1. Documentation
    2. history bug_report picture_as_pdf
×

Examining images for vulnerabilities

With Red Hat Advanced Cluster Security for Kubernetes, you can analyze images for vulnerabilities using the RHACS scanners, or you can configure an integration to use another supported scanner.

The scanners in RHACS analyze each image layer to find packages and match them against known vulnerabilities by comparing them with a vulnerability database populated from different sources. Depending on the scanner used, sources include the National Vulnerability Database (NVD), the Open Source Vulnerabilities (OSV) database, and operating system vulnerability feeds.

The RHACS Scanner V4 uses the OSV database available at OSV.dev under this license.

RHACS contains two scanners: the StackRox Scanner and Scanner V4.

Scanner V4 is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

The StackRox Scanner originates from a fork of the Clair v2 open source scanner and is the default scanner. In version 4.4, RHACS introduced Scanner V4, built on ClairCore, which provides additional image scanning features.

This documentation uses the term "RHACS scanner" or "Scanner" to refer to the combined scanning capabilities provided by the two scanners: the StackRox Scanner and Scanner V4. When referring to the capabilities of a specific scanner, the name of the specific scanner is used.

When the RHACS scanner finds any vulnerabilities, it performs the following actions:

  • Shows them in the Vulnerability Management view for detailed analysis

  • Ranks vulnerabilities according to risk and highlights them in the RHACS portal for risk assessment

  • Checks them against enabled security policies

The RHACS scanner inspects the images and identifies the installed components based on the files in the images. It might fail to identify installed components or vulnerabilities if the final images are modified to remove the following files:

Components Files

Package managers

  • /etc/alpine-release

  • /etc/apt/sources.list

  • /etc/lsb-release

  • /etc/os-release or /usr/lib/os-release

  • /etc/oracle-release, /etc/centos-release, /etc/redhat-release, or /etc/system-release

  • Other similar system files.

Language-level dependencies

  • package.json for JavaScript.

  • dist-info or egg-info for Python.

  • MANIFEST.MF in Java Archive (JAR) for Java.

Application-level dependencies

  • dotnet/shared/Microsoft.AspNetCore.App/

  • dotnet/shared/Microsoft.NETCore.App/

About RHACS Scanner V4 (Technology Preview)

RHACS provides its own scanner, or you can configure an integration to use RHACS with another vulnerability scanner.

Beginning with version 4.4, Scanner V4, built on ClairCore, provides scanning for language and operating system-specific image components. For version 4.4, RHACS also uses the StackRox Scanner to provide some scanning functionality until that functionality is implemented in a future release.

Scanner V4 is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
Additional resources

Scanning images

For version 4.4, RHACS provides two scanners: the StackRox Scanner and Scanner V4. Both scanners can examine images in secured clusters connected in your network. Secured cluster scanning is enabled by default in Red Hat OpenShift environments deployed by using the Operator or when delegated scanning is used. See "Accessing delegated image scanning" for more information.

Scanner V4 is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

When using the StackRox Scanner, RHACS performs the following actions:

  • Central submits image scanning requests to the StackRox Scanner.

  • Upon receiving these requests, the StackRox Scanner pulls the image layers from the relevant registry, checks the images, and identifies installed packages in each layer. Then it compares the identified packages and programming language-specific dependencies with the vulnerability lists and sends information back to Central

  • The StackRox Scanner identifies the vulnerabilities in the following areas:

    • Base image operating system

    • Packages that are installed by the package managers

    • Programming language specific dependencies

    • Programming runtimes and frameworks

When using Scanner V4, RHACS performs the following actions:

  • Central requests the Scanner V4 Indexer to download and index (analyze) given images.

  • Scanner V4 Indexer pulls image metadata from registries to determine the layers of the image, and downloads each previously unindexed layer.

  • Scanner V4 Indexer requests mapping files from Central that assist the indexing process. Scanner V4 Indexer produces in an index report.

  • Central requests that Scanner V4 Matcher match given images to known vulnerabilities. This process results in the final scan result: a vulnerability report. Scanner V4 Matcher requests the latest vulnerabilities from Central.

  • Scanner V4 Matcher requests the results of the image indexing, the index report, from Scanner V4 Indexer. It then uses the report to determine relevant vulnerabilities. This interaction occurs only when the image is indexed in the Central cluster. This interaction does not occur when Scanner V4 is matching vulnerabilities for images indexed in secured clusters.

  • The Indexer stores data in the Scanner V4 DB that is related to the indexing results to ensure that image layers are only downloaded and indexed once. This prevents unnecessary network traffic and other resource utilization.

  • When secured cluster scanning is enabled, Sensor requests Scanner V4 to index images. Scanner V4 Indexer requests mapping files from Sensor that assist the indexing process unless Central exists in the same namespace. In that case, Central is contacted instead.

Understanding and addressing common Scanner warning messages

When scanning images with Red Hat Advanced Cluster Security for Kubernetes (RHACS), you might see the CVE DATA MAY BE INACCURATE warning message. Scanner displays this message when it cannot retrieve complete information about the operating system or other packages in the image.

The following table shows some common Scanner warning messages:

Table 1. Warning messages
Message Description

Unable to retrieve the OS CVE data, only Language CVE data is available

Indicates that Scanner does not officially support the base operating system of the image; therefore, it cannot retrieve CVE data for the operating system-level packages.

Stale OS CVE data

Indicates that the base operating system of the image has reached end-of-life, which means the vulnerability data is outdated. For example, Debian 8 and 9.

For more information about the files needed to identify the components in the images, see Examining images for vulnerabilities.

Failed to get the base OS information

Indicates that Scanner scanned the image, but was unable to determine the base operating system used for the image.

Failed to retrieve metadata from the registry

Indicates that the target registry is unreachable on the network. The cause could be a firewall blocking docker.io, or an authentication issue preventing access.

To analyze the root cause, create a special registry integration for private registries or repositories to get the pod logs for RHACS Central. For instructions on how to do this, see Integrating with image registries.

Image out of scope for Red Hat Vulnerability Scanner Certification

Indicates that Scanner scanned the image, but the image is old and does not fall within the scope of Red Hat Scanner Certification. For more information, see Partner Guide for Red Hat Vulnerability Scanner Certification.

If you are using a Red Hat container image, consider using a base image newer than June 2020.

Supported package formats

Scanner can check for vulnerabilities in images that use the following package formats:

  • apt

  • apk

  • dpkg

  • rpm

Supported programming languages

Scanner can check for vulnerabilities in dependencies for the following programming languages:

  • Go (Scanner V4 only)

    • Binaries: The standard library version used to build the binary is analyzed. If the binaries are built with module support (go.mod), then the dependencies are also analyzed.

  • Java

    • JAR

    • WAR

    • EAR

  • JavaScript

    • Node.js

    • npm package.json

  • Python

    • egg and wheel formats

  • Ruby

    • gem

Supported runtimes and frameworks

Beginning from Red Hat Advanced Cluster Security for Kubernetes 3.0.50 (Scanner version 2.5.0), the StackRox Scanner identifies vulnerabilities in the following developer platforms:

  • .NET Core

  • ASP.NET Core

These are not supported by Scanner V4.

Supported operating systems

The supported platforms listed in this section are the distributions in which Scanner identifies vulnerabilities, and it is different from the supported platforms on which you can install Red Hat Advanced Cluster Security for Kubernetes.

Scanner identifies vulnerabilities in images that contain the following Linux distributions. For more information about the vulnerability databases used, see "Vulnerability sources" in "RHACS Architecture".

Distribution Version

Alpine Linux

alpine:3.2[1],alpine:3.3, alpine:3.4, alpine:3.5, alpine:3.6, alpine:3.7, alpine:3.8, alpine:3.9, alpine:3.10, alpine:3.11, alpine:3.12, alpine:3.13, alpine:3.14, alpine:3.15, alpine:3.16, alpine:3.17, alpine:3.18, alpine:3.19[2], alpine:edge

Amazon Linux

amzn:2018.03, amzn:2, amzn:2023[2]

CentOS

centos:6[1], centos:7[1], centos:8[1]

Debian

debian:10, debian:11, debian:12, debian:unstable, distroless

Oracle Linux

versions 5-9[2]

Photon OS

1.0[2], 2.0[2], 3.0 [2]

Red Hat Enterprise Linux (RHEL)

rhel:6[3], rhel:7[3], rhel:8[3], rhel:9[3]

SUSE

SLES 11, 12, 15[2]; openSUSE Leap 42.3, 15.0, 15.1[2]; SUSE Linux[2]

Ubuntu

ubuntu:14.04, ubuntu:16.04, ubuntu:18.04, ubuntu:20.04, ubuntu:21.04, ubuntu:21.10, ubuntu:22.04, ubuntu:22.10, ubuntu:23.04, ubuntu:23.10

The following vulnerability sources are not updated by the vendor: ubuntu:12.04, ubuntu:12.10, ubuntu:13.04, ubuntu:14.10, ubuntu:15.04, ubuntu::15.10, ubuntu::16.10, ubuntu:17.04, ubuntu:17.10, ubuntu:18.10, ubuntu:19.04, ubuntu:19.10, ubuntu:20.10,

  1. Only supported in the StackRox Scanner.

  2. Only supported in Scanner V4.

  3. Images older than June 2020 are not supported in Scanner V4.

  • Scanner does not support the Fedora operating system because Fedora does not maintain a vulnerability database. However, Scanner still detects language-specific vulnerabilities in Fedora-based images.
Additional resources

Accessing delegated image scanning

You can have isolated container image registries that are only accessible from your secured clusters. The delegated image scanning feature enables you to scan images from any registry in your secured clusters.

Enhancing image scanning by accessing delegated image scanning

Currently, by default, Central Services Scanner performs both indexing (identification of components) and vulnerability matching (enrichment of components with vulnerability data) for images observed in your secured clusters, with the exception of images from the OpenShift Container Platform integrated registry.

For images from the OpenShift Container Platform integrated registry, Scanner-slim installed in your secured cluster performs the indexing, and the Central Services Scanner performs the vulnerability matching.

The delegated image scanning feature extends scanning functionality by allowing Scanner-slim to index images from any registry and then send them to Central for vulnerability matching. To use this feature, ensure that Scanner-slim is installed in your secured clusters. If Scanner-slim is not present, scan requests are sent directly to Central.

Configuring delegated image scanning

A new delegated registry configuration specifies the registries from which image scans are to be delegated. For images observed by Sensor, this configuration allows you to delegate scans from no registries, all registries, or specific registries. To enable delegation of scans using the roxctl CLI, the Jenkins plugin, or the API, you must also specify a destination cluster and source registry.

Prerequisites

  • Scanner-slim must be installed in the secured cluster to scan images.

    Enabling Scanner-slim is supported on OpenShift Container Platform and Kubernetes secured clusters.
Procedure

  1. In the RHACS portal, go to Platform Configuration → Clusters.

  2. In the Clusters view header, click Manage delegated scanning.

  3. In the Delegated Image Scanning page, provide the following information:

    • Delegate scanning for: Choose the scope of the image delegation by selecting one of the following options:

      • None: The default option. This option specifies that no images are scanned by the secured clusters, except for images from the OpenShift Container Platform integrated registry.

      • All registries: This option indicates that all images are scanned by secured clusters.

      • Specified registries: This option specifies which images should be scanned by secured clusters based on the registries list.

    • Select default cluster to delegate to: From the drop-down list, select the name of the default cluster that will process the scan requests coming from the command-line interface (CLI) and API. This is optional and you can select None if required.

    • Optional: Click Add registry and specify the source registry and destination cluster details. You can select the destination cluster as None if the scan requests are not coming from the CLI and API. You can add more than one source registry and destination cluster if required.

  4. Click Save.

Image integrations are now synchronized between Central and Sensor, and Sensor captures pull-secrets from each namespace. Sensor then uses these credentials to authenticate to the image registries.

Installing and configuring Scanner-slim on secured clusters

Using the Operator

RHACS Operator installs a Scanner-slim version on each secured cluster to scan images in the OpenShift Container Platform integrated registry and optionally other registries.

For more information, see Installing RHACS on secured clusters by using the Operator.

Using Helm

Secured Cluster Services Helm chart (secured-cluster-services) installs a Scanner-slim version on each secured cluster. In Kubernetes, the secured cluster services include Scanner-slim as an optional component. On OpenShift Container Platform, however, RHACS installs a Scanner-slim version on each secured cluster to scan images in the OpenShift Container Platform integrated registry and optionally other registries.

Verifying after installation

Procedure

  • Verify that the status of the secured cluster indicates that Scanner is present and healthy:

    1. In the RHACS portal, go to Platform Configuration → Clusters.

    2. In the Clusters view, select a cluster to view its details.

    3. In the Health Status card, ensure that Scanner is present and is marked as Healthy.

Using image scanning

You can scan images stored in a cluster specific OpenShift Container Platform integrated image registry by using roxctl CLI, Jenkins, and API. You can specify the appropriate cluster in the delegated scanning configuration or use the cluster parameter available in roxctl CLI, Jenkins, and API.

For more information about how to scan images by using the roxctl CLI, see Image scanning by using the roxctl CLI.

Setting up scanning

You can configure settings for scanning, such as automatic scanning of active and inactive images.

Automatic scanning of active images

Red Hat Advanced Cluster Security for Kubernetes periodically scans all active images and updates the image scan results to reflect the latest vulnerability definitions. Active images are the images you have deployed in your environment.

From Red Hat Advanced Cluster Security for Kubernetes 3.0.57, you can enable automatic scanning of inactive images by configuring the Watch setting for images.

Central fetches the image scan results for all active images from Scanner or other integrated image scanners that you use and updates the results every 4 hours.

You can also use the roxctl CLI to check the image scan results on demand.

Scanning inactive images

Red Hat Advanced Cluster Security for Kubernetes (RHACS) scans all active (deployed) images every 4 hours and updates the image scan results to reflect the latest vulnerability definitions.

You can also configure RHACS to scan inactive (not deployed) images automatically.

Procedure

  1. In the RHACS portal, go to Vulnerability Management (2.0) → Workload CVEs (Tech preview).

  2. Click <number> Images to display a list of images and locate the image you want to watch.

  3. Click the overflow menu, kebab, and then select Watch image. RHACS then scans the image and shows an error or success message.

  4. (Optional) To remove a watched image, click the overflow menu, kebab, and then select Unwatch image.

  5. (Optional) You can view the list of all watched images and add additional images to watch by clicking Manage watched images in the page header.

    In the RHACS portal, click Platform ConfigurationSystem Configuration to view the data retention configuration.

    All the data related to the image removed from the watched image list continues to appear in the RHACS portal for the number of days mentioned on the System Configuration page and is only removed after that period is over.

  6. Click Close to return to the Workload CVEs page.

Additional resources

About vulnerabilities

RHACS fetches vulnerability definitions and updates from multiple vulnerability feeds. These feeds are both general in nature, such as NVD, or distribution-specific, such as Alpine, Debian, and Ubuntu. For more information on viewing and addressing vulnerabilities that are found, see Vulnerability management.

Fetching vulnerability definitions

In online mode, Central fetches the vulnerability definitions every 5 minutes from a single feed. This feed combines vulnerability definitions from upstream sources, and it refreshes every 3 hours.

  • The address of the feed is https://definitions.stackrox.io.

  • You can change the default query frequency for Central and the StackRox Scanner by setting the ROX_SCANNER_VULN_UPDATE_INTERVAL environment variable:

    $ oc -n stackrox set env deploy/central ROX_SCANNER_VULN_UPDATE_INTERVAL=<value> (1)
    1 If you use Kubernetes, enter kubectl instead of oc.

Note the following guidance:

  • The StackRox Scanner’s configuration map still has an updater.interval parameter for configuring the scanner’s updating frequency, but it no longer includes the fetchFromCentral parameter.

  • Setting this environment variable is not supported for Scanner V4.

For more information about the vulnerability sources that RHACS uses, see "Vulnerability sources" in "Red Hat Advanced Cluster Security for Kubernetes architecture".

Additional resources

Understanding vulnerability scores

The Red Hat Advanced Cluster Security for Kubernetes portal shows a single Common Vulnerability Scoring System (CVSS) base score for each vulnerability. RHACS shows the CVSS score based on the following criteria:

  • If a CVSS v3 score is available, RHACS shows the score and lists v3 along with it. For example, 6.5 (v3).

    CVSS v3 scores are only available if you are using the StackRox Scanner version 1.3.5 and later or Scanner V4.

  • If a CVSS v3 score is not available, RHACS might show only the CVSS v2 score. For example, 6.5.

You can use the API to get the CVSS scores. If CVSS v3 information is available for a vulnerability, the response might include both CVSS v3 and CVSS v2 information.

For a Red Hat Security Advisory (RHSA), the CVSS score is set to the highest CVSS score among all the related CVEs. One RHSA can contain multiple CVEs, and Red Hat sometimes assigns a different score based on how a vulnerability affects other Red Hat products.

Disabling language-specific vulnerability scanning

Scanner identifies the vulnerabilities in the programming language-specific dependencies by default. You can disable the language-specific dependency scanning.

Procedure

  • To disable language-specific vulnerability scanning, run the following command:

    $ oc -n stackrox set env deploy/scanner \ (1)
  ROX_LANGUAGE_VULNS=false (2)
    1 If you use Kubernetes, enter kubectl instead of oc.
    2 If you are using Red Hat Advanced Cluster Security for Kubernetes version 3.0.47 or older, replace the environment variable name ROX_LANGUAGE_VULNS with LANGUAGE_VULNS.

Additional resources