이미지의 메타데이터 제공

특정 비즈니스 니즈를 충족하기 위해 컨테이너 분석에 자체 취약점 메타데이터를 제공할 수 있습니다. 예를 들어 고객의 Docker 컨테이너에 보안 관리를 제공하는 조직은 컨테이너 분석을 사용하여 이러한 이미지의 보안 관련 메타데이터를 저장하고 검색할 수 있습니다.

Container Analysis API를 사용하여 이미지의 커스텀 취약점 메타데이터를 제공하려면 아래 단계를 따르세요. 동일한 지침에 따라 컨테이너 분석이 지원하는 종류의 메타데이터를 저장하고 검색할 수 있습니다.

시작하기 전에

  1. Container Analysis API 사용 설정

  2. 컨테이너 분석 개요 읽기

  3. 프로젝트의 컨테이너 분석 액세스 제어를 구성하는 방법 알아보기

프로젝트에 대한 취약점 메모와 어커런스 작성

이 섹션에서는 타사 취약성 제공자가 사용자의 프로젝트에 대한 메모와 어커런스를 생성하는 방법을 설명합니다.

제공자는 프로젝트에서 각각의 취약점 유형에 대한 메모를 작성하며, 해당 취약점의 발생에 대한 어커런스를 고객의 프로젝트에서 생성하게 됩니다.

메모 만들기

메모 작성 방법:

API

  1. 취약점 설명과 세부정보가 포함된 note.json이라는 파일을 만듭니다. 다음 코드는 note.json 파일의 예시를 보여줍니다.

         {
             "shortDescription": "A brief Description of the note",
             "longDescription": "A longer description of the note",
             "kind": "PACKAGE_VULNERABILITY",
             "vulnerabilityType": {
                 "details": [
                 {
                     "package": "libexempi3",
                     "cpeUri": "cpe:/o:debian:debian_linux:7",
                     "minAffectedVersion": { "name": "2.5.7", "revision": "1"},
                     "maxAffectedVersion": { "name": "2.5.9", "revision": "1"},
                 },
                 {
                     "cpeUri": "something else"
                 }
                 ]
             }
         }
    
  2. 다음 curl 명령어를 실행해 [PROVIDER_PROJECT_ID]가 프로젝트 ID가 되는 메모를 작성합니다.

    curl -X POST -H "Content-Type: application/json" -H \
        "Authorization: Bearer $(gcloud auth print-access-token)" \
        https://containeranalysis.googleapis.com/v1/projects/[PROVIDER_PROJECT_ID]/notes?note_id=[NOTE_ID] -d @note.json
    

자바

Container Registry용 클라이언트 라이브러리를 설치하고 사용하는 방법은 Container Registry 클라이언트 라이브러리에서 확인할 수 있습니다. 자세한 내용은 Container Registry 자바 API 참조 문서를 확인하세요.

import com.google.cloud.devtools.containeranalysis.v1.ContainerAnalysisClient;
import io.grafeas.v1.GrafeasClient;
import io.grafeas.v1.Note;
import io.grafeas.v1.ProjectName;
import io.grafeas.v1.Version;
import io.grafeas.v1.VulnerabilityNote;
import java.io.IOException;
import java.lang.InterruptedException;

public class CreateNote {

  // Creates and returns a new Note
  public static Note createNote(String noteId, String projectId)
      throws IOException, InterruptedException {
    // String noteId = "my-note";
    // String projectId = "my-project-id";
    final String projectName = ProjectName.format(projectId);

    Note newNote = Note.newBuilder()
        // Associate the Note with the metadata type
        // https://cloud.google.com/container-registry/docs/container-analysis#supported_metadata_types
        // Here, we use the type "vulnerability"
        .setVulnerability(VulnerabilityNote.newBuilder()
            .addDetails(VulnerabilityNote.Detail.newBuilder()
                .setAffectedCpeUri("your-uri-here")
                .setAffectedPackage("your-package-here")
                .setAffectedVersionStart(Version.newBuilder()
                    .setKind(Version.VersionKind.MINIMUM))
                .setAffectedVersionEnd(Version.newBuilder()
                    .setKind(Version.VersionKind.MAXIMUM))))
        .build();

    // Initialize client that will be used to send requests. After completing all of your requests,
    // call the "close" method on the client to safely clean up any remaining background resources.
    GrafeasClient client = ContainerAnalysisClient.create().getGrafeasClient();
    Note result = client.createNote(projectName, noteId, newNote);
    return result;
  }
}

Go

Container Registry용 클라이언트 라이브러리를 설치하고 사용하는 방법은 Container Registry 클라이언트 라이브러리에서 확인할 수 있습니다. 자세한 내용은 Container Registry Go API 참조 문서를 확인하세요.


import (
	"context"
	"fmt"

	containeranalysis "cloud.google.com/go/containeranalysis/apiv1"
	grafeaspb "google.golang.org/genproto/googleapis/grafeas/v1"
)

// createNote creates and returns a new vulnerability Note.
func createNote(noteID, projectID string) (*grafeaspb.Note, error) {
	ctx := context.Background()
	client, err := containeranalysis.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("NewClient: %v", err)
	}
	defer client.Close()

	projectName := fmt.Sprintf("projects/%s", projectID)

	req := &grafeaspb.CreateNoteRequest{
		Parent: projectName,
		NoteId: noteID,
		Note: &grafeaspb.Note{
			Type: &grafeaspb.Note_Vulnerability{
				// The 'Vulnerability' field can be modified to contain information about your vulnerability.
				Vulnerability: &grafeaspb.VulnerabilityNote{
					Details: []*grafeaspb.VulnerabilityNote_Detail{
						{
							AffectedCpeUri:  "your-uri-here",
							AffectedPackage: "your-package-here",
							AffectedVersionStart: &grafeaspb.Version{
								Kind: grafeaspb.Version_MINIMUM,
							},
							AffectedVersionEnd: &grafeaspb.Version{
								Kind: grafeaspb.Version_MAXIMUM,
							},
						},
					},
				},
			},
		},
	}

	return client.GetGrafeasClient().CreateNote(ctx, req)
}

Node.js

Container Registry용 클라이언트 라이브러리를 설치하고 사용하는 방법은 Container Registry 클라이언트 라이브러리에서 확인할 수 있습니다. 자세한 내용은 Container Registry Node.js API 참조 문서를 확인하세요.

/**
 * TODO(developer): Uncomment these variables before running the sample
 */
// const projectId = 'your-project-id', // Your GCP Project ID
// const noteId = 'my-note-id' // Id of the note

// Import the library and create a client
const {ContainerAnalysisClient} = require('@google-cloud/containeranalysis');
const client = new ContainerAnalysisClient();

// Construct request
// Associate the Note with a metadata type
// https://cloud.google.com/container-registry/docs/container-analysis#supported_metadata_types
// Here, we use the type "vulnerabiltity"
const formattedParent = client.getGrafeasClient().projectPath(projectId);

// Creates and returns a new Note
const [note] = await client.getGrafeasClient().createNote({
  parent: formattedParent,
  noteId: noteId,
  note: {
    vulnerability: {
      details: [
        {
          affectedCpeUri: 'foo.uri',
          affectedPackage: 'foo',
          affectedVersionStart: {
            kind: 'MINIMUM',
          },
          affectedVersionEnd: {
            kind: 'MAXIMUM',
          },
        },
      ],
    },
  },
});

console.log(`Note ${note.name} created.`);

Ruby

Container Registry용 클라이언트 라이브러리를 설치하고 사용하는 방법은 Container Registry 클라이언트 라이브러리에서 확인할 수 있습니다. 자세한 내용은 Container Registry Ruby API 참조 문서를 확인하세요.

# note_id    = "A user-specified identifier for the note"
# project_id = "Your Google Cloud project ID"

require "google/cloud/container_analysis"

# Initialize the client
client = Google::Cloud::ContainerAnalysis.container_analysis.grafeas_client

parent = client.project_path project: project_id
note = {
  vulnerability: {
    details: [
      {
        affected_cpe_uri:       "your-uri-here",
        affected_package:       "your-package-here",
        affected_version_start: { kind: :MINIMUM },
        fixed_version:          { kind: :MAXIMUM }
      }
    ]
  }
}
response = client.create_note parent: parent, note_id: note_id, note: note
puts response.name

Python

Container Registry용 클라이언트 라이브러리를 설치하고 사용하는 방법은 Container Registry 클라이언트 라이브러리에서 확인할 수 있습니다. 자세한 내용은 Container Registry Python API 참조 문서를 확인하세요.

def create_note(note_id, project_id):
    """Creates and returns a new vulnerability note."""
    # note_id = 'my-note'
    # project_id = 'my-gcp-project'

    from grafeas.grafeas_v1.gapic.enums import Version
    from google.cloud.devtools import containeranalysis_v1

    client = containeranalysis_v1.ContainerAnalysisClient()
    grafeas_client = client.get_grafeas_client()
    project_name = grafeas_client.project_path(project_id)
    note = {
        'vulnerability': {
            'details': [
                {
                    'affected_cpe_uri': 'your-uri-here',
                    'affected_package': 'your-package-here',
                    'affected_version_start': {
                        'kind': Version.VersionKind.MINIMUM
                    },
                    'fixed_version': {
                        'kind': Version.VersionKind.MAXIMUM
                    }
                }
            ]
        }
    }
    response = grafeas_client.create_note(project_name, note_id, note)
    return response

메모에 대한 어커런스 만들기

메모에 대한 어커런스 생성 방법:

API

  1. 다음 콘텐츠로 occurrence.json이라는 파일을 만듭니다.

         {
             "resourceUrl": "<resource_url>",
             "noteName": "projects/<provider-project-id>/notes/<note_id>",
             "kind": "PACKAGE_VULNERABILITY",
             "vulnerabilityDetails": {
                 "packageIssue": [{
                     "affectedLocation": {
                         "cpeUri": "7",
                         "package": "a",
                         "version":  {
                             "epoch": "1"
                             "name": "namestring"
                             "revision": "r"
                         },
                     },
                     "fixedLocation": {
                         "cpeUri": "cpe:/o:debian:debian_linux:7",
                         "package": "a",
                         "version":  {
                             "epoch": "2"
                             "name": "namestring"
                             "revision": "1"
                         }
                     }
                 }]
             }
         }
    
  2. [CUSTOMER_PROJECT_ID]가 고객의 프로젝트 ID가 되는 다음 curl 명령어를 실행합니다.

    curl -v -X POST -H "Content-Type: application/json" -H \
        "Authorization: Bearer $(gcloud auth print-access-token)" \
        https://containeranalysis.googleapis.com/v1/projects/[CUSTOMER_PROJECT_ID]/occurrences -d @occurrence.json
    

자바

Container Registry용 클라이언트 라이브러리를 설치하고 사용하는 방법은 Container Registry 클라이언트 라이브러리에서 확인할 수 있습니다. 자세한 내용은 Container Registry 자바 API 참조 문서를 확인하세요.

import com.google.cloud.devtools.containeranalysis.v1.ContainerAnalysisClient;
import io.grafeas.v1.GrafeasClient;
import io.grafeas.v1.NoteName;
import io.grafeas.v1.Occurrence;
import io.grafeas.v1.ProjectName;
import io.grafeas.v1.Version;
import io.grafeas.v1.VulnerabilityOccurrence;
import io.grafeas.v1.VulnerabilityOccurrence.PackageIssue;
import java.io.IOException;
import java.lang.InterruptedException;

public class CreateOccurrence {
  // Creates and returns a new vulnerability Occurrence associated with an existing Note
  public static Occurrence createOccurrence(String resourceUrl, String noteId,
      String occProjectId, String noteProjectId) throws IOException, InterruptedException {
    // String resourceUrl = "https://gcr.io/project/image@sha256:123";
    // String noteId = "my-note";
    // String occProjectId = "my-project-id";
    // String noteProjectId = "my-project-id";
    final NoteName noteName = NoteName.of(noteProjectId, noteId);
    final String occProjectName = ProjectName.format(occProjectId);

    Occurrence newOcc = Occurrence.newBuilder()
        .setNoteName(noteName.toString())
        .setResourceUri(resourceUrl)
        .setVulnerability(VulnerabilityOccurrence.newBuilder()
            .addPackageIssue(PackageIssue.newBuilder()
                .setAffectedCpeUri("your-uri-here")
                .setAffectedPackage("your-package-here")
                .setAffectedVersion(Version.newBuilder()
                    .setKind(Version.VersionKind.MINIMUM))
                .setFixedVersion(Version.newBuilder()
                    .setKind(Version.VersionKind.MAXIMUM))))
        .build();

    // Initialize client that will be used to send requests. After completing all of your requests,
    // call the "close" method on the client to safely clean up any remaining background resources.
    GrafeasClient client = ContainerAnalysisClient.create().getGrafeasClient();
    Occurrence result = client.createOccurrence(occProjectName, newOcc);
    return result;
  }
}

Go

Container Registry용 클라이언트 라이브러리를 설치하고 사용하는 방법은 Container Registry 클라이언트 라이브러리에서 확인할 수 있습니다. 자세한 내용은 Container Registry Go API 참조 문서를 확인하세요.


import (
	"context"
	"fmt"

	containeranalysis "cloud.google.com/go/containeranalysis/apiv1"
	grafeaspb "google.golang.org/genproto/googleapis/grafeas/v1"
)

// createsOccurrence creates and returns a new Occurrence of a previously created vulnerability Note.
func createOccurrence(resourceURL, noteID, occProjectID, noteProjectID string) (*grafeaspb.Occurrence, error) {
	// resourceURL := fmt.Sprintf("https://gcr.io/my-project/my-image")
	// noteID := fmt.Sprintf("my-note")
	ctx := context.Background()
	client, err := containeranalysis.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("NewClient: %v", err)
	}
	defer client.Close()

	req := &grafeaspb.CreateOccurrenceRequest{
		Parent: fmt.Sprintf("projects/%s", occProjectID),
		Occurrence: &grafeaspb.Occurrence{
			NoteName: fmt.Sprintf("projects/%s/notes/%s", noteProjectID, noteID),
			// Attach the occurrence to the associated resource uri.
			ResourceUri: resourceURL,
			// Details about the vulnerability instance can be added here.
			Details: &grafeaspb.Occurrence_Vulnerability{
				Vulnerability: &grafeaspb.VulnerabilityOccurrence{
					PackageIssue: []*grafeaspb.VulnerabilityOccurrence_PackageIssue{
						{
							AffectedCpeUri:  "your-uri-here",
							AffectedPackage: "your-package-here",
							AffectedVersion: &grafeaspb.Version{
								Kind: grafeaspb.Version_MINIMUM,
							},
							FixedVersion: &grafeaspb.Version{
								Kind: grafeaspb.Version_MAXIMUM,
							},
						},
					},
				},
			},
		},
	}
	return client.GetGrafeasClient().CreateOccurrence(ctx, req)
}

Node.js

Container Registry용 클라이언트 라이브러리를 설치하고 사용하는 방법은 Container Registry 클라이언트 라이브러리에서 확인할 수 있습니다. 자세한 내용은 Container Registry Node.js API 참조 문서를 확인하세요.

/**
 * TODO(developer): Uncomment these variables before running the sample
 */
// const noteProjectId = 'your-project-id', // Your GCP Project Id
// const noteId = 'my-note-id', // Id of the note
// const occurrenceProjectId = 'your-project-id', // GCP Project Id of Occurrence
// const imageUrl = 'https://gcr.io/my-project/my-image:123' // Image to attach metadata to

// Import the library and create a client
const {ContainerAnalysisClient} = require('@google-cloud/containeranalysis');
const client = new ContainerAnalysisClient();

// Construct request
const formattedParent = client
  .getGrafeasClient()
  .projectPath(occurrenceProjectId);
const formattedNote = client
  .getGrafeasClient()
  .notePath(noteProjectId, noteId);

// Creates and returns a new Occurrence associated with an existing Note
const [occurrence] = await client.getGrafeasClient().createOccurrence({
  parent: formattedParent,
  occurrence: {
    noteName: formattedNote,
    resourceUri: imageUrl,
    vulnerability: {
      packageIssue: [
        {
          affectedCpeUri: 'foo.uri',
          affectedPackage: 'foo',
          affectedVersion: {
            kind: 'MINIMUM',
          },
          fixedVersion: {
            kind: 'MAXIMUM',
          },
        },
      ],
    },
  },
});
console.log(`Occurrence created ${occurrence.name}.`);
return occurrence;

Ruby

Container Registry용 클라이언트 라이브러리를 설치하고 사용하는 방법은 Container Registry 클라이언트 라이브러리에서 확인할 수 있습니다. 자세한 내용은 Container Registry Ruby API 참조 문서를 확인하세요.

# resource_url       = "The URL of the resource associated with the occurrence."
#                      # e.g. https://gcr.io/project/image@sha256:123
# note_id            = "The identifier of the note associated with the occurrence"
# occurrence_project = "The Google Cloud project ID for the new occurrence"
# note_project       = "The Google Cloud project ID of the associated note"

require "google/cloud/container_analysis"

# Initialize the client
client = Google::Cloud::ContainerAnalysis.container_analysis.grafeas_client
note_path = client.note_path project: note_project, note: note_id
project_path = client.project_path project: occurrence_project

occurrence = {
  note_name:     note_path,
  resource_uri:  resource_url,
  vulnerability: {
    package_issue: [
      {
        affected_cpe_uri: "your-uri-here:",
        affected_package: "your-package-here",
        affected_version: { kind: :MINIMUM },
        fixed_version:    { kind: :MAXIMUM }
      }
    ]
  }
}

response = client.create_occurrence parent: project_path, occurrence: occurrence
puts response.name

Python

Container Registry용 클라이언트 라이브러리를 설치하고 사용하는 방법은 Container Registry 클라이언트 라이브러리에서 확인할 수 있습니다. 자세한 내용은 Container Registry Python API 참조 문서를 확인하세요.

def create_occurrence(resource_url, note_id, occurrence_project, note_project):
    """ Creates and returns a new occurrence of a previously
    created vulnerability note."""
    # resource_url = 'https://gcr.io/my-project/my-image@sha256:123'
    # note_id = 'my-note'
    # occurrence_project = 'my-gcp-project'
    # note_project = 'my-gcp-project'

    from grafeas.grafeas_v1.gapic.enums import Version
    from google.cloud.devtools import containeranalysis_v1

    client = containeranalysis_v1.ContainerAnalysisClient()
    grafeas_client = client.get_grafeas_client()
    formatted_note = grafeas_client.note_path(note_project, note_id)
    formatted_project = grafeas_client.project_path(occurrence_project)

    occurrence = {
        'note_name': formatted_note,
        'resource_uri': resource_url,
        'vulnerability': {
            'package_issue': [
                {
                    'affected_cpe_uri': 'your-uri-here',
                    'affected_package': 'your-package-here',
                    'affected_version': {
                        'kind': Version.VersionKind.MINIMUM
                    },
                    'fixed_version': {
                        'kind': Version.VersionKind.MAXIMUM
                    }
                }
            ]
        }
    }

    return grafeas_client.create_occurrence(formatted_project, occurrence)

특정 메모의 어커런스 모두 가져오기

notes.occurrences.list()를 사용하면 고객의 전체 프로젝트에서 특정 취약점의 어커런스를 모두 확인할 수 있습니다.

API

메모의 어커런스를 모두 나열하려면 다음과 같은 GET 요청을 보내야 합니다.

GET https://containeranalysis.googleapis.com/v1/projects/PROJECT_ID/notes/NOTE_ID/occurrences

자세한 내용은 projects.notes.occurrences.list API 엔드포인트를 참조하세요.

자바

Container Registry용 클라이언트 라이브러리를 설치하고 사용하는 방법은 Container Registry 클라이언트 라이브러리에서 확인할 수 있습니다. 자세한 내용은 Container Registry 자바 API 참조 문서를 확인하세요.

import static java.lang.Thread.sleep;

import com.google.cloud.devtools.containeranalysis.v1.ContainerAnalysisClient;
import io.grafeas.v1.GrafeasClient;
import io.grafeas.v1.ListNoteOccurrencesRequest;
import io.grafeas.v1.NoteName;
import io.grafeas.v1.Occurrence;
import java.io.IOException;
import java.lang.InterruptedException;

public class OccurrencesForNote {
  // Retrieves all the Occurrences associated with a specified Note
  // Here, all Occurrences are printed and counted
  public static int getOccurrencesForNote(String noteId, String projectId)
      throws IOException, InterruptedException {
    // String noteId = "my-note";
    // String projectId = "my-project-id";
    final NoteName noteName = NoteName.of(projectId, noteId);

    ListNoteOccurrencesRequest request = ListNoteOccurrencesRequest.newBuilder()
                                                                   .setName(noteName.toString())
                                                                   .build();

    // Initialize client that will be used to send requests. After completing all of your requests,
    // call the "close" method on the client to safely clean up any remaining background resources.
    GrafeasClient client = ContainerAnalysisClient.create().getGrafeasClient();
    int i = 0;
    for (Occurrence o : client.listNoteOccurrences(request).iterateAll()) {
      // Write custom code to process each Occurrence here
      System.out.println(o.getName());
      i = i + 1;
    }
    return i;
  }
}

Go

Container Registry용 클라이언트 라이브러리를 설치하고 사용하는 방법은 Container Registry 클라이언트 라이브러리에서 확인할 수 있습니다. 자세한 내용은 Container Registry Go API 참조 문서를 확인하세요.


import (
	"context"
	"fmt"
	"io"

	containeranalysis "cloud.google.com/go/containeranalysis/apiv1"
	"google.golang.org/api/iterator"
	grafeaspb "google.golang.org/genproto/googleapis/grafeas/v1"
)

// getOccurrencesForNote retrieves all the Occurrences associated with a specified Note.
// Here, all Occurrences are printed and counted.
func getOccurrencesForNote(w io.Writer, noteID, projectID string) (int, error) {
	// noteID := fmt.Sprintf("my-note")
	ctx := context.Background()
	client, err := containeranalysis.NewClient(ctx)
	if err != nil {
		return -1, fmt.Errorf("NewClient: %v", err)
	}
	defer client.Close()

	req := &grafeaspb.ListNoteOccurrencesRequest{
		Name: fmt.Sprintf("projects/%s/notes/%s", projectID, noteID),
	}
	it := client.GetGrafeasClient().ListNoteOccurrences(ctx, req)
	count := 0
	for {
		occ, err := it.Next()
		if err == iterator.Done {
			break
		}
		if err != nil {
			return -1, fmt.Errorf("occurrence iteration error: %v", err)
		}
		// Write custom code to process each Occurrence here.
		fmt.Fprintln(w, occ)
		count = count + 1
	}
	return count, nil
}

Node.js

Container Registry용 클라이언트 라이브러리를 설치하고 사용하는 방법은 Container Registry 클라이언트 라이브러리에서 확인할 수 있습니다. 자세한 내용은 Container Registry Node.js API 참조 문서를 확인하세요.

/**
 * TODO(developer): Uncomment these variables before running the sample
 */
// const projectId = 'your-project-id', // Your GCP Project ID
// const noteId = 'my-note-id' // Id of the note

// Import the library and create a client
const {ContainerAnalysisClient} = require('@google-cloud/containeranalysis');
const client = new ContainerAnalysisClient();

// Get path to Note
const formattedNote = client.notePath(projectId, noteId);

// Retrieves all the Occurrences associated with a specified Note
const [occurrences] = await client.getGrafeasClient().listNoteOccurrences({
  name: formattedNote,
});

if (occurrences.length) {
  console.log('Occurrences:');
  occurrences.forEach(occurrence => {
    console.log(`${occurrence.name}:`);
  });
} else {
  console.log('No occurrences found.');
}

Ruby

Container Registry용 클라이언트 라이브러리를 설치하고 사용하는 방법은 Container Registry 클라이언트 라이브러리에서 확인할 수 있습니다. 자세한 내용은 Container Registry Ruby API 참조 문서를 확인하세요.

  # note_id    = "The identifier for the note to query"
  # project_id = "The Google Cloud project ID of the occurrences to retrieve"

  require "google/cloud/container_analysis"

  # Initialize the client
  client = Google::Cloud::ContainerAnalysis.container_analysis.grafeas_client

  name = client.note_path project: project_id, note: note_id
  count = 0
  client.list_note_occurrences(name: name).each do |occurrence|
    # Process occurrence here
    puts occurrence
    count += 1
  end
  puts "Found #{count} occurrences"
  count
end

def get_discovery_info resource_url:, project_id:
  # resource_url = "The URL of the resource associated with the occurrence."
  #                # e.g. https://gcr.io/project/image@sha256:123
  # project_id   = "The Google Cloud project ID of the occurrences to retrieve"

  require "google/cloud/container_analysis"

  # Initialize the client
  client = Google::Cloud::ContainerAnalysis.container_analysis.grafeas_client

  parent = client.project_path project: project_id
  filter = "kind = \"DISCOVERY\" AND resourceUrl = \"#{resource_url}\""
  client.list_occurrences(parent: parent, filter: filter).each do |occurrence|
    # Process discovery occurrence here
    puts occurrence
  end
end

def occurrence_pubsub subscription_id:, timeout_seconds:, project_id:
  # subscription_id = "A user-specified identifier for the new subscription"
  # timeout_seconds = "The number of seconds to listen for new Pub/Sub messages"
  # project_id      = "Your Google Cloud project ID"

  require "google/cloud/pubsub"

  pubsub = Google::Cloud::Pubsub.new project: project_id
  topic = pubsub.topic "container-analysis-occurrences-v1"
  subscription = topic.subscribe subscription_id

  count = 0
  subscriber = subscription.listen do |received_message|
    count += 1
    # Process incoming occurrence here
    puts "Message #{count}: #{received_message.data}"
    received_message.acknowledge!
  end
  subscriber.start
  # Wait for incomming occurrences
  sleep timeout_seconds
  subscriber.stop.wait!
  subscription.delete
  # Print and return the total number of Pub/Sub messages received
  puts "Total Messages Received: #{count}"
  count
end

# rubocop:disable Metrics/MethodLength

def poll_discovery_finished resource_url:, timeout_seconds:, project_id:
  # resource_url    = "The URL of the resource associated with the occurrence."
  #                   # e.g. https://gcr.io/project/image@sha256:123
  # timeout_seconds = "The number of seconds to wait for the discovery occurrence"
  # project_id      = "Your Google Cloud project ID"

  require "google/cloud/container_analysis"

  deadline = Time.now + timeout_seconds

  # Initialize the client
  client = Google::Cloud::ContainerAnalysis.container_analysis.grafeas_client
  parent = client.project_path project: project_id

  # Find the discovery occurrence using a filter string
  discovery_occurrence = nil
  while discovery_occurrence.nil?
    begin
      filter = "resourceUrl=\"#{resource_url}\" " \
               'AND noteProjectId="goog-analysis" ' \
               'AND noteId="PACKAGE_VULNERABILITY"'
      # The above filter isn't testable, since it looks for occurrences in a
      # locked down project. Fall back to a more permissive filter for testing
      filter = "kind = \"DISCOVERY\" AND resourceUrl = \"#{resource_url}\""
      # Only the discovery occurrence should be returned for the given filter
      discovery_occurrence = client.list_occurrences(parent: parent, filter: filter).first
    rescue StandardError # If there is an error, keep trying until the deadline
      puts "discovery occurrence not yet found"
    ensure
      # check for timeout
      sleep 1
      raise "Timeout while retrieving discovery occurrence." if Time.now > deadline
    end
  end

  # Wait for the discovery occurrence to enter a terminal state
  status = Grafeas::V1::DiscoveryOccurrence::AnalysisStatus::PENDING
  until [:FINISHED_SUCCESS, :FINISHED_FAILED, :FINISHED_UNSUPPORTED].include? status
    # Update occurrence
    begin
      updated = client.get_occurrence name: discovery_occurrence.name
      status = updated.discovery.analysis_status
    rescue StandardError # If there is an error, keep trying until the deadline
      puts "discovery occurrence not yet in terminal state"
    ensure
      # check for timeout
      sleep 1
      raise "Timeout while retrieving discovery occurrence." if Time.now > deadline
    end
  end
  puts "Found discovery occurrence #{updated.name}."
  puts "Status: #{updated.discovery.analysis_status}"
  updated
end

# rubocop:enable Metrics/MethodLength

def find_vulnerabilities_for_image resource_url:, project_id:
  # resource_url = "The URL of the resource associated with the occurrence
  #                e.g. https://gcr.io/project/image@sha256:123"
  # project_id   = "The Google Cloud project ID of the vulnerabilities to find"

  require "google/cloud/container_analysis"

  # Initialize the client
  client = Google::Cloud::ContainerAnalysis.container_analysis.grafeas_client

  parent = client.project_path project: project_id
  filter = "resourceUrl = \"#{resource_url}\" AND kind = \"VULNERABILITY\""
  client.list_occurrences parent: parent, filter: filter
end

def find_high_severity_vulnerabilities_for_image resource_url:, project_id:
  # resource_url = "The URL of the resource associated with the occurrence,
  #                 e.g. https://gcr.io/project/image@sha256:123"
  # project_id   = "The Google Cloud project ID of the vulnerabilities to find"

  require "google/cloud/container_analysis"

  # Initialize the client
  client = Google::Cloud::ContainerAnalysis.container_analysis.grafeas_client

  parent = client.project_path project: project_id
  filter = "resourceUrl = \"#{resource_url}\" AND kind = \"VULNERABILITY\""
  vulnerability_list = client.list_occurrences parent: parent, filter: filter
  # Filter the list to include only "high" and "critical" vulnerabilities
  vulnerability_list.select do |item|
    [:HIGH, :CRITICAL].include? item.vulnerability.effective_severity
  end
end

Python

Container Registry용 클라이언트 라이브러리를 설치하고 사용하는 방법은 Container Registry 클라이언트 라이브러리에서 확인할 수 있습니다. 자세한 내용은 Container Registry Python API 참조 문서를 확인하세요.

def get_occurrences_for_note(note_id, project_id):
    """Retrieves all the occurrences associated with a specified Note.
    Here, all occurrences are printed and counted."""
    # note_id = 'my-note'
    # project_id = 'my-gcp-project'

    from google.cloud.devtools import containeranalysis_v1

    client = containeranalysis_v1.ContainerAnalysisClient()
    grafeas_client = client.get_grafeas_client()
    note_name = grafeas_client.note_path(project_id, note_id)

    response = grafeas_client.list_note_occurrences(note_name)
    count = 0
    for o in response:
        # do something with the retrieved occurrence
        # in this sample, we will simply count each one
        count += 1
    return count

다음 단계

  • Container Registry의 이미지에 대한 메모 및 어커런스를 확인하고 필터링하는 방법은 이미지 취약점 가져오기를 참조하세요.

  • 알림을 설정하는 방법은 Pub/Sub 알림을 참조하세요.