On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs

Zerouali, Ahmed; Mens, Tom; Robles, Gregório; González-Barahona, Jesús M.

doi:10.1109/saner.2019.8668013

Cited by 53 publications

(28 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…They offer isolation, portability and reusability by providing all needed artifacts and dependencies shipped in one package. However, as shown in previous research [4], [27], [18], Docker containers may contain vulnerable and outdated packages that may put at risk the environments where the containers are deployed. Nevertheless, little support is given to practitioners and researchers desiring to assess the status of their containers, thus forcing them to resort to the tedious task of writing error-prone ad-hoc scripts.…”

Section: Discussionmentioning

confidence: 86%

“…The dataset contains different information related to software packages installed in containers, thus providing a powerful basis to perform empirical studies. As an example, we have used ConPan in previous work [27], where we empirically analyzed installed system packages in a large dataset of Docker Hub images that are based on the Debian Linux distribution.…”

Section: Reportingmentioning

confidence: 99%

“…If practitioners wish to evaluate other aspects than security vulnerabilities, such as evaluating the outdatedness or quality issues of a container (e.g., in terms of the bugs [12] and available releases [13] of its system and third-party packages), they are forced to develop ad-hoc scripts which may be time-consuming and error-prone. This limitation also affects empirical research in software container mining [14], [15], [16], [17], [18], requiring scholars to reinvent the wheel because of the need to retrieve and analyse the data by themselves.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

ConPan: A Tool to Analyze Packages in Software Containers

Zerouali

Cosentino²,

Robles

et al. 2019

2019 IEEE/ACM 16th International Conference on Mining Software Repositories (MSR)

Self Cite

View full text Add to dashboard Cite

Deploying software packages and services into containers is a popular software engineering practice that increases portability and reusability. Docker, the most popular containerization technology, helps DevOps practitioners in their daily activities. Despite being successfully and increasingly employed, containers may include buggy and vulnerable packages that put at risk the environments in which the containers have been deployed. Existing quality and security monitoring tools provide only limited support to analyze Docker containers, thus forcing practitioners to perform additional manual work or develop adhoc scripts when the analysis goes beyond security purposes. This limitation also affects researchers desiring to empirically study the evolution dynamics of Docker containers and their contained packages. To overcome this limitation, we present ConPan, an automated tool to inspect the characteristics of packages in Docker containers, such as their outdatedness and other possible flaws (e.g., bugs and security vulnerabilities). ConPan comes with a CLI and API, and the analysis results can be presented to the user in a variety of formats.

show abstract

Section: Discussionmentioning

confidence: 86%

Section: Reportingmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

ConPan: A Tool to Analyze Packages in Software Containers

Zerouali

Cosentino²,

Robles

et al. 2019

2019 IEEE/ACM 16th International Conference on Mining Software Repositories (MSR)

Self Cite

View full text Add to dashboard Cite

show abstract

“…The list of these official projects is available on GitHub, with 138 official projects, as of March 2019. 10 Some of these projects share a same Github repository. For example, InfluxDB and Chronograf are maintained in the same GitHub repository.…”

Section: A Repositoriesmentioning

confidence: 99%

“…They also indicate that the RUN instruction is the most commonly used instruction in Dockerfiles which can be linked to our results in Section V-A where we indicate that RUN instructions are the most frequently duplicated. Zerouali et al [10] perform an empirical analysis on 7,380 official and community Docker images that are based on the Debian Linux distribution. They look at the relation between outdated containers and vulnerable and buggy packages.…”

Section: Related Workmentioning

confidence: 99%

Handling Duplicates in Dockerfiles Families: Learning from Experts

Oumaziz¹,

Falleri²,

Blanc³

et al. 2019

2019 IEEE International Conference on Software Maintenance and Evolution (ICSME)

View full text Add to dashboard Cite

Docker is becoming a popular tool used by developers and end-users to deploy and run software applications. Dockerfiles are now found alongside projects' source code. Several projects are even starting to maintain families of Dockerfiles, like the Python project that maintains a family of 43 Dockerfiles, each for a specific Python version on a specific Linux distribution. In some situations, Dockerfiles family maintainers have to propagate a change to several, if not all, Dockerfiles of the family (for instance a bugfix applying on all Dockerfiles targeting Python 2.7). This need to propagate changes is usually due to the presence of duplicates between several Dockerfiles of the family. In this paper, our goal is to provide practitioners a clear explanation for why Dockerfile duplicates arise in projects, and what are the different means to handle duplicates with their pros and cons. To perform a grounded analysis, we observe the practices of expert Dockerfile maintainers of Official Docker projects, which are setting the best-practices for Dockerfile maintenance. We show that duplicates in Dockerfiles are frequent in our corpus, that maintainers are aware of their existence, are frequently facing them and have a mixed opinion regarding them (error-prone when not using any tool, but easy to maintain with the right tools). Finally, we describe and analyse the tools used by maintainers to handle duplicates.

show abstract