Mitigating vulnerabilities in container images is, most of the time, a straight-forward task: update the base image, use a newer version of Node or Java, bump the patch version of a project dependency, etc. However, all useful pieces of software are complex and vulnerability scanning tools fall short on explaining why they are flagging some edge-cases. This session walks you through mitigating critical vulnerabilities in popular container images like Java-based ones, from the obvious to the sneaky ones, and how to leverage layer explorer tools to narrow the search field for the latter. It is meant to be a hands-on session, first we will use Aqua’s Trivy scanner to analyze an image generated for a Spring Boot app and then wagoodman's dive to explore in which layer we are introducing a version of a library with critical vulnerabilities, while Maven seems to tell us otherwise.
Click here to view captioning/translation in the MeetingPlay platform!
