Slide 1

Trivy: Container vulnerability scanning
Teppei Fukuda (@knqyf263), Open Source Engineer, Open Source Team, Aqua Security
Docker Meetup Tokyo #32, 5 September 2019
© 2019 Aqua Security Software Ltd., All Rights Reserved

Slide 3

Software vulnerabilities

Slide 4

Vulnerabilities
● Known vulnerabilities
  ● A vulnerability ID has been assigned, e.g. a CVE-ID
● Unknown vulnerabilities
  ● Not disclosed
(Figure: known vulnerabilities vs. unknown vulnerabilities. Designed by vvstudio / Freepik)

Slide 5

Vulnerabilities
● Known vulnerabilities (Target)
  ● Scanners identifying components with known vulnerabilities
  ● e.g. Trivy, Clair, Aqua Scanner
● Unknown vulnerabilities
  ● Web application vulnerability scanners, fuzzing tools
  ● e.g. OWASP ZAP, OSS-Fuzz
(Figure: known vulnerabilities vs. unknown vulnerabilities. Designed by vvstudio / Freepik)

Slide 6

Vulnerabilities
● Your vulnerabilities
  ● Software written by you
● 3rd-party vulnerabilities (Target)
  ● Well-known software, e.g. OpenSSL, Nginx
(Figure: your vulnerabilities vs. 3rd-party vulnerabilities. Designed by vvstudio / Freepik)

Slide 7

Common Vulnerabilities & Exposures (CVE)

Slide 9

Heartbleed

Slide 10

Containers, images and vulnerabilities
(Figure: image registry, image, running containers)

Slide 12

Image vulnerability scanning
● Identify the packages & versions in the image
● Cross-reference them with a vulnerability database
Sounds easy!

Slide 13

Linux, distributions & container images

Slide 14

Linux distributions
● The Linux kernel is a thing
● And then there are distributions: kernel +
  • shell
  • init system
  • package manager
  • GUI
  • …

Slide 15

Linux distributions

|                         | Debian                    | Ubuntu                    | OpenSUSE                | Alpine                     | Arch Linux                |
|-------------------------|---------------------------|---------------------------|-------------------------|----------------------------|---------------------------|
| Default GUI             | GNOME                     | GNOME (prev. Unity)       | KDE                     | None                       | None                      |
| Default shell           | dash                      | bash                      | bash                    | busybox sh                 | bash                      |
| Default editor          | nano                      | vim                       | vim                     | busybox vi                 | vim                       |
| Default init system     | systemd (prev. SysV)      | systemd (prev. Upstart)   | systemd (prev. SysV)    | busybox init               | systemd (prev. SysV)      |
| Default package manager | deb                       | deb                       | rpm                     | apk                        | pacman                    |
| Release model           | Fixed, infrequent updates | Fixed, infrequent updates | Fixed, frequent updates | Fixed, relatively frequent | Rolling, constant updates |

Slide 16

Container images
(Figure: three images, each with its own set of top-level directories: /bin /lib /usr /opt /var; /bin /lib /usr /var; /bin /opt /usr /var)

Slide 17

Linux & software packages

Slide 18

How does software get into a Linux distribution?
Upstream: 3rd-party developers write the source
  ↓
Distribution: compiled & packaged
  ■ Enable / disable features
  ■ Link with libraries
  ■ Re-package
  ■ Fix bugs that aren't in upstream
  ■ Apply security patches
  ↓
Package repository: binary distribution

Slide 19

Case study: Debian - focus on stability
● New versions may take months to reach the package repositories
● Often they don't want to update to the latest version just to pick up an upstream fix for a security vulnerability
● Debian often backports security fixes to older versions and repackages them

Slide 20

Case study: Debian / CVE-2017-8807
● NVD reports this in Varnish HTTP Cache versions 4.0.0 - 5.2.0

Slide 21

Debian applied the patch to 5.0.0

Slide 23

Case study: Alpine / busybox 1.27.2

Slide 24

Case study: Alpine / busybox 1.27.2
● Patches for the known vulnerabilities
● Other patches not known to NVD

Slide 25

Not all scanners are created equal
Information sources / advisories
  • NVD
  • Distributions
  • Vendors
  • (Commercial DBs)
Scanning techniques
  • Layer-by-layer or whole image
Detection techniques
  • Version comparison
  • Hash comparison
Functionality
  • Malware
  • File scanning
  • Windows

Slide 26

Trivy

Slide 27

Features
● Comprehensive vulnerability detection
● Simple
● Easy installation
● High accuracy
● DevSecOps
https://github.com/aquasecurity/trivy

Slide 28

Simple
Run:
$ trivy [YOUR_IMAGE_NAME]

Slide 30

How does software get into a server?
01 System package manager, e.g. yum/apt (supported)
02 Application package manager, e.g. npm, bundler (supported)
03 Self-installation, e.g. make

Slide 31

Architecture
① Fetch & commit security advisories daily (https://github.com/aquasecurity/vuln-list)
② Clone or pull the advisory repository
③ Fetch images from the container registry (layer tar files)
④ Apply layers
⑤ Extract files
⑥ Identify the packages & versions
⑦ Version comparison

Slide 32

Slide 32 text

32 Architecture Security advisory ᶃ Fetch &
 Commit /day https://github.com/aquasecurity/vuln-list

Slide 33

Security advisory
● Fetch and commit security advisories daily
● Cron jobs on Travis CI
● Pros:
  ● Stability: some APIs often return 500
  ● Fetch only the difference
  ● History, e.g. CVSS score updates
https://github.com/aquasecurity/vuln-list

Slide 34

Alpine Linux
● No security advisory
● Crawl all issues with the Security label
  ● https://gitlab.alpinelinux.org/alpine/aports/issues?scope=all&label_name[]=Security
● Check for differences (git diff)
● Discussing this with the developers

Slide 35

Architecture, step ③: Fetch images from the container registry (layer tar files)

Slide 36

Fetch images
● Dockerless mode
  ● Download layers directly from container registries via HTTP(S)
● Docker mode
  ● When dockerd is installed
  ● Communicate with the Docker daemon
(Figure: Trivy talks to the container registry over HTTP(S) and to dockerd over HTTP)

Slide 37

Authentication
https://docs.docker.com/registry/spec/auth/token/

Slide 38

Architecture, step ④: Apply layers

Slide 39

Apply layers
(Figure: layers containing File1, File2, File3, File4 are applied one on top of another into a single filesystem)
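The layer application pictured above, as an added example that is not code from the talk or from Trivy/fanal: the union a container runtime builds, including the OCI image-spec whiteout rules (a ".wh.<name>" entry deletes a lower-layer file, ".wh..wh..opq" hides a directory's lower contents). Layer paths and contents are constructed; after applying the layers only the final /var/lib/dpkg/status is visible, which is what a scanner working on the whole image sees.

```python
"""Applying image layers into one filesystem view (added example)."""
from typing import Dict, List, Set

WH, OPAQUE = ".wh.", ".wh..wh..opq"  # OCI image-spec whiteout marker names

# Constructed layers, oldest first, as {path: content}. A ".wh.<name>" entry
# deletes <name> from lower layers; ".wh..wh..opq" hides everything a lower
# layer put into that directory, so only this layer's files remain there.
LAYERS: List[Dict[str, bytes]] = [
    {"/bin/ls": b"ls v1", "/etc/hosts": b"hosts", "/var/lib/dpkg/status": b"Package: old",
     "/opt/tool/a": b"a", "/opt/tool/b": b"b"},
    {"/bin/ls": b"ls v2", "/app/Gemfile.lock": b"GEM"},
    {"/etc/.wh.hosts": b"", "/var/lib/dpkg/status": b"Package: new",
     "/opt/tool/.wh..wh..opq": b"", "/opt/tool/c": b"c"},
]

def _shadowed(path: str, hidden: Set[str], opaque: Set[str]) -> bool:
    """True if a newer layer deleted this path (or a parent) or made its directory opaque."""
    return any(path == h or path.startswith(h + "/") for h in hidden) or any(
        path.startswith(o) for o in opaque)

def apply_layers(layers: List[Dict[str, bytes]]) -> Dict[str, bytes]:
    """Union the layers so that the newest copy of each path wins.

    Walking from the newest layer down, a path is kept the first time it is
    seen unless a whiteout from an even newer layer covers it. A layer's own
    whiteouts apply only to the layers below it, so a file may sit beside an
    opaque marker in the same layer and still survive.
    """
    fs: Dict[str, bytes] = {}
    hidden: Set[str] = set()
    opaque: Set[str] = set()
    for layer in reversed(layers):
        layer_hidden, layer_opaque = set(), set()
        for path, data in layer.items():
            directory, _, name = path.rpartition("/")
            if name == OPAQUE:
                layer_opaque.add(directory + "/")
            elif name.startswith(WH):
                layer_hidden.add(directory + "/" + name[len(WH):])
            elif path not in fs and not _shadowed(path, hidden, opaque):
                fs[path] = data
        hidden |= layer_hidden
        opaque |= layer_opaque
    return fs

if __name__ == "__main__":
    for path, data in sorted(apply_layers(LAYERS).items()):
        print(path, data.decode())
```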

Slide 40

Architecture, step ⑤: Extract files

Slide 41

Extract required files
● OS packages: /var/lib/dpkg/status
● Application dependencies: /app/Gemfile.lock
● Other files, e.g. /bin/ls, /etc/hosts, /var/log/message, are not needed
https://github.com/aquasecurity/fanal

Slide 42

Architecture, step ⑥: Identify the packages & versions

Slide 43

List installed packages (Debian/Ubuntu)
$ cat /var/lib/dpkg/status
…
Package: sed
Essential: yes
Status: install ok installed
Priority: required
Section: utils
Installed-Size: 304
Architecture: amd64
Multi-Arch: foreign
Version: 4.2.2-7
Depends: dpkg (>= 1.15.4) | install-info
Pre-Depends: libc6 (>= 2.14), libselinux1 (>= 1.32)
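As an added example (not code from the talk or from Trivy/fanal), a parser for this file format: stanzas of "Field: value" lines separated by blank lines, with space-indented continuation lines that must be folded rather than parsed as fields, filtered to packages whose Status state is "installed". The sample status file is constructed from the slide's sed stanza plus an invented removed package.

```python
"""Listing installed packages from dpkg's status database (added example)."""
from typing import Dict, List, Tuple

# Constructed sample of /var/lib/dpkg/status: the sed stanza from the slide
# (trimmed) plus a removed package whose configuration files were kept.
SAMPLE_STATUS = """\
Package: sed
Status: install ok installed
Version: 4.2.2-7
Description: GNU stream editor for filtering/transforming text
 sed reads the specified files or the standard input if no files are given.

Package: example-old
Status: deinstall ok config-files
Version: 1.0-1
"""

def parse_stanzas(text: str) -> List[Dict[str, str]]:
    """Split the RFC 822-style file into stanzas of 'Field: value' pairs."""
    stanzas: List[Dict[str, str]] = []
    fields, last = {}, None
    for line in text.splitlines():
        if not line.strip():                 # a blank line ends the stanza
            if fields:
                stanzas.append(fields)
            fields, last = {}, None
        elif line[0] == " " and last:        # continuation of a multi-line field:
            fields[last] += "\n" + line[1:]  # fold it, do not parse it as a field
        elif ":" in line:
            last, _, value = line.partition(":")
            fields[last] = value.strip()
    if fields:                               # the last stanza may lack a trailing blank
        stanzas.append(fields)
    return stanzas

def installed_packages(text: str) -> List[Tuple[str, str]]:
    """(name, version) for stanzas whose Status state is 'installed'.
    Status is 'want flag state'; only state 'installed' means the files are on
    disk, so removed (config-files) or half-installed entries are skipped."""
    pkgs = []
    for st in parse_stanzas(text):
        state = st.get("Status", "").split()
        if len(state) == 3 and state[2] == "installed" and "Package" in st:
            pkgs.append((st["Package"], st.get("Version", "")))
    return pkgs

if __name__ == "__main__":
    for name, version in installed_packages(SAMPLE_STATUS):
        print(name, version)  # sed 4.2.2-7
```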

Slide 44

List installed libraries (Bundler)
$ cat /app/Gemfile.lock
…
GEM
  remote: https://rubygems.org/
  specs:
    actioncable (5.2.3)
      actionpack (= 5.2.3)
      nio4r (~> 2.0)
      websocket-driver (>= 0.6.1)

Slide 45

Architecture, step ⑦: Version comparison

Slide 46

Version comparison
Easy?

Slide 47

Version comparison
Installed: 3.6.20-1.ab1
Affected version: < 3.6.20-1.2
Vulnerable?
https://github.com/knqyf263/go-rpm-version
https://github.com/knqyf263/go-deb-version
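An added example, not code from the talk or from the go-deb-version library: the dpkg version ordering reimplemented in Python and applied to the slide's case, including epochs, the "~" pre-release marker and the split of the Debian revision at the last hyphen. The versions it is exercised with are constructed.

```python
"""Debian version ordering as dpkg defines it (added example, not Trivy's code)."""
import re

def _order(c: str) -> int:
    """dpkg's weight of one character; '' (end of string) and digits are 0."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1           # '~' sorts before everything, even the empty string
    if c.isalpha():
        return ord(c)       # letters sort before other punctuation,
    return ord(c) + 256     # which is pushed above the letter range

def _verrevcmp(a: str, b: str) -> int:
    """Compare one version part by alternating non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character with dpkg's weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            d = _order(a[i:i + 1]) - _order(b[j:j + 1])
            if d:
                return d
            i, j = i + 1, j + 1
        # Digit run: compare numerically, so 1.10 > 1.9 and 007 == 7.
        da = re.match(r"\d*", a[i:]).group()
        db = re.match(r"\d*", b[j:]).group()
        i, j = i + len(da), j + len(db)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def _split(v: str):
    """'[epoch:]upstream[-revision]': the revision starts at the LAST '-'."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare(a: str, b: str) -> int:
    """<0 if a is older than b, 0 if equal, >0 if newer (as dpkg --compare-versions)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)  # no revision behaves like "0"

if __name__ == "__main__":
    # The slide's case: "1.ab1" sorts after "1.2", so the installed version is not older.
    print(compare("3.6.20-1.ab1", "3.6.20-1.2") < 0)  # False
```

An advisory of the form "affected: < fixed" matches an installed version exactly when compare(installed, fixed) < 0.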

Slide 48

Results
● Table
● JSON
● (HTML)
● (XML)

Slide 49

Future work
● Support Harbor
● Server-client mode
● Support Redis
● Reduce cache size
● Support new OSes (Amazon Linux, Arch Linux, etc.)
● Embed into Dockerfile
● CircleCI Orbs / Jenkins plugin

Slide 50

Thank you for your attention
https://github.com/aquasecurity/trivy