Virtualization enables the information and communications technology (ICT) industry to
better manage computing resources. In this regard, improvements in
virtualization approaches, together with the need for a consistent runtime
environment, lower overhead and smaller package size, have led to the growing
adoption of containers. A container packages an application, its dependencies
and an Operating System (OS) into a single isolated unit. However, the pressing
concern with the use of containers is their susceptibility to security attacks.
Consequently, a number of container scanning tools are available for detecting
container security vulnerabilities. Therefore, in this study, we investigate the
quality of existing container scanning tools by proposing two metrics that
reflect coverage and accuracy. We analyze 59 popular public container images for
Java applications hosted on DockerHub using different container scanning tools
(such as Clair, Anchore, and Microscanner). Our findings show that existing
container scanning approaches do not detect application package
vulnerabilities. Furthermore, existing tools do not have high accuracy, since
even the best-performing tool misses 34% of vulnerabilities. Finally, we also
characterize the quality of Docker images for Java applications hosted on
DockerHub by assessing their complete vulnerability landscape, i.e., the number
of vulnerabilities detected in each image.