Skip to content

le3cm/container-cve-tracker

Repository files navigation

Container CVE Tracker

A unified toolchain for automated container vulnerability analysis, API mapping, source extraction, and AST-based call flow visualization. This script orchestrates:

  1. Trivy vulnerability scan of a Docker image tar file.
  2. Mapping of detected CVEs to relevant Python API calls using a local library-to-CVE-API database.
  3. Extraction of the application layer from the container filesystem.
  4. AST-based call flow analysis highlighting external, internal-only, and unused APIs.

Prerequisites

  • Python 3.10+

  • Trivy (v0.30.0+)

  • Graphviz (for AST call graph rendering)

  • Required Python packages (install via pip):

    pip install python_api_extractor python_ast_visualizer search_source trivy_extracter graphviz

Installation

  1. Clone this repository:

    git clone https://github.com/your-org/container-cve-tracker.git
    cd container-cve-tracker
  2. Install dependencies as listed in the Prerequisites.

Usage

python main.py <path-to-image.tar>
  • <path-to-image.tar>: Path to the Docker image tarball to analyze.

Example

python main.py ubuntu-app.tar

Upon completion, results will be available under the DB/ directory:

DB/
├── trivy_analysis_result.json       # Raw Trivy JSON output
├── LIB2CVE2API.json                 # Mapped CVE → API calls database
├── <image_name>/source/             # Extracted application layer files
└── <image_name>_analysis_result/    # AST graphs and api_info.json
    ├── ast_graph.png
    └── api_info.json                # External/internal/unused API lists

Workflow Steps

  1. Trivy Scan (step 1)

    • Invokes trivy_func.scan_vulnerabilities on the image tarball.
    • Saves results to DB/trivy_analysis_result.json.
  2. API Mapping (step 2)

    • Loads Trivy JSON and builds a mapping of CVE → Python APIs via python_api_extractor.extracter.build_cve_api_mapping.
    • Outputs DB/LIB2CVE2API.json.
  3. Layer Extraction (step 3)

    • Uses layer_extracter.extract_app_layer to extract the application layer into DB/<image_name>/source/.
  4. AST Analysis (step 4)

    • Parses target API list from LIB2CVE2API.json.
    • Walks extracted source files, generates a call-flow graph via ast_to_png.visualize_call_flow.
    • Produces .png graphs and a JSON of categorized APIs (api_info.json).

Configuration

  • Paths: Modify constants at the top of main.py if you need custom output locations.
  • Filters: Adjust file inclusion/exclusion in the layer_extracter.extract_app_layer call.
  • Graphviz options: Customize node/edge styling by editing python_ast_visualizer.utils.ast_to_png parameters.

About

No description, website, or topics provided.

Resources

License

Stars

0 stars

Watchers

1 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages