Trivy - Container vulnerability scanning

Transcript

1. © 2019 Aqua Security Software Ltd., All Rights Reserved Teppei

   Fukuda (@knqyf263) Open Source Team Open Source Engineer Trivy Container vulnerability scanning Docker Meetup Tokyo #32 5 September 2019

2. 2

3. Software vulnerabilities

4. 4 Known Vulnerabilities Unknown Vulnerabilities Vulnerabilities • Known vulnerabilities •

   Vulnerability ID assigned • e.g. CVE-ID • Unknown vulnerabilities • Non-disclosure Designed by vvstudio / Freepik

5. 5 Known Vulnerabilities Unknown Vulnerabilities Vulnerabilities • Known vulnerabilities •

   Scanner Identifying components with known vulnerabilities • e.g. Trivy, Clair, Aqua Scanner • Unknown vulnerabilities • Web application vulnerability scanners , Fuzzing tool • e.g. OWASP ZAP, OSS-Fuzz Designed by vvstudio / Freepik Target

6. 6 Your Vulnerabilities 3rd Party Vulnerabilities Vulnerabilities • Your vulnerabilities

   • Software written by you • 3rd Party vulnerabilities • Well-known software • e.g. OpenSSL, Nginx Your Vulnerabilities 3rd Party Vulnerabilities Designed by vvstudio / Freepik Target

7. 7 Common Vulnerabilities & Exposures

8. 8

9. Heartbleed

10. 10 Containers, images and vulnerabilities Image registry Image Running containers

11. 11

12. Image vulnerability scanning • Identify the packages & versions in

    the image • Cross-reference with vulnerability database Sounds Easy!

13. Linux, distributions & container images

14. 14 • The Linux Kernel is A Thing • And

    then there are distributions: kernel + • shell • init system • package manager • GUI • … Linux distributions

15. 15 Linux distributions Debian Ubuntu OpenSUSE Alpine Arch Linux Default

    GUI GNOME GNOME (prev. Unity) KDE None None Default Shell dash bash bash busybox sh bash Default Editor nano vim vim busybox vi vim Default Init System systemd (prev. SysV) systemd (prev. Upstart) systemd (prev. SysV) busybox init systemd (prev. SysV) Default Package Manager deb deb rpm apk pacman Release Model Fixed, infrequent updates Fixed, infrequent updates Fixed, frequent updates Fixed, relatively frequent Rolling, constant updates

16. 16 Container images /bin /lib /usr /opt /var /bin /lib

    /usr /var /bin /opt /usr /var

17. Linux & software packages

18. 18 How does software get into a Linux distribution? ▪Enable

    / disable features ▪Link with libraries ▪Re-package 3rd-party developers write source Binary distribution Upstream Distribution ▪Fix bugs that aren’t in upstream ▪Apply security patches Compiled & packaged Package repository

19. Case study: Debian - focus on stability • New versions

    may take months to reach the package repositories
 • Often don’t want to update to latest version for an upstream fix to a security vulnerability
 • Debian often backports security fixes to older versions and repackages them

20. 20 • NVD reports this in Varnish HTTP Cache versions

    4.0.0 - 5.2.0 Case study: Debian / CVE-2017-8807

21. 21 Debian applied patch to 5.0.0

22. 22

23. 23 Case study: Alpine / busybox 1.27.2

24. 24 Case study: Alpine / busybox 1.27.2 Patches for the

    known vulnerabilities Other patches not known to NVD

25. 25 Not all scanners are created equal Information sources /

    advisories • NVD • Distributions • Vendors • (Commercial DBs) Scanning techniques • Layer-by-layer or image Detection techniques • Version comparison • Hash comparison Functionality • Malware • File scanning • Windows

26. Trivy

27. 27 • Detect comprehensive vulnerabilities • Simple • Easy installation

    • High accuracy • DevSecOps Features https://github.com/aquasecurity/trivy

28. 28 $ trivy [YOUR_IMAGE_NAME] Run Simple

29. None

30. 30 03 System Package Manager e.g. yum/apt 01 02 Application

    Package Manager e.g. npm, bundler Self- installation e.g. make How does software get into a server? Support Support

31. 31 Architecture Security advisory ᶃ Fetch &
 Commit /day https://github.com/aquasecurity/vuln-list

    Container registry ᶅ Fetch images ᶄ Clone or pull Layer tar files ᶇ Extract files ᶉ Version comparison ᶆ Apply layers ᶈ Identify the packages & versions

32. 32 Architecture Security advisory ᶃ Fetch &
 Commit /day https://github.com/aquasecurity/vuln-list

33. 33 Security advisory • Fetch and commit security advisories daily

    • Cron Jobs on Travis CI • Pros: • Stability Some APIs often return 500 • Fetch only the difference • History e.g. CVSS score update https://github.com/aquasecurity/vuln-list

34. 34 Alpine Linux • No security advisory • Crawl all

    issues with security label • https://gitlab.alpinelinux.org/alpine/aports/issues?scope=all&label_name[]=Security • Check for differences (git diff) Discussing with developers

35. 35 Architecture Security advisory https://github.com/aquasecurity/vuln-list Container registry ᶅ Fetch images

    Layer tar files

36. 36 Fetch images • Dockerless mode • Download layers from

    container registries directly via HTTP(S) • Docker mode • When dockerd is installed • Communicate with Docker daemon Container registry dockerd HTTP(S) HTTP

37. Authentication https://docs.docker.com/registry/spec/auth/token/

38. 38 Architecture Security advisory https://github.com/aquasecurity/vuln-list Container registry ᶆ Apply layers

39. 39 Apply layers File1 File2 File4 File3 File3 File2 File2

    File4 File1 Apply

40. 40 Architecture Security advisory https://github.com/aquasecurity/vuln-list Container registry ᶇ Extract files

41. 41 Extract required files /app/Gemfile.lock /bin/ls /var/lib/dpkg/status /etc/hosts /var/log/message https://github.com/aquasecurity/fanal

    OS packages Application dependencies

42. 42 Architecture Security advisory https://github.com/aquasecurity/vuln-list Container registry ᶈ Identify the

    packages & versions

43. 43 List installed packages $ cat /var/lib/dpkg/status … Package: sed

    Essential: yes Status: install ok installed Priority: required Section: utils Installed-Size: 304 Architecture: amd64 Multi-Arch: foreign Version: 4.2.2-7 Depends: dpkg (>= 1.15.4) | install-info Pre-Depends: libc6 (>= 2.14), libselinux1 (>= 1.32) ※ Debian/Ubuntu

44. 44 List installed libraries $ cat /app/Gemfile.lock … GEM remote:

    https://rubygems.org/ specs: actioncable (5.2.3) actionpack (= 5.2.3) nio4r (~> 2.0) websocket-driver (>= 0.6.1) ※ Bundler

45. 45 Architecture Security advisory https://github.com/aquasecurity/vuln-list Container registry ᶉ Version comparison

46. Version comparison Easy?

47. Installed 3.6.20-1.ab1 Affected version < 3.6.20-1.2 ≶ Version comparison Vulnerable?

    https://github.com/knqyf263/go-rpm-version https://github.com/knqyf263/go-deb-version

48. 48 • Table • JSON • (HTML) • (XML) Results

49. 49 • Support Harbor • Server-Client mode • Support Redis

    • Reduce cache size • Support new OSes (Amazon Linux, Arch Linux, etc.) • Embed into Dockerfile • CircleCI Orbs / Jenkins plugin Future works

50. Thank you for your attention https://github.com/aquasecurity/trivy