
ConPan: Analysing Packages Installed in Docker Containers


Demonstration of the ConPan tool for analysing outdated packages and their security vulnerabilities in Docker containers. Developed by Ahmed Zerouali, Software Engineering Lab, University of Mons. In collaboration with Universidad Rey Juan Carlos and Bitergia, Madrid, Spain. Presented by Tom Mens at the MSR 2019 International Conference on Mining Software Repositories, May 2019, Montréal, Canada.


  1. ConPan: Analyzing Packages Installed in Docker Containers. Ahmed Zerouali, Valerio Cosentino, Jesus Gonzalez-Barahona, Gregorio Robles, Tom Mens. Int'l Conf. Mining Software Repositories (MSR), Montreal, QC, Canada, May 26-27, 2019
  2. Docker containers
     ● are isolated bundles of software packages
     ● facilitate deploying software applications in production environments
     ● are created by combining and modifying images from public (official or community) repositories
  3. Motivation: Security vulnerabilities are the main barrier to container adoption (ClusterHQ, June 2015)
  4. Motivation: Security vulnerabilities are the main barrier to container adoption (FlawCheck, August 2015)
  5. Commercial tools for scanning Docker images
  6. Commercial tools for scanning Docker images
  7. Outdatedness causes security vulnerabilities
     "Systems with a low dependency freshness are more than four times as likely to contain security issues in these dependencies." ("Measuring Dependency Freshness in Software Systems", Cox et al., ICSE 2015)
     "The number of vulnerabilities is moderately correlated with the number of outdated packages in a container." ("On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs", A. Zerouali et al., SANER 2019)
  8. ConPan (Container Packages Analyzer). Goal: combine information about outdatedness and security vulnerabilities
  9. ConPan installation
     $ git clone https://github.com/neglectos/ConPan
     $ cd ConPan
     $ python3 setup.py build
     $ python3 setup.py install
  10. ConPan in action, through the command-line interface:
     $ conpan -p debian -c <Docker image> -d path/to/data
     Example:
     $ conpan -p debian -c google/mysql -d /ConPan/data/debian/
  11. ConPan in action, through the API:
  12. ConPan in action, through the API:
  13. ConPan in action, through the API:

Editor's Notes

  • So, in June 2015, ClusterHQ asked enterprises "What are the biggest barriers to putting containers in a production environment?" More than 60% of the enterprises surveyed said that security was the #1 barrier to putting containers in a production environment.
  • After some time, in August 2015, FlawCheck and one of our partners surveyed enterprises asking which piece of the security equation was their top concern about running containers in production environments.
    At 42%, vulnerabilities and malware in container workloads was the top container security concern among those surveyed.
  • Most of the tools available today are commercial (not free) tools that provide information about security vulnerabilities in packages installed in Docker containers, but they don't provide information about how outdated those packages are: how many versions they are missing and how far they lag behind the latest version.
  • In fact, it has been shown that the number of software vulnerabilities is related to how outdated the software is.
    More outdated dependencies have more vulnerabilities.

    Moreover, are there any tools that provide information about other kinds of bugs, beyond security bugs?
  • For this reason, we have developed ConPan, a Python utility that helps to analyze packages installed in Docker containers.

    The overall structure of ConPan is summarized in the figure. Its core is composed of five tasks:
    (i) pulling and running Docker images;
    (ii) identifying the installed packages;
    (iii) tracking them back to their package managers;
    (iv) searching for their known vulnerability reports or other reported bugs and quality issues;
    (v) reporting the results in a specific output format.
    ConPan also provides general information about the analysed Docker Hub image, fetched from the Docker Hub registry using its API.
  • To install ConPan, see the commands on slide 9.