Evaluating DAVS Approach for Docker Images Static Analysis


Research field: Verification



Conference: International Conference on Availability, Reliability and Security


Abstract

Docker, the most widely used container platform, raises security concerns due to its layered image structure: vulnerabilities in a base image are inherited by all derived images. As a result, thorough and reliable image scanning is essential to maintaining system security. The DAVS approach [4] improves static vulnerability detection by specifically targeting software installed manually in Docker images. By combining traditional static tools with scanning of suspicious layers, DAVS demonstrated higher detection efficiency. This paper extends the DAVS work in three key ways. First, we developed an open-source implementation of the approach. Second, we validated it using multiple static analysis tools, including Trivy and Grype. Third, we constructed a recent dataset of 132 Docker images, including top-pulled, intentionally vulnerable, and randomly selected images. Our results support previous findings [4] and show that our tool enhances existing scanners by detecting additional vulnerabilities: up to 751 previously missed issues, even in widely used images. By combining static and binary analysis, our method offers a more comprehensive solution for container image security.


Authors

Ilnar Khasanov (Innopolis University, Innopolis, Russia)

Andrey Sadovykh (Softeam, Courbevoie, France)

Paper information

Publication year: 2025
Citations: 0
Publication country: Russia, France
Site: Springer
