Virtualization enables the information and communications technology industry to manage computing resources more effectively. Improvements in virtualization approaches, together with the need for a consistent runtime environment, lower overhead and a smaller package size, have led to the growing adoption of containers: a technology that packages an application, its dependencies and the operating system (OS) packages it depends on so that it runs as an isolated unit. The pressing concern with containers, however, is their susceptibility to security attacks, and a number of container scanning tools are available for detecting vulnerabilities in container images. In this study, we investigate the quality of existing container scanning tools by proposing two metrics that reflect coverage and accuracy. We analyze 59 popular public container images for Java applications hosted on DockerHub using different container scanning tools (Clair, Anchore and Microscanner). Our findings show that the existing container scanning approach does not detect vulnerabilities in application packages (the Java libraries bundled in the image). Furthermore, the existing tools are not highly accurate: even the best-performing tool misses 34% of the vulnerabilities. Finally, we also characterize the quality of Docker images for Java applications hosted on DockerHub by assessing the complete vulnerability landscape, i.e., the number of vulnerabilities detected in the images.
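The abstract names two metrics, coverage and accuracy, but does not define them. The following added example (it is not code from the paper, and the metric definitions are this editor's assumptions, not the authors') shows one reasonable way to score scanners against a reference set of known vulnerabilities: coverage as the fraction of reference vulnerabilities a scanner reports, miss rate as its complement, precision as the fraction of reported findings that are genuine, and coverage split by the layer the vulnerable package lives in (distro OS package versus Java library bundled in the image). The scanner names, image names and vulnerability IDs are constructed placeholders, not real CVE identifiers or real Clair/Anchore/Microscanner output; the sample is built so that no scanner reports any application-layer finding, mirroring the blind spot the abstract describes.

```python
from collections import defaultdict
from fractions import Fraction
from typing import Dict, Set

# Constructed sample data (not from the paper). Vulnerability IDs are
# placeholders, not real CVE identifiers; scanner names are hypothetical.
# REFERENCE maps each image to its known vulnerabilities and the layer of
# the vulnerable package: "os" (distro package) or "app" (bundled Java library).
REFERENCE: Dict[str, Dict[str, str]] = {
    "java-app-a": {"v01": "os", "v02": "os", "v03": "os", "v04": "app", "v05": "app"},
    "java-app-b": {"v10": "os", "v11": "os", "v12": "app"},
}

# REPORTS maps image -> scanner -> IDs that scanner reported.
# "v99" is a constructed false positive present in no reference set.
REPORTS: Dict[str, Dict[str, Set[str]]] = {
    "java-app-a": {
        "scanner-x": {"v01", "v02", "v03"},
        "scanner-y": {"v02", "v03", "v99"},
        "scanner-z": {"v01"},
    },
    "java-app-b": {
        "scanner-x": {"v10", "v11"},
        "scanner-y": {"v10", "v11"},
        "scanner-z": {"v10"},
    },
}


def evaluate(reference, reports):
    """Per scanner: coverage (true positives / reference size), miss rate,
    precision (true positives / reported findings) and coverage per layer.
    Exact fractions are used so results can be compared without rounding."""
    tp = defaultdict(int)
    reported = defaultdict(int)
    tp_layer = defaultdict(lambda: defaultdict(int))
    ref_total = 0
    ref_layer = defaultdict(int)
    for image, known in reference.items():
        ref_total += len(known)
        for layer in known.values():
            ref_layer[layer] += 1
        for scanner, found in reports.get(image, {}).items():
            reported[scanner] += len(found)
            for vid in found:
                if vid in known:  # a reported ID outside the reference is a false positive
                    tp[scanner] += 1
                    tp_layer[scanner][known[vid]] += 1
    results = {}
    for scanner in reported:
        cov = Fraction(tp[scanner], ref_total)
        results[scanner] = {
            "coverage": cov,
            "miss_rate": 1 - cov,
            "precision": Fraction(tp[scanner], reported[scanner]) if reported[scanner] else Fraction(0),
            "by_layer": {layer: Fraction(tp_layer[scanner][layer], n) for layer, n in ref_layer.items()},
        }
    return results


def best_scanner(results):
    """Scanner with the highest coverage, ties broken by precision."""
    return max(results, key=lambda s: (results[s]["coverage"], results[s]["precision"]))


def layers_never_detected(results):
    """Layers in which no scanner produced a single true positive: the
    systematic blind spot, as opposed to per-tool misses."""
    layers = {layer for r in results.values() for layer in r["by_layer"]}
    return sorted(layer for layer in layers
                  if all(r["by_layer"][layer] == 0 for r in results.values()))


if __name__ == "__main__":
    res = evaluate(REFERENCE, REPORTS)
    for scanner, r in sorted(res.items()):
        per_layer = {layer: float(v) for layer, v in r["by_layer"].items()}
        print(f"{scanner}: coverage={float(r['coverage']):.2f} "
              f"miss={float(r['miss_rate']):.2f} "
              f"precision={float(r['precision']):.2f} by_layer={per_layer}")
    print("best scanner:", best_scanner(res))
    print("layers no scanner detects:", layers_never_detected(res))
```

The per-layer split is the check that matters in practice: a scanner can score well on overall coverage while reporting nothing at all from the application layer, which is exactly the case an aggregate miss rate such as "34% missed" hides. Building the reference set from an independent source (e.g., a manual audit of the JARs in the image) rather than from the union of scanner output is what makes that blind spot visible; a union-based reference would, by construction, contain only what some scanner already finds.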