When a picture is worth 306 CVEs: New image vulnerability comparisons in Chainguard Academy
TL;DR: We now have Image Vulnerability Comparisons in Chainguard Academy!
Vulnerability management can be a real pain. It’s even more difficult to stay up to date with fixes when there’s a constant stream of CVEs in popular container images. Even when a new release of your latest and greatest application passes all your linting, QA, and CI/CD pipeline checks, an unpatched vulnerability in a build or production image can (and should!) stop a deployment in its tracks.
The problem is, many popular base images for programming languages like Go, Java, Node, Python, and even CI images like Jenkins contain hundreds of unpatched vulnerabilities for weeks or months at a time. If developers had to wait to deploy software using images that were vulnerability free, nothing would ever get deployed.
This is why, in the container ecosystem, we collectively add the obligatory `apt` or `apk` or `dnf` upgrade commands to our image build files. Some teams go the extra mile and add language-specific package manager commands like `npm` or `pip` or `gem` to their image files, ensuring that even if the upstream image isn’t fully patched, their application’s dependencies are at least up to date.
While these perfunctory upgrade steps may resolve some vulnerabilities, they leave the majority of vulnerabilities in an image untouched. Worse still, these kinds of updates can lead to a false sense of security or complacency. For example, our research into patching official Docker Hub images found that the average reduction in vulnerabilities for popular images was roughly 5.5% of the total. Collectively burying our heads in the sand and hoping for the best is an untenable way to build and deploy secure software.
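The gap between "we ran `apt-get upgrade` in the Dockerfile" and "the image is clean" is easy to measure: scan before and after, diff the findings, and gate on what remains rather than on the fact that an upgrade step exists. The script below is an added example, not Chainguard's tooling; both scan records are constructed, the CVE ids are placeholders, and the severity ordering and the `high` threshold are assumptions for the sake of the demonstration.

```python
"""Measure what an in-Dockerfile package-manager upgrade actually changed, and
gate a deployment on what remains. Added example, not Chainguard's tooling;
both scan records below are constructed and the CVE ids are placeholders."""
from collections import Counter

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scan of the base image before `apt-get upgrade`: (cve, package, severity).
SCAN_BEFORE = [
    ("CVE-0000-0001", "openssh-client", "critical"),
    ("CVE-0000-0002", "openssh-client", "critical"),
    ("CVE-0000-0003", "libc6", "high"),
    ("CVE-0000-0004", "libc6", "medium"),
    ("CVE-0000-0005", "curl", "high"),
    ("CVE-0000-0006", "libxml2", "medium"),
    ("CVE-0000-0007", "libxml2", "low"),
    ("CVE-0000-0008", "perl", "low"),
]

# Constructed scan after the upgrade: only the curl fix had reached the distro.
SCAN_AFTER = [row for row in SCAN_BEFORE if row[0] != "CVE-0000-0005"]


def compare_scans(before, after):
    """Which CVEs the upgrade fixed, which remain, which are new, and the
    percentage reduction relative to the pre-upgrade count."""
    before_ids = {cve for cve, _, _ in before}
    after_ids = {cve for cve, _, _ in after}
    fixed = before_ids - after_ids
    reduction = 100.0 * len(fixed) / len(before_ids) if before_ids else 0.0
    return {
        "fixed": sorted(fixed),
        "remaining": sorted(before_ids & after_ids),
        "new": sorted(after_ids - before_ids),
        "reduction_pct": round(reduction, 1),
    }


def remaining_by_severity(scan):
    """Severity histogram of what is still in the image."""
    return Counter(sev for _, _, sev in scan)


def should_block_deploy(scan, threshold="high"):
    """True if any finding is at or above the threshold severity. Unknown
    severity labels are treated as blocking so a bad label cannot waive the gate."""
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(sev, floor) >= floor for _, _, sev in scan)


if __name__ == "__main__":
    result = compare_scans(SCAN_BEFORE, SCAN_AFTER)
    print(f"fixed {len(result['fixed'])}, remaining {len(result['remaining'])}, "
          f"reduction {result['reduction_pct']}%")
    print("remaining by severity:", dict(remaining_by_severity(SCAN_AFTER)))
    print("block deploy:", should_block_deploy(SCAN_AFTER))
```

The design point is that the gate reads the post-upgrade scan, not the Dockerfile: with the constructed data the upgrade removes one of eight findings (12.5%) and the two critical findings in the SSH client are still there, so the deployment is blocked regardless of how many upgrade commands the build ran.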
A dynamic vulnerability reference
To help developers, operations teams, project managers, SOC analysts, and CISOs manage the never-ending stream of vulnerabilities in popular images, we’ve built new reference pages on Chainguard Academy.
First, we have new Vulnerability Overview pages. Each page shows a bar chart with a moving window of 30 days’ worth of vulnerability scans for pairs of external and Chainguard Images. For example, the following chart is from our Node Vulnerability Comparison page:
The chart shows the last 30 days of vulnerability data for the official Docker Nodejs image and our Chainguard `node:latest` Image.
On the page, you’ll also be able to explore and search a table of all of the detected vulnerabilities across different packages in each of the scanned images. For example, as of writing, there are 306 unique vulnerabilities in the official Docker Nodejs image, including two critical OpenSSH Client vulnerabilities.
The highlighted August 1 bar shows 251 total vulnerabilities in the external image, and a single vulnerability in the Chainguard Image. Switch the table to the “Chainguard” view and examine the list of vulnerabilities over the last 30 days. You’ll find two there in total, both of which were resolved the same day they were detected.
However, just listing vulnerabilities that have been found in an image doesn’t give a complete picture to help analyze and mitigate a given vulnerability. We also added pages for each and every vulnerability that we’ve detected, in both the external images we scan and our Chainguard Images.
If you click on a detected vulnerability in either image, you’ll land on a page with more detailed information about the vulnerability, including all of the images we have scanned that are or were affected by it. For example, picking the first critical CVE-2023-38408 from the Nodejs comparison page will take you to a page like the following, where you can dynamically filter the list of images using the search box:
The information contained in the table shows the date when a vulnerability was first detected in our scans, the last date it was found, and the number of total days that an image has contained a given vulnerability.
Picking another vulnerability, consider CVE-2023-0687, which is marked Critical (although the vulnerability itself is disputed) and was first detected in our Chainguard Images on 2023-08-02. It was also patched that same day. Compare that with the affected external images, which were vulnerable for 33 days each.
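The numbers on these pages (the daily bar-chart totals, first and last detection dates, days exposed, and the list of images affected by one CVE) all derive from one thing: a time series of scan results per image. The following is an added example of that derivation, not Chainguard's own code; the scan history is constructed with placeholder CVE ids, and it assumes exactly one scan per image per day, counting "days exposed" as the number of scan days on which the CVE was present (so a vulnerability detected and fixed on the same day counts as one day).

```python
"""Compute the per-image vulnerability history behind a comparison chart and a
per-CVE page: daily totals, first/last detection, days exposed, and which
images are (or were) affected. Added example, not Chainguard's own code; the
scan history below is constructed and the CVE ids are placeholders."""
from datetime import date

# Constructed history: image -> {scan date: set of CVE ids found that day}.
# Assumes exactly one scan per image per day.
SCANS = {
    "external/node": {
        date(2023, 8, 1): {"CVE-0000-0001", "CVE-0000-0002"},
        date(2023, 8, 2): {"CVE-0000-0001", "CVE-0000-0002"},
        date(2023, 8, 3): {"CVE-0000-0001"},
    },
    "chainguard/node": {
        date(2023, 8, 1): set(),
        date(2023, 8, 2): {"CVE-0000-0002"},  # detected and fixed the same day
        date(2023, 8, 3): set(),
    },
}


def daily_totals(history):
    """Bar-chart series: [(iso date, vulnerability count)] in date order."""
    return [(d.isoformat(), len(cves)) for d, cves in sorted(history.items())]


def exposure(history):
    """Per CVE: first/last detection date, days exposed (count of scan days on
    which it was present) and whether it is still open on the latest scan."""
    if not history:
        return {}
    latest = max(history)
    result = {}
    for d in sorted(history):
        for cve in history[d]:
            entry = result.setdefault(
                cve, {"first_seen": d, "last_seen": d, "days_exposed": 0, "open": False})
            entry["last_seen"] = d
            entry["days_exposed"] += 1
    for cve, entry in result.items():
        entry["open"] = cve in history[latest]
    return result


def affected_images(scans, cve):
    """Rows for a per-CVE page: every image that contains or contained it."""
    rows = {}
    for image, history in scans.items():
        info = exposure(history).get(cve)
        if info is not None:
            rows[image] = info
    return rows


if __name__ == "__main__":
    for image in SCANS:
        print(image, daily_totals(SCANS[image]))
        for cve, info in sorted(exposure(SCANS[image]).items()):
            print(f"  {cve}: first {info['first_seen']} last {info['last_seen']} "
                  f"days {info['days_exposed']} open={info['open']}")
    print(affected_images(SCANS, "CVE-0000-0002"))
```

The `open` flag is what distinguishes "last seen" as a fix date from "last seen" as simply the most recent scan: a CVE absent from the latest scan was resolved, while one still present on the latest scan is ongoing exposure whose day count will keep growing.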
Get started with our dynamic CVE information today
These image comparison and vulnerability specific pages are intended to reduce the burden of triaging and managing vulnerabilities for Chainguard customers, and anyone who wants to use secure-by-default container images. Having this information readily accessible will help with decision-making when choosing a base image for applications.
We’re excited to present this information in both visual and tabular formats, and think that the historical component adds great value to the data, giving deeper insight into vulnerabilities as we track them over time. Stay tuned as these pages will become more useful as our datasets grow to include more images and larger timeframes.