
Container Vulnerability - FAQs

Why is the CVSS score for a vulnerability missing (N/A)?

Amazon AMI security advisories combine multiple CVEs, so the Amazon Linux Security Center provides either no CVSS score or several CVSS scores for a single advisory. Lacework shows N/A when a single CVSS score is not available.

Some CVEs do not have a complete entry in NVD. If Lacework does not get a CVSS score from NVD for a CVE reported by a distribution or library, Lacework shows N/A.

Why does the CVSS score not map to the corresponding severity?

Lacework retrieves the severity of a vulnerability from the OS vendor and the CVSS score from NVD. OS vendors often reclassify NVD vulnerabilities with a different severity, which means the CVSS score may not map to the NVD severity. The OS vendor's severity is usually more accurate than NVD's because it takes into account package-specific configuration, compilation options, and similar factors.

How does Lacework's registry-based scanning work?

Lacework uses Docker V2-compatible APIs to retrieve image layer manifests and their composition, and assesses the packages within them. Although Lacework uses the docker pull implementation, it consumes only the manifest; Lacework does not store or cache the images.

How does Lacework handle initial scanning for different registry services?

Behavior can be categorized into managed registries and unmanaged registries. Managed registries (ECR, GCR, GitHub) support automatic initial scans and periodic polling entirely through their APIs, without running additional infrastructure on your side. This provides maximum value with the least effort: you only need to supply your credentials. Unmanaged registries do not offer this functionality within their APIs and vary widely in how closely they conform to the Docker V2 API standard, so they require additional workflows. Lacework supports automated scanning via registry notifications as new images are built, but to seed existing images, Lacework requires manual image scans through the CLI or API.

Does Lacework support scanning of Fat JARs?

Scanning of Fat JARs is fully supported when using the Lacework scanner. Fat JARs are single JAR files that contain all the dependencies needed for a project or to run a service (including the service code itself). The Lacework scanner scans all the dependent packages within the Fat JAR and reports any vulnerabilities found.

How often does Lacework update their CVE database?

The Lacework platform ingests new CVEs daily from OS vendors and the NIST National Vulnerability Database (NVD), including from CVE Sources for Language Libraries.

Are host operating system kernel packages excluded from container vulnerability scanning?

Operating system kernel vulnerabilities are excluded from container scans when using the Platform, Proxy, or Inline Scanners.

Containers do not run a kernel of their own, but instead rely on the Host OS for kernel features. As such, these packages are excluded during container image scans.

How often are my active images reassessed for vulnerabilities?

Lacework reassesses active container images for new vulnerabilities on a daily basis.

What is the unique identifier for an image assessment?

All Lacework vulnerability scanning uses the SHA256 of an image as the unique identifier for each assessment.

As such, each unique SHA256 image ID found by Lacework equals one image assessment.
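The two answers above on registry-based scanning and on the SHA256 image identifier describe the same mechanism from two sides: the scanner fetches only the manifest via the Docker V2 API, and the assessment is keyed by the SHA256 digest of that manifest. The following is an added example (not Lacework's code) that works on a constructed schema 2 manifest as a registry would serve it from `GET /v2/<name>/manifests/<reference>`; the layer digests, sizes and the `describe_manifest` / `same_image` helper names are assumptions for illustration.

```python
import hashlib
import json
from typing import Dict, List

# Media types a Docker Registry V2-compatible server uses for a single-image
# manifest and for a multi-architecture manifest list.
MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"
MANIFEST_LIST_V2 = "application/vnd.docker.distribution.manifest.list.v2+json"

# Constructed sample manifest body, as returned with "Accept: <MANIFEST_V2>".
# The config and layer digests are placeholders, not real image content.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": MANIFEST_V2,
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1469, "digest": "sha256:" + "11" * 32},
    "layers": [
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 2811478, "digest": "sha256:" + "22" * 32},
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 95612, "digest": "sha256:" + "33" * 32},
    ],
}, separators=(",", ":")).encode()


def manifest_digest(raw: bytes) -> str:
    # The image digest is the SHA256 of the manifest bytes exactly as served.
    # Re-serialising the JSON changes whitespace and therefore the digest, so
    # always hash the raw response body, never a parsed-and-dumped copy.
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def describe_manifest(raw: bytes) -> Dict[str, object]:
    # Everything needed to identify the image and list its composition comes
    # from the manifest alone; no layer blob is downloaded or cached.
    m = json.loads(raw)
    if m.get("mediaType") == MANIFEST_LIST_V2:
        # A manifest list has no layers of its own; each platform entry must
        # be resolved to its own manifest (and digest) before assessment.
        raise ValueError("manifest list: resolve a platform-specific manifest first")
    if m.get("schemaVersion") != 2:
        raise ValueError("expected a schema 2 manifest")
    layers: List[str] = [layer["digest"] for layer in m["layers"]]
    return {"digest": manifest_digest(raw), "config": m["config"]["digest"],
            "layers": layers, "layer_bytes": sum(l["size"] for l in m["layers"])}


def same_image(raw_a: bytes, raw_b: bytes) -> bool:
    # Two tags (e.g. :latest and :1.2) resolve to one assessment when the
    # manifest digests match, which is why assessments are counted per digest.
    return manifest_digest(raw_a) == manifest_digest(raw_b)
```

Against a live registry the same functions apply to the body of the manifests response; the `Docker-Content-Digest` header the registry returns should equal `manifest_digest(body)`, and a mismatch means the body was altered in transit or re-encoded.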