Abstract

Container technology plays an essential role in many Information and Communications Technology (ICT) systems. However, containers face a diversity of threats caused by vulnerable packages within container images. Previous vulnerability scanning solutions for container images are inadequate: they depend entirely on the information extracted from package managers, so packages that were compiled directly from source, downloaded from a repository, or otherwise added without the package manager are ignored. We introduce DAVS, a Dockerfile analysis-based vulnerability scanning framework for OCI-based container images, to deal with the limitations of existing solutions. DAVS performs static analysis, using file extraction based on Dockerfile information, to obtain a list of Potentially Vulnerable Files (PVFs). The PVFs are then scanned to identify the vulnerabilities in the target container image. Experiments show that DAVS outperforms Clair, the most popular container image scanning project, in detecting Common Vulnerabilities and Exposures (CVE) in 10 known vulnerable images. Moreover, DAVS found that 68% of real-world container images collected from different image registries are vulnerable.

Highlights

  • Virtualization is applied to many fields in Information and Communication Technology (ICT) systems

  • This paper proposes DAVS, a framework that statically analyzes Dockerfiles to extract Potentially Vulnerable Files (PVFs), which help detect known vulnerabilities in container images more efficiently

  • DAVS, with its PVF filtering rules, keeps high accuracy in detecting the Common Vulnerabilities and Exposures (CVE) related to the target vulnerable image and significantly decreases scanning time compared to scanning all files with CVE-Bin-Tool

Summary

Introduction

Virtualization is applied to many fields in Information and Communication Technology (ICT). Current vulnerability analysis solutions for Docker containers are inadequate: scanning tools such as Trivy [4] and Clair [5] depend entirely on the information extracted from package managers (e.g., dpkg, apk). This paper proposes DAVS, a framework that statically analyzes the Dockerfile to extract Potentially Vulnerable Files (PVFs), which help detect known vulnerabilities (represented in the form of CVE metadata) in container images more efficiently. The PVFs are passed to a Vulnerability Checking module that detects known CVEs (Common Vulnerabilities and Exposures). This procedure lets DAVS address the shortcoming of previous scanning solutions by focusing on packages that are compiled, downloaded, or added at build time, which previous vulnerability scanners have not covered. By pinpointing vulnerabilities in container images, DAVS helps to reduce security risks when deploying applications to cloud or edge computing systems.
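The Dockerfile-analysis step described above can be illustrated with a small static extractor. The script below is an added example written for this page, not the authors' DAVS code, and it implements the idea in simplified form: it walks the Dockerfile, tracks WORKDIR and in-RUN `cd`, and records the files that bypass the package manager, namely ADD/COPY destinations, files written by curl/wget (including a download piped straight into `tar -C DIR`), `git clone` targets, and the `--prefix` that a `make install` populates. Multi-stage builds are reported per stage because only the last stage's files end up in the shipped image; anything built earlier is present only if a later `COPY --from` brings it across. The sample Dockerfile, the host `example.invalid` and every file name in it are constructed for the example; heredocs, exec-form JSON and ARG/ENV expansion are deliberately out of scope.

```python
"""Dockerfile -> Potentially Vulnerable Files (PVFs). Added example, not the DAVS authors' code.
Handles shell-form RUN with backslash continuations; heredocs, exec-form JSON and ARG/ENV are not."""
import posixpath, re, shlex
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import urlparse

PVF = NamedTuple("PVF", [("path", str), ("kind", str)])  # kind: added | downloaded | cloned | compiled

def resolve(path: str, cwd: str) -> str:
    """Absolute path inside the image; relative paths are taken from the current WORKDIR/cd."""
    return posixpath.normpath(path if path.startswith("/") else posixpath.join(cwd, path))

def parse_instructions(text: str) -> List[Tuple[str, str]]:
    """Join continuations, drop comment lines and leading --options; return (KEYWORD, args)."""
    out, buf = [], ""
    for line in (l.rstrip() for l in text.splitlines() if not l.lstrip().startswith("#")):
        buf += line[:-1] + " " if line.endswith("\\") else line
        if not line.endswith("\\"):
            parts, buf = buf.split(None, 1), ""
            if len(parts) == 2:
                out.append((parts[0].upper(), re.sub(r"^(?:--\S+\s+)*", "", parts[1].strip())))
    return out

def download_target(tool: str, argv: List[str], cwd: str) -> Optional[str]:
    """File curl/wget writes to: -o/-O FILE, wget's default remote name, or None for stdout."""
    remote = posixpath.basename(urlparse(next((a for a in argv if "://" in a), "")).path)
    out, letter = None, "o" if tool == "curl" else "O"
    for i, a in enumerate(argv):
        if a.startswith("-") and not a.startswith("--") and (pos := a.find(letter, 1)) != -1:
            out = a[pos + 1:] or (argv[i + 1] if i + 1 < len(argv) else None)  # -sSLo F, -O F, -qO-
    if out is None:
        return resolve(remote, cwd) if tool == "wget" and remote else None  # bare curl -> stdout
    return None if out == "-" else resolve(out, cwd)                          # "-" means stdout

def clone_dest(argv: List[str]) -> str:
    """git clone [opts] URL [DIR]: DIR if it follows the URL, else the repo name without .git."""
    i = next(k for k, a in enumerate(argv) if "://" in a or a.endswith(".git"))
    nxt = argv[i + 1] if i + 1 < len(argv) else "-"
    name = nxt if not nxt.startswith("-") else posixpath.basename(argv[i].rstrip("/"))
    return name[:-4] if name.endswith(".git") else name

def analyze_run(cmd: str, cwd: str) -> List[PVF]:
    """Walk one RUN command (split textually on && || ; |) tracking `cd` and `--prefix`."""
    pvfs, prefix = [], "/usr/local"                    # make install default without --prefix
    for command in re.split(r"\s*(?:&&|\|\||;)\s*", cmd):
        pipeline = [shlex.split(s) for s in re.split(r"\s*\|\s*", command) if s.strip()]
        for i, argv in enumerate(pipeline):
            tool, nxt = posixpath.basename(argv[0]), (pipeline[i + 1] if i + 1 < len(pipeline) else [])
            if tool == "cd" and len(argv) > 1:
                cwd = resolve(argv[1], cwd)
            elif tool in ("curl", "wget"):
                target = download_target(tool, argv, cwd)
                if target is None and nxt[:1] == ["tar"] and "-C" in nxt[:-1]:
                    target = resolve(nxt[nxt.index("-C") + 1], cwd)   # curl URL | tar xz -C DIR
                if target is not None:
                    pvfs.append(PVF(target, "downloaded"))
            elif tool == "git" and "clone" in argv:
                pvfs.append(PVF(resolve(clone_dest(argv), cwd), "cloned"))
            elif tool == "configure":
                prefix = next((resolve(a[9:], cwd) for a in argv if a.startswith("--prefix=")), prefix)
            elif tool == "make" and "install" in argv:
                pvfs.append(PVF(prefix, "compiled"))
    return pvfs

def analyze_copy(args: str, cwd: str) -> List[PVF]:
    """ADD/COPY: the destination is the file itself, or the directory each source lands in."""
    *srcs, dst = shlex.split(args)
    if not dst.endswith("/") and len(srcs) == 1:
        return [PVF(resolve(dst, cwd), "added")]
    names = (posixpath.basename(urlparse(s).path if "://" in s else s.rstrip("/")) for s in srcs)
    return [PVF(resolve(posixpath.join(dst, n), cwd), "added") for n in names]

def extract_pvfs(dockerfile: str) -> List[Tuple[str, List[PVF]]]:
    """(stage name, PVFs) per build stage; only the last stage is what the image ships."""
    stages, cwd = [], "/"
    for keyword, args in parse_instructions(dockerfile):
        if keyword == "FROM":
            m = re.match(r"\S+(?:\s+AS\s+(\S+))?", args, re.I)
            stages.append((m.group(1) or f"stage{len(stages)}", []))
            cwd = "/"
        elif keyword == "WORKDIR":
            cwd = resolve(args, cwd)
        elif keyword in ("ADD", "COPY"):
            stages[-1][1].extend(analyze_copy(args, cwd))
        elif keyword == "RUN":
            stages[-1][1].extend(analyze_run(args, cwd))
    return stages

SAMPLE_DOCKERFILE = """\
FROM ubuntu:22.04 AS builder
WORKDIR /build
RUN curl -sSL https://example.invalid/zlib-1.2.11.tar.gz -o zlib.tar.gz \\
 && tar xzf zlib.tar.gz && cd zlib-1.2.11 \\
 && ./configure --prefix=/opt/zlib && make && make install
FROM ubuntu:22.04
COPY --from=builder /opt/zlib /opt/zlib
ADD https://example.invalid/tools/jq-1.6 /usr/local/bin/jq
RUN wget -q https://example.invalid/busybox -O /bin/busybox \\
 && git clone --depth 1 https://example.invalid/acme/helper.git /opt/helper \\
 && curl -sSL https://example.invalid/node-v18.tgz | tar xz -C /opt
"""  # constructed sample; example.invalid is never contacted
```

For the sample, `extract_pvfs(SAMPLE_DOCKERFILE)[-1][1]` yields `/opt/zlib` (copied from the builder stage), `/usr/local/bin/jq`, `/bin/busybox`, `/opt/helper` and `/opt`; the builder stage's own `/build/zlib.tar.gz` and compiled `/opt/zlib` are listed under `builder` and are not in the final image except where copied. Those paths, extracted from the image filesystem, are what a binary-level scanner is then pointed at (cve-bin-tool's basic form is `cve-bin-tool <path>`), which is the filtering that lets the paper avoid scanning the whole filesystem without losing the non-package-manager files that dpkg/apk-based scanners never see. Two caveats a reviewer would check: shell splitting is textual, so a `;` or `|` inside quotes mis-splits, and a file written by `tar` without `-C` lands in the current directory rather than being named explicitly.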

Related Work
Container Technologies
The Making of Docker Container Image
Vulnerability Checking
Experiment Setup and Evaluation
Experiment Setup
Evaluation
Discussion and Future