An analysis of security vulnerabilities in container images for scientific data analysis

Abstract

Background: Software containers greatly facilitate the deployment and reproducibility of scientific data analyses on various platforms. However, container images often contain outdated or unnecessary software packages, which increases the number of security vulnerabilities in the images, widens the attack surface on the container host, and creates substantial security risks for computing infrastructures at large. This article presents a vulnerability analysis of container images for scientific data analysis. We compare results obtained with 4 vulnerability scanners, focusing on the use case of neuroscience data analysis, and quantify the effect of image updates and minification on the number of vulnerabilities.

Results: We find that container images used for neuroscience data analysis contain hundreds of vulnerabilities, that software updates remove roughly two-thirds of these vulnerabilities, and that removing unused packages is also effective.

Conclusions: We provide recommendations on how to build container images with fewer vulnerabilities.
