Mitigating vulnerabilities in container images is, most of the time, a straightforward task: update the base image, use a newer version of Node or Java, bump the patch version of a project dependency, etc. However, all useful pieces of software are complex, and vulnerability scanning tools fall short of explaining why they are flagging some edge cases.
This session walks you through mitigating critical vulnerabilities in popular container images such as Java-based ones, from the obvious to the sneaky ones, and shows how to leverage layer explorer tools to narrow the search field for the latter. It is meant to be a hands-on session: first we will use Aqua's Trivy scanner to analyze an image generated for a Spring Boot app, and then wagoodman's Dive to explore in which layer we are introducing a version of a library with critical vulnerabilities, while Maven seems to tell us otherwise.
Find the slides here.
To get your environment ready for this playground you'll need:

- Docker ➞ Get Docker page.
- Alternatively, buildah can be used as well ➞ Installation Instructions README section.

And either...

- Java 16 ➞ Suggestion: SDKMAN! and `sdk install java 16.0.2-tem`.
- Trivy ➞ Getting started - Installation page. Make sure to install the `0.25.3` version, because more recent ones include a nice enhancement to the table output that will give us a spoiler.
- Dive ➞ Installation README section.
- Run `source setup.sh` to unpack the vulnerabilities database* and set the required variables to build the container images and run the scans.

...or install Nix and get a ready-to-use shell environment by running `nix-shell` on the root folder.
*Trivy gets its vulnerability information from a database that is downloaded every now and then when you run a scan. This means that, as time passes and more vulnerabilities are included in it, new vulnerabilities will be reported for this project. To keep it reproducible, we'll use the database at `/utils`, downloaded from the trivy-db packages page.
Build the builder container image

```shell
docker build container-library/java-16/maven
```

Build the demo-service container image

```shell
cd demo-service && ./mvnw install && cd -
```

Run a Trivy scan

```shell
trivy image --severity CRITICAL --ignore-unfixed --format json demo-service-boot:0.1.0-SNAPSHOT
```

Run Dive

```shell
dive demo-service-boot:0.1.0-SNAPSHOT
```
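The JSON produced by the Trivy scan above already records, for every finding, the image layer (`Layer.DiffID`) in which the vulnerable package was detected, which is exactly what you want to know before opening Dive. The script below is an added example, not part of this playground's code: it groups the CRITICAL findings that have a fix (the same filter as `--severity CRITICAL --ignore-unfixed`) by layer DiffID. It assumes Trivy's schema-version-2 JSON layout, and the report embedded in it is a constructed sample with placeholder package names, CVE ids and digests.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `trivy image --format json` (schema v2).
# Package names, CVE ids and layer digests are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "demo-service-boot:0.1.0-SNAPSHOT",
    "Results": [
        {"Target": "app/libs/sample-lib-1.0.0.jar", "Class": "lang-pkgs", "Type": "jar",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-00001", "PkgName": "com.example:sample-lib",
              "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL",
              "Layer": {"DiffID": "sha256:aaaa"}},
             # no FixedVersion: dropped, like --ignore-unfixed does
             {"VulnerabilityID": "CVE-0000-00002", "PkgName": "com.example:sample-lib",
              "InstalledVersion": "1.0.0", "FixedVersion": "", "Severity": "CRITICAL",
              "Layer": {"DiffID": "sha256:aaaa"}}]},
        {"Target": "demo-service-boot:0.1.0-SNAPSHOT (debian 11.3)", "Class": "os-pkgs",
         "Type": "debian",
         "Vulnerabilities": [
             # HIGH, not CRITICAL: dropped by the severity filter
             {"VulnerabilityID": "CVE-0000-00003", "PkgName": "libfoo",
              "InstalledVersion": "2.0", "FixedVersion": "2.1", "Severity": "HIGH",
              "Layer": {"DiffID": "sha256:bbbb"}}]},
    ],
})


def critical_fixable_by_layer(report_json):
    """Map each layer DiffID to the CRITICAL, fixable findings it introduced.

    Returns {diff_id: [(target, package, installed, fixed, vuln_id), ...]}.
    """
    report = json.loads(report_json)
    by_layer = defaultdict(list)
    # Trivy emits "Results": null when nothing was found, so guard with `or []`.
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") != "CRITICAL" or not vuln.get("FixedVersion"):
                continue
            layer = (vuln.get("Layer") or {}).get("DiffID", "<unknown layer>")
            by_layer[layer].append((result["Target"], vuln["PkgName"],
                                    vuln["InstalledVersion"], vuln["FixedVersion"],
                                    vuln["VulnerabilityID"]))
    return dict(by_layer)


if __name__ == "__main__":
    for layer, findings in critical_fixable_by_layer(SAMPLE_REPORT).items():
        print(f"layer {layer}")
        for target, pkg, installed, fixed, vuln_id in findings:
            print(f"  {vuln_id}: {pkg} {installed} -> {fixed} ({target})")
```

Pipe the real scan output into this script (read it from a file instead of `SAMPLE_REPORT`) and look the reported DiffID up in Dive's layer list to jump straight to the layer that added the library.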