ConPan is a tool that analyzes software packages installed in Docker containers to identify outdated and vulnerable packages. It combines information about outdatedness and known security vulnerabilities. ConPan works by scanning Docker images and comparing package information to vulnerability databases. The goal is to help identify security risks from outdated and vulnerable packages in container images to improve container security.
ConPan: Analysing Packages Installed in Docker Containers
1. ConPan: Analyzing Packages Installed in Docker Containers
Ahmed Zerouali, Valerio Cosentino, Jesus Gonzalez-Barahona, Gregorio Robles, Tom Mens
Int’l Conf. Mining Software Repositories (MSR)
Montreal, QC, Canada - May 26-27, 2019
2. Docker containers
● are isolated bundles of software packages
● facilitate deploying software applications in production environments
● are created by combining and modifying images from public (official or community) repositories
7. “Systems with a low dependency freshness are more than four times as likely to contain security issues in these dependencies.”
“Measuring Dependency Freshness in Software Systems”, Cox et al. (ICSE 2015)
“The number of vulnerabilities is moderately correlated with the number of outdated packages in a container”
“On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs”, A. Zerouali et al. (SANER 2019)
Outdatedness causes Security Vulnerabilities
8. ConPan – Container Packages Analyzer
Goal: combine information about outdatedness and security vulnerabilities
In June 2015, ClusterHQ asked enterprises, “What are the biggest barriers to putting containers in a production environment?” More than 60% of the enterprises surveyed said that security was the #1 barrier to putting containers in a production environment.
In August 2015, FlawCheck and one of our partners surveyed enterprises, asking which piece of the security equation was their top concern about running containers in production environments.
At 42%, vulnerabilities and malware in container workloads was the top container security concern among those surveyed.
Most of the tools available today are commercial (not free) tools that provide information about security vulnerabilities in packages installed in Docker containers, but they do not provide information about how outdated those packages are: how many versions they are missing and how far they lag behind the latest version.
In fact, it has been shown that the number of software vulnerabilities is related to how outdated the software is: more outdated dependencies have more vulnerabilities.
Moreover, are there any tools that provide information about other kinds of bugs, beyond security bugs?
For this reason, we have developed ConPan, a Python utility that helps to analyze packages installed in Docker containers.
The overall structure of ConPan is summarized in the figure. Its core is composed of five tasks:
(i) pulling and running Docker images;
(ii) identifying the installed packages;
(iii) tracking them back to their package managers;
(iv) searching for their known vulnerability reports or other reported bugs and quality issues;
(v) reporting the results in a specific output format.
ConPan also provides general information about the analysed Docker Hub image, fetched from the Docker Hub registry using its API.
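As an added example (not ConPan's own code), the following Python sketch walks through tasks (ii) to (v) of that pipeline on constructed input: it parses `dpkg-query` output as task (ii) would collect it from a running Debian-based container, measures how many versions each package lags behind using a constructed release history standing in for task (iii), joins that with constructed vulnerability reports (placeholder identifiers, not real advisories) for task (iv), and builds the per-package report of task (v). The `list_installed` helper shows the `docker run` invocation for tasks (i) and (ii) but is not exercised on the sample data.

```python
import subprocess

# Constructed sample of `dpkg-query -W` output (package<TAB>version per line),
# standing in for what task (ii) collects from a running container.
SAMPLE_DPKG_OUTPUT = (
    "openssl\t1.1.1d-0+deb10u3\n"
    "curl\t7.64.0-4\n"
    "zlib1g\t1:1.2.11.dfsg-1\n"
    "libfoo1\t0.9-1\n"   # constructed package unknown to the release history
)
# Constructed release history, oldest to newest, in place of the data that
# task (iii) would fetch from the package manager's archive.
RELEASE_HISTORY = {
    "openssl": ["1.1.1d-0+deb10u2", "1.1.1d-0+deb10u3",
                "1.1.1d-0+deb10u4", "1.1.1d-0+deb10u5"],
    "curl": ["7.64.0-4"],
    "zlib1g": ["1:1.2.11.dfsg-0", "1:1.2.11.dfsg-1"],
}
# Constructed reports as (placeholder id, version that fixes it); task (iv)
# would look these up in a real vulnerability database instead.
VULN_REPORTS = {
    "openssl": [("VULN-PLACEHOLDER-1", "1.1.1d-0+deb10u4"),
                ("VULN-PLACEHOLDER-2", "1.1.1d-0+deb10u5")],
}

def list_installed(image):
    """Tasks (i)-(ii): run the image and dump its installed packages (needs Docker)."""
    cmd = ["docker", "run", "--rm", image, "dpkg-query", "-W",
           "--showformat=${Package}\\t${Version}\\n"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def parse_dpkg(output):
    """Map package name -> installed version from tab-separated dpkg-query lines."""
    return dict(line.split("\t", 1) for line in output.splitlines() if "\t" in line)

def version_lag(name, installed):
    """Number of releases missing behind the newest one; None if version unknown."""
    history = RELEASE_HISTORY.get(name, [])
    return len(history) - 1 - history.index(installed) if installed in history else None

def unfixed_vulns(name, installed):
    """Reports whose fixing version is newer than the installed one (or unknown)."""
    history = RELEASE_HISTORY.get(name, [])
    at = history.index(installed) if installed in history else -1
    return [vid for vid, fixed in VULN_REPORTS.get(name, [])
            if fixed not in history or history.index(fixed) > at]

def analyze(output):
    """Task (v): one report entry per installed package, combining both signals."""
    return {name: {"installed": ver, "versions_behind": version_lag(name, ver),
                   "vulnerabilities": unfixed_vulns(name, ver)}
            for name, ver in parse_dpkg(output).items()}
```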