Analyzing vulnerabilities in container images and more

Log4J is one of the most widely used Java libraries out there. It is developed and maintained by the Apache Foundation and is used by many products and other packages to log messages, so when its vulnerability was published we all knew it was going to be one of the biggest sources of exploits ever.

The exploit is very well described here; it can be triggered remotely by an unauthenticated adversary to execute arbitrary code (remote code execution, RCE).

The vulnerability affecting Log4J, identified as CVE-2021-44228, like many other 0-day vulnerabilities, reminds us of the importance of implementing secure development practices as part of a DevSecOps strategy, one that takes into account not only our own code but also our whole software supply chain, especially when it comes to third-party packages.

In this post I'd like to introduce two of the best vulnerability scanners available as open source projects: grype and trivy. They can be used as part of your CI/CD pipelines, typically in the Static Application Security Testing (SAST) stage, or as stand-alone tools to be run whenever you need them.

Both are capable of analyzing any OCI-compliant image, including Docker images, as well as directories and language-specific packages (JARs, NPM, Wheel, etc.).

Grype

Grype is easy to install, just follow the instructions on its GitHub repository:

curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

It is also available as a Homebrew package.

To use it just execute:

grype <image>

This scans all of the image's layers, including those that come from the base image, which is especially useful when you want to secure your whole software supply chain. Let's scan a widely used image:

grype nginx:1.21.4

✔ Vulnerability DB        [no update available]
✔ Loaded image
✔ Parsed image
✔ Cataloged packages      [143 packages]
✔ Scanned image           [100 vulnerabilities]

On every scan Grype updates its local vulnerability database as needed and downloads the image to be scanned.

As described in its documentation, this tool supports different output formats and you can also specify templates for the output. I find the template to export data in CSV format (csv.tmpl) very useful:

"Package","Version Installed","Vulnerability ID","Severity"
{{- range .Matches}}
"{{.Artifact.Name}}","{{.Artifact.Version}}","{{.Vulnerability.ID}}","{{.Vulnerability.Severity}}"
{{- end}}

This can be used by executing:

grype nginx:1.21.4 -o template -t csv.tmpl > results.csv

There are several options when working with Grype, such as specifying matches to ignore or making the scan fail on a given severity (useful for CI/CD pipelines).
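As an added example (not from the original post nor from the grype project), the following POSIX shell script gates a pipeline on the CSV that the csv.tmpl template produces: it assumes the template's four columns and constructs sample rows inline instead of calling grype.

```shell
#!/bin/sh
# Gate a CI job on the CSV that grype's csv.tmpl template produces.
# Real use: grype nginx:1.21.4 -o template -t csv.tmpl > results.csv
# The rows below are constructed here in that template's column layout.
sample_results() {
  cat <<'EOF'
"Package","Version Installed","Vulnerability ID","Severity"
"apt","2.2.4","CVE-2011-3374","Low"
"curl","7.74.0-1.3+deb11u1","CVE-2021-22945","Critical"
"curl","7.74.0-1.3+deb11u1","CVE-2021-22946","High"
"curl","7.74.0-1.3+deb11u1","CVE-2021-22947","Medium"
EOF
}

# severity_rank NAME -> prints a number so severities can be compared.
severity_rank() {
  case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
    CRITICAL) echo 4 ;;
    HIGH)     echo 3 ;;
    MEDIUM)   echo 2 ;;
    LOW)      echo 1 ;;
    *)        echo 0 ;;   # Negligible/Unknown never trip the gate
  esac
}

# count_at_or_above FILE THRESHOLD -> prints how many rows are at or above
# THRESHOLD. Splitting on '","' keeps commas inside version strings intact.
count_at_or_above() {
  awk -F'","' -v min="$(severity_rank "$2")" '
    BEGIN { r["CRITICAL"] = 4; r["HIGH"] = 3; r["MEDIUM"] = 2; r["LOW"] = 1 }
    NR > 1 {                              # skip the header row
      sev = toupper($4); gsub(/"/, "", sev)   # drop the closing quote
      if (min > 0 && r[sev] >= min) n++
    }
    END { print n + 0 }' "$1"
}

# gate FILE THRESHOLD -> returns 1 (fail the pipeline) when any finding is
# at or above THRESHOLD, otherwise 0. Example: gate results.csv High
gate() {
  hits=$(count_at_or_above "$1" "$2")
  if [ "$hits" -gt 0 ]; then
    echo "FAIL: $hits finding(s) at or above $2 in $1" >&2
    return 1
  fi
  echo "PASS: no findings at or above $2 in $1"
}
```

Run it as `. ./gate.sh && gate results.csv High` after the grype command above; the non-zero status is what makes the CI stage fail.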

Trivy

Trivy can be installed on several Linux distributions, like Debian/Ubuntu, RHEL/CentOS or Arch. It is also available through Homebrew and as a Docker image; I will use the latter as it is the most portable option:

docker pull aquasec/trivy:0.21.3

To scan your image, just run:

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
aquasec/trivy:0.21.3 <image>

To follow the same example I used before:

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
aquasec/trivy:0.21.3 nginx:1.21.4

Like Grype, Trivy also updates its vulnerability database on each run, and its output format is quite nice, as we can see here:

nginx:1.21.4 (debian 11.2)
==========================
Total: 98 (UNKNOWN: 0, LOW: 83, MEDIUM: 5, HIGH: 6, CRITICAL: 4)

+------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION  | FIXED VERSION |                  TITLE                  |
+------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| apt              | CVE-2011-3374    | LOW      | 2.2.4              |               | It was found that apt-key in apt,       |
|                  |                  |          |                    |               | all versions, do not correctly...       |
|                  |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2011-3374    |
+------------------+------------------+          +--------------------+---------------+-----------------------------------------+
| coreutils        | CVE-2016-2781    |          | 8.32-4             |               | coreutils: Non-privileged               |
|                  |                  |          |                    |               | session can escape to the               |
|                  |                  |          |                    |               | parent session in chroot                |
|                  |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2016-2781    |
+                  +------------------+          +                    +---------------+-----------------------------------------+
|                  | CVE-2017-18018   |          |                    |               | coreutils: race condition               |
|                  |                  |          |                    |               | vulnerability in chown and chgrp        |
|                  |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2017-18018   |
+------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| curl             | CVE-2021-22945   | CRITICAL | 7.74.0-1.3+deb11u1 |               | curl: use-after-free and                |
|                  |                  |          |                    |               | double-free in MQTT sending             |
|                  |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2021-22945   |
+                  +------------------+----------+                    +---------------+-----------------------------------------+
|                  | CVE-2021-22946   | HIGH     |                    |               | curl: Requirement to use                |
|                  |                  |          |                    |               | TLS not properly enforced               |
|                  |                  |          |                    |               | for IMAP, POP3, and...                  |
|                  |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2021-22946   |
+                  +------------------+----------+                    +---------------+-----------------------------------------+
|                  | CVE-2021-22947   | MEDIUM   |                    |               | curl: Server responses                  |

...