On the Impact of Outdated and Vulnerable Javascript Packages in Docker Images

[en] Containerized applications, and in particular Docker images, are becoming a common solution in cloud environments to meet ever-increasing demands in terms of portability, reliability and fast deployment. A Docker image includes all environmental dependencies required to run it, such as specific versions of system and third-party packages. Leveraging on its modularity, an image can be easily embedded in other images, thus simplifying the way of sharing dependencies and building new software. However, the dependencies included in an image may be out of date due to backward compatibility requirements, endangering the environments where the image has been deployed with known vulnerabilities. While previous research efforts have focused on studying the impact of bugs and vulnerabilities of system packages within Docker images, no attention has been given to third-party packages. This paper empirically studies the impact of npm JavaScript package vulnerabilities in Docker images. We based our analysis on 961 images from three official repositories that use Node.js, and 1,099 security reports of packages available on npm, the most popular JavaScript package manager. Our results reveal that the presence of outdated npm packages in Docker images increases the risk of potential security vulnerabilities, suggesting that Docker maintainers should keep their installed JavaScript packages up to date.

Disciplines :

Computer science
Electrical & electronics engineering

Author, co-author :

Zerouali, Ahmed ; Université de Mons > Faculté des Sciences > Service de Génie Logiciel

Cosentino, Valerio

Mens, Tom ; Université de Mons > Faculté des Sciences > Service de Génie Logiciel

Robles, Gregorio

Gonzalez-Barahona, Jesus

Language :

English

Title :

On the Impact of Outdated and Vulnerable Javascript Packages in Docker Images

Publication date :

24 February 2019

Event name :

IEEE International Conference on Software Analysis, Evolution, and Reengineering

Event place :

Hangzhou, China

Event date :

2019

Research unit :

S852 - Génie Logiciel

Research institute :

R300 - Institut de Recherche en Technologies de l'Information et Sciences de l'Informatique

Name of the research project :

Automated Assistance for Developing Software in Ecosystems of the Future - Fédération Wallonie Bruxelles

Available on ORBi UMONS :

since 22 January 2019

Statistics

Number of views

1 (0 by UMONS)

Number of downloads

0 (0 by UMONS)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

Bibliography

J. Turnbull, The Docker Book: Containerization is the new virtualization. James Turnbull, 2014.
Docker Inc, "Docker-build, ship, and run any app, anywhere, " https://www.docker.com/, accessed: 01/11/2018.
R. Shu, X. Gu, and W. Enck, "A study of security vulnerabilities on Docker Hub, " in 7th ACM Conf on Data and Application Security and Privacy. ACM, 2017, pp. 269-280.
J. Gummaraju, T. Desikan, and Y. Turner, "Over 30% of official images in docker hub contain high priority security vulnerabilities, " https://banyanops.com/blog/analyzing-docker-hub/, 2015.
A. Zerouali, T. Mens, G. Robles, and J. M. Gonzalez-Barahona, "On the relation between outdated package containers, security vulnerabilities, and bugs, " in SANER, 2019.
Business Wire, "npm, inc. report: State of javascript reveals most popular web development frameworks, " https://www.businesswire.com/news/home/20180104005052/en/npm-Report-State-JavaScript-Reveals-Popular-Web, accessed: 01/11/2018.
J. M. Gonzalez-Barahona, P. Sherwood, G. Robles, and D. Izquierdo, "Technical lag in software compilations: Measuring how outdated a software deployment is, " in ICOSS. Springer, 2017, pp. 182-192.
R. G. Kula, D. M. German, A. Ouni, T. Ishio, and K. Inoue, "Do developers update their library dependencies?" Empirical Software Engineering, vol. 23, no. 1, pp. 384-417, 2017.
A. Zerouali, E. Constantinou, T. Mens, G. Robles, and J. Gonźalez-Barahona, "An empirical analysis of technical lag in npm package dependencies, " in ICSR. Springer, 2018, pp. 95-110.
J. Cox, E. Bouwers, M. van Eekelen, and J. Visser, "Measuring dependency freshness in software systems, " in Intl Conf. Software Engineering. IEEE Press, 2015, pp. 109-118.
R. E. Zapata, R. G. Kula, B. Chinthanet, T. Ishio, K. Matsumoto, and A. Ihara, "Towards smoother library migrations: A look at vulnerable dependency migrations at function level for npm JavaScript packages, " in ICSME, Sep. 2018, pp. 559-563.
A. Decan, T. Mens, and E. Constantinou, "On the impact of security vulnerabilities in the npm package dependency network, " in Working Conf. Mining Software Repositories. IEEE, 2018.
T. Lauinger, A. Chaabane, S. Arshad, W. Robertson, C. Wilson, and E. Kirda, "Thou shalt not depend on me: Analysing the use of outdated javascript libraries on the web, " in NDSS Symposium, 2017.
A. Nesbitt and B. Nickolls, "Libraries.io open source repository and dependency metadata, " March 2018. [Online]. Available: https://zenodo.org/record/1196312
S. Zaman, B. Adams, and A. E. Hassan, "Security versus performance bugs: A case study on Firefox, " in MSR. ACM, 2011, pp. 93-102.