
Digging Into Your App's Container Image Layers for Sneaky Vulnerabilities

2022-05-19

Authors: Pablo Galego


Summary

The presentation discusses why vulnerability scanning matters in DevOps and gives tips for refining the output of vulnerability scanning tools.
  • Vulnerability scanning is important in DevOps
  • Refining the output of vulnerability scanning tools is necessary to use them efficiently
  • Tools like Trivy have flags that can be used to filter results
  • Mitigating reported vulnerabilities is often an easy task
  • An anecdote illustrates the process of refining vulnerability scanning output
The speaker shares a personal experience of having to check manually whether a vulnerability had been resolved in a base image, and of searching through the Helm repo to find the version that mitigated it. They also demonstrate using the Maven dependency plugin to locate a specific library in a container image.

Abstract

Mitigating vulnerabilities in container images is, most of the time, a straightforward task: update the base image, use a newer version of Node or Java, bump the patch version of a project dependency, etc. However, all useful pieces of software are complex, and vulnerability scanning tools fall short of explaining why they flag some edge cases. This session walks you through mitigating critical vulnerabilities in popular container images such as Java-based ones, from the obvious to the sneaky ones, and shows how to leverage layer explorer tools to narrow the search field for the latter. It is meant to be a hands-on session: first we use Aqua's Trivy scanner to analyze an image generated for a Spring Boot app, then wagoodman's dive to explore in which layer we are introducing a version of a library with critical vulnerabilities, while Maven seems to tell us otherwise.
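The Trivy-then-dive step described above, as an added example that is not part of the talk's materials: the script joins the Layer.DiffID that Trivy records on each finding of an image scan with the image config's build history, so each flagged package is attributed to the Dockerfile instruction that introduced it (the manual walk one otherwise does in dive). The report and image config are constructed samples; the field names follow Trivy's JSON output and the OCI image config, and the package and CVE identifiers are placeholders.

```python
import json
from collections import defaultdict

# Constructed, trimmed Trivy JSON report (trivy image -f json ...); Layer.DiffID ties a finding to a layer.
TRIVY_REPORT = json.loads("""
{"SchemaVersion": 2, "ArtifactName": "example/app:1.0", "Results": [
 {"Target": "Java", "Class": "lang-pkgs", "Type": "jar", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-0000-0001", "PkgName": "com.example:json-lib",
   "InstalledVersion": "2.9.0", "FixedVersion": "2.9.1", "Severity": "CRITICAL",
   "Layer": {"DiffID": "sha256:bbb"}},
  {"VulnerabilityID": "CVE-0000-0002", "PkgName": "com.example:util",
   "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "LOW",
   "Layer": {"DiffID": "sha256:ccc"}}]}]}
""")

# Constructed OCI image config (docker image inspect / crane config); history is in build order.
IMAGE_CONFIG = json.loads("""
{"rootfs": {"type": "layers", "diff_ids": ["sha256:aaa", "sha256:bbb", "sha256:ccc"]},
 "history": [{"created_by": "ADD rootfs.tar.xz /"},
             {"created_by": "ENV JAVA_HOME=/opt/java", "empty_layer": true},
             {"created_by": "COPY target/dependency/lib /app/lib"},
             {"created_by": "COPY target/app.jar /app/app.jar"}]}
""")

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def layer_instructions(config):
    """Map each rootfs diff_id to the Dockerfile instruction that produced it."""
    diff_ids = iter(config["rootfs"]["diff_ids"])
    mapping = {}
    for step in config["history"]:
        if step.get("empty_layer"):
            continue  # metadata-only step (ENV, CMD, ...): consumes no diff_id
        mapping[next(diff_ids)] = step["created_by"]
    return mapping

def findings_by_instruction(report, config, min_severity="HIGH"):
    """Group findings at or above min_severity by the build step that added them."""
    threshold = SEVERITY_ORDER.index(min_severity)
    instructions = layer_instructions(config)
    grouped = defaultdict(list)
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_ORDER.index(vuln.get("Severity", "UNKNOWN")) < threshold:
                continue  # same effect as trivy --severity HIGH,CRITICAL
            diff_id = vuln.get("Layer", {}).get("DiffID")
            step = instructions.get(diff_id, "<layer not in image config>")
            grouped[step].append((vuln["VulnerabilityID"], vuln["PkgName"],
                                  vuln["InstalledVersion"], vuln.get("FixedVersion", "")))
    return dict(grouped)
```

With real data, feed it the output of `trivy image -f json` and the config JSON of the same image; a finding attributed to a `COPY` of the dependency directory rather than to the base image is the case where Maven's own dependency view and the image disagree.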
