DI-UMONS : Dépôt institutionnel de l’université de Mons

Recherche transversale
(titres de publication, de périodique et noms de colloque inclus)
2019-02-24 - Colloque/Article dans les actes avec comité de lecture - Anglais - 11 page(s)

Zerouali Ahmed , Mens Tom , Robles Gregorio, Gonzalez-Barahona Jesus, "On The Relation Between Outdated Docker Containers, Severity Vulnerabilities and Bugs" in IEEE International Conference on Software Analysis, Evolution, and Reengineering, Hangzhou, Chine, 2019

  • Codes CREF : Informatique appliquée logiciel (DI2570), Informatique générale (DI1162), Analyse de systèmes informatiques (DI2572)
  • Unités de recherche UMONS : Génie Logiciel (S852)
  • Instituts UMONS : Institut de Recherche en Technologies de l’Information et Sciences de l’Informatique (InforTech)
Texte intégral :

Abstract(s) :

(Anglais) Packaging software into containers is becoming a common practice when deploying services in cloud and other environments. Docker images are one of the most popular container technologies for building and deploying containers. A container image usually includes a collection of software packages, that can have bugs and security vulnerabilities that affect the container health. Our goal is to support container deployers by analysing the relation between outdated containers and vulnerable and buggy packages installed in them. We use the concept of technical lag of a container as the difference between a given container and the most up-to-date container that is possible with the most recent releases of the same collection of packages. For 7,380 official and community Docker images that are based on the Debian Linux distribution, we identify which software packages are installed in them and measure their technical lag in terms of version updates, security vulnerabilities and bugs. We have found, among others, that no release is devoid of vulnerabilities, so deployers cannot avoid vulnerabilities even if they deploy the most recent packages. We offer some lessons learned for container developers in regard to the strategies they can follow to minimize the number of vulnerabilities. We argue that Docker container scan and security management tools should improve their platforms by adding data about other kinds of bugs and include the measurement of technical lag to offer deployers information of when to update.

Identifiants :
  • DOI : 10.1109/SANER.2019.8668013
  • arXiv : https://arxiv.org/abs/1811.12874

Mots-clés :
  • (Anglais) security vulnerability
  • (Anglais) empirical software engineering
  • (Anglais) Docker container
  • (Anglais) data analysis
  • (Anglais) technical lag