One challenge everyone working with containers has experienced is worrying about common vulnerabilities and exposures (CVEs) putting your apps and services at risk of attack. The obvious solution is to scan your containers, but when you start scanning containers with a vulnerability scanner, what you get is a ton of information. Every version of every container — except maybe the container you just built 10 minutes ago — is riddled with known CVEs.
Making sense of how to prioritize vulnerabilities is really difficult. Of course, the first thing you do is sort by severity and focus on the critical and high vulnerabilities. But now you have a new problem: how do you patch these critical and high risk vulns? Do you know what introduced that vulnerability into your codebase? Was it the base operating system, or a package that got installed, or is it a library in the code that you’re running?
Oftentimes, you can patch a whole bunch of known CVEs by just updating the base image (or the FROM statement) of your container. However, you don't know how many vulnerabilities will be patched. You don’t even know if there's a new version of your base image available! Without access to the source code of the container, it may not be possible for you to determine this necessary information.
I’m excited to release Fairwinds Base Image Finder (affectionately called BIF), which is an open source utility that you can use to detect which of many popular base images was used to build the container. You can also see if there's a new version of the container available that includes patches for any of the CVEs in the original container. BIF offers you upgrade recommendations for base images that are newer and less vulnerable, so you can choose the version that makes the most sense for your deployment. You don't even need to see the Dockerfile to make a decision. The BIF API provides access to a continuously updated database of base image and CVE information — use of the API is free up to 1000 uses per month.
You can install Base Image Finder right now or keep reading to learn more.
To start using BIF, you need to request an API token. You can do this via the command line interface (CLI):
bif request-token
# Follow the prompt to enter your email address
You’ll receive your token via email. To automatically have BIF use this token, export it as INSIGHTS_OSS_TOKEN in your environment.
There are two ways to use BIF to find your base images.
The first is to extract the image's layer digests with Skopeo (piped through jq) and pass them to bif find --image-layers, like this:
bif find --image-layers $(skopeo inspect docker://us-docker.pkg.dev/fairwinds-ops/oss/polaris:7.0.0 | jq -rc '.Layers[]')
Input: [sha256:2408cc74d12b6cd092bb8b516ba7d5e290f485d3eb9672efc00f0583730179e8]
BASE IMAGE | LAST SCAN | CVE | SEVERITY | CVSS | FIXED IN
----------------+------------+----------------+----------+------+-----------------
alpine:3.16.0 | 2023-02-28 | CVE-2022-2097 | MEDIUM | 5.30 | 3.17.3, 3.16.5
| | CVE-2022-30065 | HIGH | 7.80 | 3.17.3, 3.16.5
| | CVE-2022-37434 | CRITICAL | 9.80 | 3.17.3, 3.16.5
| | CVE-2022-4304 | MEDIUM | 5.90 | 3.17.3, 3.16.5
| | CVE-2022-4450 | HIGH | 7.50 | 3.17.3, 3.16.5
| | CVE-2023-0215 | HIGH | 7.50 | 3.17.3, 3.16.5
| | CVE-2023-0286 | HIGH | 7.40 | 3.17.3, 3.16.5
The second is to pass the image reference itself with --image. In both examples we use Polaris, our open source policy engine for Kubernetes. Your results will look something like the below (depending on when you run it and the version number).
bif find --image us-docker.pkg.dev/fairwinds-ops/oss/polaris:7.0.0
Input: us-docker.pkg.dev/fairwinds-ops/oss/polaris 7.0.0
BASE IMAGE | LAST SCAN | CVE | SEVERITY | CVSS | FIXED IN
----------------+------------+----------------+----------+------+-----------------
alpine:3.16.0 | 2023-02-28 | CVE-2022-2097 | MEDIUM | 5.30 | 3.17.3, 3.16.5
| | CVE-2022-30065 | HIGH | 7.80 | 3.17.3, 3.16.5
| | CVE-2022-37434 | CRITICAL | 9.80 | 3.17.3, 3.16.5
| | CVE-2022-4304 | MEDIUM | 5.90 | 3.17.3, 3.16.5
| | CVE-2022-4450 | HIGH | 7.50 | 3.17.3, 3.16.5
| | CVE-2023-0215 | HIGH | 7.50 | 3.17.3, 3.16.5
| | CVE-2023-0286 | HIGH | 7.40 | 3.17.3, 3.16.5
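Once you have this table, the practical question is which FIXED IN version to move to: the smallest bump that stays on your current major.minor line, or the newest release that clears everything. The script below is an added example written for this post; it is not part of BIF or any Fairwinds project. It assumes only that bif find prints its table to stdout in the layout shown above (columns separated by |, with the base image cell blank on continuation rows). The parsing functions run offline on the constructed sample, which is the Polaris 7.0.0 output copied from above; the two live front-end functions need bif, skopeo and jq installed and are not exercised here.

```shell
#!/bin/sh
# Added example (not part of BIF or the Fairwinds post): triage helpers for the
# table that `bif find` prints. Assumption: the column layout shown in the post,
# "BASE IMAGE | LAST SCAN | CVE | SEVERITY | CVSS | FIXED IN".

# Live front-ends (require bif, skopeo and jq; not run by the demo below).
bif_scan_image() {  # $1 = image reference
  bif find --image "$1"
}
bif_scan_layers() { # $1 = image reference; layer digests via skopeo + jq, as in the post
  bif find --image-layers $(skopeo inspect "docker://$1" | jq -rc '.Layers[]')
}

# Constructed sample: the Polaris 7.0.0 output from the post, saved as text.
BIF_SAMPLE='Input: us-docker.pkg.dev/fairwinds-ops/oss/polaris 7.0.0
BASE IMAGE | LAST SCAN | CVE | SEVERITY | CVSS | FIXED IN
----------------+------------+----------------+----------+------+-----------------
alpine:3.16.0 | 2023-02-28 | CVE-2022-2097 | MEDIUM | 5.30 | 3.17.3, 3.16.5
| | CVE-2022-30065 | HIGH | 7.80 | 3.17.3, 3.16.5
| | CVE-2022-37434 | CRITICAL | 9.80 | 3.17.3, 3.16.5
| | CVE-2022-4304 | MEDIUM | 5.90 | 3.17.3, 3.16.5
| | CVE-2022-4450 | HIGH | 7.50 | 3.17.3, 3.16.5
| | CVE-2023-0215 | HIGH | 7.50 | 3.17.3, 3.16.5
| | CVE-2023-0286 | HIGH | 7.40 | 3.17.3, 3.16.5'

# Constructed edge case: one finding (placeholder id, not a real CVE) is only
# fixed in the newer line, so no in-place patch release clears the whole list.
BIF_SAMPLE_MIXED='BASE IMAGE | LAST SCAN | CVE | SEVERITY | CVSS | FIXED IN
alpine:3.16.0 | 2023-02-28 | CVE-2022-37434 | CRITICAL | 9.80 | 3.17.3, 3.16.5
| | CVE-0000-0000 | HIGH | 7.50 | 3.17.3'

# Number of CVE rows at or above a severity (LOW < MEDIUM < HIGH < CRITICAL).
# $1 = threshold, stdin = bif table
bif_count_at_least() {
  awk -F'|' -v thr="$1" '
    BEGIN { rank["LOW"]=1; rank["MEDIUM"]=2; rank["HIGH"]=3; rank["CRITICAL"]=4 }
    $3 ~ /CVE-/ { sev=$4; gsub(/[ \t]/, "", sev); if (rank[sev] >= rank[thr]) n++ }
    END { print n+0 }'
}

# Base image tag from the first CVE row (the cell is blank on continuation rows).
# stdin = bif table
bif_base_image() {
  awk -F'|' '$3 ~ /CVE-/ && $1 ~ /[^ \t]/ { gsub(/[ \t]/, "", $1); print $1; exit }'
}

# Versions listed under FIXED IN for *every* CVE row, i.e. upgrades that clear
# the whole list, sorted numerically by dotted version. stdin = bif table
bif_full_fix_versions() {
  awk -F'|' '
    $3 ~ /CVE-/ {
      rows++
      n = split($6, v, ",")
      for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", v[i]); if (v[i] != "") seen[v[i]]++ }
    }
    END { for (k in seen) if (seen[k] == rows) print k }' |
  sort -t. -k1,1n -k2,2n -k3,3n
}

# Smallest change that still clears every CVE: the full-fix version on the
# current base image's major.minor line. Prints nothing if there is none.
# stdin = bif table
bif_same_line_fix() {
  table="$(cat)"
  tag="$(printf '%s\n' "$table" | bif_base_image)"
  line="${tag##*:}"; line="${line%.*}"   # alpine:3.16.0 -> 3.16
  printf '%s\n' "$table" | bif_full_fix_versions |
    awk -v line="$line" 'index($0, line ".") == 1 { print; exit }'
}

# Stand-alone demo on the constructed samples. Live form:
#   bif_scan_image us-docker.pkg.dev/fairwinds-ops/oss/polaris:7.0.0 | bif_same_line_fix
printf 'HIGH or worse: %s\n' "$(printf '%s\n' "$BIF_SAMPLE" | bif_count_at_least HIGH)"
printf 'clears all:    %s\n' "$(printf '%s\n' "$BIF_SAMPLE" | bif_full_fix_versions | tr '\n' ' ')"
printf 'same line:     %s\n' "$(printf '%s\n' "$BIF_SAMPLE" | bif_same_line_fix)"
printf 'mixed, same line: [%s]\n' "$(printf '%s\n' "$BIF_SAMPLE_MIXED" | bif_same_line_fix)"
```

For the Polaris output the same-line answer is 3.16.5 and the newest full fix is 3.17.3; for the mixed sample only 3.17.3 clears everything, so the in-place function prints nothing and the decision becomes a minor-version bump. The version sort uses numeric keys on the dot-separated fields rather than sort -V so it behaves the same on busybox and BSD userlands.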
If you have any issues, try enabling debug logging with the --debug flag. If that doesn’t help, reach out to us in our Community Slack channel or file a GitHub issue.
BIF might just become your BFF, because it helps you understand where a vulnerability was introduced in your containers. The quick identification of your base images helps you upgrade faster and solve a bunch of vulnerabilities quickly that would otherwise have been hard to track down and resolve from a long list of unique CVEs. We’d love to hear your questions and suggestions, so please reach out to help us make sure this project helps you improve the security of your containerized environments.