--- title: Tanzu Application Platform 1.2で"Source Test Scan to URL"を試す tags: ["Kubernetes", "Cartographer", "Tanzu", "TAP", "Backstage", "Tekton", "Grype"] categories: ["Dev", "CaaS", "Kubernetes", "TAP"] date: 2022-08-14T16:35:34Z updated: 2022-08-24T02:16:36Z --- [Tanzu Application Platform 1.2 (Full Profile) をAKSにインストールしAzure ADと連携するメモ - Self Signed編](/entries/708)で作成した環境で"Source Test Scan to URL"を試します。 **目次** ### Metadata StoreへのRead Onlyアクセストークン作成 Metadata Storeにアクセスするためのトークンを作成します。後にDeveloperが使用するので、Read Onlyなものを作成します。 ```yaml cat <
DeveloperがMetadata Storeのアクセストークンを取得できるようにRoleBindingを作成します。 ```yaml kubectl create rolebinding metadata-store-read-only-token-read-${GROUP_ID} -n metadata-store --role metadata-store-read-only-token-read --group ${GROUP_ID} ``` #### Tekton Pipelineの作成 https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.2/tap/GUID-scc-ootb-supply-chain-testing.html 今回はテストは空実装にします。 ```yaml cat <<'EOF' | kubectl -n demo apply -f - apiVersion: tekton.dev/v1beta1 kind: Pipeline metadata: name: developer-defined-tekton-pipeline labels: apps.tanzu.vmware.com/pipeline: test spec: params: - name: source-url - name: source-revision tasks: - name: test params: - name: source-url value: $(params.source-url) - name: source-revision value: $(params.source-revision) taskSpec: params: - name: source-url - name: source-revision steps: - name: test image: alpine script: |- echo "Skip Test :)" EOF ``` #### ScanTemplateのインストール https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.2/tap/GUID-scst-scan-install-scst-scan.html ``` cat < grype-demo.yaml namespace: demo targetImagePullSecret: registry-credentials EOF ``` ``` tanzu package install grype-demo -p grype.scanning.apps.tanzu.vmware.com -v 1.2.2 -n tap-install -f grype-demo.yaml ``` Scan Tempalte一覧を確認します。 ``` $ kubectl get scantemplate -n demo NAME AGE blob-source-scan-template 6s private-image-scan-template 6s public-image-scan-template 6s public-source-scan-template 6s ``` また、次のコマンドを実行して`Reconcile succeeded`になっていることを確認してください。 ``` $ kubectl get secretimports.secretgen.carvel.dev -n demo NAME DESCRIPTION AGE app-tls-cert Reconcile succeeded 23s ``` #### ScanPolicyの作成 https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.2/tap/GUID-getting-started-add-test-and-security.html#install-ootb-supply-chain-with-testing-and-scanning-5 ``` kubectl apply -n demo -f - << EOF --- apiVersion: scanning.apps.tanzu.vmware.com/v1beta1 kind: ScanPolicy metadata: name: scan-policy spec: regoFile: | package main # Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity" notAllowedSeverities := ["Critical","High","UnknownSeverity"] ignoreCves := ["CVE-2016-1000027"] contains(array, elem) = true { array[_] = elem } else = false { true } isSafe(match) { severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity } some i fails := contains(notAllowedSeverities, severities[i]) not fails } isSafe(match) { ignore := contains(ignoreCves, match.id) ignore } deny[msg] { comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] } some i comp := comps[i] vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] } some j vuln := vulns[j] ratings := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity } not isSafe(vuln) msg = sprintf("CVE %s %s %s", [comp.name, vuln.id, ratings]) } EOF ``` CVE-2016-1000027はSpring Frameworkに関する脆弱性ですが、https://github.com/spring-projects/spring-framework/issues/24434 にて議論されているように妥当ではないです。 Grypeではこの脆弱性を検出してしまうため、Spring Frameworkを使用している場合は無視する必要があります。ScanPolicyで予め無視しておくのが良いです。
https://github.com/anchore/grype/issues/773 ### Workloadの作成 以下はDeveloperとして実行します。 ``` az aks get-credentials --resource-group tap-rg --name tap-sandbox --overwrite-existing ``` 次のコマンドでWorkloadを作成します。`--label apps.tanzu.vmware.com/has-tests=true`が必要です。 ``` tanzu apps workload apply spring-music \ --app spring-music \ --git-repo https://github.com/tanzu-japan/spring-music \ --git-branch tanzu \ --type web \ --label apps.tanzu.vmware.com/has-tests=true \ --annotation autoscaling.knative.dev/minScale=1 \ -n demo \ -y tanzu apps workload tail spring-music -n demo # "or" stern -n demo spring-music ``` 次のコマンドで進捗をwatchします。 ``` watch kubectl get workload,pod,gitrepo,pipelinerun,sourcescan,imgs,build,imagescan,podintent,taskrun,imagerepository,deliverable,app,ksvc -n demo -owide -l app.kubernetes.io/part-of=spring-music ``` 次のような出力になります。 ``` $ kubectl get workload,pod,gitrepo,pipelinerun,sourcescan,imgs,build,imagescan,podintent,taskrun,imagerepository,deliverable,app,ksvc -n demo -owide -l app.kubernetes.io/part-of=spring-music NAME SOURCE SUPPLYCHAIN READY REASON AGE workload.carto.run/spring-music https://github.com/tanzu-japan/spring-music source-test-scan-to-url True Ready 7m46s NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES pod/scan-spring-music-njwjz-dst66 0/1 Completed 0 7m19s 10.244.2.25 aks-nodepool1-87250474-vmss000002 pod/scan-spring-music-vgj8d-6l8ld 0/1 Completed 0 107s 10.244.2.27 aks-nodepool1-87250474-vmss000002 pod/spring-music-00001-deployment-865d75d795-8c8m6 2/2 Running 0 34s 10.244.2.29 aks-nodepool1-87250474-vmss000002 pod/spring-music-build-1-build-pod 0/1 Completed 0 6m4s 10.244.2.26 aks-nodepool1-87250474-vmss000002 pod/spring-music-config-writer-4f4lh-pod 0/1 Completed 0 62s 10.244.2.28 aks-nodepool1-87250474-vmss000002 pod/spring-music-crdww-test-pod 0/1 Completed 0 7m34s 10.244.2.24 aks-nodepool1-87250474-vmss000002 NAME URL READY STATUS AGE gitrepository.source.toolkit.fluxcd.io/spring-music https://github.com/tanzu-japan/spring-music True Fetched revision: tanzu/297dad0750cbbb963819ba9bfaafeaf58402b06f 7m44s NAME SUCCEEDED REASON STARTTIME COMPLETIONTIME pipelinerun.tekton.dev/spring-music-crdww True Succeeded 7m35s 7m25s NAME PHASE SCANNEDREVISION SCANNEDREPOSITORY AGE CRITICAL HIGH MEDIUM LOW UNKNOWN CVETOTAL sourcescan.scanning.apps.tanzu.vmware.com/spring-music Completed tanzu/297dad0750cbbb963819ba9bfaafeaf58402b06f http://source-controller.flux-system.svc.cluster.local./gitrepository/demo/spring-music/297dad0750cbbb963819ba9bfaafeaf58402b06f.tar.gz 7m20s NAME LATESTIMAGE READY image.kpack.io/spring-music tap28868.azurecr.io/supply-chain/spring-music-demo@sha256:9e39def446c09e1852842b8ec861c11ae8fa8c71ecb5406e8b9ed32158df6163 True NAME IMAGE SUCCEEDED build.kpack.io/spring-music-build-1 tap28868.azurecr.io/supply-chain/spring-music-demo@sha256:9e39def446c09e1852842b8ec861c11ae8fa8c71ecb5406e8b9ed32158df6163 True NAME PHASE SCANNEDIMAGE AGE CRITICAL HIGH MEDIUM LOW UNKNOWN CVETOTAL imagescan.scanning.apps.tanzu.vmware.com/spring-music Completed tap28868.azurecr.io/supply-chain/spring-music-demo@sha256:9e39def446c09e1852842b8ec861c11ae8fa8c71ecb5406e8b9ed32158df6163 108s 1 0 9 12 0 22 NAME READY REASON AGE podintent.conventions.apps.tanzu.vmware.com/spring-music True ConventionsApplied 69s NAME SUCCEEDED REASON STARTTIME COMPLETIONTIME taskrun.tekton.dev/spring-music-config-writer-4f4lh True Succeeded 63s 56s taskrun.tekton.dev/spring-music-crdww-test True Succeeded 7m35s 7m25s NAME IMAGE URL READY REASON AGE imagerepository.source.apps.tanzu.vmware.com/spring-music-delivery tap28868.azurecr.io/supply-chain/spring-music-demo-bundle:c8367da0-2712-4378-b494-c18f284f8974 http://source-controller-manager-artifact-service.source-system.svc.cluster.local./imagerepository/demo/spring-music-delivery/b1f2ada575fe7790bac2dbdbf70d0170450f26906cb7b8930c693b4f9786a1a2.tar.gz True Ready 7m41s NAME SOURCE DELIVERY READY REASON AGE deliverable.carto.run/spring-music tap28868.azurecr.io/supply-chain/spring-music-demo-bundle:c8367da0-2712-4378-b494-c18f284f8974 delivery-basic True Ready 7m44s NAME DESCRIPTION SINCE-DEPLOY AGE app.kappctrl.k14s.io/spring-music Reconcile succeeded 36s 36s NAME URL LATESTCREATED LATESTREADY READY REASON service.serving.knative.dev/spring-music https://spring-music-demo.20-89-141-216.sslip.io spring-music-00001 spring-music-00001 True ``` GrypeはGradleのSourceScanに対応していないようなので、次の通り、何も検出されません。 ``` $ kubectl get sourcescan -n demo spring-music NAME PHASE SCANNEDREVISION SCANNEDREPOSITORY AGE CRITICAL HIGH MEDIUM LOW UNKNOWN CVETOTAL spring-music Completed tanzu/297dad0750cbbb963819ba9bfaafeaf58402b06f http://source-controller.flux-system.svc.cluster.local./gitrepository/demo/spring-music/297dad0750cbbb963819ba9bfaafeaf58402b06f.tar.gz 8m53s ``` ImageScanは次の通り、Criticalが1件検出されますが、PHASEはCompletedになっています。 ``` $ kubectl get imagescan -n demo spring-music NAME PHASE SCANNEDIMAGE AGE CRITICAL HIGH MEDIUM LOW UNKNOWN CVETOTAL spring-music Completed tap28868.azurecr.io/supply-chain/spring-music-demo@sha256:9e39def446c09e1852842b8ec861c11ae8fa8c71ecb5406e8b9ed32158df6163 4m4s 1 0 9 12 0 22 ``` `tanzu insight`コマンドでMetadata Storeにアクセスして、保存された情報を確認しましょう。 ``` METADATA_STORE_DOMAIN=metadata-store.$(kubectl get ksvc -n demo spring-music -ojsonpath='{.status.url}' | sed 's|https://||' | sed 's|spring-music-demo.||') openssl s_client -servername ${METADATA_STORE_DOMAIN} -connect ${METADATA_STORE_DOMAIN}:443 < /dev/null 2> /dev/null | openssl x509 -outform PEM > metadata-store.crt AUTH_TOKEN=$(kubectl get secret -n metadata-store metadata-store-read-only-token -otemplate='{{.data.token | base64decode}}') tanzu insight config set-target https://${METADATA_STORE_DOMAIN} --ca-cert metadata-store.crt --access-token=${AUTH_TOKEN} ``` 以下のログが出力されます。 ``` ℹ Using config file: /Users/toshiaki/.config/tanzu/insight/config.yaml ℹ Setting trustedcacert in config ℹ Setting accesstoken in config ℹ Setting endpoint in config to: https://metadata-store.20-89-141-216.sslip.io ✔ Success: Set Metadata Store endpoint ``` 次のコマンドで疎通チェックします。 ``` $ tanzu insight health Success: Reached Metadata Store! ``` `tanzu insight image`でイメージスキャンの結果を確認します。 イメージに含まれるパッケージ一覧と検出された脆弱性を確認できます。 ``` $ tanzu insight image get --digest sha256:9e39def446c09e1852842b8ec861c11ae8fa8c71ecb5406e8b9ed32158df6163 ID: 1 Registry: tap28868.azurecr.io Image Name: supply-chain/spring-music-demo Digest: sha256:9e39def446c09e1852842b8ec861c11ae8fa8c71ecb5406e8b9ed32158df6163 Packages: 1. helper@9.3.6 2. BellSoft Liberica JRE@11.0.15 3. helper@3.2.3 4. HdrHistogram@2.1.12 5. HikariCP@4.0.3 6. LatencyUtils@2.0.3 7. angular-ui@0.4.0-2 8. angular-ui-bootstrap@0.10.0-1 9. angularjs@1.2.16 10. antlr@2.7.7 11. aspectjweaver@1.9.7 12. bootstrap@3.1.1 13. bson@4.4.2 14. byte-buddy-dep@1.11.22 15. checker-qual@3.5.0 16. classmate@1.5.1 17. commons-pool2@2.11.1 18. h2@2.1.214 19. hibernate-commons-annotations@5.1.2.Final 20. hibernate-core@5.6.10.Final 21. hibernate-validator@6.2.3.Final 22. istack-commons-runtime@3.0.12 23. jackson-annotations@2.13.3 24. jackson-core@2.13.3 25. jackson-databind@2.13.3 26. jackson-datatype-jdk8@2.13.3 27. jackson-datatype-jsr310@2.13.3 28. jackson-module-parameter-names@2.13.3 29. jakarta.activation@1.2.2 30. jakarta.annotation-api@1.3.5 31. jakarta.persistence-api@2.2.3 32. jakarta.transaction-api@1.3.3 33. jakarta.validation-api@2.0.2 34. jakarta.xml.bind-api@2.3.3 35. jandex@2.4.2.Final 36. jaxb-runtime@2.3.6 37. jboss-logging@3.4.3.Final 38. jctools-core@3.1.0 39. jquery@2.1.0-2 CVEs: 1. CVE-2007-2379 (Medium) 2. CVE-2015-9251 (Medium) 3. CVE-2019-11358 (Medium) 4. CVE-2020-11022 (Medium) 5. CVE-2020-11023 (Medium) 40. jul-to-slf4j@1.7.36 41. lettuce-core@6.1.9.RELEASE 42. log4j-api@2.17.2 43. log4j-to-slf4j@2.17.2 44. logback-classic@1.2.11 45. logback-core@1.2.11 46. micrometer-core@1.8.8 47. mongodb-driver-core@4.4.2 48. mongodb-driver-sync@4.4.2 49. mssql-jdbc@9.4.1 50. mysql-connector-java@8.0.29 51. netty-buffer@4.1.79.Final 52. netty-codec@4.1.79.Final 53. netty-common@4.1.79.Final 54. netty-handler@4.1.79.Final 55. netty-resolver@4.1.79.Final 56. netty-transport@4.1.79.Final 57. netty-transport-native-unix-common@4.1.79.Final 58. postgresql@42.3.6 CVEs: 1. CVE-2017-8806 (Medium) 59. reactive-streams@1.0.4 60. reactor-core@3.4.21 61. slf4j-api@1.7.36 62. snakeyaml@1.29 63. spring-aop@5.3.22 64. spring-aspects@5.3.22 65. spring-beans@5.3.22 66. spring-boot@2.6.10 67. spring-boot-actuator@2.6.10 68. spring-boot-actuator-autoconfigure@2.6.10 69. spring-boot-autoconfigure@2.6.10 70. spring-boot-jarmode-layertools@2.6.10 71. spring-context@5.3.22 72. spring-context-support@5.3.22 73. spring-core@5.3.22 CVEs: 1. CVE-2016-1000027 (Critical) 74. spring-data-commons@2.6.6 75. spring-data-jpa@2.6.6 76. spring-data-keyvalue@2.6.6 77. spring-data-mongodb@3.3.6 78. spring-data-redis@2.6.6 79. spring-expression@5.3.22 80. spring-jcl@5.3.22 81. spring-jdbc@5.3.22 82. spring-orm@5.3.22 83. spring-oxm@5.3.22 84. spring-tx@5.3.22 85. spring-web@5.3.22 86. spring-webmvc@5.3.22 87. tomcat-embed-core@9.0.65 88. tomcat-embed-el@9.0.65 89. tomcat-embed-websocket@9.0.65 90. txw2@2.3.6 91. helper@5.11.0 92. Spring Cloud Bindings@1.9.0 93. adduser@3.116ubuntu1 94. apt@1.6.14 95. base-files@10.1ubuntu2.11 96. base-passwd@3.5.44 97. bash@4.4.18-2ubuntu1.3 98. bsdutils@1:2.31.1-0.4ubuntu3.7 99. bzip2@1.0.6-8.1ubuntu0.2 100. ca-certificates@20211016~18.04.1 101. coreutils@8.28-1ubuntu1 CVEs: 1. CVE-2016-2781 (Low) 102. dash@0.5.8-2.10 103. debconf@1.5.66ubuntu1 104. debianutils@4.8.4 105. diffutils@1:3.6-1 106. dpkg@1.19.0.5ubuntu2.4 107. e2fsprogs@1.44.1-1ubuntu1.4 108. fdisk@2.31.1-0.4ubuntu3.7 109. findutils@4.6.0+git+20170828-2 110. gcc-8-base@8.4.0-1ubuntu1~18.04 CVEs: 1. CVE-2020-13844 (Medium) 111. gpgv@2.2.4-1ubuntu1.6 112. grep@3.1-2build1 113. gzip@1.6-5ubuntu1.2 114. hostname@3.20 115. init-system-helpers@1.51 116. libacl1@2.2.52-3build1 117. libapt-pkg5.0@1.6.14 118. libattr1@1:2.4.47-2build1 119. libaudit-common@1:2.8.2-1ubuntu1.1 120. libaudit1@1:2.8.2-1ubuntu1.1 121. libblkid1@2.31.1-0.4ubuntu3.7 122. libbz2-1.0@1.0.6-8.1ubuntu0.2 123. libc-bin@2.27-3ubuntu1.6 CVEs: 1. CVE-2009-5155 (Low) 2. CVE-2015-8985 (Low) 3. CVE-2016-20013 (Low) 124. libc6@2.27-3ubuntu1.6 CVEs: 1. CVE-2009-5155 (Low) 2. CVE-2015-8985 (Low) 3. CVE-2016-20013 (Low) 125. libcap-ng0@0.7.7-3.1 126. libcom-err2@1.44.1-1ubuntu1.4 127. libdb5.3@5.3.28-13.1ubuntu1.1 128. libdebconfclient0@0.213ubuntu1 129. libexpat1@2.2.5-3ubuntu0.7 130. libext2fs2@1.44.1-1ubuntu1.4 131. libfdisk1@2.31.1-0.4ubuntu3.7 132. libffi6@3.2.1-8 133. libgcc1@1:8.4.0-1ubuntu1~18.04 CVEs: 1. CVE-2020-13844 (Medium) 134. libgcrypt20@1.8.1-4ubuntu1.3 135. libgmp10@2:6.1.2+dfsg-2 136. libgnutls30@3.5.18-1ubuntu1.5 CVEs: 1. CVE-2018-16868 (Low) 2. CVE-2021-4209 (Low) 3. CVE-2022-2509 (Medium) 137. libgpg-error0@1.27-6 138. libhogweed4@3.4.1-0ubuntu0.18.04.1 139. libidn2-0@2.0.4-1.1ubuntu0.2 140. liblz4-1@0.0~r131-2ubuntu3.1 141. liblzma5@5.2.2-1.3ubuntu0.1 142. libmount1@2.31.1-0.4ubuntu3.7 143. libncurses5@6.1-1ubuntu1.18.04 CVEs: 1. CVE-2019-17594 (Low) 2. CVE-2019-17595 (Low) 3. CVE-2021-39537 (Low) 4. CVE-2022-29458 (Low) 144. libncursesw5@6.1-1ubuntu1.18.04 CVEs: 1. CVE-2019-17594 (Low) 2. CVE-2019-17595 (Low) 3. CVE-2021-39537 (Low) 4. CVE-2022-29458 (Low) 145. libnettle6@3.4.1-0ubuntu0.18.04.1 146. libp11-kit0@0.23.9-2ubuntu0.1 147. libpam-modules@1.1.8-3.6ubuntu2.18.04.3 148. libpam-modules-bin@1.1.8-3.6ubuntu2.18.04.3 149. libpam-runtime@1.1.8-3.6ubuntu2.18.04.3 150. libpam0g@1.1.8-3.6ubuntu2.18.04.3 151. libpcre3@2:8.39-9ubuntu0.1 CVEs: 1. CVE-2017-11164 (Low) 152. libprocps6@2:3.3.12-3ubuntu1.2 153. libseccomp2@2.5.1-1ubuntu1~18.04.2 154. libselinux1@2.7-2build2 155. libsemanage-common@2.7-2build2 156. libsemanage1@2.7-2build2 157. libsepol1@2.7-1ubuntu0.1 158. libsmartcols1@2.31.1-0.4ubuntu3.7 159. libss2@1.44.1-1ubuntu1.4 160. libssl1.1@1.1.1-1ubuntu2.1~18.04.20 161. libstdc++6@8.4.0-1ubuntu1~18.04 CVEs: 1. CVE-2020-13844 (Medium) 162. libsystemd0@237-3ubuntu10.53 163. libtasn1-6@4.13-2 164. libtinfo5@6.1-1ubuntu1.18.04 CVEs: 1. CVE-2019-17594 (Low) 2. CVE-2019-17595 (Low) 3. CVE-2021-39537 (Low) 4. CVE-2022-29458 (Low) 165. libudev1@237-3ubuntu10.53 166. libunistring2@0.9.9-0ubuntu2 167. libuuid1@2.31.1-0.4ubuntu3.7 168. libyaml-0-2@0.1.7-2ubuntu3 169. libzstd1@1.3.3+dfsg-2ubuntu1.2 170. locales@2.27-3ubuntu1.6 CVEs: 1. CVE-2009-5155 (Low) 2. CVE-2015-8985 (Low) 3. CVE-2016-20013 (Low) 171. login@1:4.5-1ubuntu2.3 CVEs: 1. CVE-2013-4235 (Low) 172. lsb-base@9.20170808ubuntu1 173. mawk@1.3.3-17ubuntu3 174. mount@2.31.1-0.4ubuntu3.7 175. ncurses-base@6.1-1ubuntu1.18.04 CVEs: 1. CVE-2019-17594 (Low) 2. CVE-2019-17595 (Low) 3. CVE-2021-39537 (Low) 4. CVE-2022-29458 (Low) 176. ncurses-bin@6.1-1ubuntu1.18.04 CVEs: 1. CVE-2019-17594 (Low) 2. CVE-2019-17595 (Low) 3. CVE-2021-39537 (Low) 4. CVE-2022-29458 (Low) 177. netbase@5.4 178. openssl@1.1.1-1ubuntu2.1~18.04.20 179. passwd@1:4.5-1ubuntu2.3 CVEs: 1. CVE-2013-4235 (Low) 180. perl-base@5.26.1-6ubuntu0.5 CVEs: 1. CVE-2020-16156 (Medium) 181. procps@2:3.3.12-3ubuntu1.2 182. sed@4.4-2 183. sensible-utils@0.0.12 184. sysvinit-utils@2.88dsf-59.10ubuntu1 185. tar@1.29b-2ubuntu0.3 186. tzdata@2022a-0ubuntu0.18.04 187. ubuntu-keyring@2018.09.18.1~18.04.2 188. util-linux@2.31.1-0.4ubuntu3.7 189. zlib1g@1:1.2.11.dfsg-0ubuntu2.1 190. byte-buddy@1.11.22 191. github.com/BurntSushi/toml@v1.1.0 192. github.com/Masterminds/semver/v3@v3.1.1 193. github.com/apex/log@v1.9.0 194. github.com/buildpacks/libcnb@v1.26.0 195. github.com/buildpacks/lifecycle@(devel) 196. github.com/creack/pty@v1.1.18 197. github.com/h2non/filetype@v1.1.3 198. github.com/heroku/color@v0.0.6 199. github.com/imdario/mergo@v0.3.12 200. github.com/imdario/mergo@v0.3.13 201. github.com/magiconair/properties@v1.8.6 202. github.com/mattn/go-colorable@v0.1.12 203. github.com/mattn/go-isatty@v0.0.14 204. github.com/mattn/go-shellwords@v1.0.12 205. github.com/miekg/dns@v1.1.49 206. github.com/mitchellh/hashstructure/v2@v2.0.2 207. github.com/onsi/gomega@v1.19.0 208. github.com/paketo-buildpacks/ca-certificates/v3@(devel) 209. github.com/paketo-buildpacks/libjvm@v1.37.0 210. github.com/paketo-buildpacks/libpak@v1.60.1 211. github.com/paketo-buildpacks/spring-boot/v5@(devel) 212. github.com/pavel-v-chernykh/keystore-go/v4@v4.3.0 213. github.com/pelletier/go-toml@v1.9.5 214. github.com/pkg/errors@v0.9.1 215. github.com/xi2/xz@v0.0.0-20171230120015-48954b6210f8 216. golang.org/x/net@v0.0.0-20220225172249-27dd8689420f 217. golang.org/x/sys@v0.0.0-20220319134239-a9b59b0215f8 218. golang.org/x/sys@v0.0.0-20220520151302-bc2c85ada10a 219. jrt-fs@11.0.15.1 220. spring-cloud-bindings@1.9.0 ``` Criticalな脆弱性は無視したCVE-2016-1000027であることがわかります。 なお、検出された脆弱性一覧は次の図のようにTAP GUIでも確認できます。(なぜかCVE-2016-1000027は"Unknown"になっていますが...) image > `grype` CLIで直接イメージをスキャンした場合は次のような結果が得られます。検出された脆弱性のうちFixされているもの(=改善の余地のあるもの)はほとんどないことが分かります。 > > ``` > $ grype $(kubectl get imagescan -n demo spring-music -ojsonpath='{.spec.registry.image}') > ✔ Vulnerability DB [updated] > ✔ Loaded image > ✔ Parsed image > ✔ Cataloged packages [241 packages] > ✔ Scanned image [47 vulnerabilities] > > NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY > coreutils 8.28-1ubuntu1 deb CVE-2016-2781 Low > gcc-8-base 8.4.0-1ubuntu1~18.04 deb CVE-2020-13844 Medium > jquery 2.1.0-2 java-archive CVE-2007-2379 Medium > jquery 2.1.0-2 java-archive CVE-2020-11022 Medium > jquery 2.1.0-2 java-archive CVE-2020-11023 Medium > jquery 2.1.0-2 java-archive CVE-2015-9251 Medium > jquery 2.1.0-2 java-archive CVE-2019-11358 Medium > libc-bin 2.27-3ubuntu1.6 deb CVE-2009-5155 Negligible > libc-bin 2.27-3ubuntu1.6 deb CVE-2016-20013 Negligible > libc-bin 2.27-3ubuntu1.6 deb CVE-2015-8985 Negligible > libc6 2.27-3ubuntu1.6 deb CVE-2015-8985 Negligible > libc6 2.27-3ubuntu1.6 deb CVE-2016-20013 Negligible > libc6 2.27-3ubuntu1.6 deb CVE-2009-5155 Negligible > libgcc1 1:8.4.0-1ubuntu1~18.04 deb CVE-2020-13844 Medium > libgnutls30 3.5.18-1ubuntu1.5 3.5.18-1ubuntu1.6 deb CVE-2021-4209 Low > libgnutls30 3.5.18-1ubuntu1.5 3.5.18-1ubuntu1.6 deb CVE-2022-2509 Medium > libgnutls30 3.5.18-1ubuntu1.5 deb CVE-2018-16868 Low > libncurses5 6.1-1ubuntu1.18.04 deb CVE-2022-29458 Negligible > libncurses5 6.1-1ubuntu1.18.04 deb CVE-2019-17595 Negligible > libncurses5 6.1-1ubuntu1.18.04 deb CVE-2019-17594 Negligible > libncurses5 6.1-1ubuntu1.18.04 deb CVE-2021-39537 Negligible > libncursesw5 6.1-1ubuntu1.18.04 deb CVE-2021-39537 Negligible > libncursesw5 6.1-1ubuntu1.18.04 deb CVE-2019-17595 Negligible > libncursesw5 6.1-1ubuntu1.18.04 deb CVE-2022-29458 Negligible > libncursesw5 6.1-1ubuntu1.18.04 deb CVE-2019-17594 Negligible > libpcre3 2:8.39-9ubuntu0.1 deb CVE-2017-11164 Negligible > libstdc++6 8.4.0-1ubuntu1~18.04 deb CVE-2020-13844 Medium > libtinfo5 6.1-1ubuntu1.18.04 deb CVE-2019-17594 Negligible > libtinfo5 6.1-1ubuntu1.18.04 deb CVE-2022-29458 Negligible > libtinfo5 6.1-1ubuntu1.18.04 deb CVE-2019-17595 Negligible > libtinfo5 6.1-1ubuntu1.18.04 deb CVE-2021-39537 Negligible > locales 2.27-3ubuntu1.6 deb CVE-2016-20013 Negligible > locales 2.27-3ubuntu1.6 deb CVE-2015-8985 Negligible > locales 2.27-3ubuntu1.6 deb CVE-2009-5155 Negligible > login 1:4.5-1ubuntu2.3 deb CVE-2013-4235 Low > ncurses-base 6.1-1ubuntu1.18.04 deb CVE-2019-17595 Negligible > ncurses-base 6.1-1ubuntu1.18.04 deb CVE-2022-29458 Negligible > ncurses-base 6.1-1ubuntu1.18.04 deb CVE-2021-39537 Negligible > ncurses-base 6.1-1ubuntu1.18.04 deb CVE-2019-17594 Negligible > ncurses-bin 6.1-1ubuntu1.18.04 deb CVE-2019-17594 Negligible > ncurses-bin 6.1-1ubuntu1.18.04 deb CVE-2019-17595 Negligible > ncurses-bin 6.1-1ubuntu1.18.04 deb CVE-2022-29458 Negligible > ncurses-bin 6.1-1ubuntu1.18.04 deb CVE-2021-39537 Negligible > passwd 1:4.5-1ubuntu2.3 deb CVE-2013-4235 Low > perl-base 5.26.1-6ubuntu0.5 deb CVE-2020-16156 Medium > postgresql 42.3.6 java-archive CVE-2017-8806 Medium > spring-core 5.3.22 java-archive CVE-2016-1000027 Critical > ``` 今回はScanにパスしたので、URLにアクセスできます。 image ### 脆弱性の検出 ソースコードにわざと脆弱なライブラリを追加してみます。Workloadのブランチを次のように変更してください。 ``` tanzu apps workload apply spring-music \ --app spring-music \ --git-repo https://github.com/tanzu-japan/spring-music \ --git-branch vulnerability-demo \ --type web \ --label apps.tanzu.vmware.com/has-tests=true \ --annotation autoscaling.knative.dev/minScale=1 \ -n demo \ -y tanzu apps workload tail spring-music -n demo # "or" stern -n demo spring-music ``` 次のコマンドで進捗をwatchします。 ``` watch kubectl get workload,pod,gitrepo,pipelinerun,sourcescan,imgs,build,imagescan,podintent,taskrun,imagerepository,deliverable,app,ksvc -n demo -owide -l app.kubernetes.io/part-of=spring-music ``` 今回はImageScanがFaildになります。Highな脆弱性が1件追加されました。 ``` $ kubectl get imagescan -n demo spring-music NAME PHASE SCANNEDIMAGE AGE CRITICAL HIGH MEDIUM LOW UNKNOWN CVETOTAL spring-music Failed tap28868.azurecr.io/supply-chain/spring-music-demo@sha256:c9e65a62a0506de984b31642bf4b6711815df034e1dc59dad7fbff12081b240f 30m 1 1 9 12 0 23 ``` `tanzu insight`コマンドで確認しましょう。 ``` $ tanzu insight image get --digest sha256:c9e65a62a0506de984b31642bf4b6711815df034e1dc59dad7fbff12081b240f ID: 2 Registry: tap28868.azurecr.io Image Name: supply-chain/spring-music-demo Digest: sha256:c9e65a62a0506de984b31642bf4b6711815df034e1dc59dad7fbff12081b240f Packages: 1. helper@9.3.6 ... 220. commons-collections4@4.0 CVEs: 1. GHSA-6hgm-866r-3cjv (High) ``` commons-collection4の脆弱性が検出されています。 TAP GUIでも確認できます。 image ScanPolicyに抵触する場合は、赤くメッセージが表示されます。 脆弱性がFixされたcommons-collection4を使用したbranchはvulnerability-fixedです。次のコマンドでWorkloadを更新すれば、ImageScanがCompletedになります。 ``` tanzu apps workload apply spring-music \ --app spring-music \ --git-repo https://github.com/tanzu-japan/spring-music \ --git-branch vulnerability-fixed \ --type web \ --label apps.tanzu.vmware.com/has-tests=true \ --annotation autoscaling.knative.dev/minScale=1 \ -n demo \ -y tanzu apps workload tail spring-music -n demo # "or" stern -n demo spring-music ```