Dan Lorenc
OSS Supply Chain Security. Founder/CEO at https://t.co/sGmuUUrk3e Sigstore: https://t.co/dWKlyYcuVV Cosign: https://t.co/Tk6oUnZKYz SLSA: https://t.co/q4r8PFbf5T
Dec 18, 2022 8 tweets 4 min read
It's been awhile, so let's do another CVE Deep Dive! This time, let's look at CVE-2022-46908, a critical vulnerability in sqlite! This currently shows up in all three scanners tested (snyk, trivy, and grype) against the GCP Distroless Python 3 image. Looking in the NVD, we can see that this is a sanitization bug in the "safe" mode of operating sqlite, where some unsafe functions are still allowed to be called: nvd.nist.gov/vuln/detail/CV…
Sep 28, 2022 8 tweets 3 min read
Today, the Senate will discuss and mark up the "Securing Open Source Act".

Lots has been said about it already, here's my take!

🧵time!

#OpenSource

congress.gov/bill/117th-con… The gov. needs to get involved here, but a better name would be "Securing the Usage of Open Source Act", because you can't secure OSS itself.

Open source is free expression, and it comes with no warranties. Securing/regulating it would be the same as regulating free speech.
Sep 10, 2022 9 tweets 5 min read
New PCI Guidance for Containerized Environments just dropped! See @raesene's post for a more detailed look: raesene.github.io/blog/2022/09/1…

Here's a 🧵 on the supply chain security parts! The doc is pretty short actually, and the tables take up a lot of content; you should read the entire thing: raesene.github.io/blog/2022/09/1…

Sections 1&2 are background, and contain info on when not to use containers. This part is pretty funny:
Sep 3, 2022 10 tweets 5 min read
Here's the next installment in the CVE Tales Series!

Last week we talked about false negatives, let's bring back some (false) positivity with CVE-2008-1688, which shows up today in all 3 scanners (snyk, grype, trivy) in the official node image.

nvd.nist.gov/vuln/detail/CV… This CVE is over 14 years old, and was first filed in April of 2008, so how is it still showing up in our latest Node.js images?

Looking at the NVD data page, the description is a bit... sparse and confusing. There might be arbitrary code execution!
Aug 28, 2022 10 tweets 3 min read
CVE deep dive!

Today I'll look at how scanners work rather than a CVE.

I'll focus on how they find packages, because that's the first step in looking for CVEs.

I'll show a blind spot scanners have with many popular docker images, and how you might be missing a LOT of vulns. As a test image, we'll use the node from DockerHub, and the syft tool to inspect it!

The syft tool can dump out the list of packages from an image, so let's run it on node to see what's inside.

The full output is here: gist.github.com/dlorenc/2128d2…
Jul 17, 2022 7 tweets 1 min read
Everyone has heard of @kubernetesio, but few understand the power.

Here are 137 lines you can't run a container without!

apiVersion: apps/v1
Dec 12, 2021 10 tweets 5 min read
Funding OSS is a hot topic today! I got to spend a lot of time over the last two years working on paying OSS maintainers at @Google.

We spent a few million dollars and funded some relatively high profile work, in addition to a lot of smaller projects.

A 🧵on problems I saw! This is going to sound blunt, but it's a distribution problem not a funding problem. $ is easy.

Corporations have budget and are willing to spend, but it takes too much time. Finding projects that need help and maintainers willing to help in exchange for money is hard.