DockerCleaner: Automatic repair of security smells in dockerfiles

Publikationstyp
Conference Paper
Date Issued
2023-10
Sprache
English
Author(s)
Bui, Quang Cuong  
Software Security E-22  
Laukotter, Malte
Scandariato, Riccardo  
Software Security E-22  
TORE-URI
https://hdl.handle.net/11420/45265
Start Page
160
End Page
170
Article Number
195314
Citation
39th IEEE International Conference on Software Maintenance and Evolution (ICSME 2023)
Contribution to Conference
39th IEEE International Conference on Software Maintenance and Evolution, ICSME 2023  
Publisher DOI
10.1109/ICSME58846.2023.00026
Scopus ID
2-s2.0-85181542668
Publisher
Institute of Electrical and Electronics Engineers Inc.
Docker is a widely adopted platform that enables developers to create lightweight and isolated containers for deploying applications. These containers can be replicated from a single blueprint specified by a text file known as a Dockefile. The Dockerfile smells might not only hinder the performance of containers but also potentially introduce security risks. State-of-The-Art scanning tools, such as Hadolint and KICS, are available to efficiently detect Dockerfile smells. Still, there is a lack of approaches focusing on resolving these issues. Therefore, we present DockerCleaner, an automated repair tool that suggests fixes for eleven Dockerfile security smell types. Our tool employs the repair actions inspired by the best security practices for writing Dockerfiles. The evaluation results show that DockerCleaner can remove the artificially injected security smells from 92.67% of the Dockerfiles and guarantee the buildability for 99.33% of them. Specifically for security smells in real Dockerfiles, DockerCleaner outperforms the state-of-The-Art repair tool by a wide margin. Finally, we leveraged the fixes generated by DockerCleaner to propose improvements to twelve official Docker images. Eight pull requests have been accepted and merged by the developers.
Subjects
Automatic Repair
Docker
Security Smells
DDC Class
620: Engineering