×

With Red Hat Advanced Cluster Security for Kubernetes you can analyze images for vulnerabilities. Scanner analyzes all image layers to check for known vulnerabilities by comparing them with the Common Vulnerabilities and Exposures (CVEs) list.

When Scanner finds any vulnerabilities, it:

  • Shows them in the Vulnerability Management view for detailed analysis.

  • Ranks vulnerabilities according to risk and highlights them in the RHACS portal for risk assessment.

  • Checks them against enabled security policies.

Scanner inspects the images and identifies the installed components based on the files in the images. It may fail to identify installed components or vulnerabilities if the final images are modified to remove the following files:

Components Files

Package managers

  • /etc/alpine-release

  • /etc/apt/sources.list

  • /etc/lsb-release

  • /etc/os-release or /usr/lib/os-release

  • /etc/oracle-release, /etc/centos-release, /etc/redhat-release, or /etc/system-release

  • Other similar system files.

Language-level dependencies

  • package.json for JavaScript.

  • dist-info or egg-info for Python.

  • MANIFEST.MF in Java Archive (JAR) for Java.

Application-level dependencies

  • dotnet/shared/Microsoft.AspNetCore.App/

  • dotnet/shared/Microsoft.NETCore.App/

Scanning images

Central submits image scanning requests to Scanner. Upon receiving these requests, Scanner pulls the image layers from the relevant registry, checks the images, and identifies installed packages in each layer. Then it compares the identified packages and programming language-specific dependencies with the vulnerability lists and sends information back to Central.

You can also integrate Red Hat Advanced Cluster Security for Kubernetes with another vulnerability scanner.

Scanner identifies the vulnerabilities in the:

  • base image operating system

  • packages that are installed by the package managers

  • programming language specific dependencies

  • programming runtimes and frameworks

Supported package formats

Scanner can check for vulnerabilities in images that use the following package formats:

  • yum

  • microdnf

  • apt

  • apk

  • dpkg

  • RPM

Supported programming languages

Scanner can check for vulnerabilities in dependencies for the following programming languages:

  • Java

  • JavaScript

  • Python

  • Ruby

Supported runtimes and frameworks

Beginning from Red Hat Advanced Cluster Security for Kubernetes 3.0.50 (Scanner version 2.5.0), Scanner identifies vulnerabilities in the following developer platforms:

  • .NET Core

  • ASP.NET Core

Supported operating systems

The supported platforms listed in this section are the distributions in which Scanner identifies vulnerabilities, and it is different from the supported platforms on which you can install Red Hat Advanced Cluster Security for Kubernetes.

Scanner identifies vulnerabilities in images that contain the following Linux distributions:

Distribution Version

Alpine Linux

alpine:v3.2, alpine:v3.3, alpine:v3.4, alpine:v3.5, alpine:v3.6, alpine:v3.7, alpine:v3.8, alpine:v3.9, alpine:v3.10, alpine:v3.11, alpine:v3.12, alpine:v3.13, alpine:v3.14, alpine:v3.15, alpine:v3.16, alpine:edge

Amazon Linux

amzn:2018.03, amzn:2

CentOS

centos:6, centos:7, centos:8

Debian

debian:9, debian:10, debian:11, debian:unstable

Red Hat Enterprise Linux (RHEL)

rhel:6, rhel:7, rhel:8

Ubuntu

ubuntu:14.04, ubuntu:16.04, ubuntu:18.04, ubuntu:20.04, ubuntu:21.10, ubuntu:22.04

  • Scanner does not support the Fedora operating system because Fedora does not maintain a vulnerability database. However, Scanner still detects language-specific vulnerabilities in Fedora-based images.

  • Scanner also identifies vulnerabilities in the following images. However, the vulnerability sources are not updated anymore by their vendor:

    Distribution Version

    Debian

    debian:8

    Ubuntu

    ubuntu:12.04, ubuntu:12.10, ubuntu:13.04, ubuntu:14.10, ubuntu:15.04, ubuntu::15.10, ubuntu::16.10, ubuntu:17.04, ubuntu:17.10, ubuntu:18.10, ubuntu:19.04, ubuntu:19.10, ubuntu:20.10, ubuntu:21.04

Periodic scanning of images

Red Hat Advanced Cluster Security for Kubernetes periodically scans all active images and updates the image scan results to reflect the latest vulnerability definitions. Active images are the images you have deployed in your environment.

From Red Hat Advanced Cluster Security for Kubernetes 3.0.57, you can enable automatic scanning of inactive images by configuring the Watch setting for images.

Central fetches the image scan results for all active images from Scanner or other integrated image scanners that you use and updates the results every 4 hours.

You can also use the roxctl CLI to check the image scan results on demand.

Scanning inactive images

Red Hat Advanced Cluster Security for Kubernetes scans all active (deployed) images every 4 hours and updates the image scan results to reflect the latest vulnerability definitions.

You can also configure Red Hat Advanced Cluster Security for Kubernetes to scan inactive (not deployed) images automatically.

Procedure
  1. Select Images on the Vulnerability Management view header to view a list of all the images.

  2. On the Images view header, select Watch Images.

  3. In the Manage Inactive Images dialog, enter the inactive image’s name (and not the image id) for which you want to enable scanning.

  4. Select Add Image. Red Hat Advanced Cluster Security for Kubernetes then scans the image and shows the error or success message.

  5. Select Return to Image list to view the Images view.

Fetching vulnerability definitions

In online mode, Central fetches the vulnerability definitions every 5 minutes from a single feed. This feed combines vulnerability definitions from upstream sources that include multiple Linux distributions and the National Vulnerability Database, and it refreshes every hour.

  • The address of the feed is https://definitions.stackrox.io.

  • You can change the default query frequency for Central by setting the ROX_SCANNER_VULN_UPDATE_INTERVAL environment variable:

    $ oc -n stackrox set env deploy/central ROX_SCANNER_VULN_UPDATE_INTERVAL=<value> (1)
    1 If you use Kubernetes, enter kubectl instead of oc.

Scanner’s configuration map still has an updater.interval parameter for configuring Scanner’s updating frequency, but it no longer includes the fetchFromCentral parameter.

Understanding vulnerability scores

In the RHACS portal shows a single Common Vulnerability Scoring System (CVSS) base score for each vulnerability. Red Hat Advanced Cluster Security for Kubernetes shows the CVSS score based on the following criteria:

  • If a CVSS v3 score is available, Red Hat Advanced Cluster Security for Kubernetes shows the score and lists v3 along with it. For example, 6.5 (v3).

    CVSS v3 scores are only available if you are using Scanner version 1.3.5 and newer.

  • If a CVSS v3 score is not available, Red Hat Advanced Cluster Security for Kubernetes shows only the CVSS v2 score. For example, 6.5.

You can use the API to get the CVSS scores. If CVSS v3 information is available for a Common Vulnerabilities and Exposures (CVE), the response includes both CVSS v3 and CVSS v2 information.

For some CVEs, the Red Hat Security Advisory (RHSA) CVSS score may differ from the CVSS score visible in the RHACS portal. This difference is because one RHSA can contain multiple CVEs, and Red Hat sometimes assigns a different score based on how a vulnerability affects other Red Hat products.

In such cases, Red Hat Advanced Cluster Security for Kubernetes:

  • Finds the highest-scoring CVE from the National Vulnerability Database (NVD) and shows its score as the CVSS score for the RHSA.

  • Breaks out each CVE in the RHSA as a separate vulnerability with its original CVSS score (from the NVD), so that you can view each one and create policies for specific CVEs.

Viewing images in your environment

With Red Hat Advanced Cluster Security for Kubernetes you can view the details for all container images in your clusters.

Procedure
  1. Navigate to the RHACS portal and click Vulnerability Management from the left-hand navigation menu.

  2. To view details for all the images in your cluster, select Images on the Vulnerability Management view header.

Viewing the Dockerfile for an image

Use the Vulnerability Management view to find the root cause of vulnerabilities in an image. You can view the Dockerfile and find exactly which command in the Dockerfile introduced the vulnerabilities and all components that are associated with that single command.

The Dockerfile tab shows information about:

  • All the layers in the Dockerfile

  • The instructions and their value for each layer

  • The components included in each layer

  • The number of CVEs in components for each layer

When there are components introduced by a specific layer, you can select the expand icon to see a summary of its components. If there are any CVEs in those components, you can select the expand icon for an individual component to get more details about the CVEs affecting that component.

Procedure
  1. Navigate to the RHACS portal and click Vulnerability Management from the navigation menu.

  2. Select an image from the Top Riskiest Images widget.

  3. In the Image details view, select the Dockerfile tab under the Image Findings section.

Identifying the container image layer that introduces vulnerabilities

Use the Vulnerability Management view to identify vulnerable components and the image layer they appear in.

Procedure
  1. Navigate to the RHACS portal and click Vulnerability Management from the navigation menu.

  2. Select an image from the Top Riskiest Images widget.

  3. In the Image details view, select the Dockerfile tab under the Image Findings section.

  4. In the Dockerfile tab under the Image Findings section, select the expand icon to see a summary of image components.

  5. Select the expand icon for specific components to get more details about the CVEs affecting the selected component.

Identifying the operating system of the base image

Use the Vulnerability Management view to identify the operating system of the base image.

Procedure
  1. Navigate to the RHACS portal and click Vulnerability Management from the navigation menu.

  2. From the Vulnerability Management view header, select Images.

  3. View the base operating system (OS) and OS version for all images under the Image OS column.

  4. Select an image to view its details. The base operating system is also available under the Image SummaryDetails and Metadata section.

Red Hat Advanced Cluster Security for Kubernetes lists the Image OS as unknown when either:

  • The operating system information is not available, or

  • If the image scanner in use does not provide this information.

Docker Trusted Registry, Google Container Registry, and Anchore do not provide this information.

Disabling language-specific vulnerability scanning

Scanner identifies the vulnerabilities in the programming language-specific dependencies by default. You can disable the language-specific dependency scanning.

Procedure
  • To disable language-specific vulnerability scanning, run the following command:

    $ oc -n stackrox set env deploy/scanner \ (1)
      ROX_LANGUAGE_VULNS=false (2)
    
    1 If you use Kubernetes, enter kubectl instead of oc.
    2 If you are using Red Hat Advanced Cluster Security for Kubernetes version 3.0.47 or older, replace the environment variable name ROX_LANGUAGE_VULNS with LANGUAGE_VULNS.

Additional resources

  • For more information about Common Vulnerabilities and Exposures (CVEs), see the Red Hat CVE Database.