Advisory database sources and matching service

Early Access

Docker Scout secures the complete software supply chain by providing image analysis, real-time vulnerability identification, contextual remediation recommendations, and more. Now available in early access.

Learn more on the Docker Scout product page.

Docker Scout is a service that helps developers and security teams build and maintain a secure software supply chain. A key component of this is the ability to assess your software artifacts against a reliable source of vulnerability information. Different tools collect vulnerability information from different sources, and use different methods to identify matches against software artifacts. This can lead to differing results between tools.

To help you understand why different tools can provide different results when assessing software for vulnerabilities, this page explains how the Docker Scout advisory database and CVE-to-package matching service works.

Docker Scout’s advisory database sources

Docker Scout creates and maintains its vulnerability database by ingesting and collating vulnerability data from multiple sources continuously. These sources include many recognizable package repositories and trusted security trackers, such as:

Docker Scout correlates this data by making a full inventory of a container image and storing that inventory in a software bill of materials (SBOM).

The SBOM summarizes the contents of the image and how the contents got there, meaning that when information about a new vulnerability arrives, Docker Scout correlates it with the SBOM. If Docker Scout finds a match for a vulnerability, it can identify the artifact that’s now vulnerable, why, and where it’s in use.

When a customer enrolls with Docker Scout, the organization receives its own instance of the database. This database tracks timestamped metadata about your images that Docker Scout can then match to CVEs. Find more details on how this works in the image analysis page.

Docker Scout is ideal for analyzing images in Docker Desktop and Docker Hub, but the flexibility of the approach also means it can integrate with other systems. See Integrating Docker Scout with other systems.

How Docker Scout makes more precise matches

Many other tools use fuzzy Common Product Enumeration (CPE) matching with wildcards to link known vulnerabilities with the versions of software packages they affect. This can return a lot of false positives, which you then need to triage.

The typical structure of a CPE match looks like this:

cpe:<cpe_version>:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>

For example, cpe:*:*:*:calendar:*:*:*:*:*:*:* returns a match on anything with the product name “calendar”. If a vulnerability is present in an NPM package, this CPE match would also return packages and modules for all other languages too.

Instead, Docker Scout matches CVEs to SBOMs using package URL (PURL) links, which are a more precise, universal schema for identifying software packages. A PURL link identifies only the relevant packages, with far fewer false positives.

Continuing this example, a PURL can match the specific package name to a language and version.

pkg:npm/calendar@12.0.2

This matches only a Node package named “calendar” at version “12.0.2”. For relevant packages, you can also specify architectures and operating system versions to make the match more precise.
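To make the difference concrete, here is an added example (not Docker Scout’s code, and not a description of its internal matcher) that runs the page’s two identifiers, the wildcard CPE and the PURL pkg:npm/calendar@12.0.2, against a small constructed SBOM inventory. The CPE parser treats missing trailing fields as “*” so that the shortened example on the page parses; the SBOM entries, the extra deb PURL with arch and distro qualifiers, and the function names are all assumptions made for the illustration.

```python
"""Added example: fuzzy CPE wildcard matching versus exact PURL matching."""
from urllib.parse import unquote

# Constructed inventory standing in for an image SBOM (not real Scout output).
# Several ecosystems happen to ship a package called "calendar".
SBOM = [
    {"type": "npm",  "name": "calendar", "version": "12.0.2", "qualifiers": {}},
    {"type": "npm",  "name": "calendar", "version": "11.9.0", "qualifiers": {}},
    {"type": "pypi", "name": "calendar", "version": "1.0.4",  "qualifiers": {}},
    {"type": "gem",  "name": "calendar", "version": "0.3.1",  "qualifiers": {}},
    {"type": "deb",  "namespace": "debian", "name": "calendar", "version": "2.1-1",
     "qualifiers": {"arch": "amd64", "distro": "debian-11"}},
    {"type": "deb",  "namespace": "debian", "name": "calendar", "version": "2.1-1",
     "qualifiers": {"arch": "arm64", "distro": "debian-11"}},
    {"type": "npm",  "name": "lodash",   "version": "4.17.21", "qualifiers": {}},
]

# Field order of the CPE layout shown on the page.
CPE_FIELDS = ("cpe_version", "part", "vendor", "product", "version", "update",
              "edition", "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe(cpe: str) -> dict:
    """Split a colon-delimited CPE string into named fields.
    Assumption: missing trailing fields count as '*' (any)."""
    parts = cpe.split(":")
    if parts[0] != "cpe":
        raise ValueError("not a CPE string")
    fields = parts[1:]
    fields += ["*"] * (len(CPE_FIELDS) - len(fields))
    return dict(zip(CPE_FIELDS, fields))


def cpe_matches(cpe: str, component: dict) -> bool:
    """Fuzzy CPE match: '*' matches anything, otherwise exact compare.
    A CPE carries no package ecosystem, so npm, PyPI, gem and deb
    packages with the same product name all match."""
    c = parse_cpe(cpe)
    ok = lambda want, actual: want == "*" or want == actual
    return ok(c["product"], component["name"]) and ok(c["version"], component["version"])


def parse_purl(purl: str) -> dict:
    """Minimal parser for pkg:type/namespace/name@version?qualifiers#subpath."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a PURL")
    rest = purl[len("pkg:"):]
    rest, _, _subpath = rest.partition("#")          # subpath is ignored here
    rest, _, qualifier_str = rest.partition("?")
    rest, version = rest.rsplit("@", 1) if "@" in rest else (rest, "")
    segments = rest.strip("/").split("/")
    qualifiers = {}
    for pair in filter(None, qualifier_str.split("&")):
        key, _, value = pair.partition("=")
        qualifiers[key.lower()] = unquote(value)
    return {"type": segments[0].lower(),
            "namespace": "/".join(unquote(s) for s in segments[1:-1]) or None,
            "name": unquote(segments[-1]),
            "version": unquote(version) or None,
            "qualifiers": qualifiers}


def purl_matches(purl: str, component: dict) -> bool:
    """Exact PURL match: ecosystem and name must agree; a version, namespace
    or qualifier present on the advisory side must agree as well, while an
    absent one means 'any'."""
    p = parse_purl(purl)
    if p["type"] != component["type"] or p["name"] != component["name"]:
        return False
    if p["namespace"] and p["namespace"] != component.get("namespace"):
        return False
    if p["version"] and p["version"] != component["version"]:
        return False
    have = component.get("qualifiers", {})
    return all(have.get(k) == v for k, v in p["qualifiers"].items())


def label(component: dict) -> str:
    arch = component.get("qualifiers", {}).get("arch")
    base = f"{component['type']}/{component['name']}@{component['version']}"
    return base + (f"?arch={arch}" if arch else "")


def find_matches(matcher, identifier: str, sbom=SBOM) -> list:
    """Return labels of SBOM components the given identifier matches."""
    return [label(c) for c in sbom if matcher(identifier, c)]


if __name__ == "__main__":
    for ident, fn in [("cpe:*:*:*:calendar:*:*:*:*:*:*:*", cpe_matches),
                      ("pkg:npm/calendar@12.0.2", purl_matches),
                      ("pkg:deb/debian/calendar@2.1-1?arch=amd64&distro=debian-11", purl_matches)]:
        print(f"{ident}\n  -> {find_matches(fn, ident)}")
```

Running it shows the wildcard CPE pulling in every “calendar” across npm, PyPI, RubyGems and both Debian architectures, while the PURL narrows the result to the single npm component at 12.0.2, and the deb PURL with arch and distro qualifiers narrows further to one architecture, which is the kind of precision the page describes for operating system packages.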

In summary, Docker Scout’s technique improves matching accuracy and reduces the number of results that turn out to be false positives.

Package ecosystems supported by Docker Scout

By sourcing vulnerability data from the providers above, Docker Scout is able to support analyzing the following package ecosystems:

  • .NET
  • GitHub packages
  • Go
  • Java
  • JavaScript
  • PHP
  • Python
  • RPM
  • Ruby
  • alpm (Arch Linux)
  • apk (Alpine Linux)
  • deb (Debian Linux and derivatives)