Online / 6 & 7 February 2021


Composition analysis of Docker images and other rootfs

Container and VM images contain many packages and are quite a challenge for composition analysis.

Linux root filesystems, virtual machine disk images and container images routinely contain thousands of system packages, application packages and other custom software components.

Each of these components may have a different provenance, may be modified or vulnerable. Such a large number of packages creates a fertile ground for bugs, security and license issues to go unnoticed. Join me to discover approaches and FOSS tools to perform static composition analysis of a root filesystem with specific techniques for container and Docker images or virtual machines to uncover all the known and unknown third-party code they are composed of.

With this knowledge, we can validate whether an image has been modified or tampered with, whether its packages are subject to known vulnerabilities, and what their licenses are: these are essential checks to proactively vet and safely reuse such images, and to safely build larger systems on top of them.
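As an added illustration of the kind of static check the abstract describes (not code from the talk or from any tool it presents), the following Python script builds a small constructed Debian-style root filesystem, inventories the installed packages from `var/lib/dpkg/status`, and then compares each file recorded in a package's `var/lib/dpkg/info/<pkg>.md5sums` list against what is actually present in the rootfs, flagging missing or modified files. The sample rootfs, its package names and file contents are all constructed for the example; the two dpkg file formats it reads are the real ones.

```python
import hashlib
import tempfile
from pathlib import Path


def parse_dpkg_status(text):
    """Parse the RFC 822-style dpkg status database into a list of field dicts.

    Stanzas are separated by blank lines; a line starting with whitespace
    continues the previous field (e.g. a multi-line Description).
    """
    packages, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                packages.append(current)
            current, last_key = {}, None
            continue
        if line[0] in " \t" and last_key:
            current[last_key] += "\n" + line.strip()
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        packages.append(current)
    return packages


def inventory(rootfs):
    """Return (name, version) for every package dpkg reports as installed.

    Packages in states such as 'deinstall ok config-files' are skipped: their
    files are gone, only leftover configuration remains.
    """
    status = Path(rootfs) / "var/lib/dpkg/status"
    return [
        (p["Package"], p.get("Version", ""))
        for p in parse_dpkg_status(status.read_text())
        if p.get("Status", "").endswith(" installed")
    ]


def verify_package_files(rootfs, package):
    """Compare on-disk files against the md5 list dpkg recorded at install time.

    Each line of <pkg>.md5sums is '<md5hex>  <path relative to />'.
    Returns a list of (finding, path) tuples; an empty list means consistent.
    """
    rootfs = Path(rootfs)
    md5sums = rootfs / "var/lib/dpkg/info" / f"{package}.md5sums"
    if not md5sums.exists():
        return [("no-md5sums", package)]
    findings = []
    for line in md5sums.read_text().splitlines():
        if not line.strip():
            continue
        expected, _, relpath = line.partition("  ")
        target = rootfs / relpath
        if not target.is_file():
            findings.append(("missing", relpath))
        elif hashlib.md5(target.read_bytes()).hexdigest() != expected:
            findings.append(("modified", relpath))
    return findings


def build_sample_rootfs():
    """Create a constructed rootfs with one installed package, one removed
    package, and one file patched after installation (simulated tampering)."""
    root = Path(tempfile.mkdtemp(prefix="rootfs-"))
    (root / "var/lib/dpkg/info").mkdir(parents=True)
    (root / "usr/bin").mkdir(parents=True)
    (root / "etc").mkdir()
    files = {
        "usr/bin/hello": b"#!/bin/sh\necho hello\n",
        "etc/hello.conf": b"greeting=hello\n",
    }
    for rel, data in files.items():
        (root / rel).write_bytes(data)
    md5lines = [f"{hashlib.md5(d).hexdigest()}  {rel}" for rel, d in files.items()]
    (root / "var/lib/dpkg/info/hello.md5sums").write_text("\n".join(md5lines) + "\n")
    (root / "var/lib/dpkg/status").write_text(
        "Package: hello\nStatus: install ok installed\nVersion: 2.10-2\n"
        "Architecture: amd64\nDescription: constructed sample package\n"
        " used only for this example\n\n"
        "Package: removed-pkg\nStatus: deinstall ok config-files\nVersion: 1.0\n\n"
    )
    # Post-install modification that the package database does not know about.
    (root / "usr/bin/hello").write_bytes(b"#!/bin/sh\necho modified\n")
    return root


if __name__ == "__main__":
    root = build_sample_rootfs()
    for name, version in inventory(root):
        print(f"{name} {version}: {verify_package_files(root, name) or 'ok'}")
```

Run against a real extracted image, `inventory()` gives the dpkg-level bill of materials and `verify_package_files()` surfaces files that no longer match what the package manager installed. Two caveats a practitioner should keep in mind: the md5 lists live inside the same rootfs, so anyone able to rewrite `usr/bin/hello` can rewrite `hello.md5sums` too, and a stronger check compares against the original `.deb` metadata fetched from a trusted mirror; and dpkg tracks conffiles in the `Conffiles` field of the status file rather than in `.md5sums`, so a complete implementation reads both. Files that belong to no package at all (the "unknown third-party code" the abstract mentions) are found by the complementary step of walking the rootfs and subtracting every path listed in `var/lib/dpkg/info/*.list`.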


Philippe Ombredanne