ConPan: Analysing Packages Installed in Docker Containers

0 likes•439 views

ConPan is a tool that analyzes software packages installed in Docker containers to identify outdated and vulnerable packages. It combines information about outdatedness and known security vulnerabilities. ConPan works by scanning Docker images and comparing package information to vulnerability databases. The goal is to help identify security risks from outdated and vulnerable packages in container images to improve container security.

Software

ConPan: Analyzing Packages
Installed in Docker Containers
Ahmed Zerouali, Valerio Cosentino,
Jesus Gonzalez-Barahona, Gregorio Robles,
Tom Mens
Int’l Conf. Mining Software Repositories (MSR)
Montreal, QC, Canada - May 26-27, 2019

Motivation: Security vulnerabilities are
main barrier to container adoption
ClusterHQ, June 2015

Motivation: Security vulnerabilities are
main barrier to container adoption
FlawCheck, August 2015

Commercial tools for scanning Docker images

“Systems with a low dependency freshness are more than four
times as likely to contain security issues in these dependencies.”
“Measuring Dependency Freshness in Software Systems”, Cox et al. (ICSE 2015)
"The number of vulnerabilities is moderately correlated
with the number of outdated packages in a container”
“On the Relation between Outdated Docker Containers, Severity Vulnerabilities,
and Bugs”, A. Zerouali et al. (SANER 2019)
Outdatedness causes Security Vulnerabilities

ConPAn– Container Packages Analyzer
Goal: combine information about outdatedness and security vulnerabilities

ConPan Installation
$ git clone https://github.com/neglectos/ConPan
$ python3 setup.py build
$ python3 setup.py install

ConPan in action
Through command-line interface:
$ conpan -p debian -c <Docker image> -d path/to/data
Example:
$ conpan -p debian -c google/mysql -d /ConPan/data/debian/

More Related Content

Similar to ConPan: Analysing Packages Installed in Docker Containers (20)

PPTX

An In-depth look at application containersJohn Kinsella

PPT

20160221 va interconnect_pubCanturk Isci

PDF

Finding Your Way in Container SecurityKsenia Peguero

PPTX

Understanding container securityJohn Kinsella

PDF

Container Patching: Cloud Native Security Con 2023Greg Castle

PDF

Finding Your Way in Container SecurityKsenia Peguero

PDF

Supply Chain Security for Containerised Workloads - Lee Chuk MunnNUS-ISS

PDF

Common vulnerabilities & exposures (cve) in docker containers- 2018 alldaydevopsJose Manuel Ortega Candel

PPTX

Secure container: Kata container and gVisorChing-Hsuan Yen

PDF

Why Should Developers Care About Container Security?All Things Open

PDF

ATO 2022 - Why should devs care about container security.pdfEric Smalling

PDF

Container Stranger Danger - Why should devs care about container securityEric Smalling

PPTX

Clair, A Container Image Security AnalyzerCoreOS

PPTX

Docker Security and Orchestration for DevSecOps winsSharath Kumar

PDF

Security Tips to run Docker in ProductionGianluca Arbezzano

PDF

Vulnerability Exploitation in Docker Container EnvironmentsFlawCheck

PDF

Container Intrusions - Assessing the Efficacy of Intrusion Detection and Anal...Alfredo Hickman

PDF

AWS Chicago talk from John Downey - Containers and securityAWS Chicago

PDF

Python Web Conference 2022 - Why should devs care about container security.pdfEric Smalling

PDF

Ensuring a secure foundation for your AWS Containers - Chris Swan's AWS Loft ...Cohesive Networks

An In-depth look at application containersJohn Kinsella

20160221 va interconnect_pubCanturk Isci

Finding Your Way in Container SecurityKsenia Peguero

Understanding container securityJohn Kinsella

Container Patching: Cloud Native Security Con 2023Greg Castle

Finding Your Way in Container SecurityKsenia Peguero

Supply Chain Security for Containerised Workloads - Lee Chuk MunnNUS-ISS

Common vulnerabilities & exposures (cve) in docker containers- 2018 alldaydevopsJose Manuel Ortega Candel

Secure container: Kata container and gVisorChing-Hsuan Yen

Why Should Developers Care About Container Security?All Things Open

ATO 2022 - Why should devs care about container security.pdfEric Smalling

Container Stranger Danger - Why should devs care about container securityEric Smalling

Clair, A Container Image Security AnalyzerCoreOS

Docker Security and Orchestration for DevSecOps winsSharath Kumar

Security Tips to run Docker in ProductionGianluca Arbezzano

Vulnerability Exploitation in Docker Container EnvironmentsFlawCheck

Container Intrusions - Assessing the Efficacy of Intrusion Detection and Anal...Alfredo Hickman

AWS Chicago talk from John Downey - Containers and securityAWS Chicago

Python Web Conference 2022 - Why should devs care about container security.pdfEric Smalling

Ensuring a secure foundation for your AWS Containers - Chris Swan's AWS Loft ...Cohesive Networks

More from Tom Mens (20)

PDF

Dependency Issues in Open Source Software Package RegistriesTom Mens

PDF

Model Testing of Executable Statecharts using SISMICTom Mens

PDF

How to be(come) a successful PhD studentTom Mens

PPTX

Recognising bot activity in collaborative software developmentTom Mens

PDF

A Dataset of Bot and Human Activities in GitHubTom Mens

PDF

The (r)evolution of CI/CD on GitHubTom Mens

PDF

Nurturing the Software Ecosystems of the FutureTom Mens

PDF

Comment programmer un robot en 30 minutes?Tom Mens

PPTX

On the rise and fall of CI services in GitHubTom Mens

PPTX

On backporting practices in package dependency networksTom Mens

PPTX

Comparing semantic versioning practices in Cargo, npm, Packagist and RubygemsTom Mens

PPTX

Lost in Zero SpaceTom Mens

PDF

Evaluating a bot detection model on git commit messagesTom Mens

PPTX

Is my software ecosystem healthy? It depends!Tom Mens

PPTX

Bot or not? Detecting bots in GitHub pull request activity based on comment s...Tom Mens

PDF

On the fragility of open source software packaging ecosystemsTom Mens

PPTX

How magic is zero? An Empirical Analysis of Initial Development Releases in S...Tom Mens

PPTX

Comparing dependency issues across software package distributions (FOSDEM 2020)Tom Mens

PPTX

Measuring Technical Lag in Software Deployments (CHAOSScon 2020)Tom Mens

PDF

SecoHealth 2019 Research AchievementsTom Mens

Dependency Issues in Open Source Software Package RegistriesTom Mens

Model Testing of Executable Statecharts using SISMICTom Mens

How to be(come) a successful PhD studentTom Mens

Recognising bot activity in collaborative software developmentTom Mens

A Dataset of Bot and Human Activities in GitHubTom Mens

The (r)evolution of CI/CD on GitHubTom Mens

Nurturing the Software Ecosystems of the FutureTom Mens

Comment programmer un robot en 30 minutes?Tom Mens

On the rise and fall of CI services in GitHubTom Mens

On backporting practices in package dependency networksTom Mens

Comparing semantic versioning practices in Cargo, npm, Packagist and RubygemsTom Mens

Lost in Zero SpaceTom Mens

Evaluating a bot detection model on git commit messagesTom Mens

Is my software ecosystem healthy? It depends!Tom Mens

Bot or not? Detecting bots in GitHub pull request activity based on comment s...Tom Mens

On the fragility of open source software packaging ecosystemsTom Mens

How magic is zero? An Empirical Analysis of Initial Development Releases in S...Tom Mens

Comparing dependency issues across software package distributions (FOSDEM 2020)Tom Mens

Measuring Technical Lag in Software Deployments (CHAOSScon 2020)Tom Mens

SecoHealth 2019 Research AchievementsTom Mens

Recently uploaded (20)

PDF

Salesforce Pricing Update 2025: Impact, Strategy & Smart Cost Optimization wi...GetOnCRM Solutions

PDF

SAP GUI Installation Guide for macOS (iOS) | Connect to SAP Systems on MacSAP Vista, an A L T Z E N Company

PDF

Enhancing Security in VAST: Towards Static Vulnerability ScanningESUG

PPTX

TRAVEL APIs | WHITE LABEL TRAVEL API | TOP TRAVEL APIsphilipnathen82

PDF

Virtual Threads in Java: A New Dimension of Scalability and PerformanceTier1 app

PDF

advancepresentationskillshdhdhhdhdhdhhfhfjasmenrojas249

PDF

WatchTraderHub - Watch Dealer software with inventory management and multi-ch...WatchDealer Pavel

PDF

Enhancing Healthcare RPM Platforms with Contextual AI IntegrationCadabra Studio

PPT

Why Reliable Server Maintenance Service in New York is Crucial for Your BusinessSam Vohra

PDF

AWS_Agentic_AI_in_Indian_BFSI_A_Strategic_Blueprint_for_Customer.pdfsiddharthnetsavvies

PDF

How Agentic AI Networks are Revolutionizing Collaborative AI Ecosystems in 2025ronakdubey419

PPTX

Explanation about Structures in C language.pptxVeeral Rathod

PPTX

Role Of Python In Programing Language.pptxjaykoshti048

PPTX

classification of computer and basic part of digital computerravisinghrajpurohit3

PPT

Brief History of Python by Learning Python in three hoursadanechb21

PPT

Activate_Methodology_Summary presentatioannapureddyn

PDF

Supabase Meetup: Build in a weekend, scale to millionsCarlo Gilmar Padilla Santana

PPTX

Contractor Management Platform and Software Solution for ComplianceSHEQ Network Limited

PDF

Download iTop VPN Free 6.1.0.5882 Crack Full Activated Pre Latest 2025imang66g

PPTX

slidesgo-unlocking-the-code-the-dynamic-dance-of-variables-and-constants-2024...kr2589474

Salesforce Pricing Update 2025: Impact, Strategy & Smart Cost Optimization wi...GetOnCRM Solutions

SAP GUI Installation Guide for macOS (iOS) | Connect to SAP Systems on MacSAP Vista, an A L T Z E N Company

Enhancing Security in VAST: Towards Static Vulnerability ScanningESUG

TRAVEL APIs | WHITE LABEL TRAVEL API | TOP TRAVEL APIsphilipnathen82

Virtual Threads in Java: A New Dimension of Scalability and PerformanceTier1 app

advancepresentationskillshdhdhhdhdhdhhfhfjasmenrojas249

WatchTraderHub - Watch Dealer software with inventory management and multi-ch...WatchDealer Pavel

Enhancing Healthcare RPM Platforms with Contextual AI IntegrationCadabra Studio

Why Reliable Server Maintenance Service in New York is Crucial for Your BusinessSam Vohra

AWS_Agentic_AI_in_Indian_BFSI_A_Strategic_Blueprint_for_Customer.pdfsiddharthnetsavvies

How Agentic AI Networks are Revolutionizing Collaborative AI Ecosystems in 2025ronakdubey419

Explanation about Structures in C language.pptxVeeral Rathod

Role Of Python In Programing Language.pptxjaykoshti048

classification of computer and basic part of digital computerravisinghrajpurohit3

Brief History of Python by Learning Python in three hoursadanechb21

Activate_Methodology_Summary presentatioannapureddyn

Supabase Meetup: Build in a weekend, scale to millionsCarlo Gilmar Padilla Santana

Contractor Management Platform and Software Solution for ComplianceSHEQ Network Limited

Download iTop VPN Free 6.1.0.5882 Crack Full Activated Pre Latest 2025imang66g

slidesgo-unlocking-the-code-the-dynamic-dance-of-variables-and-constants-2024...kr2589474

ConPan: Analysing Packages Installed in Docker Containers

1. ConPan: Analyzing Packages Installed in Docker Containers Ahmed Zerouali, Valerio Cosentino, Jesus Gonzalez-Barahona, Gregorio Robles, Tom Mens Int’l Conf. Mining Software Repositories (MSR) Montreal, QC, Canada - May 26-27, 2019

2. Docker containers ● are isolated bundles of software packages ● facilitate deploying software applications in production environments ● are created by combining and modifying images from public (official or community) repositories

3. Motivation: Security vulnerabilities are main barrier to container adoption ClusterHQ, June 2015

4. Motivation: Security vulnerabilities are main barrier to container adoption FlawCheck, August 2015

5. Commercial tools for scanning Docker images

6. Commercial tools for scanning Docker images

7. “Systems with a low dependency freshness are more than four times as likely to contain security issues in these dependencies.” “Measuring Dependency Freshness in Software Systems”, Cox et al. (ICSE 2015) "The number of vulnerabilities is moderately correlated with the number of outdated packages in a container” “On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs”, A. Zerouali et al. (SANER 2019) Outdatedness causes Security Vulnerabilities

8. ConPAn– Container Packages Analyzer Goal: combine information about outdatedness and security vulnerabilities

9. ConPan Installation $ git clone https://github.com/neglectos/ConPan $ python3 setup.py build $ python3 setup.py install

10. ConPan in action Through command-line interface: $ conpan -p debian -c <Docker image> -d path/to/data Example: $ conpan -p debian -c google/mysql -d /ConPan/data/debian/

11. ConPan in action Through API:

12. ConPan in action Through API:

13. ConPan in action Through API:

Editor's Notes

#4: So, In June 2015, ClusterHQ asked enterprises “What are the biggest barriers to putting containers in a production environment?” a higher percentage of more than >60% candidate enterprises said that security was the #1 barrier to putting containers in a production environment.
#5: After some time, In August 2015, FlawCheck and one of our partners, surveyed enterprises asking which piece of the security equation was their top concern about running containers in production environments. At 42%, Vulnerabilities & Malware in container workloads was the top container security concern among those surveyed.
#6: Most of the tools available today are commercial ( not free) tools that provide information about security vulnerabilities about packages installed in docker containers but they don’t provide information about how outdated packages are. How many versions they are missing and how much they are lagging behind the latest version.
#7: Most of the tools available today, they are commercial ( not free) tools that provide information about security vulnerabilities about packages installed in docker containers but they don’t provide information about how outdated packages are. How many versions they are missing and how much they are lagging behind the latest version.
#8: In fact, it has been shown that the number of software vulnerabilities is related with how outdated this software is. More outdated dependencies have more vulnerabilities. Moreover, are there any tools that provide information about other kind of bugs, other than security bugs.
#9: For this reason, we have developed ConPan. A python utility that helps to anlayze packages installed in Docker containers. The overall structure of ConPan is summarized in the figure. Its core is composed by five tasks, which consists of: (i) pulling and running Docker images; (ii) identifying the installed packages; (iii) tracking them back to their package managers; (iv) searching for their known vulnerability reports or other reported bugs and quality issues; (v) reporting the results in a specific output format. ConPan also provides general information about the analysed Docker Hub image, fetched from the Docker Hub registry using its API.
#10: To install conpan