
Trivy - Container vulnerability scanning

Teppei Fukuda
September 05, 2019


Slides presented at Docker Meetup Tokyo #32.


Transcript

  1. Trivy: Container vulnerability scanning. Teppei Fukuda (@knqyf263), Open Source Engineer, Open Source Team. Docker Meetup Tokyo #32, 5 September 2019. © 2019 Aqua Security Software Ltd., All Rights Reserved.
  3. Vulnerabilities: known vs. unknown
    • Known vulnerabilities: a vulnerability ID has been assigned, e.g. a CVE-ID
    • Unknown vulnerabilities: not disclosed
    (Image designed by vvstudio / Freepik)
  4. Target: known vs. unknown vulnerabilities
    • Known vulnerabilities: scanners that identify components with known vulnerabilities, e.g. Trivy, Clair, Aqua Scanner
    • Unknown vulnerabilities: web application vulnerability scanners and fuzzing tools, e.g. OWASP ZAP, OSS-Fuzz
  5. Target: your vulnerabilities vs. 3rd-party vulnerabilities
    • Your vulnerabilities: software written by you
    • 3rd-party vulnerabilities: well-known software, e.g. OpenSSL, Nginx
  8. Image vulnerability scanning
    • Identify the packages & versions in the image
    • Cross-reference with a vulnerability database
    Sounds easy!
  9. Linux distributions
    • The Linux kernel is a thing
    • And then there are distributions: kernel + shell, init system, package manager, GUI, …
  10. Linux distributions
    Distribution | Default GUI         | Default shell | Default editor | Default init system     | Default package manager | Release model
    Debian       | GNOME               | dash          | nano           | systemd (prev. SysV)    | deb                     | Fixed, infrequent updates
    Ubuntu       | GNOME (prev. Unity) | bash          | vim            | systemd (prev. Upstart) | deb                     | Fixed, infrequent updates
    OpenSUSE     | KDE                 | bash          | vim            | systemd (prev. SysV)    | rpm                     | Fixed, frequent updates
    Alpine       | None                | busybox sh    | busybox vi     | busybox init            | apk                     | Fixed, relatively frequent
    Arch Linux   | None                | bash          | vim            | systemd (prev. SysV)    | pacman                  | Rolling, constant updates
  11. How does software get into a Linux distribution?
    • Upstream: 3rd-party developers write the source
    • Distribution: enable / disable features, link with libraries, re-package, fix bugs that aren't in upstream, apply security patches
    • Compiled & packaged, then published as a binary distribution in the package repository
  12. Case study: Debian, focus on stability
    • New versions may take months to reach the package repositories
    • Often don't want to update to the latest version for an upstream fix to a security vulnerability
    • Debian often backports security fixes to older versions and repackages them
  13. Case study: Debian / CVE-2017-8807
    • NVD reports this in Varnish HTTP Cache versions 4.0.0 - 5.2.0
  15. Case study: Alpine / busybox 1.27.2
    • Patches for the known vulnerabilities
    • Other patches not known to NVD
  16. Not all scanners are created equal
    • Information sources / advisories: NVD, distributions, vendors, (commercial DBs)
    • Scanning techniques: layer-by-layer or whole image
    • Detection techniques: version comparison, hash comparison
    • Functionality: malware, file scanning, Windows
  17. Features
    • Detect comprehensive vulnerabilities
    • Simple
    • Easy installation
    • High accuracy
    • DevSecOps
    https://github.com/aquasecurity/trivy
  18. How does software get into a server?
    01 System package manager, e.g. yum/apt (supported)
    02 Application package manager, e.g. npm, bundler (supported)
    03 Self-installation, e.g. make
  19. Architecture
    ① Security advisory: fetch & commit daily to https://github.com/aquasecurity/vuln-list
    ② Clone or pull
    ③ Fetch images from the container registry
    ④ Apply layers (layer tar files)
    ⑤ Extract files
    ⑥ Identify the packages & versions
    ⑦ Version comparison
  20. Security advisory
    • Fetch and commit security advisories daily
    • Cron jobs on Travis CI
    • Pros: stability (some APIs often return 500), fetch only the difference, history (e.g. CVSS score update)
    https://github.com/aquasecurity/vuln-list
  21. Alpine Linux
    • No security advisory
    • Crawl all issues with the security label: https://gitlab.alpinelinux.org/alpine/aports/issues?scope=all&label_name[]=Security
    • Check for differences (git diff)
    • Discussing with developers
  22. Fetch images
    • Dockerless mode: download layers from container registries directly via HTTP(S)
    • Docker mode: when dockerd is installed, communicate with the Docker daemon
  23. List installed packages (Debian/Ubuntu)
    $ cat /var/lib/dpkg/status
    …
    Package: sed
    Essential: yes
    Status: install ok installed
    Priority: required
    Section: utils
    Installed-Size: 304
    Architecture: amd64
    Multi-Arch: foreign
    Version: 4.2.2-7
    Depends: dpkg (>= 1.15.4) | install-info
    Pre-Depends: libc6 (>= 2.14), libselinux1 (>= 1.32)
  24. List installed libraries (Bundler)
    $ cat /app/Gemfile.lock
    …
    GEM
      remote: https://rubygems.org/
      specs:
        actioncable (5.2.3)
          actionpack (= 5.2.3)
          nio4r (~> 2.0)
          websocket-driver (>= 0.6.1)
  25. Version comparison
    Installed: 3.6.20-1.ab1
    Affected version: < 3.6.20-1.2
    ≶ Vulnerable?
    https://github.com/knqyf263/go-rpm-version
    https://github.com/knqyf263/go-deb-version
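The cross-reference step from slides 23 and 25, as an added example that is not part of the slides or of Trivy's own code: a Python port of dpkg's Debian version ordering (the rules go-deb-version covers for `epoch:upstream-revision` strings, including `~` pre-release sorting), run over a constructed dpkg status excerpt and a constructed `{package: first fixed version}` map. The package names `examplepkg` and `removedpkg` and all fixed versions are made up for illustration, not real advisories.

```python
import re
# Added example: Debian version ordering as dpkg implements it, used to cross-reference a
# constructed /var/lib/dpkg/status excerpt against a constructed {package: fixed version} map.
_VERSION = re.compile(r"^(?:(\d+):)?(.*?)(?:-([^-]*))?$")  # epoch:upstream-revision

def _order(c):
    # Non-digit phase weights: '~' sorts before the end of the string, letters before punctuation.
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Compare two upstream (or revision) strings the way dpkg's verrevcmp does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare weights; a missing character counts as 0, so only '~' sorts below it.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: strip leading zeros, then the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0": i += 1
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1
        if j < len(b) and b[j].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def compare_versions(a, b):
    """Return -1, 0 or 1 for a <, ==, > b under Debian ordering."""
    (ea, ua, ra), (eb, ub, rb) = _VERSION.match(a).groups(""), _VERSION.match(b).groups("")
    for d in (int(ea or 0) - int(eb or 0), _verrevcmp(ua, ub), _verrevcmp(ra, rb)):
        if d: return 1 if d > 0 else -1
    return 0

def find_vulnerable(status_text, advisories):
    """Installed packages whose version sorts below the advisory's first fixed version."""
    stanzas = [dict(l.split(": ", 1) for l in s.splitlines() if ": " in l) for s in status_text.split("\n\n")]
    return [(f["Package"], f["Version"], advisories[f["Package"]]) for f in stanzas
            if f.get("Status", "").endswith(" installed") and f.get("Package") in advisories
            and compare_versions(f["Version"], advisories[f["Package"]]) < 0]

# Constructed sample input (not a real advisory): dpkg status stanzas and first fixed versions.
SAMPLE_STATUS = ("Package: sed\nStatus: install ok installed\nVersion: 4.2.2-7\n\n"
                 "Package: examplepkg\nStatus: install ok installed\nVersion: 1.0~rc1-1\n\n"
                 "Package: removedpkg\nStatus: deinstall ok config-files\nVersion: 0.9-1\n")
SAMPLE_ADVISORIES = {"sed": "4.2.2-7", "examplepkg": "1.0-1", "removedpkg": "1.0-1"}
```

Only `examplepkg` is reported: `sed` is already at the fixed version, and `removedpkg` is not in the installed state, which is why the Status field must be checked and not just the version.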
  26. Future works
    • Support Harbor
    • Server-client mode
    • Support Redis
    • Reduce cache size
    • Support new OSes (Amazon Linux, Arch Linux, etc.)
    • Embed into Dockerfile
    • CircleCI Orbs / Jenkins plugin