Kaspersky Container Security

Scanning Java packages in images

July 3, 2024

ID 279524

Kaspersky Container Security can scan Java packages contained in registry images. For this purpose, the solution uses Java vulnerability databases.

Scanning for Java packages is available in Kaspersky Container Security v1.2.1 and later. If you have an earlier version installed, you must update the solution to v1.2.1 to use this functionality.

You can configure scanning of Java packages by setting the value of the ENABLE_JAVA_VULN environment variable in the values.yaml file. If ENABLE_JAVA_VULN = true, Kaspersky Container Security performs scanning using the Java vulnerability databases. If ENABLE_JAVA_VULN = false, Java packages are not scanned.

By default, ENABLE_JAVA_VULN is set to false.

The kcs-updates component v1.2.1 provided in the distribution kit contains Java vulnerability databases. When using this component, make sure that the environment variables in the values.yaml file are defined as follows:

ENABLE_JAVA_VULN = true

KCS_UPDATES_TAG=v1.2.1

KCS_UPDATES=true
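A preflight check for the settings above, as an added example that is not part of the Kaspersky documentation or product: it reads the text of a values.yaml file and reports what would keep Java scanning from working as described. The function names, the nesting of the sample fragments, and the acceptance of tags newer than v1.2.1 are assumptions.

```python
import re

KEYS = ("ENABLE_JAVA_VULN", "KCS_UPDATES_TAG", "KCS_UPDATES")

def read_settings(text):
    """Find the three variables wherever they sit in values.yaml.

    Assumption: each appears as `KEY: value` / `KEY = value`, or as a
    Kubernetes-style `- name: KEY` entry followed by a `value:` line.
    """
    found = {}
    for key in KEYS:
        direct = re.search(rf'^\s*(?:-\s*)?{key}\s*[:=]\s*["\']?([^"\'\s#]+)', text, re.M)
        listed = re.search(rf'name:\s*["\']?{key}["\']?\s*\n\s*value:\s*["\']?([^"\'\s#]+)', text)
        match = direct or listed
        if match:
            found[key] = match.group(1)
    return found

def tag_version(tag):
    """Turn 'v1.2.1' into (1, 2, 1); None if the tag has another shape."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(map(int, m.groups())) if m else None

def check_java_scan_settings(text):
    """Return a list of problems; an empty list means the settings match the page."""
    s = read_settings(text)
    problems = []
    # The page states the default is false, so a missing key means "not scanned".
    if s.get("ENABLE_JAVA_VULN", "false").lower() != "true":
        problems.append("ENABLE_JAVA_VULN is not true: Java packages are not scanned")
    if s.get("KCS_UPDATES", "").lower() == "true":
        version = tag_version(s.get("KCS_UPDATES_TAG", ""))
        # Assumption: tags newer than v1.2.1 also carry the Java databases.
        if version is None or version < (1, 2, 1):
            problems.append("KCS_UPDATES=true needs KCS_UPDATES_TAG=v1.2.1 for the Java databases")
    return problems

# Constructed fragments; the `default:` nesting is hypothetical.
OLD_CONFIG = "default:\n  KCS_UPDATES: true\n  KCS_UPDATES_TAG: v1.2.0\n"
NEW_CONFIG = "default:\n  ENABLE_JAVA_VULN: true\n  KCS_UPDATES_TAG: v1.2.1\n  KCS_UPDATES: true\n"

if __name__ == "__main__":
    for name, text in (("old", OLD_CONFIG), ("new", NEW_CONFIG)):
        print(name, check_java_scan_settings(text) or "ok")
```
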

If Java package scanning is activated (ENABLE_JAVA_VULN = true), the kcs-scanner solution component downloads Java vulnerability databases and notifies kcs-middleware and kcs-ih accordingly. Then the kcs-ih component receives the database files from kcs-scanner, assembles and validates the database, and uses it during scanning.

Vulnerabilities found using the Java vulnerability database are displayed in the image scanning results.

Kaspersky Container Security can also scan Java packages in images in external registries and during the CI/CD process when an external scanner is used. In this case, you must use the scanner with the v1.2.1-with-db-java tag, which contains a pre-installed Java vulnerability database. The specified scanner is configured and used similarly to the v1.2.1-with-db scanner.
