This article provides a short summary of criterium for users looking to understand how the "Full Path to Resource" UI feature is designed, including how Scanning & Scanning results are effected by the use of package managers in building images. Aqua users should understand the implications of package manager use and how this may effect results after completion.
When Aqua analyzes an image it first attempts to create an inventory of resources on the image:
It must determine the packages installed, programming language packages installed, and potentially common standalone binaries (those not installed by a package manager).
Aqua then uses this list to determine critical vulnerabilities, malware, and exploits. This process is done in a way that does not impact overall performance, yet provides the most accurate results.
Important Parameters to know:
- If an image is based on a distribution, then information about packages installed is pulled from the package managers associated with the distribution. In the case where a package is discovered via the OS package manager, the full path is not listed.
- If an image is "distroless" then the information about packages is compiled in a way that allows us to include the full path.
- If an image includes packages from supported programming languages, then the full path is found. Details on the programming languages supported is here: https://docs.aquasec.com/docs/image-scanning-details#programming-language-component
- If an image includes standalone binaries ( https://docs.aquasec.com/docs/image-scanning-details#section-standalone-binaries) from a predefined list, then the full path is found.
- Depending on what exactly the customer is compiling and installing, an image will either fall into the category of a "supported programming language" or it will fall into the category of a "standalone binary".
Did you find it helpful?Send feedback