IBM Cloud™ Docker Registry - Push and Scan for Common Vulnerabilities, and Exposures (CVE)

IBM Cloud™ scans images in their Docker Container Registry (DCR)

Introduction

Vulnerability Advisor provides security management for IBM Cloud™ Container Registry, generating a security status report that includes suggested fixes and best practices.

When you add an image to a namespace, the image is automatically scanned by Vulnerability Advisor to detect security issues and potential vulnerabilities. If security issues are found, instructions are provided to help fix the reported vulnerability.

Any issues that are found by Vulnerability Advisor result in a verdict that indicates that it is not advisable to deploy this image. If you choose to deploy the image, any containers that are deployed from the image include known issues that might be used to attack or otherwise compromise the container. The verdict is adjusted based on any exemptions that you specified. This verdict can be used by Container Image Security Enforcement to prevent the deployment of nonsecure images in IBM Cloud™ Kubernetes Service (IKS).

Fixing the security and configuration issues that are reported by Vulnerability Advisor can help you to secure your XtremeCloud Applications that are deployed to IKS.

Tag, Push, and Analyze the Results

Let’s tag and push our brand provider Docker Image to the IBM Cloud™ Container Registry:


[centos@vm-controller xtremecloud-brand]$ docker tag registry.gitlab.com/eupraxialabs/xtremecloud-brand:3.1.2 us.icr.io/eupraxialabs/xtremecloud-brand:3.1.2
[centos@vm-controller xtremecloud-brand]$ docker push us.icr.io/eupraxialabs/xtremecloud-brand:3.1.2
The push refers to a repository [us.icr.io/eupraxialabs/xtremecloud-brand]
b8c352029964: Pushed
f435434daeec: Pushed
b3920d5c9c89: Pushed
37a63b5c958f: Pushed
408dd085e29a: Pushed
d9ff549177a9: Pushed
3.1.2: digest: sha256:00c16c4ad0d2e3ec7398a35ce67cc73d074467638ff74641bdeece39b106aa28 size: 1588
[centos@vm-controller xtremecloud-brand]$ ibmcloud cr image-list
Listing images...

REPOSITORY                                 TAG     DIGEST         NAMESPACE      CREATED      SIZE    SECURITY STATUS
us.icr.io/eupraxialabs/xtremecloud-brand   3.1.2   00c16c4ad0d2   eupraxialabs   3 days ago   85 MB   Scanning...

OK
[centos@vm-controller xtremecloud-brand]$ ibmcloud cr image-list
Listing images...

REPOSITORY                                 TAG     DIGEST         NAMESPACE      CREATED      SIZE    SECURITY STATUS
us.icr.io/eupraxialabs/xtremecloud-brand   3.1.2   00c16c4ad0d2   eupraxialabs   3 days ago   85 MB   1 Issue

OK

Now, let’s look at a vulnerability assessment:

[centos@vm-controller xtremecloud-brand]$ ibmcloud cr va us.icr.io/eupraxialabs/xtremecloud-brand:3.1.2
Checking security issues for 'us.icr.io/eupraxialabs/xtremecloud-brand:3.1.2'...

Image 'us.icr.io/eupraxialabs/xtremecloud-brand:3.1.2' was last scanned on Tue Nov  5 19:20:11 UTC 2019
The scan results show that 1 ISSUE was found for the image.

Vulnerable Packages Found
=========================

Vulnerability ID   Policy Status   Affected Packages   How to Resolve
CVE-2019-14697     Active          musl                Upgrade musl to >= 1.1.19-r11

To see the details about the fixes for these packages, run the command again with the '--extended' flag.

OK

So, let’s look at the extended information that is provided at the command line:


[centos@vm-controller xtremecloud-brand]$ ibmcloud cr va us.icr.io/eupraxialabs/xtremecloud-brand:3.1.2 --extended
Checking security issues for 'us.icr.io/eupraxialabs/xtremecloud-brand:3.1.2'...

Image 'us.icr.io/eupraxialabs/xtremecloud-brand:3.1.2' was last scanned on Tue Nov  5 19:20:11 UTC 2019
The scan results show that 1 ISSUE was found for the image.

Vulnerable Packages Found
=========================

CVE-2019-14697

   Policy Status
   Active

   Summary
   musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.

   Vendor Security Notice IDs   Official Notice
   ALPINE-CVE-2019-14697

   Affected Packages   Policy Status   How to Resolve                  Security Notice
   musl                Active          Upgrade musl to >= 1.1.19-r11   ALPINE-CVE-2019-14697



OK

Let’s look up the CVE at the NIST National Vulnerability Database:

NIST National Vulnerability Database (NDB) Common Vulnerability Exposure (CVE) - click image to enlarge

If you prefer to use the IBM Cloud™ browser user interface, the CVE can be reviewed in this manner:

IBM Cloud™ Container Registry - click image to enlarge