JP2020154861A - Container image verification device, container image verification method, and container image verification program - Google Patents

Abstract

To secure safety of a container image while reducing consumption of calculation resources by processing for verifying fragility.SOLUTION: In a container image verification system, a simple information acquisition unit 121 acquires a container configuration file from a container image database 160, and specifies a version of a package. A simple collation unit 123 performs simple verification for determining presence/absence of fragility of the package included in a container image on the basis of fragility information 170 in which the version of the package is associated with the presence/absence of fragility. A detailed information acquisition unit 131 executes the container image of which fragility is determined to be present by simple verification as a detailed verification object container image, and acquires package information included in the detailed verification object container image. A detailed collation unit 132 performs detailed verification for determining the presence/absence of fragility of the package included in the detailed verification object container image on the basis of the fragility information 170.SELECTED DRAWING: Figure 1

Description

The present invention relates to a container image verification device, a container image verification method, and a container image verification program.

When acquiring the container image used in the container environment from the public registry, there is a risk of downloading the vulnerable image. Also, even if it is initially safe, there is a possibility to create a container image with vulnerable packages added in the container environment. If a container image with such a vulnerability is deployed on a system that is open to the Internet, there is a risk of being attacked by a cyber attack and causing damage to the system.

Patent Document 1 includes a container image acquisition device and a distribution device. The acquisition device accepts input of information for specifying the version of the container image, identifies the version, and notifies the distribution device. The distribution device transmits the corresponding version of the container image to the acquisition device.

JP-A-2018-63629

In Patent Document 1, the container image distributed by the distribution device may contain a vulnerable software package. However, there is no mechanism to verify such vulnerabilities and ensure the safety of container images. Vulnerabilities can be verified by executing container images, but since all container images are executed to verify vulnerabilities, the consumption of computational resources is high.

An object of the present invention is to ensure the safety of the container image while reducing the consumption of computational resources by the process of verifying the vulnerability.

The container image verification device according to the present invention is a container image verification device that verifies the vulnerability of a container image.
A simple information acquisition unit that acquires the container configuration file from the container image database that stores the container configuration file that represents the procedure for generating the container image, and specifies the version of the package included in the container image.
A simple collation unit that performs simple verification to determine the presence or absence of vulnerabilities in the package included in the container image based on the vulnerability information associated with the version of the package included in the container image and the presence or absence of vulnerabilities. ,
A detailed information acquisition unit that executes a container image determined to be vulnerable by the simple verification as a container image subject to detailed verification and acquires package information included in the container image subject to detailed verification.
Based on the vulnerability information, it is provided with a detailed collation unit that performs detailed verification for determining the presence or absence of vulnerabilities in the package included in the detailed verification target container image.

The simple information acquisition unit
The package installation command that constitutes the generation procedure is extracted from the container configuration file, and the version of the package is specified based on the package installation command in which the version of the package is specified.

The container image database includes the modification date and time of the container image.
The vulnerability information includes the latest update date.
When the version of the package cannot be specified, the simple collation unit compares the update date and time of the container image included in the container image database with the latest update date and time of the vulnerability information, and the update date and time of the container image. If the vulnerability information is subsequently updated, it is determined that the package included in the container image is vulnerable.

The simple collation unit stores the result of the simple verification in the container image database, and stores the result of the simple verification.
The detailed collation unit stores the result of the detailed verification in the container image database, and stores the result of the detailed verification.
The container image verification device is
Based on the container image database, it is provided with a container image selection unit that determines whether or not the container image determined to be vulnerable can be updated as a vulnerable container image and updates the vulnerable container image if it can be updated. ..

The container image selection unit
If it is determined that the vulnerability container image cannot be updated, the vulnerability container image is deleted from the public registry that stores the container image to be distributed to the production environment published on the Internet.

The container image verification method according to the present embodiment is the container image verification method of the container image verification device for verifying the vulnerability of the container image.
The simple information acquisition unit acquires the container configuration file from the container image database in which the container configuration file representing the container image generation procedure is stored, identifies the version of the package included in the container image, and determines the version of the package.
The simple collation unit performs a simple verification to determine the presence or absence of vulnerabilities in the package included in the container image based on the vulnerability information associated with the version of the package included in the container image and the presence or absence of vulnerabilities. Do,
The detailed information acquisition unit executes the container image determined to be vulnerable by the simple verification as the detailed verification target container image, acquires the package information included in the detailed verification target container image, and obtains the package information.
Based on the vulnerability information, the detailed collation unit performs detailed verification for determining the presence or absence of vulnerabilities in the package included in the detailed verification target container image.

The container image verification program according to this embodiment is used in the container image verification program of the container image verification device that verifies the vulnerability of the container image.
A simple information acquisition process that acquires the container configuration file from the container image database that stores the container configuration file that represents the procedure for generating the container image and specifies the version of the package included in the container image.
Based on the vulnerability information associated with the version of the package included in the container image and the presence or absence of vulnerabilities, a simple collation process for performing simple verification to determine the presence or absence of vulnerabilities in the package included in the container image. ,
The detailed information acquisition process of executing the container image determined to be vulnerable by the simple verification as the detailed verification target container image and acquiring the package information included in the detailed verification target container image, and
Based on the vulnerability information, the container image verification device, which is a computer, is made to execute a detailed collation process for performing detailed verification for determining the presence or absence of vulnerabilities in the package included in the detailed verification target container image.

In the container image verification device according to the present invention, the simple information acquisition unit acquires the container configuration file from the container image database and specifies the version of the package included in the container image. Based on the vulnerability information, the simple collation unit performs simple verification to determine the presence or absence of vulnerabilities in the package included in the container image. Then, the detailed collation unit performs detailed verification on the container image to be detailed verification that is determined to be vulnerable by simple verification. Therefore, according to the container image verification device according to the present invention, detailed verification is performed only on the container image subject to detailed verification determined to be vulnerable by simple verification, so that the amount of computational resources consumed by the container image verification process is consumed. Has the effect of being able to reduce.

The overall block diagram of the container image verification system which concerns on Embodiment 1. FIG. The flow chart of the container image acquisition process which concerns on Embodiment 1. FIG. The flow chart of the container image database registration process which concerns on Embodiment 1. FIG. The flow chart of the container image utilization processing which concerns on Embodiment 1. FIG. The flow chart of the container image periodical verification process which concerns on Embodiment 1. FIG. The flow chart of the container image verification process which concerns on Embodiment 1. FIG. The flow diagram of the simple verification process of the container image which concerns on Embodiment 1. FIG. An example of the container configuration file and vulnerability information according to the first embodiment. The flow chart of the vulnerability information acquisition process which concerns on Embodiment 1. The flow chart of the acquisition process of the latest update date information of the vulnerability information which concerns on Embodiment 1. FIG. FIG. 5 is a flow chart of an extraction process of package name and version information according to the first embodiment. FIG. 5 is a flow chart of a simple package information acquisition process from the container configuration file according to the first embodiment. FIG. 5 is a flow chart of a simple package information acquisition process from the container configuration file (rpm command) according to the first embodiment. FIG. 5 is a flow chart of a simple package information acquisition process from the container configuration file (yum command) according to the first embodiment. The flow chart of the detailed verification process of the container image which concerns on Embodiment 1. FIG. FIG. 5 is a flow chart of a detailed package information acquisition process of the detailed verification process according to the first embodiment. An example of a package list according to the first embodiment. The flow chart of the package name / version information extraction process from the package list which concerns on Embodiment 1. The flow chart of the container image update / deletion process which concerns on Embodiment 1. FIG. FIG. 5 is a flow chart of a container image updateability determination process according to the first embodiment. The flow chart of the container image update process which concerns on Embodiment 1. FIG. FIG. 5 is a flow chart of a container image distribution device update process according to the first embodiment. The flow chart of the container image deletion processing which concerns on Embodiment 1. FIG. FIG. 5 is a flow chart of a container image production environment utilization process according to the first embodiment. The figure which shows the flow of data which concerns on Embodiment 1. FIG. The hardware configuration diagram of the container image verification apparatus which concerns on Embodiment 1. FIG.

Hereinafter, the present embodiment will be described with reference to the drawings. In each figure, the same or corresponding parts are designated by the same reference numerals. In the description of the embodiment, the description will be omitted or simplified as appropriate for the same or corresponding parts.

Embodiment 1.
*** Explanation of configuration ***
FIG. 1 is an overall configuration diagram of the container image verification system 500 according to the present embodiment.
The container image verification system 500 includes a container image verification device 100, a local registry 200, and a container image distribution device 300.
Here, the outline of the function of each component of the container image verification system 500 will be described.

The local registry 200 stores a container image 210 published on the Internet. The local registry 200 stores a container image previously acquired from the public registry via the Internet, or a container image modified in the development environment 50. The local registry 200 distributes the container image 210 to the development environment 50.
The package management system 220 is a system that manages packages inside the container image.

The container image verification device 100 verifies the vulnerability of the container image. That is, the container image verification device 100 determines whether or not the container image contains a vulnerability, and deletes the container image containing the vulnerability.
The container image verification device 100 includes a simple verification unit 120, a detailed verification unit 130, a container image selection unit 150, a container image database 160, and vulnerability information 170. The simple verification unit 120 includes a simple information acquisition unit 121, a vulnerability information acquisition unit 122, and a simple collation unit 123. The detailed verification unit 130 includes a detailed information acquisition unit 131 and a detailed collation unit 132.
The container image verification device 100 verifies the presence or absence of vulnerabilities in the container image 210 stored in the local registry 200, and saves the result in the container image database 160. Further, the container image verification device 100 selects the container image to be duplicated by the container image distribution device 300 by the container image selection unit 150.

The container image database 160 manages the following information of the container image.
・ Container image ID
・ Container image update date and time ・ Container image simple verification result ・ Container image update availability ・ Container configuration file ・ Container image detailed verification result ・ Package information ・ Vulnerable package name

The simple information acquisition unit 121 acquires the container configuration file from the container image database 160 in which the container configuration file representing the container image generation procedure is stored. Then, the simple information acquisition unit 121 specifies the version of the package included in the container image. The simple information acquisition unit 121 is also referred to as a simple package information acquisition unit.

The detailed information acquisition unit 131 executes the container image determined to be vulnerable by the simple verification as the detailed verification target container image. Then, the detailed information acquisition unit 131 acquires the package information included in the detailed verification target container image. The detailed information acquisition unit 131 executes the container image from the package management system 220, acquires a list of installed packages, and stores the following information in the container image database 160.
・ Package name ・ Version information

Vulnerability information acquisition unit 122 acquires vulnerability information 170 from a vulnerability information database existing on the Internet, and stores the following information in a local vulnerability information database.
・ Vulnerability information ID
・ Package name ・ Version information

Vulnerability information 170 exists in the container image verification device 100. Vulnerability information 170 is information in which the version of the package included in the container image is associated with the presence or absence of vulnerabilities. Vulnerability information 170 includes package vulnerability information and the latest update date.

The simple collation unit 123 performs simple verification for determining the presence or absence of vulnerabilities in the package included in the container image based on the vulnerability information 170. The simple collation unit 123 collates the information of the container image database 160 with the vulnerability information 170. The simple collation unit 123 collates the package information of the container image with the vulnerability information 170, and determines that there is a vulnerability if there is a matching package and that there is no vulnerability if there is no matching package.

The detailed collation unit 132 determines whether or not there is a vulnerability in the container image (container image subject to detailed verification) that has been determined to be vulnerable by simple verification, and inputs the container image name and its detailed verification result into the container image database 160. ..

The container image selection unit 150 updates and deletes the container image of the local registry 200 and the container image distribution device 300 based on the simple verification result and the detailed verification result stored in the container image database 160. For the vulnerable container image, try updating the container image in the local registry 200. If the update is not possible, the container image is distributed only to the local registry 310 and deleted from the public registry 320.

The container image distribution device 300 distributes the container image to the production environment. The container image distribution device 300 is composed of a local registry 310 and a public registry 320. Different IP addresses are assigned to the local registry 310 and the public registry 320, and access control is performed by the firewall 70.

The local registry 310 distributes the container image only to the production environment (local) 90. All container images of the local registry 200 are duplicated and stored.
The public registry 320 distributes the container image to the production environment (local) 90 and the production environment (public) 80. Of the container images in the local registry 200, only the container images determined to be safe by the container image verification device 100 are duplicated and stored.

The production environment (local) 90 is a production environment existing in a network segment that does not accept connections from the Internet 30. On the other hand, the production environment (public) 80 is a production environment existing in a network segment that accepts connections from the Internet 30.

*** Explanation of operation ***
The container image verification process by the container image verification system 500 according to the present embodiment will be described.

FIG. 2 is a flow chart of the container image acquisition process according to the present embodiment.
As a usage pattern of the container image verification system 500, it is assumed that the administrator acquires a new container image from the public registry and the developer develops using the container image. The container image acquisition process in which the administrator acquires the container image from the public registry each time will be described below.

In step S101, the container image acquisition from the public registry is started.
In step S102, the container image is downloaded from the public registry.
In step S103, the container image database registration process is executed.
In step S104, the container image verification process is performed.

FIG. 3 is a flow chart of the container image database registration process according to the present embodiment.
In step S201, the following information of the container image is registered in the container image database.
・ Container image ID
-Container image update date and time-Container configuration file

FIG. 4 is a flow chart of the container image utilization process according to the present embodiment.
The container image utilization process is a process in which the developer uses the acquired container image.
In step S301, the container image utilization process is started.
In step S302, the container image is expanded from the local registry 200 to the development environment 50.
In step S303, the necessary changes are made to the expanded container image.
In step S304, the container image is committed and saved in the local registry 200.
In step S305, the container image database registration process is executed.
In step S306, the container image verification process is performed.

FIG. 5 is a flow chart of the container image periodic verification process according to the present embodiment.
The container image periodic verification process is performed periodically in order to respond to the update of vulnerability information.
In step S401, the container image periodic verification process is started.
In step S402, vulnerability information is acquired from the vulnerability information database.
In step S403, the container image verification process is performed on all the container images on the local registry 200 (step S404).

<Container image verification process>
FIG. 6 is a flow chart of the container image verification process according to the present embodiment.
There are the following two methods for obtaining the package information of the container image by the container image verification device 100.
(A) Expand the container from the container image, log in to the inside, and check.
(B) The package information is estimated from the container image configuration file and the modification date.
Although the method (a) above can obtain all the package information, it consumes computational resources to deploy the container. Verification of the presence or absence of vulnerabilities in container images is divided into two stages, and only container images judged to be dangerous by method (b) are judged by method (a), which consumes computational resources. The amount can be suppressed.

In step S501, the simple verification unit 120 performs a simple verification process of the container image.
In step S502, if the container image is safe, the process ends.
If the container image is not safe in step S502, the detailed verification unit 130 performs a detailed verification process (step S503).

If the container image (container image subject to detailed verification) is vulnerable in step S504, the container image update / deletion process is executed (step S505). Then, the process proceeds to step S506.
If the container image (container image subject to detailed verification) is not vulnerable in step S504, the process proceeds to step S506.
In step S506, the container image is deleted from the verification server.

<Simple verification process>
FIG. 7 is a flow chart of a simple verification process of the container image according to the present embodiment.
First, an outline of the simple verification process by the simple verification unit 120 will be described.
The simple information acquisition unit 121 acquires the container configuration file from the container image database 160 in which the container configuration file representing the container image generation procedure is stored. Then, the simple information acquisition unit 121 specifies the version of the package included in the container image. More specifically, the simple information acquisition unit 121 extracts the package installation command that configures the generation procedure from the container configuration file, and specifies the package version based on the package installation command in which the package version is specified.

The simple collation unit 123 performs simple verification for determining the presence or absence of vulnerabilities in the package included in the container image based on the vulnerability information 170 in which the version of the package included in the container image and the presence or absence of vulnerabilities are associated with each other. Do.
Further, when the package version cannot be specified, the simple collation unit 123 compares the update date and time of the container image included in the container image database 160 with the latest update date and time of the vulnerability information 170. Then, when the vulnerability information 170 is updated after the update date and time of the container image, the simple collation unit 123 determines that the package included in the container image is vulnerable.
The simple collation unit 123 stores the result of the simple verification in the container image database 160.
A specific example of the simple verification process of the container image is as follows.

In step S601, the vulnerability information acquisition process by the vulnerability information acquisition unit 122 of the simple verification unit 120 is executed.
In step S602, the simple package information acquisition process from the container configuration file is executed by the simple information acquisition unit 121 of the simple verification unit 120.

FIG. 8 is a diagram showing an example of a container configuration file and vulnerability information according to the present embodiment.
In the simple verification process, package information is extracted from the container configuration file. A Dockerfile is shown as an example of a container configuration file.
In the line where "RUN" is described in the above configuration file, the package installation command to be executed when the container image is created is described. The rpm command installs a specific version of the rpm package, and the yum command upgrades to the latest version at the time the container image was created.

In step S603, the simple collation unit 123 of the simple verification unit 120 determines whether or not the package information exists. If the package information exists, the process proceeds to step S604. If the package information does not exist, the process proceeds to step S605.

In step S604, the simple collation unit 123 determines whether the package information and the vulnerability information have the same package name and version information. If there is a match, the process proceeds to step S606. If there is no match, the process proceeds to step S605.
In step S606, the simple collation unit 123 determines that the container image is vulnerable (has a risk).

In step S605, the simple collation unit 123 determines whether or not the update date and time is before the latest update date of the vulnerability information. If the update date and time is before the latest update date of the vulnerability information, the container image is determined to be vulnerable (hazardous) in step S606. If the update date is not before the latest update date of the vulnerability information, the container image is determined to be "safe" in step S607.

As described above, when the package name and version of the container image are specified, the simple collation unit 123 determines the presence or absence of a vulnerability by collating with the package name and version of the vulnerability information. If the version is not specified, the simple collation unit 123 assumes that the latest version of the package at the time of creating the container image is installed, and compares the update date and time of the container image with the latest update date of the vulnerability information. .. The simple verification unit 120 compares the update date and time of the container image with the latest update date of the vulnerability information, and confirms whether or not there is vulnerability information after the update date and time of the container image. If there is vulnerability information, it is determined that there is a vulnerability (dangerous) because the installed package may not correspond to the vulnerability.

FIG. 9 is a flow chart of the vulnerability information acquisition process according to the present embodiment.
In step S701, the vulnerability information acquisition unit 122 acquires vulnerability information from the vulnerability information database on the Internet.
In step S702, the vulnerability information acquisition unit 122 performs a process of extracting the package name and version information from the vulnerability information.
In step S703, the vulnerability information acquisition unit 122 executes an acquisition process for acquiring the latest update date information of the vulnerability information.
In step S704, the vulnerability information acquisition unit 122 stores the vulnerability information ID, package name, version information, and latest update date information in the local vulnerability information 170 (vulnerability information database).

The example of vulnerability information in FIG. 8 is an example of the one provided by Redhat Security Data. In the example of vulnerability information in FIG. 8, information in which a package of Redhat having a vulnerability and CVE which is a vulnerability information ID are mapped is described in XML format.

FIG. 10 is a flow chart of an acquisition process of the latest update date information of the vulnerability information according to the present embodiment.
In step S801, the vulnerability information acquisition unit 122 extracts a line containing the character string “erratum released”.
In step S802, the vulnerability information acquisition unit 122 uses the equal “=” as a delimiter and extracts a character string including the date on the right side.
In step S803, the vulnerability information acquisition unit 122 uses double quotation marks as delimiters and extracts the date portion.
In step S804, the vulnerability information acquisition unit 122 acquires the date of the last line as the latest update date of the vulnerability information.

FIG. 11 is a flow chart of a package name and version information extraction process according to the present embodiment.
In step S901, the vulnerability information acquisition unit 122 extracts a line containing the character string “rpm”.
In step S902, the vulnerability information acquisition unit 122 acquires the character string of the package name and version information on the right side with the equal “=” as the delimiter.
In step S903, the vulnerability information acquisition unit 122 removes the double quotation mark.
In step S904, the vulnerability information acquisition unit 122 uses the character string "-0:" as a delimiter and divides it into a package name and version information.
In step S905, the vulnerability information acquisition unit 122 acquires the package name.
In step S906, the vulnerability information acquisition unit 122 acquires three numbers separated by dots (.) As version information for the version information.

FIG. 12 is a flow chart of a simple package information acquisition process from the container configuration file according to the present embodiment.
FIG. 12 is a simple package information acquisition process for extracting package information from the container configuration file. Here, it is assumed that the package is installed by the rpm command and the yum command as shown in the example of the container configuration file.
In step S1001, the simple information acquisition unit 121 extracts the yum command from the container configuration file.
If the yum command exists in step S1002, the simple information acquisition unit 121 executes the simple package information acquisition process from the yum command (step S1003).
If the yum command does not exist in step S1002, the simple information acquisition unit 121 extracts the rpm command (step S1004).
If the rpm command exists in step S1005, the simple information acquisition unit 121 executes the simple package information acquisition process from the rpm command (step S1006).

FIG. 13 is a flow chart of a simple package information acquisition process from the container configuration file according to the present embodiment.
FIG. 13 is a simple package information acquisition process from the rpm command when the package is installed by the rpm command.
In step S1011, the simple information acquisition unit 121 extracts a character string including the package name and version information on the left side, using the character string ".rpm" as a delimiter.
In step S1012, the simple information acquisition unit 121 divides the package name and the version information by using the character string "-" as a delimiter.
In step S1013, the simple information acquisition unit 121 acquires the package name.
In step S1014, the simple information acquisition unit 121 acquires three numbers separated by dots (.) As version information for the version information.

FIG. 14 is a flow chart of a simple package information acquisition process from the container configuration file according to the present embodiment.
FIG. 14 is a simple package information acquisition process from the yum command when the package is installed by the yum command.
In step S1021, the simple information acquisition unit 121 searches for the presence or absence of a numerical value in the yum line.
In step S1022, if a numerical value exists, the simple information acquisition unit 121 uses the character string "-" as a delimiter and divides the package name and the version information (step S1023).
If the numerical value does not exist in step S1022, the process ends.
In step S1024, the simple information acquisition unit 121 acquires the package name.
In step S1025, the simple information acquisition unit 121 acquires three numbers separated by dots (.) As version information for the version information.

<Detailed verification process>
FIG. 15 is a flow chart of a detailed verification process of the container image according to the present embodiment.
The detailed verification process of the container image of FIG. 15 is a process of performing detailed verification of the container image determined to be vulnerable (has a risk) in the simple verification process. A container image that is determined to be vulnerable (has a risk) by the simple verification process is used as the container image for detailed verification.

The detailed information acquisition unit 131 executes the container image determined to be vulnerable by the simple verification as the detailed verification target container image, and acquires the package information included in the detailed verification target container image.
The detailed collation unit 132 performs detailed verification for determining the presence or absence of vulnerabilities in the package included in the detailed verification target container image based on the vulnerability information.

In the simple verification process, the package information and the local vulnerability information database are referred to, the package name and version information are compared, and if there is a match, it is determined that there is a vulnerability (risk). If there is no match, it is determined that there is no vulnerability (no danger), and the simple verification result is saved in the container image database 160. At this time, the vulnerability information 170 acquired by the vulnerability information acquisition unit 122 is stored in the local vulnerability information database.

In step S1031, the detailed information acquisition unit 131 of the detailed verification unit 130 executes the detailed package information acquisition process for acquiring the package information from the detailed verification target container image.
In step S1032, the detailed collation unit 132 of the detailed verification unit 130 executes the vulnerability information acquisition process for acquiring the vulnerability information 170 from the local vulnerability information database.
In step S1033, the detailed collation unit 132 determines whether the package information and the vulnerability information have the same package name and version information. If there is a match, the detailed collation unit 132 determines that there is a vulnerability (step S1034). If there is no match, the detailed collation unit 132 determines that there is no vulnerability (step S1035).
In step S1036, the detailed collation unit 132 stores the result of the detailed verification in the container image database 160.

FIG. 16 is a flow chart of a detailed package information acquisition process of the detailed verification process according to the present embodiment.
The detailed information acquisition unit 131 acquires a package list from the container image of the local registry 200 in the following sequence. The container image here is a container image subject to detailed verification.
In step S1041, the detailed information acquisition unit 131 executes the container image on the container image execution server and logs in.
In step S1042, the detailed information acquisition unit 131 acquires the package list by the function of the package management system.
In step S1043, the detailed information acquisition unit 131 executes the package name and version information extraction process from the package list.
In step S1044, the detailed information acquisition unit 131 saves the package name and version information as the package information of the container image database 160.

FIG. 17 is a diagram showing an example of a package list according to the present embodiment. FIG. 17 is an output example of a package list by rpm, which is a package management system.

FIG. 18 is a flow chart of the package name / version information extraction process from the package list according to the present embodiment.
The detailed information acquisition unit 131 extracts the package name and version information from the package list.
In step S1051, the detailed information acquisition unit 131 uses a hyphen (−) as a delimiter and divides it into a package name and a version.
In step S1052, the detailed information acquisition unit 131 acquires the package name.
In step S1053, the detailed information acquisition unit 131 acquires three numbers separated by dots (.) As version information for the version information.

<Container image update / deletion process>
FIG. 19 is a flow chart of the container image update / deletion process according to the present embodiment.
Based on the container image database 160, the container image selection unit 150 determines whether or not to update the container image determined to be vulnerable as a vulnerable container image. Then, the container image selection unit 150 updates the vulnerable container image if it can be updated. If it is determined that the vulnerable container image cannot be updated, the container image selection unit 150 deletes the vulnerable container image from the public registry 320 that stores the container image to be distributed to the production environment published on the Internet. To do.
Specifically, it is as follows.

In step S1061, the container image selection unit 150 executes a container image update possibility determination process for updating the vulnerable container image.
If the update can be performed in step S1062, the container image selection unit 150 executes the container image update process (step S1063). Here, the container image selection unit 150 stores both the container images before and after the update in the local registry 200 and the local registry 310 of the container image distribution device 300. Further, the container image selection unit 150 stores only the updated image in the public registry 320 of the container image distribution device 300.
If the update is not possible in step S1062, the container image selection unit 150 executes the container image deletion process (step S1064). If not possible, the container image selection unit 150 leaves the container image only in the local registry 200 and the local registry 310 of the container image distribution device 300, and deletes the container image from the public registry 320.

FIG. 20 is a flow chart of the container image updateability determination process according to the present embodiment.
The container image selection unit 150 executes a container image update possibility determination process for determining whether the container image can be updated.
In step S1071, the container image selection unit 150 acquires the vulnerable package name from the container image database.
In step S1072, the container image selection unit 150 expands the container image and logs in.
In step S1073, the container image selection unit 150 outputs a list of updatable packages by the function of the package management system and compares them with the vulnerable package names.

In step S1074, the container image selection unit 150 determines whether there is a match between the updatable package name and the vulnerable package name. If there is a match, in step S1075, the container image selection unit 150 determines that the update is possible. If there is no match, in step S1076, the container image selection unit 150 determines that the update is not possible.
In step S1077, the container image selection unit 150 saves the determination result in the container image database 160.

FIG. 21 is a flow chart of the container image update process according to the present embodiment.
The container image selection unit 150 executes a container image update process for updating the container image.
In step S1081, the container image selection unit 150 logs in to the container image and updates the vulnerable package.
In step S1082, the container image selection unit 150 creates a container image and writes it to the local registry.
In step S1083, the container image selection unit 150 updates the container image database.
In step S1084, the container image selection unit 150 executes the container image distribution device update process.

FIG. 22 is a flow chart of the container image distribution device update process according to the present embodiment.
The container image selection unit 150 executes a container image distribution device update process for updating the container image of the container image distribution device.
In step S1091, the container image selection unit 150 refers to the local registry 200 and replicates all the container images to the local registry 310.
In step S1092, the container image selection unit 150 refers to the container image database 160 and replicates only the container image determined to be safe to the public registry 320.

FIG. 23 is a flow chart of the container image deletion process according to the present embodiment.
The container image selection unit 150 executes a container image deletion process for deleting an unupdated container image from the public registry 320.
In step S111, the container image selection unit 150 deletes the vulnerable container image from the public registry 320.
In step S1112, the container image selection unit 150 updates the container image database 160.

FIG. 24 is a flow chart of the container image production environment utilization process according to the present embodiment.
The system administrator executes the container image production environment usage process for deploying the container image in the production environment (local) or the production environment (public).
In step S1121, the container image is expanded to the production environment (local) from the local registry 310 of the container image distribution device 300.
Further, in step S1131, the container image is expanded to the production environment (public) from the public registry 320 of the container image distribution device 300.

The flow of data according to this embodiment will be summarized with reference to FIG. 25.
(1) is the acquisition of the container image from the public registry.
(2) is a container image verification process of the local registry 200.
(3) is a vulnerability information acquisition process for acquiring vulnerability information from a vulnerability information database.
(4) is the use of the container image of the local registry 200 in the development environment.
(5) is a copy of the container image of the local registry 200 to the container image distribution device.
(6) is the use of the container image of the local registry 310 in the production environment (local).
(7) is the use of the container image of the public registry 320 in the production environment (public).

*** Hardware configuration ***
Here, the hardware configuration of the container image verification device 100 will be described with reference to FIG. 26.
The container image verification device 100 is a computer. The container image verification device 100 includes a processor 910 and other hardware such as a memory 921, an auxiliary storage device 922, an input interface 930, an output interface 940, and a communication device 950. The processor 910 is connected to other hardware via a signal line and controls these other hardware.

The container image verification device 100 has, as functional elements, a simple information acquisition unit 121, a vulnerability information acquisition unit 122, a simple collation unit 123, a detailed information acquisition unit 131, a detailed collation unit 132, a container image selection unit 150, and a container image database 160. , And vulnerability information 170.

The functions of the simple information acquisition unit 121, the vulnerability information acquisition unit 122, the simple collation unit 123, the detailed information acquisition unit 131, the detailed collation unit 132, and the container image selection unit 150 are realized by software. The container image database 160 and the vulnerability information 170 are provided in the memory 921. Alternatively, the container image database 160 and the vulnerability information 170 may be provided in the auxiliary storage device 922. Further, the container image database 160 and the vulnerability information 170 may be separately provided in the memory 921 and the auxiliary storage device 922.

The processor 910 is a device that executes a container image verification program. The container image verification program is a program that realizes the functions of the simple information acquisition unit 121, the vulnerability information acquisition unit 122, the simple collation unit 123, the detailed information acquisition unit 131, the detailed collation unit 132, and the container image selection unit 150.
The processor 910 is an IC (Integrated Circuit) that performs arithmetic processing. A specific example of the processor 910 is a CPU (Central Processing).
Unit), DSP (Digital Signal Processor), GPU (Graphics Processing Unit).

The memory 921 is a storage device that temporarily stores data. A specific example of the memory 921 is a SRAM (Static Random Access Memory) or a DRAM (Dynamic Random Access Memory).
The auxiliary storage device 922 is a storage device that stores data. A specific example of the auxiliary storage device 922 is an HDD. Further, the auxiliary storage device 922 may be a portable storage medium such as an SD (registered trademark) memory card, CF, NAND flash, flexible disc, optical disk, compact disc, Blu-ray (registered trademark) disc, or DVD. HDD is an abbreviation for Hard Disk Drive. SD® is an abbreviation for Secure Digital. CF is an abbreviation for CompactFlash®. DVD is an abbreviation for Digital Versaille Disc.

The input interface 930 is a port connected to an input device such as a mouse, keyboard, or touch panel. Specifically, the input interface 930 is a USB (Universal Serial Bus) terminal. The input interface 930 may be a port connected to a LAN (Local Area Network).
The output interface 940 is a port to which a cable of an output device such as a display is connected. Specifically, the output interface 940 is a USB terminal or an HDMI (registered trademark) (High Definition Interface Interface) terminal. Specifically, the display is an LCD (Liquid Crystal Display).

The communication device 950 has a receiver and a transmitter. The communication device 950 is wirelessly connected to a communication network such as a LAN, the Internet, or a telephone line. Specifically, the communication device 950 is a communication chip or a NIC (Network Interface).
Card).

The container image verification program is read into processor 910 and executed by processor 910. In the memory 921, not only the container image verification program but also the OS (Operating System) is stored. The processor 910 executes the container image verification program while executing the OS. The container image verification program and the OS may be stored in the auxiliary storage device 922. The container image verification program and the OS stored in the auxiliary storage device 922 are loaded into the memory 921 and executed by the processor 910. A part or all of the container image verification program may be incorporated in the OS.

The container image verification device 100 may include a plurality of processors that replace the processor 910. These multiple processors share the execution of the container image verification program. Each processor, like the processor 910, is a device that executes a container image verification program.

Data, information, signal values and variable values used, processed or output by the container image verification program are stored in a memory 921, an auxiliary storage device 922, or a register or cache memory in the processor 910.

"Processing", "procedure" or "procedure" of each part of the simple information acquisition unit 121, the vulnerability information acquisition unit 122, the simple collation unit 123, the detailed information acquisition unit 131, the detailed collation unit 132, and the container image selection unit 150. It may be read as "process". In addition, the "process" of simple information acquisition processing, vulnerability information acquisition processing, simple collation processing, detailed information acquisition processing, detailed collation processing, and container image selection processing is "program", "program product", or "computer reading that records the program". It may be read as "possible recording medium".
The container image verification program causes a computer to execute each process, each procedure or each process in which the "part" of each of the above parts is read as "process", "procedure" or "process". Further, the container image verification method is a method performed by the container image verification device 100 executing a container image verification program.
The container image verification program may be provided stored in a computer-readable recording medium. Further, the container image verification program may be provided as a program product.

*** Other configurations ***
<Modification example 1>
In the present embodiment, the functions of the simple information acquisition unit 121, the vulnerability information acquisition unit 122, the simple collation unit 123, the detailed information acquisition unit 131, the detailed collation unit 132, and the container image selection unit 150 are realized by software. As a modification, the functions of the simple information acquisition unit 121, the vulnerability information acquisition unit 122, the simple collation unit 123, the detailed information acquisition unit 131, the detailed collation unit 132, and the container image selection unit 150 may be realized by hardware. In that case, the container image verification device 100 includes an electronic circuit instead of the processor 910.

The electronic circuit is a dedicated electronic circuit that realizes the functions of the simple information acquisition unit 121, the vulnerability information acquisition unit 122, the simple collation unit 123, the detailed information acquisition unit 131, the detailed collation unit 132, and the container image selection unit 150.
The electronic circuit is specifically a single circuit, a composite circuit, a programmed processor, a parallel programmed processor, a logic IC, a GA, an ASIC, or an FPGA. GA is an abbreviation for Gate Array. ASIC is an abbreviation for Application Specific Integrated Circuit. FPGA is an abbreviation for Field-Programmable Gate Array.

The functions of the simple information acquisition unit 121, the vulnerability information acquisition unit 122, the simple collation unit 123, the detailed information acquisition unit 131, the detailed collation unit 132, and the container image selection unit 150 may be realized by one electronic circuit. It may be realized by being distributed in a plurality of electronic circuits.
As another modification, some functions of the simple information acquisition unit 121, the vulnerability information acquisition unit 122, the simple collation unit 123, the detailed information acquisition unit 131, the detailed collation unit 132, and the container image selection unit 150 are realized by an electronic circuit. The remaining functions may be realized by software.
Further, as another modification, some or all the functions of the simple information acquisition unit 121, the vulnerability information acquisition unit 122, the simple collation unit 123, the detailed information acquisition unit 131, the detailed collation unit 132, and the container image selection unit 150 are provided. , May be realized by firmware.

Each of the processor and the electronic circuit is also called a processing circuit. That is, in the container image verification device 100, the functions of the simple information acquisition unit 121, the vulnerability information acquisition unit 122, the simple collation unit 123, the detailed information acquisition unit 131, the detailed collation unit 132, and the container image selection unit 150 are processing circuits. Is realized by.

*** Explanation of the effect of this embodiment ***
When the container image is added to the local registry, the container image verification device 100 according to the present embodiment verifies in advance whether or not a vulnerable package is included. Then, if there is a vulnerability, it will try to update the package, and if it cannot, it will be prohibited to deploy to the environment published on the Internet. Therefore, according to the container image verification device 100 according to the present embodiment, the safety of the container image used in the container environment can be ensured.

Further, in the container image verification device 100 according to the present embodiment, the vulnerability database is referred to and the presence or absence of the vulnerability is determined on a regular basis. Then, when it is newly discovered that the container image stored in the container image distribution device is vulnerable, it is tried to update each time, and if it is not possible, it is deleted from the distribution target to the public production environment. Therefore, according to the container image verification device 100 according to the present embodiment, the safety of the container image delivered to the production environment is ensured by confirming the presence or absence of vulnerabilities in the package based on the information in the vulnerability information database. be able to. In addition, by acquiring information from the vulnerability database on a regular basis, new vulnerability information can be reflected in the determination of the presence or absence of vulnerabilities.

Further, in the container image verification device 100 according to the present embodiment, first, if a version is obtained, the version is verified, and if the version is not obtained, the update date and time is used for verification. This makes it possible to determine vulnerabilities even if an older version of the package is used.

The effects of the container image verification device 100 according to this embodiment are summarized below.
-The safety of the container image obtained from the public registry can be guaranteed.
-It is possible to ensure the safety of the container image created by the user developer in the development environment.
-By periodically referring to the vulnerability database and making a judgment, verification can be performed based on the latest vulnerability information.
-Not only remove the vulnerable container image from the distribution target, but also try to eliminate the vulnerability by updating.
-By performing the container image verification in two stages, simple verification and detailed verification, the number of container images subject to detailed verification, which consumes a large amount of computational resources, can be reduced and computational resources can be saved.
-Images that are determined to be vulnerable by the verification device can not be distributed to the public production environment, but can be distributed only to the local production environment.

In the above-described first embodiment, each part of the container image verification device has been described as an independent functional block. However, the configuration of the container image verification device does not have to be the configuration as in the above-described embodiment. The functional block of the container image verification device may have any configuration as long as the functions described in the above-described embodiment can be realized. Further, the container image verification device may be a system composed of a plurality of devices instead of one device.
Further, in the first embodiment, a plurality of parts may be combined and carried out. Alternatively, one part of this embodiment may be implemented. In addition, this embodiment may be implemented in any combination as a whole or partially.
That is, in the first embodiment, it is possible to freely combine the respective embodiments, modify any component of each embodiment, or omit any component in each embodiment.

It should be noted that the above-described embodiments are essentially preferred examples and are not intended to limit the scope of the present invention, the scope of the application of the present invention, and the scope of use of the present invention. The above-described embodiment can be variously modified as needed.

30 Internet, 50 Development environment, 70 Firewall, 80 Production environment (public), 90 Production environment (local), 100 Container image verification device, 120 Simple verification unit, 121 Simple information acquisition unit, 123 Simple verification unit, 122 Vulnerability information Acquisition Department, 130 Detailed Verification Department, 131 Detailed Information Acquisition Department, 132 Detailed Verification Department, 150 Container Image Selection Department, 160 Container Image Database, 170 Vulnerability Information, 200 Local Registry, 210 Container Image, 220 Package Management System, 300 Containers Image distribution device, 310 local registry, 320 public registry, 500 container image verification system, 910 processor, 921 memory, 922 auxiliary storage, 930 input interface, 940 output interface, 950 communication device.

Claims (7)

In the container image verification device that verifies the vulnerability of the container image,
A simple information acquisition unit that acquires the container configuration file from the container image database that stores the container configuration file that represents the procedure for generating the container image, and specifies the version of the package included in the container image.
A simple collation unit that performs simple verification to determine the presence or absence of vulnerabilities in the package included in the container image based on the vulnerability information associated with the version of the package included in the container image and the presence or absence of vulnerabilities. ,
A detailed information acquisition unit that executes a container image determined to be vulnerable by the simple verification as a container image subject to detailed verification and acquires package information included in the container image subject to detailed verification.
A container image verification device including a detailed collation unit that performs detailed verification for determining the presence or absence of vulnerabilities in a package included in the detailed verification target container image based on the vulnerability information. The simple information acquisition unit
The container image verification device according to claim 1, wherein a package installation command constituting the generation procedure is extracted from the container configuration file, and the version of the package is specified based on the package installation command in which the version of the package is specified. .. The container image database includes the modification date and time of the container image.
The vulnerability information includes the latest update date.
When the version of the package cannot be specified, the simple collation unit compares the update date and time of the container image included in the container image database with the latest update date and time of the vulnerability information, and the update date and time of the container image. The container image verification device according to claim 1 or 2, wherein it is determined that the package included in the container image is vulnerable when the vulnerability information is subsequently updated. The simple collation unit stores the result of the simple verification in the container image database, and stores the result of the simple verification.
The detailed collation unit stores the result of the detailed verification in the container image database, and stores the result of the detailed verification.
The container image verification device is
Based on the container image database, it is provided with a container image selection unit that determines whether or not the container image determined to be vulnerable can be updated as a vulnerable container image and updates the vulnerable container image if it can be updated. The container image verification device according to any one of claims 1 to 3. The container image selection unit
The container according to claim 4, wherein when it is determined that the vulnerable container image cannot be updated, the vulnerable container image is deleted from the public registry that stores the container image to be distributed to the production environment published on the Internet. Image verification device. In the container image verification method of the container image verification device that verifies the vulnerability of the container image,
The simple information acquisition unit acquires the container configuration file from the container image database in which the container configuration file representing the container image generation procedure is stored, identifies the version of the package included in the container image, and determines the version of the package.
The simple collation unit performs a simple verification to determine the presence or absence of vulnerabilities in the package included in the container image based on the vulnerability information associated with the version of the package included in the container image and the presence or absence of vulnerabilities. Do,
The detailed information acquisition unit executes the container image determined to be vulnerable by the simple verification as the detailed verification target container image, acquires the package information included in the detailed verification target container image, and obtains the package information.
A container image verification method in which a detailed collation unit performs detailed verification for determining the presence or absence of vulnerabilities in a package included in the detailed verification target container image based on the vulnerability information. In the container image verification program of the container image verification device that verifies the vulnerability of the container image,
A simple information acquisition process that acquires the container configuration file from the container image database that stores the container configuration file that represents the procedure for generating the container image and specifies the version of the package included in the container image.
Based on the vulnerability information associated with the version of the package included in the container image and the presence or absence of vulnerabilities, a simple collation process for performing simple verification to determine the presence or absence of vulnerabilities in the package included in the container image. ,
The detailed information acquisition process of executing the container image determined to be vulnerable by the simple verification as the detailed verification target container image and acquiring the package information included in the detailed verification target container image, and
A container image verification program that causes the container image verification device, which is a computer, to perform detailed verification processing that determines the presence or absence of vulnerabilities in the package included in the detailed verification target container image based on the vulnerability information. ..

Images