Check if a vulnerable component is really used by a container
Problem to solve
Container Scanning can tell you if your Docker image has vulnerable components in it.
That's great, but it may lead to false positives. Even if a tool, say grep, is vulnerable, that does not mean your app uses it in any way or allows it to be executed arbitrarily.
If the vulnerable tool is not accessible at all, the vulnerability is not a real threat and cannot impact security.
It would be useful to report whether a vulnerable component is really used or not. Users may want to upgrade their containers only in this case.
Having the full list of vulnerabilities is still useful, but this property allows a better sorting by severity.
- Sam, Security Analyst, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#sam-security-analyst
This is something similar to what is described in https://gitlab.com/gitlab-org/gitlab-ee/issues/8575 for Dependency Scanning.
Implement a process to check whether vulnerable components found by Container Scanning can be leveraged by an attacker in the very specific scenario of that container (that is, whether the component is actually reachable by the workload running in it).
Show this information as part of the Container Scanning report.
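As an added illustration of the triage the proposal describes (this is example code written for this page, not GitLab's Container Scanning implementation, and the report layout below is a constructed, simplified format rather than the real GitLab report schema): each finding lists the files its package installs, the image's entrypoint and a constructed file-access trace from exercising the workload stand in for runtime evidence, and each finding is marked "used" only when one of its files shows up in that evidence. Findings are then ordered so that used, high-severity ones come first. The vulnerability ids, package names and paths are placeholders.

```python
import json

# Constructed, simplified scan report (not the real GitLab Container Scanning schema).
# "files" lists the paths the vulnerable package installs into the image.
SCAN_REPORT = json.loads("""
{
  "vulnerabilities": [
    {"id": "VULN-EXAMPLE-1", "package": "grep", "severity": "High",
     "files": ["/bin/grep", "/usr/bin/egrep"]},
    {"id": "VULN-EXAMPLE-2", "package": "openssl", "severity": "Critical",
     "files": ["/usr/lib/x86_64-linux-gnu/libssl.so.1.1"]},
    {"id": "VULN-EXAMPLE-3", "package": "libcurl", "severity": "Medium",
     "files": ["/usr/lib/x86_64-linux-gnu/libcurl.so.4"]}
  ]
}
""")

# Constructed image entrypoint (what the container executes on start).
ENTRYPOINT = ["/usr/bin/python3", "/app/server.py"]

# Constructed runtime evidence: files opened or executed while the workload
# was exercised, as a syscall or file-access trace would record them.
RUNTIME_FILE_ACCESS = [
    "/usr/bin/python3",
    "/app/server.py",
    "/usr/lib/x86_64-linux-gnu/libssl.so.1.1",
    "/etc/ssl/certs/ca-certificates.crt",
    "/bin/grep",
]

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Unknown": 0}


def classify(report, accessed_paths, entrypoint):
    """Mark each finding as used or not, keeping the matching paths as evidence.

    A finding counts as used when any file of its package appears in the
    runtime evidence. Absence of evidence only means the trace did not
    observe the file; it is not proof that the component is unreachable,
    so the caller should report the coverage of the trace alongside this.
    """
    accessed = set(accessed_paths) | set(entrypoint)
    results = []
    for vuln in report["vulnerabilities"]:
        evidence = sorted(path for path in vuln["files"] if path in accessed)
        results.append({
            "id": vuln["id"],
            "package": vuln["package"],
            "severity": vuln["severity"],
            "used": bool(evidence),
            "evidence": evidence,
        })
    return results


def prioritize(results):
    """Order findings: used before unused, then by severity, then by id."""
    return sorted(
        results,
        key=lambda r: (not r["used"], -SEVERITY_RANK.get(r["severity"], 0), r["id"]),
    )


def triage(report=SCAN_REPORT, accessed_paths=RUNTIME_FILE_ACCESS, entrypoint=ENTRYPOINT):
    """Full pipeline: annotate the report with usage evidence and sort it."""
    return prioritize(classify(report, accessed_paths, entrypoint))


if __name__ == "__main__":
    for finding in triage():
        flag = "USED  " if finding["used"] else "unused"
        print(f'{flag} {finding["severity"]:<8} {finding["id"]} ({finding["package"]})'
              + (f' via {", ".join(finding["evidence"])}' if finding["evidence"] else ""))
```

With the constructed inputs, the openssl and grep findings are reported as used (their library and binary were touched at runtime) and libcurl as unused, so the critical openssl finding sorts first even though grep's binary is also present in the trace. In a real pipeline the file-access trace would come from instrumenting the container under representative load, and the "unused" label should be read as "no evidence of use in the exercised paths" rather than as proof of safety.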