Vulnerability Exploitability eXchange (VEX)
What is VEX?
VEX (Vulnerability Exploitability eXchange) is a standardized framework developed by the US Cybersecurity and Infrastructure Security Agency (CISA) for documenting the exploitability of vulnerabilities in software components.
Unlike a conventional CVE (Common Vulnerabilities and Exposures) database, VEX supplies context: whether a given vulnerability is actually exploitable in a specific environment.
This lets an organization separate vulnerabilities that are genuinely exploitable from those that are irrelevant to its own use case, which makes prioritizing remediation much easier.
Why is VEX important?
- Fewer false positives: environment-specific assessments let you exclude vulnerabilities that pose no threat in a particular environment.
- Prioritized remediation: organizations can concentrate resources on the vulnerabilities that are actually exploitable in their environment, improving the efficiency of vulnerability management.
- Stronger compliance: VEX reports provide detailed information that helps satisfy regulatory requirements and internal security standards.
This approach is especially valuable in complex environments with many components and configurations.
A conventional CVE-based assessment can trigger remediation work that is not actually needed; VEX greatly reduces that risk.
VEX integration in Docker Hardened Images
To strengthen vulnerability management, Docker Hardened Images (DHI) ship with VEX reports that provide environment-specific assessments (contextual information) for known vulnerabilities.
This integration makes the following possible:
- Exploitability assessment: determine whether a known vulnerability in one of the image's components is exploitable in that specific environment.
- Prioritized response: focus remediation on the vulnerabilities that represent real risk, making the best use of resources.
- Streamlined audits: use the detailed information in VEX reports to simplify compliance audits and reporting.
By combining DHI's security features with the context that VEX provides, organizations achieve vulnerability management that is both more effective and more efficient.
Use VEX to exclude known non-exploitable CVEs
When you use Docker Scout, VEX statements are applied automatically; no manual configuration is needed.
To retrieve the VEX attestation manually so you can use it with other VEX-aware tools, run the following command:
$ docker scout attest get \
--predicate-type https://openvex.dev/ns/v0.2.0 \
--predicate \
<your-namespace>/dhi-<image>:<tag> --platform <platform> > vex.json
Example:
$ docker scout attest get \
--predicate-type https://openvex.dev/ns/v0.2.0 \
--predicate \
docs/dhi-python:3.13 --platform linux/amd64 > vex.json
This command writes a vex.json file containing the VEX statements for the specified image.
You can then feed that file to a VEX-aware tool to exclude the known non-exploitable CVEs from its scan results.
For example, Grype and Trivy both accept a --vex flag that applies the VEX statements during a scan:
$ grype <your-namespace>/dhi-<image>:<tag> --vex vex.json
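What a VEX-aware scanner does with that vex.json, shown as an added Python example that is not part of the Docker documentation or of the Scout, Grype or Trivy code: it parses a constructed OpenVEX v0.2.0 document, indexes the statements by CVE and package URL, and drops only those findings covered by a justified not_affected (or fixed) statement, keeping findings that are under investigation, lack a justification, or concern a different product. The CVE ids, package URLs and the suppression rule are assumptions made for the sample.

```python
import json

# Constructed OpenVEX v0.2.0 document in the shape of the predicate that
# `docker scout attest get --predicate` writes to vex.json (sample values only).
VEX_JSON = """{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/sample-1",
  "author": "constructed sample", "timestamp": "2025-01-01T00:00:00Z", "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-2000-0001"}, "products": [{"@id": "pkg:pypi/examplelib@1.0.0"}],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-2000-0002"}, "products": [{"@id": "pkg:pypi/examplelib@1.0.0"}],
     "status": "under_investigation"},
    {"vulnerability": {"name": "CVE-2000-0003"}, "products": [{"@id": "pkg:pypi/otherlib@2.0.0"}],
     "status": "not_affected"}
  ]
}"""

# Constructed scanner findings as (CVE id, package URL) pairs.
FINDINGS = [
    ("CVE-2000-0001", "pkg:pypi/examplelib@1.0.0"),  # dropped: justified not_affected
    ("CVE-2000-0002", "pkg:pypi/examplelib@1.0.0"),  # kept: still under investigation
    ("CVE-2000-0003", "pkg:pypi/otherlib@2.0.0"),    # kept: not_affected without a justification
    ("CVE-2000-0001", "pkg:pypi/otherlib@2.0.0"),    # kept: the statement names a different product
]

def load_statements(vex_text):
    """Index OpenVEX statements by (CVE, product); a later statement for the same pair wins."""
    doc = json.loads(vex_text)
    if doc.get("@context") != "https://openvex.dev/ns/v0.2.0":
        raise ValueError("not an OpenVEX v0.2.0 document")
    index = {}
    for st in doc.get("statements", []):
        for product in st.get("products", []):
            index[(st["vulnerability"]["name"], product["@id"])] = st
    return index

def is_suppressed(st):
    """Only a justified not_affected statement (or a fixed one) clears a finding."""
    if st.get("status") == "fixed":
        return True
    return st.get("status") == "not_affected" and bool(
        st.get("justification") or st.get("impact_statement"))

def apply_vex(findings, vex_text):
    """Split findings into those that survive the VEX document and those it suppresses."""
    index = load_statements(vex_text)
    kept, dropped = [], []
    for cve, purl in findings:
        st = index.get((cve, purl))
        (dropped if st and is_suppressed(st) else kept).append((cve, purl))
    return kept, dropped
```

Calling apply_vex(FINDINGS, VEX_JSON) drops only the first finding; the other three stay in the report because a VEX statement must match both the CVE and the product, and must carry a status that actually resolves the issue, before a scanner may hide a result.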