目次
macosの脆弱性確認
恵比寿でIT企業をやっているとモテると聞いて創業しましたが早いことありがたいことに10年目に突入した長谷川です。
まだモテる成果は出ていません、、、これからです!(もうめんどくさいのでカウントやめました😆)
aquasecurityさんのtrivyでmacosの確認をしてみます。
trivyではいろいろなものを確認することができます。
Targets (what Trivy can scan):
– Container Image
– Filesystem
– Git Repository (remote)
– Virtual Machine Image
– Kubernetes
– AWS
Scanners (what Trivy can find there):
– OS packages and software dependencies in use (SBOM)
– Known vulnerabilities (CVEs)
– IaC issues and misconfigurations
– Sensitive information and secrets
– Software licenses
Install
homebrewに普通にあります🤣
brew install trivy参考にuvのdirectoryをscanしてみます。
Get yusuke’s stories in your inbox
Join Medium for free to get updates from this writer.Subscribe
自分のuvは現状こうなっています。
uv python list –python-preference=only-managed
uv python list --python-preference=only-managed
cpython-3.13.0+freethreaded-macos-aarch64-none <download available>
cpython-3.13.0-macos-aarch64-none /Users/yusukeh/uv/python/cpython-3.13.0-macos-aarch64-none/bin/python3 -> python3.13
cpython-3.12.7-macos-aarch64-none <download available>
cpython-3.12.3-macos-aarch64-none /Users/yusukeh/uv/python/cpython-3.12.3-macos-aarch64-none/bin/python3 -> python3.12
cpython-3.11.10-macos-aarch64-none <download available>
cpython-3.11.5-macos-aarch64-none /Users/yusukeh/uv/python/cpython-3.11.5-macos-aarch64-none/bin/python3 -> python3.11
cpython-3.10.15-macos-aarch64-none <download available>
cpython-3.9.20-macos-aarch64-none <download available>
cpython-3.8.20-macos-aarch64-none <download available>
pypy-3.10.14-macos-aarch64-none <download available>
pypy-3.9.19-macos-aarch64-none <download available>
pypy-3.8.16-macos-aarch64-none <download available>–python-preference=only-managedを入れないと、uvで入れてないpythonも検知する・・・😅
uv tool list
uv tool list
ansible v10.5.0
- ansible-community
ansible-shell v0.0.5
- ansible-shell
gptme v0.20.0
- gptme
- gptme-eval
- gptme-server
hatch v1.13.0
- hatch
hawk v0.1
- hawk
jupyterlab v4.2.5
- jlpm
- jupyter-lab
- jupyter-labextension
- jupyter-labhub
litellm v1.50.2
- litellm
mackup v0.8.41
- mackup
magika v0.5.1
- magika
mdbom v0.3.0
- mdb
pip v24.2
- pip
- pip3
- pip3.12
pyinfra v3.1.1
- pyinfra
rich-cli v1.8.0
- rich
ruff v0.7.0
- ruff
slack-export-viewer v1.4.4
- slack-export-viewer
- slack-export-viewer-cli
sqlfluff v3.2.4
- sqlfluff
wheel v0.44.0
- wheeltrivy filesystem
以下のコマンドで実行してみます。
自分の環境変数は以下のようになっているため
UV_HOME=${HOME}/uv
filesystemのPATHはUV_HOMEを指定しています。
trivy filesystem \
--scanners vuln,license,misconfig,secret\
--detection-priority comprehensive \
--severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL \
--format table \
--output trivy_filesystem_uv.txt ${UV_HOME}ちょっとERROR出てますがまあ止まらないので・・・🤣
–skip-files入れた方がいいんだろうけど・・・
2024-10-24T13:08:43+09:00 INFO [vuln] Vulnerability scanning is enabled
2024-10-24T13:09:50+09:00 ERROR [dockerfile parser] Failed to parse Dockerfileedfile_path="tools/ansible/lib/python3.12/site-packages/ansible_collections/community/zabbix/roles/zabbix_agent/molecule/with-server/Dockerfile.j2" err="process dockerfile instructions: unknown instruction: {%"
2024-10-24T13:09:50+09:00 ERROR [dockerfile parser] Failed to parse Dockerfile'-file_path="tools/ansible/lib/python3.12/site-packages/ansible_collections/google/cloud/molecule/gcloud/Dockerfile.j2" err="process dockerfile instructions: unknown instruction: {%"ps://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-24T13:09:50+09:00 ERROR [dockerfile parser] Failed to parse Dockerfile file_path="tools/ansible/lib/python3.12/site-packages/ansible_collections/google/cloud/molecule/gcsfuse/Dockerfile.j2" err="process dockerfile instructions: unknown instruction: {%"
2024-10-24T13:09:50+09:00 ERROR [dockerfile parser] Failed to parse Dockerfile file_path="tools/ansible-shell/lib/python3.12/site-packages/ansible_collections/community/zabbix/roles/zabbix_agent/molecule/with-server/Dockerfile.j2" err="process dockerfile instructions: unknown instruction: {%"
2024-10-24T13:09:50+09:00 ERROR [dockerfile parser] Failed to parse Dockerfile file_path="tools/ansible-shell/lib/python3.12/site-packages/ansible_collections/google/cloud/molecule/gcloud/Dockerfile.j2" err="process dockerfile instructions: unknown instruction: {%"
2024-10-24T13:09:50+09:00 ERROR [dockerfile parser] Failed to parse Dockerfile file_path="tools/ansible-shell/lib/python3.12/site-packages/ansible_collections/google/cloud/molecule/gcsfuse/Dockerfile.j2" err="process dockerfile instructions: unknown instruction: {%"
2024-10-24T13:09:50+09:00 ERROR [dockerfile parser] Failed to parse Dockerfile file_path="tools/litellm/lib/python3.12/site-packages/litellm/deprecated_litellm_server/Dockerfile" err="dockerfile parse error: file with no instructions"
2024-10-24T13:09:58+09:00 INFO Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2024-10-24T13:09:58+09:00 INFO Number of language-specific files num=90
2024-10-24T13:09:58+09:00 INFO [pip] Detecting vulnerabilities...
2024-10-24T13:09:58+09:00 INFO [poetry] Detecting vulnerabilities...
2024-10-24T13:09:58+09:00 INFO [pipenv] Detecting vulnerabilities...
2024-10-24T13:09:58+09:00 INFO [yarn] Detecting vulnerabilities...
2024-10-24T13:09:58+09:00 INFO [python-pkg] Detecting vulnerabilities...
2024-10-24T13:09:58+09:00 INFO Detected config files num=25結果
tools/ansible-shell/lib/python3.12/site-packages/ansible_collections/cisco/intersight/requirements.txt (pip)
============================================================================================================
Total: 2 (HIGH: 2, CRITICAL: 0)
┌──────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ cryptography │ CVE-2023-0286 │ HIGH │ fixed │ 36.0.0 │ 39.0.1 │ openssl: X.400 address type confusion in X.509 GeneralName │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0286 │
│ ├────────────────┤ │ │ ├───────────────┼────────────────────────────────────────────────────────────┤
│ │ CVE-2023-50782 │ │ │ │ 42.0.0 │ python-cryptography: Bleichenbacher timing oracle attack │
│ │ │ │ │ │ │ against RSA decryption - incomplete fix for... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-50782 │
└──────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
tools/ansible-shell/lib/python3.12/site-packages/ansible_collections/cisco/meraki/requirements.txt (pip)
========================================================================================================
Total: 1 (HIGH: 1, CRITICAL: 0)
┌─────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ meraki │ GHSA-6x4h-9622-fqr6 │ HIGH │ fixed │ 1.33.0 │ 1.40.1 │ Improper validation in meraki │
│ │ │ │ │ │ │ https://github.com/advisories/GHSA-6x4h-9622-fqr6 │
└─────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘
~~ 長過ぎるので省略 ~~結構出た😅
ansibleがめっちゃ出てる😅
Appendix
GitHub – awesomeSBOM/awesome-sbom: A curated list of SBOM (Software Bill Of Materials) related…
ここを見るといろいろあります。
個人的にはいろいろ試してみましたが、以下は使いやすくて良さげです。
trivyは使いやすくてSecretやLicenseなども見てくれるので楽で素敵!
因みにtrivyで/opt/homebrewを確認すると、自分は毎日updateしてますが、かなりありました😅
ターミナル環境について他の記事も書いているので、よろしければこちらもご覧ください!
『ターミナルがダサいとモテない』シリーズ一覧
転載:ターミナルがダサいとモテない。trivyでmacを見てみる編
