Manually scan Go packages

This quickstart shows how to pull a container image, scan it manually with On-Demand Scanning, and retrieve the identified vulnerabilities in both system packages and Go packages. To follow the instructions in this quickstart you need Cloud Shell and the Alpine sample image.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the On-Demand Scanning API.

Download and scan the image

  1. Open Cloud Shell in your project.

    This opens a terminal that contains all the tools you need to follow this guide.

  2. Pull the container image with docker:

    docker pull golang:1.17.6-alpine
    
  3. Run the scan:

    gcloud artifacts docker images scan golang:1.17.6-alpine --additional-package-types=GO
    

    This triggers the scan and, once it completes, returns the scan name:

    ✓ Scanning container image
      ✓ Locally extracting packages and versions from local container image
      ✓ Remotely initiating analysis of packages and versions
      ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/849db1f8-2fb2-4559-9fe0-8720d8cd347c]
    Done.
    done: true
    metadata:
      '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
      createTime: '2022-01-11T16:58:11.711487Z'
      resourceUri: golang:1.16.13-alpine
    name: projects/my-project/locations/us/operations/f4adb1f8-20b2-4579-9fe0-8720d8cd347c
    response:
      '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse
      scan: projects/my-project/locations/us/scans/a54f12b0-ca2d-4d93-8da5-5cf48e9e20ef
    
  4. Retrieve the scan results using the scan name (the scan value in the output):

    gcloud artifacts docker images list-vulnerabilities \
    projects/my-project/locations/us/scans/a54f12b0-ca2d-4d93-8da5-5cf48e9e20ef
    

    The output contains a list of vulnerabilities in Go packages, the Go standard library, and Linux packages. The following labels indicate the type of Go vulnerability:

    • packageType:GO_STDLIB. Go standard library vulnerability. This means the vulnerability was found in the Go toolchain used to build the binary, or in the standard library bundled with that toolchain. A possible fix is to upgrade the build toolchain.

    • packageType:GO. Go package vulnerability. This means the vulnerability was found in a third-party package. A possible fix is to upgrade the dependent module.
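    To act on the list-vulnerabilities output at scale, it helps to group findings by packageType so that toolchain fixes (GO_STDLIB) and dependency upgrades (GO) land with the right owners. The script below is an added example, not part of the Google Cloud documentation; it assumes the results were exported with `--format=json` in a Grafeas-style layout (`noteName`, `vulnerability.severity`, `vulnerability.packageIssue[].packageType`, `affectedPackage`, `fixedVersion`), and the three records it parses are constructed samples with placeholder identifiers, not real scan output.

```python
import json
from collections import defaultdict

# Remediation hint per packageType, following the quickstart's guidance.
REMEDIATION = {
    "GO_STDLIB": "upgrade the Go build toolchain",
    "GO": "upgrade the dependent Go module",
    "OS": "update the Linux package",
}

# Constructed sample records (assumed field layout; note names and
# package versions are placeholders, not real findings).
SAMPLE_JSON = json.dumps([
    {"noteName": "projects/example-provider/notes/EXAMPLE-0001",
     "vulnerability": {"severity": "HIGH", "packageIssue": [
         {"affectedPackage": "stdlib", "affectedVersion": {"name": "1.17.6"},
          "fixedVersion": {"name": "1.17.8"}, "packageType": "GO_STDLIB"}]}},
    {"noteName": "projects/example-provider/notes/EXAMPLE-0002",
     "vulnerability": {"severity": "MEDIUM", "packageIssue": [
         {"affectedPackage": "golang.org/x/text", "affectedVersion": {"name": "0.3.6"},
          "fixedVersion": {"name": "0.3.7"}, "packageType": "GO"}]}},
    {"noteName": "projects/example-provider/notes/EXAMPLE-0003",
     "vulnerability": {"severity": "LOW", "packageIssue": [
         {"affectedPackage": "busybox", "affectedVersion": {"name": "1.34.1-r3"},
          "fixedVersion": {"name": ""}, "packageType": "OS"}]}},
])


def triage(raw_json):
    """Group findings by packageType.

    Returns {packageType: [(note_id, package, severity, fixed_version, hint)]};
    fixed_version is None when the scanner reports no fixed version.
    """
    groups = defaultdict(list)
    for occ in json.loads(raw_json):
        vuln = occ.get("vulnerability", {})
        severity = vuln.get("severity", "UNKNOWN")
        note_id = occ.get("noteName", "").rsplit("/", 1)[-1]
        for issue in vuln.get("packageIssue", []):
            ptype = issue.get("packageType", "OS")
            fixed = issue.get("fixedVersion", {}).get("name") or None
            hint = REMEDIATION.get(ptype, "review manually")
            groups[ptype].append((note_id, issue.get("affectedPackage"), severity, fixed, hint))
    return dict(groups)


if __name__ == "__main__":
    for ptype, findings in sorted(triage(SAMPLE_JSON).items()):
        print(f"{ptype}: {len(findings)} finding(s)")
        for note_id, pkg, sev, fixed, hint in findings:
            print(f"  {note_id} {pkg} [{sev}] fix={fixed or 'none'} -> {hint}")
```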

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

  1. In the Google Cloud console, go to the Manage resources page.

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

What's next