Author(s)
I never moved away from Docker Desktop.
For some time, after you use it to build an image, it prints a message:
What's Next? View a summary of image vulnerabilities and recommendations → docker scout quickview
I decided to give it a try. I'll use the root commit of my OpenTelemetry tracing demo. Let's execute the proposed command:
docker scout quickview otel-catalog:1.0
Here's the result:
✓ Image stored for indexing
✓ Indexed 272 packages
Target │ otel-catalog:1.0 │ 0C 2H 15M 23L
digest │ 7adfce68062e │
Base image │ eclipse-temurin:21-jre │ 0C 0H 15M 23L
Refreshed base image │ eclipse-temurin:21-jre │ 0C 0H 15M 23L
│ │
What's Next?
View vulnerabilities → docker scout cves otel-catalog:1.0
View base image update recommendations → docker scout recommendations otel-catalog:1.0
Include policy results in your quickview by supplying an organization → docker scout quickview otel-catalog:1.0 --org <organization>
Docker gives out exciting bits of information:
- The base image contains 15 middle-severity vulnerabilities and 23 low-severity ones
- The final image has an additional two high-level severity
- Ergo, our code introduced them!
Following Scout's suggestion, we can drill down the CVEs:
docker scout cves otel-catalog:1.0
This is the result:
✓ SBOM of image already cached, 272 packages indexed
✗ Detected 18 vulnerable packages with a total of 39 vulnerabilities
## Overview
│ Analyzed Image
────────────────────┼──────────────────────────────
Target │ otel-catalog:1.0
digest │ 7adfce68062e
platform │ linux/arm64
vulnerabilities │ 0C 2H 15M 23L
size │ 160 MB
packages │ 272
## Packages and Vulnerabilities
0C 1H 0M 0L org.yaml/snakeyaml 1.33
pkg:maven/org.yaml/[email protected]
✗ HIGH CVE-2022-1471 [Improper Input Validation]
https://scout.docker.com/v/CVE-2022-1471
Affected range : <=1.33
Fixed version : 2.0
CVSS Score : 8.3
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
0C 1H 0M 0L io.netty/netty-handler 4.1.100.Final
pkg:maven/io.netty/[email protected]
✗ HIGH CVE-2023-4586 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
https://scout.docker.com/v/CVE-2023-4586
Affected range : >=4.1.0
: <5.0.0
Fixed version : not fixed
CVSS Score : 7.4
CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
The original output is much longer, but I stopped at the exciting bit: the two high-severity CVEs, First, we see the one coming from Netty still needs to be fixed - tough luck. However, Snake YAML fixed its CVE from version 2.0 onward.
I'm not using Snake YAML directly; it's a Spring dependency brought by Spring. Because of this, no guarantee exists that a major version upgrade will be compatible. But we can surely try. Let's bump the dependency to the latest version:
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>2.2</version>
</dependency>
We can build the image again and check that it still works. Fortunately, it does. We can execute the process again:
docker scout quickview otel-catalog:1.0
Lo and behold, the high-severity CVE is no more!
✓ Image stored for indexing ✓ Indexed 273 packages Target │ local://otel-catalog:1.0-1 │ 0C 1H 15M 23L digest │ 9ddc31cdd304 │ Base image │ eclipse-temurin:21-jre │ 0C 0H 15M 23L
Conclusion
In this short post, we tried Docker Scout, the Docker image vulnerability detection tool. Thanks to it, we removed one high-level CVE we introduced in the code.
To go further:
Originally published at A Java Geek on January 14th, 2024
Step up your coding with the Continuous Feedback Udemy Course: Additional coupons are available
What do you know about the code changes that were just introduced into the codebase? When will you notice if something goes wrong?
Get Started Here!
-
5 Tips to Create Secure Docker Images for Java Applications
Docker is the most widely used way to containerize your application. With Docker Hub, it is easy to create and pull pre-created images.
Read More
-
8 Debugging Tips for IntelliJ IDEA Users You Never Knew Existed
As developers, we’re all familiar with debuggers. We use debugging tools on a daily basis – they’re an essential part of programming. But let’s be honest. Usually, we only use the breakpoint option. If we’re feeling frisky, we might use a conditional breakpoint.
But guess what, the IntelliJ IDEA debugger has many powerful and cutting-edge features that are useful for debugging more easily and efficiently.
Read More
-
A Case for Databases on Kubernetes from a Former Skeptic
Looking back at the pitfalls of running databases on Kubernetes I encountered several years ago, most of them have been resolved.
All of these problems are hard and require technical finesse and careful thinking. Without choosing the right pieces, we’ll end up resigning both databases and Kubernetes to niche roles in our infrastructure, as well as the innovative engineers who have invested so much effort in building out all of these pieces and runbooks.
Read More
[…] >> Kicking the Tires of Docker Scout [foojay.io] […]