Do you want your ad here?

Contact us to get your ad seen by thousands of users every day!

[email protected]

Kicking the Tires of Docker Scout

  • February 08, 2024
  • 5034 Unique Views
  • 2 min read
Table of Contents
Conclusion

I never moved away from Docker Desktop.

For some time, after you use it to build an image, it prints a message:

What's Next?
  View a summary of image vulnerabilities and recommendations → docker scout quickview

I decided to give it a try. I'll use the root commit of my OpenTelemetry tracing demo. Let's execute the proposed command:

docker scout quickview otel-catalog:1.0

Here's the result:

    ✓ Image stored for indexing
    ✓ Indexed 272 packages
  Target               │  otel-catalog:1.0        │    0C     2H    15M    23L
    digest             │  7adfce68062e            │
  Base image           │  eclipse-temurin:21-jre  │    0C     0H    15M    23L
  Refreshed base image │  eclipse-temurin:21-jre  │    0C     0H    15M    23L
                       │                          │
What's Next?
  View vulnerabilities → docker scout cves otel-catalog:1.0
  View base image update recommendations → docker scout recommendations otel-catalog:1.0
  Include policy results in your quickview by supplying an organization → docker scout quickview otel-catalog:1.0 --org <organization>

Docker gives out exciting bits of information:

  • The base image contains 15 middle-severity vulnerabilities and 23 low-severity ones
  • The final image has an additional two high-level severity
  • Ergo, our code introduced them!

Following Scout's suggestion, we can drill down the CVEs:

docker scout cves otel-catalog:1.0

This is the result:

    ✓ SBOM of image already cached, 272 packages indexed
    ✗ Detected 18 vulnerable packages with a total of 39 vulnerabilities
## Overview
                    │       Analyzed Image
────────────────────┼──────────────────────────────
  Target            │  otel-catalog:1.0
    digest          │  7adfce68062e
    platform        │ linux/arm64
    vulnerabilities │    0C     2H    15M    23L
    size            │ 160 MB
    packages        │ 272
## Packages and Vulnerabilities
   0C     1H     0M     0L  org.yaml/snakeyaml 1.33
pkg:maven/org.yaml/[email protected]
    ✗ HIGH CVE-2022-1471 [Improper Input Validation]
      https://scout.docker.com/v/CVE-2022-1471
      Affected range : <=1.33
      Fixed version  : 2.0
      CVSS Score     : 8.3
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
   0C     1H     0M     0L  io.netty/netty-handler 4.1.100.Final
pkg:maven/io.netty/[email protected]
    ✗ HIGH CVE-2023-4586 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
      https://scout.docker.com/v/CVE-2023-4586
      Affected range : >=4.1.0
                     : <5.0.0
      Fixed version  : not fixed
      CVSS Score     : 7.4
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

The original output is much longer, but I stopped at the exciting bit: the two high-severity CVEs, First, we see the one coming from Netty still needs to be fixed - tough luck. However, Snake YAML fixed its CVE from version 2.0 onward.

I'm not using Snake YAML directly; it's a Spring dependency brought by Spring. Because of this, no guarantee exists that a major version upgrade will be compatible. But we can surely try. Let's bump the dependency to the latest version:

<dependency>
    <groupId>org.yaml</groupId>
    <artifactId>snakeyaml</artifactId>
    <version>2.2</version>
</dependency>

We can build the image again and check that it still works. Fortunately, it does. We can execute the process again:

docker scout quickview otel-catalog:1.0

Lo and behold, the high-severity CVE is no more!

  ✓ Image stored for indexing
  ✓ Indexed 273 packages
Target     │  local://otel-catalog:1.0-1  │    0C     1H    15M    23L
  digest   │  9ddc31cdd304                │
Base image │  eclipse-temurin:21-jre      │    0C     0H    15M    23L

Conclusion

In this short post, we tried Docker Scout, the Docker image vulnerability detection tool. Thanks to it, we removed one high-level CVE we introduced in the code.

To go further:

Originally published at A Java Geek on January 14th, 2024

Sponsored Content

State of Java 2026 Webinar

Wednesday, 18 February Azul’s Simon Ritter and Frank Delporte will break down trends across Java adoption, cloud costs, licensing, DevOps productivity, and AI in production.

Register Here!

Avatar photo

Nicolas Frankel

Author

Technologist focusing on cloud-native technologies, DevOps, CI/CD pipelines, and system observability. His focus revolves around creating technical content, delivering talks, and engaging with developer communities to promote the adoption of modern software practices. With a strong background in software, he has worked extensively with the JVM, applying his expertise across various industries. In addition to his technical work, he is the author of several books and regularly shares insights through his blog and open-source contributions.

Avatar photo

Nicolas Frankel

Author

Technologist focusing on cloud-native technologies, DevOps, CI/CD pipelines, and system observability. His focus revolves around creating technical content, delivering talks, and engaging with developer communities to promote the adoption of modern software practices. With a strong background in software, he has worked extensively with the JVM, applying his expertise across various industries. In addition to his technical work, he is the author of several books and regularly shares insights through his blog and open-source contributions.

Learn more

Thanks to our Sponsors!

Azul logo
Azul
Platinum Sponsor
Redis logo
Redis
Gold Sponsor
CodeRabbit logo
CodeRabbit
Gold Sponsor
Reo logo
Reo
Silver Sponsor
Zencoder logo
Zencoder
Silver Sponsor
Payara logo
Payara
Silver Sponsor
Digma logo
Digma
Bronze Sponsor
adesso logo
adesso
Bronze Sponsor

Trending

Week Month All

A Visual Diff of Java’s Evolution: Inside java.evolved

The Triforce That Slays Legacy Java Myths – Happy 40th Zelda!

How to Customize JaCoCo Report Styling in Your Java Project

Understanding MCP Through Raw STDIO Communication

Service Layer Pattern in Java With Spring Boot

Stop Writing YAML: Automating Your Repo with Plain Natural Language

The Ultimate 10 Years Java Garbage Collection Guide (2016–2026) – Choosing the Right GC for Every Workload

Enabling AI Agents to Use a Real Debugger Instead of Logging

A Dissection of Java JDBC to PostgreSQL Connections

The Speed Test: Comparing Map.of() and new HashMap<>() in Java

foojay: A Place for Friends of OpenJDK

Dashboard for OpenJDK Update Release Details

JDK14: New Features and Enhancements

Fun with Flags: My Top 10 Resources for JVM Flags

Performance of Modern Java on Data-Heavy Workloads: Real-Time Streaming

Performance of Modern Java on Data-Heavy Workloads: Batch Processing

How does Java handle different Images and ColorSpaces – Part 1

How does Java handle different Images and ColorSpaces – Part 2

How does Java handle different Images and ColorSpaces – Part 3

How does Java handle different Images and ColorSpaces – Part 4

Indexing all of Wikipedia, on a laptop

Working with Multiple Carets in IntelliJ IDEA

Clean Shutdown of Spring Boot Applications

Project Panama for Newbies (Part 1)

Java 17 on the Raspberry Pi

How to Create Mobile Apps with JavaFX (Part 1)

Beginning JavaFX Applications with IntelliJ IDE

SpringBoot 3.2 + CRaC

Foojay Slack: bit.ly/join-foojay-slack

Preparing for Spring Framework 7 and Spring Boot 4

5 Tips to Create Secure Docker Images for Java Applications

Docker is the most widely used way to containerize your application. With Docker Hub, it is easy to create and pull pre-created images.

Dec 25 8,2K
Brian Vermeer
Security
8 Debugging Tips for IntelliJ IDEA Users You Never Knew Existed

As developers, we’re all familiar with debuggers. We use debugging tools on a daily basis – they’re an essential part of programming. But let’s be honest. Usually, we only use the breakpoint option. If we’re feeling frisky, we might use a conditional breakpoint.

But guess what, the IntelliJ IDEA debugger has many powerful and cutting-edge features that are useful for debugging more easily and efficiently.

Sep 09 8,4K
Noga Badhav
+1
Shai Almog
Shai Almog
IntelliJ IDEA
1
Tutorials
A Case for Databases on Kubernetes from a Former Skeptic

Looking back at the pitfalls of running databases on Kubernetes I encountered several years ago, most of them have been resolved.

All of these problems are hard and require technical finesse and careful thinking. Without choosing the right pieces, we’ll end up resigning both databases and Kubernetes to niche roles in our infrastructure, as well as the innovative engineers who have invested so much effort in building out all of these pieces and runbooks.

Jul 13 2,7K
Christopher Bradford
Kubernetes
4
DevOps Databases DataStax Apache Cassandra
Authenticate with OpenID Connect and Apache APISIX

Externalizing your authentication process to a third party may be sensible, but you want to avoid binding your infrastructure to its proprietary process.

Mar 09 5,3K
Nicolas Frankel
Security
2
Tools Cloud
APISIX: An API Gateway the Apache Way

Starting with Apache APISIX as your API Gateway is easy as pie. Use Docker, with the APISIX and etcd images, and off you go.

Mar 28 3,7K
Nicolas Frankel
Release Notes

Do you want your ad here?

Contact us to get your ad seen by thousands of users every day!

[email protected]

Related Articles

5 Tips to Create Secure Docker Images for Java Applications

Docker is the most widely used way to containerize your application. With Docker Hub, it is easy to create and pull pre-created images.

Dec 25 8,2K
Brian Vermeer
Security
8 Debugging Tips for IntelliJ IDEA Users You Never Knew Existed

As developers, we’re all familiar with debuggers. We use debugging tools on a daily basis – they’re an essential part of programming. But let’s be honest. Usually, we only use the breakpoint option. If we’re feeling frisky, we might use a conditional breakpoint.

But guess what, the IntelliJ IDEA debugger has many powerful and cutting-edge features that are useful for debugging more easily and efficiently.

Sep 09 8,4K
Noga Badhav
+1
Shai Almog
Shai Almog
IntelliJ IDEA
1
Tutorials
A Case for Databases on Kubernetes from a Former Skeptic

Looking back at the pitfalls of running databases on Kubernetes I encountered several years ago, most of them have been resolved.

All of these problems are hard and require technical finesse and careful thinking. Without choosing the right pieces, we’ll end up resigning both databases and Kubernetes to niche roles in our infrastructure, as well as the innovative engineers who have invested so much effort in building out all of these pieces and runbooks.

Jul 13 2,7K
Christopher Bradford
Kubernetes
4
DevOps Databases DataStax Apache Cassandra
Run a Java Lambda Function From a Docker image

Table of Contents PrerequisitesDevelopmentMaven ArchetypeLambdaDockerBuilding the projectDeploymentSupporting AWS InfrastructureUpload DockerLambda DeploymentSAM Deployment (Alternative)TestingLocal TestingRemote TestingReferences Have you ever wanted to deploy a Java Serverless function, but package it with a Docker Image? That is possible now with AWS new Container …

Dec 11 7,8K
Charl Fasching
Cloud
3
Microservices Java DevOps

Comments (1)

Highlight your code snippets using [code lang="language name"] shortcode. Just insert your code between opening and closing tag: [code lang="java"] code [/code]. Or specify another language.

Java Weekly, Issue 529 | Baeldung

2 years ago

[…] >> Kicking the Tires of Docker Scout [foojay.io] […]

20

Highlight your code snippets using [code lang="language name"] shortcode. Just insert your code between opening and closing tag: [code lang="java"] code [/code]. Or specify another language.

Mastodon

Set Event Reminder

Subscribe to foojay updates:

https://foojay.io/feed/
Copied to the clipboard