On the Relation between Outdated Docker
Containers, Severity Vulnerabilities, and Bugs
Ahmed Zerouali, Tom Mens,
Gregorio Robles, Jesus Gonzalez Barahona
IEEE Int’l Conf. Software Analysis, Evolution and Reengineering
Hangzhou, China February 24-27, 2019
On the Impact of Outdated and Vulnerable
Javascript Packages in Docker Images
Ahmed Zerouali, Valerio Cosentino, Tom Mens,
Gregorio Robles, Jesus Gonzalez Barahona
IEEE Int’l Conf. Software Analysis, Evolution and Reengineering
Hangzhou, China February 24-27, 2019
About Docker containers
● Containers are isolated bundles of software packages
● They are used to facilitate deploying software applications
● They are created by combining and modifying images from
public (official or community) repositories
● Docker is one of the main tools for containerisation
Motivation: Security vulnerabilities are the main barrier to container adoption in production environments
Motivation: Security vulnerabilities in npm JavaScript
“1 out of 3 dependent npm packages never update their dependency to a vulnerable npm package.”
A. Decan et al., “On the impact of security vulnerabilities in the npm package dependency network”, MSR 2018.
“37% of websites include a JavaScript library with a known open source vulnerability.”
T. Lauinger et al., “Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web”, NDSS 2017.
So what about Docker containers relying on npm packages?
Motivation: Other main concerns for container adoption
• Dependencies (required packages)
• Bugs in third-party software
• Outdated third-party software
Background: Technical Lag
Technical lag measures how outdated a software deployment (e.g. a deployed container)
is with respect to the ideal version of its bundled software packages.
The ideal version depends on the purpose of the deployment:
• latest available (most recent features)
• most stable (bug-free)
• most secure
• most compatible
• …
“A formal framework for measuring technical lag in
component repositories – and its application to npm.”
A. Zerouali, T. Mens, J. Gonzalez-Barahona,
A. Decan, E. Constantinou, G. Robles.
J. Software Evolution and Process, Wiley, February 2019
[Figure: timeline of a package's releases 1.0.1, 1.1.0, 1.2.1, 2.0.0, 2.1.0; the deployed container includes one of them and the ideal version is a later one, the distance between the two being the technical lag.]
Background: Technical Lag
Technical lag can be measured along several dimensions, as the difference between the included version and the ideal version in:
• ∆ time
• ∆ versions
• ∆ vulnerabilities
• ∆ bugs
Two Empirical Case Studies
containers based on Debian distributions
• 2453 images from official repositories
• 4927 images from community repositories
containers relying on npm Javascript packages
• 961 images from official repositories
Case Study 1: process and data sources
Package metadata: Debian Archive
Security vulnerabilities: Debian Security Tracker
Bugs: Ultimate Debian Database
Number of Docker images per Debian distribution:
                 Buster                 Stretch               Jessie
                 (Debian 10, Testing)   (Debian 9, Stable)    (Debian 8, Oldstable)
Official         150                    620                   1683
Community        86                     1248                  3593
Case Study 1: Research Questions
• How outdated are container packages?
• How vulnerable are container packages?
• To what extent do containers suffer from bugs in packages?
• How long do bugs and security vulnerabilities remain unfixed?
How outdated are container packages?
The majority of packages in Debian containers are up to date.
Debian Testing (Buster) images have more outdated packages.
Outdated packages in Debian containers tend to have a small technical lag.
Actionable result:
Container deployers should be aware that the optimal update frequency of their base images and installed packages depends on the base Debian version.
How vulnerable are container packages?
Nearly half of the vulnerabilities have no fix.
96% of containers are affected by vulnerabilities of all severity categories.
Lesson learned:
No release is devoid of vulnerabilities, so deployers cannot
avoid them even if they deploy the most recent packages.
The number of vulnerabilities depends on the Debian release, and is
moderately correlated with the number of outdated packages in a container.
Actionable result:
If you prefer stability over new features, use Stable and
Oldstable releases as they include the major bug fixes and
security updates.
To what extent do containers suffer from bugs in packages?
All containers have buggy packages. Half of all packages have bugs.
65% of all bugs have no fix.
The number of bugs depends on the Debian release, and is weakly correlated with the number of outdated packages in containers.
Actionable result:
Container deployers concerned with having as few bugs as possible should upgrade to the Testing release, at the expense of lower package stability.
How long do bugs and vulnerabilities remain unfixed?
High severity bugs are fixed much faster than other bugs.
High/medium severity vulnerabilities are fixed faster than low ones.
[Figures: bug survival analysis; vulnerability survival analysis]
Actionable result:
Continuous monitoring: Container deployers should be aware of
new available versions of their installed packages that fix severe
vulnerabilities and important bugs.
Case Study 2: data sources
Package metadata: Libraries.io
Security vulnerabilities: Snyk.io vulnerability database (1099 vulnerability reports)
Case Study 2: Research Questions
• How outdated are npm packages in Docker images?
• How vulnerable are npm packages in Docker images?
How outdated are npm packages in Docker images?
At the time of the image's last update, even the outdated npm packages were close to up to date:
median version lag = 1 patch.
At the date of the analysis (March 13th 2018):
median version lag = 1 major + 1 minor + 4 patch.
Docker deployers that use old Node.js images might be missing updates.
How vulnerable are npm packages in Docker images?
Older images are more likely to have important vulnerabilities due to outdated npm packages.
[Figure: number of high and medium severity vulnerabilities per image (0 to 20) plotted against the image's last update date, 2014-05 to 2018-03.]
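As an added example that is not part of the deck or of the authors' tooling, serving both the "Background: Technical Lag" definition and the two npm results above: three of the deck's four deltas (∆ versions, ∆ time, ∆ vulnerabilities; npm has no central bug database comparable to Debian's UDD, so ∆ bugs is left out) computed for a small constructed set of npm dependencies against the "latest available" ideal at a chosen date, so that the same installed version shows a small lag at the image's last update and a large one at a later analysis date. Package names, release histories and advisories are constructed; the rule for classing each missed release as major, minor or patch (by the highest version component that changed from the previous release) is an assumption chosen to reproduce the deck's "1 major + 1 minor + 4 patch" form, and prerelease ordering is ignored.

```python
"""Added example (not code from the deck or the authors' tooling): technical lag of the npm packages
in an image, measured as version lag, time lag and vulnerability lag against the "latest available"
ideal at a given date. Release histories, advisories and installed versions are constructed; the rule
that classes each missed release as major/minor/patch by the highest component that changed from the
previous release is an assumption, chosen to give results in the deck's "1 major + 1 minor + 4 patch"
form. Prerelease tags are ignored."""
from datetime import date

# Constructed release histories: package -> [(version, release date)], oldest first. Placeholder names.
RELEASES = {
    "example-http": [("1.0.0", date(2016, 1, 10)), ("1.0.1", date(2016, 2, 2)), ("1.0.2", date(2016, 3, 15)),
                     ("1.1.0", date(2016, 6, 1)), ("1.1.1", date(2016, 7, 20)), ("2.0.0", date(2017, 1, 5)),
                     ("2.0.1", date(2017, 2, 14))],
    "example-tpl": [("3.2.0", date(2017, 5, 1)), ("3.2.1", date(2017, 9, 9))],
}
# Constructed advisories in the shape of a Snyk-style entry: affected range plus severity.
ADVISORIES = [
    {"package": "example-http", "severity": "high", "vulnerable": "<1.1.1"},
    {"package": "example-http", "severity": "medium", "vulnerable": ">=2.0.0 <2.0.1"},
    {"package": "example-tpl", "severity": "low", "vulnerable": "<3.2.1"},
]
# What the image ships, as `npm ls --json` would list it (constructed).
INSTALLED = {"example-http": "1.0.0", "example-tpl": "3.2.1"}


def parse_semver(v):
    """'v1.2.3-beta+build' -> (1, 2, 3); prerelease and build metadata are dropped."""
    core = v.lstrip("v").split("+", 1)[0].split("-", 1)[0]
    major, minor, patch = (core.split(".") + ["0", "0"])[:3]
    return int(major), int(minor), int(patch)


def satisfies(version, range_expr):
    """True if version lies in a space-separated conjunction of comparators, e.g. '>=2.0.0 <2.0.1'."""
    for clause in range_expr.split():
        op = clause.rstrip("0123456789.v")
        target = parse_semver(clause[len(op):])
        checks = {"<": version < target, "<=": version <= target, ">": version > target,
                  ">=": version >= target, "=": version == target, "": version == target}
        if op not in checks:
            raise ValueError(f"unsupported comparator in {clause!r}")
        if not checks[op]:
            return False
    return True


def version_lag(installed, history, ideal):
    """Releases missed between installed and ideal, counted as major/minor/patch releases."""
    lo, hi = parse_semver(installed), parse_semver(ideal)
    versions = [parse_semver(v) for v, _ in history]
    lag = {"major": 0, "minor": 0, "patch": 0}
    for prev, cur in zip(versions, versions[1:]):
        if lo < cur <= hi:
            lag["major" if cur[0] != prev[0] else "minor" if cur[1] != prev[1] else "patch"] += 1
    return lag


def time_lag_days(installed, history, ideal):
    """Days between the installed release and the ideal one."""
    released = dict(history)
    return (released[ideal] - released[installed]).days


def vulnerability_lag(package, installed, ideal, advisories=ADVISORIES):
    """Advisories hitting the installed version that the ideal version escapes, by severity."""
    lo, hi = parse_semver(installed), parse_semver(ideal)
    exposed = {}
    for adv in advisories:
        if adv["package"] == package and satisfies(lo, adv["vulnerable"]) and not satisfies(hi, adv["vulnerable"]):
            exposed[adv["severity"]] = exposed.get(adv["severity"], 0) + 1
    return exposed


def technical_lag(installed, as_of, releases=RELEASES):
    """Lag of each installed package against the latest release published on or before `as_of` (ISO date)."""
    cutoff = date.fromisoformat(as_of)
    report = {}
    for pkg, version in installed.items():
        history = [(v, d) for v, d in releases[pkg] if d <= cutoff]
        if version not in dict(history):
            raise ValueError(f"{pkg} {version} was not released by {as_of}")
        ideal = history[-1][0]  # ideal = latest available, the deck's first notion of "ideal"
        report[pkg] = {"installed": version, "ideal": ideal,
                       "version_lag": version_lag(version, history, ideal),
                       "time_lag_days": time_lag_days(version, history, ideal),
                       "vulnerabilities": vulnerability_lag(pkg, version, ideal)}
    return report


if __name__ == "__main__":
    for pkg, row in technical_lag(INSTALLED, "2018-03-13").items():  # the deck's analysis date
        print(pkg, row)
```

Calling `technical_lag` with the image's last-update date instead of the analysis date is the comparison the slides make: the same `example-http 1.0.0` lags two patches in March 2016 and a major, a minor and four patches in March 2018. The ranges use only the comparator syntax shown; real Snyk or npm advisories also use `^`, `~` and `||`, which a production checker should hand to a proper semver implementation such as `node-semver`.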
Conclusion
Analysis of Debian and npm packages in Docker containers.
- All images have packages with vulnerabilities and bugs.
- Using third-party (npm) packages is a source of bugs and
vulnerabilities.
- Old images have more outdated packages.
- The more outdated packages the higher the risk of vulnerabilities.
- Docker deployers need to use package analysis and monitoring tools.

 
SecoHealth 2019 Research Achievements
SecoHealth 2019 Research AchievementsSecoHealth 2019 Research Achievements
SecoHealth 2019 Research Achievements
 
SECO-Assist 2019 research seminar
SECO-Assist 2019 research seminarSECO-Assist 2019 research seminar
SECO-Assist 2019 research seminar
 
On the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npmOn the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npm
 
"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talk"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talk
 
On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency network
 
SoHeal 2018 Welcome Slides: First International Workshop on Software Health
SoHeal 2018 Welcome Slides: First International Workshop on Software HealthSoHeal 2018 Welcome Slides: First International Workshop on Software Health
SoHeal 2018 Welcome Slides: First International Workshop on Software Health
 
Software Ecosystems = Big Data
Software Ecosystems = Big DataSoftware Ecosystems = Big Data
Software Ecosystems = Big Data
 

Recently uploaded

Production technology of Brinjal -Solanum melongena
Production technology of Brinjal -Solanum melongenaProduction technology of Brinjal -Solanum melongena
Production technology of Brinjal -Solanum melongenajana861314
 
BACTERIAL SECRETION SYSTEM by Dr. Chayanika Das
BACTERIAL SECRETION SYSTEM by Dr. Chayanika DasBACTERIAL SECRETION SYSTEM by Dr. Chayanika Das
BACTERIAL SECRETION SYSTEM by Dr. Chayanika DasChayanika Das
 
AICTE activity on Water Conservation spreading awareness
AICTE activity on Water Conservation spreading awarenessAICTE activity on Water Conservation spreading awareness
AICTE activity on Water Conservation spreading awareness1hk20is002
 
Think Science: What Are Eclipses, by Craig Bobchin
Think Science: What Are Eclipses, by Craig BobchinThink Science: What Are Eclipses, by Craig Bobchin
Think Science: What Are Eclipses, by Craig BobchinNathan Cone
 
Presentation about adversarial image attacks
Presentation about adversarial image attacksPresentation about adversarial image attacks
Presentation about adversarial image attacksKoshinKhodiyar
 
Speed Breeding in Vegetable Crops- innovative approach for present era of cro...
Speed Breeding in Vegetable Crops- innovative approach for present era of cro...Speed Breeding in Vegetable Crops- innovative approach for present era of cro...
Speed Breeding in Vegetable Crops- innovative approach for present era of cro...jana861314
 
Food_safety_Management_pptx.pptx in microbiology
Food_safety_Management_pptx.pptx in microbiologyFood_safety_Management_pptx.pptx in microbiology
Food_safety_Management_pptx.pptx in microbiologyHemantThakare8
 
6.2 Pests of Sesame_Identification_Binomics_Dr.UPR
6.2 Pests of Sesame_Identification_Binomics_Dr.UPR6.2 Pests of Sesame_Identification_Binomics_Dr.UPR
6.2 Pests of Sesame_Identification_Binomics_Dr.UPRPirithiRaju
 
Timeless Cosmology: Towards a Geometric Origin of Cosmological Correlations
Timeless Cosmology: Towards a Geometric Origin of Cosmological CorrelationsTimeless Cosmology: Towards a Geometric Origin of Cosmological Correlations
Timeless Cosmology: Towards a Geometric Origin of Cosmological CorrelationsDanielBaumann11
 
CDS Fundamentals of digital communication system UNIT 1 AND 2.pdf
CDS Fundamentals of digital communication system UNIT 1 AND 2.pdfCDS Fundamentals of digital communication system UNIT 1 AND 2.pdf
CDS Fundamentals of digital communication system UNIT 1 AND 2.pdfshubhangisonawane6
 
Science (Communication) and Wikipedia - Potentials and Pitfalls
Science (Communication) and Wikipedia - Potentials and PitfallsScience (Communication) and Wikipedia - Potentials and Pitfalls
Science (Communication) and Wikipedia - Potentials and PitfallsDobusch Leonhard
 
Environmental acoustics- noise criteria.pptx
Environmental acoustics- noise criteria.pptxEnvironmental acoustics- noise criteria.pptx
Environmental acoustics- noise criteria.pptxpriyankatabhane
 
Pests of Sunflower_Binomics_Identification_Dr.UPR
Pests of Sunflower_Binomics_Identification_Dr.UPRPests of Sunflower_Binomics_Identification_Dr.UPR
Pests of Sunflower_Binomics_Identification_Dr.UPRPirithiRaju
 
Interpreting SDSS extragalactic data in the era of JWST
Interpreting SDSS extragalactic data in the era of JWSTInterpreting SDSS extragalactic data in the era of JWST
Interpreting SDSS extragalactic data in the era of JWSTAlexander F. Mayer
 
6.1 Pests of Groundnut_Binomics_Identification_Dr.UPR
6.1 Pests of Groundnut_Binomics_Identification_Dr.UPR6.1 Pests of Groundnut_Binomics_Identification_Dr.UPR
6.1 Pests of Groundnut_Binomics_Identification_Dr.UPRPirithiRaju
 
DETECTION OF MUTATION BY CLB METHOD.pptx
DETECTION OF MUTATION BY CLB METHOD.pptxDETECTION OF MUTATION BY CLB METHOD.pptx
DETECTION OF MUTATION BY CLB METHOD.pptx201bo007
 
Combining Asynchronous Task Parallelism and Intel SGX for Secure Deep Learning
Combining Asynchronous Task Parallelism and Intel SGX for Secure Deep LearningCombining Asynchronous Task Parallelism and Intel SGX for Secure Deep Learning
Combining Asynchronous Task Parallelism and Intel SGX for Secure Deep Learningvschiavoni
 

Recently uploaded (20)

Production technology of Brinjal -Solanum melongena
Production technology of Brinjal -Solanum melongenaProduction technology of Brinjal -Solanum melongena
Production technology of Brinjal -Solanum melongena
 
BACTERIAL SECRETION SYSTEM by Dr. Chayanika Das
BACTERIAL SECRETION SYSTEM by Dr. Chayanika DasBACTERIAL SECRETION SYSTEM by Dr. Chayanika Das
BACTERIAL SECRETION SYSTEM by Dr. Chayanika Das
 
AICTE activity on Water Conservation spreading awareness
AICTE activity on Water Conservation spreading awarenessAICTE activity on Water Conservation spreading awareness
AICTE activity on Water Conservation spreading awareness
 
Think Science: What Are Eclipses, by Craig Bobchin
Think Science: What Are Eclipses, by Craig BobchinThink Science: What Are Eclipses, by Craig Bobchin
Think Science: What Are Eclipses, by Craig Bobchin
 
Introduction Classification Of Alkaloids
Introduction Classification Of AlkaloidsIntroduction Classification Of Alkaloids
Introduction Classification Of Alkaloids
 
Presentation about adversarial image attacks
Presentation about adversarial image attacksPresentation about adversarial image attacks
Presentation about adversarial image attacks
 
Speed Breeding in Vegetable Crops- innovative approach for present era of cro...
Speed Breeding in Vegetable Crops- innovative approach for present era of cro...Speed Breeding in Vegetable Crops- innovative approach for present era of cro...
Speed Breeding in Vegetable Crops- innovative approach for present era of cro...
 
Food_safety_Management_pptx.pptx in microbiology
Food_safety_Management_pptx.pptx in microbiologyFood_safety_Management_pptx.pptx in microbiology
Food_safety_Management_pptx.pptx in microbiology
 
6.2 Pests of Sesame_Identification_Binomics_Dr.UPR
6.2 Pests of Sesame_Identification_Binomics_Dr.UPR6.2 Pests of Sesame_Identification_Binomics_Dr.UPR
6.2 Pests of Sesame_Identification_Binomics_Dr.UPR
 
Timeless Cosmology: Towards a Geometric Origin of Cosmological Correlations
Timeless Cosmology: Towards a Geometric Origin of Cosmological CorrelationsTimeless Cosmology: Towards a Geometric Origin of Cosmological Correlations
Timeless Cosmology: Towards a Geometric Origin of Cosmological Correlations
 
CDS Fundamentals of digital communication system UNIT 1 AND 2.pdf
CDS Fundamentals of digital communication system UNIT 1 AND 2.pdfCDS Fundamentals of digital communication system UNIT 1 AND 2.pdf
CDS Fundamentals of digital communication system UNIT 1 AND 2.pdf
 
Science (Communication) and Wikipedia - Potentials and Pitfalls
Science (Communication) and Wikipedia - Potentials and PitfallsScience (Communication) and Wikipedia - Potentials and Pitfalls
Science (Communication) and Wikipedia - Potentials and Pitfalls
 
Environmental acoustics- noise criteria.pptx
Environmental acoustics- noise criteria.pptxEnvironmental acoustics- noise criteria.pptx
Environmental acoustics- noise criteria.pptx
 
Bioenergetics and the role of ATP to drive the beats of life.
Bioenergetics and the role of ATP to drive the beats of life.Bioenergetics and the role of ATP to drive the beats of life.
Bioenergetics and the role of ATP to drive the beats of life.
 
Pests of Sunflower_Binomics_Identification_Dr.UPR
Pests of Sunflower_Binomics_Identification_Dr.UPRPests of Sunflower_Binomics_Identification_Dr.UPR
Pests of Sunflower_Binomics_Identification_Dr.UPR
 
Battery Reasearch Reagents from TCI Chemicals
Battery Reasearch Reagents from TCI ChemicalsBattery Reasearch Reagents from TCI Chemicals
Battery Reasearch Reagents from TCI Chemicals
 
Interpreting SDSS extragalactic data in the era of JWST
Interpreting SDSS extragalactic data in the era of JWSTInterpreting SDSS extragalactic data in the era of JWST
Interpreting SDSS extragalactic data in the era of JWST
 
6.1 Pests of Groundnut_Binomics_Identification_Dr.UPR
6.1 Pests of Groundnut_Binomics_Identification_Dr.UPR6.1 Pests of Groundnut_Binomics_Identification_Dr.UPR
6.1 Pests of Groundnut_Binomics_Identification_Dr.UPR
 
DETECTION OF MUTATION BY CLB METHOD.pptx
DETECTION OF MUTATION BY CLB METHOD.pptxDETECTION OF MUTATION BY CLB METHOD.pptx
DETECTION OF MUTATION BY CLB METHOD.pptx
 
Combining Asynchronous Task Parallelism and Intel SGX for Secure Deep Learning
Combining Asynchronous Task Parallelism and Intel SGX for Secure Deep LearningCombining Asynchronous Task Parallelism and Intel SGX for Secure Deep Learning
Combining Asynchronous Task Parallelism and Intel SGX for Secure Deep Learning
 

On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs

  • 1. On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs
     Ahmed Zerouali, Tom Mens, Gregorio Robles, Jesus Gonzalez Barahona
     IEEE Int’l Conf. Software Analysis, Evolution and Reengineering
     Hangzhou, China, February 24-27, 2019
  • 2. On the Impact of Outdated and Vulnerable Javascript Packages in Docker Images
     Ahmed Zerouali, Valerio Cosentino, Tom Mens, Gregorio Robles, Jesus Gonzalez Barahona
     IEEE Int’l Conf. Software Analysis, Evolution and Reengineering
     Hangzhou, China, February 24-27, 2019
  • 3. About Docker containers
     ● Containers are isolated bundles of software packages
     ● They are used to facilitate deploying software applications
     ● They are created by combining and modifying images from public (official or community) repositories
     ● Docker is one of the main tools for containerisation
  • 4. Motivation: Security vulnerabilities are the main barrier to container adoption in production environments
  • 5. Motivation: Security vulnerabilities are the main barrier to container adoption in production environments
  • 6. Motivation: Security vulnerabilities in npm JavaScript
     “1 out of 3 dependent npm packages never update their dependency to a vulnerable npm package.”
     A. Decan et al. “On the impact of security vulnerabilities in the npm package dependency network”, MSR 2018.
     “37% of websites include a JavaScript library with a known open source vulnerability.”
     T. Lauinger et al. "Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web", NDSS 2017.
     So what about Docker containers relying on npm packages?
  • 7. Motivation: Other main concerns for container adoption
     • Dependencies (required packages)
     • Bugs in third-party software
     • Outdated third-party software
  • 8. Background: Technical Lag
     Measures how outdated a software deployment (e.g. a deployed container) is with respect to the ideal version of its bundled software packages.
     The ideal version depends on the purpose of the deployment:
     • latest available (most recent features)
     • most stable (bug-free)
     • most secure
     • most compatible
     • …
     “A formal framework for measuring technical lag in component repositories – and its application to npm.” A. Zerouali, T. Mens, J. Gonzalez-Barahona, A. Decan, E. Constantinou, G. Robles. J. Software Evolution and Process, Wiley, February 2019.
  • 9. Background: Technical Lag
     [Figure: version timeline of a package (1.0.1, 1.1.0, 1.2.1, 2.0.0, 2.1.0) marking the version included in the deployed container and the ideal version]
     Technical lag = ∆ time, ∆ versions, ∆ vulnerabilities, ∆ bugs
  • 10. Two Empirical Case Studies
     Containers based on Debian distributions:
     • 2453 images from official repositories
     • 4927 images from community repositories
     Containers relying on npm Javascript packages:
     • 961 images from official repositories
  • 12. Case Study 1
     Type of data              Data source
     Package metadata          Debian Archive
     Security vulnerabilities  Debian Security Tracker
     Bugs                      Ultimate Debian Database
     # Docker images per Debian distribution:
     Distribution                    Official  Community
     Buster (Debian 10 / Testing)         150         86
     Stretch (Debian 9 / Stable)          620       1248
     Jessie (Debian 8 / Oldstable)       1683       3593
  • 13. Case Study 1: Research Questions
     How outdated are container packages?
     How vulnerable are container packages?
     To which extent do containers suffer from bugs in packages?
     How long do bugs and security vulnerabilities remain unfixed?
  • 14. How outdated are container packages?
     The majority of packages in Debian containers is up-to-date.
     Debian testing (Buster) images have more outdated packages.
  • 15. How outdated are container packages?
     Outdated packages in Debian containers tend to have a small technical lag.
     Actionable result: Container deployers should be aware that the optimal update frequency of their base images and installed packages depends on the base Debian version.
  • 16. How vulnerable are container packages?
     Nearly half of the vulnerabilities have no fix.
     96% of containers are affected by vulnerabilities of all severity categories.
     Lesson learned: No release is devoid of vulnerabilities, so deployers cannot avoid them even if they deploy the most recent packages.
  • 17. How vulnerable are container packages?
     The number of vulnerabilities depends on the Debian release, and is moderately correlated with the number of outdated packages in a container.
     Actionable result: If you prefer stability over new features, use the Stable and Oldstable releases, as they include the major bug fixes and security updates.
  • 18. To which extent do containers suffer from bugs in packages?
     All containers have buggy packages.
     Half of all packages have bugs.
     65% of all bugs have no fix.
  • 19. To which extent do containers suffer from bugs in packages?
     The number of bugs depends on the Debian release, and is weakly correlated with the number of outdated packages in containers.
     Actionable result: Container deployers concerned with having as few bugs as possible should upgrade to the Testing release, at the expense of having a lower package stability.
  • 20. How long do bugs and vulnerabilities remain unfixed?
     [Figures: bug survival analysis; vulnerability survival analysis]
     High severity bugs are fixed much faster than other bugs.
     High/medium severity vulnerabilities are fixed faster than low ones.
     Actionable result: Continuous monitoring: Container deployers should be aware of newly available versions of their installed packages that fix severe vulnerabilities and important bugs.
  • 21. Case Study 2
     Type of data              Data source
     Package metadata          Libraries.io
     Security vulnerabilities  Snyk.io vulnerability database (1099 vulnerability reports)
  • 22. Case Study 2: Research Questions
     How outdated are npm packages in Docker images?
     How vulnerable are npm packages in Docker images?
  • 23. How outdated are npm packages in Docker images?
     At the time of the image’s last update, outdated npm packages were mostly up to date.
     Median version lag = 1 patch
  • 24. How outdated are npm packages in Docker images?
     At the date of the analysis (March 13th 2018):
     Median version lag = 1 major + 1 minor + 4 patch
     Docker deployers that use old Node.js images might be missing updates.
  • 25. How vulnerable are npm packages in Docker images?
     [Figure: number of high and medium severity vulnerabilities per image, plotted against the image's last update date (2014-05 to 2018-03)]
     Older images are more likely to have important vulnerabilities due to outdated npm packages.
  • 26. Conclusion
     Analysis of Debian and npm packages in Docker containers.
     - All images have packages with vulnerabilities and bugs.
     - Using third-party (npm) packages is a source of bugs and vulnerabilities.
     - Old images have more outdated packages.
     - The more outdated packages, the higher the risk of vulnerabilities.
     - Docker deployers need to use package analysis and monitoring tools.
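To make the technical lag measurement of slides 8, 9, 23 and 24 concrete, here is an added example that is not the authors' tooling: for a constructed container and constructed package release histories, it computes the four lag dimensions named on slide 9 (∆ versions, ∆ time, ∆ vulnerabilities, ∆ bugs), once with the ideal version fixed at the image's last update and once at a later analysis date, as slides 23 and 24 do. The exact lag definitions used are assumptions stated in the docstrings, and all package names, dates and counts are made up.

```python
"""Technical lag of a container's packages in the four dimensions on the slides
(delta versions, time, vulnerabilities, bugs).  Added example with constructed
release data; it is not the study's own tooling."""
from dataclasses import dataclass
from datetime import date
from statistics import median

@dataclass(frozen=True)
class Release:
    version: str      # "major.minor.patch"
    released: date
    fixed_vulns: int  # vulnerability reports closed by this release
    fixed_bugs: int   # bug reports closed by this release

# Constructed release histories, oldest first; libfoo follows the version
# timeline drawn on the "Background: Technical Lag" slide (1.0.1 ... 2.1.0).
HISTORY = {
    "libfoo": [
        Release("1.0.1", date(2017, 1, 10), 0, 0),
        Release("1.1.0", date(2017, 6, 1), 1, 3),
        Release("1.2.1", date(2017, 11, 20), 2, 1),
        Release("2.0.0", date(2018, 2, 5), 0, 4),
        Release("2.1.0", date(2018, 3, 1), 1, 2),
    ],
    "libbar": [
        Release("0.9.0", date(2017, 3, 3), 0, 0),
        Release("0.9.1", date(2018, 1, 15), 0, 1),
    ],
}
CONTAINER = {"libfoo": "1.0.1", "libbar": "0.9.1"}  # constructed image content
IMAGE_LAST_UPDATE = date(2017, 12, 1)               # constructed
ANALYSIS_DATE = date(2018, 3, 13)                   # the date used on slide 24

def parse(v):
    return tuple(int(x) for x in v.split("."))

def bump_kind(prev, cur):
    """Classify a release by the highest semver component it changed."""
    for name, i in (("major", 0), ("minor", 1), ("patch", 2)):
        if parse(cur)[i] != parse(prev)[i]:
            return name
    return "patch"

def latest_at(pkg, on):
    """Ideal version under the 'latest available' policy as seen on date `on`."""
    return [r for r in HISTORY[pkg] if r.released <= on][-1].version

def technical_lag(pkg, deployed, ideal):
    """Lag of `deployed` w.r.t. `ideal`.  Assumed definitions: delta versions
    counts the skipped releases by the semver component each bumped; delta time
    is the gap between the two release dates; delta vulnerabilities and bugs are
    the reports fixed by the skipped releases, i.e. still present in the image."""
    hist = HISTORY[pkg]
    idx = {r.version: i for i, r in enumerate(hist)}
    missed = hist[idx[deployed] + 1:idx[ideal] + 1]   # empty when up to date
    versions = {"major": 0, "minor": 0, "patch": 0}
    prev = deployed
    for r in missed:
        versions[bump_kind(prev, r.version)] += 1
        prev = r.version
    days = (hist[idx[ideal]].released - hist[idx[deployed]].released).days
    return {"versions": versions, "days": max(0, days),
            "vulns": sum(r.fixed_vulns for r in missed),
            "bugs": sum(r.fixed_bugs for r in missed)}

def container_lag(installed, on):
    """Per-image summary as reported on the slides: share of up-to-date packages,
    median number of missed releases, and the vulnerabilities/bugs still present."""
    per_pkg = {p: technical_lag(p, v, latest_at(p, on)) for p, v in installed.items()}
    missed = [sum(lag["versions"].values()) for lag in per_pkg.values()]
    outdated = [m for m in missed if m > 0]
    return {"up_to_date_ratio": 1 - len(outdated) / len(per_pkg),
            "median_missed_releases": median(outdated) if outdated else 0,
            "vulns": sum(lag["vulns"] for lag in per_pkg.values()),
            "bugs": sum(lag["bugs"] for lag in per_pkg.values())}
```

Running `container_lag(CONTAINER, IMAGE_LAST_UPDATE)` and then `container_lag(CONTAINER, ANALYSIS_DATE)` shows the same image drifting from two missed minor releases to a missed major as the ideal version moves on, which is the effect slides 23 and 24 contrast.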

Editor's Notes

  1. In June 2015, ClusterHQ asked enterprises “What are the biggest barriers to putting containers in a production environment?” More than 60% of enterprises said that security was the #1 barrier to putting containers in a production environment.
  2. Later, in August 2015, FlawCheck and one of its partners surveyed enterprises, asking which piece of the security equation was their top concern about running containers in production environments. At 42%, vulnerabilities and malware in container workloads was the top container security concern among those surveyed. Later on, a 2016 survey by DevOps.com and RedMonk revealed that users who are most concerned by image security focused on scanning for simple Common Vulnerabilities and Exposures (CVE) on the operating system.
  3. Later, in 2017, a survey by Anchore.io focused on the landscape of practices deployed by container users [1]. One of the questions was: “Other than security, what are the other checks that you perform before running application containers?” The top answers related to software packages were: required packages (∼40% of the answers); presence of bugs in major third-party software (∼33%); and verifying whether third-party software versions are up-to-date (∼27%).
  5. To do so, we relied on the concept of technical lag, which was introduced as the difference between the software version that is deployed and the ideal version that is available but not deployed yet.
  6. For the first case study, we decided to work with Docker Hub images based on a Debian Linux distribution, because applications in them are usually installed using well-defined packages. We considered all official repositories. Of the 30,000+ community repositories, we only selected those with more than 500 pulls (i.e. the most popular ones). For the second case study, we selected 961 official repositories on Docker Hub in which we found npm Javascript packages.
  7. The overall process is: (1) identification of Docker Hub base images for Debian, defining our base set; (2) identification of Docker Hub images in our dataset, including those derived from the base set; (3) analysis of all those images, matching their packages to a historical archive of all Debian packages; and (4) identification of bug and vulnerability reports for those packages, based on a historical database with those details for Debian packages.
  8. The median proportion of up-to-date packages per container is 82%. For images updated during 2018, the median is even much higher: 98% of packages are up-to-date.
  9. Outdated packages are lagging behind by one version for Debian oldstable (Jessie) and stable (Stretch), and by two versions for Debian testing (Buster). This is expected because stable Debian packages are not updated frequently, which is much less the case for the Debian testing release.
  10. - Nearly half of the vulnerabilities have no fix. - 96% of containers are affected by all types of vulnerabilities, except for those in the “not assigned” severity category.
  11. Deployers who prefer stability to new functionality are recommended to use the Stable and Oldstable versions, which include only the most important corrections or security updates. To have a lower number of severe vulnerabilities, container deployers using the Oldstable Debian release should upgrade to the Stable release.
  12. Stefano confirmed. Many bugs are present in Debian, but nobody cares if these bugs do not affect security. At any given point there may be thousands of known (and unresolved) bugs.
  13. The number of bugs is weakly correlated with the number of outdated packages in containers, except for the Buster release (i.e. the latest Debian Testing release), for which no correlation was found.
  14. - High severity bugs are fixed ten times faster than other kinds of bugs. - Vulnerability reports upstream might have a different severity downstream.
  15. At the time of the image’s last update, outdated npm packages were only missing one patch update.
  16. All official node-based images have vulnerable npm packages, with an average of 16 security vulnerabilities per image.
  17. - We analyzed Debian and npm packages in Docker containers - Old images have more outdated packages. - All images have vulnerable and buggy packages. - Third-party packages are important and they should be considered when analyzing containers for vulnerabilities. - The number of outdated packages is correlated with the number of vulnerabilities. - Package update recommendation tools are needed in order to support Docker deployers.