Examine images

Discover images running in your environment and determine if they're at risk.

With the StackRox Kubernetes Security Platform you can analyze images for vulnerabilities. StackRox Scanner analyzes all image layers to check for known vulnerabilities by comparing them with the Common Vulnerabilities and Exposures (CVEs) list.

  • You need Scanner version 2.0.1 or higher to identify vulnerabilities in language-level dependencies. The StackRox Kubernetes Security Platform version 3.0.35.0 and higher includes this Scanner version.

  • To disable language-specific vulnerability scanning you can set the value of the following environment variable to false:

    • LANGUAGE_VULNS for the StackRox Kubernetes Security Platform version 3.0.47 and older.
    • ROX_LANGUAGE_VULNS for the StackRox Kubernetes Security Platform version 3.0.48 and newer.

    If you are using the StackRox Kubernetes Security Platform version 3.0.48 or newer, you can use either one of these variables to disable language-specific vulnerability scanning.

    kubectl -n stackrox set env deploy/scanner ROX_LANGUAGE_VULNS=false
    oc -n stackrox set env deploy/scanner ROX_LANGUAGE_VULNS=false

When Scanner finds any vulnerabilities, it:

  • shows them in the Vulnerability Management view for detailed analysis (requires the StackRox Kubernetes Security Platform version 3.0.42 or newer).
  • includes them in risk ranking.
  • checks them against system policies.
  • highlights them in the portal for risk assessment.

Images Screen (screenshot)

Scanner inspects the images and identifies the installed components based on the files in the images. It may fail to identify installed components or vulnerabilities if the final images are modified to remove the following files:

  1. For package managers:

    • /etc/alpine-release
    • /etc/apt/sources.list
    • /etc/lsb-release
    • /etc/os-release or /usr/lib/os-release
    • /etc/oracle-release, /etc/centos-release, /etc/redhat-release, or /etc/system-release
    • or similar system files.
  2. For language-level dependencies:

    • package.json for JavaScript.
    • dist-info or egg-info for Python.
    • MANIFEST.MF in Java Archive (JAR) for Java.
  3. For application-level dependencies:

    • dotnet/shared/Microsoft.AspNetCore.App/
    • dotnet/shared/Microsoft.NETCore.App/
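As an added pre-flight check (not StackRox code), the following script walks an extracted image root filesystem and reports whether the marker files listed above are still present, so a hardened or "distroless"-style image can be checked before it is pushed. The sample rootfs it builds is constructed for the demonstration; the marker paths are the ones named in this section.

```python
"""Check an extracted image rootfs for the files StackRox Scanner needs to identify components."""
import os
import tempfile
import zipfile

# Any one of these lets Scanner identify the base distribution (list from this page).
OS_MARKERS = [
    "etc/alpine-release", "etc/apt/sources.list", "etc/lsb-release",
    "etc/os-release", "usr/lib/os-release", "etc/oracle-release",
    "etc/centos-release", "etc/redhat-release", "etc/system-release",
]
DOTNET_MARKERS = ["dotnet/shared/Microsoft.AspNetCore.App",
                  "dotnet/shared/Microsoft.NETCore.App"]

def find_language_markers(rootfs):
    """Walk the tree for per-language metadata: package.json, dist-info/egg-info, JAR manifests."""
    found = {"javascript": [], "python": [], "java": []}
    for dirpath, dirnames, filenames in os.walk(rootfs):
        for d in dirnames:
            if d.endswith((".dist-info", ".egg-info")):
                found["python"].append(os.path.join(dirpath, d))
        for f in filenames:
            path = os.path.join(dirpath, f)
            if f == "package.json":
                found["javascript"].append(path)
            elif f.endswith(".jar") and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as jar:
                    if "META-INF/MANIFEST.MF" in jar.namelist():
                        found["java"].append(path)
    return found

def check_rootfs(rootfs):
    """Return the markers present per category; an empty list means Scanner cannot identify it."""
    report = {
        "os_release_files": [m for m in OS_MARKERS if os.path.exists(os.path.join(rootfs, m))],
        "dotnet_runtimes": [m for m in DOTNET_MARKERS if os.path.isdir(os.path.join(rootfs, m))],
    }
    report.update(find_language_markers(rootfs))
    return report

def build_sample_rootfs():
    """Constructed sample: Alpine-like image stripped of /etc/os-release, one Python
    package, one JAR with a manifest, and no package.json."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "alpine-release"), "w") as fh:
        fh.write("3.12.0\n")
    os.makedirs(os.path.join(root, "usr/lib/python3.8/site-packages/requests-2.25.1.dist-info"))
    os.makedirs(os.path.join(root, "app/lib"))
    with zipfile.ZipFile(os.path.join(root, "app/lib/app.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root

if __name__ == "__main__":
    for key, paths in check_rootfs(build_sample_rootfs()).items():
        print(f"{key}: {'OK' if paths else 'MISSING, Scanner cannot identify'} {paths}")
```

Point the script at a real image by exporting it first (for example `docker create` followed by `docker export`, then untar) and passing that directory to `check_rootfs`.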

Scanning images

StackRox Central submits image scanning requests to StackRox Scanner. Upon receiving these requests, StackRox Scanner pulls image layers from the relevant registry, checks the images, and identifies installed packages in each layer. Then it compares the identified packages and programming language-specific dependencies with vulnerability lists and sends information back to StackRox Central.

You can also integrate with another vulnerability scanner.

Scanner identifies vulnerabilities in components installed by package managers, in language-level dependencies, and in application-level dependencies.

Supported package formats

  • yum
  • microdnf
  • apt
  • apk
  • dpkg
  • rpm

Supported programming languages

  • Java
  • JavaScript
  • Python
  • Ruby

Supported runtimes and frameworks

Beginning from the StackRox Kubernetes Security Platform version 3.0.50 (Scanner version 2.5.0), Scanner identifies vulnerabilities in the following developer platforms:

  • .NET Core
  • ASP.NET Core

Supported operating systems

Scanner identifies vulnerabilities in the following Linux distributions:

Distribution                                   Version
Alpine Linux                                   3.2 to 3.12
Amazon Linux                                   2018.03, 2
CentOS and Red Hat Enterprise Linux (RHEL)     5, 6, 7, 8
Debian                                         9 and newer
Oracle Linux                                   5 and newer
Ubuntu                                         12.04 to 20.04 (including LTS and ESM releases)
  1. The platforms listed here are the distributions in which Scanner identifies vulnerabilities; they are different from the supported platforms on which you can install the StackRox Kubernetes Security Platform.
  2. Scanner doesn’t support the Fedora operating system because Fedora doesn’t maintain a vulnerability database for packages within the Fedora repositories. However, Scanner still detects language-specific vulnerabilities in Fedora-based images.

Vulnerability definitions

  • For the StackRox Kubernetes Security Platform version 3.0.35 and newer: StackRox Scanner fetches the vulnerability definitions every 5 minutes from a single feed. This feed combines vulnerability definitions from upstream sources (multiple Linux distributions and the National Vulnerability Database), and it refreshes every hour.
    • For the StackRox Kubernetes Security Platform version 3.0.35 through 3.0.38, the address of the feed is https://storage.googleapis.com/definitions.stackrox.io
    • For the StackRox Kubernetes Security Platform version 3.0.39 and newer, the address of the feed is https://definitions.stackrox.io
  • For the StackRox Kubernetes Security Platform version 3.0.34 and older: StackRox Scanner fetches the vulnerability definitions every two hours from Linux distributions and the National Vulnerability Database.

Vulnerability scores

In the StackRox portal, the StackRox Kubernetes Security Platform shows a single CVSS base score for each vulnerability. The StackRox Kubernetes Security Platform shows the CVSS score based on the following criteria:

  • If a CVSS v3 score is available, the StackRox Kubernetes Security Platform shows the score and lists v3 along with it. For example, 6.5 (v3).
  • If a CVSS v3 score isn’t available, the StackRox Kubernetes Security Platform shows only the CVSS v2 score. For example, 6.5.
  • You can use the API to get the CVSS scores. If CVSS v3 information is available for a particular CVE, the response includes both CVSS v3 and CVSS v2 information.
  • CVSS v3 scores are only available if you’re using StackRox Scanner version 1.3.5 and newer.
  • For some CVEs, the Red Hat Security Advisory (RHSA) CVSS score may differ from the CVSS score visible in the StackRox portal. This difference is because one RHSA can contain multiple CVEs, and Red Hat sometimes assigns a different score based on how a vulnerability affects Red Hat products specifically. In such cases, the StackRox Kubernetes Security Platform:
    • finds the highest-scoring CVE from the National Vulnerability Database (NVD) and shows its score as the CVSS score for the RHSA.
    • breaks out each CVE in the RHSA as a separate vulnerability with its original CVSS score (from the NVD), so that you can view each one and create policies for specific CVEs.

Re-scanning images

The StackRox Kubernetes Security Platform periodically scans all active (deployed) images and updates the image scan results to reflect the latest vulnerability definitions.

From the StackRox Kubernetes Security Platform version 3.0.57, you can configure the Watch setting for images to enable automatic scanning of inactive (undeployed) images.

The StackRox Kubernetes Security Platform scans all deployed images and updates the results every 4 hours. It fetches the image scan results from the StackRox Scanner or from other integrated image scanners that you use.

You can also use the roxctl CLI to check the image scan results on demand.

© 2021 StackRox Inc. All rights reserved.