Container Image Support
Lacework continues to expand the operating systems, languages, and package managers it can assess. All Lacework scanners share the capabilities listed in this section.
Image Format
Lacework supports the Docker and OCI image formats. Lacework is agnostic to the build system used to build these images (such as docker or bazel).
Operating System Support
Lacework finds known vulnerabilities in the following base operating systems:
Operating System | Versions |
---|---|
Alpine Linux | 3.x |
Amazon Linux | 2 |
Amazon Linux AMI | 2014.09, 2015.03, 2015.09, 2016.03, 2016.09, 2017.03, 2017.09, 2018.03 |
CentOS | 5, 6, 7 |
Debian | 7, 8, 9, 10, unstable |
Oracle Linux | 8.3, 8.4, 8.5 |
Red Hat Enterprise Linux | 5, 6, 7, 8 (minimal OS images are not supported, except for UBI) |
Rocky Linux (Public Preview) | 8.4, 8.5, 8.6, 8.7, 9.0, 9.1 |
Ubuntu | 12.04 and above, snap |
SUSE SLES | 12 SP3, 12 SP4, 12 SP5 |
openSUSE Leap | 15.x |
Distroless (Bazel) + Scratch | Any |
Package Assessment Support
Lacework assesses operating system packages using the sources listed in the following table:
Linux Distribution | Severity Attribution | CVSS Score Attribution | CVE Source |
---|---|---|---|
Alpine Linux | NVD Score (CVSS v3 supersedes CVSS v2) | NVD | https://github.com/alpinelinux/aports.git |
Amazon Linux | Distro | See Amazon Linux CVSS Scores. | https://alas.aws.amazon.com/ |
CentOS | Distro | NVD | (1) Risk Based Security (RBS) - VulnDB; (2) https://www.redhat.com/security/data/oval/v2/ |
Debian | Distro (Security Tracker) | NVD | https://security-tracker.debian.org/tracker |
Oracle Linux | Distro | NVD | https://linux.oracle.com/security/oval/ |
Red Hat Enterprise Linux (including UBI) | Distro | NVD | https://www.redhat.com/security/data/oval/v2/ |
Rocky Linux (Public Preview) | Distro | NVD | Risk Based Security (RBS) - VulnDB |
Ubuntu | Distro (Canonical) | NVD | https://git.launchpad.net/ubuntu-cve-tracker https://ubuntu.com/security/cves |
SUSE Linux Enterprise Server (SLES) | Distro | NVD | https://www.suse.com/security/cve/ https://ftp.suse.com/pub/projects/security/oval/ |
Lacework receives vulnerability and package data directly from the distribution vendors and from the NIST National Vulnerability Database (NVD).
The severity and the CVSS score shown for a vulnerability can come from different sources. Distributions often reclassify a vulnerability with a severity that differs from the one NVD would assign, so the severity Lacework displays may appear next to a CVSS v3 score from another source that does not match it.
More information about CVSS scoring can be found in the Severity Attribution section.
Supported Language Libraries and Package Managers
Lacework offers support on the following programming language libraries and package managers:
Library name | Package manager | Version format | CVE Sources |
---|---|---|---|
Java | maven | maven | RBS |
Ruby | bundler | bundler | RBS |
PHP | composer | composer | RBS |
Go | go | go | RBS |
npm (node / react / typescript) | npm yarn | npm yarn | RBS |
.NET | nuget | nuget | RBS |
Python | pip poetry python | pip poetry pep440 | RBS |
Rust | cargo | cargo | RBS |
CVE Sources for Language Libraries and Package Managers
The CVE source for each language library and package manager is listed in the CVE Sources column of the table above.
Lacework uses NVD for the severity and CVSS score associated with the CVEs.
note
When an NVD CVSS score is not available for a given GitHub Security Advisory (GHSA) package, Lacework uses the CVSS score directly from GHSA for that package.
How Scanning is Performed
Package scanning for programming languages works in a variety of ways:
- By scanning the .lock files generated by the package managers.
- By scanning binaries generated by the package managers.
- By scanning specific files (in specific formats) written by package installations.
These files can exist in any path in a container or on a host's root volume.
Files Scanned
The files scanned for each supported language library or package manager depends on the type of integration:
Platform, Inline, and Proxy Scanner Assessments
The following table lists the types of files and file extensions that are scanned for each programming language:
Language or Package manager | Files scanned |
---|---|
Java | *.jar *.war *.ear Fat JAR files are also scanned for their dependencies. |
Ruby | *.gemspec |
PHP | composer.lock |
Go | *.sum Any executable binaries built by Go |
npm | package-lock.json yarn.lock |
.NET | packages.lock.json |
Python | Pipfile.lock poetry.lock *.egg-info/PKG-INFO *.dist-info/METADATA |
Rust | *Cargo.lock |
note
For .NET packages, *.csproj files are not yet supported by Lacework container scanning. These files are used by Microsoft Visual Studio 2017 onwards.
Agentless Workload Scanning Assessments
The following table lists the types of files and file extensions that are scanned for each programming language:
Language or Package manager | Files scanned |
---|---|
Java | *.jar *.war *.ear pom.properties MANIFEST.MF Fat JAR files are also scanned for their dependencies. |
Ruby | *Gemfile.lock |
PHP | composer.lock |
Go | *.sum Any executable binaries built by Go |
npm | package-lock.json yarn.lock |
NuGet | packages.lock.json |
Python | Pipfile.lock poetry.lock *.egg-info/PKG-INFO *.dist-info/METADATA |
Rust | *Cargo.lock |
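The tables above list which files each scanner reads; what a scanner does with them is turn lock files and install metadata into a package inventory that can be matched against advisories. The following is an added example (not Lacework code) that does this for three of the listed formats: npm package-lock.json, Pipfile.lock, and *.dist-info/METADATA. The file contents are constructed; the pattern table and the (ecosystem, name, version) shape are this example's own choices.

```python
"""Inventory packages from lock and install-metadata files.

Added example, not Lacework code. It parses three of the formats listed in
the tables above (npm package-lock.json, Pipfile.lock, *.dist-info/METADATA)
into (ecosystem, name, version) tuples; the file contents are constructed.
"""
import fnmatch
import json
from email.parser import HeaderParser
from typing import Callable, Dict, Iterator, List, Tuple

Package = Tuple[str, str, str]  # (ecosystem, name, version)


def parse_package_lock(text: str) -> Iterator[Package]:
    """npm package-lock.json v2/v3: 'packages' is keyed by install path.
    The "" entry is the root project, not a dependency, and 'link' entries
    point at workspace folders rather than installed packages."""
    for path, meta in json.loads(text).get("packages", {}).items():
        if path == "" or meta.get("link"):
            continue
        # Nested installs look like node_modules/a/node_modules/@scope/b;
        # the package name is whatever follows the last 'node_modules/'.
        name = path.rsplit("node_modules/", 1)[-1]
        if meta.get("version"):
            yield ("npm", name, meta["version"])


def parse_pipfile_lock(text: str) -> Iterator[Package]:
    """Pipfile.lock: 'default' and 'develop' sections with PEP 440 pins
    ('==x.y.z'). VCS entries carry a ref but no version, so they cannot be
    matched against an advisory's version range and are skipped."""
    data = json.loads(text)
    for section in ("default", "develop"):
        for name, meta in data.get(section, {}).items():
            spec = meta.get("version", "")
            if spec.startswith("=="):
                yield ("pip", name, spec[2:])


def parse_dist_info_metadata(text: str) -> Iterator[Package]:
    """*.dist-info/METADATA is an RFC 822 style header block (PEP 566)."""
    headers = HeaderParser().parsestr(text)
    if headers.get("Name") and headers.get("Version"):
        yield ("pip", headers["Name"], headers["Version"])


# Filename pattern -> parser. Patterns are matched against the trailing
# path components only, so the files may live anywhere in the image.
PARSERS: Dict[str, Callable[[str], Iterator[Package]]] = {
    "package-lock.json": parse_package_lock,
    "Pipfile.lock": parse_pipfile_lock,
    "*.dist-info/METADATA": parse_dist_info_metadata,
}


def inventory(files: Dict[str, str]) -> List[Package]:
    """files maps a path inside the image to that file's contents."""
    found = set()
    for path, content in files.items():
        parts = path.split("/")
        for pattern, parser in PARSERS.items():
            tail = "/".join(parts[-(pattern.count("/") + 1):])
            if fnmatch.fnmatchcase(tail, pattern):
                found.update(parser(content))
                break
    return sorted(found)


# Constructed sample layer contents, not taken from a real image.
SAMPLE_IMAGE_FILES: Dict[str, str] = {
    "/app/package-lock.json": json.dumps({
        "name": "demo", "lockfileVersion": 3,
        "packages": {
            "": {"name": "demo", "version": "1.0.0"},
            "node_modules/lodash": {"version": "4.17.21"},
            "node_modules/foo/node_modules/@scope/bar": {"version": "2.0.1"},
        },
    }),
    "/app/Pipfile.lock": json.dumps({
        "default": {
            "requests": {"version": "==2.31.0"},
            "mylib": {"git": "https://example.invalid/mylib.git", "ref": "0123abcd"},
        },
        "develop": {"pytest": {"version": "==7.4.0"}},
    }),
    "/usr/lib/python3/dist-packages/urllib3-2.0.7.dist-info/METADATA":
        "Metadata-Version: 2.1\nName: urllib3\nVersion: 2.0.7\nSummary: HTTP library\n",
}

if __name__ == "__main__":
    for ecosystem, name, version in inventory(SAMPLE_IMAGE_FILES):
        print(f"{ecosystem:4} {name:12} {version}")
```

The two skipped entries are the point of the example: the root project in package-lock.json is not a dependency, and a VCS-pinned Pipfile.lock entry has no version to compare against an advisory's affected range, so a scanner that only reads lock files will not report it. Go binaries and JAR files (also listed above) need format-specific readers and are not covered here.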
Disable Language Libraries Support
Disable language libraries support for container images by following the steps in the relevant section for your integration type:
Platform, Inline, and Proxy Scanner
This feature is enabled by default from v4.42 onwards; see the following sections for instructions to disable it.
Platform Scanner
New Integrations
- For new integrations, create a registry integration as normal until you reach the Optional Settings page.
- Uncheck the Non-OS Package Support checkbox.
- Finish configuring any other optional settings and click Save.
Existing Integrations
- For existing integrations, go to Settings > Integrations > Container Registries in the Lacework Console.
- Select the registry by clicking the checkbox in the left-hand column and click the Edit icon.
- Proceed to the Optional Settings page and uncheck the Non-OS Package Support checkbox.
- Click Save when complete.
- Ensure that in Settings > General, you have enabled Reassess active images.
Inline Scanner
Disable this feature in your inline scanner(s) by using one of these three methods:
- Run the `lw-scanner configure scanner` command and enter `false` when the Scan Library packages prompt appears.
- Set the following environment variable in your local or CI/CD system: `export LW_SCANNER_DISABLE_LIBRARY_PACKAGES_SCANNING=true`
- Use the `--disable-library-package-scanning` flag when running the `image evaluate` or `image scan` commands.
note
Inline scanner releases prior to v0.2.4 did not have this feature enabled by default.
See Inline Scanner and/or CI pipelines for further references to these configuration options.
Proxy Scanner
Set the `disable_non_os_package_scanning` field to `true` in `config.yml` to disable this feature.
See Proxy Scanner for further reference to this configuration option.
Agentless Workload Scanning
It is not currently possible to disable language library scanning of container images when using Agentless Workload Scanning. You can disable container image scanning altogether, but this will also stop scans of operating system packages.
Follow the steps below if you still want to disable all scanning of container images with Agentless:
- In the Lacework Console, go to Settings > Integrations: Cloud accounts.
- Find and select your integration in the table.
- Click the Edit option.
- Uncheck the Scan containers option.
- Click Save.
Usage of CVE/Vulnerability Sources
Lacework uses multiple CVE / vulnerability sources and will determine the best source for new and existing vulnerabilities.
The vulnerability source used is based on the quality of the data returned on a given vulnerability (such as affected version range, fix version, and data schema).
In some cases, a certain vulnerability source may be used solely for a given operating system, language library, or package manager. This is often the case when other vulnerability sources are lacking detail or specificity for that particular operating system, language library, or package manager.
Registry Errors
If the registry returns an error while an image is being scanned, Lacework decides whether to retry based on the HTTP response code:
- For a 400 or 500 HTTP response code, Lacework retries the scan three times.
- For a 404 HTTP response code, the image data does not exist. Lacework does not retry the scan and displays an error message in the Console.
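The retry rule above distinguishes a response that may succeed if repeated from one that cannot (a missing image). The following is an added example, not Lacework code, that implements that rule against a scripted fake registry. The page names only 400, 500 and 404; treating every other 4xx or 5xx response like 400/500 is this example's assumption, as is the four-request ceiling (one attempt plus three retries).

```python
"""Retry policy for registry errors, as described above.

Added example, not Lacework code. The page states the rule only for 400,
500 and 404; treating every other 4xx/5xx like 400/500 is this example's
assumption. The scripted registry responses below are constructed.
"""
from typing import Callable, Dict, Iterable, Union

MAX_RETRIES = 3  # retries after the first attempt, so at most four requests


def scan_with_retry(fetch: Callable[[], int],
                    max_retries: int = MAX_RETRIES) -> Dict[str, Union[str, int]]:
    """fetch() performs one registry request and returns its HTTP status code.
    Returns what happened so the caller can report it (as the Console does)."""
    attempts = 0
    while True:
        attempts += 1
        status = fetch()
        if 200 <= status < 300:
            return {"outcome": "scanned", "attempts": attempts, "status": status}
        if status == 404:
            # The image or tag does not exist; retrying cannot change that.
            return {"outcome": "not_found", "attempts": attempts, "status": status}
        if status >= 400 and attempts <= max_retries:
            continue  # 400- or 500-series: try again
        # Retries exhausted (or an unexpected non-error code): give up and report.
        return {"outcome": "failed", "attempts": attempts, "status": status}


def scripted_registry(statuses: Iterable[int]) -> Callable[[], int]:
    """Fake registry that answers with the given status codes in order."""
    it = iter(statuses)
    return lambda: next(it)


if __name__ == "__main__":
    # Constructed response sequences, not captured from a real registry.
    for script in ([500, 500, 200], [404, 200], [500, 500, 500, 500, 200]):
        print(script, scan_with_retry(scripted_registry(script)))
```

In the third script the registry would have answered on the fifth request, but the scan is already reported as failed after the fourth; that is the trade-off a fixed retry budget makes, and why a persistent 5xx shows up in the Console rather than silently stalling the scan.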
Severity Attribution
Vulnerability assessment displays a Common Vulnerability Scoring System (CVSS) score and severity for each CVE. Scores range from 0 to 10. Severities can be Info, Low, Medium, High, or Critical.
For each CVE, the National Vulnerability Database (NVD) provides a base score for CVSS v3.x (if available) and CVSS v2.0. Lacework displays the provided CVSS v3 score or the CVSS v2 score if the v3 score is not available.
Lacework assigns severities to CVEs based on the following criteria in the following order of preference:
- The operating system distribution vendor (such as CentOS, Ubuntu, Alpine, etc.) provides a severity
- Lacework converts the CVSS v3 score to a severity
- Lacework converts the CVSS v2 score to a severity
Severities are rated using the following scale (ref: FIRST.org):
Rating | CVSS Score |
---|---|
Info | 0.0 |
Low | 0.1 - 3.9 |
Medium | 4.0 - 6.9 |
High | 7.0 - 8.9 |
Critical | 9.0 - 10.0 |
Amazon Linux CVSS Scores
Amazon Linux (AMI) security advisories (ALAS) combine several CVEs into one advisory, so the Amazon Linux Security Center provides either no CVSS score or several for a given advisory. Lacework shows N/A when a CVSS score is not available.
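The Severity Attribution rules above (distro severity first, then CVSS v3, then CVSS v2; v3 shown in preference to v2) and the N/A case just described fit together in a few lines. The following is an added example, not Lacework code, that applies them to constructed vulnerability records; the record field names and the `assess` output shape are this example's own.

```python
"""Severity and score attribution in the order given above.

Added example, not Lacework code. The records at the bottom are constructed
to exercise each branch: a distro override, a v3-only score, a v2-only
score, and an Amazon Linux style advisory with no usable score.
"""
from typing import Optional

# FIRST.org qualitative scale, as tabulated in Severity Attribution.
SEVERITY_BANDS = (
    ("Info", 0.0, 0.0),
    ("Low", 0.1, 3.9),
    ("Medium", 4.0, 6.9),
    ("High", 7.0, 8.9),
    ("Critical", 9.0, 10.0),
)


def severity_from_score(score: float) -> str:
    """Map a CVSS base score to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    score = round(score, 1)  # base scores carry one decimal; avoids the gaps between bands
    for label, low, high in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    raise AssertionError("unreachable: bands cover 0.0 to 10.0")


def displayed_score(cvss_v3: Optional[float], cvss_v2: Optional[float]) -> Optional[float]:
    """CVSS v3 supersedes v2; None means no score is available (shown as N/A)."""
    return cvss_v3 if cvss_v3 is not None else cvss_v2


def attribute_severity(distro_severity: Optional[str],
                       cvss_v3: Optional[float],
                       cvss_v2: Optional[float]) -> str:
    """Order of preference: 1) distro-provided severity, 2) v3 converted, 3) v2 converted."""
    if distro_severity:
        return distro_severity.capitalize()
    score = displayed_score(cvss_v3, cvss_v2)
    return "N/A" if score is None else severity_from_score(score)


def assess(record: dict) -> dict:
    """Produce the two fields the page says are displayed: score and severity."""
    v3, v2 = record.get("cvss_v3"), record.get("cvss_v2")
    score = displayed_score(v3, v2)
    return {
        "source": record["source"],
        "score": "N/A" if score is None else score,
        "severity": attribute_severity(record.get("distro_severity"), v3, v2),
    }


# Constructed records, not real advisories.
SAMPLE_RECORDS = [
    # Distro reclassified a vulnerability NVD scores 9.8: severity Low is shown
    # beside a 9.8 score, the mismatch described under Package Assessment Support.
    {"source": "distro override", "distro_severity": "low", "cvss_v3": 9.8, "cvss_v2": 7.5},
    {"source": "nvd v3 only", "cvss_v3": 7.5, "cvss_v2": 5.0},
    {"source": "nvd v2 only", "cvss_v2": 5.0},            # older CVE, never scored under v3
    {"source": "alas bundle", "distro_severity": "Important"},  # several CVEs, no single score
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(assess(rec))
```

The first record is the one to keep in mind when reading a report: the displayed severity comes from the distribution while the displayed score comes from NVD, so "Low" next to "9.8" is the rule working as documented, not a bug in the data.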