Aqua Security microscanner - a first look
I’m a big fan of baking testing into build and delivery pipelines so when a new tool pops up in that space I like to take a look at what features it brings to the table and how much effort it’s going to take to roll out. The Aqua Security microscanner, from a company you’ve probably seen at least one excellent tech talk from in the last year, is a quite a new release that surfaces vulnerable operating systems packages in your container builds.
To experiment with microscanner
I’m going to add it to my
simple Gemstash
Dockerfile.
FROM ubuntu:16.04
MAINTAINER dean.wilson@gmail.com
RUN apt-get update && \
apt-get -y upgrade && \
apt-get install -y \
build-essential \
ruby \
ruby-dev \
libsqlite3-dev \
curl \
&& gem install --no-ri --no-rdoc gemstash
EXPOSE 9292
HEALTHCHECK --interval=15s --timeout=3s \
CMD curl -f http://localhost:9292/ || exit 1
CMD ["gemstash", "start", "--no-daemonize"]
This is a conceptually simple Dockerfile
. We update the Ubuntu package
list, upgrade packages where needed, add dependencies required to build
our rubygems and then install gemstash. From this very boilerplate base
we only need to make a few changes for microscanner to run.
> git diff Dockerfile
diff --git a/gemstash/Dockerfile b/gemstash/Dockerfile
index 741838f..bab819a 100644
--- a/gemstash/Dockerfile
+++ b/gemstash/Dockerfile
@@ -2,7 +2,6 @@ FROM ubuntu:16.04
MAINTAINER dean.wilson@gmail.com
RUN apt-get update && \
- apt-get -y upgrade && \
apt-get install -y \
build-essential \
ruby \
@@ -11,6 +10,14 @@ RUN apt-get update && \
curl \
&& gem install --no-ri --no-rdoc gemstash
+ARG token
+RUN apt-get update && apt-get -y install ca-certificates wget && \
+ wget -O /microscanner https://get.aquasec.com/microscanner && \
+ chmod +x /microscanner && \
+ /microscanner ${token} && \
+ rm -rf /microscanner
+
Firstly we remove the package upgrade step, as we want to ensure
vulnerabilities are present in our container. We then use the newer
ARG
directive to tell Docker we will be passing a value named token
in
at build time. Lastly we attempt to add microscanner
and its
dependencies, in a single image layer. As we’re using the wget
and ca- certificates
packages it does have a small impact on container size but
microscanner
itself is added, used and removed without a trace.
You’ll notice we specify a token when running the scanner. This grants access to the Aqua scanning servers, and is rate limited. How do you get a token? You request it by calling out to the Aqua Security container with your email address:
docker run --rm -it aquasec/microscanner --register foo@mailinator.com
# ... snip ...
Aqua Security MicroScanner, version 2.6.4
Community Edition
Accept and proceed? Y/N:
y
Please check your email for the token.
Once you have the token (mine came through in seconds) you can build the container:
docker build --build-arg=token=A1A1Aaa1AaAaAAA1 --no-cache .
For this experiment I’ve taken the big hammer of --no-cache
to ensure
all the packages are tested on each build. This will have a build time
performance aspect and should be considered along with the other best
practices.
If your container has vulnerable package versions you’ll get a massive
dump of JSON in your build output. Individual packages will show their
vulnerabilities:
{
"resource": {
"format": "deb",
"name": "systemd",
"version": "229-4ubuntu21.1",
"arch": "amd64",
"cpe": "pkg:/ubuntu:16.04:systemd:229-4ubuntu21.1",
"name_hash": "2245b39c177e93fc015ba051be4e8574"
},
"scanned": true,
"vulnerabilities": [
{
"name": "CVE-2018-6954",
"description": "systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.",
"nvd_score": 7.2,
"nvd_score_version": "CVSS v2",
"nvd_vectors": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"nvd_severity": "high",
"nvd_url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6954",
"vendor_score": 5,
"vendor_score_version": "Aqua",
"vendor_severity": "medium",
"vendor_url": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6954.html",
"publish_date": "2018-02-13",
"modification_date": "2018-03-16",
"fix_version": "any in ubuntu 17.04",
"solution": "Upgrade operating system to ubuntu version 17.04 (includes fixed versions of systemd)"
}
}
You’ll also see some summary information, total number of issues, run time and container operating system values for example.
"vulnerability_summary": {
"total": 147,
"medium": 77,
"low": 70,
"negligible": 6,
"score_average": 4.047619,
"max_score": 5,
"max_fixable_score": 5,
"max_fixable_severity": "medium"
},
If any of the vulnerabilities are considering to be high in severity then the build should fail, preventing you from going live with known issues.
It’s very early days for microscanner
and there’s a certain amount of
inflexibility that will shake out over use, such as being able to fail
builds on medium or even low severity issues, or only show packages with
vulnerabilities, but it’s a very easy way to add this kind of safety net
to your containers and worth keeping an eye on.