CN116821917A - Container vulnerability detection method and system - Google Patents

Info

Publication number: CN116821917A
Authority: CN (China)
Prior art keywords: knowledge base, vulnerability, information, component, image
Legal status: Pending
Application number: CN202310702824.2A
Other languages: Chinese (zh)
Inventors: 梁大功, 王博, 罗昌洪, 宋沛东
Current assignee: Suzhou Lengjing Qicai Information Technology Co ltd
Original assignee: Suzhou Lengjing Qicai Information Technology Co ltd
Application filed by Suzhou Lengjing Qicai Information Technology Co ltd
Priority to CN202310702824.2A
Publication of CN116821917A

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application provides a container vulnerability detection method and system in the technical field of network information security. The method comprises: constructing a knowledge base comprising a vulnerability knowledge base, a dependent component knowledge base and an associated knowledge base, and continuously updating the vulnerability knowledge base and the dependent component knowledge base; scanning the image file, analysing the dependency relationships between the image file and the application program, and extracting the information of all operating system software packages and programming language components of the current image; and matching the extracted system software package and programming language component information against the associated knowledge base, detecting vulnerabilities at all levels of the current image, and generating a vulnerability report. By combining the scan with the continuously updated associated knowledge base, vulnerabilities at all levels of the current image can be detected, and detection becomes more efficient and accurate.

Description

Container vulnerability detection method and system
Technical Field
The application relates to the technical field of network information security, and in particular to a method and a system for detecting container vulnerabilities.
Background
Container vulnerability detection techniques emerged with the development of container technologies such as Docker. Their development has passed through the following stages. Initial stage: with the advent of Docker, enterprises and developers began to deploy applications in containers; container security was not yet sufficiently appreciated, and vulnerability detection relied mainly on the conventional methods used for operating systems and applications. Container security awareness stage: as container technology became popular, enterprises and developers began to focus on container security issues, and companies and open source projects dedicated to container security, such as Aqua Security, Clair and Anchore, appeared and began to provide vulnerability scanning and security management for containers. Container security maturity stage: with the wide application of container technology, security requirements kept growing and enterprises demanded more of container vulnerability detection; container security solutions matured and offered more functionality and more efficient detection methods such as static analysis, dynamic analysis and sandboxing. Container security integration stage: with the development of DevOps and cloud native technologies, container security has been integrated into the whole application development and deployment lifecycle; container vulnerability detection is no longer a stand-alone security tool but is tightly integrated with CI/CD pipelines, Kubernetes and similar platforms, so that vulnerability detection and remediation are automated.
Current container vulnerability detection technology is mainly dynamic analysis, that is, security detection of containers while they are running in order to discover potential vulnerabilities and risks. Such methods typically analyse the runtime behaviour, network activity and system calls of the container to identify abnormal behaviour and potential threats. The main advantage of dynamic analysis is that problems occurring at runtime can be detected in real time, helping developers and operations staff to fix vulnerabilities faster. However, current detection techniques still have the following drawbacks:
1. High complexity: dynamic detection requires real-time monitoring of the runtime environment and network behaviour of the containerised application, which increases system complexity, depends on a particular runtime environment, and requires the container to be run for a significant time.
2. High resource consumption: dynamic detection requires real-time analysis of large amounts of data, which consumes substantial computing resources and bandwidth and may reduce system performance.
3. High false positive rate: dynamic detection may flag some normal behaviour as a potential security threat, which imposes additional workload.
4. Insufficient vulnerability detection for application programs: no dependency analysis is performed on the package managers of the various programming languages.
5. Vulnerability data are not updated in a timely manner: the databases are small and stale, only a few vulnerability libraries are consulted at a time, and the latest results from all vulnerability libraries are not received.
6. The number of supported system images is small and does not cover most of the system images common on the market.
Disclosure of Invention
In order to solve these problems, the application aims to provide a container vulnerability detection method and system that make vulnerability detection more efficient and accurate.
To this end, an embodiment of the present application provides a method for detecting container vulnerabilities, the method comprising:
S1: constructing a knowledge base, wherein the knowledge base comprises a vulnerability knowledge base, a dependent component knowledge base and an associated knowledge base, and continuously updating the vulnerability knowledge base and the dependent component knowledge base, specifically comprising the following steps:
obtaining vulnerability information and dependent component information through various release channels and generating an original vulnerability database and an original component database; processing and analysing the vulnerability information in the original vulnerability database and the dependent component information in the original component database respectively to obtain a vulnerability knowledge base and a dependent component knowledge base; and associating and integrating the vulnerability knowledge base and the dependent component knowledge base to form an associated knowledge base;
S2: scanning the image file, analysing the dependency relationships between the image file and the application program, and extracting the information of all operating system software packages and programming language components of the current image;
S3: matching the extracted system software package and programming language component information against the associated knowledge base, detecting vulnerabilities at all levels of the current image, and generating a vulnerability report.
Preferably, obtaining vulnerability information and dependent component information through various release channels and generating the original vulnerability database and the original component database comprises the following steps:
collecting data from various authoritative release channels using distributed crawler technology, anti-crawler bypass and update strategies, wherein the collected data comprise, for vulnerabilities, the CVE number, description, score, release time, update time, solution, status, affected components and versions, and reference links, and, for the components of the various programming languages, the name, version, dependency relationships, source and licence; importing basic information for specific components and vulnerabilities manually, or importing the data manually when no Internet connection is available; and finally generating the original vulnerability database and the original component database.
Preferably, the release channels comprise the NVD platform, the CNNVD platform and the CVE platform.
Preferably, continuously updating the vulnerability knowledge base and the dependent component knowledge base comprises the following:
the continuous updating of the vulnerability knowledge base and the dependent component knowledge base is carried out on the basis of the Scrapy crawler framework with secondary development and optimisation; the crawlers are managed with Gerapy, and a Docker daily scheduled task continuously updates the information of millions of open source projects, component information and vulnerability information of all kinds.
Preferably, scanning the image file and analysing the dependency relationships between the image file and the application program to extract the information of all operating system software packages and programming language components of the current image comprises:
S21: scanning the image file and analysing the image layer by layer;
S22: extracting operating system information and the software package information of the operating system;
S23: performing application dependency analysis and binary file analysis;
S24: obtaining the information of all system software packages and programming language components of the current image from the analysis results.
Preferably, the application dependency analysis and binary file analysis are performed as follows:
determining the operating system type from the extracted operating system information, locating the package manager database file of the operating system, and calling the parser developed for that package manager file to obtain the operating system software package information; traversing all files, determining whether a file is the dependency management file of some programming language, and calling the parser developed for that dependency management file to obtain the programming language component information in the image file; and traversing all files, determining whether a file is a binary component file, and calling the parser developed for binary component files to obtain all binary component information in the image file.
Preferably, the operating system types comprise Alpine Linux, Debian Linux, Red Hat Enterprise Linux, Arch Linux and Ubuntu.
Preferably, the application dependency analysis supports more than twenty programming languages, including JavaScript, Java and Python, and more than thirty package managers, including npm, Maven and sbt.
Preferably, the binary file analysis supports binary files in ELF format and binary files in PE format.
An embodiment of the application also provides a system for detecting container vulnerabilities, comprising:
a knowledge base construction module for constructing a knowledge base, wherein the knowledge base comprises a vulnerability knowledge base, a dependent component knowledge base and an associated knowledge base, and for continuously updating the vulnerability knowledge base and the dependent component knowledge base, specifically comprising:
obtaining vulnerability information and dependent component information through various release channels and generating an original vulnerability database and an original component database; processing and analysing the vulnerability information in the original vulnerability database and the dependent component information in the original component database respectively to obtain a vulnerability knowledge base and a dependent component knowledge base; and associating and integrating the vulnerability knowledge base and the dependent component knowledge base to form an associated knowledge base;
an analysis module for scanning the image file, analysing the dependency relationships between the image file and the application program, and extracting the information of all system software packages and programming language components of the current image;
and a vulnerability report generation module for matching the extracted system software package and programming language component information against the associated knowledge base, detecting vulnerabilities at all levels of the current image and generating a vulnerability report.
From the above technical scheme, the application has the following advantages:
(1) By scanning the container image, security vulnerabilities in it are identified and reported, helping developers and operations staff to ensure the security of the container.
(2) Detection is supported for a variety of images, including images based on Alpine Linux, Debian Linux, Red Hat Enterprise Linux, Arch Linux and Ubuntu, meeting the requirements of different scenarios.
(3) Static analysis of the image consumes few resources and does not raise the false alarms that come from monitoring runtime behaviour.
(4) When scanning a container image, the dependencies used by applications can also be scanned, covering the package management tools of the various programming languages (e.g. npm, Yarn, Pipenv, etc.).
(5) The latest vulnerabilities disclosed by authoritative websites, together with the affected libraries, components and packages, are periodically crawled and stored in the database; during a scan, only the vulnerability information associated with the discovered system software packages and programming language components needs to be accessed, saving time and bandwidth.
Drawings
For a clearer description of the embodiments of the application or of prior-art solutions, reference is made to the accompanying drawings, which are used in the examples to give a clearer understanding of the characteristics and advantages of the application by way of illustration and are not to be interpreted as limiting the application in any way; a person skilled in the art can obtain other figures from them without inventive effort. In the drawings:
FIG. 1 is a flow chart of a method of container vulnerability detection provided in accordance with an embodiment;
FIG. 2 is a flow chart of knowledge base construction in an embodiment;
FIG. 3 is a flow chart of the collection of vulnerability information and dependent component information in an embodiment;
FIG. 4 is a flowchart of the cleaning and association of vulnerability information and dependent component information in an embodiment;
FIG. 5 is a diagram illustrating the unpacking of an image tar package according to an embodiment;
FIG. 6 is a base layer directory diagram in an embodiment;
FIG. 7 is a directory diagram of the layer above the base layer in an embodiment;
FIG. 8 is a block diagram of a container vulnerability detection system provided in accordance with an embodiment.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Example 1
As shown in fig. 1, an embodiment of the present application provides a method for detecting container vulnerabilities, comprising:
S1: constructing a knowledge base, wherein the knowledge base comprises a vulnerability knowledge base, a dependent component knowledge base and an associated knowledge base, and continuously updating the vulnerability knowledge base and the dependent component knowledge base;
S2: scanning the image file, analysing the dependency relationships between the image file and the application program, and extracting the information of all system software packages and programming language components of the current image;
S3: matching the extracted system software package and programming language component information against the associated knowledge base, detecting vulnerabilities at all levels of the current image, and generating a vulnerability report.
The application provides a container vulnerability detection method in which a knowledge base comprising a vulnerability knowledge base, a dependent component knowledge base and an associated knowledge base is constructed; the latest vulnerabilities disclosed by the major authoritative websites, together with the affected system software packages and programming language components, are periodically crawled and stored in the database, so that during a scan only the vulnerability information associated with the discovered system software packages and programming language components needs to be accessed, saving time and bandwidth. The image file is scanned and the dependency relationships between the image file and the application program are analysed to obtain the information of all system software packages and programming language components of the current image. During the analysis, operating system packages are analysed, with common operating systems such as Alpine Linux, Debian Linux and Ubuntu supported; application runtime dependency analysis supports twenty-odd programming languages and thirty-odd package manager file formats; and binary analysis supports ELF format (e.g. Linux executables) and PE format (e.g. Windows executables). The extracted system software package and programming language component information is matched against the continuously updated associated knowledge base, so that vulnerabilities at all levels of the current image can be detected, and finally a vulnerability report is generated, making vulnerability detection more efficient and accurate.
Further, in step S1, a knowledge base is constructed, the knowledge base comprising a vulnerability knowledge base, a dependent component knowledge base and an associated knowledge base, and the vulnerability knowledge base and the dependent component knowledge base are continuously updated.
Specifically, vulnerability information and dependent component information are obtained through various release channels, and an original vulnerability database and an original component database are generated; the vulnerability information in the original vulnerability database and the dependent component information in the original component database are processed and analysed respectively to obtain a vulnerability knowledge base and a dependent component knowledge base; and the vulnerability knowledge base and the dependent component knowledge base are associated and integrated to form an associated knowledge base, as shown in fig. 2.
The vulnerability information and dependent component information are obtained, and the original vulnerability database and original component database generated, as follows: data are collected from various authoritative release channels (using distributed crawler technology, anti-crawler bypass and update strategies), wherein the collected data comprise the CVE number, description, score, release time, update time, solution, status, affected components and versions, reference links and so on of the vulnerabilities, and the name, version, dependency relationships, source, licence and so on of the components; basic information for specific components and vulnerabilities is imported manually, or the data are imported manually when no Internet connection is available; the original vulnerability database and the original component database are finally generated, as shown in fig. 3.
The obtained vulnerability information and dependent component information are processed and analysed, the basic information, cleaning results and so on are stored and managed by category, and the vulnerability knowledge base and the component knowledge base are associated and integrated to form the associated knowledge base, as shown in fig. 4.
In addition, the application continuously updates the vulnerability knowledge base and the dependent component knowledge base: secondary development and optimisation are carried out on the basis of the Scrapy crawler framework, the crawlers are managed with Gerapy, and a Docker daily scheduled task continuously updates the information of millions of open source projects worldwide, component information and vulnerability information of all kinds.
Further, in step S2, the image file is scanned and the dependency relationships between the image file and the application program are analysed, so as to extract the information of all system software packages and programming language components of the current image.
To explain image analysis more clearly, the terms are defined below. An image is a special file system that, besides the programs, libraries, resources and configuration files needed at container runtime, also contains configuration parameters prepared for the runtime (e.g. anonymous volumes, environment variables, users, etc.). An image contains no dynamic data, and its content does not change after it is built. The relationship between a container and an image is like that between an instance and a class in programming: the image is a static definition, and the container is the entity that exists when the image is run. A container is a stand-alone operating environment in which software can run. Containers can be started, stopped and deleted, and are isolated from each other; they do not affect each other or the host system. Through containers, software can be deployed and operated efficiently and flexibly.
In static analysis, analysing the container means analysing the image file. The OCI (Open Container Initiative) specification is a de facto container standard that has been adopted by most container implementations and orchestration systems, including Docker and Kubernetes. The image specification defines how to create an OCI-compliant image: it specifies the content and format that an image build system must export, and the exported container image can be unpacked into a runtime bundle, a directory with a specific file and directory structure from which a container can be run according to the runtime specification.
The OCI image specification requires the image content to include the following three parts:
Image manifest: provides the image configuration and the locations of the file system layers; it can be regarded as the image's table of contents, and its file format is JSON.
Image layer filesystem changeset: a serialised file system, or the changes to a file system, which are applied in order, layer by layer, to form the container's rootfs; these are therefore also commonly called layers (synonymous with the image layers mentioned below), and the file format may be a compressed format such as tar or gzip.
Image configuration: a JSON file containing the execution parameters the image uses at runtime and the ordered rootfs change information. The rootfs (root filesystem) is the file system mounted at the root mount point; it consists of the files, configuration and directories of an operating system, but does not include the operating system kernel.
As shown in fig. 5, in an example of unpacking an image tar package, the layer tar packages listed in the Layers field of the manifest together form the rootfs used to generate the container. The container image is built in layers; the order of the elements in Layers is the order in which the image layers are superimposed, and all layers form a stack superimposed from bottom to top. The content of the base layer, i.e. the first recorded layer, is a complete rootfs, as shown in fig. 6. The resulting file system of the layer above it is then observed, as shown in fig. 7.
The above shows that the image build process is incremental: each layer contains only the file content changed relative to the layer below it, which is why container images are kept small.
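The layer superposition described above, as an added example that is not part of the patent: the code builds a small docker-save style tarball (a manifest.json with a Layers list, as in fig. 5) in memory from constructed sample data, then applies each layer tar bottom to top. The whiteout conventions (".wh.<name>" deletes a lower-layer file, ".wh..wh..opq" makes a directory opaque) are those of the OCI image specification; the layer names, file contents and package records in the sample are assumptions made for the example.

```python
"""Apply the layers of a docker-save style image tarball in manifest order."""
import io
import json
import tarfile

WHITEOUT_PREFIX = ".wh."
OPAQUE_WHITEOUT = ".wh..wh..opq"


def _tar_bytes(entries):
    """Build an uncompressed tar archive in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, data in entries.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed sample: base layer installs musl and zlib, upper layer removes zlib."""
    base = _tar_bytes({
        "etc/os-release": b'ID=alpine\nVERSION_ID="3.12.0"\n',
        "lib/apk/db/installed": b"P:musl\nV:1.1.24-r2\n\nP:zlib\nV:1.2.11-r3\n",
        "lib/libz.so.1": b"ELF stub",
        "usr/share/doc/zlib/README": b"zlib docs",
    })
    upper = _tar_bytes({
        "lib/apk/db/installed": b"P:musl\nV:1.1.24-r2\n",  # zlib uninstalled
        "lib/.wh.libz.so.1": b"",                           # file whiteout
        "usr/share/doc/zlib/.wh..wh..opq": b"",             # opaque directory
        "app/requirements.txt": b"requests==2.25.1\n",
    })
    manifest = [{"Config": "config.json", "RepoTags": ["sample:latest"],
                 "Layers": ["base/layer.tar", "upper/layer.tar"]}]
    return _tar_bytes({
        "manifest.json": json.dumps(manifest).encode(),
        "config.json": b"{}",
        "base/layer.tar": base,
        "upper/layer.tar": upper,
    })


def _clean(name):
    """Normalise a tar member name and reject traversal out of the rootfs."""
    path = name[2:] if name.startswith("./") else name
    path = path.lstrip("/")
    if ".." in path.split("/"):
        raise ValueError(f"refusing path traversal entry: {name!r}")
    return path


def _apply_layer(rootfs, layer_bytes):
    """Overlay one layer tar onto rootfs ({path: content}) in place."""
    with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
        members = layer.getmembers()
        # Whiteouts only affect lower layers, so apply them before adding this
        # layer's own files: a sibling created in the same layer must survive.
        for m in members:
            parent, _, base = _clean(m.name).rpartition("/")
            prefix = parent + "/" if parent else ""
            if base == OPAQUE_WHITEOUT:
                doomed = [p for p in rootfs if p.startswith(prefix)]
            elif base.startswith(WHITEOUT_PREFIX):
                target = prefix + base[len(WHITEOUT_PREFIX):]
                doomed = [p for p in rootfs if p == target or p.startswith(target + "/")]
            else:
                continue
            for p in doomed:
                del rootfs[p]
        for m in members:
            path = _clean(m.name)
            if m.isfile() and not path.rpartition("/")[2].startswith(WHITEOUT_PREFIX):
                rootfs[path] = layer.extractfile(m).read()


def merged_rootfs(image_tar):
    """Return {path: content} of the final rootfs after applying all layers."""
    rootfs = {}
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:  # listed bottom to top
            _apply_layer(rootfs, outer.extractfile(layer_name).read())
    return rootfs


def union_of_layers(image_tar):
    """Naive alternative: every file seen in any layer, whiteouts not applied."""
    seen = set()
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as outer:
        for layer_name in json.load(outer.extractfile("manifest.json"))[0]["Layers"]:
            with tarfile.open(fileobj=io.BytesIO(outer.extractfile(layer_name).read())) as layer:
                for m in layer.getmembers():
                    path = _clean(m.name)
                    if m.isfile() and not path.rpartition("/")[2].startswith(WHITEOUT_PREFIX):
                        seen.add(path)
    return seen
```

The difference between merged_rootfs and union_of_layers is the practical point: a scanner that simply unions the layers (or scans each layer in isolation) reports libz.so.1 and the zlib package record, although the final image no longer contains them, which is the false-positive class that layer-by-layer analysis must avoid. The traversal check in _clean exists because the image tarball is untrusted input to the scanner; a member named ../etc/passwd must never be written outside the extraction root.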
Specifically, scanning the image file, analysing the dependency relationships between the image file and the application program, and extracting the information of all system software packages and programming language components of the current image comprises the following steps:
S21: scanning the image file and analysing the image layer by layer;
S22: extracting operating system information and the software package information of the operating system;
S23: determining the operating system type from the extracted operating system information, locating the package manager database file of the operating system, and calling the parser developed for that package manager file to obtain the operating system software package information; traversing all files, determining whether a file is the dependency management file of some programming language, and calling the parser developed for that dependency management file to obtain the programming language component information in the image file; and traversing all files, determining whether a file is a binary component file, and calling the parser developed for binary component files to obtain all binary component information in the image file;
S24: obtaining the information of all system software packages and programming language components of the current image from the analysis results.
Specifically, image layer analysis: a container image consists of multiple layers, each layer being an increment of, or a set of changes to, the previous layer; the program analyses the image layer by layer.
Extracting operating system information: the program identifies the underlying operating system of the image, such as Alpine Linux, Debian Linux, Ubuntu, etc.
Extracting software package information: according to the operating system type determined in the previous step, the installed software packages and their version information are extracted from the container image. For example, for an Alpine Linux-based system, the program parses the lib/apk/db/installed file.
An example of an installed file is as follows:
C:Q1yyMWoYnr7lKCxKm9mHlMwkd6dMY=
P:musl
V:1.1.24-r2
A:x86_64
S:377123
I:614400
T:the musl c library (libc) implementation
U:https://musl.libc.org/
L:MIT
o:musl
m:<timo.teras@iki.fi>
t:1584790550
c:4024cc3b29ad4c65544ad068b8f59172b5494306
p:so:libc.musl-x86_64.so.1=1
F:lib
R:libc.musl-x86_64.so.1
a:0:0:777
Z:Q17yJ3JFNypA4mxhJJr0ou6CzsJVI=
R:ld-musl-x86_64.so.1
a:0:0:755
Z:Q19mQZaYKY6yTQWQm0hkvsrh39O7Y=
According to the official Alpine documentation, line P is the name of the package and line V is its version. The file is traversed line by line, the package name is extracted first and then the package version, and the installed dependency items are obtained accordingly.
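A parser for the installed database in the format shown above, as an added example and not the patent's own parser. The sample input is the musl record from the page plus a constructed second record for zlib; the field meanings used (P name, V version, A architecture, L licence, o origin, D depends, p provides, F directory, R file in that directory) are those of the Alpine apk database format, and the dataclass and function names are choices made for this example.

```python
"""Parser for Alpine's apk package database (lib/apk/db/installed)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator

# Constructed sample: the musl record shown above plus a short second record.
SAMPLE_INSTALLED = """\
C:Q1yyMWoYnr7lKCxKm9mHlMwkd6dMY=
P:musl
V:1.1.24-r2
A:x86_64
S:377123
I:614400
T:the musl c library (libc) implementation
U:https://musl.libc.org/
L:MIT
o:musl
m:<timo.teras@iki.fi>
t:1584790550
c:4024cc3b29ad4c65544ad068b8f59172b5494306
p:so:libc.musl-x86_64.so.1=1
F:lib
R:libc.musl-x86_64.so.1
a:0:0:777
Z:Q17yJ3JFNypA4mxhJJr0ou6CzsJVI=
R:ld-musl-x86_64.so.1
a:0:0:755
Z:Q19mQZaYKY6yTQWQm0hkvsrh39O7Y=

P:zlib
V:1.2.11-r3
A:x86_64
L:Zlib
o:zlib
D:so:libc.musl-x86_64.so.1
p:so:libz.so.1=1.2.11
F:lib
R:libz.so.1
"""


@dataclass
class ApkPackage:
    name: str
    version: str
    arch: str = ""
    license: str = ""
    origin: str = ""
    depends: list[str] = field(default_factory=list)
    provides: list[str] = field(default_factory=list)
    files: list[str] = field(default_factory=list)


def _records(text: str) -> Iterator[dict[str, list[str]]]:
    """Yield one {key: [values]} dict per blank-line separated record.

    F/R lines are folded into a "_files" list so each R keeps the directory
    context set by the preceding F; every other key may repeat and is kept in order.
    """
    rec: dict[str, list[str]] = {}
    cur_dir = ""
    for line in text.splitlines():
        if not line.strip():
            if rec:
                yield rec
            rec, cur_dir = {}, ""
            continue
        if len(line) < 2 or line[1] != ":":
            continue  # malformed line: skip it rather than abort the whole scan
        key, value = line[0], line[2:]
        if key == "F":
            cur_dir = value
        elif key == "R":
            rec.setdefault("_files", []).append(f"{cur_dir}/{value}" if cur_dir else value)
        else:
            rec.setdefault(key, []).append(value)
    if rec:
        yield rec


def parse_apk_installed(text: str) -> list[ApkPackage]:
    """Return the installed packages; records without a name or version are dropped."""
    packages = []
    for rec in _records(text):
        if "P" not in rec or "V" not in rec:
            continue
        packages.append(ApkPackage(
            name=rec["P"][0],
            version=rec["V"][0],
            arch=rec.get("A", [""])[0],
            license=rec.get("L", [""])[0],
            origin=rec.get("o", [""])[0],
            depends=" ".join(rec.get("D", [])).split(),
            provides=" ".join(rec.get("p", [])).split(),
            files=rec.get("_files", []),
        ))
    return packages
```

Keeping the provides (p) entries and the file list next to the name and version is what later lets a scanner tie a shared library found on disk, or a binary's dynamic dependency, back to the package that owns it; a parser that stops after P and V loses that association.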
Application dependency analysis: in addition to detecting the packages installed by the operating system, the program can also detect the dependencies used by the application. Supported languages include JavaScript, Java, Python and others, together with the thirty-odd package managers corresponding to them. The program parses the corresponding dependency manager file, such as package.json, pom.xml, requirements.txt, etc.
Binary file analysis: the program supports parsing binary files in ELF format (such as Linux executables) and PE format (such as Windows executables) and detecting the libraries and components used in these binary files.
Further, in step S3, the extracted system software package and programming language component information is matched against the associated knowledge base to detect vulnerabilities at all levels of the current image and generate a vulnerability report.
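The matching step S3, as an added example that is not the patent's implementation. The associated knowledge base here is constructed with placeholder identifiers (KB-000n), not real advisories, and each record is keyed by ecosystem and package name with an affected range [introduced, fixed); the version comparator is a deliberate simplification, and the component list stands in for what step S2 would extract. In practice the associated knowledge base must carry the distribution's own fixed versions: an Alpine -rN or Debian backport may fix a CVE at a version that the upstream CVE range still lists as affected, so matching distro packages against upstream ranges alone produces false positives.

```python
"""Match extracted components against an associated knowledge base (step S3)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Component:
    ecosystem: str  # "alpine", "pypi", "npm", ...
    name: str
    version: str


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str
    ecosystem: str
    name: str
    introduced: str        # first affected version; "0" = from the beginning
    fixed: Optional[str]   # first fixed version; None = no fix published
    severity: str


# Constructed associated knowledge base (placeholder ids, not real advisories).
KNOWLEDGE_BASE = [
    VulnRecord("KB-0001", "alpine", "musl", "0", "1.1.24-r3", "HIGH"),
    VulnRecord("KB-0002", "alpine", "zlib", "0", "1.2.11-r4", "MEDIUM"),
    VulnRecord("KB-0003", "pypi", "requests", "2.3.0", "2.31.0", "MEDIUM"),
    VulnRecord("KB-0004", "npm", "lodash", "0", None, "LOW"),
]

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def version_key(version: str) -> tuple:
    """Approximate ordering key: numeric runs compare as ints, letters as strings.

    Enough for "1.1.24-r2" < "1.1.24-r3" and "2.25.1" < "2.31.0". A real scanner
    needs the ecosystem's own comparator (apk, dpkg, rpm, PEP 440, semver): epochs,
    "~" suffixes and pre-release tags all break this simplification.
    """
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", version))


def is_affected(component: Component, rec: VulnRecord) -> bool:
    """True when the component falls inside the record's [introduced, fixed) range."""
    if (component.ecosystem, component.name) != (rec.ecosystem, rec.name):
        return False
    v = version_key(component.version)
    if v < version_key(rec.introduced):
        return False
    return rec.fixed is None or v < version_key(rec.fixed)


def match_components(components, kb=KNOWLEDGE_BASE):
    """Return (component, record) pairs for every affected component.

    The knowledge base is indexed by (ecosystem, name) so only the records tied
    to components actually found in the image are consulted.
    """
    index = {}
    for rec in kb:
        index.setdefault((rec.ecosystem, rec.name), []).append(rec)
    findings = []
    for comp in components:
        for rec in index.get((comp.ecosystem, comp.name), []):
            if is_affected(comp, rec):
                findings.append((comp, rec))
    return findings


def report_lines(findings):
    """One report line per finding, most severe first."""
    ordered = sorted(findings, key=lambda f: (SEVERITY_ORDER.get(f[1].severity, 9), f[0].name))
    return [f"{rec.vuln_id} {rec.severity} {comp.ecosystem}/{comp.name}@{comp.version} "
            f"fixed in {rec.fixed or 'no fix yet'}" for comp, rec in ordered]


# Constructed scan result, standing in for what step S2 extracts from an image.
SAMPLE_COMPONENTS = [
    Component("alpine", "musl", "1.1.24-r2"),
    Component("alpine", "zlib", "1.2.11-r4"),   # already at the fixed version
    Component("pypi", "requests", "2.25.1"),
    Component("pypi", "requests", "2.2.0"),     # older than the introduced version
    Component("npm", "lodash", "4.17.21"),
]

if __name__ == "__main__":
    print("\n".join(report_lines(match_components(SAMPLE_COMPONENTS))))
```

Running the block prints three findings: musl (below the fixed -r3 release), requests 2.25.1 (inside the range) and lodash (no fix recorded); zlib at exactly the fixed version and requests 2.2.0 below the introduced version are correctly left out, which is the boundary behaviour a version-range matcher must get right.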
Example two
As shown in fig. 8, the present application provides a container vulnerability-based detection system, comprising:
the knowledge base construction module 10 is configured to construct a knowledge base, where the knowledge base includes a vulnerability knowledge base, a dependent component knowledge base, and an associated knowledge base, and continuously updates the vulnerability knowledge base and the dependent component knowledge base, and specifically includes:
obtaining vulnerability information and dependency component information through various release channels, and generating an original vulnerability database and an original component database; respectively processing and analyzing the vulnerability information in the original vulnerability database and the dependent component information in the original component database to obtain a vulnerability knowledge base and a dependent component knowledge base; performing association integration on the vulnerability knowledge base and the dependent component knowledge base to form an association knowledge base;
the analysis module 20 is used for scanning the mirror image file, analyzing the dependency relationship between the mirror image file and the application program, and extracting the information of all the system software packages and the components of the programming language of the current mirror image;
the vulnerability report generation module 30 is configured to match the extracted information of the components of the system software package and the programming language with the associated knowledge base, detect vulnerabilities of all levels of the current mirror image, and generate a vulnerability report.
The system is used for implementing the above-mentioned container vulnerability detection method, and in order to avoid redundancy, the description is omitted here.
Note that the above is only a preferred embodiment of the present application and the technical principle applied. It will be understood by those skilled in the art that the present application is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the application. Therefore, while the application has been described in connection with the above embodiments, the application is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the application, which is set forth in the following claims.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks. These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It is apparent that the above examples are given by way of illustration only and are not limiting of the embodiments. Other variations and modifications of the present application will be apparent to those of ordinary skill in the art in light of the foregoing description. It is not necessary here nor is it exhaustive of all embodiments. And obvious variations or modifications thereof are contemplated as falling within the scope of the present application.

Claims (10)

1. A method for detecting container vulnerabilities, comprising:
s1: constructing a knowledge base, wherein the knowledge base comprises a vulnerability knowledge base, a dependent component knowledge base and an associated knowledge base, and continuously updating the vulnerability knowledge base and the dependent component knowledge base, and specifically comprises the following steps:
obtaining vulnerability information and dependency component information through various release channels, and generating an original vulnerability database and an original component database; respectively processing and analyzing the vulnerability information in the original vulnerability database and the dependent component information in the original component database to obtain a vulnerability knowledge base and a dependent component knowledge base; performing association integration on the vulnerability knowledge base and the dependent component knowledge base to form an association knowledge base;
s2: scanning the mirror image file, analyzing the dependency relationship between the mirror image file and the application program, and extracting the information of all system software packages and components of the programming language of the current mirror image;
s3: and matching the extracted information of the components of the system software package and the programming language with the associated knowledge base, detecting vulnerabilities of all levels of the current mirror image, and generating a vulnerability report.
2. The method for detecting container vulnerabilities of claim 1, wherein the method for obtaining vulnerabilities information and dependent component information through a plurality of distribution channels, generating an original vulnerabilities database and an original component database, comprises:
collecting data information from various authoritative release channels by adopting a distributed crawler technology with anti-crawler bypass and update strategies, wherein the collected data information comprises, for vulnerabilities, the CVE number, description, score, release time, update time, solution, state, affected components and versions, and reference links, and, for the components of the various programming languages, the name, version, dependency relationships, source and license; importing basic information for specific components and vulnerabilities manually, or importing the data information manually when no Internet connection is available; and finally generating an original vulnerability database and an original component database.
3. The container vulnerability detection method of claim 1, wherein the distribution channels comprise the NVD platform, the CNNVD platform and the CVE platform.
4. The method of claim 1, wherein the method of continuously updating the vulnerability knowledge base and the dependent component knowledge base comprises:
the continuous updating of the vulnerability knowledge base and the dependent component knowledge base is carried out on the basis of the Scrapy crawler framework with secondary development and optimization, the crawlers are managed using Gerapy, and a Docker daily scheduled task continuously updates the information of millions of open source projects, component information and various vulnerability information.
5. The method for detecting container vulnerabilities according to claim 1, wherein the method for scanning the image file and resolving the dependency relationship between the image file and the application program to extract component information of all operating system packages and programming languages of the current image comprises:
s21: scanning the mirror image file, and analyzing the mirror image layer by layer;
s22: extracting operating system information and software package information of an operating system;
s23: performing application dependency analysis and binary file analysis;
s24: and obtaining the information of all the operating system software packages and the components of the programming language of the current mirror image according to the analysis result.
6. The method for detecting container vulnerabilities of claim 5, wherein the method for performing application dependency parsing and binary file parsing comprises:
judging the type of the operating system according to the extracted operating system information, finding the position of an operating system software package manager file, and calling an analysis program developed for the software package manager file to obtain the software package information of the operating system; traversing all files, judging whether the files meet the dependency management files of a certain programming language, and calling an analysis program developed for the dependency management files to obtain information of components of the programming language in the mirror image files; traversing all files, judging whether the files are binary component files, and calling an analysis program developed for the binary component files to obtain all binary component information in the image file.
7. The method of claim 6, wherein the operating system type comprises Alpine Linux, Debian Linux, Red Hat Enterprise Linux, Arch Linux and Ubuntu.
8. The container vulnerability detection method of claim 6, wherein the application dependency parsing supports more than twenty programming languages, including JavaScript, Java and Python, and more than thirty package managers, including npm, Maven and sbt.
9. The method of claim 6, wherein the binary file parsing supports an ELF format binary file and a PE format binary file.
10. A container vulnerability detection system, comprising:
the knowledge base construction module is used for constructing a knowledge base, wherein the knowledge base comprises a vulnerability knowledge base, a dependent component knowledge base and an associated knowledge base, and continuously updates the vulnerability knowledge base and the dependent component knowledge base, and specifically comprises the following steps:
obtaining vulnerability information and dependency component information through various release channels, and generating an original vulnerability database and an original component database; respectively processing and analyzing the vulnerability information in the original vulnerability database and the dependent component information in the original component database to obtain a vulnerability knowledge base and a dependent component knowledge base; performing association integration on the vulnerability knowledge base and the dependent component knowledge base to form an association knowledge base;
the analysis module is used for scanning the mirror image file, analyzing the dependency relationship between the mirror image file and the application program, and extracting the information of all system software packages and components of the programming language of the current mirror image;
and the vulnerability report generation module is used for matching the extracted information of the components of the system software package and the programming language with the associated knowledge base, detecting vulnerabilities of all levels of the current mirror image and generating a vulnerability report.
CN202310702824.2A 2023-06-14 2023-06-14 Container vulnerability detection method and system Pending CN116821917A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310702824.2A CN116821917A (en) 2023-06-14 2023-06-14 Container vulnerability detection method and system

Publications (1)

Publication Number Publication Date
CN116821917A true CN116821917A (en) 2023-09-29

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117608765A (en) * 2024-01-24 2024-02-27 南京中孚信息技术有限公司 Safety reinforcement method, device and medium of Docker container
CN117608765B (en) * 2024-01-24 2024-04-09 南京中孚信息技术有限公司 Safety reinforcement method, device and medium of Docker container

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination