Security Vulnerabilities in Docker Images: A Cross-Tag Study of Application Dependencies
Docker containers are widely used in modern enterprise applications and cloud environments for their efficiency, portability, and rapid deployment. As a leading containerization technology, Docker enables applications to be stored as images containing all required runtime dependencies. Nonetheless, the growing popularity of containers has also raised security concerns as the libraries and dependencies included in Docker images can contain security vulnerabilities. Previous research has predominantly focused on operating system vulnerabilities, with some investigations into application vulnerabilities originating from vulnerable dependencies. However, these studies have focused solely on the latest tag (version) of each Docker image repository, without offering insights into the prevalence and potential resolution of vulnerabilities across different releases. This limitation restricts our understanding of how effectively they are managed over time. In this study, we investigate the prevalence of vulnerable JavaScript packages within Docker containers across multiple release tags. Our time-based analysis enables us to assess the extent to which maintainers resolve these vulnerabilities in subsequent releases, as well as the time required to address them. We analyzed 6,292 unique images gathered from 1,573 active repositories. Our findings indicate that the majority of Docker images contain multiple vulnerabilities across various tags. Nearly 61% of repositories have vulnerabilities in every examined tag. While some of these vulnerabilities are resolved by maintainers in subsequent releases, many remain unaddressed within our observation timeframe. Moreover, we found that only 10% of vulnerabilities are typically addressed within the first 6 months, leaving many unattended for considerably longer durations. We also discovered that common repository attributes, including popularity, contributor count, and automation usage, have no significant effect on the timeliness of vulnerability resolution.