ConPan: A Tool to Analyze Packages in Software Containers
•
0 j'aime•29 vues
This was given in MSR 2019 in Montreal co-located with ICSE
Recommandé
Recommandé
Contenu connexe
Similaire à ConPan: A Tool to Analyze Packages in Software Containers
Similaire à ConPan: A Tool to Analyze Packages in Software Containers (20)
Plus de Ahmed Zerouali
Plus de Ahmed Zerouali (16)
Dernier
Dernier (20)
ConPan: A Tool to Analyze Packages in Software Containers
- 1. ConPan: A Tool to Analyze Packages in Software Containers Ahmed Zerouali, Valerio Cosentino, Jesus Gonzalez Barahona, Gregorio Robles, Tom Mens Mining Software Repositories 2019 Montreal, QC, Canada - May 26-27, 2019
- 2. Motivation: Security vulnerabilities are main barrier to container adoption in production environments
- 3. Motivation: Security vulnerabilities are main barrier to container adoption in production environments
- 4. Motivation: Other main concerns for container adoption • Dependencies (required packages) • Bugs in third-party software • Outdated third-party software
- 5. Available tools scanning Docker images
- 6. “Systems with a low dependency freshness are more than four times as likely to contain security issues in these dependencies.” J. Cox et al. “Measuring Dependency Freshness in Software Systems”, ICSE 2015. "The number of vulnerabilities is moderately correlated with the number of outdated packages in a container” A. Zerouali, et al. “On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs”, Saner 2019. Are there any tools that combine information about outdatedness and security vulnerabilities? Motivation: Outdatedness causes Security vulnerabilities
- 7. ConPAn: ‘Container Packages Analyzer’
- 8. ConPan Installation: $ git clone https://github.com/neglectos/ConPan $ python3 setup.py build $ python3 setup.py install
- 9. ConPan in action: # Call ConPan from command line $ conpan -p debian -c <Docker image> -d path/to/data Example: $ conpan -p debian -c google/mysql -d /ConPan/data/debian/
- 10. ConPan in action: # Call ConPan from command line $ conpan -p debian -c <Docker image> -d path/to/data Example: $ conpan -p debian -c google/mysql -d /ConPan/data/debian/
- 11. ConPan in action: # Call ConPan from API
- 12. ConPan in action: # Call ConPan from API -> Results
- 13. ConPan in action: # Call ConPan from API -> Results
Notes de l'éditeur
- So, In June 2015, ClusterHQ asked enterprises “What are the biggest barriers to putting containers in a production environment?” a higher percentage of more than >60% candidate enterprises said that security was the #1 barrier to putting containers in a production environment.
- After some time, In August 2015, FlawCheck and one of our partners, surveyed enterprises asking which piece of the security equation was their top concern about running containers in production environments. At 42%, Vulnerabilities & Malware in container workloads was the top container security concern among those surveyed.
- Moreover, later, in 2017, a survey by Anchore.io focused on the landscape of practices being deployed by container users [1]. One of the questions was: “Other than security, what are the other checks that you perform before running application containers?” The top answers related to software package were: required packages (∼ 40% of the answers); presence of bugs in major third-party software (∼ 33%); and verifying whether third party software versions are up-to-date (∼ 27%)
- Most of the tools available today, they are commercial ( not free) tools that provide information about security vulnerabilities about packages installed in docker containers but they don’t provide information about how outdated packages are. How many versions they are missing and how much they are lagging behind the latest version.
- In fact, it has been shown that the number of software vulnerabilities is related with how outdated this software is. More outdated dependencies have more vulnerabilities. Moreover, are there any tools that provide information about other kind of bugs, other than security bugs.
- For this reason, we have developed ConPan. A python utility that helps to anlayze packages installed in Docker containers. The overall structure of ConPan is summarized in the figure. Its core is composed by five tasks, which consists of: (i) pulling and running Docker images; (ii) identifying the installed packages; (iii) tracking them back to their package managers; (iv) searching for their known vulnerability reports or other reported bugs and quality issues; (v) reporting the results in a specific output format. ConPan also provides general information about the analysed Docker Hub image, fetched from the Docker Hub registry using its API.
- To install conpan