As application designs become more intricate in today's digital age, they often form a complex web of interconnected dependencies. This can result in a daunting dependency tree that can be challenging to monitor and maintain.
Take the Equifax data breach in September 2017 as an example. Equifax, one of the major credit reporting agencies in the US, suffered a data breach due to a vulnerability in the Apache Strut framework (CVE-2017–5638) dependency, which is widely used for developing web applications in Java. The mishandling of uploaded files enabled hackers to execute remote code, exposing the personal data of 147 million people.
In Docker, dependencies are commonly associated with the services or libraries needed for a containerized application to function properly. These dependencies are outlined in the Dockerfile during the image creation phase. For instance, take a Python application with the following requirements:
Flask==1.1.2
NumPy==1.19.2
pandas==1.1.3
SQLAlchemy==1.3.19
Its Dockerfile will instruct the engine to install these requirements when a container run the image.
FROM ubuntu:20.04
RUN apt-get update && apt-get install -y python3.8 python3-pip
WORKDIR /app
COPY requirements.txt .
RUN pip3 install -r requirements.txt
COPY . .
CMD [ "python3", "./app.py" ]
Despite their simplicity, such applications will also incorporate the following sub-dependencies, adding complexity and potential vulnerability points.
$ sudo docker scan gtrekter/training:1.0 --dependency-tree
docker-image|training @ 1.0
├─ adduser @ 3.118ubuntu2
│ └─ shadow/passwd @ 1:4.8.1-1ubuntu5.20.04.4
│ ├─ libsemanage/libsemanage1 @ 3.0-1build2
│ │ ├─ libsemanage/libsemanage-common @ 3.0-1build2
│ │ └─ libsepol/libsepol1 @ 3.0-1ubuntu0.1
│ ├─ pam/libpam-modules @ 1.3.1-5ubuntu4.6
│ │ ├─ db5.3/libdb5.3 @ 5.3.28+dfsg1-0.6ubuntu2
│ │ ├─ pam/libpam-modules-bin @ 1.3.1-5ubuntu4.6
│ │ │ └─ pam/libpam0g @ 1.3.1-5ubuntu4.6
│ │ └─ pam/libpam0g @ 1.3.1-5ubuntu4.6
│ └─ pam/libpam0g @ 1.3.1-5ubuntu4.6
├─ apt @ 2.0.9
│ ├─ adduser @ 3.118ubuntu2
│ ├─ apt/libapt-pkg6.0 @ 2.0.9
│ │ ├─ gcc-10/libstdc++6 @ 10.3.0-1ubuntu1~20.04
│ │ ├─ libgcrypt20 @ 1.8.5-5ubuntu1.1
│ │ ├─ lz4/liblz4-1 @ 1.9.2-2ubuntu0.20.04.1
│ │ ├─ systemd/libsystemd0 @ 245.4-4ubuntu3.21
│ │ │ ├─ libgcrypt20 @ 1.8.5-5ubuntu1.1
│ │ │ └─ lz4/liblz4-1 @ 1.9.2-2ubuntu0.20.04.1
│ │ └─ systemd/libudev1 @ 245.4-4ubuntu3.21
│ ├─ gcc-10/libstdc++6 @ 10.3.0-1ubuntu1~20.04
│ ├─ gnupg2/gpgv @ 2.2.19-3ubuntu2.2
│ │ └─ libgcrypt20 @ 1.8.5-5ubuntu1.1
│ ├─ gnutls28/libgnutls30 @ 3.6.13-2ubuntu1.8
│ │ ├─ libidn2/libidn2-0 @ 2.2.0-2
│ │ │ └─ libunistring/libunistring2 @ 0.9.10-2
│ │ ├─ libtasn1-6 @ 4.16.0-2
│ │ ├─ libunistring/libunistring2 @ 0.9.10-2
│ │ ├─ nettle/libhogweed5 @ 3.5.1+really3.5.1-2ubuntu0.2
│ │ │ └─ nettle/libnettle7 @ 3.5.1+really3.5.1-2ubuntu0.2
│ │ ├─ nettle/libnettle7 @ 3.5.1+really3.5.1-2ubuntu0.2
│ │ └─ p11-kit/libp11-kit0 @ 0.23.20-1ubuntu0.1
│ │ └─ libffi/libffi7 @ 3.3-4
│ ├─ libseccomp/libseccomp2 @ 2.5.1-1ubuntu1~20.04.2
│ ├─ systemd/libsystemd0 @ 245.4-4ubuntu3.21
│ └─ ubuntu-keyring @ 2020.02.11.4
├─ apt/libapt-pkg6.0 @ 2.0.9
├─ attr/libattr1 @ 1:2.4.48-5
├─ base-files @ 11ubuntu5.7
│ └─ mawk @ 1.3.4.20200120-2
├─ base-passwd @ 3.5.47
│ └─ cdebconf/libdebconfclient0 @ 0.251ubuntu1
├─ bash @ 5.0-6ubuntu1.2
│ ├─ base-files @ 11ubuntu5.7
│ └─ debianutils @ 4.9.1
├─ binutils @ 2.34-6ubuntu1.5
│ ├─ binutils/binutils-common @ 2.34-6ubuntu1.5
│ ├─ binutils/binutils-x86-64-linux-gnu @ 2.34-6ubuntu1.5
│ │ ├─ binutils/binutils-common @ 2.34-6ubuntu1.5
│ │ ├─ binutils/libbinutils @ 2.34-6ubuntu1.5
│ │ ├─ binutils/libctf-nobfd0 @ 2.34-6ubuntu1.5
│ │ ├─ binutils/libctf0 @ 2.34-6ubuntu1.5
│ │ │ └─ binutils/libbinutils @ 2.34-6ubuntu1.5
│ │ └─ gcc-10/libstdc++6 @ 10.3.0-1ubuntu1~20.04
│ └─ binutils/libbinutils @ 2.34-6ubuntu1.5
│ └─ binutils/binutils-common @ 2.34-6ubuntu1.5
├─ binutils/binutils-common @ 2.34-6ubuntu1.5
├─ binutils/binutils-x86-64-linux-gnu @ 2.34-6ubuntu1.5
├─ binutils/libbinutils @ 2.34-6ubuntu1.5
├─ binutils/libctf-nobfd0 @ 2.34-6ubuntu1.5
├─ binutils/libctf0 @ 2.34-6ubuntu1.5
├─ build-essential @ 12.8ubuntu1.1
│ ├─ dpkg/dpkg-dev @ 1.19.7ubuntu3.2
│ │ ├─ binutils @ 2.34-6ubuntu1.5
│ │ ├─ bzip2 @ 1.0.8-2
│ │ ├─ dpkg/libdpkg-perl @ 1.19.7ubuntu3.2
│ │ ├─ make-dfsg/make @ 4.2.1-1.2
│ │ ├─ patch @ 2.7.6-6
│ │ └─ xz-utils @ 5.2.4-1ubuntu1.1
│ ├─ gcc-defaults/g++ @ 4:9.3.0-1ubuntu2
│ │ ├─ gcc-9 @ 9.4.0-1ubuntu1~20.04.1
│ │ ├─ gcc-9/g++-9 @ 9.4.0-1ubuntu1~20.04.1
│ │ │ ├─ gcc-9 @ 9.4.0-1ubuntu1~20.04.1
│ │ │ ├─ gcc-9/gcc-9-base @ 9.4.0-1ubuntu1~20.04.1
│ │ │ ├─ gcc-9/libstdc++-9-dev @ 9.4.0-1ubuntu1~20.04.1
│ │ │ │ ├─ gcc-10/libstdc++6 @ 10.3.0-1ubuntu1~20.04
│ │ │ │ ├─ gcc-9/gcc-9-base @ 9.4.0-1ubuntu1~20.04.1
│ │ │ │ ├─ gcc-9/libgcc-9-dev @ 9.4.0-1ubuntu1~20.04.1
│ │ │ │ └─ glibc/libc6-dev @ 2.31-0ubuntu9.9
│ │ │ ├─ isl/libisl22 @ 0.22.1-1
│ │ │ ├─ mpclib3/libmpc3 @ 1.1.0-1
│ │ │ └─ mpfr4/libmpfr6 @ 4.0.2-1
│ │ ├─ gcc-defaults/cpp @ 4:9.3.0-1ubuntu2
│ │ └─ gcc-defaults/gcc @ 4:9.3.0-1ubuntu2
│ ├─ gcc-defaults/gcc @ 4:9.3.0-1ubuntu2
│ │ ├─ gcc-9 @ 9.4.0-1ubuntu1~20.04.1
│ │ │ ├─ binutils @ 2.34-6ubuntu1.5
│ │ │ ├─ gcc-10/libcc1-0 @ 10.3.0-1ubuntu1~20.04
│ │ │ │ └─ gcc-10/libstdc++6 @ 10.3.0-1ubuntu1~20.04
│ │ │ ├─ gcc-10/libstdc++6 @ 10.3.0-1ubuntu1~20.04
│ │ │ ├─ gcc-9/cpp-9 @ 9.4.0-1ubuntu1~20.04.1
│ │ │ ├─ gcc-9/gcc-9-base @ 9.4.0-1ubuntu1~20.04.1
│ │ │ ├─ gcc-9/libgcc-9-dev @ 9.4.0-1ubuntu1~20.04.1
│ │ │ │ ├─ gcc-10/libatomic1 @ 10.3.0-1ubuntu1~20.04
│ │ │ │ ├─ gcc-10/libgomp1 @ 10.3.0-1ubuntu1~20.04
│ │ │ │ ├─ gcc-10/libitm1 @ 10.3.0-1ubuntu1~20.04
│ │ │ │ ├─ gcc-10/liblsan0 @ 10.3.0-1ubuntu1~20.04
│ │ │ │ ├─ gcc-10/libquadmath0 @ 10.3.0-1ubuntu1~20.04
│ │ │ │ ├─ gcc-10/libtsan0 @ 10.3.0-1ubuntu1~20.04
│ │ │ │ ├─ gcc-10/libubsan1 @ 10.3.0-1ubuntu1~20.04
│ │ │ │ │ └─ gcc-10/libstdc++6 @ 10.3.0-1ubuntu1~20.04
│ │ │ │ ├─ gcc-9/gcc-9-base @ 9.4.0-1ubuntu1~20.04.1
│ │ │ │ └─ gcc-9/libasan5 @ 9.4.0-1ubuntu1~20.04.1
│ │ │ │ └─ gcc-9/gcc-9-base @ 9.4.0-1ubuntu1~20.04.1
│ │ │ ├─ isl/libisl22 @ 0.22.1-1
│ │ │ ├─ mpclib3/libmpc3 @ 1.1.0-1
│ │ │ └─ mpfr4/libmpfr6 @ 4.0.2-1
│ │ └─ gcc-defaults/cpp @ 4:9.3.0-1ubuntu2
│ │ └─ gcc-9/cpp-9 @ 9.4.0-1ubuntu1~20.04.1
│ │ ├─ gcc-9/gcc-9-base @ 9.4.0-1ubuntu1~20.04.1
│ │ ├─ isl/libisl22 @ 0.22.1-1
│ │ ├─ mpclib3/libmpc3 @ 1.1.0-1
│ │ │ └─ mpfr4/libmpfr6 @ 4.0.2-1
│ │ └─ mpfr4/libmpfr6 @ 4.0.2-1
│ ├─ glibc/libc6-dev @ 2.31-0ubuntu9.9
│ │ ├─ glibc/libc-dev-bin @ 2.31-0ubuntu9.9
│ │ ├─ libxcrypt/libcrypt-dev @ 1:4.4.10-10ubuntu4
│ │ └─ linux/linux-libc-dev @ 5.4.0-150.167
│ └─ make-dfsg/make @ 4.2.1-1.2
├─ bzip2 @ 1.0.8-2
├─ cdebconf/libdebconfclient0 @ 0.251ubuntu1
├─ coreutils @ 8.30-3ubuntu2
│ └─ attr/libattr1 @ 1:2.4.48-5
├─ cyrus-sasl2/libsasl2-2 @ 2.1.27+dfsg-2ubuntu0.1
├─ cyrus-sasl2/libsasl2-modules @ 2.1.27+dfsg-2ubuntu0.1
│ └─ openssl/libssl1.1 @ 1.1.1f-1ubuntu2.19
├─ cyrus-sasl2/libsasl2-modules-db @ 2.1.27+dfsg-2ubuntu0.1
├─ dash @ 0.5.10.2-6
│ └─ debianutils @ 4.9.1
├─ db5.3/libdb5.3 @ 5.3.28+dfsg1-0.6ubuntu2
├─ debianutils @ 4.9.1
├─ diffutils @ 1:3.7-3
├─ dpkg/dpkg-dev @ 1.19.7ubuntu3.2
├─ dpkg/libdpkg-perl @ 1.19.7ubuntu3.2
├─ e2fsprogs @ 1.45.5-2ubuntu1.1
│ ├─ e2fsprogs/libext2fs2 @ 1.45.5-2ubuntu1.1
│ ├─ e2fsprogs/libss2 @ 1.45.5-2ubuntu1.1
│ ├─ e2fsprogs/logsave @ 1.45.5-2ubuntu1.1
│ ├─ util-linux/libblkid1 @ 2.34-0.1ubuntu9.3
│ └─ util-linux/libuuid1 @ 2.34-0.1ubuntu9.3
├─ e2fsprogs/libext2fs2 @ 1.45.5-2ubuntu1.1
├─ e2fsprogs/libss2 @ 1.45.5-2ubuntu1.1
├─ e2fsprogs/logsave @ 1.45.5-2ubuntu1.1
├─ expat/libexpat1-dev @ 2.2.9-1ubuntu0.6
│ ├─ expat/libexpat1 @ 2.2.9-1ubuntu0.6
│ └─ glibc/libc6-dev @ 2.31-0ubuntu9.9
├─ fakeroot @ 1.24-1
│ └─ fakeroot/libfakeroot @ 1.24-1
├─ fakeroot/libfakeroot @ 1.24-1
├─ file @ 1:5.38-4
│ └─ file/libmagic1 @ 1:5.38-4
│ └─ file/libmagic-mgc @ 1:5.38-4
├─ file/libmagic-mgc @ 1:5.38-4
├─ file/libmagic1 @ 1:5.38-4
├─ findutils @ 4.7.0-1ubuntu1
├─ gcc-10/libatomic1 @ 10.3.0-1ubuntu1~20.04
├─ gcc-10/libcc1-0 @ 10.3.0-1ubuntu1~20.04
├─ gcc-10/libgomp1 @ 10.3.0-1ubuntu1~20.04
├─ gcc-10/libitm1 @ 10.3.0-1ubuntu1~20.04
├─ gcc-10/liblsan0 @ 10.3.0-1ubuntu1~20.04
├─ gcc-10/libquadmath0 @ 10.3.0-1ubuntu1~20.04
├─ gcc-10/libstdc++6 @ 10.3.0-1ubuntu1~20.04
├─ gcc-10/libtsan0 @ 10.3.0-1ubuntu1~20.04
├─ gcc-10/libubsan1 @ 10.3.0-1ubuntu1~20.04
├─ gcc-9 @ 9.4.0-1ubuntu1~20.04.1
├─ gcc-9/cpp-9 @ 9.4.0-1ubuntu1~20.04.1
├─ gcc-9/g++-9 @ 9.4.0-1ubuntu1~20.04.1
├─ gcc-9/gcc-9-base @ 9.4.0-1ubuntu1~20.04.1
├─ gcc-9/libasan5 @ 9.4.0-1ubuntu1~20.04.1
├─ gcc-9/libgcc-9-dev @ 9.4.0-1ubuntu1~20.04.1
├─ gcc-9/libstdc++-9-dev @ 9.4.0-1ubuntu1~20.04.1
├─ gcc-defaults/cpp @ 4:9.3.0-1ubuntu2
├─ gcc-defaults/g++ @ 4:9.3.0-1ubuntu2
├─ gcc-defaults/gcc @ 4:9.3.0-1ubuntu2
├─ gdbm/libgdbm-compat4 @ 1.18.1-5
├─ gdbm/libgdbm6 @ 1.18.1-5
├─ glibc/libc-bin @ 2.31-0ubuntu9.9
├─ glibc/libc-dev-bin @ 2.31-0ubuntu9.9
├─ glibc/libc6-dev @ 2.31-0ubuntu9.9
├─ gnupg2/dirmngr @ 2.2.19-3ubuntu2.2
│ ├─ adduser @ 3.118ubuntu2
│ ├─ gnupg2/gpgconf @ 2.2.19-3ubuntu2.2
│ │ ├─ libassuan/libassuan0 @ 2.5.3-7ubuntu2
│ │ ├─ libgcrypt20 @ 1.8.5-5ubuntu1.1
│ │ └─ readline/libreadline8 @ 8.0-4
│ ├─ gnutls28/libgnutls30 @ 3.6.13-2ubuntu1.8
│ ├─ init-system-helpers @ 1.57
│ ├─ libassuan/libassuan0 @ 2.5.3-7ubuntu2
│ ├─ libgcrypt20 @ 1.8.5-5ubuntu1.1
│ ├─ libksba/libksba8 @ 1.3.5-2ubuntu0.20.04.2
│ ├─ lsb/lsb-base @ 11.1.0ubuntu2
│ ├─ npth/libnpth0 @ 1.6-1
│ └─ openldap/libldap-2.4-2 @ 2.4.49+dfsg-2ubuntu1.9
│ ├─ cyrus-sasl2/libsasl2-2 @ 2.1.27+dfsg-2ubuntu0.1
│ │ └─ cyrus-sasl2/libsasl2-modules-db @ 2.1.27+dfsg-2ubuntu0.1
│ │ └─ db5.3/libdb5.3 @ 5.3.28+dfsg1-0.6ubuntu2
│ ├─ gnutls28/libgnutls30 @ 3.6.13-2ubuntu1.8
│ ├─ heimdal/libgssapi3-heimdal @ 7.7.0+dfsg-1ubuntu1.4
│ │ ├─ heimdal/libasn1-8-heimdal @ 7.7.0+dfsg-1ubuntu1.4
│ │ ├─ heimdal/libhcrypto4-heimdal @ 7.7.0+dfsg-1ubuntu1.4
│ │ │ ├─ heimdal/libasn1-8-heimdal @ 7.7.0+dfsg-1ubuntu1.4
│ │ │ └─ heimdal/libheimbase1-heimdal @ 7.7.0+dfsg-1ubuntu1.4
│ │ ├─ heimdal/libheimntlm0-heimdal @ 7.7.0+dfsg-1ubuntu1.4
│ │ │ ├─ heimdal/libhcrypto4-heimdal @ 7.7.0+dfsg-1ubuntu1.4
│ │ │ ├─ heimdal/libkrb5-26-heimdal @ 7.7.0+dfsg-1ubuntu1.4
│ │ │ │ ├─ heimdal/libasn1-8-heimdal @ 7.7.0+dfsg-1ubuntu1.4
│ │ │ │ ├─ heimdal/libhcrypto4-heimdal @ 7.7.0+dfsg-1ubuntu1.4
│ │ │ │ ├─ heimdal/libheimbase1-heimdal @ 7.7.0+dfsg-1ubuntu1.4
│ │ │ │ ├─ heimdal/libhx509-5-heimdal @ 7.7.0+dfsg-1ubuntu1.4
│ │ │ │ │ ├─ heimdal/libasn1-8-heimdal @ 7.7.0+dfsg-1ubuntu1.4
│ │ │ │ │ ├─ heimdal/libhcrypto4-heimdal @ 7.7.0+dfsg-1ubuntu1.4
│ │ │ │ │ ├─ heimdal/libheimbase1-heimdal @ 7.7.0+dfsg-1ubuntu1.4
│ │ │ │ │ └─ heimdal/libwind0-heimdal @ 7.7.0+dfsg-1ubuntu1.4
│ │ │ │ ├─ heimdal/libwind0-heimdal @ 7.7.0+dfsg-1ubuntu1.4
│ │ │ │ └─ sqlite3/libsqlite3-0 @ 3.31.1-4ubuntu0.5
│ │ │ └─ heimdal/libwind0-heimdal @ 7.7.0+dfsg-1ubuntu1.4
│ │ └─ heimdal/libkrb5-26-heimdal @ 7.7.0+dfsg-1ubuntu1.4
│ └─ openldap/libldap-common @ 2.4.49+dfsg-2ubuntu1.9
├─ gnupg2/gnupg @ 2.2.19-3ubuntu2.2
│ ├─ gnupg2/dirmngr @ 2.2.19-3ubuntu2.2
│ ├─ gnupg2/gnupg-l10n @ 2.2.19-3ubuntu2.2
│ ├─ gnupg2/gnupg-utils @ 2.2.19-3ubuntu2.2
│ │ ├─ libassuan/libassuan0 @ 2.5.3-7ubuntu2
│ │ ├─ libgcrypt20 @ 1.8.5-5ubuntu1.1
│ │ ├─ libksba/libksba8 @ 1.3.5-2ubuntu0.20.04.2
│ │ └─ readline/libreadline8 @ 8.0-4
│ ├─ gnupg2/gpg @ 2.2.19-3ubuntu2.2
│ │ ├─ gnupg2/gpgconf @ 2.2.19-3ubuntu2.2
│ │ ├─ libassuan/libassuan0 @ 2.5.3-7ubuntu2
│ │ ├─ libgcrypt20 @ 1.8.5-5ubuntu1.1
│ │ ├─ readline/libreadline8 @ 8.0-4
│ │ └─ sqlite3/libsqlite3-0 @ 3.31.1-4ubuntu0.5
│ ├─ gnupg2/gpg-agent @ 2.2.19-3ubuntu2.2
│ │ ├─ gnupg2/gpgconf @ 2.2.19-3ubuntu2.2
│ │ ├─ init-system-helpers @ 1.57
│ │ ├─ libassuan/libassuan0 @ 2.5.3-7ubuntu2
│ │ ├─ libgcrypt20 @ 1.8.5-5ubuntu1.1
│ │ ├─ npth/libnpth0 @ 1.6-1
│ │ └─ pinentry/pinentry-curses @ 1.1.0-3build1
│ │ ├─ libassuan/libassuan0 @ 2.5.3-7ubuntu2
│ │ └─ ncurses/libncursesw6 @ 6.2-0ubuntu2
│ ├─ gnupg2/gpg-wks-client @ 2.2.19-3ubuntu2.2
│ │ ├─ gnupg2/dirmngr @ 2.2.19-3ubuntu2.2
│ │ ├─ gnupg2/gpg @ 2.2.19-3ubuntu2.2
│ │ ├─ gnupg2/gpg-agent @ 2.2.19-3ubuntu2.2
│ │ ├─ libassuan/libassuan0 @ 2.5.3-7ubuntu2
│ │ └─ libgcrypt20 @ 1.8.5-5ubuntu1.1
│ ├─ gnupg2/gpg-wks-server @ 2.2.19-3ubuntu2.2
│ │ ├─ gnupg2/gpg @ 2.2.19-3ubuntu2.2
│ │ ├─ gnupg2/gpg-agent @ 2.2.19-3ubuntu2.2
│ │ └─ libgcrypt20 @ 1.8.5-5ubuntu1.1
│ ├─ gnupg2/gpgsm @ 2.2.19-3ubuntu2.2
│ │ ├─ gnupg2/gpgconf @ 2.2.19-3ubuntu2.2
│ │ ├─ libassuan/libassuan0 @ 2.5.3-7ubuntu2
│ │ ├─ libgcrypt20 @ 1.8.5-5ubuntu1.1
│ │ ├─ libksba/libksba8 @ 1.3.5-2ubuntu0.20.04.2
│ │ └─ readline/libreadline8 @ 8.0-4
│ └─ gnupg2/gpgv @ 2.2.19-3ubuntu2.2
├─ gnupg2/gnupg-l10n @ 2.2.19-3ubuntu2.2
├─ gnupg2/gnupg-utils @ 2.2.19-3ubuntu2.2
├─ gnupg2/gpg @ 2.2.19-3ubuntu2.2
├─ gnupg2/gpg-agent @ 2.2.19-3ubuntu2.2
├─ gnupg2/gpg-wks-client @ 2.2.19-3ubuntu2.2
├─ gnupg2/gpg-wks-server @ 2.2.19-3ubuntu2.2
├─ gnupg2/gpgconf @ 2.2.19-3ubuntu2.2
├─ gnupg2/gpgsm @ 2.2.19-3ubuntu2.2
├─ gnupg2/gpgv @ 2.2.19-3ubuntu2.2
├─ gnutls28/libgnutls30 @ 3.6.13-2ubuntu1.8
├─ grep @ 3.4-1
│ └─ pcre3/libpcre3 @ 2:8.39-12ubuntu0.1
├─ gzip @ 1.10-0ubuntu4.1
├─ heimdal/libasn1-8-heimdal @ 7.7.0+dfsg-1ubuntu1.4
├─ heimdal/libgssapi3-heimdal @ 7.7.0+dfsg-1ubuntu1.4
├─ heimdal/libhcrypto4-heimdal @ 7.7.0+dfsg-1ubuntu1.4
├─ heimdal/libheimbase1-heimdal @ 7.7.0+dfsg-1ubuntu1.4
├─ heimdal/libheimntlm0-heimdal @ 7.7.0+dfsg-1ubuntu1.4
├─ heimdal/libhx509-5-heimdal @ 7.7.0+dfsg-1ubuntu1.4
├─ heimdal/libkrb5-26-heimdal @ 7.7.0+dfsg-1ubuntu1.4
├─ heimdal/libwind0-heimdal @ 7.7.0+dfsg-1ubuntu1.4
├─ hostname @ 3.23
├─ init-system-helpers @ 1.57
├─ isl/libisl22 @ 0.22.1-1
├─ libalgorithm-diff-perl @ 1.19.03-2
│ └─ perl @ 5.30.0-9ubuntu0.4
│ ├─ perl/libperl5.30 @ 5.30.0-9ubuntu0.4
│ │ ├─ db5.3/libdb5.3 @ 5.3.28+dfsg1-0.6ubuntu2
│ │ ├─ gdbm/libgdbm-compat4 @ 1.18.1-5
│ │ │ └─ gdbm/libgdbm6 @ 1.18.1-5
│ │ ├─ gdbm/libgdbm6 @ 1.18.1-5
│ │ └─ perl/perl-modules-5.30 @ 5.30.0-9ubuntu0.4
│ └─ perl/perl-modules-5.30 @ 5.30.0-9ubuntu0.4
├─ libalgorithm-diff-xs-perl @ 0.04-6
│ ├─ libalgorithm-diff-perl @ 1.19.03-2
│ └─ perl @ 5.30.0-9ubuntu0.4
├─ libalgorithm-merge-perl @ 0.08-3
│ ├─ libalgorithm-diff-perl @ 1.19.03-2
│ └─ perl @ 5.30.0-9ubuntu0.4
├─ libassuan/libassuan0 @ 2.5.3-7ubuntu2
├─ libffi/libffi7 @ 3.3-4
├─ libfile-fcntllock-perl @ 0.22-3build4
│ └─ perl @ 5.30.0-9ubuntu0.4
├─ libgcrypt20 @ 1.8.5-5ubuntu1.1
├─ libidn2/libidn2-0 @ 2.2.0-2
├─ libksba/libksba8 @ 1.3.5-2ubuntu0.20.04.2
├─ liblocale-gettext-perl @ 1.07-4
├─ libseccomp/libseccomp2 @ 2.5.1-1ubuntu1~20.04.2
├─ libsemanage/libsemanage-common @ 3.0-1build2
├─ libsemanage/libsemanage1 @ 3.0-1build2
├─ libsepol/libsepol1 @ 3.0-1ubuntu0.1
├─ libtasn1-6 @ 4.16.0-2
├─ libunistring/libunistring2 @ 0.9.10-2
├─ libxcrypt/libcrypt-dev @ 1:4.4.10-10ubuntu4
├─ linux/linux-libc-dev @ 5.4.0-150.167
├─ lsb/lsb-base @ 11.1.0ubuntu2
├─ lz4/liblz4-1 @ 1.9.2-2ubuntu0.20.04.1
├─ make-dfsg/make @ 4.2.1-1.2
├─ manpages @ 5.05-1
├─ manpages/manpages-dev @ 5.05-1
│ └─ manpages @ 5.05-1
├─ mawk @ 1.3.4.20200120-2
├─ meta-common-packages @ meta
│ ├─ acl/libacl1 @ 2.2.53-6
│ ├─ audit/libaudit-common @ 1:2.8.5-2ubuntu6
│ ├─ audit/libaudit1 @ 1:2.8.5-2ubuntu6
│ ├─ bzip2/libbz2-1.0 @ 1.0.8-2
│ ├─ debconf @ 1.5.73
│ ├─ dpkg @ 1.19.7ubuntu3.2
│ ├─ e2fsprogs/libcom-err2 @ 1.45.5-2ubuntu1.1
│ ├─ gcc-10/gcc-10-base @ 10.3.0-1ubuntu1~20.04
│ ├─ gcc-10/libgcc-s1 @ 10.3.0-1ubuntu1~20.04
│ ├─ glibc/libc6 @ 2.31-0ubuntu9.9
│ ├─ gmp/libgmp10 @ 2:6.2.0+dfsg-4ubuntu0.1
│ ├─ heimdal/libroken18-heimdal @ 7.7.0+dfsg-1ubuntu1.4
│ ├─ libcap-ng/libcap-ng0 @ 0.7.9-2.1build1
│ ├─ libgpg-error/libgpg-error0 @ 1.37-1
│ ├─ libselinux/libselinux1 @ 3.0-1build2
│ ├─ libxcrypt/libcrypt1 @ 1:4.4.10-10ubuntu4
│ ├─ libzstd/libzstd1 @ 1.4.4+dfsg-3ubuntu0.1
│ ├─ ncurses/libtinfo6 @ 6.2-0ubuntu2
│ ├─ pcre2/libpcre2-8-0 @ 10.34-7ubuntu0.1
│ ├─ perl/perl-base @ 5.30.0-9ubuntu0.4
│ ├─ tar @ 1.30+dfsg-7ubuntu0.20.04.3
│ ├─ xz-utils/liblzma5 @ 5.2.4-1ubuntu1.1
│ └─ zlib/zlib1g @ 1:1.2.11.dfsg-2ubuntu1.5
├─ mpclib3/libmpc3 @ 1.1.0-1
├─ mpfr4/libmpfr6 @ 4.0.2-1
├─ ncurses/libncurses6 @ 6.2-0ubuntu2
├─ ncurses/libncursesw6 @ 6.2-0ubuntu2
├─ ncurses/ncurses-base @ 6.2-0ubuntu2
├─ ncurses/ncurses-bin @ 6.2-0ubuntu2
├─ netbase @ 6.1
├─ nettle/libhogweed5 @ 3.5.1+really3.5.1-2ubuntu0.2
├─ nettle/libnettle7 @ 3.5.1+really3.5.1-2ubuntu0.2
├─ npth/libnpth0 @ 1.6-1
├─ openldap/libldap-2.4-2 @ 2.4.49+dfsg-2ubuntu1.9
├─ openldap/libldap-common @ 2.4.49+dfsg-2ubuntu1.9
├─ p11-kit/libp11-kit0 @ 0.23.20-1ubuntu0.1
├─ pam/libpam-modules @ 1.3.1-5ubuntu4.6
├─ pam/libpam-modules-bin @ 1.3.1-5ubuntu4.6
├─ pam/libpam-runtime @ 1.3.1-5ubuntu4.6
│ └─ pam/libpam-modules @ 1.3.1-5ubuntu4.6
├─ pam/libpam0g @ 1.3.1-5ubuntu4.6
├─ patch @ 2.7.6-6
├─ pcre3/libpcre3 @ 2:8.39-12ubuntu0.1
├─ perl @ 5.30.0-9ubuntu0.4
├─ perl/libperl5.30 @ 5.30.0-9ubuntu0.4
├─ perl/perl-modules-5.30 @ 5.30.0-9ubuntu0.4
├─ pinentry/pinentry-curses @ 1.1.0-3build1
├─ procps @ 2:3.3.16-1ubuntu2.3
│ ├─ init-system-helpers @ 1.57
│ ├─ lsb/lsb-base @ 11.1.0ubuntu2
│ ├─ ncurses/libncurses6 @ 6.2-0ubuntu2
│ ├─ ncurses/libncursesw6 @ 6.2-0ubuntu2
│ └─ procps/libprocps8 @ 2:3.3.16-1ubuntu2.3
├─ procps/libprocps8 @ 2:3.3.16-1ubuntu2.3
│ └─ systemd/libsystemd0 @ 245.4-4ubuntu3.21
├─ python-pip/python3-pip @ 20.0.2-5ubuntu1.8
│ ├─ ca-certificates @ 20230311ubuntu0.20.04.1
│ │ └─ openssl @ 1.1.1f-1ubuntu2.19
│ │ └─ openssl/libssl1.1 @ 1.1.1f-1ubuntu2.19
│ ├─ python-pip/python-pip-whl @ 20.0.2-5ubuntu1.8
│ │ └─ ca-certificates @ 20230311ubuntu0.20.04.1
│ ├─ python3-stdlib-extensions/python3-distutils @ 3.8.10-0ubuntu1~20.04
│ │ └─ python3-stdlib-extensions/python3-lib2to3 @ 3.8.10-0ubuntu1~20.04
│ ├─ setuptools/python3-setuptools @ 45.2.0-1ubuntu0.1
│ │ ├─ python3-stdlib-extensions/python3-distutils @ 3.8.10-0ubuntu1~20.04
│ │ └─ setuptools/python3-pkg-resources @ 45.2.0-1ubuntu0.1
│ └─ wheel/python3-wheel @ 0.34.2-1ubuntu0.1
├─ python3-defaults/libpython3-dev @ 3.8.2-0ubuntu2
│ └─ python3.8/libpython3.8-dev @ 3.8.10-0ubuntu1~20.04.8
│ ├─ expat/libexpat1-dev @ 2.2.9-1ubuntu0.6
│ ├─ python3.8/libpython3.8 @ 3.8.10-0ubuntu1~20.04.8
│ │ ├─ expat/libexpat1 @ 2.2.9-1ubuntu0.6
│ │ └─ python3.8/libpython3.8-stdlib @ 3.8.10-0ubuntu1~20.04.8
│ └─ python3.8/libpython3.8-stdlib @ 3.8.10-0ubuntu1~20.04.8
├─ python3-defaults/libpython3-stdlib @ 3.8.2-0ubuntu2
│ └─ python3.8/libpython3.8-stdlib @ 3.8.10-0ubuntu1~20.04.8
├─ python3-defaults/python3 @ 3.8.2-0ubuntu2
│ ├─ python3-defaults/libpython3-stdlib @ 3.8.2-0ubuntu2
│ ├─ python3-defaults/python3-minimal @ 3.8.2-0ubuntu2
│ │ └─ python3.8/python3.8-minimal @ 3.8.10-0ubuntu1~20.04.8
│ └─ python3.8 @ 3.8.10-0ubuntu1~20.04.8
├─ python3-defaults/python3-dev @ 3.8.2-0ubuntu2
│ ├─ python3-defaults/libpython3-dev @ 3.8.2-0ubuntu2
│ ├─ python3-defaults/python3 @ 3.8.2-0ubuntu2
│ ├─ python3-stdlib-extensions/python3-distutils @ 3.8.10-0ubuntu1~20.04
│ └─ python3.8/python3.8-dev @ 3.8.10-0ubuntu1~20.04.8
│ ├─ expat/libexpat1-dev @ 2.2.9-1ubuntu0.6
│ ├─ python3.8 @ 3.8.10-0ubuntu1~20.04.8
│ ├─ python3.8/libpython3.8 @ 3.8.10-0ubuntu1~20.04.8
│ ├─ python3.8/libpython3.8-dev @ 3.8.10-0ubuntu1~20.04.8
│ └─ zlib/zlib1g-dev @ 1:1.2.11.dfsg-2ubuntu1.5
│ └─ glibc/libc6-dev @ 2.31-0ubuntu9.9
├─ python3-defaults/python3-minimal @ 3.8.2-0ubuntu2
├─ python3.8 @ 3.8.10-0ubuntu1~20.04.8
│ ├─ mime-support @ 3.64ubuntu1
│ ├─ python3.8/libpython3.8-stdlib @ 3.8.10-0ubuntu1~20.04.8
│ │ ├─ db5.3/libdb5.3 @ 5.3.28+dfsg1-0.6ubuntu2
│ │ ├─ libffi/libffi7 @ 3.3-4
│ │ ├─ mime-support @ 3.64ubuntu1
│ │ ├─ mpdecimal/libmpdec2 @ 2.4.2-3
│ │ ├─ ncurses/libncursesw6 @ 6.2-0ubuntu2
│ │ ├─ python3.8/libpython3.8-minimal @ 3.8.10-0ubuntu1~20.04.8
│ │ ├─ readline/libreadline8 @ 8.0-4
│ │ │ └─ readline/readline-common @ 8.0-4
│ │ ├─ sqlite3/libsqlite3-0 @ 3.31.1-4ubuntu0.5
│ │ └─ util-linux/libuuid1 @ 2.34-0.1ubuntu9.3
│ └─ python3.8/python3.8-minimal @ 3.8.10-0ubuntu1~20.04.8
│ ├─ expat/libexpat1 @ 2.2.9-1ubuntu0.6
│ └─ python3.8/libpython3.8-minimal @ 3.8.10-0ubuntu1~20.04.8
│ └─ openssl/libssl1.1 @ 1.1.1f-1ubuntu2.19
├─ python3.8/libpython3.8 @ 3.8.10-0ubuntu1~20.04.8
├─ python3.8/libpython3.8-dev @ 3.8.10-0ubuntu1~20.04.8
├─ python3.8/python3.8-dev @ 3.8.10-0ubuntu1~20.04.8
├─ sed @ 4.7-1
├─ sensible-utils @ 0.0.12+nmu1
├─ shadow/login @ 1:4.8.1-1ubuntu5.20.04.4
│ ├─ pam/libpam-modules @ 1.3.1-5ubuntu4.6
│ ├─ pam/libpam-runtime @ 1.3.1-5ubuntu4.6
│ └─ pam/libpam0g @ 1.3.1-5ubuntu4.6
├─ shadow/passwd @ 1:4.8.1-1ubuntu5.20.04.4
├─ systemd/libsystemd0 @ 245.4-4ubuntu3.21
├─ systemd/libudev1 @ 245.4-4ubuntu3.21
├─ sysvinit/sysvinit-utils @ 2.96-2.1ubuntu1
│ ├─ init-system-helpers @ 1.57
│ ├─ lsb/lsb-base @ 11.1.0ubuntu2
│ └─ util-linux @ 2.34-0.1ubuntu9.3
├─ ubuntu-keyring @ 2020.02.11.4
├─ util-linux @ 2.34-0.1ubuntu9.3
├─ util-linux/bsdutils @ 1:2.34-0.1ubuntu9.3
│ └─ systemd/libsystemd0 @ 245.4-4ubuntu3.21
├─ util-linux/fdisk @ 2.34-0.1ubuntu9.3
│ ├─ ncurses/libncursesw6 @ 6.2-0ubuntu2
│ ├─ util-linux/libfdisk1 @ 2.34-0.1ubuntu9.3
│ │ ├─ util-linux/libblkid1 @ 2.34-0.1ubuntu9.3
│ │ └─ util-linux/libuuid1 @ 2.34-0.1ubuntu9.3
│ ├─ util-linux/libmount1 @ 2.34-0.1ubuntu9.3
│ │ └─ util-linux/libblkid1 @ 2.34-0.1ubuntu9.3
│ └─ util-linux/libsmartcols1 @ 2.34-0.1ubuntu9.3
├─ util-linux/libblkid1 @ 2.34-0.1ubuntu9.3
├─ util-linux/libfdisk1 @ 2.34-0.1ubuntu9.3
├─ util-linux/libmount1 @ 2.34-0.1ubuntu9.3
├─ util-linux/libsmartcols1 @ 2.34-0.1ubuntu9.3
├─ util-linux/libuuid1 @ 2.34-0.1ubuntu9.3
├─ util-linux/mount @ 2.34-0.1ubuntu9.3
│ ├─ util-linux @ 2.34-0.1ubuntu9.3
│ │ ├─ pam/libpam0g @ 1.3.1-5ubuntu4.6
│ │ ├─ shadow/login @ 1:4.8.1-1ubuntu5.20.04.4
│ │ ├─ systemd/libsystemd0 @ 245.4-4ubuntu3.21
│ │ ├─ systemd/libudev1 @ 245.4-4ubuntu3.21
│ │ ├─ util-linux/libblkid1 @ 2.34-0.1ubuntu9.3
│ │ ├─ util-linux/libmount1 @ 2.34-0.1ubuntu9.3
│ │ ├─ util-linux/libsmartcols1 @ 2.34-0.1ubuntu9.3
│ │ └─ util-linux/libuuid1 @ 2.34-0.1ubuntu9.3
│ ├─ util-linux/libblkid1 @ 2.34-0.1ubuntu9.3
│ ├─ util-linux/libmount1 @ 2.34-0.1ubuntu9.3
│ └─ util-linux/libsmartcols1 @ 2.34-0.1ubuntu9.3
├─ xz-utils @ 5.2.4-1ubuntu1.1
└─ zlib/zlib1g-dev @ 1:1.2.11.dfsg-2ubuntu1.5
Can you ensure that none of these dependencies will introduce vulnerabilities into your software?
Dependency and vulnerability scanning
Tools for dependency and vulnerability scanning have existed for quite some time, including open-source and premium options. For instance, GitHub's Dependabot conducts regular vulnerability checks and suggests safer updates automatically. Similarly, WhiteSource identifies open-source vulnerabilities in real time and offers license compliance and governance tools. Docker, realizing the importance of such features, partnered with Snyk in late 2020 to enable Docker image vulnerability scanning via the docker scan command. However, this feature was retired in favor of the new Docker Scout.
Transitioning from Scanning to Scouting
Before diving into Docker's latest offering, it's worth revisiting the previously introduced feature to understand how it has evolved. The feature in question relies on Snyk, a cybersecurity firm based in Boston that has developed its security platform. Snyk's vulnerability database is continually updated with data from various sources, including the National Vulnerability Database (NVD) and the company's research.
Using this feature requires Docker's consent to utilize Snyk. The first time you trigger the docker scan command, you will be asked to grant that consent.
$ docker scan
Docker Scan relies upon access to Snyk, a third party provider, do you consent to proceed using Snyk? (y/N)
Once consent is given, Docker will download the Snyk image onto your machine, which is then executed during the Docker scan process.
gtrekter@vm-uks-01:~$ sudo docker image ls -a
REPOSITORY TAG IMAGE ID CREATED SIZE
gtrekter/training 1.0 76b54e901ebd 3 hours ago 585MB
nginx <none> f9c14fe76d50 2 weeks ago 143MB
snyk/snyk <none> 4db3fcadc7e4 6 months ago 213MB
However, because this image requires a Snyk API token stored in an environment variable called SNYK_TOKEN, you must log into Docker Hub first.
$ docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: xxxxxxx
Password:
Login Succeeded
Afterward, you can initiate the scan, and Docker will execute a new container using the Snyk image, passing an environment variable called SNYK_DOCKER_TOKEN for Snyk's use.
The output is the streamlined results provided by Snyk.
$ sudo docker scan gtrekter/training:1.0
Testing gtrekter/training:1.0...
✗ Low severity vulnerability found in systemd/libsystemd0
Description: CVE-2023-26604
Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-SYSTEMD-3339226
Introduced through: systemd/[email protected], [email protected], procps/libprocps8@2:3.3.16-1ubuntu2.3, util-linux/bsdutils@1:2.34-0.1ubuntu9.3, util-linux/[email protected], systemd/[email protected]
From: systemd/[email protected]
From: [email protected] > systemd/[email protected]
From: procps/libprocps8@2:3.3.16-1ubuntu2.3 > systemd/[email protected]
and 6 more...
Image layer: Introduced by your base image (ubuntu:20.04)
✗ Medium severity vulnerability found in gcc-defaults/cpp
Description: Information Exposure
Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-GCCDEFAULTS-584255
Introduced through: gcc-defaults/cpp@4:9.3.0-1ubuntu2, [email protected], gcc-defaults/gcc@4:9.3.0-1ubuntu2, gcc-defaults/g++@4:9.3.0-1ubuntu2
From: gcc-defaults/cpp@4:9.3.0-1ubuntu2
From: [email protected] > gcc-defaults/g++@4:9.3.0-1ubuntu2 > gcc-defaults/cpp@4:9.3.0-1ubuntu2
From: [email protected] > gcc-defaults/gcc@4:9.3.0-1ubuntu2 > gcc-defaults/cpp@4:9.3.0-1ubuntu2
and 5 more...
Image layer: Introduced by your base image (ubuntu:20.04)
✗ Medium severity vulnerability found in gcc-9
Description: Information Exposure
Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-GCC9-584247
Introduced through: [email protected]~20.04.1, [email protected], gcc-9/[email protected]~20.04.1, gcc-9/[email protected]~20.04.1, gcc-9/[email protected]~20.04.1, gcc-9/[email protected]~20.04.1, gcc-9/[email protected]~20.04.1, gcc-9/[email protected]~20.04.1
From: [email protected]~20.04.1
From: [email protected] > gcc-defaults/g++@4:9.3.0-1ubuntu2 > [email protected]~20.04.1
From: [email protected] > gcc-defaults/gcc@4:9.3.0-1ubuntu2 > [email protected]~20.04.1
and 20 more...
Image layer: Introduced by your base image (ubuntu:20.04)
Package manager: deb
Project name: docker-image|gtrekter/training
Docker image: gtrekter/training:1.0
Platform: linux/amd64
Base image: ubuntu:20.04
Tested 206 dependencies for known vulnerabilities, found 3 vulnerabilities.
According to our scan, you are currently using the most secure version of the selected base image
For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVc
However, a significant drawback was tied to the licensing. The collaboration with Snyk limited the feature to just 100 scans per month, unless the user had a premium account. This limitation likely contributed to Docker's decision to create its own proprietary Vulnerability Database, leading to the introduction of Docker Scout in version 4.17.0 (released on February 27, 2023), and the subsequent retirement of the Docker scan feature.
Docker Scout
Unlike its predecessor, docker scout doesn't use third-party software and won't request consent or pull additional images.
At the time of this writing, Docker Scout it's still in early access, and to be able to use it, we will need to install its plugin by executing these instructions:
$ curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
$ sh install-scout.sh
If we inspect the shell script, we will see that it will download a zip file according to the OS and architecture from the docker official GitHub repository.
PROJECT_NAME="docker-scout"
OWNER=docker
REPO="scout-cli"
GITHUB_DOWNLOAD_PREFIX=https://github.com/${OWNER}/${REPO}/releases/download
INSTALL_SH_BASE_URL=https://raw.githubusercontent.com/${OWNER}/${REPO}
....
version=$(tag_to_version "${tag}")
os=$(uname_os)
arch=$(uname_arch)
format=$(get_format_name "${os}" "${arch}" "tar.gz")
binary=$(get_binary_name "${os}" "${arch}" "${BINARY}")
download_url="${GITHUB_DOWNLOAD_PREFIX}/${tag}"
...
download_and_install_asset "${download_url}" "${download_dir}" "${install_dir}" "${PROJECT_NAME}" "${os}" "${arch}" "${version}" "${format}" "${binary}"
Once we have installed the plugin, we can run the command CVEs to scan and output all vulnerabilities in the image.
gtrekter@vm-uks-01:~$ docker scout cves gtrekter/training:1.0
✓ Pulled
✓ SBOM of image already cached, 276 packages indexed
✗ Detected 9 vulnerable packages with a total of 10 vulnerabilities
0C 1H 0M 0L wheel 0.34.2
pkg:pypi/[email protected]
✗ HIGH CVE-2022-40898
https://dso.docker.com/cve/CVE-2022-40898
Affected range : <=0.37.1
Fixed version : 0.38.1
CVSS Score : 7.5
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0C 1H 0M 0L flask 1.1.2
pkg:pypi/[email protected]
✗ HIGH CVE-2023-30861 [Use of Persistent Cookies Containing Sensitive Information]
https://dso.docker.com/cve/CVE-2023-30861
Affected range : <2.2.5
Fixed version : 2.2.5
CVSS Score : 7.5
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0C 0H 1M 0L setuptools 45.2.0
pkg:pypi/[email protected]
✗ MEDIUM CVE-2022-40897
https://dso.docker.com/cve/CVE-2022-40897
Affected range : <65.5.1
Fixed version : 65.5.1
CVSS Score : 5.9
CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
0C 0H 1M 0L pip 20.0.2
pkg:pypi/[email protected]
✗ MEDIUM CVE-2021-3572
https://dso.docker.com/cve/CVE-2021-3572
Affected range : <21.1
Fixed version : 21.1
CVSS Score : 5.7
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
0C 0H 1M 0L python3.8 3.8.10-0ubuntu1~20.04.8
pkg:deb/ubuntu/[email protected]~20.04.8?os_distro=focal&os_name=ubuntu&os_version=20.04
✗ MEDIUM CVE-2023-27043 [Improper Input Validation]
https://dso.docker.com/cve/CVE-2023-27043
Affected range : >=0
Fixed version : not fixed
CVSS Score : 5.3
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
0C 0H 1M 0L numpy 1.19.2
pkg:pypi/[email protected]
✗ MEDIUM CVE-2021-34141 [Incorrect Comparison]
https://dso.docker.com/cve/CVE-2021-34141
Affected range : <1.22
Fixed version : 1.22
CVSS Score : 5.3
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
0C 0H 0M 2L shadow 1:4.8.1-1ubuntu5.20.04.4
pkg:deb/ubuntu/shadow@1:4.8.1-1ubuntu5.20.04.4?os_distro=focal&os_name=ubuntu&os_version=20.04
✗ LOW CVE-2013-4235 [Time-of-check Time-of-use (TOCTOU) Race Condition]
https://dso.docker.com/cve/CVE-2013-4235
Affected range : >=0
Fixed version : not fixed
CVSS Score : 4.7
CVSS Vector : CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
✗ LOW CVE-2023-29383 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')]
https://dso.docker.com/cve/CVE-2023-29383
Affected range : >=0
Fixed version : not fixed
CVSS Score : 3.3
CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
0C 0H 0M 1L pcre3 2:8.39-12ubuntu0.1
pkg:deb/ubuntu/pcre3@2:8.39-12ubuntu0.1?os_distro=focal&os_name=ubuntu&os_version=20.04
✗ LOW CVE-2017-11164 [Uncontrolled Recursion]
https://dso.docker.com/cve/CVE-2017-11164
Affected range : >=0
Fixed version : not fixed
CVSS Score : 7.5
CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0C 0H 0M 1L glibc 2.31-0ubuntu9.9
pkg:deb/ubuntu/[email protected]?os_distro=focal&os_name=ubuntu&os_version=20.04
✗ LOW CVE-2016-20013 [Allocation of Resources Without Limits or Throttling]
https://dso.docker.com/cve/CVE-2016-20013
Affected range : >=0
Fixed version : not fixed
CVSS Score : 7.5
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
10 vulnerabilities found in 9 packages
LOW 4
MEDIUM 4
HIGH 2
CRITICAL 0
What's Next?
Know more about base image update recommendations → docker scout recommendations gtrekter/training:1.0
In this case, the output, instead of prompting a link to the Snyk Vulnerability Database, will redirect us to the Docker Image Vulnerability Database, which will contain the following:
- References to the National Vulnerability Database (NVD).
- A description of the vulnerability.
- A list of packages containing the vulnerability and links to possible exploits.
- A list of possible remediations
Default integration with Docker Hub
By moving the feature internally and not relying on third-party software, Docker was able to develop a strong integration with Docker Hub. By activating Advanced image analysis for a specific repository, you can make Docker Scout automatically analyze the image when you push to that repository. To enable Advanced image analysis, we have to:
- Browse and log into Docker Hub.
- Click Repositories and select the repository you want to allow the Advanced image analysis.
- Click Setting and select Advanced image analysis provided by Docker Scout.
- Click Save.
From this moment, every time we push an image to this repository, Docker Scout will analyze the image and publish the results in a readable on Docker Hub. The results will be associated with the tag that triggered the scan, and an overview will be visible on the Tags page.
To see the details of each vulnerability, we can click either the tag's name or any image details (digest, OS, vulnerability overview, last pull, or compressed size). This link will redirect us to the image details, listing all the vulnerabilities and allowing us to easily see the relationships between vulnerabilities and layers.
Wrapping Up
Docker Scout provides a unified view of the software supply chain, significantly enhancing visibility and control over security. With its unique ability to break down dependencies layer-by-layer, it not only identifies potential vulnerabilities but also recommends remediations. This integrated approach streamlines the process of maintaining security in the intricate web of dependencies within containerized applications.
Moreover, the future looks even more promising. After a quick chat with the Docker product designer, it has been revealed that Docker Scout will soon allow organizations to create custom policies to evaluate artifacts in your SDLC against your own set of standards. This forthcoming feature promises to add another layer of personalization and security, further strengthening Docker Scout's position as a crucial tool in software supply chain management.
References