Skip to main content

Container Vulnerability - FAQs

Why is the CVSS score for a vulnerability missing (N/A)?

Amazon AMI security advisories combine CVEs. This results in no CVSS score or multiple CVSS scores from the Amazon Linux Security Center. Lacework shows N/A when a CVSS score is not available.

Some CVE do not have a complete entry in NVD. If we do not get a CVSS score from NVD for a CVE reported by a distribution or library, Lacework shows N/A.

Why does the CVSS score not map to the corresponding severity?

Lacework retrieves the severity of a vulnerability from the OS vendor and the CVSS score from NVD. OS vendors often reclassify NVD vulnerabilities with a different severity, which means the CVSS score may not map to the NVD severity. The OS vendor's severity is usually more accurate than NVD as it takes into account package-specific configuration, compilation, etc.

How does Lacework's registry-based scanning work?

Lacework uses Docker V2-compatible APIs to derive image layer manifests and their composition to assess the packages within them. Though Lacework uses the docker pull implementation, Lacework consumes only the manifest; Lacework does not store or cache the images.

How does Lacework handle initial scanning for different registry services?

Behavior can be categorized into managed registries and unmanaged registries. Managed registries (ECR, GCR, GitHub) offer efficiencies for automatic initial scans and periodic polling completely through APIs without running additional infrastructure on your side. This provides maximum value with least effort, allowing you to set your credentials and make it work. Unmanaged registries do not offer this functionality within their APIs and span the spectrum in regards to conformance with the Docker V2 API standard. This requires additional workflows. Lacework supports automated scanning via registry notifications as new images are built, but to seed existing images, Lacework requires manual image scans through the CLI or API.

Does Lacework support scanning of Fat JARs?

Scanning of Fat JARs is fully supported when using the Lacework scanner. Fat JARs are single JAR files that contain all the dependencies needed for a project or to run a service (including the service code itself). The Lacework scanner will scan all the dependent packages within the Fat JAR and report back with any vulnerabilities.

What is an active image?

An active image is an image running in a container (Kubernetes or Docker) that is observed by the Lacework Agent installed on the same host or Kubernetes cluster.

On the Container Vulnerability page, containers will display as active if the image was in use either 24 hours or 1 hour prior to your current time. This depends on which Container Status filter is selected.

Why is there no new assessment for my active images?

Lacework continuously reassesses active container images for new vulnerabilities. A new assessment report will be generated only in a case of a new vulnerability discovered, or a change of severity. No new assessment will be created if there is no change in vulnerabilities.

How often does Lacework update their CVE database?

The Lacework platform ingests a new CVEs daily from OS vendors and the NIST National Vulnerability Database (NVD), including from CVE Sources for Language Libraries.

Are host operating system kernel packages excluded from container vulnerability scanning?

Operating System Kernel vulnerabilities are excluded from Container scans when using the Platform, Proxy, or Inline Scanners.

Containers do not run a kernel of their own, but instead rely on the Host OS for kernel features. As such, these packages are excluded during container image scans.