代码中增加如下配置
dbOpt.SkipDBUpdate = true//跳过漏洞库升级
cliOpt.Target = srcName
cliOpt.OfflineScan = true//离线扫描
cliOpt.SecurityChecks = []string{"vuln"}//扫描漏洞
cliOpt.DBOptions = dbOpt
cliOpt.GlobalOptions.CacheDir = utils.DefaultCacheDir()//默认的漏洞库目录
cliOpt.VulnType = []string{types.VulnTypeOS, types.VulnTypeLibrary}//扫描漏洞的种类可以参考如下链接
运行结果:
扫描 clamav/clamav:latest 镜像
打印结果如下:
2023-01-09T13:33:47.601+0800 INFO Vulnerability scanning is enabled
2023-01-09T13:33:53.577+0800 INFO Detected OS: alpine
2023-01-09T13:33:53.577+0800 INFO Detecting Alpine vulnerabilities...
2023-01-09T13:33:53.657+0800 INFO Number of language-specific files: 0
{"SchemaVersion":2,"ArtifactName":"8e0128f75969","ArtifactType":"container_image","Metadata":{"OS":{"Family":"alpine","Name":"3.16.2"},"ImageID":"sha256:8e0128f759690f30ae8f6e20e51e78883e7cec3755ed6a8db91eef656acada4d","DiffIDs":["sha256:994393dc58e7931862558d06e46aa2bb17487044f670f310dffe1d24e4d1eec7","sha256:c7d338cee60fca734eb2da3acaea4cce8ebaa561714f480f9faffc7f57e2eca0","sha256:bc5d252df8003da09581a75cd073c1ed81897893cc3b83d545a3659696295492","sha256:df8879937c6935b9f846a773ff96ed70afa2340fa278e3c9d9fa8380df69c5e0","sha256:cd9348c203fb921a1163ad11e58b5f7e1e0cba377f8506a771db3b57729313c9","sha256:ed0626f7d56a904f7dc129c2c8b0e4e03b8b1a7f7bb54dc0329801d821f0b5dc"],"RepoTags":["192.168.1.94:443/deploy/clamav/clamav:latest","clamav/clamav:latest"],"RepoDigests":["192.168.1.94:443/deploy/clamav/clamav@sha256:0353dfffc8e8d6e035208e380cdc0f7f64299b849acef4b20ca8d87d874ba409","clamav/clamav@sha256:0353dfffc8e8d6e035208e380cdc0f7f64299b849acef4b20ca8d87d874ba409"],"ImageConfig":{"architecture":"amd64","container":"8e9683c9fcf5396cf97794772709c1f36b8a11deeccd66165543a725d3fdfc39","created":"2022-09-01T00:13:35.430404938Z","docker_version":"20.10.17+azure-3","history":[{"created":"2022-08-09T17:19:53Z","created_by":"/bin/sh -c #(nop) ADD file:2a949686d9886ac7c10582a6c29116fd29d3077d02755e87e111870d63607725 in / "},{"created":"2022-08-09T17:19:53Z","created_by":"/bin/sh -c #(nop) CMD [\"/bin/sh\"]","empty_layer":true},{"created":"2022-08-11T21:18:18Z","created_by":"/bin/sh -c #(nop) LABEL maintainer=ClamAV bugs \u003cclamav-bugs@external.cisco.com\u003e","empty_layer":true},{"created":"2022-08-11T21:18:18Z","created_by":"/bin/sh -c #(nop) EXPOSE 3310","empty_layer":true},{"created":"2022-08-11T21:18:18Z","created_by":"/bin/sh -c #(nop) EXPOSE 7357","empty_layer":true},{"created":"2022-08-11T21:18:19Z","created_by":"/bin/sh -c #(nop) ENV TZ=Etc/UTC","empty_layer":true},{"created":"2022-08-11T21:18:20Z","created_by":"/bin/sh -c apk add --no-cache fts json-c libbz2 libcurl libltdl libmilter libstdc++ libxml2 ncurses-libs pcre2 tini tzdata zlib \u0026\u0026 addgroup -S \"clamav\" \u0026\u0026 adduser -D -G \"clamav\" -h \"/var/lib/clamav\" -s \"/bin/false\" -S \"clamav\" \u0026\u0026 install -d -m 755 -g \"clamav\" -o \"clamav\" \"/var/log/clamav\""},{"created":"2022-08-11T21:18:21Z","created_by":"/bin/sh -c #(nop) COPY dir:62e94eeaf199c211aa15a95919e23e00ee7811448e9d3408f5dfe2c1e832be10 in / "},{"created":"2022-08-11T21:18:21Z","created_by":"/bin/sh -c #(nop) COPY file:66e0471a836b5abbca9d962275515a035561e22247b255219838121b86fc0f4e in /usr/local/bin/ "},{"created":"2022-08-11T21:18:22Z","created_by":"/bin/sh -c #(nop) COPY file:21dd9b820b81e8869e62f794665a73404cc2fe68516ed5828a8dca08707f4416 in /init "},{"created":"2022-08-11T21:18:22Z","created_by":"/bin/sh -c #(nop) HEALTHCHECK \u0026{[\"CMD-SHELL\" \"\\\"clamdcheck.sh\\\"\"] \"0s\" \"0s\" \"6m0s\" '\\x00'}","empty_layer":true},{"created":"2022-08-11T21:18:22Z","created_by":"/bin/sh -c #(nop) ENTRYPOINT [\"/init\"]","empty_layer":true},{"created":"2022-09-01T00:13:35Z","created_by":"/bin/sh -c freshclam --foreground --stdout \u0026\u0026 rm /var/lib/clamav/freshclam.dat || rm /var/lib/clamav/mirrors.dat || true"}],"os":"linux","rootfs":{"type":"layers","diff_ids":["sha256:994393dc58e7931862558d06e46aa2bb17487044f670f310dffe1d24e4d1eec7","sha256:c7d338cee60fca734eb2da3acaea4cce8ebaa561714f480f9faffc7f57e2eca0","sha256:bc5d252df8003da09581a75cd073c1ed81897893cc3b83d545a3659696295492","sha256:df8879937c6935b9f846a773ff96ed70afa2340fa278e3c9d9fa8380df69c5e0","sha256:cd9348c203fb921a1163ad11e58b5f7e1e0cba377f8506a771db3b57729313c9","sha256:ed0626f7d56a904f7dc129c2c8b0e4e03b8b1a7f7bb54dc0329801d821f0b5dc"]},"config":{"Healthcheck":{"Test":["CMD-SHELL","\"clamdcheck.sh\""],"StartPeriod":360000000000},"Entrypoint":["/init"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","TZ=Etc/UTC"],"Image":"sha256:f812dcb2a5e097e7968d71f062354e3b5d041d992c50dfc2772acd9ad5d989ad","Labels":{"maintainer":"ClamAV bugs \u003cclamav-bugs@external.cisco.com\u003e"}}}},"Results":[{"Target":"8e0128f75969 (alpine 3.16.2)","Class":"os-pkgs","Type":"alpine","Vulnerabilities":[{"VulnerabilityID":"CVE-2022-35252","PkgName":"libcurl","InstalledVersion":"7.83.1-r2","FixedVersion":"7.83.1-r3","Layer":{"DiffID":"sha256:c7d338cee60fca734eb2da3acaea4cce8ebaa561714f480f9faffc7f57e2eca0"},"SeveritySource":"nvd","PrimaryURL":"https://avd.aquasec.com/nvd/cve-2022-35252","DataSource":{"ID":"alpine","Name":"Alpine Secdb","URL":"https://secdb.alpinelinux.org/"},"Title":"curl: control code in cookie denial of service","Description":"When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a\"sister site\" to deny service to all siblings.","Severity":"LOW","CVSS":{"nvd":{"V3Vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","V3Score":3.7},"redhat":{"V3Vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","V3Score":3.1}},"References":["https://access.redhat.com/security/cve/CVE-2022-35252","https://curl.se/docs/CVE-2022-35252.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35252","https://hackerone.com/reports/1613943","https://nvd.nist.gov/vuln/detail/CVE-2022-35252","https://security.netapp.com/advisory/ntap-20220930-0005/","https://ubuntu.com/security/notices/USN-5587-1","https://www.openwall.com/lists/oss-security/2022/08/31/2"],"PublishedDate":"2022-09-23T14:15:00Z","LastModifiedDate":"2022-10-07T13:20:00Z"},{"VulnerabilityID":"CVE-2022-42915","PkgName":"libcurl","InstalledVersion":"7.83.1-r2","FixedVersion":"7.83.1-r4","Layer":{"DiffID":"sha256:c7d338cee60fca734eb2da3acaea4cce8ebaa561714f480f9faffc7f57e2eca0"},"SeveritySource":"nvd","PrimaryURL":"https://avd.aquasec.com/nvd/cve-2022-42915","DataSource":{"ID":"alpine","Name":"Alpine Secdb","URL":"https://secdb.alpinelinux.org/"},"Title":"curl: HTTP proxy double-free","Description":"curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.","Severity":"CRITICAL","CweIDs":["CWE-415"],"CVSS":{"nvd":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","V3Score":9.8}},"References":["https://access.redhat.com/security/cve/CVE-2022-42915","https://curl.se/docs/CVE-2022-42915.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42915","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/","https://nvd.nist.gov/vuln/detail/CVE-2022-42915","https://ubuntu.com/security/notices/USN-5702-1"],"PublishedDate":"2022-10-29T20:15:00Z","LastModifiedDate":"2022-11-14T15:16:00Z"},{"VulnerabilityID":"CVE-2022-32221","PkgName":"libcurl","InstalledVersion":"7.83.1-r2","FixedVersion":"7.83.1-r4","Layer":{"DiffID":"sha256:c7d338cee60fca734eb2da3acaea4cce8ebaa561714f480f9faffc7f57e2eca0"},"PrimaryURL":"https://avd.aquasec.com/nvd/cve-2022-32221","DataSource":{"ID":"alpine","Name":"Alpine Secdb","URL":"https://secdb.alpinelinux.org/"},"Title":"curl: POST following PUT confusion","Description":"When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.","Severity":"MEDIUM","CVSS":{"redhat":{"V3Vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","V3Score":4.8}},"References":["https://access.redhat.com/security/cve/CVE-2022-32221","https://curl.se/docs/CVE-2022-32221.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32221","https://hackerone.com/reports/1704017","https://ubuntu.com/security/notices/USN-5702-1","https://ubuntu.com/security/notices/USN-5702-2"],"PublishedDate":"2022-12-05T22:15:00Z","LastModifiedDate":"2022-12-05T23:40:00Z"},{"VulnerabilityID":"CVE-2022-42916","PkgName":"libcurl","InstalledVersion":"7.83.1-r2","FixedVersion":"7.83.1-r4","Layer":{"DiffID":"sha256:c7d338cee60fca734eb2da3acaea4cce8ebaa561714f480f9faffc7f57e2eca0"},"SeveritySource":"nvd","PrimaryURL":"https://avd.aquasec.com/nvd/cve-2022-42916","DataSource":{"ID":"alpine","Name":"Alpine Secdb","URL":"https://secdb.alpinelinux.org/"},"Title":"curl: HSTS bypass via IDN","Description":"In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.","Severity":"HIGH","CweIDs":["CWE-319"],"CVSS":{"nvd":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","V3Score":7.5},"redhat":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","V3Score":7.5}},"References":["https://access.redhat.com/security/cve/CVE-2022-42916","https://curl.se/docs/CVE-2022-42916.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42916","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/","https://nvd.nist.gov/vuln/detail/CVE-2022-42916","https://ubuntu.com/security/notices/USN-5702-1"],"PublishedDate":"2022-10-29T02:15:00Z","LastModifiedDate":"2022-11-14T15:16:00Z"},{"VulnerabilityID":"CVE-2022-2309","PkgName":"libxml2","InstalledVersion":"2.9.14-r0","FixedVersion":"2.9.14-r1","Layer":{"DiffID":"sha256:c7d338cee60fca734eb2da3acaea4cce8ebaa561714f480f9faffc7f57e2eca0"},"SeveritySource":"nvd","PrimaryURL":"https://avd.aquasec.com/nvd/cve-2022-2309","DataSource":{"ID":"alpine","Name":"Alpine Secdb","URL":"https://secdb.alpinelinux.org/"},"Title":"lxml: NULL Pointer Dereference in lxml","Description":"NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.","Severity":"HIGH","CweIDs":["CWE-476"],"CVSS":{"ghsa":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","V3Score":7.5},"nvd":{"V2Vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","V3Vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","V2Score":5,"V3Score":7.5},"redhat":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","V3Score":7.5}},"References":["https://access.redhat.com/errata/RHSA-2022:8226","https://access.redhat.com/security/cve/CVE-2022-2309","https://bugzilla.redhat.com/2107571","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2309","https://errata.almalinux.org/9/ALSA-2022-8226.html","https://github.com/advisories/GHSA-wrxv-2j5q-m38w","https://github.com/lxml/lxml/blob/master/CHANGES.txt","https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f","https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f (lxml-4.9.1)","https://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2022-230.yaml","https://gitlab.gnome.org/GNOME/libxml2/-/issues/378","https://huntr.dev/bounties/8264e74f-edda-4c40-9956-49de635105ba","https://huntr.dev/bounties/8264e74f-edda-4c40-9956-49de635105ba/","https://linux.oracle.com/cve/CVE-2022-2309.html","https://linux.oracle.com/errata/ELSA-2022-8226.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HGYC6L7ENH5VEGN3YWFBYMGKX6WNS7HZ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/URHHSIBTPTALXMECRLAC2EVDNAFSR5NO/","https://nvd.nist.gov/vuln/detail/CVE-2022-2309","https://security.gentoo.org/glsa/202208-06","https://security.netapp.com/advisory/ntap-20220915-0006/","https://ubuntu.com/security/notices/USN-5760-1"],"PublishedDate":"2022-07-05T10:15:00Z","LastModifiedDate":"2022-10-28T18:55:00Z"},{"VulnerabilityID":"CVE-2022-40303","PkgName":"libxml2","InstalledVersion":"2.9.14-r0","FixedVersion":"2.9.14-r2","Layer":{"DiffID":"sha256:c7d338cee60fca734eb2da3acaea4cce8ebaa561714f480f9faffc7f57e2eca0"},"SeveritySource":"nvd","PrimaryURL":"https://avd.aquasec.com/nvd/cve-2022-40303","DataSource":{"ID":"alpine","Name":"Alpine Secdb","URL":"https://secdb.alpinelinux.org/"},"Title":"libxml2: integer overflows with XML_PARSE_HUGE","Description":"An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.","Severity":"HIGH","CweIDs":["CWE-190"],"CVSS":{"nvd":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","V3Score":7.5},"redhat":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H","V3Score":8.2}},"References":["https://access.redhat.com/security/cve/CVE-2022-40303","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40303","https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0","https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.3","https://nvd.nist.gov/vuln/detail/CVE-2022-40303","https://ubuntu.com/security/notices/USN-5760-1","https://ubuntu.com/security/notices/USN-5760-2"],"PublishedDate":"2022-11-23T00:15:00Z","LastModifiedDate":"2022-11-28T14:46:00Z"},{"VulnerabilityID":"CVE-2022-40304","PkgName":"libxml2","InstalledVersion":"2.9.14-r0","FixedVersion":"2.9.14-r2","Layer":{"DiffID":"sha256:c7d338cee60fca734eb2da3acaea4cce8ebaa561714f480f9faffc7f57e2eca0"},"SeveritySource":"nvd","PrimaryURL":"https://avd.aquasec.com/nvd/cve-2022-40304","DataSource":{"ID":"alpine","Name":"Alpine Secdb","URL":"https://secdb.alpinelinux.org/"},"Title":"libxml2: dict corruption caused by entity reference cycles","Description":"An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.","Severity":"HIGH","CweIDs":["CWE-611"],"CVSS":{"nvd":{"V3Vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","V3Score":7.8},"redhat":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H","V3Score":8.2}},"References":["https://access.redhat.com/security/cve/CVE-2022-40304","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40304","https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b","https://gitlab.gnome.org/GNOME/libxml2/-/tags","https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.3","https://nvd.nist.gov/vuln/detail/CVE-2022-40304","https://ubuntu.com/security/notices/USN-5760-1","https://ubuntu.com/security/notices/USN-5760-2"],"PublishedDate":"2022-11-23T18:15:00Z","LastModifiedDate":"2022-11-30T16:26:00Z"}]}]}
523
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
