.2
    14. byte-buddy-dep@1.11.22
    15. checker-qual@3.5.0
    16. classmate@1.5.1
    17. commons-pool2@2.11.1
    18. h2@2.1.214
    19. hibernate-commons-annotations@5.1.2.Final
    20. hibernate-core@5.6.10.Final
    21. hibernate-validator@6.2.3.Final
    22. istack-commons-runtime@3.0.12
    23. jackson-annotations@2.13.3
    24. jackson-core@2.13.3
    25. jackson-databind@2.13.3
    26. jackson-datatype-jdk8@2.13.3
    27. jackson-datatype-jsr310@2.13.3
    28. jackson-module-parameter-names@2.13.3
    29. jakarta.activation@1.2.2
    30. jakarta.annotation-api@1.3.5
    31. jakarta.persistence-api@2.2.3
    32. jakarta.transaction-api@1.3.3
    33. jakarta.validation-api@2.0.2
    34. jakarta.xml.bind-api@2.3.3
    35. jandex@2.4.2.Final
    36. jaxb-runtime@2.3.6
    37. jboss-logging@3.4.3.Final
    38. jctools-core@3.1.0
    39. jquery@2.1.0-2
    CVEs:
        1. CVE-2007-2379 (Medium)
        2. CVE-2015-9251 (Medium)
        3. CVE-2019-11358 (Medium)
        4. CVE-2020-11022 (Medium)
        5. CVE-2020-11023 (Medium)
    40. jul-to-slf4j@1.7.36
    41. lettuce-core@6.1.9.RELEASE
    42. log4j-api@2.17.2
    43. log4j-to-slf4j@2.17.2
    44. logback-classic@1.2.11
    45. logback-core@1.2.11
    46. micrometer-core@1.8.8
    47. mongodb-driver-core@4.4.2
    48. mongodb-driver-sync@4.4.2
    49. mssql-jdbc@9.4.1
    50. mysql-connector-java@8.0.29
    51. netty-buffer@4.1.79.Final
    52. netty-codec@4.1.79.Final
    53. netty-common@4.1.79.Final
    54. netty-handler@4.1.79.Final
    55. netty-resolver@4.1.79.Final
    56. netty-transport@4.1.79.Final
    57. netty-transport-native-unix-common@4.1.79.Final
    58. postgresql@42.3.6
    CVEs:
        1. CVE-2017-8806 (Medium)
    59. reactive-streams@1.0.4
    60. reactor-core@3.4.21
    61. slf4j-api@1.7.36
    62. snakeyaml@1.29
    63. spring-aop@5.3.22
    64. spring-aspects@5.3.22
    65. spring-beans@5.3.22
    66. spring-boot@2.6.10
    67. spring-boot-actuator@2.6.10
    68. spring-boot-actuator-autoconfigure@2.6.10
    69. spring-boot-autoconfigure@2.6.10
    70. spring-boot-jarmode-layertools@2.6.10
    71. spring-context@5.3.22
    72. spring-context-support@5.3.22
    73. spring-core@5.3.22
    CVEs:
        1. CVE-2016-1000027 (Critical)
    74. spring-data-commons@2.6.6
    75. spring-data-jpa@2.6.6
    76. spring-data-keyvalue@2.6.6
    77. spring-data-mongodb@3.3.6
    78. spring-data-redis@2.6.6
    79. spring-expression@5.3.22
    80. spring-jcl@5.3.22
    81. spring-jdbc@5.3.22
    82. spring-orm@5.3.22
    83. spring-oxm@5.3.22
    84. spring-tx@5.3.22
    85. spring-web@5.3.22
    86. spring-webmvc@5.3.22
    87. tomcat-embed-core@9.0.65
    88. tomcat-embed-el@9.0.65
    89. tomcat-embed-websocket@9.0.65
    90. txw2@2.3.6
    91. helper@5.11.0
    92. Spring Cloud Bindings@1.9.0
    93. adduser@3.116ubuntu1
    94. apt@1.6.14
    95. base-files@10.1ubuntu2.11
    96. base-passwd@3.5.44
    97. bash@4.4.18-2ubuntu1.3
    98. bsdutils@1:2.31.1-0.4ubuntu3.7
    99. bzip2@1.0.6-8.1ubuntu0.2
    100. ca-certificates@20211016~18.04.1
    101. coreutils@8.28-1ubuntu1
    CVEs:
        1. CVE-2016-2781 (Low)
    102. dash@0.5.8-2.10
    103. debconf@1.5.66ubuntu1
    104. debianutils@4.8.4
    105. diffutils@1:3.6-1
    106. dpkg@1.19.0.5ubuntu2.4
    107. e2fsprogs@1.44.1-1ubuntu1.4
    108. fdisk@2.31.1-0.4ubuntu3.7
    109. findutils@4.6.0+git+20170828-2
    110. gcc-8-base@8.4.0-1ubuntu1~18.04
    CVEs:
        1. CVE-2020-13844 (Medium)
    111. gpgv@2.2.4-1ubuntu1.6
    112. grep@3.1-2build1
    113. gzip@1.6-5ubuntu1.2
    114. hostname@3.20
    115. init-system-helpers@1.51
    116. libacl1@2.2.52-3build1
    117. libapt-pkg5.0@1.6.14
    118. libattr1@1:2.4.47-2build1
    119. libaudit-common@1:2.8.2-1ubuntu1.1
    120. libaudit1@1:2.8.2-1ubuntu1.1
    121. libblkid1@2.31.1-0.4ubuntu3.7
    122. libbz2-1.0@1.0.6-8.1ubuntu0.2
    123. libc-bin@2.27-3ubuntu1.6
    CVEs:
        1. CVE-2009-5155 (Low)
        2. CVE-2015-8985 (Low)
        3. CVE-2016-20013 (Low)
    124. libc6@2.27-3ubuntu1.6
    CVEs:
        1. CVE-2009-5155 (Low)
        2. CVE-2015-8985 (Low)
        3. CVE-2016-20013 (Low)
    125. libcap-ng0@0.7.7-3.1
    126. libcom-err2@1.44.1-1ubuntu1.4
    127. libdb5.3@5.3.28-13.1ubuntu1.1
    128. libdebconfclient0@0.213ubuntu1
    129. libexpat1@2.2.5-3ubuntu0.7
    130. libext2fs2@1.44.1-1ubuntu1.4
    131. libfdisk1@2.31.1-0.4ubuntu3.7
    132. libffi6@3.2.1-8
    133. libgcc1@1:8.4.0-1ubuntu1~18.04
    CVEs:
        1. CVE-2020-13844 (Medium)
    134. libgcrypt20@1.8.1-4ubuntu1.3
    135. libgmp10@2:6.1.2+dfsg-2
    136. libgnutls30@3.5.18-1ubuntu1.5
    CVEs:
        1. CVE-2018-16868 (Low)
        2. CVE-2021-4209 (Low)
        3. CVE-2022-2509 (Medium)
    137. libgpg-error0@1.27-6
    138. libhogweed4@3.4.1-0ubuntu0.18.04.1
    139. libidn2-0@2.0.4-1.1ubuntu0.2
    140. liblz4-1@0.0~r131-2ubuntu3.1
    141. liblzma5@5.2.2-1.3ubuntu0.1
    142. libmount1@2.31.1-0.4ubuntu3.7
    143. libncurses5@6.1-1ubuntu1.18.04
    CVEs:
        1. CVE-2019-17594 (Low)
        2. CVE-2019-17595 (Low)
        3. CVE-2021-39537 (Low)
        4. CVE-2022-29458 (Low)
    144. libncursesw5@6.1-1ubuntu1.18.04
    CVEs:
        1. CVE-2019-17594 (Low)
        2. CVE-2019-17595 (Low)
        3. CVE-2021-39537 (Low)
        4. CVE-2022-29458 (Low)
    145. libnettle6@3.4.1-0ubuntu0.18.04.1
    146. libp11-kit0@0.23.9-2ubuntu0.1
    147. libpam-modules@1.1.8-3.6ubuntu2.18.04.3
    148. libpam-modules-bin@1.1.8-3.6ubuntu2.18.04.3
    149. libpam-runtime@1.1.8-3.6ubuntu2.18.04.3
    150. libpam0g@1.1.8-3.6ubuntu2.18.04.3
    151. libpcre3@2:8.39-9ubuntu0.1
    CVEs:
        1. CVE-2017-11164 (Low)
    152. libprocps6@2:3.3.12-3ubuntu1.2
    153. libseccomp2@2.5.1-1ubuntu1~18.04.2
    154. libselinux1@2.7-2build2
    155. libsemanage-common@2.7-2build2
    156. libsemanage1@2.7-2build2
    157. libsepol1@2.7-1ubuntu0.1
    158. libsmartcols1@2.31.1-0.4ubuntu3.7
    159. libss2@1.44.1-1ubuntu1.4
    160. libssl1.1@1.1.1-1ubuntu2.1~18.04.20
    161. libstdc++6@8.4.0-1ubuntu1~18.04
    CVEs:
        1. CVE-2020-13844 (Medium)
    162. libsystemd0@237-3ubuntu10.53
    163. libtasn1-6@4.13-2
    164. libtinfo5@6.1-1ubuntu1.18.04
    CVEs:
        1. CVE-2019-17594 (Low)
        2. CVE-2019-17595 (Low)
        3. CVE-2021-39537 (Low)
        4. CVE-2022-29458 (Low)
    165. libudev1@237-3ubuntu10.53
    166. libunistring2@0.9.9-0ubuntu2
    167. libuuid1@2.31.1-0.4ubuntu3.7
    168. libyaml-0-2@0.1.7-2ubuntu3
    169. libzstd1@1.3.3+dfsg-2ubuntu1.2
    170. locales@2.27-3ubuntu1.6
    CVEs:
        1. CVE-2009-5155 (Low)
        2. CVE-2015-8985 (Low)
        3. CVE-2016-20013 (Low)
    171. login@1:4.5-1ubuntu2.3
    CVEs:
        1. CVE-2013-4235 (Low)
    172. lsb-base@9.20170808ubuntu1
    173. mawk@1.3.3-17ubuntu3
    174. mount@2.31.1-0.4ubuntu3.7
    175. ncurses-base@6.1-1ubuntu1.18.04
    CVEs:
        1. CVE-2019-17594 (Low)
        2. CVE-2019-17595 (Low)
        3. CVE-2021-39537 (Low)
        4. CVE-2022-29458 (Low)
    176. ncurses-bin@6.1-1ubuntu1.18.04
    CVEs:
        1. CVE-2019-17594 (Low)
        2. CVE-2019-17595 (Low)
        3. CVE-2021-39537 (Low)
        4. CVE-2022-29458 (Low)
    177. netbase@5.4
    178. openssl@1.1.1-1ubuntu2.1~18.04.20
    179. passwd@1:4.5-1ubuntu2.3
    CVEs:
        1. CVE-2013-4235 (Low)
    180. perl-base@5.26.1-6ubuntu0.5
    CVEs:
        1. CVE-2020-16156 (Medium)
    181. procps@2:3.3.12-3ubuntu1.2
    182. sed@4.4-2
    183. sensible-utils@0.0.12
    184. sysvinit-utils@2.88dsf-59.10ubuntu1
    185. tar@1.29b-2ubuntu0.3
    186. tzdata@2022a-0ubuntu0.18.04
    187. ubuntu-keyring@2018.09.18.1~18.04.2
    188. util-linux@2.31.1-0.4ubuntu3.7
    189. zlib1g@1:1.2.11.dfsg-0ubuntu2.1
    190. byte-buddy@1.11.22
    191. github.com/BurntSushi/toml@v1.1.0
    192. github.com/Masterminds/semver/v3@v3.1.1
    193. github.com/apex/log@v1.9.0
    194. github.com/buildpacks/libcnb@v1.26.0
    195. github.com/buildpacks/lifecycle@(devel)
    196. github.com/creack/pty@v1.1.18
    197. github.com/h2non/filetype@v1.1.3
    198. github.com/heroku/color@v0.0.6
    199. github.com/imdario/mergo@v0.3.12
    200. github.com/imdario/mergo@v0.3.13
    201. github.com/magiconair/properties@v1.8.6
    202. github.com/mattn/go-colorable@v0.1.12
    203. github.com/mattn/go-isatty@v0.0.14
    204. github.com/mattn/go-shellwords@v1.0.12
    205. github.com/miekg/dns@v1.1.49
    206. github.com/mitchellh/hashstructure/v2@v2.0.2
    207. github.com/onsi/gomega@v1.19.0
    208. github.com/paketo-buildpacks/ca-certificates/v3@(devel)
    209. github.com/paketo-buildpacks/libjvm@v1.37.0
    210. github.com/paketo-buildpacks/libpak@v1.60.1
    211. github.com/paketo-buildpacks/spring-boot/v5@(devel)
    212. github.com/pavel-v-chernykh/keystore-go/v4@v4.3.0
    213. github.com/pelletier/go-toml@v1.9.5
    214. github.com/pkg/errors@v0.9.1
    215. github.com/xi2/xz@v0.0.0-20171230120015-48954b6210f8
    216. golang.org/x/net@v0.0.0-20220225172249-27dd8689420f
    217. golang.org/x/sys@v0.0.0-20220319134239-a9b59b0215f8
    218. golang.org/x/sys@v0.0.0-20220520151302-bc2c85ada10a
    219. jrt-fs@11.0.15.1
    220. spring-cloud-bindings@1.9.0

You can see that the Critical vulnerability is the ignored CVE-2016-1000027.
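The `tanzu insight image get` listing above is long, and the interesting question is usually "which packages carry findings at which severity". As an added example (not from the original post or the tanzu CLI), the following Python parses that text layout from a constructed excerpt of the output, rebuilds the per-severity counts that the `kubectl get imagescan` columns summarise, and lists the package behind the Critical finding.

```python
"""Added example, not from the original post or the tanzu CLI: a parser for the
`tanzu insight image get` text layout, run over a constructed excerpt."""
import re
from collections import Counter

# Layout: packages are indented 4 spaces as "N. name@version"; a package's CVEs
# follow a "    CVEs:" line, indented 8 spaces as "N. ID (Severity)".
PKG_RE = re.compile(r"^ {4}\d+\. (.+)$")
CVE_RE = re.compile(r"^ {8}\d+\. (\S+) \((\w+)\)$")

# Constructed excerpt of the first image's listing (a few packages, not the full 220).
SAMPLE_OUTPUT = """\
ID:         1
Registry:   tap28868.azurecr.io
Image Name: supply-chain/spring-music-demo
Digest:     sha256:9e39def446c09e1852842b8ec861c11ae8fa8c71ecb5406e8b9ed32158df6163
Packages:
    39. jquery@2.1.0-2
    CVEs:
        1. CVE-2007-2379 (Medium)
        2. CVE-2015-9251 (Medium)
    58. postgresql@42.3.6
    CVEs:
        1. CVE-2017-8806 (Medium)
    73. spring-core@5.3.22
    CVEs:
        1. CVE-2016-1000027 (Critical)
    101. coreutils@8.28-1ubuntu1
    CVEs:
        1. CVE-2016-2781 (Low)
    220. spring-cloud-bindings@1.9.0
"""


def parse_insight_image(text):
    """Return (header dict, {package: [(vuln_id, severity), ...]})."""
    header, packages, current, in_packages = {}, {}, None, False
    for line in text.splitlines():
        if not in_packages:
            if line.strip() == "Packages:":
                in_packages = True
            elif ":" in line:
                key, _, value = line.partition(":")  # first colon only: digests contain ':'
                header[key.strip()] = value.strip()
            continue
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            packages[current] = []
            continue
        m = CVE_RE.match(line)
        if m and current is not None:
            packages[current].append((m.group(1), m.group(2)))
    return header, packages


def severity_counts(packages):
    """Counts per severity, the same roll-up the CRITICAL/HIGH/MEDIUM/LOW columns show."""
    return Counter(sev for findings in packages.values() for _, sev in findings)


def findings_with_severity(packages, severity):
    """Sorted (package, vuln_id) pairs at exactly the given severity."""
    return sorted((pkg, vid) for pkg, findings in packages.items()
                  for vid, sev in findings if sev == severity)


if __name__ == "__main__":
    hdr, pkgs = parse_insight_image(SAMPLE_OUTPUT)
    print(hdr["Image Name"], hdr["Digest"])
    print(dict(severity_counts(pkgs)))
    print("Critical:", findings_with_severity(pkgs, "Critical"))
```

On the real listing the counts add up to the CVETOTAL shown by `kubectl get imagescan`; on this excerpt they cover only the packages included in it. Pairing `findings_with_severity(pkgs, "Critical")` with the ScanPolicy's ignore list is a quick way to confirm that the only Critical item is the one the policy is deliberately ignoring.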

The list of detected vulnerabilities can also be checked in the TAP GUI, as in the figure below. (For some reason CVE-2016-1000027 shows up as "Unknown"...)

image

Scanning the image directly with the grype CLI gives the following result. You can see that very few of the detected vulnerabilities have a fix available (i.e. there is little room for improvement).

$ grype $(kubectl get imagescan -n demo spring-music -ojsonpath='{.spec.registry.image}')
 ✔ Vulnerability DB        [updated]
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [241 packages]
 ✔ Scanned image           [47 vulnerabilities]

NAME          INSTALLED               FIXED-IN           TYPE          VULNERABILITY     SEVERITY   
coreutils     8.28-1ubuntu1                              deb           CVE-2016-2781     Low         
gcc-8-base    8.4.0-1ubuntu1~18.04                       deb           CVE-2020-13844    Medium      
jquery        2.1.0-2                                    java-archive  CVE-2007-2379     Medium      
jquery        2.1.0-2                                    java-archive  CVE-2020-11022    Medium      
jquery        2.1.0-2                                    java-archive  CVE-2020-11023    Medium      
jquery        2.1.0-2                                    java-archive  CVE-2015-9251     Medium      
jquery        2.1.0-2                                    java-archive  CVE-2019-11358    Medium      
libc-bin      2.27-3ubuntu1.6                            deb           CVE-2009-5155     Negligible  
libc-bin      2.27-3ubuntu1.6                            deb           CVE-2016-20013    Negligible  
libc-bin      2.27-3ubuntu1.6                            deb           CVE-2015-8985     Negligible  
libc6         2.27-3ubuntu1.6                            deb           CVE-2015-8985     Negligible  
libc6         2.27-3ubuntu1.6                            deb           CVE-2016-20013    Negligible  
libc6         2.27-3ubuntu1.6                            deb           CVE-2009-5155     Negligible  
libgcc1       1:8.4.0-1ubuntu1~18.04                     deb           CVE-2020-13844    Medium      
libgnutls30   3.5.18-1ubuntu1.5       3.5.18-1ubuntu1.6  deb           CVE-2021-4209     Low         
libgnutls30   3.5.18-1ubuntu1.5       3.5.18-1ubuntu1.6  deb           CVE-2022-2509     Medium      
libgnutls30   3.5.18-1ubuntu1.5                          deb           CVE-2018-16868    Low         
libncurses5   6.1-1ubuntu1.18.04                         deb           CVE-2022-29458    Negligible  
libncurses5   6.1-1ubuntu1.18.04                         deb           CVE-2019-17595    Negligible  
libncurses5   6.1-1ubuntu1.18.04                         deb           CVE-2019-17594    Negligible  
libncurses5   6.1-1ubuntu1.18.04                         deb           CVE-2021-39537    Negligible  
libncursesw5  6.1-1ubuntu1.18.04                         deb           CVE-2021-39537    Negligible  
libncursesw5  6.1-1ubuntu1.18.04                         deb           CVE-2019-17595    Negligible  
libncursesw5  6.1-1ubuntu1.18.04                         deb           CVE-2022-29458    Negligible  
libncursesw5  6.1-1ubuntu1.18.04                         deb           CVE-2019-17594    Negligible  
libpcre3      2:8.39-9ubuntu0.1                          deb           CVE-2017-11164    Negligible  
libstdc++6    8.4.0-1ubuntu1~18.04                       deb           CVE-2020-13844    Medium      
libtinfo5     6.1-1ubuntu1.18.04                         deb           CVE-2019-17594    Negligible  
libtinfo5     6.1-1ubuntu1.18.04                         deb           CVE-2022-29458    Negligible  
libtinfo5     6.1-1ubuntu1.18.04                         deb           CVE-2019-17595    Negligible  
libtinfo5     6.1-1ubuntu1.18.04                         deb           CVE-2021-39537    Negligible  
locales       2.27-3ubuntu1.6                            deb           CVE-2016-20013    Negligible  
locales       2.27-3ubuntu1.6                            deb           CVE-2015-8985     Negligible  
locales       2.27-3ubuntu1.6                            deb           CVE-2009-5155     Negligible  
login         1:4.5-1ubuntu2.3                           deb           CVE-2013-4235     Low         
ncurses-base  6.1-1ubuntu1.18.04                         deb           CVE-2019-17595    Negligible  
ncurses-base  6.1-1ubuntu1.18.04                         deb           CVE-2022-29458    Negligible  
ncurses-base  6.1-1ubuntu1.18.04                         deb           CVE-2021-39537    Negligible  
ncurses-base  6.1-1ubuntu1.18.04                         deb           CVE-2019-17594    Negligible  
ncurses-bin   6.1-1ubuntu1.18.04                         deb           CVE-2019-17594    Negligible  
ncurses-bin   6.1-1ubuntu1.18.04                         deb           CVE-2019-17595    Negligible  
ncurses-bin   6.1-1ubuntu1.18.04                         deb           CVE-2022-29458    Negligible  
ncurses-bin   6.1-1ubuntu1.18.04                         deb           CVE-2021-39537    Negligible  
passwd        1:4.5-1ubuntu2.3                           deb           CVE-2013-4235     Low         
perl-base     5.26.1-6ubuntu0.5                          deb           CVE-2020-16156    Medium      
postgresql    42.3.6                                     java-archive  CVE-2017-8806     Medium      
spring-core   5.3.22                                     java-archive  CVE-2016-1000027  Critical 

Since the scan passed this time, the URL is accessible.

image

Detecting vulnerabilities

Let's deliberately add a vulnerable library to the source code. Change the Workload's branch as follows.

tanzu apps workload apply spring-music \
  --app spring-music \
  --git-repo https://github.com/tanzu-japan/spring-music \
  --git-branch vulnerability-demo \
  --type web \
  --label apps.tanzu.vmware.com/has-tests=true \
  --annotation autoscaling.knative.dev/minScale=1 \
  -n demo \
  -y
tanzu apps workload tail spring-music -n demo
# "or" stern -n demo spring-music

Watch the progress with the following command.

watch kubectl get workload,pod,gitrepo,pipelinerun,sourcescan,imgs,build,imagescan,podintent,taskrun,imagerepository,deliverable,app,ksvc -n demo -owide -l app.kubernetes.io/part-of=spring-music

This time the ImageScan ends up Failed. One High vulnerability has been added.

$ kubectl get imagescan -n demo spring-music
NAME           PHASE    SCANNEDIMAGE                                                                                                                 AGE   CRITICAL   HIGH   MEDIUM   LOW   UNKNOWN   CVETOTAL
spring-music   Failed   tap28868.azurecr.io/supply-chain/spring-music-demo@sha256:c9e65a62a0506de984b31642bf4b6711815df034e1dc59dad7fbff12081b240f   30m   1          1      9        12    0         23

Let's check with the tanzu insight command.

$ tanzu insight image get --digest sha256:c9e65a62a0506de984b31642bf4b6711815df034e1dc59dad7fbff12081b240f

ID:       	2
Registry:  	tap28868.azurecr.io
Image Name:	supply-chain/spring-music-demo
Digest:    	sha256:c9e65a62a0506de984b31642bf4b6711815df034e1dc59dad7fbff12081b240f
Packages:
    1. helper@9.3.6
    ...
    220. commons-collections4@4.0
    CVEs:
        1. GHSA-6hgm-866r-3cjv (High)

The vulnerability in commons-collections4 has been detected.

It can also be checked in the TAP GUI.

image

When the ScanPolicy is violated, the message is displayed in red.

The branch that uses a fixed version of commons-collections4 is vulnerability-fixed. If you update the Workload with the following command, the ImageScan becomes Completed again.

tanzu apps workload apply spring-music \
  --app spring-music \
  --git-repo https://github.com/tanzu-japan/spring-music \
  --git-branch vulnerability-fixed \
  --type web \
  --label apps.tanzu.vmware.com/has-tests=true \
  --annotation autoscaling.knative.dev/minScale=1 \
  -n demo \
  -y
tanzu apps workload tail spring-music -n demo
# "or" stern -n demo spring-music