Static detection of vulnerabilities in base images of software containers
Abstract
A system and method for detecting vulnerabilities in base images of software containers are disclosed. The method includes receiving an event indicating that at least one base image should be scanned for vulnerabilities, each base image including at least one image layer, wherein the event designates at least one source of the at least one base image, wherein the at least one base image includes resources utilized to execute at least a software container; extracting contents of each image layer of each base image; scanning the extracted contents to detect at least one vulnerability; and generating a detection event when the at least one vulnerability is detected.
85 Citations
33 Claims
1. A method for detecting vulnerabilities in base images of software containers, comprising:
- receiving an event indicating that at least one base image should be scanned for vulnerabilities, each base image including at least one image layer, wherein the event designates at least one source of the at least one base image, wherein the at least one base image includes resources utilized to execute at least a software container;
- extracting contents of each image layer of the at least one base image;
- scanning the extracted contents to detect at least one vulnerability;
- generating a detection event, when the at least one vulnerability is detected;
- generating a unitary signature for each layer of the at least one base image when no vulnerability is detected;
- determining, after saving the unitary signature in a database, if repeated scanning of the at least one base image is required based on the unitary signature generated for each layer of the at least one base image, wherein the contents of each layer are extracted and scanned again when it is determined that repeated scanning is required; and
- generating a safe event when no vulnerability is detected.

Dependent claims: 2-16.

17. A host device for detecting vulnerabilities in software containers at runtime, comprising:
- a processing system; and
- a memory, the memory containing instructions that, when executed by the processing system, configure the host device to:
  - receive an event indicating that at least one base image should be scanned for vulnerabilities, each base image including at least one image layer, wherein the event designates at least one source of the at least one base image, wherein the at least one base image includes resources utilized to execute at least a software container;
  - extract contents of each image layer of the at least one base image;
  - scan the extracted contents to detect at least one vulnerability;
  - generate a detection event, when the at least one vulnerability is detected;
  - generate a unitary signature for each layer of the at least one base image when no vulnerability is detected;
  - determine, after saving the unitary signature in a database, if repeated scanning of the at least one base image is required based on the unitary signature generated for each layer of the at least one base image, wherein the contents of each layer are extracted and scanned again when it is determined that repeated scanning is required; and
  - generate a safe event when no vulnerability is detected.

Dependent claims: 18-32.

33. A non-transitory computer readable medium having stored thereon instructions for causing a processing system to execute a process for detecting vulnerabilities in software containers at runtime, the process comprising:
- receiving an event indicating that at least one base image should be scanned for vulnerabilities, each base image including at least one image layer, wherein the event designates at least one source of the at least one base image, wherein the at least one base image includes resources utilized to execute at least a software container;
- extracting contents of each image layer of the at least one base image;
- scanning the extracted contents to detect at least one vulnerability;
- generating a detection event, when the at least one vulnerability is detected;
- generating a unitary signature for each layer of the at least one base image when no vulnerability is detected;
- determining, after saving the unitary signature in a database, if repeated scanning of the at least one base image is required based on the unitary signature generated for each layer of the at least one base image, wherein the contents of each layer are extracted and scanned again when it is determined that repeated scanning is required; and
- generating a safe event when no vulnerability is detected.
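The scan loop that the three independent claims describe, written out as an added Python example (this is illustrative code, not the patent holder's implementation): a base image is walked layer by layer, each layer's extracted files are checked against a vulnerability feed, a vulnerable layer produces a detection event, a clean layer gets a unitary signature saved in a signature database and produces a safe event, and on the next scan request the saved signature decides whether that layer must be extracted and scanned again. Everything concrete here is an assumption: the image is modelled as a dict of layers mapping file paths to bytes, the vulnerability feed and its `VULN-PLACEHOLDER-*` identifiers are constructed, and treating a change of feed version as the trigger for repeated scanning is one reasonable reading of the claim, not something the page specifies.

```python
"""Per-layer static scan of a container base image with a signature cache.
Illustrative example modelled on the claims above; not the patent holder's code."""
import hashlib
import re

# --- Constructed sample data (stand-ins, not real images or advisories) ------
# A base image is an ordered list of layers; each layer maps a file path to the
# bytes that would have been extracted from that layer's tarball.
SAMPLE_IMAGE = {
    "name": "example.invalid/base:1.0",  # constructed image reference
    "layers": [
        {"id": "layer-os", "files": {
            "/var/lib/dpkg/status": (
                b"Package: openssl\nVersion: 3.0.1\n\n"
                b"Package: zlib1g\nVersion: 1.2.13\n"),
        }},
        {"id": "layer-app", "files": {
            "/app/requirements.txt": b"requests==2.31.0\n",
        }},
    ],
}

# Constructed vulnerability feed: exact (ecosystem, package, version) matches
# with placeholder ids. A second feed version adds one more entry.
FEED_V1 = {"version": "feed-v1", "entries": [
    ("dpkg", "openssl", "3.0.1", "VULN-PLACEHOLDER-1"),
]}
FEED_V2 = {"version": "feed-v2", "entries": FEED_V1["entries"] + [
    ("pypi", "requests", "2.31.0", "VULN-PLACEHOLDER-2"),
]}


def layer_signature(files: dict) -> str:
    """Unitary signature for one layer: SHA-256 over sorted (path, content hash) pairs."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode())
        h.update(b"\0")
        h.update(hashlib.sha256(files[path]).digest())
    return h.hexdigest()


def extract_packages(files: dict) -> list:
    """Pull (ecosystem, name, version) triples from a dpkg status file and pip requirements."""
    pkgs = []
    status = files.get("/var/lib/dpkg/status")
    if status:
        for stanza in status.decode().split("\n\n"):
            fields = dict(re.findall(r"^(\w+): (.+)$", stanza, re.M))
            if "Package" in fields and "Version" in fields:
                pkgs.append(("dpkg", fields["Package"], fields["Version"]))
    reqs = files.get("/app/requirements.txt")
    if reqs:
        for line in reqs.decode().splitlines():
            m = re.match(r"^\s*([A-Za-z0-9_.-]+)==([^\s#]+)", line)
            if m:
                pkgs.append(("pypi", m.group(1), m.group(2)))
    return pkgs


def scan_layer(files: dict, feed: dict) -> list:
    """Return the ids of feed entries whose package/version is present in the layer."""
    present = set(extract_packages(files))
    return [vid for eco, name, ver, vid in feed["entries"] if (eco, name, ver) in present]


class SignatureStore:
    """Database of unitary signatures for layers that scanned clean, remembering
    which feed version cleared each one (feed-version check is an assumption)."""

    def __init__(self):
        self.clean = {}

    def needs_rescan(self, signature: str, feed: dict) -> bool:
        # Rescan unless this exact layer content was already cleared against this feed.
        return self.clean.get(signature) != feed["version"]

    def save(self, signature: str, feed: dict) -> None:
        self.clean[signature] = feed["version"]


def scan_image(image: dict, feed: dict, store: SignatureStore) -> list:
    """Handle one 'scan requested' event and return the detection/safe events per layer."""
    events = []
    for layer in image["layers"]:
        sig = layer_signature(layer["files"])
        if not store.needs_rescan(sig, feed):
            events.append({"type": "safe", "layer": layer["id"], "cached": True})
            continue
        findings = scan_layer(layer["files"], feed)
        if findings:
            # Vulnerable layers get no saved signature, so they are rescanned next time.
            events.append({"type": "detection", "layer": layer["id"], "vulns": findings})
        else:
            store.save(sig, feed)
            events.append({"type": "safe", "layer": layer["id"], "cached": False})
    return events


if __name__ == "__main__":
    db = SignatureStore()
    for feed in (FEED_V1, FEED_V1, FEED_V2):
        print(feed["version"], scan_image(SAMPLE_IMAGE, feed, db))
```

Running the block scans the constructed image three times: the first pass flags the OS layer and clears the application layer, the second pass serves the application layer from its saved signature while re-extracting the still-vulnerable OS layer, and the third pass, against the newer feed, rescans everything and now also flags the application layer.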
Specification