Make Your Containers Better, Smaller and More Secure using DockerSlim and Trivy

Madhu Kumar - Jan 19 '22 - - Dev Community

DockerSlim is a tool for developers that provides a set of commands (build, xray, lint and others) to simplify and optimise your developer experience with containers. It makes your containers better, smaller and more secure.

docker-slim will optimise and secure your containers by understanding your application and what it needs using various analysis techniques. It will throw away what you don't need, reducing the attack surface of your container.

Installation

Homebrew

macpro$ brew install docker-slim
Running `brew update --preinstall`...
==> Auto-updated Homebrew!
Updated 2 taps (homebrew/core and homebrew/cask).
==> New Formulae
roapi
==> Updated Formulae
Updated 150 formulae.
==> Deleted Formulae
gr-osmosdr
==> New Casks
surge-xt                                                                                               the-watcher
==> Updated Casks
Updated 75 casks.
==> Deleted Casks
macspice

==> Downloading https://ghcr.io/v2/homebrew/core/docker-slim/manifests/1.37.3
######################################################################## 100.0%
==> Downloading https://ghcr.io/v2/homebrew/core/docker-slim/blobs/sha256:df87009035951ec38e0ea41d9e16bd50380270eed26b218dbce04cabde178372
==> Downloading from https://pkg-containers.githubusercontent.com/ghcr1/blobs/sha256:df87009035951ec38e0ea41d9e16bd50380270eed26b218dbce04cabde178372?se=2022-01-19T07%3A30%3A00Z&sig=lv644bJ8lsHdmXnoP6PSeF
######################################################################## 100.0%
==> Pouring docker-slim--1.37.3.monterey.bottle.tar.gz
🍺  /usr/local/Cellar/docker-slim/1.37.3: 7 files, 22.3MB
==> Running `brew cleanup docker-slim`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).

Docker

macpro$ docker pull dslim/docker-slim
Using default tag: latest
latest: Pulling from dslim/docker-slim
906008da2104: Pull complete
Digest: sha256:c9630eb10a8d2712807efd8125804e44f67127903a15e19557b6b2d4aabd85cf
Status: Downloaded newer image for dslim/docker-slim:latest
docker.io/dslim/docker-slim:latest

[Screencast: interactive CLI prompt]

DockerSlim in action

Understand why your docker image is so big with 'docker-slim xray' command

You can use the docker-slim xray command to find out what makes an image large. The command performs a static analysis of the target container image and reverse-engineers the Dockerfile from the image, telling you what's inside your container image and why it is so big:

macpro$ docker-slim xray --target hello-world
docker-slim: message='join the Gitter channel to ask questions or to share your feedback' info='https://gitter.im/docker-slim/community'
docker-slim: message='join the Discord server to ask questions or to share your feedback' info='https://discord.gg/9tDyxYS'
docker-slim: message='Github discussions' info='https://github.com/docker-slim/docker-slim/discussions'
cmd=xray state=started
cmd=xray info=params add-image-manifest='false' add-image-config='false' rm-file-artifacts='false' target='hello-world'
cmd=xray state=image.api.inspection.start
cmd=xray info=image size.human='13 kB' id='sha256:feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412' size.bytes='13256'
cmd=xray info=image.stack instructions='2' message='see report file for details' index='0' name='hello-world:latest' id='sha256:feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412'
cmd=xray state=image.api.inspection.done
cmd=xray state=image.data.inspection.start
cmd=xray info=image.data.inspection.save.image.start
cmd=xray info=image.data.inspection.save.image.end
cmd=xray info=image.data.inspection.process.image.start
cmd=xray info=image.data.inspection.process.image.end
cmd=xray state=image.data.inspection.done
cmd=xray info=image.package.details
cmd=xray info=layers.count value='1'
cmd=xray info=layer.start
cmd=xray info=layer index='0' id='c28b9c2faac407005d4d657e49f372fb3579a47dd4e4d87d13e29edd1c912d5c' path='c28b9c2faac407005d4d657e49f372fb3579a47dd4e4d87d13e29edd1c912d5c/layer.tar'
cmd=xray info=change.instruction all='COPY file:50563a97010fd7ce1ceebd1fa4f4891ac3decdf428333fb2683696f4358af6c2 /' index='0:0' type='COPY' snippet='COPY file:50563a97010fd7ce1ceebd1fa4f4891ac3...'
cmd=xray info=other.instructions count='1'
cmd=xray info=other.instruction pos='0' index='0:1' type='CMD' snippet='CMD ["/hello"]
' all='CMD ["/hello"]
'
cmd=xray info=layer.stats all_size.bytes='13256' all_size.human='13 kB'
cmd=xray info=layer.stats object_count='1'
cmd=xray info=layer.stats file_count='1'
cmd=xray info=layer.stats max_file_size.human='13 kB' max_file_size.bytes='13256'
cmd=xray info=layer.stats added_size.human='13 kB' added_size.bytes='13256'
cmd=xray info=layer.change.summary deleted='0' modified='0' added='1' all='1'
cmd=xray info=layer.objects.count value='1'
cmd=xray info=layer.objects.top.start
A: mode=-rwxrwxr-x size.human='13 kB' size.bytes=13256 uid=0 gid=0 mtime='2021-09-23T23:47:50Z' H=[A:0] hash=c2f307ac8061b9861c3ed4dfb4fbf19d30fe697a '/hello'
cmd=xray info=layer.objects.top.end
cmd=xray info=layer.end
cmd=xray info=image.entry exe_args='' exe_path='/hello'
cmd=xray info=image.entry.full_exe_path name='/hello' layer='0'
cmd=xray state=completed
cmd=xray state=done
cmd=xray info=results artifacts.location='/tmp/docker-slim-state/.docker-slim-state/images/feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412/artifacts'
cmd=xray info=results artifacts.dockerfile.original='Dockerfile.fat'
cmd=xray info=report file='slim.report.json'
docker-slim: message='join the Gitter channel to ask questions or to share your feedback' info='https://gitter.im/docker-slim/community'
docker-slim: message='join the Discord server to ask questions or to share your feedback' info='https://discord.gg/9tDyxYS'
docker-slim: message='Github discussions' info='https://github.com/docker-slim/docker-slim/discussions'

The report is saved locally in a file called "slim.report.json". It is overwritten every time you execute the xray command.

cmd=xray info=report file='slim.report.json'

Contents of report file:

macpro$ cat slim.report.json
{
  "version": "1.2",
  "engine": "darwin|Transformer|1.37.3|latest|latest",
  "containerized": false,
  "host_distro": {
    "name": "",
    "version": "",
    "display_name": "other"
  },
  "type": "xray",
  "state": "done",
  "target_reference": "hello-world",
  "source_image": {
    "identity": {
      "id": "sha256:feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412",
      "tags": [
        "latest"
      ],
      "names": [
        "hello-world:latest"
      ],
      "digests": [
        "sha256:975f4b14f326b05db86e16de00144f9c12257553bba9484fed41f9b6f2257800"
      ],
      "full_digests": [
        "hello-world@sha256:975f4b14f326b05db86e16de00144f9c12257553bba9484fed41f9b6f2257800"
      ]
    },
    "size": 13256,
    "size_human": "13 kB",
    "create_time": "2021-09-23T23:47:57Z",
    "docker_version": "20.10.7",
    "architecture": "amd64",
    "os": "linux",
    "env_vars": [
      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    ],
    "container_entry": {
      "cmd": [
        "/hello"
      ],
      "exe_path": "/hello",
      "full_exe_path": {
        "name": "/hello",
        "layer": 0
      }
    }
  },
  "artifact_location": "/tmp/docker-slim-state/.docker-slim-state/images/feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412/artifacts",
  "image_report": {
    "stats": {
      "duplicate_file_count": 0,
      "duplicate_file_total_count": 0,
      "duplicate_file_size": 0,
      "duplicate_file_total_size": 0,
      "duplicate_file_wasted_size": 0,
      "deleted_count": 0,
      "deleted_dir_content_count": 0,
      "deleted_dir_count": 0,
      "deleted_file_count": 0,
      "deleted_link_count": 0,
      "deleted_file_size": 0
    },
    "certs": {},
    "ca_certs": {}
  },
  "image_stack": [
    {
      "is_top_image": true,
      "id": "sha256:feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412",
      "full_name": "hello-world:latest",
      "repo_name": "hello-world",
      "version_tag": "latest",
      "raw_tags": [
        "hello-world:latest"
      ],
      "create_time": "2021-09-23T23:47:57Z",
      "new_size": 13256,
      "new_size_human": "13 kB",
      "instructions": [
        {
          "type": "COPY",
          "time": "2021-09-23T23:47:57Z",
          "is_nop": true,
          "local_image_exists": false,
          "layer_index": 0,
          "layer_id": "c28b9c2faac407005d4d657e49f372fb3579a47dd4e4d87d13e29edd1c912d5c",
          "layer_fsdiff_id": "sha256:e07ee1baac5fae6a26f30cabfe54a36d3402f96afda318fe0a96cec4ca393359",
          "size": 13256,
          "size_human": "13 kB",
          "params": "file:50563a97010fd7ce1ceebd1fa4f4891ac3decdf428333fb2683696f4358af6c2 in /",
          "command_snippet": "COPY file:50563a97010fd7ce1ceebd1fa4f4891ac3...",
          "command_all": "COPY file:50563a97010fd7ce1ceebd1fa4f4891ac3decdf428333fb2683696f4358af6c2 /",
          "target": "/",
          "source_type": "file"
        },
        {
          "type": "CMD",
          "time": "2021-09-23T23:47:57Z",
          "is_last_instruction": true,
          "is_nop": true,
          "is_exec_form": true,
          "local_image_exists": true,
          "layer_index": 0,
          "layer_id": "c28b9c2faac407005d4d657e49f372fb3579a47dd4e4d87d13e29edd1c912d5c",
          "layer_fsdiff_id": "sha256:e07ee1baac5fae6a26f30cabfe54a36d3402f96afda318fe0a96cec4ca393359",
          "size": 0,
          "params": "[\"/hello\"]\n",
          "command_snippet": "CMD [\"/hello\"]\n",
          "command_all": "CMD [\"/hello\"]\n",
          "empty_layer": true,
          "raw_tags": [
            "hello-world:latest"
          ]
        }
      ]
    }
  ],
  "image_layers": [
    {
      "id": "c28b9c2faac407005d4d657e49f372fb3579a47dd4e4d87d13e29edd1c912d5c",
      "index": 0,
      "path": "c28b9c2faac407005d4d657e49f372fb3579a47dd4e4d87d13e29edd1c912d5c/layer.tar",
      "fsdiff_id": "sha256:e07ee1baac5fae6a26f30cabfe54a36d3402f96afda318fe0a96cec4ca393359",
      "stats": {
        "all_size": 13256,
        "object_count": 1,
        "dir_count": 0,
        "file_count": 1,
        "link_count": 0,
        "max_file_size": 13256,
        "max_dir_size": 0,
        "deleted_count": 0,
        "deleted_dir_content_count": 0,
        "deleted_dir_count": 0,
        "deleted_file_count": 0,
        "deleted_link_count": 0,
        "deleted_size": 0,
        "added_size": 13256,
        "modified_size": 0
      },
      "changes": {
        "deleted": 0,
        "added": 1,
        "modified": 0
      },
      "top": [
        {
          "change": "A",
          "name": "/hello",
          "size": 13256,
          "mode": 509,
          "uid": 0,
          "gid": 0,
          "mod_time": "2021-09-24T01:47:50+02:00",
          "change_time": "0001-01-01T00:00:00Z",
          "history": {
            "A": {
              "layer": 0
            }
          },
          "hash": "c2f307ac8061b9861c3ed4dfb4fbf19d30fe697a"
        }
      ],
      "change_instruction": {
        "index": 0,
        "image_index": 0,
        "type": "COPY",
        "all": "COPY file:50563a97010fd7ce1ceebd1fa4f4891ac3decdf428333fb2683696f4358af6c2 /",
        "snippet": "COPY file:50563a97010fd7ce1ceebd1fa4f4891ac3..."
      },
      "other_instructions": [
        {
          "index": 1,
          "image_index": 0,
          "type": "CMD",
          "all": "CMD [\"/hello\"]\n",
          "snippet": "CMD [\"/hello\"]\n"
        }
      ]
    }
  ],
  "image_archive_location": "/tmp/docker-slim-state/.docker-slim-state/images/feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412/image/feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412.tar"
}
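Reading the report programmatically, as an added example that is not part of docker-slim: it uses only fields visible in the report above (a trimmed copy of it serves as constructed input), reconstructs the Dockerfile from `image_stack`, ranks instructions by the bytes they add, and flags setuid or world-writable files from each layer's `top` list.

```python
"""Summarise a docker-slim xray report (slim.report.json).

Added example; not part of docker-slim. It uses only fields present in
the report above: source_image, image_stack[].instructions,
image_layers[].stats and image_layers[].top.
"""
from __future__ import annotations

import json
import stat

# Constructed sample: a trimmed copy of the hello-world report above.
SAMPLE_REPORT = json.dumps({
    "type": "xray",
    "target_reference": "hello-world",
    "source_image": {"size": 13256, "size_human": "13 kB",
                     "container_entry": {"exe_path": "/hello"}},
    "image_stack": [{
        "full_name": "hello-world:latest",
        "instructions": [
            {"type": "COPY", "layer_index": 0, "size": 13256,
             "command_all": "COPY file:50563a97010fd7ce1ceebd1fa4f4891ac3decdf428333fb2683696f4358af6c2 /"},
            {"type": "CMD", "layer_index": 0, "size": 0, "empty_layer": True,
             "command_all": "CMD [\"/hello\"]\n"},
        ],
    }],
    "image_layers": [{
        "index": 0,
        "stats": {"all_size": 13256, "file_count": 1, "added_size": 13256},
        "top": [{"change": "A", "name": "/hello", "size": 13256,
                 "mode": 509, "uid": 0, "gid": 0}],
    }],
})


def load_report(text: str) -> dict:
    """Parse the JSON and make sure it is an xray report, not a build report."""
    report = json.loads(text)
    if report.get("type") != "xray":
        raise ValueError(f"not an xray report: {report.get('type')!r}")
    return report


def dockerfile_lines(report: dict) -> list[str]:
    """Reverse-engineered Dockerfile. image_stack lists the top image first,
    so walk it in reverse to emit base-image instructions first."""
    lines: list[str] = []
    for image in reversed(report["image_stack"]):
        for ins in image["instructions"]:
            lines.append(ins["command_all"].rstrip("\n"))
    return lines


def layer_breakdown(report: dict) -> list[tuple[str, int, float]]:
    """(instruction, bytes, percent of image) for instructions that added a
    layer, largest first: the 'why is my image so big' view."""
    total = report["source_image"]["size"]
    rows = []
    for image in report["image_stack"]:
        for ins in image["instructions"]:
            if ins.get("empty_layer") or ins.get("size", 0) == 0:
                continue
            pct = round(100.0 * ins["size"] / total, 1) if total else 0.0
            rows.append((ins["command_all"].rstrip("\n"), ins["size"], pct))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


def largest_files(report: dict, limit: int = 5) -> list[tuple[str, int, int]]:
    """(path, bytes, layer index) across every layer's `top` list."""
    files = []
    for layer in report["image_layers"]:
        for obj in layer.get("top", []):
            files.append((obj["name"], obj["size"], layer["index"]))
    files.sort(key=lambda f: f[1], reverse=True)
    return files[:limit]


def risky_files(report: dict) -> list[tuple[str, str]]:
    """Files whose mode bits deserve review: setuid/setgid or world-writable.
    `mode` in the report is numeric (509 == 0o775 for /hello above)."""
    flagged = []
    for layer in report["image_layers"]:
        for obj in layer.get("top", []):
            mode = obj["mode"]
            if mode & (stat.S_ISUID | stat.S_ISGID):
                flagged.append((obj["name"], "setuid/setgid"))
            elif mode & stat.S_IWOTH:
                flagged.append((obj["name"], "world-writable"))
    return flagged


if __name__ == "__main__":
    rep = load_report(SAMPLE_REPORT)
    print("# Dockerfile reconstructed from", rep["target_reference"])
    print("\n".join(dockerfile_lines(rep)))
    print("\nLayer sizes:")
    for cmd, size, pct in layer_breakdown(rep):
        print(f"  {size:>10} B  {pct:5.1f}%  {cmd[:60]}")
    print("\nLargest files:", largest_files(rep))
    print("Permission findings:", risky_files(rep) or "none")
```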

Scan for vulnerabilities in container images with Trivy

Trivy (tri pronounced like trigger, vy pronounced like envy) is a simple and comprehensive scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and language-specific packages (Bundler, Composer, npm, yarn, etc.).

Demo: Vulnerability Detection (Container Image)

[Screencast: Trivy vulnerability detection demo]

Installation

Homebrew

macpro$ brew install aquasecurity/trivy/trivy
==> Tapping aquasecurity/trivy
Cloning into '/usr/local/Homebrew/Library/Taps/aquasecurity/homebrew-trivy'...
remote: Enumerating objects: 234, done.
remote: Counting objects: 100% (123/123), done.
remote: Compressing objects: 100% (82/82), done.
remote: Total 234 (delta 40), reused 0 (delta 0), pack-reused 111
Receiving objects: 100% (234/234), 32.31 KiB | 807.00 KiB/s, done.
Resolving deltas: 100% (75/75), done.
Tapped 1 formula (12 files, 44.3KB).
==> Downloading https://github.com/aquasecurity/trivy/releases/download/v0.22.0/trivy_0.22.0_macOS-64bit.tar.gz
==> Downloading from https://objects.githubusercontent.com/github-production-release-asset-2e65be/180687624/c5372977-9768-44b5-a521-b292023d59fc?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJY
######################################################################## 100.0%
==> Installing trivy from aquasecurity/trivy
🍺  /usr/local/Cellar/trivy/0.22.0: 5 files, 43.4MB, built in 8 seconds
==> Running `brew cleanup trivy`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).

Docker

macpro$ docker pull aquasec/trivy:0.18.3
0.18.3: Pulling from aquasec/trivy
540db60ca938: Pull complete
34d3c071cc52: Pull complete
d7bdd85a6e66: Pull complete
be1643e0617a: Pull complete
Digest: sha256:5d7b7bcdc556f45a3b5384f276eb14a83d4827b6d41a5c275159c3896f42465c
Status: Downloaded newer image for aquasec/trivy:0.18.3
docker.io/aquasec/trivy:0.18.3

Trivy in action

Scan a docker image with trivy:

macpro$ trivy image hello-world
2022-01-19T10:20:59.269+0100    INFO    Need to update DB
2022-01-19T10:20:59.270+0100    INFO    Downloading DB...
25.55 MiB / 25.55 MiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 14.64 MiB p/s 2s
2022-01-19T10:21:02.334+0100    INFO    Number of language-specific files: 0



macpro$ trivy image aquasec/trivy:0.18.3
2022-01-19T10:21:29.264+0100    INFO    Detected OS: alpine
2022-01-19T10:21:29.264+0100    INFO    Detecting Alpine vulnerabilities...
2022-01-19T10:21:29.270+0100    INFO    Number of language-specific files: 1
2022-01-19T10:21:29.270+0100    INFO    Detecting gobinary vulnerabilities...

aquasec/trivy:0.18.3 (alpine 3.13.5)
====================================
Total: 44 (UNKNOWN: 0, LOW: 2, MEDIUM: 8, HIGH: 27, CRITICAL: 7)

+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| apk-tools    | CVE-2021-36159   | CRITICAL | 2.12.5-r0         | 2.12.6-r0     | libfetch before 2021-07-26, as        |
|              |                  |          |                   |               | used in apk-tools, xbps, and          |
|              |                  |          |                   |               | other products, mishandles...         |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-36159 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| busybox      | CVE-2021-42378   | HIGH     | 1.32.1-r6         | 1.32.1-r7     | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42378 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42379   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42379 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42380   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42380 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42381   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42381 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42382   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42382 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42383   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42383 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42384   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42384 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42385   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42385 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42386   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42386 |
+              +------------------+----------+                   +               +---------------------------------------+
|              | CVE-2021-42374   | MEDIUM   |                   |               | busybox: out-of-bounds read           |
|              |                  |          |                   |               | in unlzma applet leads to             |
|              |                  |          |                   |               | information leak and denial...        |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42374 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42375   |          |                   |               | busybox: incorrect handling           |
|              |                  |          |                   |               | of a special element in               |
|              |                  |          |                   |               | ash applet leads to...                |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42375 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| expat        | CVE-2022-22822   | CRITICAL | 2.2.10-r1         | 2.2.10-r2     | addBinding in xmlparse.c in           |
|              |                  |          |                   |               | Expat (aka libexpat) before           |
|              |                  |          |                   |               | 2.4.3 has an integer...               |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-22822 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2022-22823   |          |                   |               | build_model in xmlparse.c in          |
|              |                  |          |                   |               | Expat (aka libexpat) before           |
|              |                  |          |                   |               | 2.4.3 has an integer...               |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-22823 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2022-22824   |          |                   |               | defineAttribute in xmlparse.c         |
|              |                  |          |                   |               | in Expat (aka libexpat)               |
|              |                  |          |                   |               | before 2.4.3 has an integer...        |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-22824 |
+              +------------------+----------+                   +               +---------------------------------------+
|              | CVE-2021-45960   | HIGH     |                   |               | In Expat (aka libexpat) before        |
|              |                  |          |                   |               | 2.4.3, a left shift by 29 (or...      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-45960 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-46143   |          |                   |               | In doProlog in xmlparse.c             |
|              |                  |          |                   |               | in Expat (aka libexpat)               |
|              |                  |          |                   |               | before 2.4.3, an integer...           |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-46143 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2022-22825   |          |                   |               | lookup in xmlparse.c in               |
|              |                  |          |                   |               | Expat (aka libexpat) before           |
|              |                  |          |                   |               | 2.4.3 has an integer...               |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-22825 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2022-22826   |          |                   |               | nextScaffoldPart in xmlparse.c        |
|              |                  |          |                   |               | in Expat (aka libexpat)               |
|              |                  |          |                   |               | before 2.4.3 has an integer...        |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-22826 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2022-22827   |          |                   |               | storeAtts in xmlparse.c in            |
|              |                  |          |                   |               | Expat (aka libexpat) before           |
|              |                  |          |                   |               | 2.4.3 has an integer...               |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-22827 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2021-3711    | CRITICAL | 1.1.1k-r0         | 1.1.1l-r0     | openssl: SM2 Decryption               |
|              |                  |          |                   |               | Buffer Overflow                       |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3711  |
+              +------------------+----------+                   +               +---------------------------------------+
|              | CVE-2021-3712    | HIGH     |                   |               | openssl: Read buffer overruns         |
|              |                  |          |                   |               | processing ASN.1 strings              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3712  |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcurl      | CVE-2021-22945   | CRITICAL | 7.76.1-r0         | 7.79.0-r0     | curl: use-after-free and              |
|              |                  |          |                   |               | double-free in MQTT sending           |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-22945 |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-22901   | HIGH     |                   | 7.77.0-r0     | curl: Use-after-free in               |
|              |                  |          |                   |               | TLS session handling when             |
|              |                  |          |                   |               | using OpenSSL TLS backend             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-22901 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-22946   |          |                   | 7.79.0-r0     | curl: Requirement to use              |
|              |                  |          |                   |               | TLS not properly enforced             |
|              |                  |          |                   |               | for IMAP, POP3, and...                |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-22946 |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-22922   | MEDIUM   |                   | 7.78.0-r0     | curl: Content not matching hash       |
|              |                  |          |                   |               | in Metalink is not being discarded    |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-22922 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-22923   |          |                   |               | curl: Metalink download               |
|              |                  |          |                   |               | sends credentials                     |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-22923 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-22925   |          |                   |               | curl: Incorrect fix for               |
|              |                  |          |                   |               | CVE-2021-22898 TELNET                 |
|              |                  |          |                   |               | stack contents disclosure             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-22925 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-22947   |          |                   | 7.79.0-r0     | curl: Server responses                |
|              |                  |          |                   |               | received before STARTTLS              |
|              |                  |          |                   |               | processed after TLS handshake         |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-22947 |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-22898   | LOW      |                   | 7.77.0-r0     | curl: TELNET stack                    |
|              |                  |          |                   |               | contents disclosure                   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-22898 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-22924   |          |                   | 7.78.0-r0     | curl: Bad connection reuse            |
|              |                  |          |                   |               | due to flawed path name checks        |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-22924 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libssl1.1    | CVE-2021-3711    | CRITICAL | 1.1.1k-r0         | 1.1.1l-r0     | openssl: SM2 Decryption               |
|              |                  |          |                   |               | Buffer Overflow                       |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3711  |
+              +------------------+----------+                   +               +---------------------------------------+
|              | CVE-2021-3712    | HIGH     |                   |               | openssl: Read buffer overruns         |
|              |                  |          |                   |               | processing ASN.1 strings              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3712  |
+--------------+------------------+          +-------------------+---------------+---------------------------------------+
| ssl_client   | CVE-2021-42378   |          | 1.32.1-r6         | 1.32.1-r7     | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42378 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42379   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42379 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42380   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42380 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42381   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42381 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42382   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42382 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42383   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42383 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42384   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42384 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42385   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42385 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42386   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42386 |
+              +------------------+----------+                   +               +---------------------------------------+
|              | CVE-2021-42374   | MEDIUM   |                   |               | busybox: out-of-bounds read           |
|              |                  |          |                   |               | in unlzma applet leads to             |
|              |                  |          |                   |               | information leak and denial...        |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42374 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42375   |          |                   |               | busybox: incorrect handling           |
|              |                  |          |                   |               | of a special element in               |
|              |                  |          |                   |               | ash applet leads to...                |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42375 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+

usr/local/bin/trivy (gobinary)
==============================
Total: 5 (UNKNOWN: 2, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

+--------------------------------------+------------------+----------+-----------------------------------------------------------+-----------------+---------------------------------------+
|               LIBRARY                | VULNERABILITY ID | SEVERITY |                     INSTALLED VERSION                     |  FIXED VERSION  |                 TITLE                 |
+--------------------------------------+------------------+----------+-----------------------------------------------------------+-----------------+---------------------------------------+
| github.com/containerd/containerd     | CVE-2021-41103   | HIGH     | v1.4.4                                                    | v1.4.11, v1.5.7 | containerd: insufficiently            |
|                                      |                  |          |                                                           |                 | restricted permissions on container   |
|                                      |                  |          |                                                           |                 | root and plugin directories           |
|                                      |                  |          |                                                           |                 | -->avd.aquasec.com/nvd/cve-2021-41103 |
+                                      +------------------+----------+                                                           +-----------------+---------------------------------------+
|                                      | CVE-2021-32760   | MEDIUM   |                                                           | v1.4.8, v1.5.4  | containerd: pulling and               |
|                                      |                  |          |                                                           |                 | extracting crafted container          |
|                                      |                  |          |                                                           |                 | image may result in Unix file...      |
|                                      |                  |          |                                                           |                 | -->avd.aquasec.com/nvd/cve-2021-32760 |
+--------------------------------------+------------------+----------+-----------------------------------------------------------+-----------------+---------------------------------------+
| github.com/docker/cli                | CVE-2021-41092   | HIGH     | v20.10.0-beta1.0.20201029214301-1d20b15adc38+incompatible | v20.10.9        | docker: cli leaks private registry    |
|                                      |                  |          |                                                           |                 | credentials to registry-1.docker.io   |
|                                      |                  |          |                                                           |                 | -->avd.aquasec.com/nvd/cve-2021-41092 |
+--------------------------------------+------------------+----------+-----------------------------------------------------------+-----------------+---------------------------------------+
| github.com/opencontainers/image-spec | GMS-2021-101     | UNKNOWN  | v1.0.2-0.20190823105129-775207bd45b6                      | 1.0.2           | Clarify `mediaType` handling          |
+--------------------------------------+------------------+          +-----------------------------------------------------------+-----------------+---------------------------------------+
| golang.org/x/text                    | CVE-2021-38561   |          | v0.3.3                                                    | 0.3.7           | -->avd.aquasec.com/nvd/cve-2021-38561 |
+--------------------------------------+------------------+----------+-----------------------------------------------------------+-----------------+---------------------------------------+

Conclusion

Bloated container images can hurt application performance and carry unnecessary security risk. If you suspect your container image is getting too big, after reading this post you should know how to use DockerSlim to minify it and how to scan the resulting Docker image for vulnerabilities with Trivy.
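The table output above is fine to read by eye, but in a pipeline you want the scan to gate the build and to show what slimming actually bought you. The script below is an added example and is not part of the original post or of either project. It assumes Trivy's JSON output shape (`trivy image --format json`): a top-level `Results` list whose entries carry a `Target` and a `Vulnerabilities` list with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity` fields. The two embedded reports are constructed from findings in the table above (one extra entry, `EXAMPLE-UNFIXED-1`, is a placeholder with no fix available, added to show the unfixed-handling branch); they are not captured from a real scan.

```python
"""Gate a build on Trivy findings and show which ones slimming removed.

Added example, not code from the post or from docker-slim/Trivy. The JSON
schema below is an assumption about `trivy image --format json` output.
"""
import json

# Severity ordering used for the "fail at or above this level" threshold.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report for the fat image: OS packages plus a Go binary.
FAT_REPORT = json.dumps({"Results": [
    {"Target": "alpine (3.14)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-3711", "PkgName": "libssl1.1",
         "InstalledVersion": "1.1.1k-r0", "FixedVersion": "1.1.1l-r0",
         "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2021-42378", "PkgName": "ssl_client",
         "InstalledVersion": "1.32.1-r6", "FixedVersion": "1.32.1-r7",
         "Severity": "HIGH"},
        # Placeholder entry (constructed): a finding with no upstream fix yet.
        {"VulnerabilityID": "EXAMPLE-UNFIXED-1", "PkgName": "example-pkg",
         "InstalledVersion": "0.1", "FixedVersion": "", "Severity": "HIGH"},
    ]},
    {"Target": "usr/local/bin/trivy", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-41103",
         "PkgName": "github.com/containerd/containerd",
         "InstalledVersion": "v1.4.4", "FixedVersion": "v1.4.11, v1.5.7",
         "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2021-38561", "PkgName": "golang.org/x/text",
         "InstalledVersion": "v0.3.3", "FixedVersion": "0.3.7",
         "Severity": "UNKNOWN"},
    ]},
]})

# Constructed sample report for the slimmed image: docker-slim dropped the
# busybox ssl_client and the placeholder package because the app never
# touched them; the Go binary and libssl (actually used) remain.
SLIM_REPORT = json.dumps({"Results": [
    {"Target": "alpine (3.14)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-3711", "PkgName": "libssl1.1",
         "InstalledVersion": "1.1.1k-r0", "FixedVersion": "1.1.1l-r0",
         "Severity": "CRITICAL"},
    ]},
    {"Target": "usr/local/bin/trivy", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-41103",
         "PkgName": "github.com/containerd/containerd",
         "InstalledVersion": "v1.4.4", "FixedVersion": "v1.4.11, v1.5.7",
         "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2021-38561", "PkgName": "golang.org/x/text",
         "InstalledVersion": "v0.3.3", "FixedVersion": "0.3.7",
         "Severity": "UNKNOWN"},
    ]},
]})


def load_findings(report_json):
    """Flatten a Trivy JSON report into one dict per finding.

    Trivy omits or nulls "Vulnerabilities" for clean targets, hence `or []`.
    """
    data = json.loads(report_json)
    findings = []
    for result in data.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN"),
            })
    return findings


def blocking_findings(report_json, min_severity="HIGH", ignore_unfixed=True):
    """Findings that should fail the build: at/above min_severity and,
    when ignore_unfixed is set, only those an upgrade can actually remove."""
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in load_findings(report_json)
            if SEVERITY_RANK.get(f["severity"], 0) >= threshold
            and (f["fixed"] or not ignore_unfixed)]


def exit_code(report_json, **policy):
    """Mirror `trivy --exit-code 1`: non-zero when anything blocks."""
    return 1 if blocking_findings(report_json, **policy) else 0


def removed_by_slimming(fat_json, slim_json):
    """Vulnerability IDs present in the fat image but gone from the slim one."""
    fat_ids = {f["id"] for f in load_findings(fat_json)}
    slim_ids = {f["id"] for f in load_findings(slim_json)}
    return sorted(fat_ids - slim_ids)


if __name__ == "__main__":
    for name, report in (("fat", FAT_REPORT), ("slim", SLIM_REPORT)):
        blocking = blocking_findings(report)
        print(f"{name}: exit={exit_code(report)} blocking={len(blocking)}")
        for f in blocking:
            print(f"  {f['severity']:8} {f['id']:16} {f['pkg']} "
                  f"{f['installed']} -> {f['fixed']} ({f['target']})")
    print("removed by slimming:", removed_by_slimming(FAT_REPORT, SLIM_REPORT))
```

In a real pipeline you would feed this two files produced by `trivy image --format json -o fat.json <image>` and the same for the `.slim` image; Trivy's own `--severity`, `--ignore-unfixed` and `--exit-code` flags cover the gating part directly, so the script's value is the before/after comparison, which tells you whether the findings that disappeared were removed because the package was dropped from the image rather than because it was upgraded. The `UNKNOWN` severity entries (such as the `GMS-2021-101` advisory in the table above) sit below the threshold by default, so decide deliberately whether your policy should treat unknown severity as blocking.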

More information on docker-slim here: https://github.com/docker-slim/docker-slim

More information on trivy here: https://github.com/aquasecurity/trivy
