A unified toolchain for automated container vulnerability analysis, API mapping, source extraction, and AST-based call flow visualization. This script orchestrates:
- Trivy vulnerability scan of a Docker image tar file.
- Mapping of detected CVEs to relevant Python API calls using a local library-to-CVE-API database.
- Extraction of the application layer from the container filesystem.
- AST-based call flow analysis highlighting external, internal-only, and unused APIs.
-
Python 3.10+
-
Trivy (v0.30.0+)
-
Graphviz (for AST call graph rendering)
-
Required Python packages (install via pip):
pip install python_api_extractor python_ast_visualizer search_source trivy_extracter graphviz
-
Clone this repository:
git clone https://github.com/your-org/container-cve-tracker.git cd container-cve-tracker -
Install dependencies as listed in the Prerequisites.
python main.py <path-to-image.tar><path-to-image.tar>: Path to the Docker image tarball to analyze.
python main.py ubuntu-app.tarUpon completion, results will be available under the DB/ directory:
DB/
├── trivy_analysis_result.json # Raw Trivy JSON output
├── LIB2CVE2API.json # Mapped CVE → API calls database
├── <image_name>/source/ # Extracted application layer files
└── <image_name>_analysis_result/ # AST graphs and api_info.json
├── ast_graph.png
└── api_info.json # External/internal/unused API lists
-
Trivy Scan (
step 1)- Invokes
trivy_func.scan_vulnerabilitieson the image tarball. - Saves results to
DB/trivy_analysis_result.json.
- Invokes
-
API Mapping (
step 2)- Loads Trivy JSON and builds a mapping of CVE → Python APIs via
python_api_extractor.extracter.build_cve_api_mapping. - Outputs
DB/LIB2CVE2API.json.
- Loads Trivy JSON and builds a mapping of CVE → Python APIs via
-
Layer Extraction (
step 3)- Uses
layer_extracter.extract_app_layerto extract the application layer intoDB/<image_name>/source/.
- Uses
-
AST Analysis (
step 4)- Parses target API list from
LIB2CVE2API.json. - Walks extracted source files, generates a call-flow graph via
ast_to_png.visualize_call_flow. - Produces
.pnggraphs and a JSON of categorized APIs (api_info.json).
- Parses target API list from
- Paths: Modify constants at the top of
main.pyif you need custom output locations. - Filters: Adjust file inclusion/exclusion in the
layer_extracter.extract_app_layercall. - Graphviz options: Customize node/edge styling by editing
python_ast_visualizer.utils.ast_to_pngparameters.