A Tool to Analyze Packages in Software Containers

Zerouali, Ahmed; Cosentino, Valerio; Robles, Gregorio; Gonzalez-Barahona, Jesus; Mens, Tom

Request a copy

Paper published in a journal (Scientific congresses and symposiums)

A Tool to Analyze Packages in Software Containers

Zerouali, Ahmed; Cosentino, Valerio; Robles, Gregorio et al.

2019

Permalink
https://hdl.handle.net/20.500.12907/25548

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

msr2019-ConPan-Zerouali.pdf

Author preprint (239.89 kB)

Request a copy

All documents in ORBi UMONS are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

[en] security vulnerability; [en] Docker

Abstract :

[en] Deploying software packages and services into containers is a popular software engineering practice that increases portability and reusability. Docker, the most popular containerization technology, helps DevOps practitioners in their daily activities. Despite being successfully and increasingly employed, containers may include buggy and vulnerable packages that put at risk the environments in which the containers have been deployed. Existing quality and security monitoring tools provide only limited support to analyze Docker containers, thus forcing practitioners to perform additional manual work or develop ad-hoc scripts when the analysis goes beyond security purposes. This limitation also affects researchers desiring to empirically study the evolution dynamics of Docker containers and their contained packages. To overcome this limitation, we present ConPan, an automated tool to inspect the characteristics of packages in Docker containers, such as their outdatedness and other possible flaws (e.g., bugs and security vulnerabilities). ConPan comes with a CLI and API, and the analysis results can be presented to the user in a variety of formats.

Disciplines :

Computer science
Electrical & electronics engineering

Author, co-author :

Zerouali, Ahmed ; Université de Mons > Faculté des Sciences > Service de Génie Logiciel

Cosentino, Valerio

Robles, Gregorio

Gonzalez-Barahona, Jesus

Mens, Tom ; Université de Mons > Faculté des Sciences > Service de Génie Logiciel

Language :

English

Title :

A Tool to Analyze Packages in Software Containers

Publication date :

07 June 2019

Event name :

IEEE Working Conference on Mining Software Repositories

Event place :

Montreal, Canada

Event date :

2019

Research unit :

S852 - Génie Logiciel

Research institute :

R300 - Institut de Recherche en Technologies de l'Information et Sciences de l'Informatique
R150 - Institut de Recherche sur les Systèmes Complexes

Name of the research project :

"Software ENgineering in Enterprise Cloud Applications systems" - Sources publiques européennes

Available on ORBi UMONS :

since 07 June 2019

Statistics

Number of views

14 (2 by UMONS)

Number of downloads

1 (1 by UMONS)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

Bibliography

J. Turnbull, The Docker Book: Containerization is the new virtualization. James Turnbull, 2014.
Docker Inc, "Docker-build, ship, and run any app, anywhere," https://www.docker.com/, accessed: 01/11/2018.
Red Hat, "Red hat global customer tech outlook 2019: Automation, cloud, and security lead funding priorities," https://www.redhat.com/en/blog/red-hat-global-customer-tech-outlook-2019-automation-cloud-security-lead-funding-priorities, accessed: 25/01/2019.
R. Shu, X. Gu, and W. Enck, "A study of security vulnerabilities on Docker Hub," in 7th ACM Conf on Data and Application Security and Privacy. ACM, 2017, pp. 269-280.
J. Gummaraju, T. Desikan, and Y. Turner, "Over 30% of official images in docker hub contain high priority security vulnerabilities," https://banyanops.com/blog/analyzing-docker-hub/, 2015.
Anchore. (2019, jan) Anchore.io. [Online]. Available: https://anchore. com/
E. Grande. (2019, jan) Dagda. [Online]. Available: https://github.com/ eliasgranderubio/dagda
OWASP. (2019, jan) Owasp. [Online]. Available: https://www.owasp.org
M. Wojcik, D. Proulx, J. Baker, and R. Roberge, "Introduction to oval," The MITRE Corporation, 2005.
ExploitDB. (2019, jan) Offensive security exploit database. [Online]. Available: https://www.exploit-db.com/
Snyk.io, "Synk.io," https://snyk.io/features/container-vulnerabilitymanagement/, March 2019, accessed: 10/03/2019.
K. Crowston, H. Annabi, and J. Howison, "Defining open source software project success," ICIS 2003 Proceedings, p. 28, 2003.
J. Cox E. Bouwers, M. van Eekelen, and J. Visser, "Measuring dependency freshness in software systems," in Int'l Conf. Software Engineering. IEEE Press, 2015, pp. 109-118.
T. Bui, "Analysis of docker security," arXiv preprint arXiv:1501.02967, 2015.
A. Martin, S. Raponi, T. Combe, and R. Di Pietro, "Docker ecosystem-vulnerability analysis," Computer Communications, vol. 122, pp. 30-43, 2018.
T. Xu and D. Marinov, "Mining container image repositories for software configuration and beyond," in Proceedings of the 40th International Conference on Software Engineering: New Ideas and Emerging Results, 2018, pp. 49-52.
A. Zerouali, T. Mens, G. Robles, and J. Gonzalez-Barahona, "On the relation between outdated docker containers, severity vulnerabilities and bugs," arXiv preprint arXiv:1811.12874, 2018.
A. Zerouali, V. Cosentino, T. Mens, G. Robles, and J. M. Gonzalez-Barahona, "On the impact of outdated and vulnerable Javascript packages in docker images," in International Conference on Software Analysis, Evolution and Reengineering, 2019.
W. McKinney et al., "Data structures for statistical computing in python," in Proceedings of the 9th Python in Science Conference, vol. 445. Austin, TX, 2010, pp. 51-56.
Debian, "snapshot.debian.org," https://snapshot.debian.org/, accessed: 25/01/2019.
Debian, "Security bug tracker," https://securitytracker. debian.org/tracker/, accessed: 25/01/2019.
L. Nussbaum and S. Zacchiroli, "The ultimate Debian database: Consolidating bazaar metadata for quality assurance and data mining," in Working Conf. Mining Software Repositories (MSR), 2010, pp. 52-61.
J. D. Hunter, "Matplotlib: A 2d graphics environment," Computing in science &engineering, vol. 9, no. 3, pp. 90-95, 2007.
Michael Waskom, "seaborn: statistical data visualization," https://seaborn.pydata.org, accessed: 25/01/2019.
C. Gormley and Z. Tong, Elasticsearch: The Definitive Guide: A Distributed Real-Time Search and Analytics Engine. " O'Reilly Media, Inc.", 2015.
T. Kluyver, B. Ragan-Kelley, F. Ṕerez, B. E. Granger, M. Bussonnier, J. Frederic, K. Kelley, J. B. Hamrick, J. Grout, S. Corlay et al., "Jupyter notebooks-A publishing format for reproducible computational workflows." in ELPUB, 2016, pp. 87-90.
A. Zerouali, T. Mens, G. Robles, and J. M. Gonzalez-Barahona, "On the relation between outdated package containers, security vulnerabilities, and bugs," in International Conference on Software Analysis, Evolution and Reengineering, 2019.