As we move toward the Zero Trust model for information security, security experts have raised concerns over the security of applications deployed in containers. Recently, the vulnerability CVE-2022-0811, identified in the CRI-O container runtime engine, has turned this concern into reality.
For those who are not aware: as per CrowdStrike, an attacker exploiting it could escape from a Kubernetes container, gain root access to the host and move anywhere in the cluster. Read more about it here: https://www.crowdstrike.com/blog/cr8escape-new-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/
Docker ships a built-in docker scan plugin that scans images directly from registries.
Docker Scan Plugin
If your host does not have the scan plugin installed by default, you can install it from your environment's preferred package manager. Once installed, log in to your remote repository and pass the name of the container image you want scanned.
[centos@centos7 ~]$ docker scan centos
Testing centos...
✗ Low severity vulnerability found in vim-minimal
Description: NULL Pointer Dereference
Info: https://snyk.io/vuln/SNYK-CENTOS8-VIMMINIMAL-1939917
Introduced through: vim-minimal@2:8.0.1763-15.el8
From: vim-minimal@2:8.0.1763-15.el8
✗ Low severity vulnerability found in vim-minimal
Description: Use After Free
Info: https://snyk.io/vuln/SNYK-CENTOS8-VIMMINIMAL-1972443
Introduced through: vim-minimal@2:8.0.1763-15.el8
From: vim-minimal@2:8.0.1763-15.el8
.
.
.
.
.
Package manager: rpm
Project name: docker-image|centos
Docker image: centos
Platform: linux/amd64
Base image: centos:centos8.4.2105
Tested 180 dependencies for known vulnerabilities, found 298 vulnerabilities.
According to our scan, you are currently using the most secure version of the selected base image
For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp
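The docker scan output above is plain text, so a CI job that wants to fail a build on serious findings has to parse it. The following Python script is an added example (not code from the original post, Docker or Snyk): it reads the layout shown above (a "✗ <Severity> severity vulnerability found in <package>" line followed by Description/Info/Introduced through/From lines and a "Tested N dependencies ... found M vulnerabilities" trailer), groups findings by severity, and returns the ones at or above a chosen threshold. The sample output embedded in it is constructed: the two vim-minimal entries are taken from the scan above, while the glibc and openssl-libs entries and their SNYK-EXAMPLE advisory URLs are invented to exercise the gate.

```python
import re
from collections import Counter

# Severity ranking used by the gate; docker scan prints Low/Medium/High/Critical.
SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# One finding header line, e.g. "✗ Low severity vulnerability found in vim-minimal"
FINDING_RE = re.compile(
    r"^\s*✗\s+(?P<severity>Low|Medium|High|Critical)\s+severity vulnerability found in\s+(?P<package>\S+)"
)
# Detail lines that follow a finding header
FIELD_RE = re.compile(r"^\s*(?P<key>Description|Info|Introduced through|From):\s*(?P<value>.*)$")
# Trailer line printed once at the end of the scan
SUMMARY_RE = re.compile(
    r"Tested (?P<deps>\d+) dependencies for known vulnerabilities, found (?P<vulns>\d+) vulnerabilities"
)


def parse_scan_output(text):
    """Return one dict per finding: severity, package and the detail fields seen."""
    findings = []
    current = None
    for line in text.splitlines():
        m = FINDING_RE.match(line)
        if m:
            current = {"severity": m.group("severity").lower(), "package": m.group("package")}
            findings.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key = m.group("key").lower().replace(" ", "_")  # "Introduced through" -> introduced_through
            current[key] = m.group("value").strip()
    return findings


def parse_summary(text):
    """Return (dependencies tested, vulnerabilities found) from the trailer, or None if absent."""
    m = SUMMARY_RE.search(text)
    return (int(m.group("deps")), int(m.group("vulns"))) if m else None


def count_by_severity(findings):
    return Counter(f["severity"] for f in findings)


def gate(findings, threshold="high"):
    """Findings at or above the threshold severity; an empty list means the gate passes."""
    limit = SEVERITY_ORDER[threshold]
    return [f for f in findings if SEVERITY_ORDER[f["severity"]] >= limit]


# Constructed sample in the layout of `docker scan centos` above. The vim-minimal
# entries are real lines from that scan; the glibc and openssl-libs entries and the
# SNYK-EXAMPLE URLs are invented placeholders, not real advisories.
SAMPLE_OUTPUT = """Testing centos...

✗ Low severity vulnerability found in vim-minimal
  Description: NULL Pointer Dereference
  Info: https://snyk.io/vuln/SNYK-CENTOS8-VIMMINIMAL-1939917
  Introduced through: vim-minimal@2:8.0.1763-15.el8
  From: vim-minimal@2:8.0.1763-15.el8

✗ Low severity vulnerability found in vim-minimal
  Description: Use After Free
  Info: https://snyk.io/vuln/SNYK-CENTOS8-VIMMINIMAL-1972443
  Introduced through: vim-minimal@2:8.0.1763-15.el8
  From: vim-minimal@2:8.0.1763-15.el8

✗ Medium severity vulnerability found in glibc
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-EXAMPLE-GLIBC-0001
  Introduced through: glibc@2.28-151.el8
  From: glibc@2.28-151.el8

✗ High severity vulnerability found in openssl-libs
  Description: Buffer Overflow
  Info: https://snyk.io/vuln/SNYK-EXAMPLE-OPENSSL-0002
  Introduced through: openssl-libs@1:1.1.1g-15.el8_3
  From: openssl-libs@1:1.1.1g-15.el8_3

Package manager: rpm
Project name: docker-image|centos
Docker image: centos
Platform: linux/amd64
Base image: centos:centos8.4.2105

Tested 180 dependencies for known vulnerabilities, found 4 vulnerabilities.
"""

if __name__ == "__main__":
    findings = parse_scan_output(SAMPLE_OUTPUT)
    print("by severity:", dict(count_by_severity(findings)))
    print("summary:", parse_summary(SAMPLE_OUTPUT))
    blocking = gate(findings, "high")
    for f in blocking:
        print(f"BLOCK {f['severity']}: {f['package']} - {f['description']} ({f['info']})")
    raise SystemExit(1 if blocking else 0)  # non-zero exit fails the pipeline stage
```

Run it as `docker scan <image> | python3 scan_gate.py` after replacing SAMPLE_OUTPUT with `sys.stdin.read()`; the threshold is deliberately a parameter so that a team can start at "critical" and tighten to "high" or "medium" once the baseline is clean.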
SYFT for SBOM
SYFT, developed by Anchore, is a CLI utility that complements the Docker scan plugin: it produces the list of dependencies used as part of the image build as an SBOM (Software Bill of Materials).
Let me share the installation and use of SYFT with the Docker container runtime engine.
Installation of SYFT
To use SYFT in our environment, we first need to fetch the SYFT binary with the install script from the official GitHub repository.
[root@centos7 ~]# curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
[info] fetching release script for tag='v0.44.1'
[info] using release tag='v0.44.1' version='0.44.1' os='linux' arch='amd64'
[info] installed /usr/local/bin/syft
Usage
To test SYFT, we call the SYFT binary and pass it the container image to be scanned. In the example below, I ran it against the latest CentOS image.
[root@centos7 bin]# /usr/local/bin/syft centos
✔ Pulled image
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [183 packages]
NAME VERSION TYPE
acl 2.2.53-1.el8 rpm
audit-libs 3.0-0.17.20191104git1c2f876.el8 rpm
basesystem 11-5.el8 rpm
bash 4.4.19-14.el8 rpm
bind-export-libs 32:9.11.26-3.el8 rpm
binutils 2.30-93.el8 rpm
bzip2-libs 1.0.6-26.el8 rpm
ca-certificates 2020.2.41-80.0.el8_2 rpm
centos-gpg-keys 1:8-2.el8 rpm
centos-linux-release 8.4-1.2105.el8 rpm
centos-linux-repos 8-2.el8 rpm
chkconfig 1.13-2.el8 rpm
coreutils-single 8.30-8.el8 rpm
cpio 2.12-10.el8 rpm
cracklib 2.9.6-15.el8 rpm
cracklib-dicts 2.9.6-15.el8 rpm
crypto-policies 20210209-1.gitbfb6bed.el8_3 rpm
cryptsetup-libs 2.3.3-4.el8 rpm
curl 7.61.1-18.el8 rpm
cyrus-sasl-lib 2.1.27-5.el8 rpm
dbus 1:1.12.8-12.el8 rpm
device-mapper 8:1.02.175-5.el8 rpm
device-mapper-libs 8:1.02.175-5.el8 rpm
dhcp-client 12:4.3.6-44.0.1.el8 rpm
dhcp-common 12:4.3.6-44.0.1.el8 rpm
dhcp-libs 12:4.3.6-44.0.1.el8 rpm
dnf 4.4.2-11.el8 rpm
dnf-data 4.4.2-11.el8 rpm
dracut 049-135.git20210121.el8 rpm
dracut-network 049-135.git20210121.el8 rpm
dracut-squash 049-135.git20210121.el8 rpm
elfutils-default-yama-scope 0.182-3.el8 rpm
elfutils-libelf 0.182-3.el8 rpm
elfutils-libs 0.182-3.el8 rpm
ethtool 2:5.8-5.el8 rpm
expat 2.2.5-4.el8 rpm
file-libs 5.33-16.el8_3.1 rpm
filesystem 3.8-3.el8 rpm
findutils 1:4.6.0-20.el8 rpm
gawk 4.2.1-2.el8 rpm
gdbm 1:1.18-1.el8 rpm
gdbm-libs 1:1.18-1.el8 rpm
glib2 2.56.4-9.el8 rpm
glibc 2.28-151.el8 rpm
glibc-common 2.28-151.el8 rpm
glibc-minimal-langpack 2.28-151.el8 rpm
gmp 1:6.1.2-10.el8 rpm
gnupg2 2.2.20-2.el8 rpm
gnutls 3.6.14-7.el8_3 rpm
gpg 1.13.1 python
gpgme 1.13.1-7.el8 rpm
grep 3.1-6.el8 rpm
gzip 1.9-12.el8 rpm
hostname 3.20-6.el8 rpm
hwdata 0.314-8.8.el8 rpm
ima-evm-utils 1.3.2-12.el8 rpm
info 6.5-6.el8 rpm
ipcalc 0.2.4-4.el8 rpm
iproute 5.9.0-4.el8 rpm
iptables-libs 1.8.4-17.el8 rpm
iputils 20180629-7.el8 rpm
json-c 0.13.1-0.4.el8 rpm
kexec-tools 2.0.20-46.el8 rpm
keyutils-libs 1.5.10-6.el8 rpm
kmod 25-17.el8 rpm
kmod-libs 25-17.el8 rpm
krb5-libs 1.18.2-8.el8 rpm
langpacks-en 1.0-12.el8 rpm
less 530-1.el8 rpm
libacl 2.2.53-1.el8 rpm
libarchive 3.3.3-1.el8 rpm
libassuan 2.5.1-3.el8 rpm
libattr 2.4.48-3.el8 rpm
libblkid 2.32.1-27.el8 rpm
libcap 2.26-4.el8 rpm
libcap-ng 0.7.9-5.el8 rpm
libcom_err 1.45.6-1.el8 rpm
libcomps 0.1.11-5.el8 rpm
libcurl-minimal 7.61.1-18.el8 rpm
libdb 5.3.28-40.el8 rpm
libdb-utils 5.3.28-40.el8 rpm
libdnf 0.55.0-7.el8 rpm
libfdisk 2.32.1-27.el8 rpm
libffi 3.1-22.el8 rpm
libgcc 8.4.1-1.el8 rpm
libgcrypt 1.8.5-4.el8 rpm
libgpg-error 1.31-1.el8 rpm
libibverbs 32.0-4.el8 rpm
libidn2 2.2.0-1.el8 rpm
libkcapi 1.2.0-2.el8 rpm
libkcapi-hmaccalc 1.2.0-2.el8 rpm
libksba 1.3.5-7.el8 rpm
libmetalink 0.1.3-7.el8 rpm
lzo 2.08-14.el8 rpm
mpfr 3.1.6-1.el8 rpm
ncurses-base 6.1-7.20180224.el8 rpm
ncurses-libs 6.1-7.20180224.el8 rpm
nettle 3.4.1-2.el8 rpm
npth 1.5-4.el8 rpm
openldap 2.4.46-16.el8 rpm
openssl-libs 1:1.1.1g-15.el8_3 rpm
p11-kit 0.23.22-1.el8 rpm
p11-kit-trust 0.23.22-1.el8 rpm
pam 1.3.1-14.el8 rpm
pciutils 3.7.0-1.el8 rpm
pciutils-libs 3.7.0-1.el8 rpm
pcre 8.42-4.el8 rpm
pcre2 10.32-2.el8 rpm
platform-python 3.6.8-37.el8 rpm
platform-python-setuptools 39.2.0-6.el8 rpm
popt 1.18-1.el8 rpm
procps-ng 3.3.15-6.el8 rpm
python3-dnf 4.4.2-11.el8 rpm
python3-libs 3.6.8-37.el8 rpm
python3-pip-wheel 9.0.3-19.el8 rpm
python3-rpm 4.14.3-13.el8 rpm
python3-setuptools-wheel 39.2.0-6.el8 rpm
rdma-core 32.0-4.el8 rpm
readline 7.0-10.el8 rpm
rootfiles 8.1-22.el8 rpm
rpm 4.14.3 python
rpm 4.14.3-13.el8 rpm
rpm-build-libs 4.14.3-13.el8 rpm
rpm-libs 4.14.3-13.el8 rpm
sed 4.5-2.el8 rpm
setup 2.12.2-6.el8 rpm
setuptools 39.2.0 python
shadow-utils 2:4.6-12.el8 rpm
snappy 1.1.8-3.el8 rpm
sqlite-libs 3.26.0-13.el8 rpm
squashfs-tools 4.3-20.el8 rpm
systemd 239-45.el8 rpm
systemd-libs 239-45.el8 rpm
systemd-pam 239-45.el8 rpm
systemd-udev 239-45.el8 rpm
tar 2:1.30-5.el8 rpm
tpm2-tss 2.3.2-3.el8 rpm
tzdata 2021a-1.el8 rpm
util-linux 2.32.1-27.el8 rpm
vim-minimal 2:8.0.1763-15.el8 rpm
xz 5.2.4-3.el8 rpm
xz-libs 5.2.4-3.el8 rpm
yum 4.4.2-11.el8 rpm
zlib 1.2.11-17.el8 rpm
Docker SBOM (Under Development) with SYFT
Excerpt from docs.docker.com: “The experimental docker sbom command allows you to generate the SBOM of a container image. Today, it does this by scanning the layers of the image using the Syft project but in the future, it may read the SBOM from the image itself or elsewhere.”
$ docker sbom centos
Syft v0.43.0
✔ Pulled image
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [183 packages]
NAME VERSION TYPE
acl 2.2.53-1.el8 rpm
audit-libs 3.0-0.17.20191104git1c2f876.el8 rpm
.
.
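An SBOM is most useful when it is kept and compared between builds, so that a package appearing, disappearing or changing version in a supposedly unchanged base image is noticed. The Python script below is an added example (not code from the original post, the Syft project or Docker) that serves both the `syft centos` usage section and the `docker sbom centos` section, since both print the same NAME / VERSION / TYPE table: it parses that table into a dictionary and diffs two of them. It assumes only that the three columns are whitespace-separated and that names and versions contain no spaces, as in the output above; everything before the header line (the ✔ progress lines, the Syft version banner) is skipped. The baseline table is a short excerpt of real rows from the output above; the "current" table is constructed to show drift (an openssl-libs version string that is invented, vim-minimal removed, curl added).

```python
def parse_sbom_table(text):
    """Return {(name, type): version} for every row below the NAME VERSION TYPE header.

    The key includes the package type because the same name can be cataloged
    twice, e.g. `rpm 4.14.3 python` (Python bindings) and `rpm 4.14.3-13.el8 rpm`
    in the Syft output above.
    """
    packages = {}
    in_table = False
    for line in text.splitlines():
        parts = line.split()
        if not in_table:
            in_table = parts[:3] == ["NAME", "VERSION", "TYPE"]
            continue
        if len(parts) != 3:
            continue  # blank lines, elision dots and progress lines are not rows
        name, version, pkg_type = parts
        packages[(name, pkg_type)] = version
    return packages


def diff_sbom(baseline, current):
    """Drift between two SBOMs: packages added, removed and re-versioned."""
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    changed = sorted(
        (k, baseline[k], current[k])
        for k in baseline
        if k in current and baseline[k] != current[k]
    )
    return {"added": added, "removed": removed, "changed": changed}


def find_package(packages, name):
    """All (type, version) pairs recorded for a package name."""
    return sorted((t, v) for (n, t), v in packages.items() if n == name)


# Constructed samples in the layout of `syft centos` / `docker sbom centos` above.
# BASELINE rows are real rows from that output; CURRENT is invented to show drift
# (openssl-libs version string made up, vim-minimal dropped, curl added).
BASELINE = """✔ Pulled image
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [6 packages]
NAME VERSION TYPE
acl 2.2.53-1.el8 rpm
bash 4.4.19-14.el8 rpm
openssl-libs 1:1.1.1g-15.el8_3 rpm
rpm 4.14.3 python
rpm 4.14.3-13.el8 rpm
vim-minimal 2:8.0.1763-15.el8 rpm
"""

CURRENT = """Syft v0.43.0
✔ Pulled image
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [6 packages]
NAME VERSION TYPE
acl 2.2.53-1.el8 rpm
bash 4.4.19-14.el8 rpm
curl 7.61.1-18.el8 rpm
openssl-libs 1:1.1.1k-4.el8 rpm
rpm 4.14.3 python
rpm 4.14.3-13.el8 rpm
"""

if __name__ == "__main__":
    base, cur = parse_sbom_table(BASELINE), parse_sbom_table(CURRENT)
    for kind, items in diff_sbom(base, cur).items():
        for item in items:
            print(kind, item)
    print("rpm entries in baseline:", find_package(base, "rpm"))
```

In practice the baseline table would be the SBOM saved from the last approved build (`syft <image> > sbom-<tag>.txt`) and the current one the output of today's build; a non-empty `added` or `changed` list on an image that was not meant to change is the signal to investigate before it is promoted.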