Member post originally published on the Fairwinds blog by Andy Suderman
One challenge everyone working with containers has experienced is worrying about common vulnerabilities and exposures (CVEs) putting your apps and services at risk of attack. The obvious solution is to scan your containers and there are a lot of great tools — open source and proprietary — that do that well. The downside is that when you start scanning containers with a vulnerability scanner you get a ton of information. Every version of every container — except maybe the container that you just built 10 minutes ago — contains known CVEs.
Making sense of how to prioritize those vulnerabilities is quite difficult. The first, typically, is to sort the CVEs by severity and then focus on the critical and high vulnerabilities first — the ones that cause the greatest risk to your apps and services. But you also need to know how to patch these critical and high risk vulns. To do that, it’s incredibly helpful to know what introduced that vulnerability into your codebase. For example, was it the base operating system, a package that got installed, or a library in the code that you’re running?
You can often patch a significant number of known CVEs by updating the base image (or the FROM statement) of your container. However, when you are updating a base image, you often don’t know how many vulnerabilities will be patched or whether there’s a new version of your base image available. Without access to the source code of the container, it may not be possible for you to determine this necessary (and useful) information.
Introducing Base Image Finder
That’s why we created Base Image Finder (affectionately called BIF), which is an open source utility that you can use to detect which of many popular base images was used to build the container. This utility shows if there is a new version of the container available and whether it includes patches for any of the CVEs in the original container. BIF provides you with upgrade recommendations for base images that are newer and less vulnerable, which allows you to choose the version that makes the most sense for your deployment. You can make an informed decision without needing to see the Dockerfile. The BIF API provides access to a continuously updated database of base image and CVE information, and use of the API is free up to 1000 uses per month.
If you’d like to use BIF, you can install Base Image Finder right now. If you want to learn more, I’ll walk you through how to get started.
Start Using Base Image Finder
To start using BIF, you need to request an API token. You can do this via the command line interface (CLI):
bif request-token
# Follow the prompt to enter your email address
You’ll receive your token via email. To automatically have BIF use this token, export it as INSIGHTS_OSS_TOKEN in your environment.
There are two ways to use BIF to find your base images.
Extract layers using Skopeo
Extract the image layers using Skopeo — like this:
bif find --image-layers $(skopeo inspect docker://us-docker.pkg.dev/fairwinds-ops/oss/polaris:7.0.0 | jq .Layers[] -rc)
Input: [sha256:2408cc74d12b6cd092bb8b516ba7d5e290f485d3eb9672efc00f0583730179e8]
BASE IMAGE | LAST SCAN | CVE | SEVERITY | CVSS | FIXED IN
----------------+------------+----------------+----------+------+-----------------
alpine:3.16.0 | 2023-02-28 | CVE-2022-2097 | MEDIUM | 5.30 | 3.17.3, 3.16.5
| | CVE-2022-30065 | HIGH | 7.80 | 3.17.3, 3.16.5
| | CVE-2022-37434 | CRITICAL | 9.80 | 3.17.3, 3.16.5
| | CVE-2022-4304 | MEDIUM | 5.90 | 3.17.3, 3.16.5
| | CVE-2022-4450 | HIGH | 7.50 | 3.17.3, 3.16.5
| | CVE-2023-0215 | HIGH | 7.50 | 3.17.3, 3.16.5
| | CVE-2023-0286 | HIGH | 7.40 | 3.17.3, 3.16.5
Use BIF with a publicly-available image
In this example we use Polaris, our open source policy engine for Kubernetes. Your results will look something like the below (depending on when you do it and the version number).
bif find --image us-docker.pkg.dev/fairwinds-ops/oss/polaris:7.0.0
Input: us-docker.pkg.dev/fairwinds-ops/oss/polaris 7.0.0
BASE IMAGE | LAST SCAN | CVE | SEVERITY | CVSS | FIXED IN
----------------+------------+----------------+----------+------+-----------------
alpine:3.16.0 | 2023-02-28 | CVE-2022-2097 | MEDIUM | 5.30 | 3.17.3, 3.16.5
| | CVE-2022-30065 | HIGH | 7.80 | 3.17.3, 3.16.5
| | CVE-2022-37434 | CRITICAL | 9.80 | 3.17.3, 3.16.5
| | CVE-2022-4304 | MEDIUM | 5.90 | 3.17.3, 3.16.5
| | CVE-2022-4450 | HIGH | 7.50 | 3.17.3, 3.16.5
| | CVE-2023-0215 | HIGH | 7.50 | 3.17.3, 3.16.5
| | CVE-2023-0286 | HIGH | 7.40 | 3.17.3, 3.16.5
Troubleshooting
If you have any issues, try adding debug logging by adding the –debug flag. If that doesn’t help, reach out to us in our Community Slack channel or file a GitHub issue.
Accelerate Vulnerability Remediation
BIF might just become your BFF, because it helps you understand where a vulnerability was introduced in your containers. The quick identification of your base images helps you upgrade faster and solve a bunch of vulnerabilities quickly that would otherwise have been hard to track down and resolve from a long list of unique CVEs. We’d love to hear your questions and suggestions, so please reach out to help us make sure this project helps you improve the security of your containerized environments.