An analysis of security vulnerabilities in container images for scientific data analysis
| Field | Value |
|---|---|
| Main authors | Kaur, Bhupinder; Dugré, Mathieu; Hanna, Aiman; Glatard, Tristan |
| Journal | GigaScience (Technical Note) |
| Publisher | Oxford University Press |
| Published | 2021-06-03 |
| Format | Online Article Text |
| Language | English |
| Subjects | Technical Note |
| Collection | PubMed (record id pubmed-8173661; record format MEDLINE/PubMed; institution: National Center for Biotechnology Information) |
| Online access | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8173661/ ; https://www.ncbi.nlm.nih.gov/pubmed/34080631 ; http://dx.doi.org/10.1093/gigascience/giab025 |
| License | © The Author(s) 2021. Published by Oxford University Press GigaScience. Open Access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted reuse, distribution, and reproduction in any medium, provided the original work is properly cited. |

Abstract

BACKGROUND: Software containers greatly facilitate the deployment and reproducibility of scientific data analyses in various platforms. However, container images often contain outdated or unnecessary software packages, which increases the number of security vulnerabilities in the images, widens the attack surface in the container host, and creates substantial security risks for computing infrastructures at large. This article presents a vulnerability analysis of container images for scientific data analysis. We compare results obtained with 4 vulnerability scanners, focusing on the use case of neuroscience data analysis, and quantifying the effect of image update and minification on the number of vulnerabilities.

RESULTS: We find that container images used for neuroscience data analysis contain hundreds of vulnerabilities, that software updates remove roughly two-thirds of these vulnerabilities, and that removing unused packages is also effective.

CONCLUSIONS: We provide recommendations on how to build container images with fewer vulnerabilities.