
Scanning Docker Images for Vulnerabilities with Snyk

Scanning Docker images for vulnerabilities is an essential practice for keeping containerized applications secure. Snyk is a popular tool for this purpose: it analyzes images thoroughly for known vulnerabilities and provides recommendations for mitigating the risks. In this article we will look at how to use Snyk to scan Docker images for vulnerabilities, using real examples.

Installing Snyk

Before starting, you need to install Snyk on your system. You can install it globally through npm (Node Package Manager) with the following command:

npm install -g snyk

Creating an Ubuntu-based Docker Image

To illustrate vulnerability scanning with Snyk, we will create a simple example Dockerfile that uses Ubuntu as its base image and contains a known vulnerability. Suppose we have the following Dockerfile:

FROM ubuntu:20.04

# Update the package lists and install dependencies
RUN apt-get update && \
    apt-get install -y curl && \
    apt-get clean

# Startup command
CMD ["bash"]

In this Dockerfile we use the Ubuntu 20.04 base image and install the curl tool as an example dependency.

Scanning for Vulnerabilities with Snyk

Before scanning the image with Snyk, you need to authenticate with your Snyk account using the following command:

snyk auth

Once we have built our Docker image, we can use Snyk to scan it for vulnerabilities. Suppose we have built and tagged our image as miapp:latest. To scan this image, we run the following command:

snyk container test miapp:latest

Snyk will analyze the image for known vulnerabilities and produce a detailed report of its findings.

Interpreting the Results

After running the scan command, Snyk produces a detailed report of the vulnerabilities found in the Docker image. The report includes the type of each vulnerability, its severity and possible fixes.

Updating Dependencies

Once you have identified the vulnerabilities in your Docker image, you can take corrective action to mitigate the risks. In this example, you can update the Ubuntu base image to a more recent release that does not contain the known vulnerabilities.

Complete Example

Below is a complete example covering the creation of the Docker image, the vulnerability scan with Snyk and the dependency update:

$ docker build -t miapp:latest .
[+] Building 15.8s (6/6) FINISHED  docker:default
 => [internal] load build definition from Dockerfile  0.0s
 => => transferring dockerfile: 218B  0.0s
 => [internal] load metadata for docker.io/library/ubuntu:20.04  1.4s
 => [internal] load .dockerignore  0.0s
 => => transferring context: 2B  0.0s
 => [1/2] FROM docker.io/library/ubuntu:20.04@sha256:874aca52f79ae5f8258faff03e10ce99ae836f6e7d2df6ecd3da5c1cad3a912b  2.2s
 => => resolve docker.io/library/ubuntu:20.04@sha256:874aca52f79ae5f8258faff03e10ce99ae836f6e7d2df6ecd3da5c1cad3a912b  0.0s
 => => sha256:2abc4dfd83182546da40dfae3e391db0810ad4a130fb5a887c6ceb3df8e1d310 2.29kB / 2.29kB  0.0s
 => => sha256:d4c3c94e5e10ed15503bda7e145a3652ee935c0b2e9de9b5c98df7ec0a0cd925 27.51MB / 27.51MB  0.8s
 => => sha256:874aca52f79ae5f8258faff03e10ce99ae836f6e7d2df6ecd3da5c1cad3a912b 1.13kB / 1.13kB  0.0s
 => => sha256:cc9cc8169c9517ae035cf293b15f06922cb8c6c864d625a72b7b18667f264b70 424B / 424B  0.0s
 => => extracting sha256:d4c3c94e5e10ed15503bda7e145a3652ee935c0b2e9de9b5c98df7ec0a0cd925  1.1s
 => [2/2] RUN apt-get update &&     apt-get install -y curl &&     apt-get clean  11.9s
 => exporting to image  0.3s
 => => exporting layers  0.3s
 => => writing image sha256:1e4d6574930239f29facd7687321ccec61df5b96a7a599b73e6f2ae1ed83dd9d  0.0s
 => => naming to docker.io/library/miapp:latest

Scan result for the example image, together with the recommended measures.

$ snyk container test miapp:latest

Testing miapp:latest...

✗ Low severity vulnerability found in systemd/libsystemd0
  Description: CVE-2023-26604
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-SYSTEMD-3339226
  Introduced through: systemd/libsystemd0@245.4-4ubuntu3.23, apt@2.0.10, procps/libprocps8@2:3.3.16-1ubuntu2.4, util-linux/bsdutils@1:2.34-0.1ubuntu9.6, util-linux/mount@2.34-0.1ubuntu9.6, systemd/libudev1@245.4-4ubuntu3.23
  From: systemd/libsystemd0@245.4-4ubuntu3.23
  From: apt@2.0.10 > systemd/libsystemd0@245.4-4ubuntu3.23
  From: procps/libprocps8@2:3.3.16-1ubuntu2.4 > systemd/libsystemd0@245.4-4ubuntu3.23
  and 6 more...

✗ Low severity vulnerability found in systemd/libsystemd0
  Description: CVE-2023-7008
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-SYSTEMD-6137854
  Introduced through: systemd/libsystemd0@245.4-4ubuntu3.23, apt@2.0.10, procps/libprocps8@2:3.3.16-1ubuntu2.4, util-linux/bsdutils@1:2.34-0.1ubuntu9.6, util-linux/mount@2.34-0.1ubuntu9.6, systemd/libudev1@245.4-4ubuntu3.23
  From: systemd/libsystemd0@245.4-4ubuntu3.23
  From: apt@2.0.10 > systemd/libsystemd0@245.4-4ubuntu3.23
  From: procps/libprocps8@2:3.3.16-1ubuntu2.4 > systemd/libsystemd0@245.4-4ubuntu3.23
  and 6 more...

✗ Low severity vulnerability found in shadow/passwd
  Description: Arbitrary Code Injection
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-SHADOW-5425687
  Introduced through: shadow/passwd@1:4.8.1-1ubuntu5.20.04.5, adduser@3.118ubuntu2, shadow/login@1:4.8.1-1ubuntu5.20.04.5, util-linux/mount@2.34-0.1ubuntu9.6
  From: shadow/passwd@1:4.8.1-1ubuntu5.20.04.5
  From: adduser@3.118ubuntu2 > shadow/passwd@1:4.8.1-1ubuntu5.20.04.5
  From: shadow/login@1:4.8.1-1ubuntu5.20.04.5
  and 1 more...

✗ Low severity vulnerability found in shadow/passwd
  Description: Time-of-check Time-of-use (TOCTOU)
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-SHADOW-577863
  Introduced through: shadow/passwd@1:4.8.1-1ubuntu5.20.04.5, adduser@3.118ubuntu2, shadow/login@1:4.8.1-1ubuntu5.20.04.5, util-linux/mount@2.34-0.1ubuntu9.6
  From: shadow/passwd@1:4.8.1-1ubuntu5.20.04.5
  From: adduser@3.118ubuntu2 > shadow/passwd@1:4.8.1-1ubuntu5.20.04.5
  From: shadow/login@1:4.8.1-1ubuntu5.20.04.5
  and 1 more...

✗ Low severity vulnerability found in pcre3/libpcre3
  Description: Uncontrolled Recursion
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-PCRE3-580031
  Introduced through: pcre3/libpcre3@2:8.39-12ubuntu0.1, grep@3.4-1
  From: pcre3/libpcre3@2:8.39-12ubuntu0.1
  From: grep@3.4-1 > pcre3/libpcre3@2:8.39-12ubuntu0.1

✗ Low severity vulnerability found in ncurses/libtinfo6
  Description: CVE-2023-50495
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-NCURSES-6123866
  Introduced through: ncurses/libtinfo6@6.2-0ubuntu2.1, bash@5.0-6ubuntu1.2, ncurses/libncurses6@6.2-0ubuntu2.1, ncurses/ncurses-bin@6.2-0ubuntu2.1, procps@2:3.3.16-1ubuntu2.4, util-linux/fdisk@2.34-0.1ubuntu9.6, util-linux/mount@2.34-0.1ubuntu9.6, ncurses/libncursesw6@6.2-0ubuntu2.1, ncurses/ncurses-base@6.2-0ubuntu2.1
  From: ncurses/libtinfo6@6.2-0ubuntu2.1
  From: bash@5.0-6ubuntu1.2 > ncurses/libtinfo6@6.2-0ubuntu2.1
  From: ncurses/libncurses6@6.2-0ubuntu2.1 > ncurses/libtinfo6@6.2-0ubuntu2.1
  and 12 more...

✗ Low severity vulnerability found in ncurses/libtinfo6
  Description: CVE-2023-45918
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-NCURSES-6253014
  Introduced through: ncurses/libtinfo6@6.2-0ubuntu2.1, bash@5.0-6ubuntu1.2, ncurses/libncurses6@6.2-0ubuntu2.1, ncurses/ncurses-bin@6.2-0ubuntu2.1, procps@2:3.3.16-1ubuntu2.4, util-linux/fdisk@2.34-0.1ubuntu9.6, util-linux/mount@2.34-0.1ubuntu9.6, ncurses/libncursesw6@6.2-0ubuntu2.1, ncurses/ncurses-base@6.2-0ubuntu2.1
  From: ncurses/libtinfo6@6.2-0ubuntu2.1
  From: bash@5.0-6ubuntu1.2 > ncurses/libtinfo6@6.2-0ubuntu2.1
  From: ncurses/libncurses6@6.2-0ubuntu2.1 > ncurses/libtinfo6@6.2-0ubuntu2.1
  and 12 more...

✗ Low severity vulnerability found in krb5/libkrb5support0
  Description: Integer Overflow or Wraparound
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-KRB5-579303
  Introduced through: curl@7.68.0-1ubuntu2.22, krb5/krb5-locales@1.17-6ubuntu4.4
  From: curl@7.68.0-1ubuntu2.22 > curl/libcurl4@7.68.0-1ubuntu2.22 > krb5/libgssapi-krb5-2@1.17-6ubuntu4.4 > krb5/libkrb5support0@1.17-6ubuntu4.4
  From: curl@7.68.0-1ubuntu2.22 > curl/libcurl4@7.68.0-1ubuntu2.22 > krb5/libgssapi-krb5-2@1.17-6ubuntu4.4 > krb5/libk5crypto3@1.17-6ubuntu4.4 > krb5/libkrb5support0@1.17-6ubuntu4.4
  From: curl@7.68.0-1ubuntu2.22 > curl/libcurl4@7.68.0-1ubuntu2.22 > krb5/libgssapi-krb5-2@1.17-6ubuntu4.4 > krb5/libkrb5-3@1.17-6ubuntu4.4 > krb5/libkrb5support0@1.17-6ubuntu4.4
  and 6 more...
  Image layer: 'apt-get install -y curl'

✗ Low severity vulnerability found in gnupg2/gpgv
  Description: Out-of-bounds Write
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-GNUPG2-3035407
  Introduced through: gnupg2/gpgv@2.2.19-3ubuntu2.2, apt@2.0.10
  From: gnupg2/gpgv@2.2.19-3ubuntu2.2
  From: apt@2.0.10 > gnupg2/gpgv@2.2.19-3ubuntu2.2

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Use After Free
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-GLIBC-1297554
  Introduced through: glibc/libc-bin@2.31-0ubuntu9.15, glibc/libc6@2.31-0ubuntu9.15
  From: glibc/libc-bin@2.31-0ubuntu9.15
  From: glibc/libc6@2.31-0ubuntu9.15

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-GLIBC-2415100
  Introduced through: glibc/libc-bin@2.31-0ubuntu9.15, glibc/libc6@2.31-0ubuntu9.15
  From: glibc/libc-bin@2.31-0ubuntu9.15
  From: glibc/libc6@2.31-0ubuntu9.15

✗ Low severity vulnerability found in coreutils
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-COREUTILS-583876
  Introduced through: coreutils@8.30-3ubuntu2
  From: coreutils@8.30-3ubuntu2

✗ Medium severity vulnerability found in xz-utils/liblzma5
  Description: CVE-2020-22916
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-XZUTILS-5854646
  Introduced through: xz-utils/liblzma5@5.2.4-1ubuntu1.1
  From: xz-utils/liblzma5@5.2.4-1ubuntu1.1

✗ Medium severity vulnerability found in libgcrypt20
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-LIBGCRYPT20-6411449
  Introduced through: libgcrypt20@1.8.5-5ubuntu1.1, apt@2.0.10
  From: libgcrypt20@1.8.5-5ubuntu1.1
  From: apt@2.0.10 > apt/libapt-pkg6.0@2.0.10 > libgcrypt20@1.8.5-5ubuntu1.1
  From: apt@2.0.10 > gnupg2/gpgv@2.2.19-3ubuntu2.2 > libgcrypt20@1.8.5-5ubuntu1.1
  and 1 more...

✗ Medium severity vulnerability found in krb5/libkrb5support0
  Description: CVE-2024-26461
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-KRB5-6281066
  Introduced through: curl@7.68.0-1ubuntu2.22, krb5/krb5-locales@1.17-6ubuntu4.4
  From: curl@7.68.0-1ubuntu2.22 > curl/libcurl4@7.68.0-1ubuntu2.22 > krb5/libgssapi-krb5-2@1.17-6ubuntu4.4 > krb5/libkrb5support0@1.17-6ubuntu4.4
  From: curl@7.68.0-1ubuntu2.22 > curl/libcurl4@7.68.0-1ubuntu2.22 > krb5/libgssapi-krb5-2@1.17-6ubuntu4.4 > krb5/libk5crypto3@1.17-6ubuntu4.4 > krb5/libkrb5support0@1.17-6ubuntu4.4
  From: curl@7.68.0-1ubuntu2.22 > curl/libcurl4@7.68.0-1ubuntu2.22 > krb5/libgssapi-krb5-2@1.17-6ubuntu4.4 > krb5/libkrb5-3@1.17-6ubuntu4.4 > krb5/libkrb5support0@1.17-6ubuntu4.4
  and 6 more...
  Image layer: 'apt-get install -y curl'

✗ Medium severity vulnerability found in krb5/libkrb5support0
  Description: CVE-2024-26462
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-KRB5-6281072
  Introduced through: curl@7.68.0-1ubuntu2.22, krb5/krb5-locales@1.17-6ubuntu4.4
  From: curl@7.68.0-1ubuntu2.22 > curl/libcurl4@7.68.0-1ubuntu2.22 > krb5/libgssapi-krb5-2@1.17-6ubuntu4.4 > krb5/libkrb5support0@1.17-6ubuntu4.4
  From: curl@7.68.0-1ubuntu2.22 > curl/libcurl4@7.68.0-1ubuntu2.22 > krb5/libgssapi-krb5-2@1.17-6ubuntu4.4 > krb5/libk5crypto3@1.17-6ubuntu4.4 > krb5/libkrb5support0@1.17-6ubuntu4.4
  From: curl@7.68.0-1ubuntu2.22 > curl/libcurl4@7.68.0-1ubuntu2.22 > krb5/libgssapi-krb5-2@1.17-6ubuntu4.4 > krb5/libkrb5-3@1.17-6ubuntu4.4 > krb5/libkrb5support0@1.17-6ubuntu4.4
  and 6 more...
  Image layer: 'apt-get install -y curl'

✗ Medium severity vulnerability found in krb5/libkrb5support0
  Description: CVE-2024-26458
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-KRB5-6281078
  Introduced through: curl@7.68.0-1ubuntu2.22, krb5/krb5-locales@1.17-6ubuntu4.4
  From: curl@7.68.0-1ubuntu2.22 > curl/libcurl4@7.68.0-1ubuntu2.22 > krb5/libgssapi-krb5-2@1.17-6ubuntu4.4 > krb5/libkrb5support0@1.17-6ubuntu4.4
  From: curl@7.68.0-1ubuntu2.22 > curl/libcurl4@7.68.0-1ubuntu2.22 > krb5/libgssapi-krb5-2@1.17-6ubuntu4.4 > krb5/libk5crypto3@1.17-6ubuntu4.4 > krb5/libkrb5support0@1.17-6ubuntu4.4
  From: curl@7.68.0-1ubuntu2.22 > curl/libcurl4@7.68.0-1ubuntu2.22 > krb5/libgssapi-krb5-2@1.17-6ubuntu4.4 > krb5/libkrb5-3@1.17-6ubuntu4.4 > krb5/libkrb5support0@1.17-6ubuntu4.4
  and 6 more...
  Image layer: 'apt-get install -y curl'



Organization:      <name>
Package manager:   deb
Project name:      docker-image|miapp
Docker image:      miapp:latest
Platform:          linux/amd64
Licenses:          enabled

Tested 124 dependencies for known issues, found 17 issues.

Snyk wasn’t able to auto detect the base image, use `--file` option to get base image remediation advice.
Example: $ snyk container test miapp:latest --file=path/to/Dockerfile

To remove this message in the future, please run `snyk config set disableSuggestions=true`
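As an added example that is not part of the original post, the script below wraps the steps above into a CI gate: it scans the image together with its Dockerfile (the `--file` option Snyk's own output asks for above), fails on Medium or higher severity, and summarizes the text report by severity and by package. The `snyk` flags are real CLI options; the function names are ours.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: wrap `snyk container test`
# as a CI gate and summarize the text report format shown above.
# Assumptions: the snyk CLI is installed and authenticated (`snyk auth`),
# the image has already been built, and the functions below are our own.
set -eu

# Count findings per severity in a Snyk text report read from stdin.
# Report lines look like "✗ Low severity vulnerability found in pkg",
# so the severity is field 2 and the package is the last field.
count_by_severity() {
  { grep ' severity vulnerability found in ' || true; } \
    | awk '{ n[$2]++ } END { for (s in n) print s, n[s] }' \
    | sort
}

# Count findings per package, most affected package first.
count_by_package() {
  { grep ' severity vulnerability found in ' || true; } \
    | awk '{ n[$NF]++ } END { for (p in n) print n[p], p }' \
    | sort -rn
}

# Scan IMAGE and fail the build on Medium or higher severity.
#   --file lets Snyk detect the base image and suggest a newer tag
#   (the remediation advice the report above says it could not give).
#   --severity-threshold makes the exit status 1 only at or above Medium;
#   exit status 2 means the scan itself failed (e.g. not authenticated).
scan_and_gate() {
  image="$1"
  dockerfile="${2:-Dockerfile}"
  status=0
  report="$(snyk container test "$image" --file="$dockerfile" \
              --severity-threshold=medium)" || status=$?
  printf '%s\n' "$report"
  echo "--- findings by severity ---"
  printf '%s\n' "$report" | count_by_severity
  echo "--- most affected packages ---"
  printf '%s\n' "$report" | count_by_package | head -n 5
  return "$status"
}

# Usage: ./snyk-gate.sh miapp:latest Dockerfile
if [ "$#" -gt 0 ]; then
  scan_and_gate "$@"
fi
```

The summary helps decide what to fix first: findings concentrated in packages that come from the base image point to bumping the `FROM` tag, while those attributed to an `Image layer:` of your own point to the packages you install.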

Conclusion

Scanning Docker images for vulnerabilities is a fundamental practice for keeping containerized applications secure. With Snyk you can identify and effectively mitigate the vulnerabilities in your Docker images, protecting your runtime environment from potential threats.

This post is licensed under CC BY 4.0 by the author.
