CoreOS has released as open source a technology that can scan the contents of containers for security vulnerabilities. The company has also added this functionality, which it developed in-house, to its Quay private container registry as a beta feature.
The software, called Clair, compares the contents of a container against a number of Linux distribution-specific CVE databases (currently those maintained by Red Hat, Ubuntu, and Debian). It then alerts the user if any of the software within the containers has known vulnerabilities. It also has a set of APIs, allowing the scanning service to be incorporated into larger automated detection and alerting processes.
“We believe that providing the list of vulnerabilities that affect containers and sending notifications as soon as a new vulnerability is released is a significant help and a step forward for better security,” wrote CoreOS software engineer Quentin Machu, in an e-mail. “Using these distribution-specific sources gives us confidence that Clair can take into consideration all the different package implementations and backports without ever reporting anything possibly inaccurate.”
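The distribution-specific matching described in the two paragraphs above, as an added example that is not Clair's own code: a small Python checker that compares the packages found in an image against a release-specific feed using dpkg's version ordering, alongside the upstream-only comparison a distro-unaware scanner would make. All package, feed and version data below is constructed, and `CVE-0000-EXAMPLE` is a placeholder identifier; it shows that the backported OpenSSL fix is reported correctly only when the fixed version comes from the distribution's own data.

```python
# Added example, not Clair's code. All data here is constructed for illustration.
INSTALLED = {"openssl": "1.0.1e-2+deb7u20", "bash": "4.2+dfsg-0.1"}  # as read from an image's dpkg status
FEED = {  # constructed feed shaped like a distro security tracker: CVE -> release -> package -> fixed version
    "CVE-2014-0160": {"debian:7": {"openssl": "1.0.1e-2+deb7u5"}},
    "CVE-0000-EXAMPLE": {"debian:7": {"bash": "4.2+dfsg-0.1+deb7u1"}},  # placeholder CVE id
}
UPSTREAM_FIXED = {"CVE-2014-0160": {"openssl": "1.0.1g"}}  # constructed: upstream-only fix data, no backports

def _order(c):  # dpkg character weight: '~' sorts before everything, even the end of the string
    return -1 if c == "~" else 0 if c == "" or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare one upstream or revision string as dpkg does: alternating non-digit and numeric runs."""
    ch = lambda s, k: s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            d = _order(ch(a, i)) - _order(ch(b, j))
            if d: return d
            i, j = i + 1, j + 1
        while ch(a, i) == "0": i += 1   # leading zeros carry no weight
        while ch(b, j) == "0": j += 1
        first_diff = 0
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if ch(a, i).isdigit() or ch(b, j).isdigit():   # the longer numeric run is the larger number
            return 1 if ch(a, i).isdigit() else -1
        if first_diff: return first_diff
    return 0

def _parse(v):  # split [epoch:]upstream[-revision]
    epoch, v = (int(v.split(":", 1)[0]), v.split(":", 1)[1]) if ":" in v else (0, v)
    return (epoch, *v.rsplit("-", 1)) if "-" in v else (epoch, v, "")

def compare_versions(v1, v2):
    """Return -1, 0 or 1, matching the ordering of `dpkg --compare-versions`."""
    (e1, u1, r1), (e2, u2, r2) = _parse(v1), _parse(v2)
    d = (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)
    return (d > 0) - (d < 0)

def scan(installed, feed, release):
    """Distro-aware: flag a package only if it is older than that release's own fixed version."""
    return sorted((cve, pkg, installed[pkg]) for cve, rel in feed.items()
                  for pkg, fixed in rel.get(release, {}).items()
                  if pkg in installed and compare_versions(installed[pkg], fixed) < 0)

def naive_upstream_scan(installed, upstream_fixed):
    """Distro-unaware: compares the bare upstream version, so a backported fix still looks vulnerable."""
    return sorted((cve, pkg, installed[pkg]) for cve, pkgs in upstream_fixed.items()
                  for pkg, fixed in pkgs.items()
                  if pkg in installed and compare_versions(_parse(installed[pkg])[1], fixed) < 0)
```

Run against the constructed image, `scan` reports only the unpatched bash package, while `naive_upstream_scan` raises a false positive for the OpenSSL build that already carries the Debian backport.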
Vulnerabilities within containers are a real problem. For instance, the infamous Heartbleed bug, CVE-2014-0160, is still present in 80 percent of the Docker images stored on Quay, according to CoreOS.
Keep in mind that Clair can't yet identify vulnerabilities that depend on chains of interdependent software. “For example, Heartbleed only matters as a threat if the vulnerable OpenSSL package is installed and being used. Clair isn’t suited for that level of analysis and teams should still undergo deeper analysis as required,” Machu wrote, in a blog post announcing the new software.
Also keep in mind that Clair does not update the vulnerable package; that job remains the responsibility of the developer. Interestingly enough, such a capability would be possible, though it would probably wreak havoc. “Quay could technically patch the containers but it would be really delicate as only the developer has the knowledge about their packages and dependencies,” Machu wrote, in the e-mail.
In any case, “Updating is a straightforward and simple step for the container maintainer,” he wrote.
Quay users can now test this feature, called Quay Security Scanning and currently in beta, against their own repositories.
“In practice, every time an image is pushed into Quay, the analysis system will check for vulnerabilities, flag it in the interface, and send a notification,” wrote CoreOS software engineer Joey Schorr, in a separate blog post. “It will include a level of the vulnerability — high, medium or low — with a description and packages that are installed. A link is included to the vulnerability’s source information, which generally includes steps required to patch the vulnerability.”
CoreOS will be demonstrating Clair and its use in Quay at the DockerCon EU conference next week in Barcelona.
CoreOS is a sponsor of The New Stack.