List vulnerable package names in an image
This guide shows how to retrieve a list of packages in a particular image.
First of all, obtain an authorization token by Authenticating a user
info
- The token is only valid for 30 minutes.
Start by Get Image Scan Results :
curl -sSL --header "authorization: Bearer access_token" \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/images"
Let's say, you're interested in viewing contents for sha256:abd4f451ddb707c8e68a36d695456a515cdd6f9581b7a8348a380030a6fd7689:
...
[
{
"_id": "sha256:abd4f451ddb707c8e68a36d695456a515cdd6f9581b7a8348a380030a6fd7689",
"type": "image",
"hostname": "",
"scanTime": "2023-01-12T11:42:57.349Z",
"binaries": [
{
"name": "bash",
"path": "/opt/bash/bin/bash",
"md5": "3fb95c7348791e4b4ff70e17367c9d22",
"cveCount": 0,
"missingPkg": true
},
...
}
...
]
Pick an image id name sha256:abd4f451ddb707c8e68a36d695456a515cdd6f9581b7a8348a380030a6fd7689 from the returned array, use this as id
and pass it as a query parameter along with layers set to true to Download Image Scan Results :
curl -sSL --header "authorization: Bearer access_token" \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/images/download?id=sha256:abd4f451ddb707c8e68a36d695456a515cdd6f9581b7a8348a380030a6fd7689&layers=true"
This will generate a CSV file that lists all vulnerable packages in a given image, organized by layer, with both the affected and fixed versions.