Trivy - Container vulnerability scanning

Teppei Fukuda
September 05, 2019


Slides presented at Docker Meetup Tokyo #32.



Transcript

  1. Trivy - Container vulnerability scanning. Docker Meetup Tokyo #32, 5 September 2019. Teppei Fukuda (@knqyf263), Open Source Engineer, Open Source Team. © 2019 Aqua Security Software Ltd., All Rights Reserved
  2. (image only)
  3. Software vulnerabilities
  4. Vulnerabilities: known vs. unknown
     • Known vulnerabilities: a vulnerability ID has been assigned, e.g. a CVE-ID
     • Unknown vulnerabilities: not disclosed
     (Figure designed by vvstudio / Freepik)
  5. Vulnerabilities: known vs. unknown, and the tools that target each
     • Known vulnerabilities: scanners that identify components with known vulnerabilities, e.g. Trivy, Clair, Aqua Scanner (target of this talk)
     • Unknown vulnerabilities: web application vulnerability scanners and fuzzing tools, e.g. OWASP ZAP, OSS-Fuzz
     (Figure designed by vvstudio / Freepik)
  6. Vulnerabilities: yours vs. 3rd party
     • Your vulnerabilities: software written by you
     • 3rd party vulnerabilities: well-known software, e.g. OpenSSL, Nginx (target of this talk)
     (Figure designed by vvstudio / Freepik)
  7. Common Vulnerabilities & Exposures
  8. (image only)
  9. Heartbleed
  10. Containers, images and vulnerabilities (figure: image registry → image → running containers)
  11. (image only)
  12. Image vulnerability scanning
      • Identify the packages & versions in the image
      • Cross-reference with a vulnerability database
      Sounds easy!
  13. Linux, distributions & container images
  14. Linux distributions
      • The Linux kernel is a thing
      • And then there are distributions: kernel + shell, init system, package manager, GUI, …
  15. Linux distributions
      Property                 Debian                     Ubuntu                     OpenSUSE                  Alpine                      Arch Linux
      Default GUI              GNOME                      GNOME (prev. Unity)        KDE                       None                        None
      Default Shell            dash                       bash                       bash                      busybox sh                  bash
      Default Editor           nano                       vim                        vim                       busybox vi                  vim
      Default Init System      systemd (prev. SysV)       systemd (prev. Upstart)    systemd (prev. SysV)      busybox init                systemd (prev. SysV)
      Default Package Manager  deb                        deb                        rpm                       apk                         pacman
      Release Model            Fixed, infrequent updates  Fixed, infrequent updates  Fixed, frequent updates   Fixed, relatively frequent  Rolling, constant updates
  16. Container images (figure: three container images, each with a different set of top-level directories such as /bin, /lib, /usr, /opt, /var)
  17. Linux & software packages
  18. How does software get into a Linux distribution?
      Upstream: 3rd-party developers write source
      Distribution: ▪ Enable / disable features ▪ Link with libraries ▪ Re-package ▪ Fix bugs that aren't in upstream ▪ Apply security patches
      Compiled & packaged → package repository → binary distribution
  19. Case study: Debian - focus on stability
      • New versions may take months to reach the package repositories
      • Often don't want to update to the latest version for an upstream fix to a security vulnerability
      • Debian often backports security fixes to older versions and repackages them
  20. Case study: Debian / CVE-2017-8807
      • NVD reports this in Varnish HTTP Cache versions 4.0.0 - 5.2.0
  21. Debian applied the patch to 5.0.0
  22. (image only)
  23. Case study: Alpine / busybox 1.27.2
  24. Case study: Alpine / busybox 1.27.2 (figure: the package's patch set, split into patches for the known vulnerabilities and other patches not known to NVD)
  25. Not all scanners are created equal
      • Information sources / advisories: NVD, distributions, vendors, (commercial DBs)
      • Scanning techniques: layer-by-layer or whole image
      • Detection techniques: version comparison, hash comparison
      • Functionality: malware, file scanning, Windows
  26. Trivy
  27. Features (https://github.com/aquasecurity/trivy)
      • Detect comprehensive vulnerabilities
      • Simple
      • Easy installation
      • High accuracy
      • DevSecOps
  28. Simple to run: $ trivy [YOUR_IMAGE_NAME]
  29. (no transcript text)
  30. How does software get into a server?
      01 System package manager, e.g. yum/apt (supported)
      02 Application package manager, e.g. npm, bundler (supported)
      03 Self-installation, e.g. make
  31. Architecture
      ① Fetch & commit security advisories once a day → https://github.com/aquasecurity/vuln-list
      ② Clone or pull vuln-list
      ③ Fetch images (layer tar files) from the container registry
      ④ Apply layers
      ⑤ Extract files
      ⑥ Identify the packages & versions
      ⑦ Version comparison
  32. Architecture, step ① highlighted: fetch & commit security advisories once a day to https://github.com/aquasecurity/vuln-list
  33. Security advisory (https://github.com/aquasecurity/vuln-list)
      • Fetch and commit security advisories daily
      • Cron jobs on Travis CI
      • Pros:
        • Stability: some APIs often return 500
        • Fetch only the difference
        • History, e.g. CVSS score updates
  34. Alpine Linux
      • No security advisory
      • Crawl all issues with the Security label: https://gitlab.alpinelinux.org/alpine/aports/issues?scope=all&label_name[]=Security
      • Check for differences (git diff)
      • Discussing with developers
  35. Architecture, step ③ highlighted: fetch images (layer tar files) from the container registry
  36. Fetch images
      • Dockerless mode: download layers from container registries directly via HTTP(S)
      • Docker mode: when dockerd is installed, communicate with the Docker daemon
      (figure: HTTP(S) to the container registry, HTTP to dockerd)
  37. Authentication: registry token authentication, https://docs.docker.com/registry/spec/auth/token/
  38. Architecture, step ④ highlighted: apply layers
  39. Apply layers (figure: the files of each layer, File1 to File4, combined into a single filesystem)
  40. Architecture, step ⑤ highlighted: extract files
  41. Extract required files (https://github.com/aquasecurity/fanal): of files such as /app/Gemfile.lock, /bin/ls, /var/lib/dpkg/status, /etc/hosts and /var/log/message, the scanner needs /var/lib/dpkg/status (OS packages) and /app/Gemfile.lock (application dependencies)
  42. Architecture, step ⑥ highlighted: identify the packages & versions
  43. List installed packages (Debian/Ubuntu)
      $ cat /var/lib/dpkg/status
      …
      Package: sed
      Essential: yes
      Status: install ok installed
      Priority: required
      Section: utils
      Installed-Size: 304
      Architecture: amd64
      Multi-Arch: foreign
      Version: 4.2.2-7
      Depends: dpkg (>= 1.15.4) | install-info
      Pre-Depends: libc6 (>= 2.14), libselinux1 (>= 1.32)
  44. List installed libraries (Bundler)
      $ cat /app/Gemfile.lock
      …
      GEM
        remote: https://rubygems.org/
        specs:
          actioncable (5.2.3)
            actionpack (= 5.2.3)
            nio4r (~> 2.0)
            websocket-driver (>= 0.6.1)
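As an added example (not from the slides, nor Trivy's or fanal's code), a minimal parser for the two file formats shown above. The Status field decides whether a dpkg stanza is really installed, and in Gemfile.lock only the 4-space-indented lines under specs: carry resolved gem versions; the deeper lines are dependency constraints that a naive scanner would misread as versions. Both inputs are constructed samples.

```python
import re

# Constructed sample of /var/lib/dpkg/status: one installed stanza, one removed package
DPKG_STATUS = """\
Package: sed
Status: install ok installed
Version: 4.2.2-7

Package: old-tool
Status: deinstall ok config-files
Version: 1.0-1
"""

# Constructed sample of a Gemfile.lock; lines indented under actioncable are constraints
GEMFILE_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    actioncable (5.2.3)
      actionpack (= 5.2.3)
      nio4r (~> 2.0)
    nio4r (2.3.1)

PLATFORMS
"""


def dpkg_installed(status: str) -> dict:
    """Map package -> version for stanzas whose Status says the files are installed."""
    found = {}
    for stanza in status.split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines()
                      if ": " in line and not line.startswith(" "))  # skip continuation lines
        if fields.get("Status", "").endswith(" installed"):
            found[fields["Package"]] = fields["Version"]
    return found


def gemfile_lock_gems(lock: str) -> dict:
    """Map gem -> resolved version from the specs: block (4-space indent only)."""
    gems, in_specs = {}, False
    for line in lock.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if not line.startswith(" "):      # a new top-level section (or blank line) ends specs:
            in_specs = False
        m = re.match(r"^ {4}(\S+) \(([^)]+)\)$", line)  # exactly 4 spaces: a resolved gem
        if in_specs and m:
            gems[m.group(1)] = m.group(2)
    return gems
```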
  45. Architecture, step ⑦ highlighted: version comparison
  46. Version comparison: easy?
  47. Version comparison: vulnerable?
      Installed: 3.6.20-1.ab1
      Affected version: < 3.6.20-1.2
      Which is greater (≶)? Comparison libraries: https://github.com/knqyf263/go-rpm-version, https://github.com/knqyf263/go-deb-version
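An added example (not Trivy's or go-deb-version's code) of the dpkg ordering rules behind the question on the slide: versions are [epoch:]upstream[-revision], each part is compared by alternating non-digit and digit runs, '~' sorts before everything and letters sort before other punctuation. On the slide's values, 3.6.20-1.ab1 sorts above 3.6.20-1.2 because the letter 'a' outranks the digit '2' in the non-digit pass, so a "< 3.6.20-1.2" range does not match the installed package.

```python
def _order(c: str) -> int:
    """dpkg sort weight of one character; '' stands for end of string."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":                # '~' sorts before everything, even the end of the string
        return -1
    return ord(c) + 256         # other punctuation sorts after letters

def _verrevcmp(a: str, b: str) -> int:
    """Compare one version part as dpkg does: a non-digit pass (weights from
    _order) alternating with a numeric pass (leading zeros dropped)."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            d = _order(a[:1]) - _order(b[:1])
            if d:
                return d
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        first = 0
        while a[:1].isdigit() and b[:1].isdigit():
            first = first or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1            # a has more digits left in this run, so it is larger
        if b[:1].isdigit():
            return -1
        if first:
            return first
    return 0

def _split(v: str):
    """[epoch:]upstream[-revision]; epoch defaults to 0, revision to ''."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_deb(a: str, b: str) -> int:
    """Negative if a < b, 0 if equal, positive if a > b (Debian policy ordering)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed version sorts below the advisory's fixed version."""
    return compare_deb(installed, fixed_in) < 0
```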
  48. Results: • Table • JSON • (HTML) • (XML)
  49. Future works
      • Support Harbor
      • Server-client mode
      • Support Redis
      • Reduce cache size
      • Support new OSes (Amazon Linux, Arch Linux, etc.)
      • Embed into Dockerfile
      • CircleCI Orbs / Jenkins plugin
  50. Thank you for your attention: https://github.com/aquasecurity/trivy