In today’s digital age, software applications and systems face a wide range of security threats. A successful attack can expose sensitive information, take systems down, and cost the business money. Vulnerability scanning tools reduce that risk by detecting known vulnerabilities early so they can be remediated before attackers exploit them.
In this blog, we will discuss two popular vulnerability test tools — Clair and Trivy — that are specifically designed to scan container images for security issues. We will explore the key features of these tools, their benefits, and how to use them to ensure secure containers.
By the end of this blog, you will have a better understanding of how Clair and Trivy can help you identify and remediate security vulnerabilities in your container images, and how you can integrate them into your CI/CD pipeline for automated vulnerability scanning.
Importance of vulnerability testing
Vulnerability testing is important because it helps organizations identify and fix security weaknesses in their systems and software. By doing so, they can prevent attacks, comply with regulatory requirements, improve their overall security posture, and catch problems early, when they are cheapest to fix. Scanning an application before release gives us confidence that it ships without known, fixable vulnerabilities (no scanner can prove an application is free of vulnerabilities; it can only report the ones it knows about), and that confidence carries over to our customers. Ultimately, vulnerability testing is essential for protecting an organization’s sensitive information and reducing the risk of successful attacks.
Benefits of using Clair and Trivy:
How to use Trivy:
In this blog, I will use RHEL to show Trivy usage.
The repo file below configures the Trivy yum repository. Keep gpgcheck=1 and set gpgkey so that yum verifies each package signature against the key the Trivy project publishes for its repository (the gpgkey URL is the one given in Trivy’s installation documentation); with gpgcheck=0, yum would install whatever the mirror serves, unverified.
# cat /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/8/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://aquasecurity.github.io/trivy-repo/rpm/public.key

# yum install trivy -y
To install Trivy on another OS, refer to the Installing Trivy documentation.
Let’s have a look at how to check an image for vulnerabilities with Trivy. The command below pulls docker.io/library/nginx (tag latest, since none is given) and reports the known CVEs for the OS packages and language dependencies it finds in the image layers.
# scan the image for vulnerabilities (and, by default, secrets)
[root@test-machine ~]# trivy image docker.io/library/nginx
2023-02-22T20:38:12.426+0530 INFO Vulnerability scanning is enabled
2023-02-22T20:38:12.426+0530 INFO Secret scanning is enabled
2023-02-22T20:38:12.426+0530 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-02-22T20:38:12.426+0530 INFO Please see also https://aquasecurity.github.io/trivy/v0.37/docs/secret/scanning/#recommendation for faster secret detection
2023-02-22T20:38:19.817+0530 INFO JAR files found
2023-02-22T20:38:19.817+0530 INFO Downloading the Java DB...
407.54 MiB / 407.54 MiB [----------------------------------------------------------------------------------------------------] 100.00% 12.29 MiB p/s 33s
2023-02-22T20:38:56.518+0530 INFO The Java DB is cached for 3 days. If you want to update the database more frequently, the '--reset' flag clears the DB cache.
2023-02-22T20:38:56.519+0530 INFO Analyzing JAR files takes a while...
2023-02-22T20:38:56.532+0530 INFO Detected OS: debian
2023-02-22T20:38:56.532+0530 INFO Detecting Debian vulnerabilities...
2023-02-22T20:38:56.564+0530 INFO Number of language-specific files: 0
docker.io/library/nginx (debian 11.6)
Total: 131 (UNKNOWN: 0, LOW: 87, MEDIUM: 24, HIGH: 19, CRITICAL: 1)
Library        Vulnerability   Severity  Installed Version   Fixed Version  Title / Reference
-------------  --------------  --------  ------------------  -------------  ------------------------------------------------------------
apt            CVE-2011-3374   LOW       2.2.4                              It was found that apt-key in apt, all versions, do not correctly...
                                                                            https://avd.aquasec.com/nvd/cve-2011-3374
bash           CVE-2022-3715   HIGH      5.1-2+deb11u1                      bash: a heap-buffer-overflow in valid_parameter_transform
                                                                            https://avd.aquasec.com/nvd/cve-2022-3715
bsdutils       CVE-2022-0563   LOW       2.36.1-8+deb11u1                   util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled...
                                                                            https://avd.aquasec.com/nvd/cve-2022-0563
coreutils      CVE-2016-2781   LOW       8.32-4                             coreutils: Non-privileged session can escape to the parent session in chroot
                                                                            https://avd.aquasec.com/nvd/cve-2016-2781
coreutils      CVE-2017-18018  LOW       8.32-4                             coreutils: race condition vulnerability in chown and chgrp
                                                                            https://avd.aquasec.com/nvd/cve-2017-18018
curl           CVE-2022-42916  HIGH      7.74.0-1.3+deb11u5                 curl: HSTS bypass via IDN
                                                                            https://avd.aquasec.com/nvd/cve-2022-42916
curl           CVE-2022-43551  HIGH      7.74.0-1.3+deb11u5                 curl: HSTS bypass via IDN
                                                                            https://avd.aquasec.com/nvd/cve-2022-43551
curl           CVE-2023-23916  MEDIUM    7.74.0-1.3+deb11u5                 [curl: HTTP multi-header compression denial of service]
                                                                            https://avd.aquasec.com/nvd/cve-2023-23916
curl           CVE-2021-22922  LOW       7.74.0-1.3+deb11u5                 curl: Content not matching hash in Metalink is not being discarded
                                                                            https://avd.aquasec.com/nvd/cve-2021-22922
curl           CVE-2021-22923  LOW       7.74.0-1.3+deb11u5                 curl: Metalink download sends credentials
                                                                            https://avd.aquasec.com/nvd/cve-2021-22923
curl           CVE-2023-23914  LOW       7.74.0-1.3+deb11u5                 [curl: HSTS ignored on multiple requests]
                                                                            https://avd.aquasec.com/nvd/cve-2023-23914
curl           CVE-2023-23915  LOW       7.74.0-1.3+deb11u5                 [curl: HSTS amnesia with --parallel]
                                                                            https://avd.aquasec.com/nvd/cve-2023-23915
e2fsprogs      CVE-2022-1304   HIGH      1.46.2-2                           e2fsprogs: out-of-bounds read/write via crafted filesystem
                                                                            https://avd.aquasec.com/nvd/cve-2022-1304
libapt-pkg6.0  CVE-2011-3374   LOW       2.2.4                              It was found that apt-key in apt, all versions, do not correctly...
                                                                            https://avd.aquasec.com/nvd/cve-2011-3374
(further rows omitted from the original output)
util-linux     CVE-2022-0563   LOW       2.36.1-8+deb11u1                   util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled...
                                                                            https://avd.aquasec.com/nvd/cve-2022-0563
The command above runs both the vulnerability scanner and the secret scanner (the INFO lines at the top of the output say so). To run only the vulnerability checks, pass --scanners vuln:
# trivy image docker.io/library/nginx --scanners vuln
That output lists vulnerabilities only, so we can focus on them and resolve each one with the information the tool gives: the severity, the installed package version, the version in which the vulnerability is fixed, and a reference link with details. Two things to check in the report before acting on it. First, the Fixed Version column is empty for every row shown above, which means the distribution’s advisory data lists no patched package for that CVE in Debian 11 at scan time; there is nothing to upgrade to yet, so the options are a newer or different base image, a mitigation, or a documented risk acceptance. Findings that do carry a Fixed Version are fixed by upgrading the package in the Dockerfile or rebuilding on an updated base image. Second, the summary line counts one CRITICAL finding that does not appear in the rows shown, so always read the full report (or filter it with --severity CRITICAL,HIGH) rather than the first screen. Trivy’s --ignore-unfixed flag hides findings with no fix available, and --exit-code 1 makes the command fail when findings remain, which is what a pipeline gate needs.
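As an added example (not code from the original post or from the Trivy project), here is a small gate script of the kind that sits between a Trivy run and a pipeline’s pass/fail decision. It assumes the report was written with trivy image --scanners vuln --format json --output report.json docker.io/library/nginx and reads the field names Trivy uses in its JSON output (Results, Target, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity, PrimaryURL). The embedded SAMPLE_REPORT is constructed for the example: three rows copy findings from the nginx table above, CVE-0000-0000 is a placeholder ID (not a real CVE) added so the fix-available path runs, and the second Result mimics a secret-scan result, which has no Vulnerabilities key at all. The gate applies the same policy the paragraph above describes: fail on findings at or above a chosen severity, optionally only when a fixed version exists, and skip IDs that have been reviewed and accepted.

```python
"""Gate a CI build on a Trivy JSON report (added example; not Trivy's code)."""
import json
import sys
from collections import Counter
from typing import Dict, FrozenSet, Iterator, List, Tuple

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
AVD = "https://avd.aquasec.com/nvd/"


def _finding(vid, pkg, installed, fixed, severity, url=""):
    """Build one entry shaped like an element of Trivy's Vulnerabilities list."""
    return {"VulnerabilityID": vid, "PkgName": pkg, "InstalledVersion": installed,
            "FixedVersion": fixed, "Severity": severity, "PrimaryURL": url}


# Constructed sample modelled on the nginx scan in the post; NOT real Trivy output.
# CVE-0000-0000 is a placeholder, not a real CVE; the "secret" Result shows a
# Result that carries no Vulnerabilities key.
SAMPLE_REPORT = {
    "SchemaVersion": 2, "ArtifactName": "docker.io/library/nginx",
    "ArtifactType": "container_image",
    "Results": [
        {"Target": "docker.io/library/nginx (debian 11.6)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             _finding("CVE-2022-3715", "bash", "5.1-2+deb11u1", "", "HIGH", AVD + "cve-2022-3715"),
             _finding("CVE-2022-42916", "curl", "7.74.0-1.3+deb11u5", "", "HIGH", AVD + "cve-2022-42916"),
             _finding("CVE-2011-3374", "apt", "2.2.4", "", "LOW", AVD + "cve-2011-3374"),
             _finding("CVE-0000-0000", "example-pkg", "1.0.0", "1.0.1", "CRITICAL"),
         ]},
        {"Target": "/etc/example/config", "Class": "secret", "Secrets": []},
    ],
}


def iter_vulns(report: dict) -> Iterator[Tuple[str, dict]]:
    """Yield (target, finding) pairs. A Result may have no 'Vulnerabilities'
    key (secret results, or nothing found), so use .get() and treat None as empty."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def summarize(report: dict) -> Dict[str, int]:
    """Per-severity counts, the tally Trivy prints as 'Total: N (...)'."""
    return dict(Counter(v.get("Severity", "UNKNOWN") for _, v in iter_vulns(report)))


def gate(report: dict, fail_on: str = "HIGH", ignore_unfixed: bool = False,
         ignore_ids: FrozenSet[str] = frozenset()) -> List[dict]:
    """Return the findings that should fail the build.

    fail_on        lowest blocking severity (HIGH blocks HIGH and CRITICAL)
    ignore_unfixed skip findings with an empty FixedVersion, the same idea as
                   trivy --ignore-unfixed: there is nothing to upgrade to yet
    ignore_ids     reviewed and accepted IDs; keep them in version control with
                   a justification, as you would a .trivyignore file
    """
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = []
    for target, vuln in iter_vulns(report):
        severity = vuln.get("Severity", "UNKNOWN").upper()
        if SEVERITY_RANK.get(severity, 0) < threshold:
            continue
        if vuln.get("VulnerabilityID") in ignore_ids:
            continue
        fixed = vuln.get("FixedVersion", "")
        if ignore_unfixed and not fixed:
            continue
        blocking.append({"target": target, "id": vuln.get("VulnerabilityID"),
                         "pkg": vuln.get("PkgName"), "installed": vuln.get("InstalledVersion"),
                         "fixed": fixed or "(no fix yet)", "severity": severity,
                         "url": vuln.get("PrimaryURL", "")})
    return blocking


def main(argv: List[str]) -> int:
    """Usage: trivy_gate.py [report.json] [HIGH|CRITICAL]; no file runs the sample."""
    if argv:
        with open(argv[0], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    fail_on = argv[1] if len(argv) > 1 else "HIGH"
    print("summary:", summarize(report))
    blocking = gate(report, fail_on=fail_on, ignore_unfixed=True)
    for b in blocking:
        print(f"{b['severity']:8} {b['id']:16} {b['pkg']} {b['installed']} -> {b['fixed']}  {b['url']}")
    if blocking:
        print(f"FAIL: {len(blocking)} finding(s) at or above {fail_on} with a fix available")
        return 1
    print("PASS")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

For a plain severity gate, Trivy’s own flags (--severity HIGH,CRITICAL --ignore-unfixed --exit-code 1) are enough and need no script; a script like this earns its place when you want the full JSON report kept as a build artifact while applying a policy of your own, such as a reviewed allow-list or a different threshold for findings without a fix.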
In my upcoming blog, I will explain the usage of Clair and also CI/CD integration of Trivy or Clair using Jenkins.
Comparison of Clair and Trivy:
Ultimately the choice depends on your use case and on which tool best fits your requirements.
Let’s have a look at best practices for vulnerability testing
In conclusion, securing container images is critical for maintaining the integrity and security of your applications and systems. With the help of vulnerability test tools like Clair and Trivy, you can scan your container images for security vulnerabilities and remediate them before they are exploited by attackers.
While both tools have their unique features and advantages, they are both powerful and effective at detecting vulnerabilities. By integrating them into your CI/CD pipeline, you can automate the scanning process so that every image is checked on every build, and fail the build when findings exceed the severity you accept.
We hope that this blog has provided you with a comprehensive understanding of Clair and Trivy vulnerability test tools and how they can help you ensure the security of your container images. If you have any questions or comments, please feel free to leave them in the comments section below.
Refer below link for more information.
Disclaimer:
The views expressed and the content shared in all published articles on this website are solely those of the respective authors, and they do not necessarily reflect the views of the author’s employer or the techbeatly platform. We strive to ensure the accuracy and validity of the content published on our website. However, we cannot guarantee the absolute correctness or completeness of the information provided. It is the responsibility of the readers and users of this website to verify the accuracy and appropriateness of any information or opinions expressed within the articles. If you come across any content that you believe to be incorrect or invalid, please contact us immediately so that we can address the issue promptly.
Tags: clair · devopssecurity · dockersecurity · kubernetes · kubernetessecurity · opensource · secops · trivy · vulnerabilityscanning
Nikhil Kumar
Nikhil Kumar is a DevOps Engineer with 5 years of experience in the field. Alongside a successful career in technology, he has also cultivated a passion for writing, having authored several articles and blogs on the subjects of DevOps and the Cloud. With a keen interest in exploring the intersection of technology and the written word, he brings a unique perspective to the conversation.