Check if a vulnerable component is really used by a container
Problem to solve
Container Scanning can tell you if your Docker image has vulnerable components in it.
That's great, but it may lead to false positives. Even if a tool, let's say grep, is vulnerable, that doesn't mean your app uses it in any way, or that it allows arbitrary execution of it.
If the vulnerable tool is not accessible at all, the vulnerability is not a real threat and cannot impact security.
It would be useful to report if a vulnerable component is really used or not. Users may want to upgrade their containers only in this case.
Having the full list of vulnerabilities is still useful, but this property can give a better sorting for severity.
Target audience
- Sam, Security Analyst, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#sam-security-analyst
Further details
This is something similar to what is described in Determine if a vulnerable library call is used ... (#8575 - closed) for Dependency Scanning.
Proposal
Implement a process to check if vulnerable components found by Container Scanning can be leveraged by an attacker in the very specific scenario of that container. Show this information as part of the Container Scanning report.
Another option is to rely on dependency files, like Debian control files or CycloneDX SBOMs, to establish whether a component is a system-level dependency of the project being scanned. See Dismiss or mark vulnerabilities for OS packages... (#368615)
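The dependency-file approach above, as an added example that is not part of the issue or GitLab's own code: it walks a constructed CycloneDX SBOM (the standard `metadata.component`, `dependencies`, `ref` and `dependsOn` fields) from the application's root component and reports whether each vulnerable package is a transitive dependency of the project or merely present in the image. The package names and version strings in the SBOM are constructed for the example.

```python
import json

# Constructed CycloneDX-style SBOM: the application depends on libssl3, which
# depends on libc6. grep is installed in the image but nothing in the
# application's dependency graph references it.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "name": "app", "type": "application"}},
  "components": [
    {"bom-ref": "pkg:deb/debian/libssl3@1.0", "name": "libssl3"},
    {"bom-ref": "pkg:deb/debian/libc6@1.0", "name": "libc6"},
    {"bom-ref": "pkg:deb/debian/grep@1.0", "name": "grep"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:deb/debian/libssl3@1.0"]},
    {"ref": "pkg:deb/debian/libssl3@1.0", "dependsOn": ["pkg:deb/debian/libc6@1.0"]},
    {"ref": "pkg:deb/debian/libc6@1.0", "dependsOn": []},
    {"ref": "pkg:deb/debian/grep@1.0", "dependsOn": []}
  ]
}
"""


def reachable_refs(sbom):
    """Return the bom-refs transitively reachable from the SBOM's root component."""
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, stack = set(), [root]
    while stack:  # iterative depth-first walk; handles cycles via `seen`
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        stack.extend(graph.get(ref, []))
    seen.discard(root)
    return seen


def triage(sbom, vulnerable_names):
    """Map each vulnerable package name to True when it is a (transitive)
    dependency of the scanned application, False when it is only present
    in the image (or absent from the SBOM entirely)."""
    ref_by_name = {c["name"]: c["bom-ref"] for c in sbom["components"]}
    used = reachable_refs(sbom)
    return {name: ref_by_name.get(name) in used for name in vulnerable_names}


if __name__ == "__main__":
    print(triage(json.loads(SBOM_JSON), ["libc6", "grep"]))
```

A package flagged True here is a system-level dependency of the project and deserves the higher sort position the issue asks for; a False result only says the project does not declare it, not that an attacker could never invoke it at runtime.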
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.