CN117892314A - A method and system for scanning service image vulnerabilities - Google Patents
- Tue Apr 16 2024
Detailed Description
The technical solution of the present invention is described in further detail below with reference to the accompanying drawings and embodiments.
Summary of the Invention
The present invention determines the dependency relationships between files in a service image by decompressing all Java archive files in the image and searching the result with a text search tool. Once the name of a dependent file that contains a vulnerability is found, that name is used as a keyword to search every decompressed file. If a file references the dependency, the corresponding reference is found by the search. Because keyword retrieval searches the text exhaustively for every occurrence of a vulnerable dependency file name, it reaches the files that reference those dependencies at greater depth. By searching comprehensively for the vulnerable dependency files, the method remedies the shortcomings of the prior art and improves the depth and accuracy of vulnerability scanning.
Exemplary Methods
FIG. 1 is a flow chart of the method for scanning service image vulnerabilities provided by an embodiment of the present invention.
Step S101: Collect the names of dependent files that have vulnerabilities and generate a vulnerable dependency name list.
In software development, an application usually depends on many third-party libraries, frameworks, modules or other software components; these are called dependent files. Vulnerable dependent files are software components or library files known to have security vulnerabilities. In the software development ecosystem, a vulnerability is a potential security flaw or error that may leave the application open to attack or in an insecure state. When a vulnerability exists, the developers of the third-party dependency release fixes and upgraded versions as soon as possible and publish regular updates online, covering the vulnerabilities in the original version, the vulnerabilities fixed in the new version, performance improvements, added features and so on. Developers who use such a third-party dependency keep track of its security and stability as it changes. They therefore regularly collect vulnerability information for the dependent files they reference and learn of any known vulnerabilities related to those dependencies. The collected vulnerability information is consolidated, and the entire service program is subsequently scanned on the basis of that consolidated information.
This embodiment consolidates the names of the third-party dependent files that have vulnerabilities and saves the result in a single file, called the vulnerable dependency name list. The list records the names of the vulnerable third-party dependent files and their corresponding versions. It can be a text file, a JSON file or another format, and is used in the subsequent scanning process.
Step S102: Create a guidance file containing information about the different services and their images.
A service image is the packaged form of a service program developed by a developer; it contains the program files, dependent files and configuration the service needs to run. An application usually consists of multiple services, each with its own service image. These images are stored in a specific repository, such as Harbor.
In a containerized environment, a service image is the portable unit of a service: it contains the service's whole runtime environment and its dependent files, ensuring that the service runs consistently in different environments. To perform vulnerability scanning, the entire service image must be downloaded from the repository to the local host so that it can be parsed and analyzed in a container.
This embodiment creates the guidance file to direct the scanning system in downloading the corresponding service images from the repository. The file contains the storage path or directory of each service image in the repository, which helps the scanning system locate and obtain the required images accurately. The system can then pull the corresponding service images from the repository to the local host in an orderly fashion, according to the information in the guidance file, for further processing.
In short, scanning an entire service for vulnerabilities requires downloading the entire service image. Service images are stored in a specific repository; using the path information in the guidance file, the scanning system downloads the corresponding image from the repository accurately and decompresses and scans it in a local container to verify the security of the service.
The guidance file is usually in CSV (comma-separated values) format, which makes this information easy to store and process. A CSV file is a simple text format in which each line is a record and fields are separated by commas. In a CSV guidance file, each record can hold the relevant information about one service, as shown in FIG. 2.
The guidance file provides the key information the system needs: based on it, the system downloads the corresponding service images from the repository in order and performs the subsequent decompression and scanning in a local container.
Step S103: Based on the guidance file, pull the corresponding service image from the repository where service images are stored, and create a temporary container from the pulled image.
Based on the storage path in the guidance file, the corresponding service image is searched for in the repository where service images are stored. If it is found, it is pulled.
A temporary container is created from the pulled service image. If the corresponding service image is not found in the repository, the image is obtained from the cluster instead, based on the service name in the guidance file, and a temporary container is created from the obtained image.
Based on the guidance file, the system searches the repository for the corresponding service image. The search uses mainly the storage path, service name, Java archive file type and image name recorded in the guidance file. If a matching service image is found in the repository, the system pulls it. The purpose of the pull is to create, on the local host, a temporary container that contains the required service image files. If the search of the repository finds no corresponding image, the system obtains the image from the cluster according to the service name recorded in the guidance file. This step ensures that the required image can still be obtained, from the cluster, even when it is not found in the repository.
A container can be regarded as an instance of an image. An image is a static package that contains the service's runtime environment and all of its dependent files. Running an image creates a container, which is in fact a running process started from the image. The container is the runtime entity of the image: it is the instantiation of the image, an executable unit that runs independently. The subsequent decompression and scanning of the service all take place in the container environment.
Step S104: Run the temporary container and decompress the Java archive files in the pulled service image one by one. Based on the Java archive file type in the guidance file, select the corresponding decompression method and decompress the Java archive files in the image level by level.
In this step the temporary container is started and the pulled service image is decompressed. The purpose of decompression is to obtain the contents of the image, in particular its Java archive files, so that subsequent operations can work on those files. The decompression method is chosen according to the Java archive file type recorded in the guidance file, since different Java archive types may require different tools or commands. Level-by-level decompression means that if a Java archive file in the image itself contains other Java archive files, those are decompressed as well, until only uncompressed files remain. Step S104 provides the file and directory structure needed for the subsequent vulnerability scanning and dependency analysis, so that the contents of the service image are parsed and obtained level by level.
Step S105: Scan the decompressed files based on the vulnerable dependency name list and derive the dependency relationships between the vulnerable dependent files and the files that reference them.
In this phase, the decompressed files are scanned by running a text search tool in the temporary container. Each dependent file name recorded in the vulnerable dependency name list is used as a keyword and searched for in every decompressed file. The purpose of the search is to find the files that reference the vulnerable dependent files and thereby establish the dependency relationships between them.
If the search result shows that a file contains the keyword of a vulnerable dependent file, it is determined that the file references that vulnerable dependent file, and the relationship between the vulnerable dependent file and the referencing file is recorded. The goal of this step is to establish the association between the vulnerable dependency name list and the dependent files present in the service image, for use in subsequent vulnerability reporting and remediation. The process as a whole ensures that the vulnerable dependency relationships in the image are analyzed and recorded comprehensively.
The text search tool of the present invention searches the decompressed files exhaustively for a given keyword, so no file that references the dependency is missed. This is because text search works on file content rather than relying on a particular file structure or format: whatever the file type, as long as it contains the keyword for the vulnerable dependency file, the text search tool finds it. This exhaustive search ensures a thorough scan of the entire service in which no key information is missed because of file type or other factors. Using a text search tool is therefore an effective way to analyze the whole service image, discover vulnerable dependencies and build an accurate dependency graph.
In addition, vulnerability scanning and dependency analysis must consider not only whether a dependency exists but also the specific version of the referenced dependent file. Version information is crucial for determining whether a vulnerability is present and how to resolve it.
A text search tool can find a given keyword, but a precise understanding of dependencies, especially where vulnerabilities are concerned, requires the version number as well. When analyzing search results, the version information of the files containing the keyword should be examined so that the presence and scope of the vulnerability can be determined accurately. This helps identify which versions of the dependent files are affected, so that the appropriate remediation can be applied more effectively.
After the vulnerability scanning and dependency analysis are complete, the service image is deleted once the temporary container has run, to avoid unnecessary storage use and to keep subsequent work unaffected. Once the dependencies have been determined and the relevant vulnerability information extracted, the decompressed files are saved on the local host so that they can be further analyzed, backed up or kept as a record of the vulnerability information, and developers or system administrators can consult them when needed. After these operations are complete, the temporary container is shut down and destroyed, releasing container resources that are no longer needed and avoiding waste.
The dependency relationship referred to above is specifically the relationship between a vulnerable dependent file and the program file that references it. When the text search tool runs in the container, it searches the files of the entire service image, in particular the dependent files related to known vulnerabilities. Once the vulnerable dependent files are found, the tool analyzes the other files that reference them and establishes the dependency relationships between these files.
Developers then use the dependency relationships, together with the vulnerability information (such as the type of vulnerability, its scope of impact and the possible attack methods), to determine which components of the service are affected. Once the affected components are identified, the developers need to find and apply the new versions that contain the fix and update the corresponding dependent files, or rewrite the components. After the components' dependent files are updated, the entire service is rebuilt and its tests are run to confirm the system's stability and functionality, verifying that the new component versions not only fix the vulnerability but also run correctly.
The repaired code is rebuilt into a runnable service and packaged into a new image file. The new image is uploaded to the repository so that the repository holds the latest repaired version.
If the repaired service's information is unchanged from the previous version (for example, the path, image name and other details are the same), the newly generated image file can overwrite the image at the original path in the repository, so that other environments continue to use the latest version. This process ensures that a service whose vulnerability has been repaired is promptly updated in the repository and applied throughout the application.
Specifically, in this embodiment the guidance file may be a CSV file; the service image is a Java service docker image; the Java archive file type in the Java service docker image is a jar or war package; the decompressed files are .class files; and the text search tool is grep.
As shown in FIG. 3, the system script 301 uses the provided CSV file 302 to obtain images from the Kubernetes cluster 303 or to pull the specified images from the Harbor repository 304. According to the service package path given in the CSV file 302, the obtained image is saved locally 305. The jar or war packages in the image are decompressed level by level until only .class files remain; once decompression is complete, all jar and war files are deleted so that no such archives are left. The grep command is then used to find the required dependency relationships in the decompressed files.
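The following is an added example, not code from the patent or its applicant, showing the core of steps S104 and S105 in Python: level-by-level decompression of a war that bundles a nested jar, deletion of each archive after extraction, and a grep-style keyword scan that also records whether the listed version string appears (the version caveat discussed above). The image pull of step S103 is assumed to have already placed the archive in a local directory; the dependency names, versions and fake .class bytes are constructed stand-ins.

```python
import io
import tempfile
import zipfile
from collections import namedtuple
from pathlib import Path

ARCHIVE_SUFFIXES = (".jar", ".war")
Match = namedtuple("Match", "dependency file version_seen")

# Step S101: vulnerable dependency name list. Constructed placeholder entries,
# not real advisories; the patent keeps this as a text or JSON file.
VULN_DEPS = [
    {"name": "example-lib", "version": "1.2.3"},
    {"name": "safe-lib", "version": "9.9.9"},
]


def safe_extract(zf: zipfile.ZipFile, dest: Path) -> None:
    """Extract every entry under dest, refusing entries that would escape it.
    The patent does not mention this check, but a scanner that unpacks
    archives it did not build should not let an entry write outside dest."""
    dest = dest.resolve()
    for member in zf.infolist():
        if not (dest / member.filename).resolve().is_relative_to(dest):
            raise ValueError(f"unsafe archive entry: {member.filename}")
    zf.extractall(dest)


def unpack_recursively(root: Path) -> int:
    """Step S104 / FIG. 3: decompress every jar or war under root level by
    level until none remain, deleting each archive once it is extracted.
    Returns the number of archives unpacked."""
    unpacked = 0
    while True:
        archives = [p for p in root.rglob("*")
                    if p.is_file() and p.suffix in ARCHIVE_SUFFIXES]
        if not archives:
            return unpacked
        for archive in archives:
            with zipfile.ZipFile(archive) as zf:
                safe_extract(zf, archive.parent / (archive.name + ".d"))
            archive.unlink()
            unpacked += 1


def scan_for_vulnerable_deps(root: Path, vuln_deps) -> list:
    """Step S105: emulate `grep -rl <name>` over every decompressed file, using
    each vulnerable dependency name as the keyword, and record which file
    references it. version_seen notes whether the listed version string also
    occurs in that file, since the name alone does not prove the affected
    version is the one in use."""
    matches = []
    files = sorted(p for p in root.rglob("*") if p.is_file())
    for dep in vuln_deps:
        name, version = dep["name"].encode(), dep["version"].encode()
        for path in files:
            data = path.read_bytes()
            if name in data:
                matches.append(Match(dep["name"],
                                     path.relative_to(root).as_posix(),
                                     version in data))
    return matches


def build_sample_image_dir(root: Path) -> None:
    """Constructed stand-in for the saved contents of a pulled Java service
    image: one war that bundles a nested jar. The .class payloads are fake
    bytes carrying the strings grep would see in a real constant pool."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Implementation-Title: example-lib\n"
                     "Implementation-Version: 1.2.3\n")
        jar.writestr("com/example/lib/Util.class", b"\xca\xfe\xba\xbe" + b"Util")
    with zipfile.ZipFile(root / "app.war", "w") as war:
        war.writestr("WEB-INF/lib/example-lib-1.2.3.jar", inner.getvalue())
        # a class that references the vulnerable dependency at the listed version
        war.writestr("WEB-INF/classes/com/acme/Service.class",
                     b"\xca\xfe\xba\xbe" + b"example-lib-1.2.3")
        # a class that references safe-lib, but not the version on the list
        war.writestr("WEB-INF/classes/com/acme/Other.class",
                     b"\xca\xfe\xba\xbe" + b"safe-lib-1.0.0")


def run_demo() -> list:
    """Decompress the constructed image directory and scan it; returns the matches."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_image_dir(root)
        unpack_recursively(root)  # unpacks app.war, then the nested jar
        return scan_for_vulnerable_deps(root, VULN_DEPS)


if __name__ == "__main__":
    for m in run_demo():
        print(f"{m.dependency}: referenced by {m.file} (version seen: {m.version_seen})")
```

The manifest hit shows the vulnerable dependency itself is bundled in the image, while the Service.class hit is the file that references it; the safe-lib hit carries version_seen False and would be triaged separately.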
In summary, the present invention uses a text search tool to achieve a comprehensive, in-depth scan of containerized service images. This method not only ensures that every file and every multi-level reference relationship is detected, but also effectively reduces the likelihood of omissions and errors. Compared with traditional methods, text search improves scanning efficiency and clearly records the vulnerable dependent files and the references between them, providing a detailed basis for subsequent vulnerability repair. Scanning becomes more comprehensive and accurate, and performs especially well where references span multiple levels. The present invention therefore scans service images for vulnerabilities more comprehensively and deeply, with fewer omissions and errors, and provides detailed dependency analysis for vulnerability repair.
Exemplary Devices
Correspondingly, an embodiment of the present invention further provides a service image vulnerability scanning system, as shown in FIG. 4. The system includes a collection module 401, a guidance module 402, a pull module 403, a decompression module 404 and an analysis module 405.
The collection module 401 collects the names of dependent files that have vulnerabilities and generates a vulnerable dependency name list.
The guidance module 402 creates a guidance file containing information about the different services and their images. The information recorded in the guidance file includes the service name, storage path, Java archive file type and image name.
The pull module 403 pulls the corresponding service image from the repository where service images are stored, based on the guidance file, and creates a temporary container from the pulled image. Based on the storage path in the guidance file, it searches the repository for the corresponding service image. If the image is found, it is pulled and a temporary container is created from it. If the image is not found in the repository, the corresponding image is obtained from the cluster based on the service name in the guidance file, and a temporary container is created from the obtained image.
The decompression module 404 runs the temporary container and decompresses the pulled service image, decompressing its Java archive files one by one. Based on the Java archive file type in the guidance file, it selects the corresponding decompression method and decompresses the Java archive files in the image level by level.
The analysis module 405 scans the decompressed files based on the vulnerable dependency name list and derives the dependency relationships between the vulnerable dependent files and the files that reference them. It runs a text search tool in the temporary container and uses each dependent file name recorded in the vulnerable dependency name list as a keyword to search every decompressed file.
The dependency relationships are derived from the search results. If the search results show that a file contains the keyword of a vulnerable dependent file, it is determined that the file references that vulnerable dependent file, and the relationship between the vulnerable dependent file and the referencing file is recorded.
The service image is deleted after the temporary container has run. Once the dependency relationships are determined, the decompressed files in the temporary container are saved on the local host. After all the decompressed files have been saved, the temporary container is shut down and destroyed.
After the decompressed files are saved on the local host, the vulnerabilities in the service are repaired based on the recorded dependency relationships. The repaired service is compressed into a new image file, which is uploaded to the repository and overwrites the image file at the original path.
Specifically, in this system the guidance file may be a CSV file; the service image is a Java service docker image; the Java archive file type in the Java service docker image is a jar or war package; the decompressed files are .class files; and the text search tool is grep.
Although the spirit and principles of the present invention have been described with reference to several specific embodiments, it should be understood that the present invention is not limited to the disclosed embodiments, and that the division into aspects does not mean that the features of those aspects cannot be combined to advantage; the division is only for convenience of presentation. The present invention is intended to cover the various modifications and equivalent arrangements that fall within the spirit and scope of the appended claims.
The present invention also provides:
1. A method for scanning service image vulnerabilities, comprising:
collecting the names of dependent files that have vulnerabilities and generating a vulnerable dependency name list;
creating a guidance file containing information about different services and their images;
based on the guidance file, pulling the corresponding service image from the repository where service images are stored, and creating a temporary container from the pulled image;
running the temporary container and decompressing the Java archive files in the pulled service image one by one;
scanning the decompressed files based on the vulnerable dependency name list and deriving the dependency relationships between the vulnerable dependent files and the files that reference them.
2. The method according to item 1, wherein the information recorded in the guidance file includes the service name, storage path, Java archive file type and image name.
3. The method according to item 2, wherein pulling the corresponding service image from the repository based on the guidance file and creating a temporary container from the pulled image further comprises the following steps:
searching the repository where service images are stored for the corresponding service image, based on the storage path in the guidance file;
if the corresponding service image is found in the repository, pulling it;
creating a temporary container from the pulled service image.
4. The method according to item 3, wherein if the corresponding service image is not found in the repository, the corresponding image is obtained from the cluster based on the service name in the guidance file;
and a temporary container is created from the obtained service image.
5. The method according to item 3 or 4, wherein running the temporary container and decompressing the Java archive files in the pulled service image one by one further comprises the following step:
based on the Java archive file type in the guidance file, selecting the corresponding decompression method and decompressing the Java archive files in the image level by level.
6. The method according to item 5, wherein scanning the decompressed files based on the vulnerable dependency name list and deriving the dependency relationships between the vulnerable dependent files and the files that reference them further comprises the following steps:
running a text search tool in the temporary container;
using each dependent file name recorded in the vulnerable dependency name list as a keyword and searching for it in every decompressed file;
deriving the dependency relationships from the search results.
7. The method according to item 6, wherein deriving the dependency relationships from the search results further comprises the following steps:
if the search results show that a file contains the keyword of a vulnerable dependent file, determining that the file references that vulnerable dependent file;
recording the relationship between the vulnerable dependent file and the files that reference it.
8. The method according to any one of items 1 to 7, wherein the service image is deleted after the temporary container has run;
after the dependency relationships are determined, the decompressed files in the temporary container are saved on the local host;
and after all the decompressed files have been saved, the temporary container is shut down and destroyed.
9. The method according to item 8, wherein after the decompressed files are saved on the local host, the vulnerabilities in the service are repaired based on the recorded dependency relationships.
10. The method according to item 9, further comprising the following steps:
compressing the repaired service to generate a new image file and uploading it to the repository;
overwriting the image file at the original path in the repository.
11. The method according to any one of items 6 to 10, wherein the guidance file is a CSV file;
the service image is a Java service docker image;
the Java archive file type in the Java service docker image is a jar or war package;
the decompressed files are .class files;
and the text search tool is grep.
12. A service image vulnerability scanning system, comprising:
a collection module, used to collect the names of dependent files with vulnerabilities and generate a list of vulnerable dependency names;
a guidance module, used to create a guidance file containing information about different services and their images;
a pulling module, used to pull the corresponding service image from a repository storing service images based on the guidance file, and to create a temporary container from the pulled image;
a decompression module, used to run the temporary container and decompress the Java archive files in the pulled service image one by one;
an analysis module, used to scan the decompressed files based on the list of vulnerable dependency names and determine the dependency relationship between the vulnerable dependent files and the files that reference them.
13. The system according to item 12, wherein the information recorded in the guidance file includes the service name, storage path, Java archive file type and image name.
14. The system according to item 13, wherein the pulling module is further used for:
searching for the corresponding service image in the repository storing service images based on the storage path in the guidance file;
if the corresponding service image is found in the repository, pulling it;
creating a temporary container from the pulled service image.
15. The system according to item 14, wherein the pulling module is further used for:
if the corresponding service image is not found in the repository, obtaining the corresponding image from the cluster based on the service name in the guidance file;
creating a temporary container from the obtained service image.
16. The system according to item 14 or 15, wherein the decompression module is further used for:
selecting the corresponding decompression method based on the Java archive file type in the guidance file, and decompressing the Java archive files in the image level by level.
17. The system according to item 16, wherein the analysis module is further used for:
running a text search tool in the temporary container;
searching each decompressed file using the dependent file names recorded in the list of vulnerable dependency names as keywords;
determining the dependency relationship based on the search results.
18. The system according to item 17, wherein the operation of the analysis module determining the dependency relationship based on the search results further comprises:
if the search results show that a file contains the keyword for a vulnerable dependent file, determining that the file references the vulnerable dependent file;
recording the relationship between the vulnerable dependent file and the files that reference it.
19. The system according to any one of items 12 to 18, wherein the service image is deleted after the temporary container is run;
after the dependency relationship is determined, the decompressed files in the temporary container are saved on the local host;
after all the decompressed files are saved, the temporary container is stopped and destroyed.
20. The system according to item 19, wherein after the decompressed files are saved on the local host, the vulnerabilities present in the service are repaired based on the recorded dependency relationship.
21. The system according to item 20, further comprising:
a module used to compress the repaired service to generate a new image file and upload it to the repository;
a module used to overwrite the image file at the original path in the repository.
22. The system according to any one of items 17 to 21, wherein the guidance file is a CSV file;
the service image is specifically a Java service docker image;
the Java archive file type in the Java service docker image is a jar package or a war package;
the decompressed files are class files;
the text search tool is grep.
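An added example, not the patent's own code, of the level-by-level decompression and keyword search of claims 16 to 18 with the jar/war and class-file specifics of claim 22. The war, its nested jar, the class-file contents and the list of vulnerable dependency names are all constructed here; grep is replaced by a byte substring match so the scan runs in memory without Docker or a container.

```python
import io
import zipfile

# Constructed list of vulnerable dependency names (stand-in for the patent's list).
VULN_DEPS = ["log4j-core-2.14.1", "commons-text-1.9"]


def _zip_bytes(entries):
    """Build an in-memory zip (jar/war) from a {entry name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_war():
    """Constructed war: WEB-INF/lib holds a jar whose class files embed dependency
    names in their constant pool, as compiled classes do for referenced types."""
    inner_jar = _zip_bytes({
        "com/example/Logger.class": b"\xca\xfe\xba\xbe..org/apache/log4j-core-2.14.1..",
        "com/example/Util.class": b"\xca\xfe\xba\xbe..com/google/guava-31.0..",
    })
    return _zip_bytes({
        "WEB-INF/lib/app-lib.jar": inner_jar,
        "WEB-INF/classes/com/example/Main.class": b"\xca\xfe\xba\xbe..commons-text-1.9..",
        "WEB-INF/web.xml": b"<web-app/>",
    })


def extract_recursively(archive_bytes, prefix=""):
    """Level-by-level decompression (claim 16): yield (path, bytes) for every leaf
    file, descending into nested jar/war entries instead of stopping at them."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            path = prefix + info.filename
            if info.filename.lower().endswith((".jar", ".war")):
                yield from extract_recursively(data, path + "!/")
            else:
                yield path, data


def analyze(archive_bytes, vuln_deps):
    """Keyword search over each decompressed class file (claims 17-18): returns
    {vulnerable dependency name: sorted paths of class files that reference it}."""
    refs = {dep: [] for dep in vuln_deps}
    for path, data in extract_recursively(archive_bytes):
        if not path.endswith(".class"):
            continue  # claim 22: only class files are scanned
        for dep in vuln_deps:
            if dep.encode() in data:  # grep-style substring match on raw bytes
                refs[dep].append(path)
    return {dep: sorted(paths) for dep, paths in refs.items()}
```

As with grep, the match is a plain substring test, so a name such as `commons-text-1.9` also hits `commons-text-1.90`; a practitioner should confirm each recorded relationship against the exact artifact version before repairing.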