Skip to content

pablogalegoc/kubecon2022-playground

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
container-library
container-library
 
 
demo-service-plugins
demo-service-plugins
 
 
demo-service
demo-service
 
 
utils
utils
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
setup.sh
setup.sh
 
 
shell.nix
shell.nix
 
 

Repository files navigation

Digging Into Your App's Container Image Layers for Sneaky Vulnerabilities

KubeCon EU 2022 - 101 track session playground

Summary

Mitigating vulnerabilities in container images is, most of the time, a straight-forward task: update the base image, use a newer version of Node or Java, bump the patch version of a project dependency, etc. However, all useful pieces of software are complex and vulnerability scanning tools fall short on explaining why they are flagging some edge-cases.

This session walks you through mitigating critical vulnerabilities in popular container images like Java-based ones, from the obvious to the sneaky ones, and how to leverage layer explorer tools to narrow the search field for the latter. It is meant to be a hands-on session, first we will use Aqua’s Trivy scanner to analyze an image generated for a Spring Boot app and then wagoodman's Dive to explore in which layer we are introducing a version of a library with critical vulnerabilities, while Maven seems to tell us otherwise.

Find the slides ❯ here

Requirements

To get your environment ready for this playground you'll need:

And either...

  • Java 16 ➞ Suggestion: SDKMAN! and sdk install java 16.0.2-tem.
  • Trivy ➞ Getting started - Installation page. Make sure to install the 0.25.3 version because more recent ones includes a nice enhancement to the table output that will give us a spoiler.
  • Dive ➞ Installation README section.
  • Run source setup.sh to unpack the vulnerabilities database* and set the required variables to build the container images and run the scans.

...or install Nix and get a ready to use shell environment running nix-shell on the root folder.

*Trivy gets its vulnerability information from a database that is downloaded every now and then when you run a scan. This means that, as time passes and more vulnerabilities are included in it, new vulnerabilities will be reported for this project. To keep it reproducible, we'll use the database at /utils downloaded from the trivy-db packages page.

Quick command reference

Build the builder container image

docker build container-library/java-16/maven

Build the demo-service container image

cd demo-service && ./mvnw install && cd -

Run a Trivy scan

trivy image --severity CRITICAL --ignore-unfixed --format json demo-service-boot:0.1.0-SNAPSHOT

Run Dive

dive demo-service-boot:0.1.0-SNAPSHOT

About

Playground for KubeCon 2022 101 session

kccnceu2022.sched.com/event/ytpK/digging-into-your-apps-container-image-layers-for-sneaky-vulnerabilities-pablo-galego-vmware?iframe=no

Resources

Readme
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Languages