Detect vulnerabilities in unpackaged software
Typically, software is added to container images and hosts with a package manager, such as apt, yum, or npm. Prisma Cloud has a diverse set of upstream vulnerability data sources covering many different package managers across operating systems, including coverage for Go, Java, Node.js, Python, and Ruby components. Prisma Cloud typically uses the package manager’s metadata to discover installed components and versions, comparing this data to the data in the Intelligence Stream’s real-time CVE feed.
Sometimes, you might install software without a package manager. For example, software might be built from source and then added to an image with the Dockerfile ADD instruction, or your developers might unzip software from a tarball to a location on a host and run the application from there. In these cases, there is no package manager data associated with the application.
Prisma Cloud uses a variety of analysis techniques to detect metadata about software that was not installed by a package manager. These techniques are purpose-built separately for images and for hosts. This analysis augments the existing vulnerability detection and blocking mechanisms, giving you a single view of all vulnerabilities regardless of how the software was installed (with the distro’s package manager, with a language runtime’s package manager, or without a package manager).
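As an added illustration (not Prisma Cloud’s own code, whose analysis techniques this article does not describe), the following script models the distinction drawn above: it checks an inventory of executables against dpkg-style package file lists, flags the ones no package owns, and tries to read a version from each such binary’s own version banner. All package names, paths and banners are constructed sample data, not read from a real host.

```python
import re

# Constructed stand-in for /var/lib/dpkg/info/<pkg>.list contents (one path per line).
DPKG_LISTS = {
    "curl": "/.\n/usr\n/usr/bin\n/usr/bin/curl\n/usr/share/doc/curl\n",
    "openssl": "/.\n/usr\n/usr/bin\n/usr/bin/openssl\n",
}

# Constructed inventory of executables found on the filesystem.
EXECUTABLES = [
    "/usr/bin/curl",
    "/usr/bin/openssl",
    "/usr/local/bin/vault",  # unzipped from a release archive, no package metadata
    "/opt/consul/consul",    # copied in with a Dockerfile ADD instruction
    "/opt/tool/tool",        # unpackaged and prints no parseable version banner
]

# Constructed version banners, as the binaries themselves would print them.
VERSION_BANNERS = {
    "/usr/local/bin/vault": "Vault v1.14.0 (build deadbeef)",
    "/opt/consul/consul": "Consul v1.16.1\nRevision 0123abcd\n",
    "/opt/tool/tool": "tool, build 42",
}

VERSION_RE = re.compile(r"^(?P<name>[A-Za-z][\w-]*) v(?P<version>\d+\.\d+\.\d+)", re.M)


def owned_files(dpkg_lists):
    """Map every path listed by any package to the package that owns it."""
    owners = {}
    for pkg, listing in dpkg_lists.items():
        for path in listing.splitlines():
            if path and path != "/.":
                owners[path] = pkg
    return owners


def unpackaged_components(execs, dpkg_lists, banners):
    """Return {path: (name, version)} for executables that no package owns.
    The value is None when the banner yields no version: that gap is what
    the image and host analysis described above exists to fill."""
    owners = owned_files(dpkg_lists)
    found = {}
    for path in execs:
        if path in owners:
            continue  # package manager metadata covers this one
        m = VERSION_RE.search(banners.get(path, ""))
        found[path] = (m["name"], m["version"]) if m else None
    return found
```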
The following list shows examples of the apps currently supported.
- Hashicorp Vault
- Hashicorp Consul
Nothing is required to enable the functionality described in this article; it is enabled by default. For some apps, such as Python packages, the path is not included in the package info details for scan results on Monitor > Vulnerabilities.
When vulnerabilities are detected in an unpackaged app, scan reports list the
Vulnerabilities of type Application are carried in the Intelligence Stream’s app feed. Go to the CVE statistics section on the Manage > System > Intelligence page for more information.