This topic contains the following sections.
Lacework provides the ability to assess, identify, and report vulnerabilities found in the operating system software packages in a Docker container image before the container image is deployed. Lacework also supports scanning of non-OS packages for programming languages (Java, Ruby, PHP, GO, NPM, .NET, Python).
This means you can identify and take action on software vulnerabilities in your risky container images and manage that risk proactively. In addition, Lacework automatically correlates assessed images to active containers in your monitored environment, so you have continuous visibility into your software vulnerability risk. For information about vulnerability alerts that could be reported, see Default Policies.
Operating System Support
| Operating System | Versions |
|---|---|
| Alpine Linux | 3.x |
| Amazon Linux | 2 |
| Amazon Linux AMI | 2014.09, 2015.03, 2015.09, 2016.03, 2016.09, 2017.03, 2017.09, 2018.03 |
| CentOS | 5, 6, 7 |
| Debian | 7, 8, 9, 10, unstable |
| Redhat Enterprise Linux | 5, 6, 7, 8 Minimal OS images are not supported |
| Ubuntu | 12.04 and above, snap |
| SUSE SLES | 12 SP3, 12 SP4, 12 SP5 |
| openSUSE Leap | 15.x |
| Distroless (Bazel) | Any |
Container Registry Support
You must integrate the container registry that contains repositories with the container images that you want to assess for vulnerabilities.
Lacework supports the following container registries (only image manifest V2, schema 2 is supported) and scan types.
| Registry | Support |
|---|---|
| Amazon Container Registry (ECR) | Auto polling On-demand scans |
| Azure Container Registry as Docker V2 Registry | Registry notification On-demand scans |
| Docker Hub | Auto polling On-demand scans |
| Docker V2-based authentication registries | On-demand scans |
| Docker V2 Registry | Registry notification On-demand scans |
| GitHub Container Registry | Registry notification On-demand scans |
| GitLab as Docker V2 Registry | On-demand scans |
| Google Artifact Registry (GAR) | Auto polling On-demand scans |
| Google Container Registry (GCR) | Auto polling On-demand scans |
| JFrog as Docker V2 Registry | Registry notification On-demand scans |
Package Assessment Support
Lacework assesses the packages listed in the following table.
| Linux Distribution | Severity Attribution | CVSS Score Attribution | Links |
|---|---|---|---|
| Alpine Linux | NVD Score (CVSS v3 supersedes CVSS v2) | NVD | https://github.com/alpinelinux/aports.git |
| Amazon Linux | Distro | N/A | See Amazon Linux CVSS Scores |
| CentOS | Distro | NVD | https://www.redhat.com/security/data/oval/v2/ |
| Debian | Distro (Security Tracker) | NVD | https://security-tracker.debian.org/tracker/data/json |
| Redhat Enterprise Linux | Distro | NVD | https://www.redhat.com/security/data/oval/v2/ |
| Ubuntu | Distro (Canonical) | NVD | https://git.launchpad.net/ubuntu-cve-tracker |
| SUSE SLES | Distro | FIRST.org CVSS v3.1 | https://www.suse.com/security/cve/ |
Lacework receives vulnerability and package data in a timely manner directly from the vendors and the NIST National Vulnerability Database (NVD).
Severity Attribution
Vulnerability assessment displays a Common Vulnerability Scoring System (CVSS) score and severity for each CVE. Scores range from 0 to 10. Severities can be Info, Low, Medium, High, or Critical.
For each CVE, the National Vulnerability Database (NVD) provides a base score for CVSS v3.x (if available) and CVSS v2.0. Lacework displays the provided CVSS v3 score or the CVSS v2 score if the v3 score is not available.
Lacework assigns severities to CVEs based on the following criteria in the following order of preference:
- The operating system distribution vendor (such as CentOS, Ubuntu, Alpine, etc.) provides a severity
- Lacework converts the CVSS v3 score to a severity
- Lacework converts the CVSS v2 score to a severity
Severities are rated using the following scale (ref: FIRST.org):
| Rating | CVSS Score |
|---|---|
| Info | 0.0 |
| Low | 0.1 - 3.9 |
| Medium | 4.0 - 6.9 |
| High | 7.0 - 8.9 |
| Critical | 9.0 - 10.0 |
Amazon Linux CVSS Scores
AMI security advisories combine CVEs. This results in no CVSS score or multiple CVSS scores from the Amazon Linux Security Center. Lacework shows N/A when a CVSS score is not available.
Programming Language Support
Lacework offers support on the following programming languages:
| Library name | Package manager | Version format |
|---|---|---|
| Java | maven | maven |
| Ruby | bundler | bundler |
| PHP | composer | composer |
| Go | go | go |
| npm (node / react / typescript) |
npm yarn |
npm yarn |
| .NET | nuget | nuget |
| Python | pip poetry python |
pip poetry pep440 |
Note: This feature is disabled by default, see the configure scanner section in inline scanner, Configure the Proxy Scanner section in proxy scanner, and Support for Library Packages section in CI pipelines for instructions to enable it.
CVE Sources
Lacework uses the following CVE Sources for programming language scanning:
How Scanning is Performed
Package scanning for programming languages works in a variety of ways:
- By scanning
.lockfiles that are generated by the package managers. - By scanning different binarires that are generated by the package managers.
- By scanning specific files (in specific format) that are generated by package installs.
These files can exist in any path in the container.
Files Scanned
The following table is a breakdown of the types of files and file extensions that are scanned for each programming language:
| Language | Files scanned |
|---|---|
| Java | *.jar*.war*.earFat JAR files are also scanned for their dependencies. |
| Ruby | Gemfile.lock |
| PHP | composer.lock |
| Go | *.sumAny executable binaries built by Go (Inline Scanner only) |
| npm | package-lock.jsonyarn.lock |
| .NET | packages.lock.json |
| Python | Pipfile.lockpoetry.lock*.egg-info/PKG-INFO*.dist-info/METADATA |
Note: For .NET packages, *.csproj files are not yet supported by Lacework container scanning. These files are used by Microsoft Visual Studio 2017 onwards.
Additionally, Go binary scan support is only available using the Inline Scanner. See the Known Issues section in the v4.31 release notes for details.
Registry Errors
If there is a registry error while scanning an image, Lacework retries the scan (based on the HTTP response code).
- If the registry displays a 400 or 500 HTTP response code, Lacework retries the scan three times.
- If the registry displays a 404 HTTP response code, it means that the image data does not exist. So, Lacework does not retry this scan and it displays an error message in the Console.
Vulnerability Assessment
When container registries support auto polling, Lacework assesses for vulnerabilities when the container registry is initially integrated. After the initial integration, Lacework completes the following actions at the listed schedule.
- Lacework polls the integrated registries for new container images every 15 minutes.
- Lacework assesses all images for vulnerabilities as soon as they are polled. The results of the new assessment are available for viewing on the Lacework Console.
- Lacework tracks multiple CVE Numbering Authorities looking for new CVEs and updates the Lacework common vulnerabilities and exposures (CVEs) database once a day.
Lacework assesses for vulnerabilities using the following steps:
- Lacework assesses the registries that are integrated with Lacework and finds all repositories (or only a subset of repositories, if specified) in each registry that Lacework has permissions to access.
- Lacework finds the newest container images found in each repository up to the limit. When Lacework initially assesses a repository, it scans the newest container images up to 50 at a time per repository (per hour). After the initial assessment, Lacework polls the integrated repositories at a regular time interval for the newest container images up to the limit of 50 container images per repository. There is also an hourly limit of 700 container images per Lacework account, with any other images being assessed the next hour.
- Lacework assesses all software packages in the found container images.
- Lacework searches the common vulnerabilities and exposures (CVEs) database for software packages in the container images and reports them. Lacework filters out rejected CVEs for Ubuntu and Debian.
When new CVE updates are released, Lacework assesses existing image assessments for newly identified risks. Lacework reassesses images based on CVE information for a known package and version.
Assessment Example
These assessment steps are illustrated in the following example:
- You register the Docker Hub registry in Lacework.
- Lacework finds all the repositories in the Docker Hub registry.
- Lacework assesses a container image in a repository.
- Lacework determines that the Python 3.6 package (3.6.7-1~18.04) is in the container image.
- Lacework searches the Lacework CVE database for common vulnerabilities and exposures (CVEs) for the Python 3.6 package.
- Lacework reports all known CVEs associated with the Python 3.6 package such as CVE-2019-9947, CVE-2019-9740, CVE-2018-1000030, etc.
View Vulnerabilities
The container vulnerability page contains open vulnerabilities and previous vulnerabilities that were fixed. To navigate to this page, select Vulnerabilities > Containers in the Lacework Console.
Note: Lacework only reports on a container image if it has permission to access the image.
Filters
By default, the page displays Fixable and Active vulnerabilities. You can use the following methods to refine the list of vulnerabilities displayed:
- Use the search function at the top of the page to find specific text in any of the details for all images.
- Click filters along the top of the page to make them active. Remove an active filter by clicking on it again or by clicking the Reset filters icon (
). You can also click on the tags in the vulnerabilities list to use them as filters. - Click the View all filters icon (
) and select the filters you want to use.
Groups
By default, the list displays vulnerabilities that are grouped by image registry. To change how the list groups vulnerabilities, select a different grouping option from the drop-down:
- Image ID
- Image Registry
- Image Repo
- CVE
- Package Name
- Package Namespace
Time range
To change the time period, select a different one from the drop-down or use the horizontal arrows to move to the next/previous period. Select from the following past periods: hour, day, three days, week, month, or a Custom range.
Only information found during assessment of the specified date range is reported. For example, if 9 days ago a container image was removed from a container repository in the registry and the specified date range is 7 days, this container image is not listed in the table.
Save view
When the page displays your list of vulnerabilities, save the current view by clicking the Save view icon in the top right corner. This lets you access the saved view later through the Open view icon.
When you open a saved view, its name displays in the page title as Vulnerabilities/Container/view name. Click the icon adjacent to this name to access additional actions such as update, reset, save as, and rename.
You can also copy the link to the current view by clicking the Copy link icon. You can then share that link with others so they can see the same view. Note that searches and sorting cannot be saved in views or copied as links.
Charts
Dashboard
The statistics depict the following data: Scanned Active Images, Unscanned Active Images, Image Scanning Errors, and Registry Integration Errors.
The chart depicts open vulnerabilities. Hover your mouse over the Open Vulnerabilities chart to see the critical, high, medium, and low vulnerabilities for that date:
Group by Image ID Charts
If you select Group by Image ID/Registry/Repo, a sunburst chart appears in the row for each image name:
You can click on the image name for more details and a detailed sunburst chart is displayed on the CVE tab:
Vulnerabilities List
The vulnerabilities list is below the overview statistics and Open Vulnerabilities chart. The information displayed depends on how the vulnerabilities are grouped.
The vulnerability list allows you to refresh data, download CSV, and sort.
Click a tag link to reload the vulnerability list with the tag as the filter.
Group by Image ID
The Group by Image ID/Registry/Repo list allows you to sort by image creation date, image repository, number of containers, or critical CVE - high to low.
When these groups are selected, the list displays the following information:
- Image name
- Number of vulnerabilities (CVEs)
Click an image name to display detailed assessment results (you can expand this to full screen using the << icon).
The Details tab contains descriptive information about the image, you can also filter for all active containers that Lacework can find with this image in use.
The CVE tab will display a list of vulnerabilities for the image with additional information in columns. This list lets you refresh data, download CSV/PDF, and can be sorted by severity, score, or vulnerability ID.
| Column | Description |
|---|---|
| Vulnerabilities | Displays the common vulnerabilities and exposures (CVE) code assigned to this vulnerability by the CVE Numbering Authority. Click the CVE number to open a web page that provides details about the CVE. |
| Severity | Displays the CVE’s severity ranking, which is assigned by the vendor or computed from CVSSv3 or CVSSv2 scores (in that order of precedence). |
| Score | Displays the CVSS (Common Vulnerability Scoring System) severity rankings score for the vulnerability. For both CVSS 3.x and CVSS 2.0, the severity ranking is a scale from 0 - 10, where 10 is the highest severity. Defaults to CVSSv3 scores or CVSSv2 if v3 scores are not available. |
| Package Name | Displays the operating system package or language package that the vulnerability was found in. |
| Current Version | Displays the current version of the package found on the image. |
| Fix Version | Displays the version of the package where the issue is fixed when a patch is available. |
| Introduced in Layer | Displays the Docker file command that applied the package onto the current Docker image. Each Docker container image is made up of a series of layers and each layer is the result of a command. |
Group by CVE
The Group by CVE/Package Name/Package Namespace list allows you to sort by severity, score, vulnerability ID, or affected hosts.
When these groups are selected, the list displays the following information:
- Vulnerability (CVE) ID
- Number of affected images
Click a Vulnerability ID to display detailed assessment results (this can be expanded to full screen using the << icon). The Details tab contains descriptive information about the vulnerability.
The Images tab will display a list of image IDs where the vulnerability was found with additional information in columns. This list allows you to refresh data, download CSV/PDF, and can be sorted by containers, image created time, or image ID.
| Column | Description |
|---|---|
| Image ID | Displays the sha256 hash that was generated for this image. You can copy the container image ID to the clipboard by clicking the Copy to clipboard  icon. |
| Image Created Time | Displays when the image was created in the repository. |
| Containers | Displays the total number of unique containers that ran for this image. This includes currently active containers plus any containers that have been started and subsequently stopped or killed. This number can exceed your number of containers. Note: Lacework must be integrated with your container registries for these reports. |
Vulnerability Continuous Assessment
Lacework continuously reassesses container images for new vulnerabilities. Lacework lets you control what images are continually reevaluated. You can globally override the default option and configure what images should be assessed.
- Go to Settings > General Settings in the Lacework Console to display the General Settings page.
- Scroll down to the bottom of the page to configure Continuous Assessments.
- Under Continuous Assessments, select one of the following options:
- Reassess active images: Reassesses only images active in the past 24 hours. This is the default option.
- Reassess images with a specific tag or label for 30 days: Reassesses images for 30 days based on the tags, labels, and repositories that you specify. This option ignores whether the image is active or inactive.
Vulnerability FAQs
How does Lacework's registry-based scanning work?
Lacework uses Docker V2-compatible APIs to derive image layer manifests and their composition to assess the packages within them. Though Lacework uses the docker pull implementation, Lacework consumes only the manifest; Lacework does not store or cache the images.
How does Lacework handle initial scanning for different registry services?
Behavior can be categorized into managed registries and unmanaged registries. Managed registries (ECR, GCR, GitHub) offer efficiencies for automatic initial scans and periodic polling completely through APIs without your running additional infrastructure on your side. This provides maximum value with least effort, allowing you to set your credentials and make it work. Unmanaged registries do not offer this functionality within their APIs and span the spectrum in regards to conformance with the Docker V2 API standard. This requires additional workflows. Lacework supports automated scanning via registry notifications as new images are built, but to seed existing images, Lacework requires manual image scans via CLI or API.
Does Lacework support scanning of Fat JARs?
Scanning of Fat JARs is fully supported when using the Lacework scanner. Fat JARs are single JAR files that contain all the dependencies needed for a project or to run a service (including the service code itself). The Lacework scanner will scan all the dependent packages within the Fat JAR and report back with any vulnerabilities.