Trivy - Container vulnerability scanning

Teppei Fukuda
September 05, 2019

Slides presented at Docker Meetup Tokyo #32.

Transcript

  1. Trivy - Container vulnerability scanning
    Teppei Fukuda (@knqyf263)
    Open Source Engineer, Open Source Team
    Docker Meetup Tokyo #32
    5 September 2019
    © 2019 Aqua Security Software Ltd., All Rights Reserved

  2. (no text on this slide)

  3. Software vulnerabilities

  4. Vulnerabilities
    ● Known vulnerabilities
      ● Vulnerability ID assigned
      ● e.g. CVE-ID
    ● Unknown vulnerabilities
      ● Non-disclosure
    (Diagram: Known Vulnerabilities vs. Unknown Vulnerabilities. Designed by vvstudio / Freepik)

  5. Vulnerabilities
    ● Known vulnerabilities
      ● Scanners identifying components with known vulnerabilities
      ● e.g. Trivy, Clair, Aqua Scanner
    ● Unknown vulnerabilities
      ● Web application vulnerability scanners, fuzzing tools
      ● e.g. OWASP ZAP, OSS-Fuzz
    (Diagram: Known Vulnerabilities vs. Unknown Vulnerabilities; "Target" marks known vulnerabilities. Designed by vvstudio / Freepik)

  6. Vulnerabilities
    ● Your vulnerabilities
      ● Software written by you
    ● 3rd party vulnerabilities
      ● Well-known software
      ● e.g. OpenSSL, Nginx
    (Diagram: Your Vulnerabilities vs. 3rd Party Vulnerabilities; "Target" marks 3rd party vulnerabilities. Designed by vvstudio / Freepik)

  7. Common Vulnerabilities & Exposures

  8. (no text on this slide)

  9. Heartbleed

  10. Containers, images and vulnerabilities
    (Diagram: image registry → image → running containers)

  11. (no text on this slide)

  12. Image vulnerability scanning
    ● Identify the packages & versions in the image
    ● Cross-reference them with a vulnerability database
    Sounds easy!

  13. Linux, distributions & container images

  14. Linux distributions
    ● The Linux kernel is a thing
    ● And then there are distributions: kernel +
      • shell
      • init system
      • package manager
      • GUI
      • …

  15. Linux distributions
                            | Debian                    | Ubuntu                    | OpenSUSE                | Alpine                     | Arch Linux
    Default GUI             | GNOME                     | GNOME (prev. Unity)       | KDE                     | None                       | None
    Default Shell           | dash                      | bash                      | bash                    | busybox sh                 | bash
    Default Editor          | nano                      | vim                       | vim                     | busybox vi                 | vim
    Default Init System     | systemd (prev. SysV)      | systemd (prev. Upstart)   | systemd (prev. SysV)    | busybox init               | systemd (prev. SysV)
    Default Package Manager | deb                       | deb                       | rpm                     | apk                        | pacman
    Release Model           | Fixed, infrequent updates | Fixed, infrequent updates | Fixed, frequent updates | Fixed, relatively frequent | Rolling, constant updates

  16. Container images
    (Diagram: three images, each with a different set of top-level directories)
    Image 1: /bin /lib /usr /opt /var
    Image 2: /bin /lib /usr /var
    Image 3: /bin /opt /usr /var

  17. Linux & software packages

  18. How does software get into a Linux distribution?
    Upstream: 3rd-party developers write source
    Distribution:
      ■ Enable / disable features
      ■ Link with libraries
      ■ Re-package
      ■ Fix bugs that aren't in upstream
      ■ Apply security patches
    (Flow: Upstream → Distribution → Compiled & packaged → Package repository (binary distribution))

  19. Case study: Debian - focus on stability
    ● New versions may take months to reach the package repositories
    ● Often you don't want to update to the latest version just to pick up an upstream fix for a security vulnerability
    ● Debian often backports security fixes to older versions and repackages them

  20. Case study: Debian / CVE-2017-8807
    ● NVD reports this in Varnish HTTP Cache versions 4.0.0 - 5.2.0

  21. Debian applied the patch to 5.0.0

  22. (no text on this slide)

  23. Case study: Alpine / busybox 1.27.2

  24. Case study: Alpine / busybox 1.27.2
    (Screenshot annotations: patches for the known vulnerabilities; other patches not known to NVD)

  25. Not all scanners are created equal
    Information sources / advisories
      • NVD
      • Distributions
      • Vendors
      • (Commercial DBs)
    Scanning techniques
      • Layer-by-layer or whole image
    Detection techniques
      • Version comparison
      • Hash comparison
    Functionality
      • Malware
      • File scanning
      • Windows

  26. Trivy

  27. Features
    ● Comprehensive vulnerability detection
    ● Simple
    ● Easy installation
    ● High accuracy
    ● DevSecOps
    https://github.com/aquasecurity/trivy

  28. Simple
    Run:
    $ trivy [YOUR_IMAGE_NAME]

  29. (no text on this slide)

  30. How does software get into a server?
    01 System package manager, e.g. yum/apt (supported)
    02 Application package manager, e.g. npm, bundler (supported)
    03 Self-installation, e.g. make

  31. Architecture
    Security advisory: (1) fetch & commit daily → https://github.com/aquasecurity/vuln-list → (2) clone or pull
    Container registry: (3) fetch images (layer tar files) → (4) apply layers → (5) extract files → (6) identify the packages & versions → (7) version comparison

  32. Architecture, step (1): fetch & commit security advisories daily (https://github.com/aquasecurity/vuln-list)

  33. Security advisory
    ● Fetch and commit security advisories daily
    ● Cron jobs on Travis CI
    ● Pros:
      ● Stability: some APIs often return 500
      ● Fetch only the difference
      ● History, e.g. CVSS score updates
    https://github.com/aquasecurity/vuln-list

  34. Alpine Linux
    ● No security advisory
    ● Crawl all issues with the Security label
      ● https://gitlab.alpinelinux.org/alpine/aports/issues?scope=all&label_name[]=Security
    ● Check for differences (git diff)
    Discussing with developers

  35. Architecture, step (3): fetch images from the container registry (layer tar files)

  36. Fetch images
    ● Dockerless mode
      ● Download layers from container registries directly via HTTP(S)
    ● Docker mode
      ● When dockerd is installed
      ● Communicate with the Docker daemon
    (Diagram: Trivy → container registry over HTTP(S); Trivy → dockerd over HTTP)

  37. Authentication
    https://docs.docker.com/registry/spec/auth/token/

  38. Architecture, step (4): apply layers

  39. Apply layers
    (Diagram: per-layer file sets (File1, File2, File3, File4) applied in order into one filesystem view)

  40. Architecture, step (5): extract files

  41. Extract required files
    /app/Gemfile.lock (application dependencies)
    /bin/ls
    /var/lib/dpkg/status (OS packages)
    /etc/hosts
    /var/log/message
    https://github.com/aquasecurity/fanal

  42. Architecture, step (6): identify the packages & versions

  43. List installed packages (Debian/Ubuntu)
    $ cat /var/lib/dpkg/status

    Package: sed
    Essential: yes
    Status: install ok installed
    Priority: required
    Section: utils
    Installed-Size: 304
    Architecture: amd64
    Multi-Arch: foreign
    Version: 4.2.2-7
    Depends: dpkg (>= 1.15.4) | install-info
    Pre-Depends: libc6 (>= 2.14), libselinux1 (>= 1.32)
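Turning this file into a package list is the identification step of the slide. The following is an added Go example, not Trivy's or fanal's code, that parses a constructed dpkg status excerpt into name, version and source package, skipping stanzas that are not actually installed; the Source field is kept because Debian advisories are keyed by source package rather than binary package.

```go
package main

import "strings"

// Package is one installed package; Debian advisories are keyed by Source, not Name.
type Package struct{ Name, Version, Source string }

// SampleStatus is a constructed status-file excerpt: an installed package, one
// built from a differently named source package, and a removed one to ignore.
const SampleStatus = `Package: sed
Status: install ok installed
Version: 4.2.2-7
Description: GNU stream editor
 Multi-line fields continue on indented lines.

Package: libssl1.1
Status: install ok installed
Source: openssl (1.1.1-1)
Version: 1.1.1-1

Package: oldtool
Status: deinstall ok config-files
Version: 0.1-1
`

// ParseDpkgStatus splits the file into blank-line-separated stanzas of
// "Key: value" fields and keeps only those with Status "install ok installed".
func ParseDpkgStatus(status string) []Package {
	var pkgs []Package
	for _, stanza := range strings.Split(status, "\n\n") {
		fields := map[string]string{}
		for _, line := range strings.Split(stanza, "\n") {
			if line == "" || line[0] == ' ' || line[0] == '\t' {
				continue // continuation of a multi-line field; not needed here
			}
			if i := strings.IndexByte(line, ':'); i >= 0 {
				fields[line[:i]] = strings.TrimSpace(line[i+1:])
			}
		}
		if fields["Status"] != "install ok installed" || fields["Package"] == "" {
			continue // removed, half-installed or unconfigured stanzas
		}
		src := fields["Package"]
		if f := strings.Fields(fields["Source"]); len(f) > 0 {
			src = f[0] // "Source: openssl (1.1.1-1)" carries a version; keep the name
		}
		pkgs = append(pkgs, Package{fields["Package"], fields["Version"], src})
	}
	return pkgs
}
```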

  44. List installed libraries (Bundler)
    $ cat /app/Gemfile.lock

    GEM
      remote: https://rubygems.org/
      specs:
        actioncable (5.2.3)
          actionpack (= 5.2.3)
          nio4r (~> 2.0)
          websocket-driver (>= 0.6.1)

  45. Architecture, step (7): version comparison

  46. Version comparison
    Easy?

  47. Version comparison
    Installed: 3.6.20-1.ab1
    Affected version: < 3.6.20-1.2
    Vulnerable?
    https://github.com/knqyf263/go-rpm-version
    https://github.com/knqyf263/go-deb-version
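The slide's question can be settled by running dpkg's own ordering rules. Below is an added Go port of those rules (not Trivy's code, nor the go-deb-version library linked above): epoch, upstream and Debian revision are compared in turn; within each, runs of non-digits are compared lexically with '~' sorting lowest and letters before other characters, and runs of digits numerically.

```go
package main

import "strings"

// order is dpkg's lexical weight: '~' < end of string (0) < letters < others.
func isDigit(c byte) bool { return c >= '0' && c <= '9' }

func order(c byte) int {
	if c == '~' { return -1 }
	if c == 0 || isDigit(c) { return 0 }
	if c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' { return int(c) }
	return int(c) + 256
}

// verrevcmp compares one part the dpkg way: non-digit runs lexically, digit runs numerically.
func verrevcmp(a, b string) int {
	a, b = a+"\x00", b+"\x00" // NUL sentinel, mirroring the C original
	for i, j := 0, 0; a[i] != 0 || b[j] != 0; {
		for (a[i] != 0 && !isDigit(a[i])) || (b[j] != 0 && !isDigit(b[j])) {
			if d := order(a[i]) - order(b[j]); d != 0 { return d }
			i, j = i+1, j+1
		}
		for a[i] == '0' { i++ } // leading zeros are insignificant
		for b[j] == '0' { j++ }
		na, nb := i, j
		for isDigit(a[i]) { i++ }
		for isDigit(b[j]) { j++ }
		if d := (i - na) - (j - nb); d != 0 { return d } // more digits wins
		if d := strings.Compare(a[na:i], b[nb:j]); d != 0 { return d }
	}
	return 0
}

// split breaks [epoch:]upstream[-revision] into three parts; a missing epoch
// or revision is "", which verrevcmp ranks like 0.
func split(v string) (p [3]string) {
	if i := strings.Index(v, ":"); i >= 0 { p[0], v = v[:i], v[i+1:] }
	if i := strings.LastIndex(v, "-"); i >= 0 { v, p[2] = v[:i], v[i+1:] }
	p[1] = v
	return p
}

// Compare returns <0, 0 or >0 like dpkg --compare-versions; an installed
// package is vulnerable when Compare(installed, fixedIn) < 0.
func Compare(a, b string) int {
	pa, pb := split(a), split(b)
	for k := range pa {
		if d := verrevcmp(pa[k], pb[k]); d != 0 { return d }
	}
	return 0
}
```

For the slide's pair, the revision "1.ab1" sorts after "1.2" because the letter run is compared before the digit "2" is reached, so the installed package is newer than the fixed version and is not reported as vulnerable.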

  48. Results
    ● Table
    ● JSON
    ● (HTML)
    ● (XML)

  49. Future works
    ● Support Harbor
    ● Server-client mode
    ● Support Redis
    ● Reduce cache size
    ● Support new OSes (Amazon Linux, Arch Linux, etc.)
    ● Embed into Dockerfile
    ● CircleCI Orbs / Jenkins plugin

  50. Thank you for your attention
    https://github.com/aquasecurity/trivy