Discovery: Suggested Solution (was Auto Remediation) support for Container Scanning
Problem to solve
Auto Remediation automatically fixes vulnerabilities.
It currently supports Dependency Scanning findings. We should add support for Container Scanning results as well.
Target audience
- Sasha, Software Developer
- Sam, Security Analyst
Further details
We currently don't have suggested solutions for Container Scanning findings, but Clair claims to support them, so we need to investigate further.
Proposal
Provide patches for Container Scanning vulnerabilities. Once that is done, everything should follow the same flow as the existing Auto Remediation feature.
Conclusion
This discovery has resulted in at least the following two approaches to auto remediation, with a summary of each option provided below:
- Basic auto-remediation process: attempt to update all packages in the Docker base image to the most recent available versions. This may still leave vulnerabilities which cannot be fixed this way (for example, a vulnerable package for which the base image's repositories ship no fixed version).
- Complex auto-remediation process: perform the Basic auto-remediation process and, if there are still unfixable vulnerabilities, attempt to fetch the next incremental version of the base Docker image and re-run the process until either there are no more matching images or all vulnerabilities have been removed. The definition of "next incremental version" will need to be discussed. For example, if the current version of the image is `3.7.2`, should we look at `3.7.3`, followed by `3.7.4`, or should we look at `3.8`, then `3.9`, etc.?
My recommendation is to implement the Basic auto-remediation process first, since the logic will need to be used by the Complex auto-remediation process anyway.
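To make the two processes concrete, here is an added Python sketch written for this page; it is not GitLab's or Clair's implementation. It assumes (hypothetically) that "update all packages" is a `RUN` line chosen from the base image name, that "next incremental version" means higher patch releases of the current `MAJOR.MINOR` first and then higher `MAJOR.MINOR` tags, and it replaces the scanner with a constructed table of which vulnerabilities remain per base image tag (the `VULN-*` strings are placeholders, not real identifiers). The output is the unified diff that a suggested-solution merge request would carry.

```python
"""Added example, not GitLab's or Clair's code: the Basic and Complex
auto-remediation processes applied to a Dockerfile. The choices below
(upgrade command per distro, tag ordering, scanner table) are hypothetical."""
import difflib
import re

# Matches "FROM image[:tag][ rest]". --platform flags, lowercase "from" and
# digest-pinned (@sha256:...) references are out of scope for this sketch.
FROM_RE = re.compile(
    r"^FROM\s+(?P<image>[^\s:@]+)(?::(?P<tag>[^\s@]+))?(?P<rest>.*)$", re.M
)

# Hypothetical mapping from base image name to its "upgrade everything" step.
UPGRADE_COMMANDS = {
    "alpine": "RUN apk upgrade --no-cache",
    "debian": "RUN apt-get update && apt-get -y upgrade && rm -rf /var/lib/apt/lists/*",
    "ubuntu": "RUN apt-get update && apt-get -y upgrade && rm -rf /var/lib/apt/lists/*",
}


def parse_from(dockerfile):
    """Return (image, tag) of the first FROM instruction."""
    m = FROM_RE.search(dockerfile)
    if m is None:
        raise ValueError("no FROM instruction found")
    return m.group("image"), m.group("tag") or "latest"


def basic_remediation(dockerfile):
    """Basic process: keep the base image, add a step that upgrades all its packages."""
    image, _ = parse_from(dockerfile)
    cmd = UPGRADE_COMMANDS.get(image.rsplit("/", 1)[-1])
    if cmd is None:
        raise ValueError(f"no known package manager for base image {image!r}")
    lines = dockerfile.splitlines()
    if cmd in lines:  # already remediated once; keep the patch idempotent
        return dockerfile
    out, inserted = [], False
    for line in lines:
        out.append(line)
        if not inserted and FROM_RE.match(line):  # directly after the first FROM
            out.append(cmd)
            inserted = True
    return "\n".join(out) + "\n"


def parse_version(tag):
    """'3.7.2' -> (3, 7, 2); '3.8' -> (3, 8, 0); non-numeric tags -> None."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", tag)
    if m is None:
        return None
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def next_versions(current_tag, available_tags):
    """Candidate tags: same MAJOR.MINOR with a higher patch first, then newer MAJOR.MINOR."""
    cur = parse_version(current_tag)
    if cur is None:
        return []
    parsed = [(v, t) for v, t in ((parse_version(t), t) for t in available_tags) if v]
    same_minor = sorted((v, t) for v, t in parsed if v[:2] == cur[:2] and v > cur)
    newer_minor = sorted((v, t) for v, t in parsed if v[:2] > cur[:2])
    return [t for _, t in same_minor + newer_minor]


def set_base_tag(dockerfile, new_tag):
    """Rewrite the first FROM instruction to point at new_tag."""
    return FROM_RE.sub(
        lambda m: f"FROM {m.group('image')}:{new_tag}{m.group('rest')}", dockerfile, count=1
    )


def complex_remediation(dockerfile, available_tags, scan):
    """Complex process: Basic process, then walk forward through base image tags
    until scan(image_ref) reports nothing remaining or the candidates run out."""
    image, tag = parse_from(dockerfile)
    candidate = basic_remediation(dockerfile)
    remaining = scan(f"{image}:{tag}")
    for next_tag in next_versions(tag, available_tags):
        if not remaining:
            break
        candidate = set_base_tag(candidate, next_tag)
        tag = next_tag
        remaining = scan(f"{image}:{tag}")
    return f"{image}:{tag}", candidate, remaining


def remediation_patch(original, remediated, path="Dockerfile"):
    """Unified diff suitable for attaching to a suggested-solution merge request."""
    return "".join(difflib.unified_diff(
        original.splitlines(True), remediated.splitlines(True),
        fromfile=f"a/{path}", tofile=f"b/{path}",
    ))


# Constructed sample input (not taken from any real project).
SAMPLE_DOCKERFILE = "FROM alpine:3.7.2\nRUN apk add --no-cache curl\nCOPY app /app\nCMD [\"/app\"]\n"
AVAILABLE_TAGS = ["3.7.1", "3.7.2", "3.7.3", "3.8", "3.9", "3.9.2", "edge"]
# Constructed scanner results: what is still reported after the upgrade step.
CONSTRUCTED_SCAN = {
    "alpine:3.7.2": ["VULN-1", "VULN-2"],
    "alpine:3.7.3": ["VULN-2"],
    "alpine:3.8": [],
    "alpine:3.9": [],
    "alpine:3.9.2": [],
}


def run_sample():
    """Run both processes over the constructed input."""
    basic = basic_remediation(SAMPLE_DOCKERFILE)
    ref, remediated, remaining = complex_remediation(
        SAMPLE_DOCKERFILE, AVAILABLE_TAGS, CONSTRUCTED_SCAN.__getitem__
    )
    return basic, ref, remediated, remaining


if __name__ == "__main__":
    _, ref, remediated, remaining = run_sample()
    print(remediation_patch(SAMPLE_DOCKERFILE, remediated))
    print("base image:", ref, "remaining:", remaining)
```

With the constructed scan table the Complex process stops at `alpine:3.8`, the first tag in the candidate order with nothing left to report; if every candidate were exhausted it would return the last tag tried together with the vulnerabilities that could not be removed, which is the case the Basic process alone can never resolve.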
What does success look like, and how can we measure that?
Number of Container Scanning vulnerabilities fixed by Auto Remediation.