Grype open source vulnerability scanner demo

Captions
Hi, my name is Alfredo Deza and we are going to talk today about Grype. It's a vulnerability scanning tool that is pretty useful and it's one of the tools that I've been working on for a few months. It is pretty good, pretty fast, and let's try and see how this works, why it's useful, and why you would want to install it and run it against your projects. So I'm here on GitHub; the address for the project is github.com/anchore/grype, and I'll go through the process of installing it and seeing how this works. Let me just scroll down a little bit here. It's a bunch of files; it's a Go project, so you have binaries for a bunch of different systems, which is pretty useful. The README is pretty complete, but let's scroll down; I'll skip the features for now. Let's scroll down to Getting Started, or actually just Installation. There we go. I'm running OS X, so I am going to go ahead and use Homebrew, but if you're using some of the other instructions, that would also work fine.

So let me go to my terminal. I don't have Grype installed, so I'm going to have to go and install it. Here I have a sample Python application; it has a Dockerfile and a requirements.txt. We'll get into that in a second to see how Grype is relevant in this situation. So if I do "which grype", I don't have Grype installed. The instructions mention that I can use brew, and it's always good to do "brew update". In my case I just did that before starting, so it shouldn't take that long. There you go, it just took a couple of seconds there. That might take a few minutes if you're just trying out "brew update" and haven't done this in a while. brew is kind of like a package manager for OS X, if you haven't used it before, but I'm not going to go into details on how to set it up; if you've never used brew, the other installation methods would work fine. Then we need to do "brew tap anchore/grype"; that basically tells brew, hey, I have a formula here. brew works with formulas, so there's a specific formula here that knows how to install Grype and make it available in my system. Now I'm able to do "brew install grype", so let me go ahead and do that. This pulls in the latest release, which in this case is 0.7.0; there is a specific image for my system, and that's it. Now "which grype" should work. Perfect. So let's do "grype version". Great, so it tells me the version is 0.7.0; it was built in January. It seems like all is good.

Let's try the help menu. Let's see, help. Ooh, there we go. So there's a bunch of stuff in here. You can scan for vulnerabilities in an image, and it supports the Docker syntax here, which is repository/image:tag, but you also have the possibility to use a Docker tar, an OCI tar, or a directory, a file system directory. So there's a lot of stuff in there; primarily we'll just concentrate on Docker containers and paths. So far we've not seen anything useful, so let's try to make something useful. I'm here in this Python app; I'm going to do ls. I have a requirements.txt; let's take a look at what's in it. Ooh, Flask 0.0.1. That looks pretty old; I think Flask is up to several versions beyond that, so this is a very old one. So the first thing that you can do with Grype: Grype accepts a path to a directory for scanning for vulnerabilities, and we are going to go one directory up and then we're going to say "grype dir:" and, what is it, python-app. Perfect. So right now it's pulling the latest vulnerability database; it's 47 megabytes. Oh, and look at that. So it did three things, which is pretty crucial. It first checked if there was an update for the vulnerability database. The database gets updated all of the time; vulnerabilities are reported all the time, so if this application wasn't vulnerable this morning it could certainly be vulnerable by this afternoon. So there's a constant check for updates to the vulnerability database; it pulls that, and then it catalogs the image. Well, in this case we're not cataloging an image, we're cataloging a directory path, and it's going in there and trying to find out what would be installed if this was running in the system. So it found that there was a requirements.txt file and something was declared there, and it caught that and it's like, oh well, Flask 0.0.1 would be installed and that's problematic. So then it scans, and then it does the matching. So it tells you, hey, you have 0.0.1 installed, but there's a fix, and it tells you the vulnerability, in this case a GHSA, that's a GitHub Security Advisory, and otherwise it gives you CVEs. So there's a couple of CVEs associated with that version and it tells you the severity. So that's pretty cool, right? Like, if I'm writing an application, I might not know that. The way Grype is doing this is because it sees that there's a pinned dependency. So let's take a look at that, the requirements.txt. So it sees that, oh, this is pinned. So if I'm a developer... I think it was 0.12.3 where it was fixed. Perfect, yeah, so that was fixed in 0.12.3. So if I change that to say 0.12.4, let's change that pretty quickly, 0.12.4, then this application in particular wouldn't be vulnerable again. So I'm going to run it again. See that there's no update available now for the database because it already pulled the latest version available, and now my vulnerabilities are fewer than initially. And again, this is all very fast, right? It just takes a few seconds, looks at the directory and tries to figure out what is going on there.

All right, so it seems that 0.12.4 is still vulnerable. The severity is low; it's a GHSA, this one right here. But this one seems pretty important; this is a high one and it doesn't have a fix. So CVEs are useful because then you can look at what type of vulnerability this is. In this case, I believe, let me see, we can go to, there we go, we can say that one. Let's see what happens. This is the CVE website where you can get more information about vulnerabilities. Let's see: Pallets Projects Flask before 1.1 is affected by unexpected memory usage. Okay, the impact is denial of service; that sounds pretty terrible, if you send crafted encoded JSON data. So the fixed version is 1, and there might be an overlap. Okay, perfect. So if we go back to our little project over here, it seems that we can go and make another update to our Python application's requirements. So I'm going to set it to, like, I want this to be installed here. Let's run Grype again. Perfect, it doesn't find anything now because I've set it to 1.0.0, so the vulnerability is gone; my application is seemingly safe, nothing is being pulled in. So that's perfect; I have a perfect little Python project with a requirements.txt file and it doesn't find anything. That's pretty cool. However, if I go in here, there is a Dockerfile. So the Dockerfile is using the python 3.8 image, it's copying the requirements, and then it sets the work directory to web app, it installs the requirements, so you would install Flask, and then it would just run the Flask application. That's fine. Let's take a look at web app. I think there's a single file in there. That's right, so web app has a couple of Flask routes; this is a tiny, tiny Flask application that will run on port, I think it's 8080, the default port, or 8000, the default port for Flask, and it has a couple of sample routes.

So how about we build this container, because Grype can also scan containers. So we're going to do "docker build -t", we can say alfredodeza, which is my username, and then we'll say flask-app, and here, I think that should do it. Let's see. All right, so my container is building; it's a bunch of stuff being downloaded. Nice. Okay, so it created this alfredodeza/flask-app container. So the thing that Grype can do is you can scan containers, and the way we do that, we can say grype and then pass the tagged container, so in my case I use alfredodeza/flask-app. So let's take a look at that: "grype alfredodeza/flask-app" and see what happens. So no update available, and now it's loading the image. So it's requesting the image from Docker; it's going to the Docker daemon and trying to pull that image down, copying it locally, and so it will do some inspection inside the image. As you know, images can contain many layers and these layers are compressed, so behind the scenes Grype is bringing down this whole image, finding all the layers, trying to decompose each layer and trying to find vulnerabilities in each of those layers. In this case it's taking a little bit longer because it is trying to pull this image, which it seems is pretty heavy; the progress bar is moving. So this is not necessarily Grype's doing; it's that the image happens to be pretty big. I can see now, I'm looking at my network monitor, it's downloading several megabytes of data from the Docker daemon. All right, so it's almost done. It loaded the image, it's parsing the image, so that goes pretty quickly; now it's cataloging everything that it finds in there, and it's like, we have a boatload of stuff. Why is this important and what is happening? Like, I just deployed my requirements.txt and my little Flask app, which was not vulnerable. Look at this; this is just pretty substantial. So what's going on? Let me scroll back all the way up, let me scroll all the way to the beginning so that we can see what the deal is here. Oops, there we go, I scrolled way past it. Okay, so it scanned the image, cataloged the image, and it found, this is pretty important, when it cataloged the image it found 442 packages. Wow, that's substantial. Sometimes developers are thinking, well, I'm just installing this Flask app, what's the deal? Well, you have a base container image, and in this case it's the python 3.8 image, and that has system packages installed in it. This is apparently a Debian-based distro, so you can see apt is in there, and behind the scenes Grype is analyzing and finding these vulnerabilities. So now we have 1600 vulnerabilities, and you didn't install apt; that came with the container image. So Grype is detecting what version is installed and if it matches any vulnerability, and it does, and you can see here there's a bunch of negligible ones. Negligible basically means, you know, there's little risk that it might cause a certain security concern. So we can keep going, and you can see there's a bunch of stuff, binutils, and now we're going into some that are critical, right? So you see click here is 7.1.2; that seems pretty serious. And so a lot of these things are out of your control, because you're installing a little Python app with one dependency and you have to deal with these. So now it's up to you to decide how to mitigate these, or perhaps use a different base image to deploy your application, and see if any of these negligible ones are worth taking a look at, as well as looking at the critical ones; perhaps this vulnerability is not as critical in the type of environment that it is going to be deployed in. So that's what happens. So this is Grype, that's how you install it, how you run it. We've installed Grype version 0.7.0, which was released in January 2021, pretty easy to install, very fast, and it gives you a really good picture of not only directories and paths but also any and all images that might be out there in the wild, including the ones that you just built.
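The demo reads Grype's table output by eye: which findings have a fix, which are high severity with no fix, and how many come from the base image rather than the app's own pinned dependency. As an added example (not code from the video or from the Anchore project), here is a small triage script over Grype's JSON output (grype <target> -o json); the JSON field names (matches[].vulnerability.fix.versions, matches[].artifact.type) and the OS package type names are assumptions, and the sample report and its vulnerability IDs are constructed placeholders.

```python
"""Triage a Grype JSON report (grype <target> -o json) the way the demo does by eye:
which findings have a fix, which don't, and which come from the base image.
Constructed example, not Anchore's code; JSON field names are assumed, IDs are placeholders."""
import json
from collections import Counter

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
OS_PACKAGE_TYPES = {"deb", "rpm", "apk"}  # assumed artifact types for base-image packages

# Constructed sample report: pinned Flask with a fix, an unfixed High finding on the
# same package, and a Negligible finding on apt inherited from the base image.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "GHSA-PLACEHOLDER-1", "severity": "Low",
                       "fix": {"versions": ["1.0.0"], "state": "fixed"}},
     "artifact": {"name": "Flask", "version": "0.12.4", "type": "python"}},
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "Flask", "version": "0.12.4", "type": "python"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Negligible",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "apt", "version": "1.8.2", "type": "deb"}},
]})

def triage(report_text):
    """Summarise a report: severity counts, fixable upgrades, unfixed findings,
    and how many matches belong to OS packages from the base image."""
    by_severity, fixable, unfixed, base_image = Counter(), {}, [], 0
    for m in json.loads(report_text).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        by_severity[vuln.get("severity", "Unknown")] += 1
        key = (art["name"], art["version"], art["type"])
        base_image += art["type"] in OS_PACKAGE_TYPES
        versions = (vuln.get("fix") or {}).get("versions") or []
        if versions:  # an upgrade exists: the actionable part of the report
            fixable.setdefault(key, set()).update(versions)
        else:         # no fix yet: mitigate, accept, or change base image
            unfixed.append((key, vuln["id"], vuln.get("severity")))
    return {"by_severity": dict(by_severity), "fixable": fixable,
            "unfixed": unfixed, "base_image": base_image}

def should_fail(report_text, threshold="High"):
    """CI gate: True when any match is at or above the threshold severity."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(m["vulnerability"].get("severity"), -1) >= limit
               for m in json.loads(report_text).get("matches", []))

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT), should_fail(SAMPLE_REPORT))
```

Run it against a real report with "grype alfredodeza/flask-app -o json > report.json" and pass the file contents to triage(); the "fixable" map is the list of pins to bump, and "unfixed" is what remains to mitigate or accept.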
Info
Channel: Anchore
Views: 545
Rating: 5 out of 5
Id: -8x-mxeAEEo
Length: 15min 29sec (929 seconds)
Published: Tue Mar 09 2021