tech:grype [2023/12/12 12:34] – 建立 jonathantech:grype [2023/12/12 12:50] (目前版本) – [使用方式] jonathan
行 16: 行 16:
  
 ===== 使用方式 ===== ===== 使用方式 =====
 +  * 查看使用版本 <cli>
 +# grype --version
 +grype 0.73.4
 +</cli>
   * 弱點資料庫管理   * 弱點資料庫管理
     * 更新弱點資料庫 <cli>grype db update</cli>     * 更新弱點資料庫 <cli>grype db update</cli>
行 42: 行 46:
 No vulnerabilities found No vulnerabilities found
 </cli>++ </cli>++
-  * ++結果改用 json 格式|<cli>+    * ++結果改用 json 格式|<cli>
 # grype anchore/grype:latest -o json # grype anchore/grype:latest -o json
  ✔ Vulnerability DB                [no update available]  ✔ Vulnerability DB                [no update available]
行 200: 行 204:
 } }
 </cli>++ </cli>++
 +  * 掃描原始碼使用套件的弱點 Exp. https://github.com/iii-org/akasha <cli>
 +git clone https://github.com/iii-org/akasha.git
 +grype akasha
 +</cli>
 +    * ++看結果|<cli>
 +# grype akasha
 + ✔ Vulnerability DB                [no update available]
 + ✔ Indexed file system                                                                                                                                                                                                               akasha
 + ✔ Cataloged packages              [32 packages]
 + ✔ Scanned for vulnerabilities     [1 vulnerability matches]
 +   ├── by severity: 0 critical, 0 high, 1 medium, 0 low, 0 negligible
 +   └── by status:   1 fixed, 0 not-fixed, 0 ignored
 +[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
 +NAME    INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
 +opencc  1.1.1      1.1.2     python  GHSA-9qh2-6fxg-9m4g  Medium
 +</cli>++
 +    * ++結果以 json 格式呈現|<cli>
 +# grype akasha -o json
 + ✔ Indexed file system                                                                                                                                                                                                               akasha
 + ✔ Vulnerability DB                [no update available]
 + ✔ Cataloged packages              [32 packages]
 + ✔ Scanned for vulnerabilities     [1 vulnerability matches]
 +   ├── by severity: 0 critical, 0 high, 1 medium, 0 low, 0 negligible
 +   └── by status:   1 fixed, 0 not-fixed, 0 ignored
 +[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
 +{
 + "matches": [
 +  {
 +   "vulnerability": {
 +    "id": "GHSA-9qh2-6fxg-9m4g",
 +    "dataSource": "https://github.com/advisories/GHSA-9qh2-6fxg-9m4g",
 +    "namespace": "github:language:python",
 +    "severity": "Medium",
 +    "urls": [
 +     "https://github.com/advisories/GHSA-9qh2-6fxg-9m4g"
 +    ],
 +    "description": "Open Chinese Convert subject to Denial of Service via Out-of-bounds Read",
 +    "cvss": [
 +     {
 +      "version": "3.0",
 +      "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
 +      "metrics": {
 +       "baseScore": 5.5,
 +       "exploitabilityScore": 1.8,
 +       "impactScore": 3.6
 +      },
 +      "vendorMetadata": {
 +       "base_severity": "Medium",
 +       "status": "N/A"
 +      }
 +     }
 +    ],
 +    "fix": {
 +     "versions": [
 +      "1.1.2"
 +     ],
 +     "state": "fixed"
 +    },
 +    "advisories": []
 +   },
 +   "relatedVulnerabilities": [
 +    {
 +     "id": "CVE-2018-16982",
 +     "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-16982",
 +     "namespace": "nvd:cpe",
 +     "severity": "Medium",
 +     "urls": [
 +      "https://github.com/BYVoid/OpenCC/issues/303"
 +     ],
 +     "description": "Open Chinese Convert (OpenCC) 1.0.5 allows attackers to cause a denial of service (segmentation fault) because BinaryDict::NewFromFile in BinaryDict.cpp may have out-of-bounds keyOffset and valueOffset values via a crafted .ocd file.",
 +     "cvss": [
 +      {
 +       "source": "[email protected]",
 +       "type": "Primary",
 +       "version": "2.0",
 +       "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
 +       "metrics": {
 +        "baseScore": 4.3,
 +        "exploitabilityScore": 8.6,
 +        "impactScore": 2.9
 +       },
 +       "vendorMetadata": {}
 +      },
 +      {
 +       "source": "[email protected]",
 +       "type": "Primary",
 +       "version": "3.0",
 +       "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
 +       "metrics": {
 +        "baseScore": 5.5,
 +        "exploitabilityScore": 1.8,
 +        "impactScore": 3.6
 +       },
 +       "vendorMetadata": {}
 +      }
 +     ]
 +    }
 +   ],
 +   "matchDetails": [
 +    {
 +     "type": "exact-direct-match",
 +     "matcher": "python-matcher",
 +     "searchedBy": {
 +      "language": "python",
 +      "namespace": "github:language:python",
 +      "package": {
 +       "name": "opencc",
 +       "version": "1.1.1"
 +      }
 +     },
 +     "found": {
 +      "versionConstraint": "<1.1.2 (python)",
 +      "vulnerabilityID": "GHSA-9qh2-6fxg-9m4g"
 +     }
 +    }
 +   ],
 +   "artifact": {
 +    "id": "dc27cd82392a6d54",
 +    "name": "opencc",
 +    "version": "1.1.1",
 +    "type": "python",
 +    "locations": [
 +     {
 +      "path": "/setup.py"
 +     }
 +    ],
 +    "language": "python",
 +    "licenses": [],
 +    "cpes": [
 +     "cpe:2.3:a:python-opencc:python-opencc:1.1.1:*:*:*:*:*:*:*",
 +     "cpe:2.3:a:python-opencc:python_opencc:1.1.1:*:*:*:*:*:*:*",
 +     "cpe:2.3:a:python_opencc:python-opencc:1.1.1:*:*:*:*:*:*:*",
 +     "cpe:2.3:a:python_opencc:python_opencc:1.1.1:*:*:*:*:*:*:*",
 +     "cpe:2.3:a:opencc:python-opencc:1.1.1:*:*:*:*:*:*:*",
 +     "cpe:2.3:a:opencc:python_opencc:1.1.1:*:*:*:*:*:*:*",
 +     "cpe:2.3:a:python-opencc:opencc:1.1.1:*:*:*:*:*:*:*",
 +     "cpe:2.3:a:python:python-opencc:1.1.1:*:*:*:*:*:*:*",
 +     "cpe:2.3:a:python:python_opencc:1.1.1:*:*:*:*:*:*:*",
 +     "cpe:2.3:a:python_opencc:opencc:1.1.1:*:*:*:*:*:*:*",
 +     "cpe:2.3:a:opencc:opencc:1.1.1:*:*:*:*:*:*:*",
 +     "cpe:2.3:a:python:opencc:1.1.1:*:*:*:*:*:*:*"
 +    ],
 +    "purl": "pkg:pypi/[email protected]",
 +    "upstreams": []
 +   }
 +  }
 + ],
 + "source": {
 +  "type": "directory",
 +  "target": "akasha"
 + },
 + "distro": {
 +  "name": "",
 +  "version": "",
 +  "idLike": null
 + },
 + "descriptor": {
 +  "name": "grype",
 +  "version": "0.73.4",
 +  "configuration": {
 +   "output": [
 +    "json"
 +   ],
 +   "file": "",
 +   "distro": "",
 +   "add-cpes-if-none": false,
 +   "output-template-file": "",
 +   "check-for-app-update": true,
 +   "only-fixed": false,
 +   "only-notfixed": false,
 +   "ignore-wontfix": "",
 +   "platform": "",
 +   "search": {
 +    "scope": "squashed",
 +    "unindexed-archives": false,
 +    "indexed-archives": true
 +   },
 +   "ignore": null,
 +   "exclude": [],
 +   "db": {
 +    "cache-dir": "/root/.cache/grype/db",
 +    "update-url": "https://toolbox-data.anchore.io/grype/databases/listing.json",
 +    "ca-cert": "",
 +    "auto-update": true,
 +    "validate-by-hash-on-start": false,
 +    "validate-age": true,
 +    "max-allowed-built-age": 432000000000000
 +   },
 +   "externalSources": {
 +    "enable": false,
 +    "maven": {
 +     "searchUpstreamBySha1": true,
 +     "baseUrl": "https://search.maven.org/solrsearch/select"
 +    }
 +   },
 +   "match": {
 +    "java": {
 +     "using-cpes": false
 +    },
 +    "dotnet": {
 +     "using-cpes": false
 +    },
 +    "golang": {
 +     "using-cpes": false,
 +     "always-use-cpe-for-stdlib": true
 +    },
 +    "javascript": {
 +     "using-cpes": false
 +    },
 +    "python": {
 +     "using-cpes": false
 +    },
 +    "ruby": {
 +     "using-cpes": false
 +    },
 +    "rust": {
 +     "using-cpes": false
 +    },
 +    "stock": {
 +     "using-cpes": true
 +    }
 +   },
 +   "fail-on-severity": "",
 +   "registry": {
 +    "insecure-skip-tls-verify": false,
 +    "insecure-use-http": false,
 +    "auth": null,
 +    "ca-cert": ""
 +   },
 +   "show-suppressed": false,
 +   "by-cve": false,
 +   "name": "",
 +   "default-image-pull-source": "",
 +   "vex-documents": [],
 +   "vex-add": []
 +  },
 +  "db": {
 +   "built": "2023-12-12T01:28:57Z",
 +   "schemaVersion": 5,
 +   "location": "/root/.cache/grype/db/5",
 +   "checksum": "sha256:5f2cb595bf332cff23fe0812819822e5292547f6a180c44a9e8675e9ab1be495",
 +   "error": null
 +  },
 +  "timestamp": "2023-12-12T12:49:17.587473912+08:00"
 + }
 +}
 +</cli>++ 
  
 ===== 參考網址 ===== ===== 參考網址 =====