A Study of Security Vulnerabilities on Docker Hub

Shu, Rui; Gu, Xiaohui; Enck, William

doi:10.1145/3029806.3029832

Cited by 139 publications

(90 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Comparing our results about vulnerabilities to previous observations [22], we found Debian-based Docker containers to have an average number of vulnerabilities (i.e., 460) that is above the average for all Docker containers (i.e., 120). However, the number of vulnerabilities depends on the number of installed packages found.…”

Section: Discussion and Actionable Resultssupporting

confidence: 73%

See 1 more Smart Citation

On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs

Zerouali¹,

Mens²,

Robles

et al. 2019

2019 IEEE 26th International Conference on Software Analysis, Evolution and Reengineering (SANER)

View full text Add to dashboard Cite

Packaging software into containers is becoming a common practice when deploying services in cloud and other environments. Docker images are one of the most popular container technologies for building and deploying containers. A container image usually includes a collection of software packages, that can have bugs and security vulnerabilities that affect the container health. Our goal is to support container deployers by analysing the relation between outdated containers and vulnerable and buggy packages installed in them. We use the concept of technical lag of a container as the difference between a given container and the most up-to-date container that is possible with the most recent releases of the same collection of packages. For 7,380 official and community Docker images that are based on the Debian Linux distribution, we identify which software packages are installed in them and measure their technical lag in terms of version updates, security vulnerabilities and bugs. We have found, among others, that no release is devoid of vulnerabilities, so deployers cannot avoid vulnerabilities even if they deploy the most recent packages. We offer some lessons learned for container developers in regard to the strategies they can follow to minimize the number of vulnerabilities. We argue that Docker container scan and security management tools should improve their platforms by adding data about other kinds of bugs and include the measurement of technical lag to offer deployers information of when to update.

show abstract

Section: Discussion and Actionable Resultssupporting

confidence: 73%

“…Shu et al [22] performed a generic large scale study on the state of security vulnerabilities in both community and official Docker Hub repositories. They proposed the Docker Image Vulnerability Analysis (DIVA) framework to automatically discover, download, and analyze Docker images for security vulnerabilities.…”

Section: Related Workmentioning

confidence: 99%

On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs

Zerouali¹,

Mens²,

Robles

et al. 2019

2019 IEEE 26th International Conference on Software Analysis, Evolution and Reengineering (SANER)

View full text Add to dashboard Cite

show abstract

“…Image repositories can be searched based on keywords. Although Docker Hub does not provide the entire list of image repositories, Shu et al [22] show that a dictionary-based search method can collect the vast majority of public repositories on Docker Hub. Containers.…”

Section: Image Repositoriesmentioning

confidence: 99%

“…Prior studies on Docker images mostly focus on analyzing Dockerfiles as a special type of code [4] and the security implications of adopting Docker images [5,22,23]. Differently, our focus is not about how they were created and how secure to deploy them, but about the data and information that can be distilled from the images for the good and evil of software engineering research.…”

Section: Related Workmentioning

confidence: 99%

Mining container image repositories for software configuration and beyond

Marinov

2018

Proceedings of the 40th International Conference on Software Engineering: New Ideas and Emerging Results

View full text Add to dashboard Cite

This paper introduces the idea of mining container image repositories for configuration and other deployment information of software systems. Unlike traditional software repositories (e.g., source code repositories and app stores), image repositories encapsulate the entire execution ecosystem for running target software, including its configurations, dependent libraries and components, and OS-level utilities, which contributes to a wealth of data and information. We showcase the opportunities based on concrete software engineering tasks that can benefit from mining image repositories. To facilitate future mining efforts, we summarize the challenges of analyzing image repositories and the approaches that can address these challenges. We hope that this paper will stimulate exciting research agenda of mining this emerging type of software repositories. CCS CONCEPTS• Software and its engineering → Software libraries and repositories; Software post-development issues; Software configuration management and version control systems;

show abstract

“…Improved support for container security is needed to deal with a large array of known security vulnerabilities at the level of container images [256] and container runtimes [257]. This aspect, therefore, covers features that an application manager must understand in order to manage sensitive information, manage passwords for getting access to private Docker repositories, and limiting the security attack interface of containers by limiting the access of containers towards the underlying Linux kernel.…”

Section: Securing Containersmentioning

confidence: 99%

A Comprehensive Feature Comparison Study of Open-Source Container Orchestration Frameworks

et al. 2019

View full text Add to dashboard Cite

(1) Background: Container orchestration frameworks provide support for management ofcomplex distributed applications. Different frameworks have emerged only recently, and they havebeen in constant evolution as new features are being introduced. This reality makes it difficult forpractitioners and researchers to maintain a clear view of the technology space. (2) Methods: wepresent a descriptive feature comparison study of the three most prominent orchestrationframeworks: Docker Swarm, Kubernetes, and Mesos, which can be combined with Marathon,Aurora or DC/OS. This study aims at (i) identifying the common and unique features of allframeworks, (ii) comparing these frameworks qualitatively ánd quantitatively with respect togenericity in terms of supported features, and (iii) investigating the maturity and stability of theframeworks as well as the pioneering nature of each framework by studying the historical evolutionof the frameworks on GitHub. (3) Results: (i) we have identified 124 common features and 54 uniquefeatures that we divided into a taxonomy of 9 functional aspects and 27 functional sub-aspects. (ii)Kubernetes supports the highest number of accumulated common and unique features for all 9functional aspects; however, no evidence has been found for significant differences in genericitywith Docker Swarm and DC/OS. (iii) Very little feature deprecations have been found and 15 out of27 sub-aspects have been identified as mature and stable. These are pioneered in descending orderby Kubernetes, Mesos, and Marathon. (4) Conclusion: there is a broad and mature foundation thatunderpins all container orchestration frameworks. Likely areas for further evolution and innovationinclude system support for improved cluster security and container security, performance isolationof GPU, disk and network resources, and network plugin architectures.

show abstract

A Study of Security Vulnerabilities on Docker Hub

Cited by 139 publications

References 16 publications

On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs

On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs

Mining container image repositories for software configuration and beyond

A Comprehensive Feature Comparison Study of Open-Source Container Orchestration Frameworks

Contact Info

Product

Resources

About