Managing image security with Vulnerability Advisor

Vulnerability Advisor is provided as part of IBM Cloud® Container Registry. Vulnerability Advisor checks the security status of container images that are provided by IBM, third parties, or added to your organization's registry namespace.

Vulnerability Advisor provides security management for IBM Cloud Container Registry. Vulnerability Advisor generates a security status report that includes suggested fixes and best practices.

When you add an image to a namespace, the image is automatically scanned by Vulnerability Advisor to detect security issues and potential vulnerabilities. If security issues are found, instructions are provided to help fix the reported vulnerability.

Any issues that are found by Vulnerability Advisor result in a verdict that indicates that it is not advisable to deploy this image. If you choose to deploy the image, any containers that are deployed from the image include known issues that might be used to attack or otherwise compromise the container. The verdict is adjusted based on any exemptions that you specified.

Fixing the security and configuration issues that are reported by Vulnerability Advisor can help you to secure your IBM Cloud infrastructure.

You can use IBM Cloud Security and Compliance Center to monitor vulnerabilities that are detected by Vulnerability Advisor. For more information, see Getting started with Security and Compliance Center.

Vulnerability Advisor version 3 is discontinued from 13 November 2023. For more information about how to update to version 4, see Vulnerability Advisor version 3 is being discontinued on 13 November 2023.

Using Portieris to block the deployment of images with issues that are found by Vulnerability Advisor is deprecated.

About Vulnerability Advisor

Vulnerability Advisor provides functions to help you to secure your images.

The following functions are available in version 4:

Scans images for issues.
Creates an evaluation report that is based on security practices that are specific to IBM Cloud Kubernetes Service.
Supplies instructions about how to fix a reported vulnerable package in its reports.
Applies exemption policies to reports at an account, namespace, repository, or tag level to mark when issues that are flagged do not apply to your use case.

The Security status column in the Images tab of the Container Registry dashboard displays the number of issues that are associated with each image. To find out more about the issues, click the link in the Security status column.

The Vulnerability Advisor dashboard provides an overview and assessment of the security for an image. If you want to find out more about the Vulnerability Advisor dashboard, see Reviewing a vulnerability report.

Encrypted images aren't scanned by Vulnerability Advisor.

Data protection

To scan images and containers in your account for security issues, Vulnerability Advisor collects, stores, and processes the following information:

Free-form fields, including IDs, descriptions, and image names (registry, namespace, repository name, and image tag)
Metadata about the file modes and creation timestamps of the configuration files
The content of system and application configuration files in images and containers
Installed packages and libraries (including their versions)

Do not put personal information into any field or location that Vulnerability Advisor processes, as identified in the preceding list.

Scan results, aggregated at a data center level, are processed to produce anonymized metrics to operate and improve the service.

In version 4, the image is indexed when it is first pushed to Container Registry registry, and that index report is stored in the database. When Vulnerability Advisor is queried, the image index report is retrieved, and a vulnerability assessment is produced. This action happens dynamically every time Vulnerability Advisor is queried. Therefore, no pregenerated scan result exists that requires deleting. However, the image index report is deleted within 30 days of the deletion of the image from the registry.

Types of vulnerabilities

Vulnerable packages

Vulnerability Advisor checks for vulnerable packages in images that are using supported operating systems and provides a link to any relevant security notices about the vulnerability.

Packages that contain known vulnerability issues are displayed in the scan results. The possible vulnerabilities are updated daily by using the published security notices for the Docker image types that are listed in the following table. Typically, for a vulnerable package to pass the scan, a later version of the package is required that includes a fix for the vulnerability. The same package can list multiple vulnerabilities, and in this case, a single package update can address multiple vulnerabilities.

Vulnerability Advisor returns vulnerabilities only when a package fix is published by the distributor. Declared vulnerabilities that aren't fixed yet, or are not going to be fixed, are not reported by Vulnerability Advisor. Therefore, if Vulnerability Advisor does not report any vulnerabilities, there might still be a risk in the image.

For version 4, the image is indexed the first time that it is pushed. Thereafter, the vulnerability assessment is calculated every time Vulnerability Advisor is queried about that image. Images are scanned only if they have a tag.

The following tables show the supported Docker base images that Vulnerability Advisor checks for vulnerable packages.

Vulnerability Advisor supports only releases of platforms that are currently supported by the vendor of that platform.

Table 1. Supported Docker base images that Vulnerability Advisor 4 checks for vulnerable packages
Docker base image	Supported versions	Source of security notices
Alpine	All stable versions with vendor security support.	Alpine SecDB database.
Debian	All stable versions with vendor security support. CVEs on binary packages that are associated with the Debian source package `linux`, such as `linux-libc-dev`, are not reported. Most of these binary packages are kernel and kernel modules, which are not run in container images.	Debian Security Bug Tracker.
GoogleContainerTools distroless	All stable versions with vendor security support.	GoogleContainerTools distroless
Red Hat® Enterprise Linux® (RHEL)	RHEL/UBI 7, RHEL/UBI 8, and RHEL/UBI 9	Red Hat Security Data API.
Ubuntu	All stable versions with vendor security support.	Ubuntu CVE Tracker.

Configuration issues

Configuration issues are not supported in Vulnerability Advisor version 4.

Setting the Vulnerability Advisor version

To retrieve results from version 4, run the following ibmcloud cr va-version-set command. The only valid value is v4.

ibmcloud cr va-version-set v4

Alternatively, you can set an environment variable va_version, and specify the Vulnerability Advisor version that you want to use. The only valid value is v4.

If you try to set an invalid version of Vulnerability Advisor, you get en error, see Why do I get an error about an invalid version of Vulnerability Advisor being specified? for assistance.

Reviewing a vulnerability report

Before you deploy an image, you can review its Vulnerability Advisor report for details about any vulnerable packages and nonsecure container or app settings.

You can also check whether the image is compliant with organizational policies.

If you don't address any discovered issues, those issues can impact the security of containers that are using that image. If you use enforcement in your container runtime environment, you might be prevented from deploying that image unless all issues are exempted by your policy.

If your image does not meet the requirements that are set by your organization's policy, you must configure the image to meet those requirements before you can deploy it. For more information about how to view and change the organization policy, see Setting organizational exemption policies.

Reviewing a vulnerability report by using the console

You can review the security of Docker images that are stored in your namespaces in IBM Cloud Container Registry by using the IBM Cloud console. Version 4 does not support viewing vulnerability reports in the console, but you can use the CLI or the API.

Log in to IBM Cloud.
Click the Navigation menu icon, then click Container Registry.
Click Images. A list of your images and the security status of each image is displayed in the Images table.
To see the report for the image that is tagged latest, click the row for that image. The Image details tab opens showing the data for that image. If no latest tag exists in the repository, the most recent image is used.
If the Security status column shows any issues, to find out about the issues, click the Issues by type tab. The Vulnerabilities and Configuration Issues tables are displayed.
- Vulnerabilities table. This table shows the Vulnerability ID for each issue, the policy status for that issue, the affected packages and how to resolve the issue. To see more information about that issue, expand the row. A summary of that issue is displayed that contains a link to the vendor security notice for that issue. Lists packages that contain known vulnerability issues.
  
  The list is updated daily by using published security notices for the Docker image types that are listed in Types of vulnerabilities. Typically, for a vulnerable package to pass the scan, a later version of the package is required that includes a fix for the vulnerability. The same package can list multiple vulnerabilities and in this case, a single package update can correct multiple issues. Click the security notice code to view more information about the package and for steps to update the package.
- Configuration issues table. This table shows the configuration issue ID for each issue, the policy status for that issue, and the security practice. To see more information about that issue, expand the row. A summary of that issue is displayed that contains a link to the security notice for that issue.
  
  The list contains suggestions for actions that you can take to increase the security of the container and any application settings for the container that are nonsecure. Expand the row to view how to resolve the issue.
Complete the corrective action for each issue shown in the report, and rebuild the image.

Reviewing a vulnerability report by using the CLI

You can review the security of Docker images that are stored in your namespaces in IBM Cloud Container Registry by using the CLI.

List the images in your IBM Cloud account. A list of all images is returned, independent of the namespace where they are stored.
```
ibmcloud cr image-list
```
Check the status in the SECURITY STATUS column.
- No Issues No security issues were found.
- <X> Issues The number of potential security issues or vulnerabilities that are found, where <X> is the number of issues.
- Scanning The image is being scanned and the final vulnerability status is not determined.
- Unsupported OS The scan found no supported operating system (OS) distribution and no active configuration issues.
To view the details for the status, review the Vulnerability Advisor report:
```
ibmcloud cr va <region>.icr.io/<my_namespace>/<my_image>:<tag>
```
In the CLI output, you can view the following information about the configuration issues.
- Security practice A description of the vulnerability.
- Corrective action Details about how to fix the vulnerability.

Setting organizational exemption policies

If you want to manage the security of an IBM Cloud organization, you can use your policy setting to determine whether an issue is exempt or not.

You can deploy containers from any image regardless of security status.

To find out more about the required permissions for working with exemptions, see Access roles for configuring IBM Cloud Container Registry.

Using Portieris to block the deployment of images with issues that are found by Vulnerability Advisor is deprecated.

Setting exemption policies by using the console

If you are using the IBM Cloud console, you can set a namespace, repository, or tag as the scope of the exemption policy. If you want to use the digest as the scope, you must use the CLI, see Setting organizational exemption policies by using the CLI.

If you want to set exemptions from the policy by using the IBM Cloud console, complete the following steps:

Log in to IBM Cloud. You must be logged in to see Vulnerability Advisor in the IBM Cloud console.
Click the Navigation menu icon, then click Container Registry.
Click Settings.
In the Security policy exemptions section, click Create.
Select the issue type.
Enter the issue ID.

You can find this information in your vulnerability report. The Vulnerability ID column contains the ID to use for CVE or security notice issues; the Configuration Issue ID column contains the ID to use for configuration issues.
Select the registry namespace, repository, image, and tag that you want the exemption to apply to.
Click Create.

You can also edit and remove exemptions by hovering over the relevant row and clicking the open and close list of options icon.

Setting exemption policies by using the CLI

If you are using the CLI, you can set a namespace, repository, digest, or tag as the scope of the exemption policy.

If you want to set exemptions from the policy by using the CLI, you can run the following commands:

To create an exemption for a security issue, run the ibmcloud cr exemption-add command.
To list your exemptions for security issues, run the ibmcloud cr exemption-list command.
To list the types of security issues that you can exempt, run the ibmcloud cr exemption-types command.
To delete an exemption for a security issue, run the ibmcloud cr exemption-rm command.

For more information about the commands, you can use the --help option when you run the command.