<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>CVE on</title><link>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/tags/cve/</link><description>Recent content in CVE on</description><generator>Hugo -- gohugo.io</generator><language>en</language><copyright>Copyright (c) 2023 Chainguard</copyright><lastBuildDate>Thu, 11 Sep 2025 00:00:00 +0000</lastBuildDate><atom:link href="https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/tags/cve/index.xml" rel="self" type="application/rss+xml"/><item><title>Sea-curing Software #1 - Fighting Vulnerabilities</title><link>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/software-security/comics/fighting-vulnerabilities/</link><pubDate>Tue, 25 Jul 2023 15:35:05 +0000</pubDate><guid>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/software-security/comics/fighting-vulnerabilities/</guid><description>&lt;img alt="Comic featuring Chainguard's mascot, Linky the octopus, using their tentacles to defend a vulnerable computer from software vulnerabilities. The vulnerabilities take the form of robotic octopuses charging forward as an army toward the computer." src="seacuring-software-ep1.png" /&gt;</description></item><item><title>What Are Software Vulnerabilities and CVEs?</title><link>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/software-security/cves/cve-intro/</link><pubDate>Fri, 30 Jun 2023 19:10:09 +0000</pubDate><guid>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/software-security/cves/cve-intro/</guid><description>&lt;p&gt;A &lt;a href="https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/software-security/glossary/#software-vulnerability"&gt;&lt;em&gt;software vulnerability&lt;/em&gt;&lt;/a&gt; is a weakness in a program which, if left unaddressed, may be used by attackers to access, manipulate, or compromise a computer system. 
Vulnerabilities can be introduced at different stages of development and vary in their scope, criticality, and potential attack vector depending on their root cause. As a consequence, software developers spend time and resources triaging, remediating, and patching vulnerabilities to harden their software security and to prevent attackers from exploiting unintended program behavior.&lt;/p&gt;</description></item><item><title>Why Care About Software Vulnerabilities?</title><link>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/software-security/cves/cve-why-care/</link><pubDate>Thu, 13 Jul 2023 19:46:58 +0000</pubDate><guid>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/software-security/cves/cve-why-care/</guid><description>&lt;p&gt;Software products are prone to &lt;a href="https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/software-security/cves/cve-intro/"&gt;&lt;em&gt;vulnerabilities&lt;/em&gt;&lt;/a&gt; which, if exploited by an attacker, may negatively impact the systems and consumers relying on them. Attacks against vulnerable software systems can result in the unintended exposure and misuse of sensitive data (like the theft of user account credentials). In other cases, these attacks could affect the provision of a service, or compromise critical infrastructure that relies on the software. 
Given the considerable threat that they can pose, it is important that developers spend time mitigating vulnerabilities to protect against hackers seeking to exploit them.&lt;/p&gt;</description></item><item><title>Infamous Software Vulnerabilities</title><link>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/software-security/cves/infamous-cves/</link><pubDate>Fri, 21 Jul 2023 19:16:39 +0000</pubDate><guid>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/software-security/cves/infamous-cves/</guid><description>&lt;p&gt;&lt;a href="https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/software-security/cves/cve-intro/"&gt;Software vulnerabilities&lt;/a&gt; vary in their severity – some are difficult to exploit and have minimal implications, while others can be exploited easily, giving an attacker significant leverage over a computer system. In cases where widely-implemented software contains high-severity vulnerabilities, the damage caused by their exploitation can affect millions of developers and services worldwide.&lt;/p&gt;
&lt;p&gt;In this article, you will learn how the KEV Catalog tracks known exploited software vulnerabilities, and how it serves as a tool for developers and federal agencies. In addition, you will explore Log4Shell, Heartbleed, and Shellshock, three infamous software vulnerabilities which have had major impacts on software security worldwide.&lt;/p&gt;</description></item><item><title>Software Vulnerability Remediation</title><link>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/software-security/cves/cve-remediation/</link><pubDate>Mon, 31 Jul 2023 14:04:10 +0000</pubDate><guid>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/software-security/cves/cve-remediation/</guid><description>&lt;p&gt;At worst, a software vulnerability can constitute a critical security flaw that warrants immediate attention. Developers &lt;a href="https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/software-security/cves/cve-why-care/"&gt;care about mitigating software vulnerabilities&lt;/a&gt; because their presence may harm the integrity of their product, negatively affect downstream users, or slow down efforts toward meeting regulatory requirements. However, modern software development practices which incorporate third-party packages in addition to newly scripted code can complicate the vulnerability remediation process. 
Keeping track of how and where vulnerabilities are introduced, as well as what introduced them, is an arduous task when multitudes of dependencies are working together.&lt;/p&gt;</description></item><item><title>Strategies for Minimizing your CVE Risk</title><link>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/cve-risk/</link><pubDate>Thu, 16 Nov 2023 11:07:52 +0200</pubDate><guid>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/cve-risk/</guid><description>&lt;p&gt;&lt;a href="https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/software-security/cves/cve-intro/#what-is-a-cve"&gt;Common vulnerabilities and exposures&lt;/a&gt; (CVEs) are an increasing concern for developers and organizations, which is why Chainguard developed its minimal container images that reduce the attack surface. A new CVE in a widely-used application or a vulnerability scan with numerous positive results can significantly impact security posture, compliance requirements, and development timelines.&lt;/p&gt;
&lt;p&gt;Chances are, your software has already been impacted by a CVE. It&amp;rsquo;s likely there are active CVEs in software you are using. After all, there are software vulnerabilities currently in existence that haven&amp;rsquo;t even been discovered (known as &lt;a href="https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/software-security/glossary/#zero-day"&gt;zero-day vulnerabilities&lt;/a&gt;). With that said, this conceptual article aims to highlight a few practices and strategies you and your team can use to reduce the risk of CVEs on your software. It also includes a section on &lt;a href="https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/cve-risk/#recommended-tools"&gt;tools recommended by Chainguard&lt;/a&gt; that can help to reduce your attack surface area and minimize your risk of CVEs.&lt;/p&gt;</description></item><item><title>CVE remediation for Chainguard Libraries</title><link>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/libraries/cve-remediation/</link><pubDate>Thu, 11 Sep 2025 00:00:00 +0000</pubDate><guid>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/libraries/cve-remediation/</guid><description>&lt;p&gt;CVE remediation for Chainguard Libraries provides protection against
critical and high CVEs. Applications often rely on older versions of libraries,
but upstream maintainers may not apply and release patches for those versions.
Chainguard addresses this gap by backporting vulnerability fixes
from newer releases to older releases, particularly in cases where maintainers
are no longer able to support and provide fixes.&lt;/p&gt;
&lt;p&gt;CVE remediation helps reduce risk for organizations that cannot always upgrade
quickly, especially when moving to a newer version would introduce disruptive
changes. Remediated artifacts are published as incremental patch versions, allowing teams to take a targeted fix for a CVE without taking on a broader upgrade at the same time.&lt;/p&gt;</description></item><item><title>How End-of-Life Software Accumulates Vulnerabilities</title><link>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/updating-images/how-eol-software-accumulates-cves/</link><pubDate>Wed, 04 Dec 2024 11:07:52 +0200</pubDate><guid>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/updating-images/how-eol-software-accumulates-cves/</guid><description>&lt;p&gt;Typically, specific versions of software receive updates on a schedule for a set amount of time. Eventually, though, every version of software will stop receiving support. When project maintainers stop providing updates, it&amp;rsquo;s known as the &lt;em&gt;End-of-Life&lt;/em&gt; (EOL) stage.&lt;/p&gt;
&lt;p&gt;Because it&amp;rsquo;s no longer being actively maintained, software begins to collect vulnerabilities when it reaches EOL. This problem can become compounded when using container images, as they often come with extra components from underlying base images which are all prone to accruing vulnerabilities. This can lead to images with hundreds of components, each collecting vulnerabilities and forming part of the attack surface.&lt;/p&gt;</description></item><item><title>How to Use Chainguard Security Advisories</title><link>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/security-advisories/how-to-use/</link><pubDate>Wed, 27 Dec 2023 11:07:52 +0200</pubDate><guid>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/security-advisories/how-to-use/</guid><description>&lt;p&gt;When using scanners such as &lt;a href="https://github.com/anchore/grype"&gt;Grype&lt;/a&gt; or &lt;a href="https://docs.docker.com/scout/"&gt;Docker Scout&lt;/a&gt; to scan for vulnerabilities in Chainguard Containers, you&amp;rsquo;ll often find that there are few or no CVEs present. However, CVEs can sometimes be found in Chainguard Containers, and you may also encounter CVEs if you&amp;rsquo;re using older tags. In these cases, you will likely wish to check Chainguard&amp;rsquo;s security advisories for information on which CVEs will cause security issues in your deployment.&lt;/p&gt;
&lt;p&gt;To help demystify the nature of CVEs within Chainguard Containers, we&amp;rsquo;ve created a self-service &lt;a href="https://images.chainguard.dev/security?utm_source=cg-academy&amp;amp;utm_medium=referral&amp;amp;utm_campaign=dev-enablement&amp;amp;utm_content=edu-content-chainguard-chainguard-images-working-with-images-security-advisories-how-to-use"&gt;Security Advisories page&lt;/a&gt; that lists every security advisory published for Chainguard Containers. Having this information available allows you to view whether Chainguard is aware of a specific vulnerability reported to exist within a Chainguard Container and whether we&amp;rsquo;ve mitigated or are planning to mitigate the CVE.&lt;/p&gt;</description></item><item><title>How Chainguard Issues Security Advisories</title><link>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/security-advisories/how-chainguard-issues/</link><pubDate>Fri, 26 Jul 2024 18:09:12 +0000</pubDate><guid>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/security-advisories/how-chainguard-issues/</guid><description>&lt;p&gt;When you scan a newly-built Chainguard Container with a vulnerability scanner, typically, no CVEs will be reported. However, as software packages age, more vulnerabilities are reported and CVEs will begin to accumulate in container images. When this happens, Chainguard releases security advisories to communicate these vulnerabilities to downstream image users.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Advisory timestamps represent when updates are made to the advisory page, not when they were first detected and triaged by Chainguard.&lt;/p&gt;</description></item><item><title>Using wolfictl to Manage Security Advisories</title><link>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/security-advisories/managing-advisories/</link><pubDate>Mon, 05 Aug 2024 20:23:51 +0000</pubDate><guid>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/security-advisories/managing-advisories/</guid><description>&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note&lt;/strong&gt;: This document is deprecated as of June 2025.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Chainguard operates its own &lt;a href="https://images.chainguard.dev/security/?utm_source=cg-academy&amp;amp;utm_medium=referral&amp;amp;utm_campaign=dev-enablement&amp;amp;utm_content=edu-content-chainguard-chainguard-images-working-with-images-security-advisories-managing-advisories"&gt;Security Advisories&lt;/a&gt; page to alert users about the status of vulnerabilities found in Chainguard Containers. To maintain this database, we use &lt;a href="https://github.com/wolfi-dev/wolfictl/"&gt;&lt;code&gt;wolfictl&lt;/code&gt;&lt;/a&gt;, a tool developed for working with the &lt;a href="https://github.com/wolfi-dev/"&gt;Wolfi un-distro&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;In this guide, you will walk through using &lt;code&gt;wolfictl&lt;/code&gt; to create an advisory for a vulnerable package. You’ll also learn how to update this advisory as more information about the vulnerability is disclosed over time. To follow along, you will need to have &lt;a href="https://git-scm.com/"&gt;&lt;code&gt;git&lt;/code&gt;&lt;/a&gt; and the &lt;a href="https://go.dev/dl/"&gt;Go programming language&lt;/a&gt; installed on your machine.&lt;/p&gt;</description></item><item><title>False Positives and False Negatives with Container Images Scanners</title><link>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/working-with-scanners/false-results/</link><pubDate>Thu, 14 Sep 2023 16:59:04 +0000</pubDate><guid>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/working-with-scanners/false-results/</guid><description>&lt;p&gt;A &lt;em&gt;vulnerability scanner&lt;/em&gt; is a tool that analyzes your software components and reports any &lt;a href="https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/software-security/cves/cve-intro/"&gt;CVEs&lt;/a&gt; it finds. Using a vulnerability scanner to find CVEs that impact your system is a critical step in &lt;a href="https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/software-security/cves/cve-remediation/"&gt;software vulnerability remediation&lt;/a&gt;, but as you begin to triage scanner-reported vulnerabilities, you may find that your scanner&amp;rsquo;s results are not perfectly accurate.&lt;/p&gt;
&lt;p&gt;The goal of a vulnerability scanner is to identify the vulnerabilities that impact your container images, which can be considered &lt;em&gt;true positive vulnerabilities&lt;/em&gt;. Sometimes, a scanner surfaces CVEs which are not actually impacting your images, which are called &lt;em&gt;false positive vulnerabilities&lt;/em&gt;. Your scanner may even miss some vulnerabilities that are impacting you, termed &lt;em&gt;false negative vulnerabilities&lt;/em&gt;.&lt;/p&gt;</description></item><item><title>Using Grype to Scan Software Artifacts</title><link>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/working-with-scanners/grype-tutorial/</link><pubDate>Thu, 06 Jun 2024 20:00:00 +0200</pubDate><guid>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/working-with-scanners/grype-tutorial/</guid><description>&lt;p&gt;&lt;a href="https://github.com/anchore/grype"&gt;Grype&lt;/a&gt; is a vulnerability scanner for container images and filesystems developed and maintained by &lt;a href="https://anchore.com/"&gt;Anchore&lt;/a&gt; and written in the Go programming language. Grype can scan Docker, OCI, Singularity, and podman images, image archives, and local directories. Grype is compatible with SBOMs generated by &lt;a href="https://github.com/anchore/syft"&gt;Syft&lt;/a&gt;, and Grype&amp;rsquo;s &lt;a href="https://github.com/anchore/grype-db"&gt;vulnerability database&lt;/a&gt; draws from a wide variety of sources.&lt;/p&gt;
&lt;p&gt;Grype is appropriate both for one-off detection during manual CVE mitigation and for automated use in CI pipelines. Chainguard maintains a &lt;a href="https://images.chainguard.dev/directory/image/grype/overview?utm_source=cg-academy&amp;amp;utm_medium=referral&amp;amp;utm_campaign=dev-enablement&amp;amp;utm_content=edu-content-chainguard-chainguard-images-working-with-images-scanners-grype-tutorial"&gt;low-to-no CVE Chainguard Image for Grype&lt;/a&gt; based on our lightweight Wolfi distribution.&lt;/p&gt;</description></item><item><title>Using Trivy to Scan Software Artifacts</title><link>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/working-with-scanners/trivy-tutorial/</link><pubDate>Wed, 03 Jul 2024 20:00:00 +0200</pubDate><guid>https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/working-with-scanners/trivy-tutorial/</guid><description>&lt;p&gt;&lt;a href="https://github.com/aquasecurity/trivy"&gt;Trivy&lt;/a&gt; is a vulnerability scanner for a wide variety of software artifacts and deployments. Trivy is written in the Go programming language and is maintained by &lt;a href="https://www.aquasec.com/"&gt;Aqua Security&lt;/a&gt;. Trivy targets container images, VMs, filesystems, remote GitHub repositories, and Kubernetes and Amazon Web Services deployments. The tool can be used to detect known vulnerabilities (CVEs), generate SBOMs, analyze licenses, and scan for misconfigurations and exposed secrets. 
Trivy can be installed from &lt;a href="https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/working-with-scanners/trivy-tutorial/#package-managers"&gt;package managers&lt;/a&gt; or as a &lt;a href="https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/working-with-scanners/trivy-tutorial/#binary-installation"&gt;binary&lt;/a&gt;, and can also be run as a &lt;a href="https://deploy-preview-3421--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/working-with-scanners/trivy-tutorial/#container-image"&gt;container image&lt;/a&gt;.&lt;/p&gt;</description></item></channel></rss>