
With Red Hat Advanced Cluster Security for Kubernetes you can analyze images for vulnerabilities. Scanner analyzes all image layers to check for known vulnerabilities by comparing them with the Common Vulnerabilities and Exposures (CVEs) list.

When Scanner finds any vulnerabilities, it:

  • Shows them in the Vulnerability Management view for detailed analysis.

  • Ranks vulnerabilities according to risk and highlights them in the RHACS portal for risk assessment.

  • Checks them against enabled security policies.

Scanner inspects the images and identifies the installed components based on the files in the images. It may fail to identify installed components or vulnerabilities if the final images are modified to remove the following files:

Components Files

Package managers

  • /etc/alpine-release

  • /etc/apt/sources.list

  • /etc/lsb-release

  • /etc/os-release or /usr/lib/os-release

  • /etc/oracle-release, /etc/centos-release, /etc/redhat-release, or /etc/system-release

  • Other similar system files.

Language-level dependencies

  • package.json for JavaScript.

  • dist-info or egg-info for Python.

  • MANIFEST.MF in Java Archive (JAR) for Java.

Application-level dependencies

  • dotnet/shared/Microsoft.AspNetCore.App/

  • dotnet/shared/Microsoft.NETCore.App/
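The following Python example is added here for illustration and is not part of the RHACS documentation or Scanner's own code. It compares a root filesystem tar of an image before and after a cleanup step and reports which of the identification files listed above were removed. The function names, the matching rules (for example, treating any package.json as evidence), and the sample file names are assumptions; the "other similar system files" entry is not covered.

```python
import io
import posixpath
import tarfile
import zipfile

# Paths from the table above, relative to the image root.
OS_FILES = {
    "etc/alpine-release", "etc/apt/sources.list", "etc/lsb-release",
    "etc/os-release", "usr/lib/os-release", "etc/oracle-release",
    "etc/centos-release", "etc/redhat-release", "etc/system-release"}
DOTNET_DIRS = ("/dotnet/shared/Microsoft.AspNetCore.App/",
               "/dotnet/shared/Microsoft.NETCore.App/")

def jar_has_manifest(data):
    """True if data is a JAR (zip archive) that contains MANIFEST.MF."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            return "META-INF/MANIFEST.MF" in jar.namelist()
    except zipfile.BadZipFile:
        return False

def identification_files(tar_bytes):
    """Return the (category, path) evidence found in a root filesystem tar."""
    found = set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar:
            path = posixpath.normpath(member.name).lstrip("/")
            parts = path.split("/")
            if path in OS_FILES:
                found.add(("os", path))
            for marker in DOTNET_DIRS:
                if marker in f"/{path}/":
                    found.add(("application", marker.strip("/")))
            for i, part in enumerate(parts):
                if part.endswith((".dist-info", ".egg-info")):
                    found.add(("language", "/".join(parts[:i + 1])))
            if member.isfile() and parts[-1] == "package.json":
                found.add(("language", path))
            elif member.isfile() and path.endswith(".jar"):
                if jar_has_manifest(tar.extractfile(member).read()):
                    found.add(("language", path))
    return found

def lost_evidence(before_tar, after_tar):
    """Evidence present before slimming but missing from the final image."""
    return sorted(identification_files(before_tar) - identification_files(after_tar))

def make_tar(files):
    """Build an in-memory tar from {path: bytes}, for constructed samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: one image before and after an aggressive cleanup step.
BUILT = {"etc/os-release": b"ID=debian\n", "etc/apt/sources.list": b"",
         "opt/venv/requests-2.31.0.dist-info/METADATA": b"", "app/main.py": b""}
SLIMMED = {"app/main.py": b""}
if __name__ == "__main__":
    for category, path in lost_evidence(make_tar(BUILT), make_tar(SLIMMED)):
        print(f"{category}: {path} was removed, Scanner may miss components")
```

Run as a build-pipeline check, a non-empty result flags a final image in which Scanner may fail to identify components that were present at build time.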

Scanning images

Central submits image scanning requests to Scanner. Upon receiving these requests, Scanner pulls the image layers from the relevant registry, checks the images, and identifies installed packages in each layer. Then it compares the identified packages and programming language-specific dependencies with the vulnerability lists and sends information back to Central.

You can also integrate Red Hat Advanced Cluster Security for Kubernetes with another vulnerability scanner.

Scanner identifies the vulnerabilities in the:

  • base image operating system

  • packages that are installed by the package managers

  • programming language-specific dependencies

  • programming runtimes and frameworks

Understanding and addressing common Scanner warning messages

When scanning images with Red Hat Advanced Cluster Security for Kubernetes (RHACS), you might see the CVE DATA MAY BE INACCURATE warning message. Scanner displays this message when it cannot retrieve complete information about the operating system or other packages in the image.

The following table shows some common Scanner warning messages:

Table 1. Warning messages
Message Description

Unable to retrieve the OS CVE data, only Language CVE data is available

Indicates that Scanner does not officially support the base operating system of the image; therefore, it cannot retrieve CVE data for the operating system-level packages.

Stale OS CVE data

Indicates that the base operating system of the image has reached end-of-life, which means the vulnerability data is outdated. For example, Debian 8 and 9.

For more information about the files needed to identify the components in the images, see Examining images for vulnerabilities.

Failed to get the base OS information

Indicates that Scanner scanned the image, but was unable to determine the base operating system used for the image.

Failed to retrieve metadata from the registry

Indicates that the target registry is unreachable on the network. The cause could be a firewall blocking docker.io, or an authentication issue preventing access.

To analyze the root cause, create a special registry integration for private registries or repositories to get the pod logs for RHACS Central. For instructions on how to do this, see Integrating with image registries.

Image out of scope for Red Hat Vulnerability Scanner Certification

Indicates that Scanner scanned the image, but the image is old and does not fall within the scope of Red Hat Scanner Certification. For more information, see Partner Guide for Red Hat Vulnerability Scanner Certification.

If you are using a Red Hat container image, consider using a base image newer than June 2020.

Supported package formats

Scanner can check for vulnerabilities in images that use the following package formats:

  • yum

  • microdnf

  • apt

  • apk

  • dpkg

  • RPM

Supported programming languages

Scanner can check for vulnerabilities in dependencies for the following programming languages:

  • Java

  • JavaScript

  • Python

  • Ruby

Supported runtimes and frameworks

Beginning with Red Hat Advanced Cluster Security for Kubernetes 3.0.50 (Scanner version 2.5.0), Scanner identifies vulnerabilities in the following developer platforms:

  • .NET Core

  • ASP.NET Core

Supported operating systems

The supported platforms listed in this section are the distributions in which Scanner identifies vulnerabilities. They differ from the supported platforms on which you can install Red Hat Advanced Cluster Security for Kubernetes.

Scanner identifies vulnerabilities in images that contain the following Linux distributions:

Distribution Version

Alpine Linux

alpine:v3.2, alpine:v3.3, alpine:v3.4, alpine:v3.5, alpine:v3.6, alpine:v3.7, alpine:v3.8, alpine:v3.9, alpine:v3.10, alpine:v3.11, alpine:v3.12, alpine:v3.13, alpine:v3.14, alpine:v3.15, alpine:v3.16, alpine:v3.17, alpine:v3.18, alpine:edge

Amazon Linux

amzn:2018.03, amzn:2

CentOS

centos:6, centos:7, centos:8

Debian

debian:10, debian:11, debian:12, debian:unstable

Red Hat Enterprise Linux (RHEL)

rhel:6, rhel:7, rhel:8, rhel:9

Ubuntu

ubuntu:14.04, ubuntu:16.04, ubuntu:18.04, ubuntu:20.04, ubuntu:22.04, ubuntu:22.10, ubuntu:23.04, ubuntu:23.10

  • Scanner does not support the Fedora operating system because Fedora does not maintain a vulnerability database. However, Scanner still detects language-specific vulnerabilities in Fedora-based images.

  • Scanner also identifies vulnerabilities in the following images. However, the vulnerability sources are not updated anymore by their vendor:

    Distribution Version

    Debian

    debian:8

    Ubuntu

    ubuntu:12.04, ubuntu:12.10, ubuntu:13.04, ubuntu:14.10, ubuntu:15.04, ubuntu:15.10, ubuntu:16.10, ubuntu:17.04, ubuntu:17.10, ubuntu:18.10, ubuntu:19.04, ubuntu:19.10, ubuntu:20.10, ubuntu:21.04

Accessing delegated image scanning

You can have isolated container image registries that are only accessible from your secured clusters. The delegated image scanning feature enables you to scan images from any registry in your secured clusters.

Enhancing image scanning by accessing delegated image scanning

Currently, by default, Central Services Scanner performs both indexing (identification of components) and vulnerability matching (enrichment of components with vulnerability data) for images observed in your secured clusters, with the exception of images from the OpenShift Container Platform integrated registry.

For images from the OpenShift Container Platform integrated registry, Scanner-slim installed in your secured cluster performs the indexing, and the Central Services Scanner performs the vulnerability matching.

The delegated image scanning feature extends scanning functionality by allowing Scanner-slim to index images from any registry and then send them to Central for vulnerability matching. To use this feature, ensure that Scanner-slim is installed in your secured clusters. If Scanner-slim is not present, scan requests are sent directly to Central.

Configuring delegated image scanning

A new delegated registry configuration specifies the registries from which image scans are to be delegated. For images observed by Sensor, this configuration allows you to delegate scans from no registries, all registries, or specific registries. To enable delegation of scans using the roxctl CLI, the Jenkins plugin, or the API, you must also specify a destination cluster and source registry.

Prerequisites
  • Scanner-slim must be installed in the secured cluster to scan images.

    Enabling Scanner-slim is supported on OpenShift Container Platform and Kubernetes secured clusters.

Procedure
  1. In the RHACS portal, navigate to Platform Configuration → Clusters.

  2. In the Clusters view header, click Manage delegated scanning.

  3. In the Delegated Image Scanning page, provide the following information:

    • Delegate scanning for: Choose the scope of the image delegation by selecting one of the following options:

      • None: The default option. This option specifies that no images are scanned by the secured clusters, except for images from the OpenShift Container Platform integrated registry.

      • All registries: This option indicates that all images are scanned by secured clusters.

      • Specified registries: This option specifies which images should be scanned by secured clusters based on the registries list.

    • Select default cluster to delegate to: From the drop-down list, select the name of the default cluster that will process the scan requests coming from the command-line interface (CLI) and API. This is optional and you can select None if required.

    • Optional: Click Add registry and specify the source registry and destination cluster details. You can select the destination cluster as None if the scan requests are not coming from the CLI and API. You can add more than one source registry and destination cluster if required.

  4. Click Save.

Image integrations are now synchronized between Central and Sensor, and Sensor captures pull-secrets from each namespace. Sensor then uses these credentials to authenticate to the image registries.

Installing and configuring scanning on secured clusters

Using the Operator

RHACS Operator installs a Scanner-slim version on each secured cluster to scan images in the OpenShift Container Platform integrated registry and optionally other registries.

Using Helm

Secured Cluster Services Helm chart (secured-cluster-services) installs a Scanner-slim version on each secured cluster. In Kubernetes, the secured cluster services include Scanner-slim as an optional component. On OpenShift Container Platform, however, RHACS installs a Scanner-slim version on each secured cluster to scan images in the OpenShift Container Platform integrated registry and optionally other registries.

Verifying after installation

Procedure
  • Verify that the status of the secured cluster indicates that Scanner is present and healthy:

    1. In the RHACS portal, navigate to Platform Configuration → Clusters.

    2. In the Clusters view, select a cluster to view its details.

    3. In the Health Status card, ensure that Scanner is present and is marked as Healthy.

Using image scanning

You can scan images stored in a cluster-specific OpenShift Container Platform integrated image registry by using the roxctl CLI, Jenkins, and the API. You can specify the appropriate cluster in the delegated scanning configuration or use the cluster parameter available in the roxctl CLI, Jenkins, and the API.

For more information about how to scan images by using the roxctl CLI, see Image scanning by using the roxctl CLI.

Periodic scanning of images

Red Hat Advanced Cluster Security for Kubernetes periodically scans all active images and updates the image scan results to reflect the latest vulnerability definitions. Active images are the images you have deployed in your environment.

From Red Hat Advanced Cluster Security for Kubernetes 3.0.57, you can enable automatic scanning of inactive images by configuring the Watch setting for images.

Central fetches the image scan results for all active images from Scanner or other integrated image scanners that you use and updates the results every 4 hours.

You can also use the roxctl CLI to check the image scan results on demand.

Scanning inactive images

Red Hat Advanced Cluster Security for Kubernetes (RHACS) scans all active (deployed) images every 4 hours and updates the image scan results to reflect the latest vulnerability definitions.

You can also configure RHACS to scan inactive (not deployed) images automatically.

Procedure
  1. On the RHACS portal, navigate to Vulnerability Management (2.0) → Workload CVEs (Tech preview).

  2. Click <number> Images to display a list of images and locate the image you want to watch.

  3. Click the kebab menu, and then select Watch image. RHACS then scans the image and shows an error or success message.

  4. (Optional) To remove a watched image, click the kebab menu, and then select Unwatch image.

  5. (Optional) You can view the list of all watched images and add additional images to watch by clicking Manage watched images in the page header.

    On the RHACS portal, click Platform Configuration → System Configuration to view the data retention configuration.

    All the data related to the image removed from the watched image list continues to appear in the RHACS portal for the number of days mentioned on the System Configuration page and is only removed after that period is over.

  6. Click Close to return to the Workload CVEs page.

Fetching vulnerability definitions

In online mode, Central fetches the vulnerability definitions every 5 minutes from a single feed. This feed combines vulnerability definitions from upstream sources that include multiple Linux distributions and the National Vulnerability Database, and it refreshes every hour.

  • The address of the feed is https://definitions.stackrox.io.

  • You can change the default query frequency for Central by setting the ROX_SCANNER_VULN_UPDATE_INTERVAL environment variable:

    $ oc -n stackrox set env deploy/central ROX_SCANNER_VULN_UPDATE_INTERVAL=<value>

    If you use Kubernetes, enter kubectl instead of oc.

Scanner’s configuration map still has an updater.interval parameter for configuring Scanner’s updating frequency, but it no longer includes the fetchFromCentral parameter.

Understanding vulnerability scores

The RHACS portal shows a single Common Vulnerability Scoring System (CVSS) base score for each vulnerability. Red Hat Advanced Cluster Security for Kubernetes shows the CVSS score based on the following criteria:

  • If a CVSS v3 score is available, Red Hat Advanced Cluster Security for Kubernetes shows the score and lists v3 along with it. For example, 6.5 (v3).

    CVSS v3 scores are only available if you are using Scanner version 1.3.5 and newer.

  • If a CVSS v3 score is not available, Red Hat Advanced Cluster Security for Kubernetes shows only the CVSS v2 score. For example, 6.5.

You can use the API to get the CVSS scores. If CVSS v3 information is available for a Common Vulnerabilities and Exposures (CVE), the response includes both CVSS v3 and CVSS v2 information.

For some CVEs, the Red Hat Security Advisory (RHSA) CVSS score may differ from the CVSS score visible in the RHACS portal. This difference is because one RHSA can contain multiple CVEs, and Red Hat sometimes assigns a different score based on how a vulnerability affects other Red Hat products.

In such cases, Red Hat Advanced Cluster Security for Kubernetes:

  • Finds the highest-scoring CVE from the National Vulnerability Database (NVD) and shows its score as the CVSS score for the RHSA.

  • Breaks out each CVE in the RHSA as a separate vulnerability with its original CVSS score (from the NVD), so that you can view each one and create policies for specific CVEs.

Viewing images in your environment

With RHACS, you can view the details for all container images in your clusters.

Procedure
  1. In the RHACS portal, navigate to Vulnerability Management → Dashboard.

  2. To view details for all the images in your cluster, in the Vulnerability Management view header, click Images.

You can also view this information by navigating to Vulnerability Management (2.0) → Workload CVEs. See "Viewing workload CVEs in Vulnerability Management (2.0)" in the "Additional Resources" section for more information.

Viewing the Dockerfile for an image

Use the Vulnerability Management view to find the root cause of vulnerabilities in an image. You can view the Dockerfile and find exactly which command in the Dockerfile introduced the vulnerabilities and all components that are associated with that single command.

The Dockerfile section shows information about:

  • All the layers in the Dockerfile

  • The instructions and their value for each layer

  • The components included in each layer

  • The number of CVEs in components for each layer

When there are components introduced by a specific layer, you can select the expand icon to see a summary of its components. If there are any CVEs in those components, you can select the expand icon for an individual component to get more details about the CVEs affecting that component.

Procedure
  1. Navigate to the RHACS portal and click Vulnerability Management from the navigation menu.

  2. Select an image from either the Top Riskiest Images widget or click the Images button at the top of the Dashboard and select an image.

  3. In the Image details view, next to Dockerfile, select the expand icon to see a summary of instructions, values, creation date, and components.

  4. Select the expand icon for an individual component to view more information.

You can also view this information by navigating to Vulnerability Management (2.0) → Workload CVEs. See "Viewing workload CVEs in Vulnerability Management (2.0)" in the "Additional Resources" section for more information.

Identifying the container image layer that introduces vulnerabilities

Use the Vulnerability Management view to identify vulnerable components and the image layer they appear in.

Procedure
  1. Navigate to the RHACS portal and click Vulnerability Management from the navigation menu.

  2. Select an image from either the Top Riskiest Images widget or click the Images button at the top of the Dashboard and select an image.

  3. In the Image details view, next to Dockerfile, select the expand icon to see a summary of image components.

  4. Select the expand icon for specific components to get more details about the CVEs affecting the selected component.

You can also view this information by navigating to Vulnerability Management (2.0) → Workload CVEs. See "Viewing workload CVEs in Vulnerability Management (2.0)" in the "Additional Resources" section for more information.

Identifying Dockerfile lines in images that introduced components with CVEs

You can identify specific Dockerfile lines in an image that introduced components with CVEs.

Procedure

To view a problematic line:

  1. Navigate to the RHACS portal and click Vulnerability Management from the navigation menu.

  2. Select an image from either the Top Riskiest Images widget or click the Images button at the top of the Dashboard and select an image.

  3. In the Image details view, under Image Findings, CVEs are listed in the Observed CVEs, Deferred CVEs, and False positive CVEs tabs.

  4. Locate the CVE you want to examine further. In the Affected Components column, click on the <number> Components link to view a list of components affected by the CVE. You can perform the following actions in this window:

    • Click the expand icon next to a specific component to view the Dockerfile line in the image that introduced the CVE. To address the CVE, you need to change this line in the Dockerfile; for example, you can upgrade the component.

    • Click the name of the component to go to the Component Summary page and view more information about the component.

You can also view this information by navigating to Vulnerability Management (2.0) → Workload CVEs. See "Viewing workload CVEs in Vulnerability Management (2.0)" in the "Additional Resources" section for more information.

Identifying the operating system of the base image

Use the Vulnerability Management view to identify the operating system of the base image.

Procedure
  1. Navigate to the RHACS portal and click Vulnerability Management from the navigation menu.

  2. From the Vulnerability Management view header, select Images.

  3. View the base operating system (OS) and OS version for all images under the Image OS column.

  4. Select an image to view its details. The base operating system is also available under the Image Summary → Details and Metadata section.

Red Hat Advanced Cluster Security for Kubernetes lists the Image OS as unknown when either:

  • The operating system information is not available, or

  • The image scanner in use does not provide this information.

Docker Trusted Registry, Google Container Registry, and Anchore do not provide this information.

You can also view this information by navigating to Vulnerability Management (2.0) → Workload CVEs. See "Viewing workload CVEs in Vulnerability Management (2.0)" in the "Additional Resources" section for more information.

Disabling language-specific vulnerability scanning

Scanner identifies the vulnerabilities in the programming language-specific dependencies by default. You can disable the language-specific dependency scanning.

Procedure
  • To disable language-specific vulnerability scanning, run the following command:

    $ oc -n stackrox set env deploy/scanner \
      ROX_LANGUAGE_VULNS=false

    If you use Kubernetes, enter kubectl instead of oc.

    If you are using Red Hat Advanced Cluster Security for Kubernetes version 3.0.47 or older, replace the environment variable name ROX_LANGUAGE_VULNS with LANGUAGE_VULNS.

Additional resources

  • For more information about Common Vulnerabilities and Exposures (CVEs), see the Red Hat CVE Database.