ConPan: Analysing Packages Installed in Docker Containers
•
0 gefällt mir•436 views
ConPan is a tool that analyzes software packages installed in Docker containers to identify outdated and vulnerable packages. It combines information about outdatedness and known security vulnerabilities. ConPan works by scanning Docker images and comparing package information to vulnerability databases. The goal is to help identify security risks from outdated and vulnerable packages in container images to improve container security.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Ähnlich wie ConPan: Analysing Packages Installed in Docker Containers
Ähnlich wie ConPan: Analysing Packages Installed in Docker Containers (20)
Mehr von Tom Mens
Mehr von Tom Mens (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
ConPan: Analysing Packages Installed in Docker Containers
- 1. ConPan: Analyzing Packages Installed in Docker Containers Ahmed Zerouali, Valerio Cosentino, Jesus Gonzalez-Barahona, Gregorio Robles, Tom Mens Int’l Conf. Mining Software Repositories (MSR) Montreal, QC, Canada - May 26-27, 2019
- 2. Docker containers ● are isolated bundles of software packages ● facilitate deploying software applications in production environments ● are created by combining and modifying images from public (official or community) repositories
- 3. Motivation: Security vulnerabilities are main barrier to container adoption ClusterHQ, June 2015
- 4. Motivation: Security vulnerabilities are main barrier to container adoption FlawCheck, August 2015
- 5. Commercial tools for scanning Docker images
- 6. Commercial tools for scanning Docker images
- 7. “Systems with a low dependency freshness are more than four times as likely to contain security issues in these dependencies.” “Measuring Dependency Freshness in Software Systems”, Cox et al. (ICSE 2015) "The number of vulnerabilities is moderately correlated with the number of outdated packages in a container” “On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs”, A. Zerouali et al. (SANER 2019) Outdatedness causes Security Vulnerabilities
- 8. ConPAn– Container Packages Analyzer Goal: combine information about outdatedness and security vulnerabilities
- 9. ConPan Installation $ git clone https://github.com/neglectos/ConPan $ python3 setup.py build $ python3 setup.py install
- 10. ConPan in action Through command-line interface: $ conpan -p debian -c <Docker image> -d path/to/data Example: $ conpan -p debian -c google/mysql -d /ConPan/data/debian/
- 11. ConPan in action Through API:
- 12. ConPan in action Through API:
- 13. ConPan in action Through API:
Hinweis der Redaktion
- So, In June 2015, ClusterHQ asked enterprises “What are the biggest barriers to putting containers in a production environment?” a higher percentage of more than >60% candidate enterprises said that security was the #1 barrier to putting containers in a production environment.
- After some time, In August 2015, FlawCheck and one of our partners, surveyed enterprises asking which piece of the security equation was their top concern about running containers in production environments. At 42%, Vulnerabilities & Malware in container workloads was the top container security concern among those surveyed.
- Most of the tools available today are commercial ( not free) tools that provide information about security vulnerabilities about packages installed in docker containers but they don’t provide information about how outdated packages are. How many versions they are missing and how much they are lagging behind the latest version.
- Most of the tools available today, they are commercial ( not free) tools that provide information about security vulnerabilities about packages installed in docker containers but they don’t provide information about how outdated packages are. How many versions they are missing and how much they are lagging behind the latest version.
- In fact, it has been shown that the number of software vulnerabilities is related with how outdated this software is. More outdated dependencies have more vulnerabilities. Moreover, are there any tools that provide information about other kind of bugs, other than security bugs.
- For this reason, we have developed ConPan. A python utility that helps to anlayze packages installed in Docker containers. The overall structure of ConPan is summarized in the figure. Its core is composed by five tasks, which consists of: (i) pulling and running Docker images; (ii) identifying the installed packages; (iii) tracking them back to their package managers; (iv) searching for their known vulnerability reports or other reported bugs and quality issues; (v) reporting the results in a specific output format. ConPan also provides general information about the analysed Docker Hub image, fetched from the Docker Hub registry using its API.
- To install conpan