Container Registry

3. Analysis

  • Container Analysis is a service that provides vulnerability scanning and metadata storage for software artifacts. 
  • The service performs vulnerability scans on built software artifacts, such as the images in Container Registry, then stores the resulting metadata and makes it available for consumption through an API. 
  • The metadata may come from several sources, including vulnerability scanning, other Cloud services, and third-party providers.
  • Container Analysis performs vulnerability scans on images in Container Registry and monitors the vulnerability information to keep it up to date. This process comprises two main tasks:
      • Incremental scanning: Container Analysis scans new images when they are uploaded to Container Registry.
          • The scan gathers metadata based on the container manifest and updates this metadata every time the image is re-uploaded (re-pushed).
      • Continuous analysis: Container Analysis continuously monitors the metadata of scanned images in Container Registry for new vulnerabilities.
          • As Container Analysis receives new and updated vulnerability information from vulnerability sources, it re-analyzes the containers to keep the list of vulnerability occurrences for already scanned images up to date.
          • It creates new occurrences for new notes and deletes occurrences that are no longer valid.
          • This type of analysis pertains only to package vulnerabilities and does not include other kinds of metadata.
          • Container Analysis performs continuous analysis only for images that have been pulled in the last 30 days.
  • When the scan of an image is completed, the produced vulnerability result is the collection of vulnerability occurrences for that image.
  • The severity levels are qualitative labels that reflect factors such as exploitability, scope, impact, and maturity of the vulnerability. 
  • If a vulnerability enables a remote user to easily access a system and run arbitrary code without authentication or user interaction, that vulnerability would be classified as Critical.
  • Effective severity is the severity level assigned by the Linux distribution.
  • If distribution-specific severity levels are unavailable, Container Analysis uses the severity level assigned by the note provider.
  • CVSS score is the Common Vulnerability Scoring System score and associated severity level. 
  • For a given vulnerability, the severity derived from a calculated CVSS score might not match the effective severity. 
  • Linux distributions that assign severity levels use their own criteria to assess the specific impacts of a vulnerability on their distributions.
  • A high-level piece of metadata, such as a vulnerability or build information, is called a note. 
  • When Container Analysis analyzes an image, each instance of a note that it finds is identified as an occurrence.
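The severity and note/occurrence bullets above describe how a scan result is structured (one occurrence per note found in the image, each carrying an effective severity, a provider severity and a CVSS score) and how the severities can disagree. The following is an added example, not code from the page or from Google: it triages a list of vulnerability occurrences for one image, resolving severity the way the notes describe (distribution effective severity first, note-provider severity next, CVSS band last), flags occurrences where the CVSS-derived band differs from the effective severity, and decides whether the image passes a deploy gate. The occurrence JSON is constructed sample data modelled on the Grafeas v1 occurrence shape (`kind`, `noteName`, `vulnerability.effectiveSeverity`, `vulnerability.severity`, `vulnerability.cvssScore`, `vulnerability.packageIssue`); those field names are an assumption about the API, and the CVE identifiers, package names and resource URI are placeholders.

```python
"""Triage Container Analysis vulnerability occurrences for one image.

Added example (not Google's code). The occurrence list below is constructed
sample data shaped like Grafeas v1 VulnerabilityOccurrence JSON; the field
names are an assumption about the API, and the CVE ids are placeholders.
"""
import json
from collections import Counter

# Qualitative severity order, from least to most severe.
SEVERITY_RANK = {"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample: three vulnerability occurrences plus one build occurrence.
SAMPLE_OCCURRENCES_JSON = """
[
  {"kind": "VULNERABILITY",
   "noteName": "projects/example-provider/notes/CVE-0000-0001",
   "resourceUri": "https://gcr.io/example-project/app@sha256:PLACEHOLDER",
   "vulnerability": {"severity": "HIGH", "cvssScore": 7.5,
                     "effectiveSeverity": "MEDIUM",
                     "packageIssue": [{"affectedPackage": "libexample"}]}},
  {"kind": "VULNERABILITY",
   "noteName": "projects/example-provider/notes/CVE-0000-0002",
   "resourceUri": "https://gcr.io/example-project/app@sha256:PLACEHOLDER",
   "vulnerability": {"severity": "CRITICAL", "cvssScore": 9.8,
                     "effectiveSeverity": "CRITICAL",
                     "packageIssue": [{"affectedPackage": "libother"}]}},
  {"kind": "VULNERABILITY",
   "noteName": "projects/example-provider/notes/CVE-0000-0003",
   "resourceUri": "https://gcr.io/example-project/app@sha256:PLACEHOLDER",
   "vulnerability": {"severity": "LOW", "cvssScore": 3.1,
                     "packageIssue": [{"affectedPackage": "libthird"}]}},
  {"kind": "BUILD",
   "noteName": "projects/example-project/notes/build-note",
   "resourceUri": "https://gcr.io/example-project/app@sha256:PLACEHOLDER"}
]
"""


def cvss_to_severity(score: float) -> str:
    """Map a CVSS base score onto the CVSS v3 qualitative rating bands."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "MINIMAL"


def resolve_severity(occurrence: dict) -> str:
    """Apply the precedence described in the notes: the Linux distribution's
    effective severity wins; otherwise the note provider's severity; otherwise
    the band derived from the CVSS score."""
    vuln = occurrence["vulnerability"]
    if vuln.get("effectiveSeverity"):
        return vuln["effectiveSeverity"]
    if vuln.get("severity"):
        return vuln["severity"]
    return cvss_to_severity(float(vuln.get("cvssScore", 0.0)))


def triage(occurrences: list, block_at: str = "HIGH") -> dict:
    """Summarise one image's vulnerability result and gate on resolved severity.

    Returns per-severity counts, the occurrences whose CVSS band disagrees with
    the effective severity, the occurrences at or above the blocking threshold,
    and whether the image is allowed to deploy."""
    counts: Counter = Counter()
    mismatches, blocking = [], []
    for occ in occurrences:
        if occ.get("kind") != "VULNERABILITY":
            continue  # build/attestation notes carry no severity
        cve = occ["noteName"].rsplit("/", 1)[-1]
        vuln = occ["vulnerability"]
        resolved = resolve_severity(occ)
        counts[resolved] += 1
        cvss_band = cvss_to_severity(float(vuln.get("cvssScore", 0.0)))
        if vuln.get("effectiveSeverity") and cvss_band != vuln["effectiveSeverity"]:
            mismatches.append((cve, cvss_band, vuln["effectiveSeverity"]))
        if SEVERITY_RANK[resolved] >= SEVERITY_RANK[block_at]:
            blocking.append(cve)
    return {"counts": dict(counts), "mismatches": mismatches,
            "blocking": blocking, "allowed": not blocking}


def load_sample() -> list:
    """Parse the constructed sample as if it were API output."""
    return json.loads(SAMPLE_OCCURRENCES_JSON)


if __name__ == "__main__":
    print(json.dumps(triage(load_sample()), indent=2))
```

Gating on the resolved severity rather than on the raw CVSS score is the point: CVE-0000-0001 would block on its CVSS band (HIGH) but the distribution rates it MEDIUM for its build, so the gate honours the effective severity and records the disagreement for review instead of failing the deploy.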