Container Images Vulnerability Management with Policy-as-Code & Trivy

Enterprises have adopted a cloud-native strategy with Kubernetes as the de-facto orchestration engine. The strategy is suited to provide application portability and scalability by abstracting the underneath infrastructure.

Cloud-native platforms require applications delivered in the container image format. These images are deployed across varied application environments like Local, Dev, Staging, UAT, Prod, Recovery, etc. They need an effective strategy to determine and mitigate associated security concerns. Any open vulnerabilities can lead to an unsecured cluster or a compromised application, thereby jeopardizing your customers.

Image scanning is the cornerstone of container security practices. It allows you to classify and categorize CVEs by their severity. Unlike application packages, container images can contain numerous vulnerabilities across many different packages deployed by various teams.

The DevOps team may harden the base images and the associated packages, while each development team can focus on their runtime requirements. Thus container security is a shared responsibility across different teams, so you need a solution that can be well adapted across the enterprise. The cloud-native strategy provides the required solution by creating checks based on the Open Policy Agent (OPA) standard.

OPA is a detailed yet straightforward specification. It can be applied to the different stages of a container's lifecycle for enforcing various practices. In this article, you will work using Trivy, an open source vulnerability scanner, and customize its image scan rules using OPA policies.

Prerequisites

If you'd like to follow along with this tutorial on your machine, you'll need to install Trivy on your machine. It supports a single binary which can be download from its release page. Alternatively, you can work with Trivy docker image using the command below :

 
$ docker run --rm aquasec/trivy:0.18.3  --version
Version: 0.18.3

Image Scan

Trivy binary does not include the vulnerabilities list. Instead, it downloads a list of known vulnerabilities, from an upstream git repository, on execution. The approach allows Trivy to keep the vulnerabilities knowledge up-to-date. It caches the vulnerability data, for about 6 hours, on disk so that subsequent operations can be performed quickly. The ephemeral nature of the Docker container discards this cache. You must bind a volume to persist the cache for subsequent operations.

 
$ docker run --rm -v $PWD/Caches:/root/.cache/ aquasec/trivy:0.18.3 python:3.4-alpine

 
2021-07-05T12:21:43.211Z	INFO	Detecting Alpine vulnerabilities...
2021-07-05T12:21:43.225Z	INFO	Number of PL dependency files: 0
2021-07-05T12:21:43.225Z	WARN	This OS version is no longer supported by the distribution: alpine 3.9.2
2021-07-05T12:21:43.225Z	WARN	The vulnerability detection may be insufficient because security updates are not provided
 
python:3.4-alpine (alpine 3.9.2)
================================
Total: 37 (UNKNOWN: 0, LOW: 4, MEDIUM: 16, HIGH: 13, CRITICAL: 4)
 
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| expat        | CVE-2018-20843   | HIGH     | 2.2.6-r0          | 2.2.7-r0      | expat: large number of                |
|              |                  |          |                   |               | colons in input makes parser          |
|              |                  |          |                   |               | consume high amount...                |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-20843 |
+              +------------------+          +                   +---------------+---------------------------------------+

Above command downloads and scans the python:3.4-alpine image from DockerHub. It uses the database cached at /root/.cache location for vulnerability lookup and identification. The command displays a summarised vulnerability report on your terminal without any vulnerability assessment details in a pretty format.

Trivy performs vulnerability assessment using Common Vulnerability Scoring System (CVSS), an industry standard for assessing the severity of computer system security vulnerabilities. CVSS provides scores in Base, Temporal and Environmental categories, which are based on a matrix of attributes.

Base Scores measure security vulnerabilities based on their intrinsic characteristics, which are constant across different deployment environments. The other two scores are based on the Base score with time and environmental factors. Please refer to the CVSS specification document to know more about the complete specification.

Trivy can provide CVSS Base category score with individual attribute values using the JSON report format.  

 
$ docker run --rm -v $PWD/Caches:/root/.cache/ -v $PWD:/root/data aquasec/trivy:0.18.3 -f json -o /root/data/out.json python:3.4-alpine

The above specifies the -f json option to generate vulnerability report for python:3.4-alpine in JSON format. JSON format contains detailed information and does not provide any summary information, unlike the default tabular format. Furthermore, the command uses the -o /root/data/out.jsonoption to export the report to a file.

Filter Vulnerabilities

Development teams often need ways to quickly analyze and filter the numerous vulnerabilities. This allows them to prioritize their effort and deliver adequate fixes. The JSON report provides the different attributes which can be used to filter the vulnerabilities.

 
{
    "VulnerabilityID": "CVE-2021-22898",
    "PkgName": "curl",
    "InstalledVersion": "7.64.0-4+deb10u2",
    "SeveritySource": "nvd",
    "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-22898"
    "Severity": "HIGH",
    "CweIDs": [
      "CWE-909"
    ],
   ## Removed for Brevity
},

Trivy allows you to build ignore policies using OPA format. The policy can be used to discard vulnerabilities based on VulnerabilityID, PkgName, Severity, CweIDs or any other attribute.

 
package trivy
 
default ignore = false
ignore_pkgs := {"bash", "vim", "libbz2"}
ignore_severities := {"LOW", "MEDIUM"}
 
ignore {
  input.PkgName == ignore_pkgs[_]
}
 
ignore {
  input.Severity == ignore_severities[_]
}
 
ignore {
  input.VulnerabilityID == "CVE-2019-8457"
}
 
ignore {
  input.CweIDs[_] == "CWE-125"
}
 
ignore {
  input.PkgName == "libssl1"
  input.Severity == {"LOW", "MEDIUM", "HIGH"}[_]
  deny_cwe_ids := { "CWE-119","CWE-476"}
  count({x | x := input.CweIDs[_]; x == deny_cwe_ids[_]}) == 0
}

Please make a note of the following things in the above configuration :

• The `package trivy` imports the required parser for the ignore blocks.
• ignore block provides the required conditional checks. All checks in a single ignore block are combined using the AND clause.
• Different ignore blocks are used to provide OR clauses.

You can apply the ignore policy using the --ignore-policy flag.

 
docker run --rm -v $PWD/Caches:/root/.cache/ -v $PWD:/root/data aquasec/trivy:0.18.3 --ignore-policy /root/data/ignorePolicy1.rego python:3.4-alpine

 
2021-07-05T12:23:06.734Z	INFO	Detected OS: alpine
2021-07-05T12:23:06.734Z	INFO	Detecting Alpine vulnerabilities...
2021-07-05T12:23:06.750Z	INFO	Number of PL dependency files: 0
2021-07-05T12:23:06.750Z	WARN	This OS version is no longer supported by the distribution: alpine 3.9.2
2021-07-05T12:23:06.750Z	WARN	The vulnerability detection may be insufficient because security updates are not provided
 
python:3.4-alpine (alpine 3.9.2)
================================
Total: 11 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 9, CRITICAL: 2)
 
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| expat        | CVE-2018-20843   | HIGH     | 2.2.6-r0          | 2.2.7-r0      | expat: large number of                |
|              |                  |          |                   |               | colons in input makes parser          |
|              |                  |          |                   |               | consume high amount...                |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-20843 |
+              +------------------+          +                   +---------------+---------------------------------------+

Let’s correlate the ignore blocks with the above vulnerability report :

• The first block ignores a CRITICAL vulnerability from the libbz2 package.
• The next block ignores all LOW and MEDIUM severity vulnerabilities. Thus there are 0 reported vulnerabilities for the respective severities.
• The subsequent two blocks ignored SQLlite vulnerabilities with respective matching criteria.
• The last block ignored libssl vulnerabilities with severity as either LOW, MEDIUM, or HIGH, and the specified CWE IDs.
• The first block ignores all vulnerabilities other than those that require network access to be exploited.
• The subsequent blocks ignore vulnerabilities that require privileged rights and that require user interaction.
• The last block ignored vulnerabilities with a CVSS score of below 5.

With all these ignore rules in place, you are only left with 2 CRITICAL and 9 HIGH severity vulnerabilities.

So far, you have created ignore rules using package-level attributes, but Trivy also allows you to filter vulnerabilities based on the CVSS Base group attributes. The CVSS Base group consists of two subgroups:

1. Exploitability – The Exploitability sub-group determines the ease is leveraging a vulnerability. A component whose attack is easy will score higher. It is subdivided into four attributes:  attack vector, attack complexity, Privilege Required, and User Interaction.
2. Impact – The Impact sub-group focuses on the actual outcome an attack can achieve as a result. It consists of three attributes, namely – Confidentiality, Integrity, and Availability.

You can create ignore policies based on any of the above-discussed attributes. Additionally, you can also use the CVSS score to filter the vulnerabilities.

 
package trivy
import data.lib.trivy
 
default ignore = false
 
nvd_v3_vector = v {
	v := input.CVSS.nvd.V3Vector
}
 
ignore {
  cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
  cvss_vector.AttackVector != "Network"
}
 
ignore {
  cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
  cvss_vector.PrivilegesRequired == "High"
}
 
ignore {
  cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
  cvss_vector.UserInteraction == "Required"
}
 
ignore {
	input.CVSS.nvd.V3Score < 5
}

 There are a few things to note in the above configuration :

• The `import data.lib.trivy` imports the parse_cvss_vector_v3 function used for CVSS attribute parsing.
• Each attribute has its set of values. Please refer to the library for the complete list of supported values.

Apply the ignore policy using the --ignore-policy flag, as done previously.

 
docker run --rm -v $PWD/Caches:/root/.cache/ -v $PWD:/root/data aquasec/trivy:0.18.3 --ignore-policy /root/data/ignorePolicy2.rego python:3.4-alpine

 
2021-07-05T08:22:09.956Z	INFO	Detected OS: alpine
2021-07-05T08:22:09.956Z	INFO	Detecting Alpine vulnerabilities...
2021-07-05T08:22:09.971Z	INFO	Number of PL dependency files: 0
2021-07-05T08:22:09.971Z	WARN	This OS version is no longer supported by the distribution: alpine 3.9.2
2021-07-05T08:22:09.971Z	WARN	The vulnerability detection may be insufficient because security updates are not provided
 
python:3.4-alpine (alpine 3.9.2)
================================
Total: 28 (UNKNOWN: 0, LOW: 0, MEDIUM: 11, HIGH: 13, CRITICAL: 4)
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |  TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| expat        | CVE-2018-20843   | HIGH     | 2.2.6-r0          | 2.2.7-r0      | expat: large numbe of                |
|              |                  |          |                   |               | colons in input makes parser          |
|              |                  |          |                   |               | consume high amount...                |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-20843 |
+              +------------------+          +                   +---------------+---------------------------------------+

Let’s correlate the ignore blocks with the above vulnerability report :

With all these ignore rules in place, you are only left with 4 CRITICAL,  13 HIGH, and 11 MEDIUM severity vulnerabilities.

Conclusion

Cloud-native development needs modern ways of enforcing security practices. Image scanning with OPA-based policies can provide vulnerability prioritization for the ever-growing stream of known vulnerabilities. Trivy provides a simple configuration for filtering vulnerability list based on contextual factors. The open-sourced solution can be run in various setups like workstations, client-servers, etc to support varied integration models.

At Magalix, we help companies shift security left by defining, managing, and deploying custom governance policies by leveraging PoC. Our libary of policies can prevent non-secure container images from being deployed.  We help implement the right workflows, playbooks, and more using a robust OPA policy execution engine

To learn more, reach out to one of our in-house Kubernetes experts