---
tags: Blogs, Uncompleted
---
# Container Image Scanning (Vuln/SBOM) Challenge - Capturing the "main" program
Tools that enumerate the software installed inside container images, for example vulnerability scanners or SBOM generators, typically use two main approaches:
- Assess operating system packages, using the package database of that distribution (e.g. `apk`, `dpkg`, `rpm`)
- Assess the packages installed by programming language tooling, via the package manifests (e.g. `go.mod`, `Gemfile`, `package-lock.json`)
  - There's a sub-case here in that for Golang specifically some tools can extract dependency information directly from the compiled binaries, because the Go toolchain embeds the module list in every binary it builds.
There's a potential gap here in that neither approach captures programs that arrived in the image some other way (copied in during the build, downloaded as a tarball, compiled from source), which is very often how the main program in an image gets there.
To give a worked example, let's use the `grafana/grafana` image from Docker Hub.
If we use an SBOM tool like [syft](https://github.com/anchore/syft) (**N.B.** syft is just the example here; I don't think this is an issue specific to any one tool), `grafana` itself doesn't appear in the package listing, although a number of Go libraries from the project (`github.com/grafana/loki`, `github.com/grafana/grafana-plugin-sdk-go` and so on) do (package list [here](https://hackmd.io/1I7Pdx0dTQSzxkNvn5O8HQ#Appendix-A---Syft-Package-List-for-grafanagrafana)).
This is also a problem for container vulnerability scanning tools. If we use [Trivy](https://github.com/aquasecurity/trivy) as an example and scan a version of this image with known vulnerabilities (e.g. version 8.3.4, which should be vulnerable to [CVE-2022-21702](https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g)), we get back findings for libraries compiled into the `grafana-server` and `grafana-cli` binaries (Trivy reads the embedded Go module list, hence the `gobinary` sections in the output) but not this CVE in the main program itself, and nothing at all at the OS package level (vulnerability list [here](https://hackmd.io/1I7Pdx0dTQSzxkNvn5O8HQ#Appendix-B---Trivy-scan-of-grafanagrafana834)).
## Problem and possible solutions
So the problem is that the tools which inspect container images have a fixed set of techniques for identifying software and vulnerabilities, and these techniques don't cover every way software ends up in an image.
Specifically they don't account for software which is added to the image directly, without going through a Linux or language package manager. This is quite likely to be the case for the main program in the image, which is also the component whose vulnerabilities the image's users most need to know about.
In terms of solutions, one option would be for image owners to ensure that they use package managers to install their programs, so that the main program shows up in the OS package database. This would face several issues depending on the base image used: minimal bases such as `scratch` or distroless images have no package manager or package database at all, and on the others the maintainer would have to build and keep up a distribution package just to get the metadata recorded.
Alternatively tools could rely on the image name and tag, however this is probably not a good mechanism: tags are mutable (`latest`, or a tag re-pushed after a rebuild), images get re-tagged when mirrored into private registries, and the tag is unlikely to always reflect the package and version of the "main" program.
Another option could be for there to be a conventional place to record the name and version of the main program. This could either be a file in the image at a conventional location, or an annotation or label on the image itself. For the metadata route some of the pre-defined [OCI annotations](https://github.com/opencontainers/image-spec/blob/main/annotations.md) would fit directly: `org.opencontainers.image.title`, `org.opencontainers.image.version`, `org.opencontainers.image.source` and `org.opencontainers.image.revision` (all of which can be set with a `LABEL` instruction in a Dockerfile). A scanner could then report the main program as "`title` at `version`" and match it against advisories, with the caveat that an annotation is only as trustworthy as whoever built the image, since nothing ties it to the binary actually present in the layers.
This is not a new problem of course, so there have been discussions about how to solve it before, like [this OSSF issue](https://github.com/ossf/wg-vulnerability-disclosures/issues/76).
For the Golang ecosystem specifically [this feature request](https://github.com/golang/go/issues/50603) could improve matters, since it concerns recording the main module's version in the binary, where today binary-aware tools only see a `(devel)` placeholder for it.
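The following Go program is an added example written for this note; it is not code from Grafana, syft or Trivy. It shows both halves of the discussion above: why a binary-aware scanner can list every dependency of `grafana-server` yet has nothing to say about Grafana itself, and how the OCI-annotation fallback would plug that gap. The build-info text is constructed in the format that `go version -m <binary>` prints (the dependency versions are the ones from the appendices, the main-package path is assumed, and `(devel)` is what the toolchain stamps for a main module built with plain `go build`); the annotation keys are the real pre-defined OCI keys but the values are constructed. Given a path argument it reads a real binary via `debug/buildinfo` instead (Go 1.18+).

```go
// Added example: how a binary-aware scanner sees a Go program, and why the
// main module falls through the gap. Not code from Grafana, syft or Trivy.
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
)

// Package is one row an SBOM generator would emit.
type Package struct {
	Name    string
	Version string
	Source  string // "go-module" (from build info) or "oci-annotation" (fallback)
}

// sampleBuildInfo is CONSTRUCTED for this example, in the tab-separated text
// format that `go version -m <binary>` prints (path / mod / dep lines).
// Dependency versions match the syft and Trivy output in the appendices; the
// main-package path is assumed; "(devel)" is what the Go toolchain records for
// a main module compiled with plain `go build`, e.g. inside a Dockerfile.
const sampleBuildInfo = "path\tgithub.com/grafana/grafana/pkg/cmd/grafana-server\n" +
	"mod\tgithub.com/grafana/grafana\t(devel)\n" +
	"dep\tgithub.com/grafana/loki\tv1.6.2-0.20211015002020-7832783b1caa\n" +
	"dep\tgithub.com/prometheus/prometheus\tv1.8.2-0.20211011171444-354d8d2ecfac\n"

// LoadBuildInfo reads the embedded build info from a Go binary on disk (e.g.
// one copied out of an image with `docker cp`), or parses the constructed
// sample when path is empty.
func LoadBuildInfo(path string) (*debug.BuildInfo, error) {
	if path == "" {
		return debug.ParseBuildInfo(sampleBuildInfo)
	}
	return buildinfo.ReadFile(path)
}

// hasUsableVersion reports whether a version string can be matched against a
// vulnerability database. "(devel)" carries no version information at all.
func hasUsableVersion(v string) bool {
	return v != "" && v != "(devel)"
}

// ExtractPackages mirrors what the Go-binary cataloguers in SBOM and vuln
// scanners do: every dependency becomes a versioned package. The main module
// is emitted only if it has a real version; otherwise its path is returned so
// the caller knows exactly what went missing from the inventory.
func ExtractPackages(bi *debug.BuildInfo) (pkgs []Package, unversionedMain string) {
	for _, d := range bi.Deps {
		pkgs = append(pkgs, Package{Name: d.Path, Version: d.Version, Source: "go-module"})
	}
	if hasUsableVersion(bi.Main.Version) {
		pkgs = append(pkgs, Package{Name: bi.Main.Path, Version: bi.Main.Version, Source: "go-module"})
		return pkgs, ""
	}
	return pkgs, bi.Main.Path
}

// FillFromAnnotations is the "conventional place" fallback from the note: if
// the image carries the pre-defined OCI annotation keys (key names are real;
// the values would come from the image manifest or config, here supplied by
// the caller), use them to name and version the main program. Without a
// version annotation the gap remains and nothing is added.
func FillFromAnnotations(pkgs []Package, unversionedMain string, annotations map[string]string) []Package {
	if unversionedMain == "" {
		return pkgs
	}
	version := annotations["org.opencontainers.image.version"]
	if version == "" {
		return pkgs
	}
	name := annotations["org.opencontainers.image.title"]
	if name == "" {
		name = unversionedMain
	}
	return append(pkgs, Package{Name: name, Version: version, Source: "oci-annotation"})
}

func main() {
	path := ""
	if len(os.Args) > 1 {
		path = os.Args[1] // usage: go run . /path/to/grafana-server
	}
	bi, err := LoadBuildInfo(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read build info:", err)
		os.Exit(1)
	}
	pkgs, missing := ExtractPackages(bi)
	// Constructed annotation values, standing in for what `docker inspect`
	// or the OCI manifest would return for a correctly labelled image.
	annotations := map[string]string{
		"org.opencontainers.image.title":   "grafana",
		"org.opencontainers.image.version": "8.3.4",
	}
	if missing != "" {
		fmt.Printf("main module %s has no usable version in build info\n", missing)
	}
	for _, p := range FillFromAnnotations(pkgs, missing, annotations) {
		fmt.Printf("%-40s %-40s %s\n", p.Name, p.Version, p.Source)
	}
}
```

Run it without arguments to see the constructed case: the two dependencies come out with matchable versions, the main module is flagged, and only the annotation fallback produces a `grafana 8.3.4` row. Point it at a real Go binary copied out of an image to see what the toolchain actually stamped; if the `mod` line shows `(devel)`, that binary is invisible to version matching regardless of which scanner runs.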
### Appendix A - Syft Package List for grafana/grafana
```
NAME VERSION TYPE
alpine-baselayout 3.2.0-r18 apk
alpine-keys 2.4-r1 apk
apk-tools 2.12.7-r3 apk
bash 5.1.8-r0 apk
busybox 1.34.1-r3 apk
ca-certificates 20211220-r0 apk
ca-certificates-bundle 20191127-r7 apk
cloud.google.com/go v0.97.0 go-module
cloud.google.com/go/kms v1.1.0 go-module
cloud.google.com/go/storage v1.14.0 go-module
cuelang.org/go v0.4.0 go-module
github.com/Azure/azure-sdk-for-go v57.1.0+incompatible go-module
github.com/Azure/azure-sdk-for-go/sdk/azcore v0.19.0 go-module
github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.10.0 go-module
github.com/Azure/azure-sdk-for-go/sdk/internal v0.7.0 go-module
github.com/Azure/go-autorest/autorest v0.11.20 go-module
github.com/Azure/go-autorest/autorest/adal v0.9.15 go-module
github.com/Azure/go-autorest/autorest/date v0.3.0 go-module
github.com/Azure/go-autorest/autorest/to v0.4.0 go-module
github.com/Azure/go-autorest/autorest/validation v0.3.1 go-module
github.com/Azure/go-autorest/logger v0.2.1 go-module
github.com/Azure/go-autorest/tracing v0.6.0 go-module
github.com/BurntSushi/toml v0.3.1 go-module
github.com/FZambia/eagle v0.0.1 go-module
github.com/FZambia/sentinel v1.1.0 go-module
github.com/Masterminds/semver v1.5.0 go-module
github.com/PuerkitoBio/purell v1.1.1 go-module
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 go-module
github.com/VividCortex/mysqlerr v0.0.0-20170204212430-6c6b55f8796f go-module
github.com/alecthomas/units v0.0.0-20210912230133-d1bdfacee922 go-module
github.com/andybalholm/brotli v1.0.3 go-module
github.com/apache/arrow/go/arrow v0.0.0-20211112161151-bc219186db40 go-module
github.com/armon/go-metrics v0.3.8 go-module
github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d go-module
github.com/aws/aws-sdk-go v1.40.37 go-module
github.com/beevik/etree v1.1.0 go-module
github.com/benbjohnson/clock v1.1.0 go-module
github.com/beorn7/perks v1.0.1 go-module
github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b go-module
github.com/buger/jsonparser v1.1.1 go-module
github.com/c2h5oh/datasize v0.0.0-20200112174442-28bbd4740fee go-module
github.com/cenkalti/backoff/v4 v4.1.1 go-module
github.com/centrifugal/centrifuge v0.19.0 go-module
github.com/centrifugal/protocol v0.7.6 go-module
github.com/cespare/xxhash/v2 v2.1.2 go-module
github.com/cheekybits/genny v1.0.0 go-module
github.com/cockroachdb/apd/v2 v2.0.2 go-module
github.com/cortexproject/cortex v1.10.1-0.20211014125347-85c378182d0d go-module
github.com/cpuguy83/go-md2man/v2 v2.0.0 go-module
github.com/davecgh/go-spew v1.1.1 go-module
github.com/deepmap/oapi-codegen v1.8.2 go-module
github.com/dennwc/varint v1.0.0 go-module
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f go-module
github.com/dlclark/regexp2 v1.4.1-0.20201116162257-a2a8dda75c91 go-module
github.com/docker/go-units v0.4.0 go-module
github.com/dop251/goja v0.0.0-20210804101310-32956a348b49 go-module
github.com/dustin/go-humanize v1.0.0 go-module
github.com/edsrzf/mmap-go v1.0.0 go-module
github.com/emicklei/proto v1.6.15 go-module
github.com/fatih/color v1.10.0 go-module
github.com/felixge/httpsnoop v1.0.2 go-module
github.com/gchaincl/sqlhooks v1.3.0 go-module
github.com/getsentry/sentry-go v0.10.0 go-module
github.com/go-kit/kit v0.11.0 go-module
github.com/go-kit/log v0.1.0 go-module
github.com/go-logfmt/logfmt v0.5.1 go-module
github.com/go-openapi/analysis v0.20.1 go-module
github.com/go-openapi/errors v0.20.0 go-module
github.com/go-openapi/jsonpointer v0.19.5 go-module
github.com/go-openapi/jsonreference v0.19.6 go-module
github.com/go-openapi/loads v0.20.2 go-module
github.com/go-openapi/runtime v0.19.29 go-module
github.com/go-openapi/spec v0.20.4 go-module
github.com/go-openapi/strfmt v0.20.2 go-module
github.com/go-openapi/swag v0.19.15 go-module
github.com/go-openapi/validate v0.20.2 go-module
github.com/go-redis/redis/v8 v8.11.4 go-module
github.com/go-sourcemap/sourcemap v2.1.3+incompatible go-module
github.com/go-sql-driver/mysql v1.6.0 go-module
github.com/go-stack/stack v1.8.0 go-module
github.com/gobwas/glob v0.2.3 go-module
github.com/gofrs/uuid v4.0.0+incompatible go-module
github.com/gogo/googleapis v1.4.1 go-module
github.com/gogo/protobuf v1.3.2 go-module
github.com/gogo/status v1.1.0 go-module
github.com/golang-jwt/jwt/v4 v4.0.0 go-module
github.com/golang-migrate/migrate/v4 v4.7.0 go-module
github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe go-module
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b go-module
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da go-module
github.com/golang/mock v1.6.0 go-module
github.com/golang/protobuf v1.5.2 go-module
github.com/golang/snappy v0.0.4 go-module
github.com/gomodule/redigo v2.0.0+incompatible go-module
github.com/google/btree v1.0.1 go-module
github.com/google/flatbuffers v2.0.0+incompatible go-module
github.com/google/go-cmp v0.5.7 go-module
github.com/google/uuid v1.3.0 go-module
github.com/google/wire v0.5.0 go-module
github.com/googleapis/gax-go/v2 v2.1.1 go-module
github.com/gorilla/mux v1.8.0 go-module
github.com/gorilla/websocket v1.4.2 go-module
github.com/gosimple/slug v1.9.0 go-module
github.com/grafana/cuetsy v0.0.0-20211119211437-8c25464cc9bf go-module
github.com/grafana/dskit v0.0.0-20211011144203-3a88ec0b675f go-module
github.com/grafana/go-mssqldb v0.0.0-20210326084033-d0ce3c521036 go-module
github.com/grafana/grafana-aws-sdk v0.10.0 go-module
github.com/grafana/grafana-google-sdk-go v0.0.0-20211104130251-b190293eaf58 go-module
github.com/grafana/grafana-plugin-sdk-go v0.125.0 go-module
github.com/grafana/loki v1.6.2-0.20211015002020-7832783b1caa go-module
github.com/grafana/saml v0.0.0-20211007135653-aed1b2edd86b go-module
github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 go-module
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20191002090509-6af20e3a5340 go-module
github.com/hashicorp/errwrap v1.0.0 go-module
github.com/hashicorp/go-hclog v0.16.1 go-module
github.com/hashicorp/go-immutable-radix v1.3.0 go-module
github.com/hashicorp/go-msgpack v0.5.5 go-module
github.com/hashicorp/go-multierror v1.1.0 go-module
github.com/hashicorp/go-plugin v1.4.3 go-module
github.com/hashicorp/go-sockaddr v1.0.2 go-module
github.com/hashicorp/go-version v1.3.0 go-module
github.com/hashicorp/golang-lru v0.5.4 go-module
github.com/hashicorp/memberlist v0.2.4 go-module
github.com/hashicorp/yamux v0.0.0-20210826001029-26ff87cf9493 go-module
github.com/igm/sockjs-go/v3 v3.0.1 go-module
github.com/influxdata/influxdb-client-go/v2 v2.6.0 go-module
github.com/influxdata/line-protocol v0.0.0-20210311194329-9aa0e372d097 go-module
github.com/jessevdk/go-flags v1.5.0 go-module
github.com/jmespath/go-jmespath v0.4.0 go-module
github.com/jonboulle/clockwork v0.2.2 go-module
github.com/josharian/intern v1.0.0 go-module
github.com/jpillora/backoff v1.0.0 go-module
github.com/json-iterator/go v1.1.12 go-module
github.com/jung-kurt/gofpdf v1.16.2 go-module
github.com/klauspost/compress v1.13.1 go-module
github.com/lib/pq v1.10.0 go-module
github.com/linkedin/goavro/v2 v2.10.0 go-module
github.com/m3db/prometheus_remote_client_golang v0.4.4 go-module
github.com/magefile/mage v1.11.0 go-module
github.com/mailru/easyjson v0.7.7 go-module
github.com/mattermost/xml-roundtrip-validator v0.1.0 go-module
github.com/mattetti/filebuffer v1.0.1 go-module
github.com/mattn/go-colorable v0.1.8 go-module
github.com/mattn/go-isatty v0.0.12 go-module
github.com/mattn/go-runewidth v0.0.9 go-module
github.com/mattn/go-sqlite3 v1.14.7 go-module
github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 go-module
github.com/miekg/dns v1.1.43 go-module
github.com/mitchellh/go-testing-interface v1.14.0 go-module
github.com/mitchellh/mapstructure v1.4.1 go-module
github.com/mna/redisc v1.3.2 go-module
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd go-module
github.com/modern-go/reflect2 v1.0.2 go-module
github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de go-module
github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f go-module
github.com/ohler55/ojg v1.12.9 go-module
github.com/oklog/run v1.1.0 go-module
github.com/oklog/ulid v1.3.1 go-module
github.com/olekukonko/tablewriter v0.0.5 go-module
github.com/opentracing-contrib/go-grpc v0.0.0-20210225150812-73cb765af46e go-module
github.com/opentracing-contrib/go-stdlib v1.0.0 go-module
github.com/opentracing/opentracing-go v1.2.0 go-module
github.com/patrickmn/go-cache v2.1.0+incompatible go-module
github.com/pierrec/lz4/v4 v4.1.8 go-module
github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 go-module
github.com/pkg/errors v0.9.1 go-module
github.com/pmezard/go-difflib v1.0.0 go-module
github.com/prometheus/alertmanager v0.23.1-0.20211116083607-e2a10119aaf7 go-module
github.com/prometheus/client_golang v1.12.1 go-module
github.com/prometheus/client_model v0.2.0 go-module
github.com/prometheus/common v0.32.1 go-module
github.com/prometheus/common/sigv4 v0.1.0 go-module
github.com/prometheus/exporter-toolkit v0.7.0 go-module
github.com/prometheus/node_exporter v1.0.0-rc.0.0.20200428091818-01054558c289 go-module
github.com/prometheus/procfs v0.7.3 go-module
github.com/prometheus/prometheus v1.8.2-0.20211011171444-354d8d2ecfac go-module
github.com/protocolbuffers/txtpbfmt v0.0.0-20201118171849-f6a6b3f636fc go-module
github.com/rainycape/unidecode v0.0.0-20150907023854-cb7f23ec59be go-module
github.com/robfig/cron v0.0.0-20180505203441-b41be1df6967 go-module
github.com/robfig/cron/v3 v3.0.1 go-module
github.com/rs/cors v1.8.0 go-module
github.com/russellhaering/goxmldsig v1.1.1 go-module
github.com/russross/blackfriday/v2 v2.0.1 go-module
github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 go-module
github.com/segmentio/asm v1.1.1 go-module
github.com/segmentio/encoding v0.3.2 go-module
github.com/sercand/kuberesolver v2.4.0+incompatible go-module
github.com/sergi/go-diff v1.0.0 go-module
github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749 go-module
github.com/shurcooL/sanitized_anchor_name v1.0.0 go-module
github.com/shurcooL/vfsgen v0.0.0-20200824052919-0d455de96546 go-module
github.com/sirupsen/logrus v1.8.1 go-module
github.com/stretchr/objx v0.2.0 go-module
github.com/stretchr/testify v1.7.0 go-module
github.com/teris-io/shortid v0.0.0-20171029131806-771a37caa5cf go-module
github.com/ua-parser/uap-go v0.0.0-20211112212520-00c877edfe0f go-module
github.com/uber/jaeger-client-go v2.29.1+incompatible go-module
github.com/uber/jaeger-lib v2.4.1+incompatible go-module
github.com/unknwon/com v1.0.1 go-module
github.com/urfave/cli/v2 v2.3.0 go-module
github.com/valyala/bytebufferpool v1.0.0 go-module
github.com/vectordotdev/go-datemath v0.1.1-0.20220110192739-f9ce83ec349f go-module
github.com/weaveworks/common v0.0.0-20210913144402-035033b78a78 go-module
github.com/weaveworks/promrus v1.2.0 go-module
github.com/yudai/gojsondiff v1.0.0 go-module
github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 go-module
glibc 2.30-r0 apk
glibc-bin 2.30-r0 apk
go.mongodb.org/mongo-driver v1.7.0 go-module
go.opencensus.io v0.23.0 go-module
go.opentelemetry.io/collector v0.31.0 go-module
go.opentelemetry.io/collector/model v0.31.0 go-module
go.opentelemetry.io/otel v1.2.0 go-module
go.opentelemetry.io/otel/exporters/jaeger v1.0.0 go-module
go.opentelemetry.io/otel/sdk v1.0.0 go-module
go.opentelemetry.io/otel/trace v1.2.0 go-module
go.uber.org/atomic v1.9.0 go-module
go.uber.org/goleak v1.1.10 go-module
golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e go-module
golang.org/x/net v0.0.0-20211013171255-e13a2654a71e go-module
golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f go-module
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c go-module
golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 go-module
golang.org/x/text v0.3.7 go-module
golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac go-module
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 go-module
gonum.org/v1/gonum v0.9.3 go-module
google.golang.org/api v0.58.0 go-module
google.golang.org/genproto v0.0.0-20211018162055-cf77aa76bad2 go-module
google.golang.org/grpc v1.41.0 go-module
google.golang.org/protobuf v1.27.1 go-module
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d go-module
gopkg.in/ini.v1 v1.62.0 go-module
gopkg.in/ldap.v3 v3.1.0 go-module
gopkg.in/mail.v2 v2.3.1 go-module
gopkg.in/square/go-jose.v2 v2.5.1 go-module
gopkg.in/yaml.v2 v2.4.0 go-module
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b go-module
keyutils-libs 1.6.3-r0 apk
krb5-conf 1.0-r2 apk
krb5-libs 1.19.2-r4 apk
libaio 0.3.112-r1 apk
libc-utils 0.7.2-r3 apk
libcom_err 1.46.4-r0 apk
libcrypto1.1 1.1.1l-r7 apk
libgcc 10.3.1_git20211027-r0 apk
libintl 0.21-r0 apk
libnsl 1.3.0-r0 apk
libretls 3.3.4-r2 apk
libssl1.1 1.1.1l-r7 apk
libtirpc 1.3.2-r0 apk
libtirpc-conf 1.3.2-r0 apk
libverto 0.3.2-r0 apk
musl 1.2.2-r7 apk
musl-utils 1.2.2-r7 apk
ncurses-libs 6.3_p20220212-r0 apk
ncurses-terminfo-base 6.3_p20220212-r0 apk
openssl 1.1.1m-r2 apk
readline 8.1.1-r0 apk
scanelf 1.3.3-r0 apk
ssl_client 1.34.1-r3 apk
tzdata 2021e-r0 apk
xorm.io/builder v0.3.6 go-module
xorm.io/core v0.7.3 go-module
xorm.io/xorm v0.8.2 go-module
zlib 1.2.11-r3 apk
```
### Appendix B - Trivy scan of grafana/grafana:8.3.4
```
grafana/grafana:8.3.4 (alpine 3.15.0)
=====================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

usr/share/grafana/bin/grafana-cli (gobinary)
============================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+----------------------------------+------------------+----------+--------------------------------------+---------------+--------------------------------------+
| LIBRARY                          | VULNERABILITY ID | SEVERITY | INSTALLED VERSION                    | FIXED VERSION | TITLE                                |
+----------------------------------+------------------+----------+--------------------------------------+---------------+--------------------------------------+
| github.com/prometheus/prometheus | CVE-2019-3826    | MEDIUM   | v1.8.2-0.20211011171444-354d8d2ecfac | v2.7.1        | prometheus: Stored DOM               |
|                                  |                  |          |                                      |               | cross-site scripting (XSS)           |
|                                  |                  |          |                                      |               | attack via crafted URL               |
|                                  |                  |          |                                      |               | -->avd.aquasec.com/nvd/cve-2019-3826 |
+----------------------------------+------------------+----------+--------------------------------------+---------------+--------------------------------------+

usr/share/grafana/bin/grafana-server (gobinary)
===============================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
+----------------------------------+------------------+----------+--------------------------------------+---------------+---------------------------------------+
| LIBRARY                          | VULNERABILITY ID | SEVERITY | INSTALLED VERSION                    | FIXED VERSION | TITLE                                 |
+----------------------------------+------------------+----------+--------------------------------------+---------------+---------------------------------------+
| github.com/grafana/loki          | CVE-2021-36156   | MEDIUM   | v1.6.2-0.20211015002020-7832783b1caa | v2.3.0        | Path Traversal                        |
|                                  |                  |          |                                      |               | -->avd.aquasec.com/nvd/cve-2021-36156 |
+----------------------------------+------------------+          +--------------------------------------+---------------+---------------------------------------+
| github.com/prometheus/prometheus | CVE-2019-3826    |          | v1.8.2-0.20211011171444-354d8d2ecfac | v2.7.1        | prometheus: Stored DOM                |
|                                  |                  |          |                                      |               | cross-site scripting (XSS)            |
|                                  |                  |          |                                      |               | attack via crafted URL                |
|                                  |                  |          |                                      |               | -->avd.aquasec.com/nvd/cve-2019-3826  |
+----------------------------------+------------------+----------+--------------------------------------+---------------+---------------------------------------+
```