- Container Analysis is a service that provides vulnerability scanning and metadata storage for software artifacts.
- The service performs vulnerability scans on built software artifacts, such as the images in Container Registry, then stores the resulting metadata and makes it available for consumption through an API.
- The metadata may come from several sources, including vulnerability scanning, other Cloud services, and third-party providers.
- Container Analysis performs vulnerability scans on images in Container Registry and monitors the vulnerability information to keep it up to date. This process comprises two main tasks:
- With incremental scanning, Container Analysis scans new images when they're uploaded to Container Registry.
- The scan gathers metadata based on the container manifest and updates this metadata every time the image is re-uploaded (re-pushed).
- With continuous analysis, Container Analysis continuously monitors the metadata of scanned images in Container Registry for new vulnerabilities.
- As Container Analysis receives new and updated vulnerability information from vulnerability sources, it re-analyzes the containers to keep the list of vulnerability occurrences for already scanned images up-to-date.
- It creates new occurrences for new notes, and deletes occurrences that are no longer valid.
- This type of analysis pertains only to package vulnerabilities and does not include other kinds of metadata.
- Container Analysis performs continuous analysis only for images that have been pulled in the last 30 days. The vulnerability results for an image outside that window are not refreshed until it is pulled or re-pushed, so results for long-idle images can be stale.
- When the scan of an image completes, its vulnerability result is the set of vulnerability occurrences recorded for that image.
- The severity levels are qualitative labels that reflect factors such as exploitability, scope, impact, and maturity of the vulnerability.
- If a vulnerability enables a remote user to easily access a system and run arbitrary code without authentication or user interaction, that vulnerability would be classified as Critical.
- Effective severity is the severity level assigned by the Linux distribution.
- If distribution-specific severity levels are unavailable, Container Analysis uses the severity level assigned by the note provider.
- CVSS score is the Common Vulnerability Scoring System score and associated severity level.
- For a given vulnerability, the severity derived from a calculated CVSS score might not match the effective severity, because Linux distributions that assign severity levels use their own criteria to assess the specific impact of a vulnerability on their distribution. A policy that gates on severity should state which of the two it uses, since the same occurrence can fall on different sides of a threshold depending on the choice.
- A high-level piece of metadata, such as a vulnerability or build information, is called a note.
- When Container Analysis analyzes an image, each instance of a note that it finds in that image is recorded as an occurrence, which ties the note to the specific scanned resource.
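The following is an added example, not code from the Container Analysis documentation or from the google-cloud-containeranalysis library. It takes a list of vulnerability occurrences for one image, applies the documented severity precedence (distribution effective severity, then note-provider severity; the final fallback to a CVSS-derived rating is this example's own choice), counts them, and reports the notes whose CVSS-derived rating disagrees with the effective severity. The occurrence dictionaries are constructed sample data shaped like the Grafeas v1 Occurrence JSON the API returns (`resourceUri`, `noteName`, `kind`, `vulnerability.severity`, `vulnerability.effectiveSeverity`, `vulnerability.cvssScore`); the field names follow that schema, while the CVE numbers, project names and digests are made up.

```python
"""Rate Container Analysis vulnerability occurrences for one image.

Added example; not code from the Container Analysis documentation or the
google-cloud-containeranalysis library. SAMPLE_OCCURRENCES is constructed
data shaped like the Grafeas v1 Occurrence JSON the API returns; the field
names follow that schema, the CVE numbers, project and digests are made up.
"""
from typing import Callable, Iterable

# Container Analysis severity enum, lowest to highest.
SEVERITY_ORDER = ["MINIMAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def cvss_to_severity(score: float) -> str:
    """Qualitative rating for a CVSS v3 base score (CVSS v3.x rating scale).
    A score of 0.0 has no CVSS rating; this example maps it to MINIMAL."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "MINIMAL"


def cvss_severity(vuln: dict) -> str:
    """Rating derived purely from the occurrence's CVSS score."""
    return cvss_to_severity(float(vuln.get("cvssScore", 0.0)))


def effective_severity(vuln: dict) -> str:
    """Rating to act on: the distribution's effectiveSeverity when present,
    otherwise the note provider's severity, otherwise (this example's own
    fallback, not documented behaviour) the CVSS-derived rating."""
    for key in ("effectiveSeverity", "severity"):
        value = vuln.get(key)
        if value and value != "SEVERITY_UNSPECIFIED":
            return value
    return cvss_severity(vuln)


def summarize(occurrences: Iterable[dict], resource_uri: str,
              rate: Callable[[dict], str] = effective_severity) -> dict:
    """Count one image's vulnerability occurrences by the chosen rating and
    list the notes where the effective and CVSS-derived ratings disagree."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    mismatches = []
    for occ in occurrences:
        # One occurrence = one note found in one resource; keep only the
        # package-vulnerability occurrences that belong to this image.
        if occ.get("kind") != "VULNERABILITY" or occ.get("resourceUri") != resource_uri:
            continue
        vuln = occ["vulnerability"]
        counts[rate(vuln)] += 1
        eff, cvss = effective_severity(vuln), cvss_severity(vuln)
        if eff != cvss:
            mismatches.append((occ["noteName"], eff, cvss))
    return {"resourceUri": resource_uri, "counts": counts, "mismatches": mismatches}


def worst_severity(summary: dict):
    """Highest rating present in the summary, or None if there are no occurrences."""
    for level in reversed(SEVERITY_ORDER):
        if summary["counts"][level]:
            return level
    return None


def blocks_deploy(summary: dict, threshold: str = "HIGH") -> bool:
    """Policy gate: block when any occurrence is rated at or above threshold."""
    worst = worst_severity(summary)
    return worst is not None and SEVERITY_ORDER.index(worst) >= SEVERITY_ORDER.index(threshold)


IMAGE = "https://gcr.io/example-project/app@sha256:" + "ab" * 32  # constructed digest

SAMPLE_OCCURRENCES = [  # constructed; shaped like Grafeas v1 occurrences
    {   # distro rates it MEDIUM although the CVSS score is Critical
        "name": "projects/example-project/occurrences/occ-1",
        "resourceUri": IMAGE, "kind": "VULNERABILITY",
        "noteName": "projects/goog-vulnz/notes/CVE-2099-0001",
        "vulnerability": {"severity": "HIGH", "effectiveSeverity": "MEDIUM", "cvssScore": 9.8},
    },
    {   # no distro rating, so the provider severity is used
        "name": "projects/example-project/occurrences/occ-2",
        "resourceUri": IMAGE, "kind": "VULNERABILITY",
        "noteName": "projects/goog-vulnz/notes/CVE-2099-0002",
        "vulnerability": {"severity": "HIGH", "cvssScore": 7.5},
    },
    {
        "name": "projects/example-project/occurrences/occ-3",
        "resourceUri": IMAGE, "kind": "VULNERABILITY",
        "noteName": "projects/goog-vulnz/notes/CVE-2099-0003",
        "vulnerability": {"severity": "LOW", "effectiveSeverity": "LOW", "cvssScore": 3.1},
    },
    {   # the same note found in a different image: not part of this image's result
        "name": "projects/example-project/occurrences/occ-4",
        "resourceUri": "https://gcr.io/example-project/other@sha256:" + "cd" * 32,
        "kind": "VULNERABILITY",
        "noteName": "projects/goog-vulnz/notes/CVE-2099-0001",
        "vulnerability": {"severity": "HIGH", "effectiveSeverity": "HIGH", "cvssScore": 9.8},
    },
    {   # a non-vulnerability occurrence (scan status) for the same image
        "name": "projects/example-project/occurrences/occ-5",
        "resourceUri": IMAGE, "kind": "DISCOVERY",
        "noteName": "projects/goog-analysis/notes/PACKAGE_VULNERABILITY",
        "discovery": {"analysisStatus": "FINISHED_SUCCESS"},
    },
]

if __name__ == "__main__":
    by_distro = summarize(SAMPLE_OCCURRENCES, IMAGE)
    by_cvss = summarize(SAMPLE_OCCURRENCES, IMAGE, rate=cvss_severity)
    print("effective:", by_distro["counts"], "blocks at CRITICAL:", blocks_deploy(by_distro, "CRITICAL"))
    print("cvss:     ", by_cvss["counts"], "blocks at CRITICAL:", blocks_deploy(by_cvss, "CRITICAL"))
    for note, eff, cvss in by_distro["mismatches"]:
        print(f"{note}: effective={eff} cvss={cvss}")
```

Run against the sample, the same image passes a CRITICAL gate when rated by effective severity and fails it when rated by CVSS, which is the practical consequence of the two severities disagreeing. In a real pipeline the `occurrences` list would come from the Container Analysis API filtered to `kind="VULNERABILITY"` for the image's resource URI; the occurrences of other resources and the DISCOVERY occurrence in the sample show why the function filters on both fields.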