Presentation by Tom Mens of SANER 2019 paper that was awarded as best paper. The topic concerns Docker containers, and more in particular the relation between outdated packages, technical lag, security vulnerabilities and bugs.
On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs
1. On the Relation between Outdated Docker
Containers, Severity Vulnerabilities, and Bugs
Ahmed Zerouali, Tom Mens,
Gregorio Robles, Jesus Gonzalez Barahona
IEEE Int’l Conf. Software Analysis, Evolution and Reengineering
Hangzhou, China February 24-27, 2019
2. On the Impact of Outdated and Vulnerable
Javascript Packages in Docker Images
Ahmed Zerouali, Valerio Cosentino, Tom Mens,
Gregorio Robles, Jesus Gonzalez Barahona
IEEE Int’l Conf. Software Analysis, Evolution and Reengineering
Hangzhou, China February 24-27, 2019
3. About Docker containers
● Containers are isolated bundles of software packages
● They are used to facilitate deploying software applications
● They are created by combining and modifying images from
public (official or community) repositories
● Docker is one of the main tools for containerisation
6. Motivation: Security vulnerabilities in npm JavaScript
“1 out of 3 dependent npm packages never update their
dependency to a vulnerable npm package.”
A. Decan et al. “On the impact of security vulnerabilities in the npm package
dependency network”, MSR 2018.
“37% of websites include a JavaScript library
with a known open source vulnerability.”
T. Lauinger et al. "Thou Shalt Not Depend on Me: Analysing the Use of Outdated
JavaScript Libraries on the Web", NDSS 2017.
So what about Docker containers relying on npm packages?
7. Motivation: Other main
concerns for container adoption
• Dependencies (required packages)
• Bugs in third-party software
• Outdated third-party software
8. Background: Technical Lag
Measures how outdated a software deployment (e.g. a deployed container)
is with respect to the ideal version of its bundled software packages.
Ideal depends on the purpose of the deployment
• latest available (most recent features)
• most stable (bug-free)
• most secure
• most compatible
• …
“A formal framework for measuring technical lag in
component repositories – and its application to npm.”
A. Zerouali, T. Mens, J. Gonzalez-Barahona,
A. Decan, E. Constantinou, G. Robles.
J. Software Evolution and Process, Wiley, February 2019
10. Two Empirical Case Studies
containers based on Debian distributions
• 2453 images from official repositories
• 4927 images from community repositories
containers relying on npm Javascript packages
• 961 images from official repositories
12. Case Study 1
Type of data               Data source
Package metadata           Debian Archive
Security vulnerabilities   Debian Security Tracker
Bugs                       Ultimate Debian Database
# Docker images per Debian distribution
             Buster                  Stretch                Jessie
             (Debian 10 / Testing)   (Debian 9 / Stable)    (Debian 8 / Oldstable)
Official     150                     620                    1683
Community    86                      1248                   3593
13. Case Study 1: Research Questions
How outdated are container packages?
How vulnerable are container packages?
To which extent do containers suffer from bugs in packages?
How long do bugs and security vulnerabilities remain unfixed?
14. How outdated are container packages?
The majority of packages in Debian containers are up-to-date.
Debian testing (Buster) images have more outdated packages.
15. How outdated are container packages?
Outdated packages in Debian containers tend to have a small technical lag.
Actionable result:
Container deployers should be aware that the optimal update
frequency of their base images and installed packages depends
on the base Debian version.
16. How vulnerable are container packages?
Nearly half of the vulnerabilities have no fix.
96% of containers are affected by vulnerabilities of all severity categories.
Lesson learned:
No release is devoid of vulnerabilities, so deployers cannot
avoid them even if they deploy the most recent packages.
17. How vulnerable are container packages?
The number of vulnerabilities depends on the Debian release, and is
moderately correlated with the number of outdated packages in a container.
Actionable result:
If you prefer stability over new features, use Stable and
Oldstable releases as they include the major bug fixes and
security updates.
18. To which extent do containers suffer
from bugs in packages?
All containers have buggy packages. Half of all packages have bugs.
65% of all bugs have no fix.
19. To which extent do containers suffer
from bugs in packages?
The number of bugs depends on the Debian release, and is weakly
correlated with the number of outdated packages in containers.
Actionable result:
Container deployers concerned with having as few bugs as
possible should upgrade to the Testing release, at the expense
of having a lower package stability.
20. How long do bugs and vulnerabilities remain unfixed?
High severity bugs are fixed much faster than other bugs.
High/medium severity vulnerabilities are fixed faster than low ones.
[Figures: bug survival analysis; vulnerability survival analysis]
Actionable result:
Continuous monitoring: Container deployers should be aware of
new available versions of their installed packages that fix severe
vulnerabilities and important bugs.
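The continuous-monitoring recommendation above, together with the observation on slide 16 that nearly half of the vulnerabilities have no fix, as an added Python example that is not part of the deck or of the authors' tooling. It takes a container's Debian suite and installed source packages, matches them against a vulnerability feed, and lists open versus resolved findings by severity, so a deployer can see which packages have a fixed version waiting and which have none. The feed is constructed sample data laid out the way I understand the Debian Security Tracker's JSON export (source package, CVE id, per-suite status / fixed_version / urgency); the field names are an assumption, and the CVE-0000-xxxx identifiers, package inventory and version strings are placeholders, not real advisories.

```python
"""Vulnerability triage for the Debian packages installed in one container image.

Added example, not the authors' tooling. TRACKER_JSON is constructed sample data
laid out like the Debian Security Tracker JSON export as I understand it
(source package -> CVE id -> "releases" -> suite -> status / fixed_version /
urgency); the field names are an assumption, and the CVE ids and version
strings are placeholders, not real advisories.
"""
import json
from collections import Counter
from typing import Dict, List

TRACKER_JSON = json.dumps({
    "openssl": {
        "CVE-0000-0001": {"releases": {
            "stretch": {"status": "resolved", "fixed_version": "1.0.0-1+deb9u1", "urgency": "high"},
            "buster": {"status": "resolved", "fixed_version": "1.1.0-1", "urgency": "high"}}},
        "CVE-0000-0002": {"releases": {
            "stretch": {"status": "open", "urgency": "low"}}},
    },
    "curl": {
        "CVE-0000-0003": {"releases": {
            "stretch": {"status": "open", "urgency": "high"},
            "buster": {"status": "resolved", "fixed_version": "7.64.0-1", "urgency": "high"}}},
    },
    "bash": {
        # Only listed for buster in this sample, so it must not be reported for a stretch image.
        "CVE-0000-0004": {"releases": {"buster": {"status": "open", "urgency": "medium"}}},
    },
})

# Constructed inventory of one image: its Debian suite and installed *source* packages.
# (A real tool first maps binary packages from dpkg to their source package,
# because the tracker is keyed by source package.)
IMAGE_SUITE = "stretch"
IMAGE_PACKAGES = ["openssl", "curl", "bash", "zlib"]   # zlib: no tracker entry at all

# Lower rank = more urgent; urgencies not in this table sort last.
URGENCY_RANK = {"high": 0, "medium": 1, "low": 2, "unimportant": 3}


def load_tracker(raw: str = TRACKER_JSON) -> Dict:
    """Parse the (here: constructed) tracker export."""
    return json.loads(raw)


def triage(tracker: Dict, suite: str, packages: List[str]) -> List[Dict]:
    """One finding per (package, CVE) pair that has an entry for this suite."""
    findings = []
    for pkg in packages:
        for cve, record in tracker.get(pkg, {}).items():
            entry = record.get("releases", {}).get(suite)
            if entry is None:
                continue  # suite not listed: not affected, or not tracked for it
            findings.append({
                "package": pkg,
                "cve": cve,
                "status": entry.get("status", "undetermined"),
                "urgency": entry.get("urgency", "not yet assigned"),
                "fixed_version": entry.get("fixed_version"),  # None when no fix exists
            })
    return findings


def prioritize(findings: List[Dict]) -> List[Dict]:
    """Open issues first, then by urgency: the order a deployer should act in."""
    return sorted(findings,
                  key=lambda f: (f["status"] != "open", URGENCY_RANK.get(f["urgency"], 99)))


def summarize(findings: List[Dict]) -> Dict:
    """Counts that mirror the deck's 'how many have no fix' view."""
    open_count = sum(1 for f in findings if f["status"] == "open")
    return {
        "total": len(findings),
        "open": open_count,
        "no_fix_fraction": open_count / len(findings) if findings else 0.0,
        "by_urgency": Counter(f["urgency"] for f in findings),
    }


if __name__ == "__main__":
    found = triage(load_tracker(), IMAGE_SUITE, IMAGE_PACKAGES)
    for f in prioritize(found):
        fix = f["fixed_version"] or "no fix yet"
        print(f'{f["package"]:8} {f["cve"]} {f["urgency"]:7} {f["status"]:9} {fix}')
    print(summarize(found))
```

Run stand-alone, the script prints the three findings that apply to the stretch image (the bash entry is buster-only and zlib has no entry), with the two open ones first; replacing TRACKER_JSON with the live export and IMAGE_PACKAGES with the image's real source-package list turns it into the periodic check the slide asks for.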
21. Case Study 2
Type of data               Data source
Package metadata           Libraries.io
Security vulnerabilities   Snyk.io vulnerability database (1099 vulnerability reports)
22. Case Study 2: Research Questions
How outdated are npm packages in Docker images?
How vulnerable are npm packages in Docker images?
23. How outdated are npm packages in
Docker images?
At the time of the image’s last update, outdated npm packages were
mostly up to date.
Median version lag = 1 patch
24. How outdated are npm packages in
Docker images?
At the date of the analysis (March 13th 2018):
Median version lag = 1 major + 1 minor + 4 patch
Docker deployers that use old Node.js images might be missing updates.
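The version-lag figures on slides 23 and 24, and the point on slide 8 that the "ideal" version depends on the purpose of the deployment, as an added worked example in Python. This is not the authors' tooling and does not reproduce their exact metric: it counts the releases an installed npm-style package has missed up to a chosen ideal version, grouped by semver bump type (major, minor, patch), under three ideal policies (latest release, latest within the same major, latest patch of the installed minor), and then reports the median lag per component across one image. The package names, release histories and installed versions are constructed sample data.

```python
"""Version lag of installed npm-style packages against a chosen "ideal" version.

Added example for this page; it is not the authors' tooling and does not
reproduce their exact metric. Package names, release histories and installed
versions below are constructed sample data.
"""
from statistics import median
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Constructed release histories (oldest to newest) and the versions one image ships.
RELEASES: Dict[str, List[str]] = {
    "sample-http":   ["1.0.0", "1.0.1", "1.0.2", "1.1.0", "1.1.1", "2.0.0", "2.0.1"],
    "sample-logger": ["0.9.0", "1.0.0", "1.0.1"],
    "sample-yaml":   ["3.2.0", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.3.0"],
}
INSTALLED: Dict[str, str] = {
    "sample-http": "1.0.1",
    "sample-logger": "1.0.1",
    "sample-yaml": "3.2.0",
}


def parse(v: str) -> Version:
    """Parse 'major.minor.patch'; pre-release and build tags are out of scope here."""
    major, minor, patch = (int(x) for x in v.split("."))
    return (major, minor, patch)


def bump_type(prev: Version, cur: Version) -> str:
    """Classify the semver step from prev to cur as major, minor or patch."""
    if cur[0] != prev[0]:
        return "major"
    if cur[1] != prev[1]:
        return "minor"
    return "patch"


def ideal_version(installed: Version, history: List[Version], policy: str) -> Version:
    """Pick the ideal version for a deployment purpose (the deck: 'ideal depends on purpose')."""
    if policy == "latest":          # most recent features
        candidates = history
    elif policy == "same_major":    # semver-compatible (caret-style) updates only
        candidates = [v for v in history if v[0] == installed[0]]
    elif policy == "same_minor":    # patch-only (tilde-style) updates, most compatible
        candidates = [v for v in history if v[:2] == installed[:2]]
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return max(candidates + [installed])  # never "downgrade" below what is installed


def version_lag(installed: Version, history: List[Version], ideal: Version) -> Dict[str, int]:
    """Count releases strictly newer than `installed` up to `ideal`, grouped by bump type."""
    lag = {"major": 0, "minor": 0, "patch": 0}
    prev = installed
    for v in sorted(history):
        if v <= installed:
            continue
        if v > ideal:
            break
        lag[bump_type(prev, v)] += 1
        prev = v
    return lag


def report(policy: str, releases: Dict[str, List[str]] = RELEASES,
           installed: Dict[str, str] = INSTALLED) -> Dict[str, object]:
    """Per-package lag, median lag per component, and the share of up-to-date packages."""
    per_package: Dict[str, Dict[str, int]] = {}
    for name, ver in installed.items():
        hist = [parse(v) for v in releases[name]]
        cur = parse(ver)
        per_package[name] = version_lag(cur, hist, ideal_version(cur, hist, policy))
    median_lag = {k: median(p[k] for p in per_package.values())
                  for k in ("major", "minor", "patch")}
    up_to_date = sum(1 for p in per_package.values() if not any(p.values()))
    return {"per_package": per_package, "median_lag": median_lag,
            "up_to_date_fraction": up_to_date / len(per_package)}


if __name__ == "__main__":
    for policy in ("latest", "same_major", "same_minor"):
        r = report(policy)
        print(policy, r["median_lag"], f"{r['up_to_date_fraction']:.0%} up to date")
```

On the sample data the same image reads as "1 minor + 3 patch behind" under the latest policy but only "1 patch behind" under the patch-only policy, which is the effect the deck describes: technical lag is only meaningful once the ideal is fixed by the deployment's goal.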
26. Conclusion
Analysis of Debian and npm packages in Docker containers.
- All images have packages with vulnerabilities and bugs.
- Using third-party (npm) packages is a source of bugs and
vulnerabilities.
- Old images have more outdated packages.
- The more outdated packages the higher the risk of vulnerabilities.
- Docker deployers need to use package analysis and monitoring tools.
Editor's Notes
In June 2015, ClusterHQ asked enterprises “What are the biggest barriers to putting containers in a production environment?” A large share of enterprises (>60%) said that security was the #1 barrier to putting containers in a production environment.
Later, in August 2015, FlawCheck and one of our partners surveyed enterprises, asking which piece of the security equation was their top concern about running containers in production environments.
At 42%, Vulnerabilities & Malware in container workloads was the top container security concern among those surveyed.
Later on, a 2016 survey by DevOps.com and RedMonk revealed that users who were more concerned about image security focused on scanning the operating system for known Common Vulnerabilities and Exposures (CVEs).
Later, in 2017, a survey by Anchore.io focused on the landscape of practices being deployed by container users [1]. One of the questions was: “Other than security, what are the other checks that you perform before running application containers?” The top answers related to software packages were: required packages (∼40% of the answers); presence of bugs in major third-party software (∼33%); and verifying whether third-party software versions are up-to-date (∼27%).
To do so, we relied on the concept of technical lag, which was introduced as the difference between the software version that is deployed and the ideal version that is available but not deployed yet.
For the first case study, we decided to work with DockerHub images based on a Linux Debian distribution, because applications in them are usually installed using well-defined packages. We considered ALL official repositories. For the 30,000+ community repositories, we only selected those with more than 500 pulls (i.e. the most popular ones).
For the second case study, we selected 961 official repositories on DockerHub for which we found presence of npm Javascript packages.
The overall process, which we describe in detail below, is:
(1) identification of Docker Hub base images for Debian, defining our base set;
(2) identification of Docker Hub images in our dataset, including those derived from the base set;
(3) analysis of all those images, matching their packages to a historical archive of all Debian packages; and
(4) identification of bug and vulnerability reports for those packages, based on a historical database with those details for Debian packages.
The median proportion of up-to-date packages per container is 82%.
For images updated during 2018, the median is even much higher: 98% of packages are up-to-date.
Outdated packages are lagging behind one version for Debian oldstable (Jessie) and stable (Stretch).
Outdated packages are lagging behind two versions for Debian testing (Buster).
This is expected because stable Debian packages are not updated frequently, while this is much less the case for the Debian testing release.
- Nearly half of the vulnerabilities have no fix.
- 96% of containers are affected by all types of vulnerabilities, except for the not-assigned vulnerabilities.
Deployers who prefer stability to new functionalities are recommended to use the Stable and Oldstable versions, which include only the most important corrections or security updates. To have a lower number of severe vulnerabilities, container deployers using the Oldstable Debian release should upgrade to the Stable release.
Stefano confirmed. Many bugs are present in Debian, but nobody cares if these bugs do not affect security. At any given point there may be thousands of known (and unresolved) bugs.
The number of bugs is weakly correlated with the number of outdated packages in containers, except for the Buster release (i.e. the latest Debian Testing release), for which no correlation was found.
- High severity bugs are fixed ten times faster than other kinds of bugs.
- Vulnerability reports upstream might have a different severity downstream.
At the time of the image’s last update, outdated npm packages were only missing one patch update.
All official node-based images have vulnerable npm packages, with an average of 16 security vulnerabilities per image.
- We analyzed Debian and npm packages in Docker containers
- Old images have more outdated packages.
- All images have vulnerable and buggy packages.
- Third-party packages are important and they should be considered when analyzing containers for vulnerabilities.
- The number of outdated packages is correlated with the number of vulnerabilities.
- Package update recommendation tools are needed in order to support Docker deployers.