Advisory database sources and matching service
Docker Scout is a service that helps developers and security teams build and maintain a secure software supply chain. A key component of this is the ability to assess your software artifacts against a reliable source of vulnerability information. Different tools collect vulnerability information from different sources, and use different methods to identify matches against software artifacts. This can lead to differing results between tools.
To help you understand why different tools can provide different results when assessing software for vulnerabilities, this page explains how the Docker Scout advisory database and CVE-to-package matching service works.
Docker Scout creates and maintains its vulnerability database by ingesting and collating vulnerability data from multiple sources continuously. These sources include many recognizable package repositories and trusted security trackers, such as:
- Alpine secdb
- Amazon Linux Security Center
- CISA Known Exploited Vulnerability Catalog
- Debian Security Bug Tracker
- GitHub Advisory Database
- GitLab Advisory Database
- Golang VulnDB
- inTheWild, a community-driven open database of vulnerability exploitation
- National Vulnerability Database
- Oracle Linux Security
- Python Packaging Advisory Database
- Red Hat Security Data
- RustSec Advisory Database
- SUSE Security CVRF
- Ubuntu CVE Tracker
- Wolfi Security Feed
- Chainguard Security Feed
Docker Scout correlates this data by making a full inventory of a container image and storing that inventory in a software bill of materials (SBOM).
The SBOM records the contents of the image and how each component got there. When information about a new vulnerability arrives, Docker Scout correlates it with the stored SBOM rather than re-scanning the image. If Docker Scout finds a match, it can identify the artifact that is now vulnerable, why it is vulnerable, and where it is in use.
When a customer enrolls with Docker Scout, the organization receives their own instance of the database. This database tracks timestamped metadata about your images that Docker Scout can then match to CVEs. Find more details on how this works in the image analysis page.
Docker Scout is ideal for analyzing images in Docker Desktop and Docker Hub, but the flexibility of the approach also means it can integrate with other systems, see Integrating Docker Scout with other systems.
Many other tools match known vulnerabilities to the software packages they affect using fuzzy Common Platform Enumeration (CPE) matching with wildcards. This can return a lot of false positives that you then need to triage.
The typical structure of a CPE match looks like this (CPE 2.3 formatted string, with `*` meaning "any value"):
cpe:2.3:*:*:calendar:*:*:*:*:*:*:*:*
This returns a match on anything with the product name "calendar", regardless of vendor, version or ecosystem. If there is a vulnerability present in an NPM package, this CPE match would also return packages and modules for all other
Instead, Docker Scout matches CVEs to SBOMs using package URLs (PURLs), a more precise, universal schema for identifying software packages. A PURL identifies only the relevant packages, with far fewer false positives.
Continuing this example, a PURL can match the specific package name to a language and version.
This only matches an npm package with the name "calendar" and the version "12.0.2". Where it matters, PURL qualifiers can also carry the architecture and the operating system distribution or version, making matches even more precise.
In summary, Docker Scout’s technique improves matching accuracy and reduces the number of results that turn out to be false-positives.
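To make the difference concrete, the following added example (not Docker Scout's code, and not taken from any of the advisory sources above) runs the page's "calendar" case over a small constructed SBOM. It implements a wildcard CPE 2.3 matcher and a PURL matcher side by side, and goes slightly beyond the text by also applying an affected-version range and PURL qualifier checks (distro), which is how the SBOM correlation described earlier is usually done. Everything in it is an assumption for illustration: the SBOM contents, the advisory records (the `EXAMPLE-` identifiers are placeholders, not real advisories), the naive version comparison, and the projection of PURL fields onto CPE fields.

```python
# Added example (not Docker Scout's code): wildcard CPE matching versus PURL
# matching over a constructed SBOM. All inventory and advisory data below is
# made up for illustration.
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed SBOM inventory: one PURL per component, as an SBOM would list them.
SBOM_PURLS = [
    "pkg:npm/calendar@12.0.2",
    "pkg:npm/calendar@12.1.0",
    "pkg:pypi/calendar@1.4.0",
    "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64&distro=debian-12",
]


@dataclass
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: dict = field(default_factory=dict)


def parse_purl(s: str) -> Purl:
    """Parse the PURL subset used here: pkg:type[/namespace]/name[@version][?qualifiers][#subpath]."""
    if not s.startswith("pkg:"):
        raise ValueError(f"not a PURL: {s}")
    rest = s[len("pkg:"):].lstrip("/")
    rest, _, _subpath = rest.partition("#")        # subpath is irrelevant for matching
    rest, _, qual = rest.partition("?")
    rest, _, version = rest.partition("@")
    parts = rest.split("/")
    qualifiers = dict(kv.split("=", 1) for kv in qual.split("&") if "=" in kv)
    return Purl(parts[0].lower(), "/".join(parts[1:-1]) or None, parts[-1], version or None, qualifiers)


# --- CPE 2.3 wildcard matching (the fuzzy approach) --------------------------
CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(s: str) -> dict:
    """Parse a CPE 2.3 formatted string: cpe:2.3: followed by 11 colon-separated components."""
    comps = s.split(":")
    if comps[:2] != ["cpe", "2.3"] or len(comps) != 13:
        raise ValueError(f"malformed CPE 2.3 string: {s}")
    return dict(zip(CPE_FIELDS, comps[2:]))


def purl_to_cpe_candidate(p: Purl) -> dict:
    """Best-effort projection of a PURL onto CPE fields. Vendor is unknown, and that
    missing information is exactly what makes CPE matching fuzzy."""
    target_sw = {"npm": "node.js", "pypi": "python", "deb": "debian"}.get(p.type, "*")
    return {"part": "a", "product": p.name, "version": p.version or "*", "target_sw": target_sw}


def cpe_matches(pattern: dict, candidate: dict) -> bool:
    """'*' (ANY) on either side matches; everything else is a case-insensitive equality test."""
    for f in CPE_FIELDS:
        want, have = pattern[f], candidate.get(f, "*")
        if want != "*" and have != "*" and want.lower() != have.lower():
            return False
    return True


# --- PURL matching with a version range and qualifiers (the precise approach) -
@dataclass
class PurlAdvisory:
    id: str                      # placeholder identifier, not a real advisory
    type: str
    namespace: Optional[str]
    name: str
    fixed_in: Optional[str]      # affected when introduced <= version < fixed_in
    introduced: str = "0"
    qualifiers: dict = field(default_factory=dict)   # required values, e.g. {"distro": "debian-12"}


def version_tuple(v: str) -> tuple:
    """Naive dotted-numeric ordering; fine for the npm example, NOT correct for deb/rpm
    epochs and tildes, where dpkg/rpm comparison semantics would be needed."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def purl_matches(adv: PurlAdvisory, p: Purl) -> bool:
    if (adv.type, adv.namespace, adv.name) != (p.type, p.namespace, p.name):
        return False
    if any(p.qualifiers.get(k) != v for k, v in adv.qualifiers.items()):
        return False
    if p.version is None:
        return True                                  # unknown version: report conservatively
    v = version_tuple(p.version)
    return version_tuple(adv.introduced) <= v and (adv.fixed_in is None or v < version_tuple(adv.fixed_in))


CPE_PATTERN = "cpe:2.3:*:*:calendar:*:*:*:*:*:*:*:*"            # the page's example, well-formed
NPM_ADVISORY = PurlAdvisory("EXAMPLE-0001", "npm", None, "calendar", fixed_in="12.0.3")
DEB_ADVISORY_D11 = PurlAdvisory("EXAMPLE-0002", "deb", "debian", "openssl", fixed_in="3.0.12-1",
                                qualifiers={"distro": "debian-11"})
DEB_ADVISORY_D12 = PurlAdvisory("EXAMPLE-0003", "deb", "debian", "openssl", fixed_in="3.0.12-1",
                                qualifiers={"distro": "debian-12"})


def cpe_hits(pattern: str = CPE_PATTERN, sbom=SBOM_PURLS) -> list[str]:
    pat = parse_cpe23(pattern)
    return [s for s in sbom if cpe_matches(pat, purl_to_cpe_candidate(parse_purl(s)))]


def purl_hits(adv: PurlAdvisory = NPM_ADVISORY, sbom=SBOM_PURLS) -> list[str]:
    return [s for s in sbom if purl_matches(adv, parse_purl(s))]


if __name__ == "__main__":
    print("CPE wildcard hits:", cpe_hits())            # npm 12.0.2, npm 12.1.0 and the unrelated PyPI package
    print("PURL range hits  :", purl_hits())           # only pkg:npm/calendar@12.0.2
    print("deb, wrong distro:", purl_hits(DEB_ADVISORY_D11))
    print("deb, right distro:", purl_hits(DEB_ADVISORY_D12))
```

The CPE pattern hits three components, two of which (the patched 12.1.0 release and the unrelated PyPI package) are false positives a human would have to triage away; the PURL advisory hits exactly one, and the distro qualifier keeps a Debian 11 advisory from firing on a Debian 12 package.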
By sourcing vulnerability data from the providers above, Docker Scout is able to support analyzing the following package ecosystems:
- GitHub packages
- deb (Debian Linux and derivatives)