How to use Chainguard Security Advisories and the Diff API

How to use security advisories and the diff API to investigate vulnerabilities affecting Chainguard images

Tools used in this video

Related Article

See How to Use Chainguard Security Advisories for a written article covering similar content to this video.

Transcript

0:05 So a question we sometimes get asked is how to investigate vulnerabilities found in Chainguard images and how you can figure out if there’s a fix

0:15 so thanks to a new website and some new tooling this is pretty

0:19 straightforward so in this example we’re

0:21 going to look at a slightly old golang

0:23 image and if we run Docker Scout or a

0:26 similar scanner we do get some results

0:31 so you can see in this image we found 11

0:35 vulnerabilities and we’re going to

0:37 investigate this one 2023

0:42 44487 and we can see we’re interested in

0:45 the nghttp2 package so I’m going to

0:50 copy that and I’m going to move to a

0:56 browser and here I have opened images.chainguard.dev/security and I can search by

1:02 that CVE so that comes up. If I click

1:06 into this I can filter by packages so if

1:09 I put in nghttp2

1:12 we can see that comes up

1:15 here and interestingly we can see

1:19 the status is fixed it’s fixed in

1:21 version 1.57.0-r0 um and this

1:25 happened a while ago on October the 11th

1:29 so now I’m fairly

1:34 sure that that vulnerability will be

1:36 gone because the image will have been

1:37 updated and indeed there we see there’s

1:40 no vulnerabilities detected but we can

1:42 do a bit more than that with a new diff

1:44 API we can actually look into the

1:46 differences between the 1.21.2 image and

1:49 the 1.21.5 image um this will take a

1:53 little moment to run note that I’ve

1:55 piped this through jq to format the

1:57 output and I’ve also saved it out to

1:59 file um so we can scroll through it and

2:02 see the output and look at it a little

2:04 bit easier so if I open this

2:08 file and we look at the bottom what we

2:11 have here is a list of the

2:13 vulnerabilities that have been removed

2:15 between the two versions of the image so

2:18 in this list I should see that 4487

2:20 indeed it’s here we’re saying this CVE was

2:24 addressed and also if we search for nghttp2

2:28 we find it here and we see the

2:32 version has been updated so in

2:36 this version of the image we’re running

2:39 on a newer version of nghttp2

2:42 which is why that vulnerability has gone

2:44 away so there you have it that’s how you

2:47 can investigate CVEs and find out how

2:50 they were addressed in Chainguard

2:51 images please do give this a go and let

2:54 me know how you get on

Last updated: 2024-01-18 15:21