Detect vulnerabilities in container images and take action


The innovation of tools and technologies for developers over the past few years has generated a multitude of choices and options for building solutions. However, even with advances in our tool stack, we must still maintain awareness of safe engineering practices, including limiting attack vectors. It sounds simple, but in reality, for production-level software and any modern software, we face any of the following attack vectors:

Operating system (OS) vulnerabilities: unpatched libraries and operating system components, vulnerable kernel versions and vulnerable versions of network libraries;

Configuration vulnerabilities: insecure operating system settings, such as passwords or logins, as well as insecure network configuration, including root access permission, absence of an IP address whitelist and lack of Secure Shell (SSH);

Application weaknesses: XSS, data overflow and SQL injection.

Containerization has dramatically improved the ability to develop repeatable and reusable software. However, there is still a common concern as to how we can prevent these threats from propagating to container consumers. With containerization, this concern grows, because each layer in the container is only one link in the chain. The containers you produce can be used as a base for another container, and so on, with every link in that chain exposed to the same attack and threat vectors.

This code pattern includes sample code for using the Application Programming Interface (API) of Vulnerability Advisor, a service in the IBM Cloud Container Registry that checks and maintains the security of container images. Vulnerability Advisor inspects the layers and the configuration of a Docker image and can detect image and configuration vulnerabilities for anything in the registry, as well as for running images. The purpose of this code pattern is to make that data available and actionable.

Description

This code pattern demonstrates how to use the Vulnerability Advisor APIs to retrieve and process results in real time for containers that are scanned. This information is displayed in a sample dashboard application that uses the Vulnerability Advisor APIs, showing how to interact with the APIs and perform actions based on the Vulnerability Advisor data.

For general information, see the Vulnerability Advisor documentation. In addition, for more information about using the API, see the Vulnerability Advisor API documentation.

When images are pushed to the IBM Cloud Container Registry, they are scanned automatically by Vulnerability Advisor (although you can also initiate an assessment via the API if you wish). You can retrieve the data from these scans in several ways.

Account data available through the Vulnerability Advisor APIs provides vital assessment information for an IBM Cloud account. Your IBM Cloud account is used to upload images to the container registry, and you can view these assessments as an aggregate from the account view. This view groups and lists all images belonging to the account. For each image, you can create a link to a panel for that specific image (the link that the application user selects), where the assessment information is presented in greater detail.

GET /va/api/v3/report/account returns the vulnerability analysis for all resources in the account. The data returned by this API can consist of a series of assessments (one for each container or image belonging to the account). Each assessment consists of the following data:

Configuration issues identified, including the corrective action required, a description of the issue, whether the issue is exempt under defined policies, and the type of check that failed;

The assessment ID;

A timestamp for scanning the image;

A list of Common Vulnerabilities and Exposures (CVE) identified for the image: whether it is exempt or not, the CVE ID, information about security warnings and a summary of the vulnerability;

An overall image status based on vulnerabilities, identified configuration issues and applied exemptions.

For this sample code, the scan ID, timestamp and overall status are displayed on the panel.

Similar to the report/account API, GET /va/api/v3/report/account/status returns useful aggregated assessment counts for each image belonging to the account. The sample dashboard application moves these results onto the panel. The results include counts of the following:

Issues found;

Exempt issues found;

Vulnerabilities;

Exempt vulnerabilities;

Configuration issues;

C problems.
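The two account-level calls above (the full report and the status counts) feed the main dashboard. As an added example, not code from the IBM code pattern, the following Node.js snippet takes a constructed sample of a report/account response and reduces each assessment to a dashboard row: the scan ID, timestamp and overall status that the article says the panel shows, plus the same exempt and non-exempt counts the report/account/status API reports. The JSON field names (assessments, id, image, time, status, vulnerabilities, cve_id, exempt, configuration_issues, check) and the status vocabulary are assumptions made for illustration; check the Vulnerability Advisor API documentation for the real payload shape.

```javascript
// Added example; not code from the IBM code pattern. Field names and status
// values are ASSUMED for illustration (see the VA API docs for the real ones).

// Constructed sample response, modelled on the fields the article lists for
// GET /va/api/v3/report/account. All values are made up.
const SAMPLE_ACCOUNT_REPORT = {
  assessments: [
    {
      id: 'scan-0001',
      image: 'us.icr.io/myspace/web:1.0',
      time: '2020-05-01T10:00:00Z',
      status: 'FAIL',
      vulnerabilities: [
        { cve_id: 'CVE-0000-0001', exempt: false, summary: 'constructed sample', notices: [] },
        { cve_id: 'CVE-0000-0002', exempt: true, summary: 'constructed sample', notices: [] },
      ],
      configuration_issues: [
        { check: 'sshd', description: 'constructed sample', corrective_action: 'constructed sample', exempt: false },
      ],
    },
    {
      id: 'scan-0002',
      image: 'us.icr.io/myspace/api:2.3',
      time: '2020-05-01T11:00:00Z',
      status: 'OK',
      vulnerabilities: [],
      configuration_issues: [],
    },
  ],
};

// Assumed status vocabulary; a lower rank is shown higher on the dashboard.
const STATUS_RANK = { FAIL: 0, WARN: 1, INCOMPLETE: 2, UNSUPPORTED: 3, OK: 4 };

// Reduce one assessment to the row the dashboard shows (scan ID, timestamp,
// overall status) plus the counts that report/account/status also provides.
function summarizeAssessment(a) {
  const vulns = a.vulnerabilities || [];
  const cfg = a.configuration_issues || [];
  const count = (list, exempt) => list.filter((x) => Boolean(x.exempt) === exempt).length;
  return {
    scanId: a.id,
    image: a.image,
    timestamp: a.time,
    status: a.status,
    vulnerabilities: count(vulns, false),
    exemptVulnerabilities: count(vulns, true),
    configurationIssues: count(cfg, false),
    exemptConfigurationIssues: count(cfg, true),
    issues: count(vulns, false) + count(cfg, false),
    exemptIssues: count(vulns, true) + count(cfg, true),
    // Link target for the per-image details page (route name is assumed).
    detailLink: '/image/' + encodeURIComponent(a.image),
  };
}

// Rows for the main dashboard, worst status first so failing images are seen.
function buildDashboardRows(report) {
  const rows = (report.assessments || []).map(summarizeAssessment);
  const rank = (s) => (s in STATUS_RANK ? STATUS_RANK[s] : STATUS_RANK.OK + 1);
  return rows.sort((x, y) => rank(x.status) - rank(y.status));
}

// An image needs attention when its status is not OK or it carries any
// non-exempt finding; exempted findings alone do not trigger action.
function needsAction(row) {
  return row.status !== 'OK' || row.issues > 0;
}

for (const row of buildDashboardRows(SAMPLE_ACCOUNT_REPORT)) {
  console.log(`${row.status.padEnd(6)} ${row.image} scan=${row.scanId} open=${row.issues} exempt=${row.exemptIssues}`);
}
```

Sorting by status rather than by image name means the dashboard's first row is always the image that most needs action, and needsAction ignores exempted findings exactly as the article says exemptions do not affect the assessment status.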

GET /va/api/v3/exemptions/image/{resource} returns a list of all exemptions in effect for an image. Exemptions are vulnerabilities that can be flagged as exempt when found in a scan by Vulnerability Advisor. They do not affect the status of the assessment, because they have been judged, for example, not applicable or not critical. There are two ways to create exemptions: exemptions that apply to a specific image (which are returned by this API) and exemptions that apply to all images in an account (see the next API call).

GET /va/api/v3/exempt/image returns a list of all exemptions defined at the account level for all images belonging to it. The data returned includes:

Account ID;

Problem ID;

Kind of problem.

GET /va/api/v3/report/image/{name} returns the vulnerability assessment for the specified image. The data returned is similar to the account assessment described earlier, but for a specific image, so only one assessment is returned. GET /va/api/v3/report/image/{name} and GET /va/api/v3/report/account share the same assessment data.

GET /va/api/v3/report/image/status/{name} is similar to the aggregated vulnerability status returned for an account, except that the scope of this API is the image specified in the API call. The data returned is similar to the assessment data obtained from GET /va/api/v3/report/account/status. Again, a single row of aggregated data is returned.

GET /va/api/v3/report/image/{name}/containers returns the list of running containers instantiated from the image that are owned and created by the account. The data returned for this call helps identify the pods and the location of the runtimes for the container images:

Predecessor name;

Predecessor type;

Cluster;

ID;

Name;

Pod.

The IBM Cloud APIs used in this code pattern are protected by IBM authentication services, which require the account ID and an authorization token as input parameters. The sample code uses a sample account ID and retrieves the bearer token with ibmcloud iam oauth-tokens. Implement a more robust token-handling solution for production environments.

Flow

The sample dashboard application assumes that some containers have been pushed to the container registry and that Vulnerability Advisor assessments have been completed.

1. The dashboard consists of two parts. The first part is the main panel, which makes two calls to the Vulnerability Advisor APIs:

/va/api/v3/report/account and

/va/api/v3/report/account/status.

2. These APIs return an aggregate of container status and vulnerabilities for all containers belonging to the account. The dashboard loops over each image returned in the list and displays the corresponding information. Each image is rendered as a link to the container details page.

3. If application users select an image link on the dashboard, they will be directed to a page for details on the selected container using the following API calls:

/va/api/v3/exemptions/image/{resource}

/va/api/v3/exempt/image

/va/api/v3/report/image/{name}

/va/api/v3/report/image/status/{name}

/va/api/v3/report/image/{name}/containers
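The authentication paragraph above says every call needs the account ID and a bearer token obtained from ibmcloud iam oauth-tokens, and the flow lists which endpoints the main panel and the details page call. As an added example, not the code pattern's own code, the following Node.js snippet ties the two together: it pulls the IAM token out of the CLI output, builds the request for each endpoint in the flow, refuses to attach the token to any path outside /va/api/v3/, and redacts the token before anything is logged. The registry host, the header names (Authorization and Account) and the layout of the ibmcloud iam oauth-tokens output are assumptions made for illustration.

```javascript
// Added example; not code from the IBM code pattern. The base URL, header
// names and the CLI output layout below are ASSUMPTIONS for illustration.

const VA_BASE_URL = 'https://us.icr.io'; // assumed registry host for the VA API

// Endpoints from the flow's step 1 (main panel).
function mainDashboardPaths() {
  return ['/va/api/v3/report/account', '/va/api/v3/report/account/status'];
}

// Endpoints from the flow's step 3 (details page). The article does not say
// how {resource}/{name} are encoded, so the image name is inserted as given.
function detailPagePaths(imageName) {
  return [
    `/va/api/v3/exemptions/image/${imageName}`,
    '/va/api/v3/exempt/image',
    `/va/api/v3/report/image/${imageName}`,
    `/va/api/v3/report/image/status/${imageName}`,
    `/va/api/v3/report/image/${imageName}/containers`,
  ];
}

// Extract the IAM token from `ibmcloud iam oauth-tokens`. Assumed layout
// (constructed sample):
//   IAM token:  Bearer eyJ...
//   UAA token:  bearer ...
function parseOauthTokensOutput(output) {
  const m = /^IAM token:\s+Bearer\s+(\S+)/mi.exec(output);
  if (!m) throw new Error('IAM token not found in ibmcloud iam oauth-tokens output');
  return m[1];
}

// Build the request descriptor the dashboard sends for one endpoint.
function buildRequest(path, accountId, iamToken) {
  if (typeof accountId !== 'string' || accountId.length === 0) {
    throw new Error('account ID is required');
  }
  if (typeof iamToken !== 'string' || iamToken.length === 0) {
    throw new Error('IAM token is required');
  }
  // Never send the bearer token anywhere but the Vulnerability Advisor API.
  if (!path.startsWith('/va/api/v3/')) {
    throw new Error(`refusing to send credentials to non-VA path ${path}`);
  }
  return {
    method: 'GET',
    url: VA_BASE_URL + path,
    headers: {
      Authorization: `Bearer ${iamToken}`, // assumed header name
      Account: accountId, // assumed header name
      Accept: 'application/json',
    },
  };
}

// Copy that is safe to log: the bearer token is replaced before logging.
function redactForLog(req) {
  return { ...req, headers: { ...req.headers, Authorization: 'Bearer <redacted>' } };
}

// Perform one call. fetchImpl is injectable so the flow can be exercised
// offline with a fake; by default it uses Node's global fetch.
async function callVa(req, fetchImpl = globalThis.fetch) {
  console.log('VA request', JSON.stringify(redactForLog(req)));
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers });
  if (!res.ok) throw new Error(`VA API ${req.url} returned HTTP ${res.status}`);
  return res.json();
}

// Constructed sample CLI output and account ID, purely for demonstration.
const SAMPLE_CLI_OUTPUT = 'IAM token:  Bearer eyJhbGciOiJIUzI1NiJ9.constructed.sample\nUAA token:  bearer constructed\n';
const SAMPLE_ACCOUNT_ID = 'constructed-account-id';

const sampleToken = parseOauthTokensOutput(SAMPLE_CLI_OUTPUT);
for (const p of mainDashboardPaths().concat(detailPagePaths('us.icr.io/myspace/web:1.0'))) {
  console.log(JSON.stringify(redactForLog(buildRequest(p, SAMPLE_ACCOUNT_ID, sampleToken))));
}
```

Keeping the path allow-list inside buildRequest, rather than at the call sites, means a future route added to the dashboard cannot accidentally leak the IAM token to another host or API, and redactForLog keeps the token out of the application's logs even at debug verbosity.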

Instructions

Ready to try this code pattern? Get detailed instructions in the README file.

Clone the repository;

Retrieve the oauth token and login;

Complete additional configuration steps;

Run the application: go to the top-level directory and run node app.js.

Want to read more specialized programming content? Discover the IBM Blue Profile and get access to exclusive materials, new knowledge journeys and personalized tests. Check it out right now, get the badges and upgrade your career!
