Snyk recently released its annual State of Open-Source Security Report for 2019, which highlights the current landscape of open-source security, as a whole, and clearly illustrates that vulnerabilities in container images are no exception.

The report showed results from data collected in a recent survey of more than 500 open-source developers and maintainers, data from public application registries, library datasets, GitHub repositories, and Snyk’s comprehensive vulnerability database continuously pulling in data from hundreds of thousands of projects monitored and protected by Snyk.

Known Vulnerabilities in System Libraries

System libraries are, of course, common artifacts in operating systems, which Docker images are built upon. With more system libraries and tools bundled in a Docker image, the risk of finding a security vulnerability in the image increases.

Snyk tracked information about the state of security disclosures that were made public on some of the most popular Linux distributions, based on data Snyk gathered from cvedetails. Snyk found that security vulnerabilities in RedHat Enterprise Linux, Ubuntu, and Debian grew four-fold in 2018. That’s right, there’s no decimal place missing; it grew by almost three and a half times.

As can be seen in the graph Snyk compiled, the increase of new vulnerabilities being discovered in any of these distributions is growing very steeply.

As Snyk takes a look at a breakdown of vulnerabilities by their severity, you can see that 2017 and 2018 continue the trend in an increase in the number of high and critical vulnerabilities being disclosed.

Known Vulnerabilities in Docker Images

Docker images almost always bring known vulnerabilities alongside their great value.

The findings show that in every Docker image scanned, Snyk was able to find vulnerable versions of system libraries. Each of the top ten most popular default docker images contains at least 30 vulnerable system libraries, and the official Node.js image ships 580 vulnerable system libraries.

In Docker, the top ten images all carry dozens of vulnerable dependencies, greatly outnumbering the number of vulns found in the Dockerfile themselves. However, fixing these vulnerabilities can be a task this is easy to execute. Out of 44 percent of scanned docker images, Snyk found that it is possible to fix known vulnerabilities simply by updating their base image tag.

Most vulnerabilities come from libraries you don’t explicitly use. In most ecosystems, 75 percent or more of your dependencies are indirect, implicitly pulled in by the libraries you use and Snyk found that 78 percent of overall vulnerabilities tracked are from indirect dependencies.

As containers continue to explode onto the IT landscape in 2019, container security threats continue to present themselves, and organizations are now more than ever placing a higher level of importance on ensuring image security is a top priority.

You can find in the full report about The State of Open-Source Security for 2019 at https://snyk.io/opensourcesecurity-2019/.