ConPan: A Tool to Analyze Packages in Software Containers
Ahmed Zerouali, Valerio Cosentino,
Jesus Gonzalez Barahona, Gregorio Robles,
Tom Mens
Mining Software Repositories 2019
Montreal, QC, Canada - May 26-27, 2019
“Systems with a low dependency freshness are more than four times as likely to contain security issues in these dependencies.”
J. Cox et al. “Measuring Dependency Freshness in Software Systems”, ICSE 2015.
“The number of vulnerabilities is moderately correlated with the number of outdated packages in a container.”
A. Zerouali et al. “On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs”, SANER 2019.
Are there any tools that combine information about outdatedness and security vulnerabilities?
Motivation: Outdatedness causes Security vulnerabilities
In June 2015, ClusterHQ asked enterprises “What are the biggest barriers to putting containers in a production environment?” More than 60% of the surveyed enterprises said that security was the #1 barrier to putting containers in a production environment.
Later, in August 2015, FlawCheck and one of our partners surveyed enterprises, asking which piece of the security equation was their top concern about running containers in production environments. At 42%, vulnerabilities and malware in container workloads was the top container security concern among those surveyed.
Moreover, in 2017, a survey by Anchore.io focused on the landscape of practices deployed by container users [1]. One of the questions was: “Other than security, what are the other checks that you perform before running application containers?” The top answers related to software packages were: required packages (∼40% of the answers); presence of bugs in major third-party software (∼33%); and verifying whether third-party software versions are up to date (∼27%).
Most of the tools available today are commercial (not free) tools that provide information about security vulnerabilities in packages installed in Docker containers, but they do not provide information about how outdated those packages are: how many versions they are missing and how far they lag behind the latest version.
In fact, it has been shown that the number of software vulnerabilities is related to how outdated the software is: more outdated dependencies have more vulnerabilities.
Moreover, are there any tools that provide information about other kinds of bugs, beyond security bugs?
For this reason, we have developed ConPan, a Python utility that helps to analyze packages installed in Docker containers.
The overall structure of ConPan is summarized in the figure. Its core is composed of five tasks:
(i) pulling and running Docker images;
(ii) identifying the installed packages;
(iii) tracking them back to their package managers;
(iv) searching for their known vulnerability reports or other reported bugs and quality issues;
(v) reporting the results in a specific output format.
ConPan also provides general information about the analysed Docker Hub image, fetched from the Docker Hub registry using its API.
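As an added illustration of tasks (ii) to (v), and not ConPan's own code, the following Python sketch joins a constructed list of installed packages with a constructed version history and vulnerability list, reporting how many versions each package is behind and which known reports affect it. Every dataset, package version and vulnerability identifier below is invented for the example; the extra `latest_unaffected` check (whether updating to the newest version would actually escape the reported issues) is an assumption about what a practitioner would want, not a ConPan feature.

```python
# Constructed sample: output of `dpkg-query -W -f '${Package} ${Version}\n'`
# from inside the container (task ii); "mytool" is not in any package manager.
INSTALLED = """openssl 1.1.1a-1
curl 7.64.0-1
libxml2 2.9.4+dfsg1-7
mytool 0.1
"""

# Constructed sample: version history per package, oldest to newest, as the
# package manager would report it (task iii).
VERSION_HISTORY = {
    "openssl": ["1.1.0j-1", "1.1.1a-1", "1.1.1b-1", "1.1.1c-1"],
    "curl": ["7.64.0-1"],
    "libxml2": ["2.9.4+dfsg1-7", "2.9.4+dfsg1-8"],
}

# Constructed sample: vulnerability reports with affected versions (task iv).
# The identifiers are placeholders, not real advisories.
VULNERABILITIES = {
    "openssl": [{"id": "VULN-EXAMPLE-1", "affected": ["1.1.0j-1", "1.1.1a-1"]}],
    "libxml2": [{"id": "VULN-EXAMPLE-2", "affected": ["2.9.4+dfsg1-7", "2.9.4+dfsg1-8"]}],
}


def parse_installed(text):
    """Turn 'name version' lines into a {name: version} mapping."""
    return dict(line.split(maxsplit=1) for line in text.splitlines() if line.strip())


def analyze(installed, history=VERSION_HISTORY, vulns=VULNERABILITIES):
    """Join installed packages with version history and vulnerability reports (task v)."""
    rows = []
    for name, version in installed.items():
        known = history.get(name, [])
        latest = known[-1] if version in known else None  # None: not in a package manager
        behind = len(known) - 1 - known.index(version) if latest else None  # versions missed
        reports = vulns.get(name, [])
        hits = [r["id"] for r in reports if version in r["affected"]]
        # Updating only helps when the latest version is itself unaffected (None if unknown).
        clean = None if latest is None else not any(latest in r["affected"] for r in reports)
        rows.append({"package": name, "installed": version, "latest": latest,
                     "versions_behind": behind, "vulnerabilities": hits,
                     "latest_unaffected": clean})
    return rows


if __name__ == "__main__":
    for row in analyze(parse_installed(INSTALLED)):
        print(row)
```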