
Scanning Code Vulnerabilities: We're Getting Real with Trivy!

Author
Advantech ESS

This article has been rewritten and reorganized using artificial intelligence (AI) based on referenced technical documentation. The purpose is to present the content in a clearer and more accessible manner. For technical clarifications or further verification, readers are advised to consult the original documentation or contact relevant technical personnel.

Have you ever thought about how the code you write every day is like building a house? How solid is the foundation, and how safe is the structure? If there are vulnerabilities hidden in the code, it’s like termites in the house, and over time, it can cause big problems!

Don’t worry, the Arm China technology team is always at the forefront, ensuring everyone’s safety. Today, we’re going to share a super cool tool we’ve been using recently – Trivy – to give our code a comprehensive “health check.”

What is Trivy? A Code Health Check Expert!

Trivy is like a professional “code doctor.” It quickly scans a repository for known security vulnerabilities (CVEs) in the packages the project depends on, and for secrets such as private keys or tokens that should never have been committed. Imagine it as a super detective, able to delve into every corner of the code and ferret out those hidden bad guys!

Why is this important?

  • Safety First: Discover and fix vulnerabilities early to avoid hacker attacks and protect your systems and data.
  • Compliance: Ensure your code meets relevant security standards and regulations.
  • Save Time and Effort: Trivy scans quickly and is easy to operate, saving developers a lot of time and effort.

Experiment Begins! Trivy Shows Its Skills

This time, we chose the U-Boot code repository as the target to simulate a real development environment. U-Boot is a widely used open-source bootloader, and if it has security vulnerabilities, the impact could be very large.

Experiment Steps:

  1. Start Trivy: We enter the following command in the terminal to let Trivy start scanning the code repository.

    trivy repo ./
    

    This command is like saying to Trivy: “Hey, help me check the code in this folder!”

  2. Trivy Starts Scanning: Next, Trivy will start working hard. It will check every file in the code, looking for known security vulnerabilities and confidential information.

    INFO [vuln] Vulnerability scanning is enabled
    INFO [secret] Secret scanning is enabled
    INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
    WARN [pip] Unable to find python site-packages directory. License detection is skipped.

  3. View Scan Results: After the scan is complete, Trivy will generate a detailed report listing all the vulnerabilities and confidential information found.

Experiment Results: Identifying Potential Risks

After the Trivy scan, we found some potential security risks, mainly concentrated in the doc/sphinx/requirements.txt and test/py/requirements.txt files. These files list the Python packages that the project depends on.

Key Findings:

  • Multiple Python Packages Have Vulnerabilities: For example, Jinja2, Pygments, certifi, idna, requests, urllib3, pycryptodomex, zipp, and other packages have varying degrees of security vulnerabilities.

  • Private Key Found: In the board/broadcom/bcmns3/fit/keys/dev.key file, Trivy detected a high-risk AsymmetricPrivateKey.

    HIGH: AsymmetricPrivateKey (private-key)
    ══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
    Asymmetric Private Key
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     board/broadcom/bcmns3/fit/keys/dev.key:1
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
       1 [ -----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY
       2
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    

    This is a very serious finding: a private key committed to a repository is readable by everyone who can read the repository, so the key must be treated as exposed and any trust that depends on it is undermined.

Don’t Panic! We Have Solutions!

In response to these findings, we took immediate action:

  • Upgrade Package Versions: Upgrade the vulnerable Python packages to secure versions to fix known vulnerabilities.
  • Remove or Protect Private Keys: Immediately remove or take appropriate security measures to protect private keys and prevent leakage.
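As an added example (not code from the original post or from the Trivy project), the script below turns the JSON output of `trivy repo --format json ./` into exactly the two action lists above: packages to upgrade, with the version to pin, and secrets to remove. The embedded report is a constructed sample shaped like the post's findings; its CVE ids and version numbers are placeholders, and the field names (Results, Target, Vulnerabilities, Secrets, FixedVersion, RuleID) follow Trivy's JSON report schema.

```python
import json

# Constructed sample of a `trivy repo --format json ./` report, shaped like the
# findings in the post: vulnerable pip packages in two requirements.txt files
# plus a committed private key. CVE ids and versions are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "doc/sphinx/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "Jinja2", "Severity": "HIGH",
              "InstalledVersion": "0.0.1-placeholder", "FixedVersion": "0.0.2-placeholder"},
             {"VulnerabilityID": "CVE-PLACEHOLDER-2", "PkgName": "urllib3", "Severity": "MEDIUM",
              "InstalledVersion": "0.0.1-placeholder", "FixedVersion": ""}]},
        {"Target": "test/py/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "Jinja2", "Severity": "HIGH",
              "InstalledVersion": "0.0.1-placeholder", "FixedVersion": "0.0.2-placeholder"}]},
        {"Target": "board/broadcom/bcmns3/fit/keys/dev.key", "Class": "secret",
         "Secrets": [{"RuleID": "private-key", "Category": "AsymmetricPrivateKey",
                      "Severity": "HIGH", "StartLine": 1, "EndLine": 1}]}]})

BLOCKING = {"HIGH", "CRITICAL"}


def triage(report_json):
    """Split a Trivy JSON report into the post's two remediation lists: packages to
    upgrade (pkg -> fixed version) and secrets to remove. Vulnerabilities with no
    FixedVersion are returned separately so they are not silently dropped."""
    upgrades, no_fix, secrets = {}, set(), []
    for r in json.loads(report_json).get("Results", []):
        for v in r.get("Vulnerabilities") or []:      # key is absent for clean targets
            pkg = v["PkgName"].lower()                 # pip names are case-insensitive
            if v.get("FixedVersion"):
                upgrades[pkg] = v["FixedVersion"]      # same pkg in both files: one action
            else:
                no_fix.add((pkg, v["VulnerabilityID"]))
        for s in r.get("Secrets") or []:
            secrets.append((r["Target"], s["StartLine"], s["RuleID"], s["Severity"]))
    return upgrades, sorted(no_fix), secrets


def should_block(report_json):
    """CI gate: any committed secret or HIGH/CRITICAL vulnerability fails the build."""
    for r in json.loads(report_json).get("Results", []):
        vulns = r.get("Vulnerabilities") or []
        if r.get("Secrets") or any(v["Severity"] in BLOCKING for v in vulns):
            return True
    return False
```

Against a real repository, write the report with `trivy repo --format json -o report.json ./` and pass the file contents to both functions; `should_block` is the piece to wire into CI so the scan is not just informational.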

Arm China: Continuous Innovation, Safety First

This experience of using Trivy to scan code once again proves that security is crucial in the software development process. Arm China has always attached great importance to the security of its products. We are constantly exploring and adopting the latest security technologies to ensure that our products and services can provide customers with the most reliable protection.

Our Commitment:

  • Continuous R&D: We will continue to invest resources in researching and developing more advanced security technologies to improve product security.
  • Active Innovation: We will actively explore new security solutions to address ever-changing security threats.
  • Customer First: We will focus on customer needs and provide the safest and most reliable products and services.

Arm China, your trusted technology partner! Let us work together to create a safer and more reliable future!
