Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

Trivy vulnerability scan results for container images in a Notes database

Daniel Nashed – 10 September 2022 09:49:40

Trivy (https://aquasecurity.github.io/trivy/) is a very interesting tool to scan container images, configurations, GitHub projects and more.
I have used it to improve some of the configuration options of the container image.
Trivy supports a JSON formatted output with much more information than the summary printed at the end of a scan --> https://aquasecurity.github.io/trivy/v0.17.0/examples/report/

Here is an example command-line:

trivy image -f json -o /tmp/trivy_hcl_ubi9.json domino-container:ubi9


I took the result file and imported it into a Notes database. It's pretty simple using the LotusScript class and the JSON parser.
An agent parses the result and updates the database.
It turns out some CVEs are reported more than once, depending on the packages you have installed.
The database consolidates the report and provides a full overview.
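The consolidation step above is easy to reproduce outside of Notes. The following Python script is an added example and not the LotusScript agent from the post; it reads a Trivy JSON report, collapses every finding to one entry per CVE with the list of packages it was reported for, and counts unique CVEs per severity. The field names (VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity, Title, PrimaryURL) follow Trivy's JSON report format. The embedded sample report is constructed for this example, with placeholder CVE IDs and invented package names, and it deliberately lists one CVE under two packages. The fallback for a top-level list of results (the layout older Trivy releases wrote before the SchemaVersion 2 wrapper) is an assumption, not something the post states.

```python
import json
import sys

# Constructed sample in the shape of a Trivy JSON report (SchemaVersion 2).
# CVE IDs, package names and versions are placeholders, not real findings.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "domino-container:ubi9",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "domino-container:ubi9 (ubi 9.0)",
            "Class": "os-pkgs",
            "Type": "ubi",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "HIGH", "Title": "libfoo: placeholder issue"},
                # Same CVE again, reported for a second package built from
                # the same source: this is the duplicate the post mentions.
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo-devel",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "HIGH", "Title": "libfoo: placeholder issue"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "bar",
                 "InstalledVersion": "2.3", "FixedVersion": "",
                 "Severity": "MEDIUM", "Title": "bar: placeholder issue"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "baz",
                 "InstalledVersion": "0.9", "FixedVersion": "1.0",
                 "Severity": "CRITICAL", "Title": "baz: placeholder issue"},
            ],
        },
        # Trivy omits the Vulnerabilities key for a clean target.
        {"Target": "/opt/app/config", "Class": "config", "Type": "dockerfile"},
    ],
}

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]


def load_report(path):
    """Read a report written with: trivy image -f json -o <path> <image>."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def iter_vulnerabilities(report):
    """Yield (target, finding) for every finding in the report.

    Accepts the SchemaVersion 2 wrapper ({"Results": [...]}) and, as an
    assumption for older reports, a bare top-level list of results.
    """
    results = report["Results"] if isinstance(report, dict) else report
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def severity_of(vuln):
    sev = vuln.get("Severity", "UNKNOWN")
    return sev if sev in SEVERITY_ORDER else "UNKNOWN"


def consolidate(report):
    """Collapse findings to one entry per CVE, listing each affected package."""
    cves = {}
    for target, v in iter_vulnerabilities(report):
        sev = severity_of(v)
        entry = cves.setdefault(v["VulnerabilityID"], {
            "severity": sev,
            "title": v.get("Title", ""),
            "url": v.get("PrimaryURL", ""),
            "packages": [],
        })
        # Duplicates normally agree on severity; if not, keep the worst one.
        if SEVERITY_ORDER.index(sev) < SEVERITY_ORDER.index(entry["severity"]):
            entry["severity"] = sev
        entry["packages"].append({
            "target": target,
            "name": v.get("PkgName", ""),
            "installed": v.get("InstalledVersion", ""),
            "fixed": v.get("FixedVersion", ""),
        })
    return cves


def summarize(cves):
    """Raw row count vs. unique CVEs, per-severity counts, and fixable CVEs."""
    by_severity = {s: 0 for s in SEVERITY_ORDER}
    fixable = 0
    for entry in cves.values():
        by_severity[entry["severity"]] += 1
        if any(p["fixed"] for p in entry["packages"]):
            fixable += 1
    raw = sum(len(e["packages"]) for e in cves.values())
    return {"raw": raw, "unique": len(cves),
            "fixable": fixable, "by_severity": by_severity}


if __name__ == "__main__":
    report = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    cves = consolidate(report)
    s = summarize(cves)
    print(f"{s['raw']} findings -> {s['unique']} unique CVEs, "
          f"{s['fixable']} with a fix available")
    for sev in SEVERITY_ORDER:
        print(f"  {sev:<9}{s['by_severity'][sev]}")
    for cve_id, e in sorted(cves.items(),
                            key=lambda kv: SEVERITY_ORDER.index(kv[1]["severity"])):
        pkgs = ", ".join(p["name"] for p in e["packages"])
        print(f"{e['severity']:<9}{cve_id}  {pkgs}")
```

Run it as `python3 trivy_consolidate.py /tmp/trivy_hcl_ubi9.json` on a report produced by the command-line above; without an argument it uses the constructed sample. Running the same script against the reports of several base images gives a like-for-like count of unique CVEs per severity, which is the number to compare when weighing base images rather than the raw row count that Trivy prints.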


Different base images have different CVEs

It's pretty interesting to see how differently the Docker base images of the various distributions deal with security patching.

I looked into current versions for important libs earlier and found out that VMware Photon is the clear winner, followed by SUSE Leap and SUSE Enterprise.
That's going to be a separate post soon.

But also from a security patch level point of view, VMware Photon 4.0 and the current SUSE Enterprise (https://registry.suse.com/) and Leap (https://hub.docker.com/r/opensuse/leap) images are ahead of the curve and have not a single vulnerability reported for the packages required for Domino.

The Domino container project supports different base images to build on. The default is currently CentOS Stream 8, which is a commonly used base image.
I have also just added support for SUSE Enterprise -- which surprisingly does not install awk by default, which caused the Domino installer to fail.
I'm not sure it would make sense to switch to another default image from a security point of view, because the Red Hat base images are behind the VMware Photon and SUSE Leap and Enterprise versions.

Feedback?

What are your experiences with container security? Which is your favorite Linux base image and why?
Would the analysis database be interesting for others? Should I make it available open source as well?

-- Daniel

Examples:

[Image: Trivy vulnerability scan results for container images in a Notes database]
