How to use docker scout cves command to find vulnerabilities

Introduction

In this lab, you will learn how to effectively use the docker scout cves command to identify vulnerabilities within your Docker images and related artifacts. We will begin by analyzing vulnerabilities directly in a Docker image, demonstrating how to pull a vulnerable image and utilize a security scanner like Trivy to find potential issues.

Following this, you will explore how to analyze vulnerabilities from a docker save tarball and an OCI directory, showcasing the flexibility of the docker scout cves command across different formats. Finally, you will learn how to export the vulnerability report to a SARIF JSON file for further processing and how to display vulnerabilities with their associated EPSS scores to prioritize remediation efforts.

Analyze vulnerabilities in a Docker image

In this step, we will learn how to analyze vulnerabilities in a Docker image using Trivy. Trivy is a comprehensive and versatile security scanner. It can detect vulnerabilities in operating system packages (Alpine, RHEL, CentOS, Debian, Ubuntu, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). In addition, Trivy supports various scan targets, such as container images, filesystems, and Git repositories.

First, let's pull a vulnerable Docker image that we will use for analysis. We will use the library/ubuntu:18.04 image, which is known to have some vulnerabilities.

docker pull library/ubuntu:18.04

You should see output indicating that the image is being pulled and downloaded.

18.04: Pulling from library/ubuntu
...
Status: Downloaded newer image for ubuntu:18.04
docker.io/library/ubuntu:18.04

Now that we have the image, we need to install Trivy. Since Trivy is not pre-installed in the LabEx environment, we will download and install it. We will download the v0.50.1 release package from the official GitHub releases page.

wget https://github.com/aquasecurity/trivy/releases/download/v0.50.1/trivy_0.50.1_Linux-64bit.deb

This command downloads the Trivy Debian package. You should see output similar to this:

--2023-10-27 08:00:00--  https://github.com/aquasecurity/trivy/releases/download/v0.50.1/trivy_0.50.1_Linux-64bit.deb
Resolving github.com (github.com)... 140.82.113.4
Connecting to github.com (github.com)|140.82.113.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/140000000/...?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=... [following]
--2023-10-27 08:00:00--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/140000000/...
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 50000000 (48M) [application/octet-stream]
Saving to: ‘trivy_0.50.1_Linux-64bit.deb’

trivy_0.50.1_Linux-64bit.deb 100%[=================================================>]  47.68M  --.-MB/s    in 0.5s

2023-10-27 08:00:01 (95.3 MB/s) - ‘trivy_0.50.1_Linux-64bit.deb’ saved [50000000/50000000]

Now, install the downloaded package using dpkg.

sudo dpkg -i trivy_0.50.1_Linux-64bit.deb

You should see output indicating the installation process.

Selecting previously unselected package trivy.
(Reading database ... 100000 files and directories currently installed.)
Preparing to unpack trivy_0.50.1_Linux-64bit.deb ...
Unpacking trivy (0.50.1) ...
Setting up trivy (0.50.1) ...

With Trivy installed, we can now scan the library/ubuntu:18.04 Docker image for vulnerabilities.

trivy image library/ubuntu:18.04

Trivy will start scanning the image. This might take a few moments as it downloads vulnerability databases and analyzes the image layers. You will see output showing the progress and then a detailed report of the vulnerabilities found.

2023-10-27T08:00:05.000+0000    INFO    Need to update DB
2023-10-27T08:00:05.000+0000    INFO    Downloading DB...
...
2023-10-27T08:00:10.000+0000    INFO    Detected OS: ubuntu
2023-10-27T08:00:10.000+0000    INFO    Detecting Ubuntu vulnerabilities...
...
library/ubuntu:18.04 (ubuntu 18.04)
===================================
Total: 100 (UNKNOWN: 0, LOW: 50, MEDIUM: 30, HIGH: 15, CRITICAL: 5)

┌───────────────────────────────────────────────────┬─────────────────────────────────┬──────────┬───────────────────┬───────────────────────────────────────────────────────────┐
│                 Library/Package                   │          Vulnerability          │ Severity │ Installed Version │                       Fixed Version                       │
├───────────────────────────────────────────────────┼─────────────────────────────────┼──────────┼───────────────────┼───────────────────────────────────────────────────────────┤
│ apt                                               │ CVE-YYYY-XXXX                   │ HIGH     │ 1.6.12            │ 1.6.14                                                    │
│ ...                                               │ ...                             │ ...      │ ...               │ ...                                                       │
└───────────────────────────────────────────────────┴─────────────────────────────────┴──────────┴───────────────────┴───────────────────────────────────────────────────────────┘

The output provides a summary of the total vulnerabilities found, categorized by severity (UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL). It then lists each vulnerability with details like the affected package, the vulnerability ID (e.g., CVE-YYYY-XXXX), the severity level, the installed version of the package, and the fixed version if available. This report helps you understand the security posture of your Docker image and identify areas that need remediation.

Analyze vulnerabilities from a docker save tarball

In this step, we will learn how to analyze vulnerabilities from a Docker image saved as a tarball file. This is useful when you need to scan an image that is not directly available in a Docker registry or on the local Docker daemon, but you have the image saved as a file.

First, we need to save the library/ubuntu:18.04 Docker image that we pulled in the previous step into a tarball file. We can use the docker save command for this.

docker save library/ubuntu:18.04 -o ubuntu_18.04.tar

This command saves the library/ubuntu:18.04 image to a file named ubuntu_18.04.tar in your current directory (~/project). The -o flag specifies the output file.

You should see output indicating the image layers being saved.

The image 'library/ubuntu:18.04' is being saved to a tar file.
...

Now that we have the image saved as a tarball, we can use Trivy to scan this file. We will use the trivy image command again, but this time we will specify the tarball file as the target.

trivy image --input ubuntu_18.04.tar

The --input flag tells Trivy to scan an image from a tarball file instead of pulling it from a registry or scanning a local image by name. Trivy will read the image data from the ubuntu_18.04.tar file and perform the vulnerability analysis, similar to scanning a local image directly.

You will see output showing Trivy loading the image from the tarball and then the vulnerability scanning process and report, just like in the previous step.

2023-10-27T08:05:00.000+0000    INFO    Loading image from ubuntu_18.04.tar...
2023-10-27T08:05:05.000+0000    INFO    Detected OS: ubuntu
2023-10-27T08:05:05.000+0000    INFO    Detecting Ubuntu vulnerabilities...
...
ubuntu_18.04.tar (ubuntu 18.04)
==============================
Total: 100 (UNKNOWN: 0, LOW: 50, MEDIUM: 30, HIGH: 15, CRITICAL: 5)

┌───────────────────────────────────────────────────┬─────────────────────────────────┬──────────┬───────────────────┬───────────────────────────────────────────────────────────┐
│                 Library/Package                   │          Vulnerability          │ Severity │ Installed Version │                       Fixed Version                       │
├───────────────────────────────────────────────────┼─────────────────────────────────┼──────────┼───────────────────┼───────────────────────────────────────────────────────────┤
│ apt                                               │ CVE-YYYY-XXXX                   │ HIGH     │ 1.6.12            │ 1.6.14                                                    │
│ ...                                               │ ...                             │ ...      │ ...               │ ...                                                       │
└───────────────────────────────────────────────────┴─────────────────────────────────┴──────────┴───────────────────┴───────────────────────────────────────────────────────────┘

This demonstrates how Trivy can analyze Docker images even when they are not loaded into the Docker daemon, by scanning the tarball created with docker save. This is a flexible way to integrate vulnerability scanning into workflows where images are transferred as files.

Analyze vulnerabilities from an OCI directory

In this step, we will explore how to analyze vulnerabilities from an image stored in the Open Container Initiative (OCI) layout format. The OCI Image Format Specification defines a standard for packaging container images. Tools like Skopeo and Buildah can be used to create and manage images in this format. Trivy can directly scan images stored in an OCI directory.

First, we need to create an OCI directory from our library/ubuntu:18.04 Docker image. We will use the skopeo command-line utility for this. Since skopeo is not pre-installed, we need to install it.

sudo apt update
sudo apt install -y skopeo

This will update the package list and install skopeo. You will see output showing the installation process.

Hit:1 http://archive.ubuntu.com/ubuntu bionic InRelease
...
Setting up skopeo (1.2.3-3) ...

Now that skopeo is installed, we can copy the Docker image to an OCI directory. We will create a directory named ubuntu_oci in our ~/project directory and copy the image into it using skopeo copy.

mkdir ubuntu_oci
skopeo copy docker-daemon:library/ubuntu:18.04 oci:ubuntu_oci:18.04

The skopeo copy command is used to transfer images between different storage locations and formats.

  • docker-daemon:library/ubuntu:18.04 specifies the source image, which is library/ubuntu:18.04 located in the local Docker daemon.
  • oci:ubuntu_oci:18.04 specifies the destination format and location. oci: indicates the OCI format, ubuntu_oci is the directory where the OCI image will be stored, and 18.04 is the tag for the image within that OCI directory.

You will see output indicating the copying process.

Getting image source signatures
Copying blob sha256:...
...
Copying config sha256:...
Writing manifest to image destination
Storing signatures

Now you should have a directory named ubuntu_oci containing the OCI image data. You can list the contents of this directory to see the OCI layout files.

ls ubuntu_oci

You will see files and directories like oci-layout, index.json, and blobs.

blobs  index.json  oci-layout

Finally, we can use Trivy to scan this OCI directory for vulnerabilities. We will use the trivy image command and specify the OCI directory path.

trivy image oci:ubuntu_oci:18.04

Trivy will recognize the oci: prefix and scan the image located in the ubuntu_oci directory with the tag 18.04. It will analyze the image layers and report any vulnerabilities found, similar to scanning a Docker image directly.

You will see output showing Trivy scanning the OCI image and then the vulnerability report.

2023-10-27T08:10:00.000+0000    INFO    Detected OS: ubuntu
2023-10-27T08:10:00.000+0000    INFO    Detecting Ubuntu vulnerabilities...
...
oci:ubuntu_oci:18.04 (ubuntu 18.04)
==================================
Total: 100 (UNKNOWN: 0, LOW: 50, MEDIUM: 30, HIGH: 15, CRITICAL: 5)

┌───────────────────────────────────────────────────┬─────────────────────────────────┬──────────┬───────────────────┬───────────────────────────────────────────────────────────┐
│                 Library/Package                   │          Vulnerability          │ Severity │ Installed Version │                       Fixed Version                       │
├───────────────────────────────────────────────────┼─────────────────────────────────┼──────────┼───────────────────┼───────────────────────────────────────────────────────────┤
│ apt                                               │ CVE-YYYY-XXXX                   │ HIGH     │ 1.6.12            │ 1.6.14                                                    │
│ ...                                               │ ...                             │ ...      │ ...               │ ...                                                       │
└───────────────────────────────────────────────────┴─────────────────────────────────┴──────────┴───────────────────┴───────────────────────────────────────────────────────────┘

This demonstrates Trivy's capability to scan images stored in the OCI format, providing flexibility in how you manage and scan your container images.
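To make the oci-layout, index.json and blobs files concrete, the following Python is an added example (not part of the lab, skopeo or Trivy) that builds a small constructed OCI layout and performs the same lookup a scanner does for oci:ubuntu_oci:18.04: resolve the tag through index.json, fetch the manifest blob, verify each blob against its content-addressed digest, and list the layer digests. The layer contents and config are placeholders, and the tag annotation key is the standard org.opencontainers.image.ref.name used by skopeo.

```python
import hashlib
import json
import os
import tempfile

REF_ANNOTATION = "org.opencontainers.image.ref.name"   # how index.json names a tag
MANIFEST_MT = "application/vnd.oci.image.manifest.v1+json"

def _write_blob(layout_dir, data):
    """Store bytes as blobs/sha256/<hex> and return the OCI digest string."""
    digest = hashlib.sha256(data).hexdigest()
    blob_dir = os.path.join(layout_dir, "blobs", "sha256")
    os.makedirs(blob_dir, exist_ok=True)
    with open(os.path.join(blob_dir, digest), "wb") as fh:
        fh.write(data)
    return "sha256:" + digest

def build_sample_layout(layout_dir=None, tag="18.04"):
    """Write a minimal constructed OCI layout (oci-layout, index.json, blobs/):
    one manifest, one config and two placeholder layers, not real image data."""
    layout_dir = layout_dir or tempfile.mkdtemp()
    config = json.dumps({"os": "linux", "architecture": "amd64"}).encode()
    layers = [b"placeholder layer 1", b"placeholder layer 2"]
    manifest = {
        "schemaVersion": 2, "mediaType": MANIFEST_MT,
        "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
                   "digest": _write_blob(layout_dir, config), "size": len(config)},
        "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar",
                    "digest": _write_blob(layout_dir, b), "size": len(b)} for b in layers],
    }
    manifest_bytes = json.dumps(manifest).encode()
    index = {"schemaVersion": 2, "manifests": [{
        "mediaType": MANIFEST_MT, "digest": _write_blob(layout_dir, manifest_bytes),
        "size": len(manifest_bytes), "annotations": {REF_ANNOTATION: tag}}]}
    with open(os.path.join(layout_dir, "index.json"), "w") as fh:
        json.dump(index, fh)
    with open(os.path.join(layout_dir, "oci-layout"), "w") as fh:
        json.dump({"imageLayoutVersion": "1.0.0"}, fh)
    return layout_dir

def read_blob(layout_dir, digest):
    """Read blobs/<alg>/<hex> and refuse content whose hash differs from its digest."""
    alg, hexdigest = digest.split(":", 1)
    with open(os.path.join(layout_dir, "blobs", alg, hexdigest), "rb") as fh:
        data = fh.read()
    if hashlib.new(alg, data).hexdigest() != hexdigest:
        raise ValueError(f"blob {digest} does not match its digest")
    return data

def resolve_tag(layout_dir, tag):
    """Return the manifest that index.json maps to the tag (the oci:<dir>:<tag> lookup)."""
    with open(os.path.join(layout_dir, "index.json")) as fh:
        index = json.load(fh)
    for entry in index["manifests"]:
        if entry.get("annotations", {}).get(REF_ANNOTATION) == tag:
            return json.loads(read_blob(layout_dir, entry["digest"]))
    raise KeyError(f"tag {tag!r} not found in index.json")

def layer_digests(layout_dir, tag):
    """Layer digests in order: the blobs a scanner unpacks to find installed packages."""
    return [layer["digest"] for layer in resolve_tag(layout_dir, tag)["layers"]]
```

Calling build_sample_layout() and then layer_digests(d, "18.04") on the returned directory lists the two layer blobs; a tampered blob fails the digest check in read_blob instead of being scanned.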

Export vulnerability report to a SARIF JSON file

In this step, we will learn how to export the vulnerability report generated by Trivy to a SARIF JSON file. SARIF (Static Analysis Results Interchange Format) is a standard format for the output of static analysis tools. Exporting reports in SARIF format makes it easier to integrate vulnerability scanning results into other tools and workflows, such as CI/CD pipelines or security dashboards.

We will scan the library/ubuntu:18.04 Docker image again, but this time we will use Trivy's formatting options to output the result in SARIF format and save it to a file.

trivy image --format sarif --output report.sarif library/ubuntu:18.04

Let's break down this command:

  • trivy image library/ubuntu:18.04: This is the standard command to scan the specified Docker image.
  • --format sarif: This flag tells Trivy to format the output as SARIF JSON.
  • --output report.sarif: This flag redirects the output to a file named report.sarif in your current directory (~/project).

Trivy will perform the scan and save the results to the specified file. You won't see the detailed report printed to the console, only progress information.

2023-10-27T08:15:00.000+0000    INFO    Detected OS: ubuntu
2023-10-27T08:15:00.000+0000    INFO    Detecting Ubuntu vulnerabilities...
...

After the command finishes, you should have a file named report.sarif in your ~/project directory. You can verify its existence using the ls command.

ls report.sarif

You should see the filename printed, confirming that the file was created.

report.sarif

You can also view the content of the SARIF file using a command-line tool like cat or less. The content will be in JSON format, following the SARIF specification.

cat report.sarif

You will see the JSON output, which can be quite long depending on the number of vulnerabilities found.

{
  "version": "2.1.0",
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Trivy",
          "version": "0.50.1",
          ...
        }
      },
      "results": [
        {
          "ruleId": "CVE-YYYY-XXXX",
          "level": "error",
          "message": {
            "text": "apt: CVE-YYYY-XXXX (HIGH)"
          },
          ...
        },
        ...
      ]
    }
  ]
}

Exporting reports in SARIF format is a powerful way to integrate vulnerability scanning into automated security workflows and leverage tools that understand the SARIF standard.

Display vulnerabilities with EPSS scores

In this step, we will learn how to display vulnerabilities along with their Exploit Prediction Scoring System (EPSS) scores using Trivy. EPSS is a data-driven effort to estimate the likelihood of a vulnerability being exploited in the wild. Including EPSS scores in vulnerability reports can help prioritize remediation efforts by focusing on vulnerabilities that are more likely to be actively exploited.

Trivy can fetch and display EPSS scores for vulnerabilities when the data is available. To do this, we use the --vuln-type os,library flag so that both operating system and library vulnerabilities are scanned; Trivy then includes an EPSS score in the output for each CVE that has one.

Let's scan the library/ubuntu:18.04 Docker image again, this time explicitly requesting OS and library vulnerability types.

trivy image --vuln-type os,library library/ubuntu:18.04

The --vuln-type os,library flag specifies the types of vulnerabilities to scan for. Trivy usually scans for these types by default, but passing the flag makes the choice explicit. When Trivy finds a vulnerability (identified by a CVE ID) for which EPSS data exists, it includes the EPSS score in the report.

Trivy will perform the scan as before. The output will be similar to the initial scan, but you will notice an additional column for EPSS scores for some vulnerabilities.

2023-10-27T08:20:00.000+0000    INFO    Detected OS: ubuntu
2023-10-27T08:20:00.000+0000    INFO    Detecting Ubuntu vulnerabilities...
...
library/ubuntu:18.04 (ubuntu 18.04)
===================================
Total: 100 (UNKNOWN: 0, LOW: 50, MEDIUM: 30, HIGH: 15, CRITICAL: 5)

┌───────────────────────────────────────────────────┬─────────────────────────────────┬──────────┬───────────────────┬───────────────────────────────────────────────────────────┬───────┐
│                 Library/Package                   │          Vulnerability          │ Severity │ Installed Version │                       Fixed Version                       │ EPSS  │
├───────────────────────────────────────────────────┼─────────────────────────────────┼──────────┼───────────────────┼───────────────────────────────────────────────────────────┼───────┤
│ apt                                               │ CVE-YYYY-XXXX                   │ HIGH     │ 1.6.12            │ 1.6.14                                                    │ 0.95  │
│ ...                                               │ ...                             │ ...      │ ...               │ ...                                                       │ ...   │
└───────────────────────────────────────────────────┴─────────────────────────────────┴──────────┴───────────────────┴───────────────────────────────────────────────────────────┴───────┘

Notice the new EPSS column in the output table. The values in this column represent the EPSS score for the corresponding vulnerability, ranging from 0 to 1. A higher EPSS score indicates a higher probability of the vulnerability being exploited in the next 30 days. This information is valuable for prioritizing which vulnerabilities to address first, focusing on those with higher EPSS scores.

By including EPSS scores in your vulnerability analysis, you can move beyond just severity levels and make more informed decisions about risk and remediation.
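Putting the SARIF export step and this EPSS step together: the report.sarif file can be parsed and its findings ranked by EPSS with severity as the tie-breaker, so a CRITICAL finding nobody is exploiting sorts below a HIGH one that is. The following Python is an added example, not part of the lab or of Trivy; the SARIF document and EPSS scores embedded in it are constructed placeholders in the shape of the report.sarif excerpt above, and the parser assumes the "package: CVE (SEVERITY)" message text shown there.

```python
import json
import re

# Constructed sample in the shape of Trivy's --format sarif output shown above
# (ruleId, level, message.text "pkg: CVE (SEVERITY)"); ids and packages are placeholders.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "version": "0.50.1"}},
        "results": [
            {"ruleId": "CVE-YYYY-0001", "level": "error",
             "message": {"text": "apt: CVE-YYYY-0001 (HIGH)"}},
            {"ruleId": "CVE-YYYY-0002", "level": "error",
             "message": {"text": "libc6: CVE-YYYY-0002 (CRITICAL)"}},
            {"ruleId": "CVE-YYYY-0003", "level": "warning",
             "message": {"text": "bash: CVE-YYYY-0003 (MEDIUM)"}},
            {"ruleId": "CVE-YYYY-0004", "level": "note",
             "message": {"text": "perl-base: CVE-YYYY-0004 (LOW)"}},
            {"ruleId": "CVE-YYYY-0005", "level": "error",
             "message": {"text": "libssl1.1: CVE-YYYY-0005 (CRITICAL)"}},
        ],
    }],
})

# Constructed EPSS scores keyed by CVE id (probability of exploitation within
# 30 days, 0..1). CVE-YYYY-0004 deliberately has no entry.
SAMPLE_EPSS = {"CVE-YYYY-0001": 0.95, "CVE-YYYY-0002": 0.02,
               "CVE-YYYY-0003": 0.40, "CVE-YYYY-0005": 0.40}

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}
MESSAGE_RE = re.compile(r"^(?P<pkg>\S+): (?P<cve>\S+) \((?P<severity>[A-Z]+)\)$")

def parse_sarif(text):
    """One dict per SARIF result: id, level, package and severity from the message text."""
    findings = []
    for run in json.loads(text).get("runs", []):
        for result in run.get("results", []):
            m = MESSAGE_RE.match(result.get("message", {}).get("text", ""))
            findings.append({
                "id": result.get("ruleId", ""),
                "level": result.get("level", "none"),
                "package": m.group("pkg") if m else "",
                "severity": m.group("severity") if m else "UNKNOWN",
            })
    return findings

def count_by_severity(findings):
    """Severity histogram, the same summary Trivy prints as its 'Total:' line."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts

def prioritize(findings, epss):
    """Remediation order: highest EPSS first, severity breaks ties. Findings with
    no EPSS entry get None and sort last rather than being dropped from the list."""
    ranked = [dict(f, epss=epss.get(f["id"])) for f in findings]
    ranked.sort(key=lambda f: (f["epss"] if f["epss"] is not None else -1.0,
                               SEVERITY_RANK.get(f["severity"], 0)), reverse=True)
    return ranked
```

Running prioritize(parse_sarif(SAMPLE_SARIF), SAMPLE_EPSS) puts the apt finding (EPSS 0.95) first and the two 0.40 findings next with the CRITICAL one ahead of the MEDIUM one; the LOW finding with no EPSS data is kept at the end for manual review.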

Summary

In this lab, we learned how to analyze vulnerabilities in a Docker image using Trivy, a versatile security scanner. We pulled a vulnerable Ubuntu image and installed Trivy to perform the analysis. This initial step focused on the fundamental process of scanning a live Docker image for security weaknesses.