On The Relation Between Outdated Docker Containers, Severity Vulnerabilities and Bugs

[en] Packaging software into containers is becoming a common practice when deploying services in cloud and other environments. Docker images are one of the most popular container technologies for building and deploying containers. A container image usually includes a collection of software packages, that can have bugs and security vulnerabilities that affect the container health. Our goal is to support container deployers by analysing the relation between outdated containers and vulnerable and buggy packages installed in them. We use the concept of technical lag of a container as the difference between a given container and the most up-to-date container that is possible with the most recent releases of the same collection of packages. For 7,380 official and community Docker images that are based on the Debian Linux distribution, we identify which software packages are installed in them and measure their technical lag in terms of version updates, security vulnerabilities and bugs. We have found, among others, that no release is devoid of vulnerabilities, so deployers cannot avoid vulnerabilities even if they deploy the most recent packages. We offer some lessons learned for container developers in regard to the strategies they can follow to minimize the number of vulnerabilities. We argue that Docker container scan and security management tools should improve their platforms by adding data about other kinds of bugs and include the measurement of technical lag to offer deployers information of when to update.

Disciplines :

Computer science
Electrical & electronics engineering

Author, co-author :

Zerouali, Ahmed ; Université de Mons > Faculté des Sciences > Service de Génie Logiciel

Mens, Tom ; Université de Mons > Faculté des Sciences > Service de Génie Logiciel

Robles, Gregorio

Gonzalez-Barahona, Jesus

Language :

English

Title :

On The Relation Between Outdated Docker Containers, Severity Vulnerabilities and Bugs

Publication date :

24 February 2019

Event name :

IEEE International Conference on Software Analysis, Evolution, and Reengineering

Event place :

Hangzhou, China

Event date :

2019

Research unit :

S852 - Génie Logiciel

Research institute :

R300 - Institut de Recherche en Technologies de l'Information et Sciences de l'Informatique

Name of the research project :

Automated Assistance for Developing Software in Ecosystems of the Future - Fédération Wallonie Bruxelles

Available on ORBi UMONS :

since 14 December 2018

Statistics

Number of views

4 (0 by UMONS)

Number of downloads

0 (0 by UMONS)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

Bibliography

Anchore.io. Snapshot of the container ecosystem. https://anchore.com/wp-content/uploads/2017/04/Anchore-Container-Survey-5.pdf, April 2017. accessed: 01/01/2018.
D. Bernstein. Containers and cloud: From LXC to Docker to Kubernetes. IEEE Cloud Computing, 1(3):81-84, 2014.
A. Bettini. Vulnerability exploitation in Docker container environments. https://www.blackhat.com/docs/eu-15/materials/eu-15-Bettini-Vulnerability-Exploitation-In-Docker-Container-Environmentswp.pdf, 2015. accessed: 01/01/2018.
C. Boettiger. An introduction to Docker for reproducible research. ACM SIGOPS Operating Systems Review, 49(1):71-79, 2015.
J. Cito, G. Schermann, J. E. Wittern, P. Leitner, S. Zumberi, and H. C. Gall. An empirical analysis of the Docker container ecosystem on GitHub. In 14th Intl Conf on Mining Software Repositories, pages 323-333. IEEE Press, 2017.
J. Cox, E. Bouwers, M. van Eekelen, and J. Visser. Measuring dependency freshness in software systems. In International Conference on Software Engineering, pages 109-118. IEEE Press, 2015.
A. Decan, T. Mens, and E. Constantinou. On the evolution of technical lag in the npm package dependency network. In Intl Conf. Software Maintenance and Evolution (ICSME), pages 404-414. IEEE, September 2018.
A. Decan, T. Mens, and E. Constantinou. On the impact of security vulnerabilities in the npm package dependency network. In International Conference on Mining Software Repositories, 2018.
Fintan Ryan. Containers in production-is security a barrier? A dataset from Anchore. http://redmonk.com/fryan/2016/12/01/containers-inproduction-is-security-A-barrier-A-dataset-from-Anchore/, December 2016. accessed: 01/01/2018.
M. K. Goel, P. Khanna, and J. Kishore. Understanding survival analysis: Kaplan-meier estimate. International journal of Ayurveda research, 1(4):274, 2010.
J. M. Gonzalez-Barahona, G. Robles, M. Michlmayr, J. J. Amor, and D. M. German. Macro-level software evolution: A case study of a large software compilation. Empirical Software Engineering, 14(3):262-285, 2009.
J. M. Gonzalez-Barahona, P. Sherwood, G. Robles, and D. Izquierdo. Technical lag in software compilations: Measuring how outdated a software deployment is. In IFIP International Conference on Open Source Systems, pages 182-192. Springer, 2017.
Jeremy Valance. Improving open source security with anchore and snyk. https://anchore.com/blog/improving-open-source-security-withanchore-snyk. accessed: 21/12/2018.
R. G. Kula, D. M. German, A. Ouni, T. Ishio, and K. Inoue. Do developers update their library dependencies? Empirical Software Engineering, 23(1):384-417, 2017.
T. Lauinger, A. Chaabane, S. Arshad, W. Robertson, C. Wilson, and E. Kirda. Thou shalt not depend on me: Analysing the use of outdated JavaScript libraries on the web. In NDSS Symposium, 2017.
B. Lin, G. Robles, and A. Serebrenik. Developer turnover in global, industrial open source projects: Insights from applying survival analysis. In International Conference on Global Software Engineering, pages 66-75. IEEE, 2017.
D. Merkel. Docker: lightweight Linux containers for consistent development and deployment. Linux Journal, 2014(239):2, 2014.
A. Mouat. Using Docker: Developing and Deploying Software with Containers. OReilly Media, Inc., 2015.
A. Zerouali, T. Mens, G. Robles, and J. Gonzalez-Barahona. On the relation between outdated docker containers, severity vulnerabilities and bugs. arXiv preprint arXiv:1811.12874, 2018.
L. Nussbaum and S. Zacchiroli. The ultimate Debian database: Consolidating bazaar metadata for quality assurance and data mining. In Working Conference on Mining Software Repositories, pages 52-61, 2010.
I. Samoladas, L. Angelis, and I. Stamelos. Survival analysis on the duration of open source projects. Information and Software Technology, 52(9):902-922, 2010.
G. Scanniello. Source code survival with the Kaplan Meier estimator. In International Conference on Software Maintenance and Evolution, pages 524-527. IEEE, 2011.
R. Shu, X. Gu, and W. Enck. A study of security vulnerabilities on Docker Hub. In International Conference on Data and Application Security and Privacy, pages 269-280. ACM, 2017.
J. Turnbull. The Docker Book: Containerization is the new virtualization. 2014.
S. Zaman, B. Adams, and A. E. Hassan. Security versus performance bugs: A case study on Firefox. In 8th Working Conference on Mining Software Repositories, pages 93-102. ACM, 2011.
A. Zerouali, E. Constantinou, T. Mens, G. Robles, and J. Gonźalez-Barahona. An empirical analysis of technical lag in npm package dependencies. In International Conference on Software Reuse, pages 95-110. Springer, 2018.