( 19 ) United States
`( 12 ) Patent Application Publication ( 10 ) Pub . No .: US 2020/0097662 A1
`( 43 ) Pub . Date :
`Mar. 26 , 2020
`Hufsmith et al .
`
`US 20200097662A1
`
`IN
`
`( 54 ) COMBINED THREAT SCORE FOR
`CONTAINER IMAGES
`( 71 ) Applicant : CA , Inc. , Islandia , NY ( US )
`( 72 ) Inventors : Brian Hufsmith , Islandia , NY ( US ) ;
`William Mcallister , Islandia , NY ( US ) ;
`Mitchell Engel , Islandia , NY ( US )
`( 21 ) Appl . No .: 16 / 146,717
`Sep. 28 , 2018
`( 22 ) Filed :
`Related U.S. Application Data
`( 60 ) Provisional application No. 62 / 736,162 , filed on Sep.
`25 , 2018 .
`Publication Classification
`
`( 51 ) Int . Ci .
`GO6F 21/57
`H04L 9/06
`
`( 2006.01 )
`( 2006.01 )
`
`( 52 ) U.S. CI .
`CPC
`
`G06F 21/577 ( 2013.01 ) ; GO6F 2221/033
`( 2013.01 ) ; H04L 9/0643 ( 2013.01 )
`
`ABSTRACT
`( 57 )
`Provided is a process for determining threat scores for
`container images or distributed applications that consider the
`results of a multitude of different scanners and other factors
`such as context information which may include information
`about a given execution environment for the container
`image . Scanner results , or scanner properties , are deter
`mined for a container image or container images in a
`multi - container distributed application by various vulner
`ability scanners . The scanner properties determined by each
`vulnerability scanner are adjusted responsive to properties of
`the context and normalized to determine component threat
`scores for the container image . Then the component threat
`scores for the container image are combined to generate a
`combined threat score for the container image within the
`context of the execution environment .
`
`schema translator
`
`Axtr
`
`B xšt
`
`***
`
`C xlts
`
`controller
`
`results engine
`
`scan selecto :
`
`layer evaluator
`
`scais configurer
`
`vulnerability scanning engine
`
`12
`
`dev . comp .
`
`58
`
`cont . gs .
`
`scanner app . A
`
`scanner app . B
`
`scanner app . Z
`
`16
`
`16
`
`36
`
`36
`
`37 .
`
`apo
`COM
`
`52
`
`plugin
`
`vin .
`repository
`
`image
`18 ,
`sexsitory
`composition file
`respository
`
`app .
`
`spp .
`
`21
`
`cont .
`
`cont .
`
`cont .
`
`conta
`
`cont .
`
`container engine
`
`? ?
`
`container engine
`
`kere
`
`-32
`
`30
`
`kerne
`
`NIC
`Computing device
`
`NIC
`Mem
`coniputing device
`
`WIZ, Inc. EXHIBIT - 1078
`WIZ, Inc. v. Orca Security LTD.
`
`

`

`Patent Application Publication Mar. 26 , 2020 Sheet 1 of 10
`
`US 2020/0097662 A1
`
`schema translator
`
`B xitr
`
`* Na
`
`scan selector
`
`layer evaluator
`
`48 .
`
`scan configurer
`
`results engine
`54
`
`SO
`
`vulnerability scanning engine
`dev , comp .
`
`12
`
`20
`
`plugin
`
`58
`
`62
`
`scanner app . B
`
`16
`
`scanner app , Z
`
`164
`36
`
`app
`comp
`
`o 56
`
`repository
`
`18
`
`image
`repository
`respository
`
`app .
`
`container engine
`
`34
`
`37
`
`computing device
`26
`
`28
`
`FIG . 1A
`
`container engine
`
`OS
`
`CPU
`
`computing device
`
`

`

`Patent Application Publication
`
`Mar. 26 , 2020 Sheet 2 of 10
`
`US 2020/0097662 A1
`
`
`
`Container Score Record 101N
`
`
`
`
`
`Container Score Database
`
`102
`
`
`
`
`
`
`
`
`
`
`
`Properties 126 Version Container Score Record 101A Context
`
`History 127
`
`
`
`
`
`Score History 128
`
`Environments 129
`
`
`
`
`Config . Properties 106
`
`
`
`Properties 116 CVE Properties 111 Malware
`
`
`
`
`
`CWE Properties 121
`
`
`
`
`
`Container Scores 131
`
`100
`
`110
`
`
`
`CVE Evaluator
`
`
`
`Results Engine 54
`
`
`
`
`
`CWE Evaluator 120
`
`
`
`Container Scorer 130
`
`21
`
`Config . Evaluator
`105
`
`
`
`Malware Evaluator 115
`
`
`
`Context Evaluator 125
`
`
`
`Score Evaluator 135A
`
`
`
`Container Manager
`
`
`
`Score Evaluator 135B
`
`Dev . Comp . 58
`
`DE 60
`
`Plugin 62
`
`

`

`Patent Application Publication Mar. 26 , 2020 Sheet 3 of 10
`
`US 2020/0097662 A1
`
`obtain container image
`
`202
`
`200
`
`224
`
`filter potential vulnerabilities
`
`204
`
`layers ?
`yes
`
`select next layer
`
`206
`
`208
`
`210
`
`calculate metrics on potential vulnerabilities
`
`226
`
`228
`
`store results
`
`230
`
`cause results to be presented
`
`214
`
`designate selected scanner to scan
`selected layer in unified schema command
`
`select next scanner criteria
`
`216
`
`selected
`criteria satisfied by
`selected layer ?
`
`yes
`
`212
`
`translate unified schema command
`into scanner - specific schema command
`
`218
`
`command selected scanner to scan
`
`220
`
`receive results in scanner - specific schema
`
`222
`
`translate scanner - specific schema
`results into unified schema results
`
`

`

`Patent Application Publication Mar. 26 , 2020 Sheet 4 of 10
`
`US 2020/0097662 A1
`
`F obtain source code of a container image k
`
`352
`
`no
`
`analyze
`command ?
`
`354
`
`350
`
`command add a
`layer ?
`
`356
`
`Yes
`parse identifier of added code
`or other resource from command
`
`358
`
`query vulnerability repository with request
`for security vulnerabilities associated with
`added code or other resource
`
`360
`
`mitigated by other
`
`yes
`
`362
`
`annotate source code with an
`indication of vulnerability
`
`364
`
`yes
`
`sel . diff .
`
`366
`
`370
`
`additional
`info , req ?
`yes
`display vulnerability report
`
`368
`
`FIG . 3A
`
`

`

`Patent Application Publication
`
`Mar. 26 , 2020 Sheet 5 of 10
`
`US 2020/0097662 A1
`
`* o ***
`
`308
`
`
`
`Click here lana LERIE
`
`
`
`
`
`
`
`
`
`
`
`
`
`KUN apt - get install my softwaremmoperties - CORROR python Static analysis threat level is lowmmwm 306
`
`
`
`
`
`
`
`
`
`
`
`FIG . 38
`
`302
`
`302
`
`
`
`
`
`1998 199 200
`
`302
`
`300
`
`

`

`Patent Application Publication
`
`Mar. 26 , 2020 Sheet 6 of 10
`
`US 2020/0097662 A1
`
`302
`
`302
`
`zos / 1 . * { ******** / AM ) u " spau / UTP / 10 / 4 ) )
`
`FIG . 3C
`
`
`
`
`
`
`
`Image scan Results as of Mon Nov 27 12 16:28 EST 2017 for uhaantales COXOX than
`
`
`
`
`
`
`
`
`
`302 1 testing
`
`???
`
`30 %
`
`
`
`destolec untitled
`
`

`

`Patent Application Publication Mar. 26 , 2020 Sheet 7 of 10
`
`US 2020/0097662 A1
`
`400
`
`428
`
`Update Distributed
`Application Score
`Record
`
`402
`
`406
`
`408
`
`Obtain Container Image
`
`Determine Scanner
`Properties
`
`Create Container Score
`Record
`
`Obtain Distributed
`Application
`
`Determine Identifier ( s )
`for Container Image
`
`Create Distributed
`Application Score
`Record
`
`420
`
`421
`
`422
`
`426
`
`Yes
`
`Next
`Container ?
`
`430
`
`End
`
`FIG . 4
`
`

`

`Patent Application Publication Mar. 26 , 2020 Sheet 8 of 10
`
`US 2020/0097662 A1
`
`500
`
`Receive Request for
`Combined Threat Score
`
`502
`
`400
`
`No
`
`Score Record ?
`
`508
`
`Determine Weights for
`Scanner Properties
`
`Yes
`
`Scanner
`Property
`Weights
`
`504
`
`506
`
`512
`
`-510
`
`Determine Context
`Properties
`
`No
`
`Context
`Property
`Weights
`
`514
`
`Determine Weights for
`Context Properties
`
`516
`
`Yes
`Modify Scanner
`Property Weights based
`on Context Property
`Weights
`
`518
`
`520
`
`Generate Combined
`Threat Score
`
`Report Combined
`Threat Score
`
`FIG . 5
`
`

`

`Patent Application Publication
`
`Mar. 26 , 2020 Sheet 9 of 10
`
`US 2020/0097662 A1
`
`371
`
`
`
`Threat Score
`
`843
`
`
`
`Threat Score
`
`617
`
`
`
`Threat Score
`
`HIGH
`
`
`
`Threat Level
`
`
`
`Threat Level
`
`LOW
`
`
`
`Threat Level
`
`MEDIUM
`
`605
`
`603
`
`FIG . 6
`
`600
`
`
`
`Ubuntu Containers
`
`Ubuntu V1 5010
`
`
`
`
`
`mongo report card
`
`
`
`
`
`
`
`Last Scan Date : 01/05/18 05:00 PM
`
`Ubuntu V3 591A
`
`
`
`
`
`mongo report card
`
`Last Scan Date : 01/01/18 12:00 AM
`
`
`
`
`
`
`
`
`
`
`
`mongo report card
`
`
`
`
`
`
`
`Last Scan Date : 01/12/18 04:00 AM
`
`607
`
`+
`
`Ubuntu V2 5018
`
`

`

`Patent Application Publication
`
`Mar. 26 , 2020 Sheet 10 of 10 US 2020/0097662 A1
`
`NETWORK
`
`V / O DEVICE ( S )
`
`I / O DEVICE
`
`PROCESSOR 10109
`
`INSTRUCTIONS
`
`PROCESSOR
`
`FIG . 7
`
`

`

`US 2020/0097662 Al
`
`1
`
`Mar. 26 , 2020
`
`COMBINED THREAT SCORE FOR
`CONTAINER IMAGES
`
`CROSS - REFERENCE TO RELATED
`APPLICATIONS
`[ 0001 ] The present application claims the benefit of U.S.
`Provisional Patent Application No. 62 / 736,162 , filed on 25
`Sep. 2018 , which is incorporated by reference herein in its
`entirety .
`
`BACKGROUND
`
`1. Field
`[ 0002 ] The present disclosure relates generally to tooling
`for software development related to distributed applications
`and , more specifically , to techniques that combine metrics of
`heterogeneous vulnerability scans of container images .
`2. Description of the Related Art
`[ 0003 ] Distributed applications are computer applications
`implemented across multiple network hosts . The group of
`computers , virtual machines , or containers often each
`execute at least part of the application's code and cooperate
`to provide the functionality of the application . Examples
`include client - server architectures , in which a client com
`puter cooperates with a server to provide functionality to a
`user . Another example is an application having components
`replicated on multiple computers behind a load balancer to
`provide functionality at larger scales than a single computer .
`Some examples have different components on different
`computers that execute different aspects of the application ,
`such as a database management system , a storage area
`network , a web server , an application program interface
`server , and a content management engine .
`[ 0004 ] The different components of such applications ,
`such as those that expose functionality via a network
`address , can be characterized as services , which may be
`composed of a variety of other services , which may them
`selves be composed of other services . Examples of a service
`include an application component ( e.g. , one or more execut
`ing bodies of code ) that communicates via a network ( or
`loopback network address ) with another application com
`ponent , often by monitoring network socket of a port at a
`network address of the computer upon which the service
`executes .
`[ 0005 ]
`In many cases , the bodies of code and other
`resources by which the services are implemented can be
`challenging to secure . Often , the range of services is rela
`tively diverse and arises from diverse sets of bodies of code
`and other resources , thereby increasing the number of poten
`tial vulnerabilities . Further , such bodies of code and other
`resources can undergo relatively frequent version changes ,
`and in many cases the bodies of code and other resources ,
`are downloaded from third parties that create the bodies of
`code and other resources , such as public repositories that
`may be un - trusted or accorded less trust than code built
`in - house . Consequently , detecting and managing potential
`vulnerabilities in distributed application code and other
`resources can be particularly complex .
`[ 0006 ] Moreover , even in instances where potential vul
`nerabilities are detected , a degree to which they pose a threat
`in a given , and potentially highly complex , execution envi
`ronment of distributed application code and other resources
`
`is difficult to quantify or express in a usable manner . As a
`result , resources are often used without despite vulnerabili
`ties ( even if an administrator or developer is capable of
`performing a thorough analysis ) due to the computational
`and cognitive load associated with appropriately processing
`surfaced vulnerabilities .
`
`SUMMARY
`[ 0007 ] The following is a non - exhaustive listing of some
`asp
`of the present techniques . These and other aspects
`are described in the following disclosure .
`[ 0008 ] Some aspects include a process including : obtain
`ing , with one or more processors , a plurality of scanner
`properties pertaining to a container , the scanner properties at
`least comprising one or more Common Vulnerabilities and
`Exposures ( CVE ) scanner properties determined for the
`container by a first scanner and one or more Common
`Weakness Enumeration ( CWE ) scanner properties deter
`mined for the container be a second scanner ; determining
`weights for the plurality of scanner properties , each scanner
`property having an associated metric and value ; obtaining ,
`with one or more processors , context properties pertaining to
`an execution environment of the container ; determining ,
`with one or more processors , to which scanner properties
`each of the context properties applies within the execution
`environment and weights for the context properties ; modi
`fying , by one or more of the weights determined for one or
`more respective context properties , the weights for the
`scanner properties to which the respective context properties
`apply to determine modified weights for at least some of the
`scanner properties ; determining a combined threat score for
`the container based on the at least some of the scanner
`properties having the modified weights and the other scanner
`properties , and storing , with one or more processors , the
`combined threat score in memory .
`[ 0009 ] Some aspects include a tangible , non - transitory ,
`machine - readable medium storing instructions that when
`executed by a data processing apparatus cause the data
`processing apparatus to perform operations including the
`above - mentioned process .
`[ 0010 ] Some aspects include a system , including : one or
`more processors ; and memory storing instructions that when
`executed by the processors cause the processors to effectuate
`operations of the above - mentioned process .
`BRIEF DESCRIPTION OF THE DRAWINGS
`[ 0011 ] The above - mentioned aspects and other aspects of
`the present techniques will be better understood when the
`present application is read in view of the following figures
`in which like numbers indicate similar or identical elements :
`[ 0012 ]
`FIG . 1A is a block logical and physical architecture
`diagram of a computing environment having a scanning
`engine in accordance with some embodiments of the present
`techniques ;
`[ 0013 ] FIG . 1B is a block logical and physical architecture
`diagram of a computing environment having a results engine
`in accordance with some embodiments of the present tech
`niques ;
`[ 0014 ] FIG . 2 is a flowchart of an example of a process
`executed by the scanning engine of FIG . 1A to generate and
`apply test specifications in accordance with some embodi
`ments of the present techniques ;
`
`

`

`US 2020/0097662 A1
`
`2
`
`Mar. 26 , 2020
`
`FIG . 3A is a flowchart of an example of a process
`[ 0015 ]
`executed by a plugin of a integrated development environ
`ment to annotate code specifying container images with
`alerts relating to potential security vulnerabilities in accor
`dance with some embodiments of the present techniques ;
`[ 0016 ] FIG . 3B is an example of a user interface created
`by the process of FIG . 3A in accordance with some embodi
`ments of the present techniques ;
`[ 0017 ]
`FIG . 3C is another example of a user interface
`created by the process of FIG . 3A in accordance with some
`embodiments of the present techniques ;
`[ 0018 ]
`FIG . 4 is a flowchart of an example of a process
`executed by the scanning engine of FIG . 1A to generate
`container score records in accordance with some embodi
`ments of the present techniques ;
`[ 0019 ] FIG . 5 is a flowchart of an example of a process
`executed by the results engine of FIG . 1A or 1B to generate
`a combined threat score in accordance with some embodi
`ments of the present techniques ;
`[ 0020 ]
`FIG . 6 is an example of a user interface showing a
`combined threat score in accordance with some embodi
`ments of the present techniques ; and
`[ 0021 ] FIG . 7 is a block diagram of an example of a
`computing device with which the above - describe techniques
`may be implemented .
`[ 0022 ] While the present techniques are susceptible to
`various modifications and alternative forms , specific
`embodiments thereof are shown by way of example in the
`drawings and will herein be described in detail . The draw
`ings may not be to scale . It should be understood , however ,
`that the drawings and detailed description thereto are not
`intended to limit the present techniques to the particular
`form disclosed , but to the contrary , the intention is to cover
`all modifications , equivalents , and alternatives falling within
`the spirit and scope of the present techniques as defined by
`the appended claims .
`DETAILED DESCRIPTION OF CERTAIN
`EMBODIMENTS
`[ 0023 ] To mitigate the problems described herein , the
`inventors had to both invent solutions and , in some cases just
`as importantly , recognize problems overlooked ( or not yet
`foreseen ) by others in the field of software development
`tooling . Indeed , the inventors wish to emphasize the diffi
`culty of recognizing those problems that are nascent and will
`become much more apparent in the future should trends in
`industry continue as the inventors expect . Further , because
`multiple problems are addressed , it should be understood
`that some embodiments are problem - specific , and not all
`embodiments address every problem with traditional sys
`tems described herein or provide every benefit described
`herein . That said , improvements that solve various permu
`tations of these problems are described below .
`[ 0024 ] Several techniques are described below under dif
`ferent headings in all - caps . These techniques may be used
`together or independently , which is not to suggest that other
`descriptions are limiting .
`[ 0025 ] Selectively Applying Heterogeneous Vulnerability
`Scans to Layers of Container Images
`[ 0026 ] The above - described challenges with managing
`vulnerabilities in distributed applications are amplified when
`those applications are built with a particular type of archi
`tecture that has seen increased use in recent years . Many
`developers have migrated from instantiating services as
`
`discrete virtual machines to instantiating services as con
`tainers , for instance , DockerTM containers , Open Container
`Initiative ( OCI ) containers , or with KubernetesTM ( which is
`not to suggest that items in this list or any other herein
`describe mutually exclusive categories of items ) . Containers
`generally virtualize at the operating system level , in contrast
`to virtual machines that emulate the underlying hardware as
`well . OS - level virtualization affords a number of benefits ,
`including lower computational load , faster spin up , and
`sharing of resources across multiple containers within a
`given computing device , in some cases with multiple con
`tainers implemented on a single kernel . This should not be
`read to suggest that containers and virtual machines are
`incompatible , as some implementations may include one or
`more containers executed within a virtual machine , which
`may be one of several virtual machines on a given comput
`ing device .
`[ 0027 ] Another advantage of some container implemen
`tations is that container images are often constructed from
`multiple layers , also called intermediate images of read - only
`bodies of code and other resources ( other than a top layer )
`that can be reused across multiple container images .
`Mutable aspects of the container image , in some embodi
`ments , are isolated to a top , read - write layer , and the overall
`container image may be described as a collection of accu
`mulated differences between layers , in some cases , as speci
`fied by a Dockerfile document . As a result , container images
`are often relatively extensible , lightweight , and fast to
`deploy relative to other types of tooling for distributed
`applications serving a similar role .
`[ 0028 ] Some of the features that provide these perfor
`mance benefits , however , can make securing the distributed
`application more difficult . Various ones of the scanning
`engines available today provide different views into the
`vulnerabilities associated with a binary or a package in the
`operating system . The various scanning engines generally
`provide disparate and often conflicting information about the
`exposure surface with respect to the files and packages . This
`can get confusing and results in many false positives when
`occurring in the context of containers , and it can make it
`difficult to provide a holistic view into the exposure for a
`container , due to the layered nature of the container . Typical
`scanning techniques in this space do not provide multi
`sourced vulnerability assessments , which could leave expo
`sures undetected and unchecked . Further , a multi - source
`approach which includes both Common Vulnerabilities and
`Exposures ( CVE ) and Common Weakness Enumeration
`( CWE ) information is lacking . The terms “ common ” and
`“ weakness ” in these acronyms are not terms of degree and
`are , rather , part of the names of respective ontologies of
`documented vulnerabilities .
`[ 0029 ] Moreover , the various scanning engines available
`today do not quantify a degree to which the disparate
`potential vulnerabilities they detect pose a threat in a given ,
`and often highly complex , execution environment of dis
`tributed applications . Thus , in addition to the lack of a
`multi - sourced vulnerability assessment , there exists no
`multi - sourced vulnerability assessment that scores potential
`vulnerabilities within a context of a given execution envi
`ronment . As a result , a combined threat score for container
`images is lacking .
`[ 0030 ] None of this is to suggest that all embodiments
`must address all of these needs , as independently useful
`techniques are described , and some techniques may address
`
`

`

`US 2020/0097662 A1
`
`3
`
`Mar. 26 , 2020
`
`only a subset of these or other issues . Further , the preceding
`should not be taken to suggest that systems that suffer from
`these issues are disclaimed , and this qualification should not
`be read to suggest that any other subject matter described
`elsewhere herein is disclaimed .
`[ 0031 ] Some embodiments examine each ( e.g. , each of at
`least some of all , or each and every ) of the layers in a
`container image and determine consistency with respect to
`files and packages ( and other resources ) in each layer . Then
`based on the file / package information , some embodiments
`submit those files / packages and other resources to various
`vulnerability scanning engines ( including VeracodeTM and
`others enumerated below ) for vulnerability assessment .
`Based on results , some embodiments provide a relatively
`comprehensive report of the exposure associated with that
`container image .
`[ 0032 ] Some embodiments examine the scanner results , or
`scanner properties , determined for the container image by
`each of the various vulnerability scanning engines in view of
`a context of a given execution environment for the container
`image . The scanner properties determined by each vulner
`ability scanning engine are adjusted responsive to properties
`of the context and normalized to determine component
`threat scores for the container image . Then the component
`threat scores for the container image are combined to
`generate a combined threat score for the container image
`within the context of the execution environment . In this way ,
`the combined threat score represents an overall measure of
`the exposure associated with that container image within the
`context of the execution environment .
`[ 0033 ] By analyzing the data in each of the layers of a
`container , some embodiments extract the binaries and send
`them to the most appropriate scanning technique across
`multiple scanning engines . The binary and package infor
`mation may be assessed and sent to engines to acquire the
`CVE and CWE information for the binary . Once this is
`complete , some embodiments may apply algorithms to the
`results to generate a comprehensive view into the image to
`obtain a threat assessment , remediation recommendations
`and exposure report . Some embodiments engage multiple
`engines to obtain a vulnerability report and use the results of
`that report to provide a much more accurate threat level for
`any given package / binary in a container image relative to
`traditional approaches .
`[ 0034 ] Some embodiments determine a combined threat
`score for the container image as a whole , which in some
`cases takes into account the threat levels determined for the
`packages , binaries , and other resources within the container
`image and additional information to better represent an
`overall evaluation of risk associated with utilizing the con
`tainer . In some embodiments , this additional information , or
`context , includes properties relating to an execution envi
`ronment of the container image or other properties ( e.g. ,
`historical information ) relating to the container image that
`are not accounted for in traditional scanning techniques .
`Thus , for example , the threat levels for the packages , bina
`ries , and other resources may be adjusted based on the
`context properties to determine a combined threat score that
`accurately represents the exposure associated with using the
`container image .
`[ 0035 ] By using the multi - source scanning approach ,
`some embodiments may include information from the OS
`vendors as well as binary assessments from tools such as
`VeracodeTM . Further , some embodiments are extensible in
`
`virtue of a unified application program interface ( API ) , so
`other scanning results can be engaged as they become
`available without undertaking expensive and cumbersome
`rewrites of substantial portions of the code of some embodi
`ments .
`[ 0036 ] As container images are submitted to be scanned ,
`in some embodiments , a layer evaluator may break down the
`layers and submit detected binaries ( and other resources )
`over to other portions of the scanning engine to be evaluated .
`The scanning engine , in some embodiments , examines the
`information to determine the most appropriate ( or at least
`suitable ) scanning engine or engines to be used for the
`information submitted . The scanning engine may use one or
`more sources for the scans to run on . Each of at least some
`( or all ) of the scanners may use a shared scanner API ,
`allowing the results scanner properties to be reported
`back in
`a similar format despite the different scanning
`techniques . Once the full scan is complete , in some embodi
`ments , the information is packaged up and may be sent over
`to a result engine to be formatted and reported back .
`Additionally , the result engine may remove commonalities ,
`provide scoring information and mask out at least some
`( e.g. , all ) previously identified false positives . Further , in
`some embodiments , the result engine may analyze and
`modify one or more of the scanner properties based on
`contextual information . The information reported back may
`include one or more combined threat scores that takes into
`account the contextual information and the scanner proper
`ties .
`[ 0037 ] Algorithms in some embodiments of the scanning
`engine may to determine the best or suitable scanners among
`a diverse set of scanners , e.g. , so that packages go into
`package scanners , binaries are sent to binary scanners ( such
`as VeracodeTM ) , and so on for various resources types .
`Additionally , candidate scans may be evaluated for chance
`( or other measure ) of success . For example , binaries that
`include machine code without debug symbols , which would
`not succeed with a particular scanner that requires debug
`symbols , may be detected and , in response , sent to
`a
`different scanner . Jar files and scripts that can easily be
`scanned by multiple scanners may be submitted to any
`available suitable scanner in some embodiments , e.g. , by
`applying load balancing techniques based on a work queues
`of the various scanners .
`[ 0038 ]
`In some embodiments , these techniques may be
`implemented in a computing environment 10 ( e.g. , including
`each of the illustrated components ) shown in FIG . 1A by
`executing processes described below with reference to FIG .
`2 , 3A , 4 or 5 upon computing devices like those described
`below with reference to FIG . 7. In some mbodiments , the
`computing environment 10 may include a vulnerability
`scanning engine 12 , a plurality of computing devices 14 ,
`scanner applications 16 , a composition file repository 18 , a
`container manager 20 , and an image repository 22. These
`components may communicate with one another via a
`network 21 , such as the Internet and various other local area
`networks .
`[ 0039 ]
`In some embodiments , the computing environment
`10 may execute a plurality of different distributed applica
`tions , in some cases intermingling components of these
`distributed applications on the same computing devices and ,
`in some cases , with some of the distributed applications
`providing software tools by which other distributed appli
`cations are deployed , monitored , and adjusted . It is helpful
`
`

`

`US 2020/0097662 A1
`
`4
`
`Mar. 26 , 2020
`
`to generally discuss these applications before addressing
`specific components thereof within the computing environ
`ment 10. In some cases , such applications may be catego
`rized as workload applications and infrastructure applica
`tions . The workload applications may service tasks for
`which the computing environment is designed and provided ,
`e.g. , hosting a web - based service , providing an enterprise
`resource management application , providing a customer
`relationship management application , providing a document
`management application , providing an email service , or
`providing an industrial controls application , just to name a
`few examples . In contrast , infrastructure applications may
`exist to facilitate operation of the workload application .
`Examples include vulnerability scanning applications ,
`monitoring applications , logging applications , container
`management applications , and the like .
`[ 0040 ]
`In some embodiments , the computing devices 14
`may execute a ( workload or infrastructure ) distributed appli
`cation that is implemented through a collection of services
`that communicate with one another via the network 21 .
`Examples of such services include a web server that inter
`faces with a web browser executing on a client computing
`device via network 21 , an application controller that maps
`requests received via the web server to collections of respon
`sive functional actions , a database management service that
`reads or writes records responsive to commands from the
`application controller , and a view generator that dynamically
`composes webpages for the web server to return to the user
`computing device . Some examples have different compo
`nents on different computers that execute different aspects of
`the application , such as a database management system , a
`storage area network , a web server , an application program
`interface server , and a content management engine . Other
`examples include services that pertain to other application
`program interfaces , like services that process data reported
`by industrial equipment or Internet of things appliances .
`Often , the number of services is expected to be relatively
`large , particularly in multi - container applications imple
`menting a microservices architecture , where functionality is
`separated into relatively fine - grained services of a relatively
`high number , for instance more than 10 , more than 20 , or
`more than 100 different microservices . In some cases , there
`may be multiple instances of some of the services , for
`instance behind load balancers , to accommodate relatively
`high computing loads , and in some cases , each of those
`instances may execute within different containers on the
`computing devices as described below . These applications
`can be characterized as a service composed of a variety of
`other services , which may themselves be composed of other
`services . Services composed of other services generally
`form a service hierarchy ( e.g. , a service tree ) that terminates
`in leaf nodes composed of computing hardware each execut
`ing a given low level service . In some cases , a given node
`of this tree may be present in multiple trees for multiple root
`services .
`[ 0041 ] As multi - container applications or other distributed
`applications have grown more complex in recent years , and
`the scale of computing loads has grown , many distributed
`applications have been designed ( or redesigned ) to use
`more , and more diverse , services . Functionality that might
`have previously been implemented within a single thread on
`a single computing device ( e.g. , as different sub - routines in
`a given executable ) has been broken - up into distinct services
`that communicate via a network interface , rather than by
`
`a
`
`function calls within a given thread . Services in relatively
`granular architectures are sometimes referred to as
`“ microservice . ” These microservice architectures afford a
`number of benefits , including ease of scaling to larger
`systems by instantiating new components , making it easier
`for developers to reason about complex systems , and
`increased reuse of code across applications . It is expected
`that the industry will move towards increased us