Let's review several technical concepts behind Aqua's Vulnerability Scanning.


Vulnerability Scanning Results

The following terms are key in understanding the scan results:

  • Resources and vulnerabilities: 
    Applications running on top of container images have dependencies on packages that might have known vulnerabilities. When scanning images, the service analyzes these packages and dependencies and checks whether they are vulnerable. The scan results include the "image-resources-vulnerabilities" relationship for each scanned image, so you can trace the vulnerability source.

  • Fixable vulnerabilities: 
    Vulnerabilities that have an available official fix are marked as fixable. In addition, the earliest version of the fixed package appears in the results, to help you remediate the vulnerability by upgrading. You can filter the image scan results to view only the fixable vulnerabilities.

  • Vulnerability severity: 
    The vulnerability severity is mapped from NVD CVSS v3 or CVSS v2 for vulnerabilities that were published before 2015.

The mapping to the severity is:

  • Critical: 10.0 - 9.0
  • High: 8.9 – 7.0
  • Medium: 6.9 – 4.0
  • Low: 3.9 - 0

Process Flow

The following is a conceptual description of the Vulnerability Scanning flow:

  1. New images are periodically discovered and pulled into the Aqua service
  2. The service analyzes each image to discover the list of packages installed in it
  3. The list of packages are saved in the Aqua database
  4. The service checks for vulnerabilities in these packages 
  5. The scan results are also saved in the Aqua database
  6. The original images, containing potentially customer-sensitive information, are never stored in the Aqua database
  7. Re-scans are executed daily based on the previously analyzed list of installed packages

Supported OS Packages

The image scanning leverages the Trivy by Aqua open source project and supports the same comprehensive list of OS packages. At this time this includes - Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS, Debian GNU/Linux, Ubuntu, Distroless. 

Trivy is updated regularly. Please see the latest spec at the Trivy's list of supported OS packages.