From 03df7a5e0043618f1b02ec6b3e7a14ca713c7346 Mon Sep 17 00:00:00 2001 From: Anton Sankov Date: Thu, 22 Dec 2022 20:21:51 +0200 Subject: [PATCH] Add a paragraph about CVEs and move some links around --- 2023/day14.md | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/2023/day14.md b/2023/day14.md index 1bd3324..e8532dc 100644 --- a/2023/day14.md +++ b/2023/day14.md @@ -1,6 +1,6 @@ # Container Image Scanning -A container image consists of an image manifest, a filesystem and an image configuration. (1) +A container image consists of an image manifest, a filesystem and an image configuration. [1](https://opencontainers.org/about/overview/) For example, the filesystem of a container image for a Java application will have a Linux filesystem, the JVM, and the JAR/WAR file that represents our application. 
@@ -257,15 +257,23 @@ If an image scanner tells you that you have 0 vulnerabilities in your image, tha Also, mitigating vulnerabilities can be as simple as bumping a version of a dependency (or downgrading one), but sometimes it can be more tricky because that version bump might require a change in your code. +## CVEs + +In the vulnerability table provided by our scanner we see something that starts with `CVE-`: + +```text +bash 4.4.18-2ubuntu1.2 deb CVE-2022-3715 Medium +``` + +[**CVE**](https://cve.mitre.org/) stands for **C**ommon **V**ulnerability and **E**xposures. + +It is a system that allows us to track vulnerabilities and be able to easily search for them. + +Each time a new vulnerability is found, it is assigned a CVE by the [CNA](https://www.cve.org/ProgramOrganization/CNAs) (CVE Numbering Authority) and associated with all components that contain that vulnerability. + +Once this is done, this information is propagated to the vulnerabilities databases and can be leveraged by image scanners to warn about CVEs/vulnerabilities that are present in our container. + +## Summary + Now we know why image scanning is important and how it can help us be more secure. In [Day 15](day15.md) we are going to dive deeper into the way the image scanners work under the hood, looking into things like SBOMs and vulnerability databases. - -## Resources - -[1](https://opencontainers.org/about/overview/) -TODO: more -## DAST - -## Fuzzing - -## IAST
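Review bot: In the first hunk (`@@ -1,6 +1,6 @@`) the link text is just the bare number `[1](https://opencontainers.org/about/overview/)`, which reads as a footnote marker, yet the `## Resources` list that gave "(1)" its meaning is deleted later in this same patch, so nothing on the page explains what "1" refers to. Consider descriptive link text instead, e.g. `...and an image configuration (see the [OCI image overview](https://opencontainers.org/about/overview/)).`, or keep a proper footnote if the rest of the series uses numbered references.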
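Review bot: In the second hunk (`@@ -257,15 +257,23 @@`) the expansion `stands for **C**ommon **V**ulnerability and **E**xposures` is not the official name; it should be the plural `**C**ommon **V**ulnerabilities and **E**xposures`. Two smaller points in the same hunk: the sample row `bash 4.4.18-2ubuntu1.2 deb CVE-2022-3715 Medium` is shown without the scanner's header row, so a reader cannot tell which column is the package type, the identifier, or the severity; please include the header line from the same scanner output. And "it is assigned a CVE by the CNA ... and associated with all components that contain that vulnerability" overstates what a CNA does: the CNA assigns the CVE ID and publishes the record with the affected products it knows about, while the mapping to concrete package versions is done downstream by the vulnerability databases (NVD, distribution security trackers) that the next sentence says scanners consume. Removing the empty `## DAST`, `## Fuzzing` and `## IAST` placeholder headings and the `TODO: more` line is fine.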