1.
ConPan: Analyzing Packages
Installed in Docker Containers
Ahmed Zerouali, Valerio Cosentino,
Jesus Gonzalez-Barahona, Gregorio Robles,
Tom Mens
Int’l Conf. Mining Software Repositories (MSR)
Montreal, QC, Canada - May 26-27, 2019

2.
Docker containers
● are isolated bundles of software packages
● facilitate deploying software applications in production
environments
● are created by combining and modifying images from
public (official or community) repositories

3.
Motivation: Security vulnerabilities are
main barrier to container adoption
ClusterHQ, June 2015

4.
Motivation: Security vulnerabilities are
main barrier to container adoption
FlawCheck, August 2015

5.
Commercial tools for scanning Docker images

6.
Commercial tools for scanning Docker images

7.
“Systems with a low dependency freshness are more than four
times as likely to contain security issues in these dependencies.”
“Measuring Dependency Freshness in Software Systems”, Cox et al. (ICSE 2015)
"The number of vulnerabilities is moderately correlated
with the number of outdated packages in a container”
“On the Relation between Outdated Docker Containers, Severity Vulnerabilities,
and Bugs”, A. Zerouali et al. (SANER 2019)
Outdatedness causes Security Vulnerabilities

8.
ConPAn– Container Packages Analyzer
Goal: combine information about outdatedness and security vulnerabilities

9.
ConPan Installation
$ git clone https://github.com/neglectos/ConPan
$ python3 setup.py build
$ python3 setup.py install

10.
ConPan in action
Through command-line interface:
$ conpan -p debian -c <Docker image> -d path/to/data
Example:
$ conpan -p debian -c google/mysql -d /ConPan/data/debian/

11.
ConPan in action
Through API:

12.
ConPan in action
Through API:

13.
ConPan in action
Through API: