Determination of mitigation priority values of vulnerabilities in container images

US2023376604A1 · US · A1

Patent metadata

Publication number: US-2023376604-A1
Application number: US-202217748819-A
Country: US
Kind code: A1
Filing date: May 19, 2022
Priority date: May 19, 2022
Publication date: Nov 23, 2023
Grant date: (none listed)

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

According to examples, an apparatus may include a processor and a memory on which is stored machine-readable instructions that may cause the processor to access vulnerabilities identified in a set of container images and to identify, from a set of reference vulnerabilities, which reference vulnerabilities the identified vulnerabilities match, in which each of the reference vulnerabilities is assigned one of a plurality of mitigation priority values. The processor may also determine mitigation priority values of the identified vulnerabilities based on the mitigation priority values assigned to the reference vulnerabilities to which the identified vulnerabilities match. In addition, the processor may output the determined mitigation priority values of the identified vulnerabilities.

First claim

Opening claim text (preview).

What is claimed is:

  1. An apparatus comprising: a processor; and a memory on which is stored machine-readable instructions that when executed by the processor, cause the processor to: access vulnerabilities identified in a set of container images; identify, from a set of reference vulnerabilities, which reference vulnerabilities the identified vulnerabilities match, wherein each of the reference vulnerabilities is assigned one of a plurality of mitigation priority values; determine mitigation priority values of the identified vulnerabilities based on the mitigation priority values assigned to the reference vulnerabilities to which the identified vulnerabilities match; and output the determined mitigation priority values of the identified vulnerabilities.

  2. The apparatus of claim 1, wherein the instructions cause the processor to: access identifiers of the identified vulnerabilities; and compare the identifiers of the identified vulnerabilities against identifiers of the reference vulnerabilities to identify the reference vulnerabilities to which the identified vulnerabilities match.

  3. The apparatus of claim 1, wherein the mitigation priority values correspond to respective average lengths of time between when the reference vulnerabilities were identified and when the reference vulnerabilities were mitigated.

  4. The apparatus of claim 1, wherein the instructions cause the processor to: access identifications of the reference vulnerabilities in a plurality of container images; determine respective lengths of time between when the reference vulnerabilities were identified and when the reference vulnerabilities were mitigated; assign the mitigation priority values to the reference vulnerabilities in the plurality of container images based on the determined respective lengths of time corresponding to the reference vulnerabilities; and store the assigned mitigation priority values of the reference vulnerabilities and the mitigation priority values assigned to the reference vulnerabilities.

  5. The apparatus of claim 4, wherein the instructions cause the processor to: determine when the reference vulnerabilities were mitigated based on when versions of the container images containing the reference vulnerabilities were updated and/or patched.

  6. The apparatus of claim 4, wherein the instructions cause the processor to: assign higher mitigation priority values to the reference vulnerabilities that were mitigated within shorter lengths of time between when the reference vulnerabilities were identified and when the reference vulnerabilities were mitigated.

  7. The apparatus of claim 4, wherein the instructions cause the processor to: store the assigned mitigation priority values of the reference vulnerabilities and the mitigation priority values assigned to the reference vulnerabilities in a look up table.

  8. The apparatus of claim 1, wherein the set of container images are stored in a registry owned by an organization, and wherein the instructions cause the processor to: output the determined mitigation priority values of the identified vulnerabilities to a member of the organization.

  9. The apparatus of claim 1, wherein the instructions cause the processor to: perform an image scanning operation on the container images included in the set of container images to identify the vulnerabilities; and/or receive the identified vulnerabilities from an entity outside of the apparatus.

  10. A method comprising: determining, by a processor, which reference vulnerabilities that a plurality of vulnerabilities identified in a set of container images match, wherein each of the reference vulnerabilities is assigned one of a plurality of mitigation priority values, and wherein the mitigation priority values correspond to respective lengths of time between when the reference vulnerabilities were identified and when the reference vulnerabilities were mitigated; assigning, by the processor, respective mitigation priority values to the identified vulnerabilities in the set of container images that are equal to the mitigation priority values assigned to the reference vulnerabilities determined to match the identified vulnerabilities; and outputting, by the processor, the identified vulnerabilities and the mitigation priority values assigned to the identified vulnerabilities.

  11. The method of claim 10, further comprising: accessing identifiers of the identified vulnerabilities; and comparing the identifiers of the identified vulnerabilities against identifiers of the reference vulnerabilities to identify the reference vulnerabilities to which the identified vulnerabilities match.

  12. The method of claim 10, further comprising: determining respective lengths of time between when the reference vulnerabilities were identified and when the reference vulnerabilities were mitigated; assigning the mitigation priority values to the reference vulnerabilities in a plurality of container images based on the determined respective lengths of time corresponding to the reference vulnerabilities; and storing the assigned mitigation priority values of the reference vulnerabilities and the mitigation priority values assigned to the reference vulnerabilities.

  13. The method of claim 12, further comprising: determining when the reference vulnerabilities were mitigated based on when versions of the container images containing the reference vulnerabilities were updated and/or patched.

  14. The method of claim 12, further comprising: assigning higher mitigation priority values to the reference vulnerabilities that were mitigated within shorter lengths of time between when the reference vulnerabilities were identified and when the reference vulnerabilities were mitigated.

  15. The method of claim 10, wherein the set of container images are stored in a registry owned by an organization, the method further comprising: outputting the identified vulnerabilities and the mitigation priority values assigned to the identified vulnerabilities to a member of the organization.

  16. The method of claim 10, further comprising: performing an image scanning operation on the container images included in the set of container images to identify the vulnerabilities; and/or receiving the identified vulnerabilities from an outside entity.

  17. A computer-readable medium on which is stored computer-readable instructions that when executed by a processor, cause the processor to: assign mitigation priority values to a plurality of reference vulnerabilities based on respective lengths of time between when the reference vulnerabilities were identified and when the reference vulnerabilities were mitigated; determine which of the plurality of reference vulnerabilities that a plurality of vulnerabilities identified in a set of container images match; assign respective mitigation priority values to the identified vulnerabilities in the set of container images that are equal to the mitigation priority values assigned to the reference vulnerabilities determined to match the identified vulnerabilities; and output the identified vulnerabilities and the mitigation priority values assigned to the identified vulnerabilities.

  18. The computer-readable medium of claim 17, wherein the instructions further cause the processor to: access identifiers of the identified vulnerabilities; and compare the identifiers of the identified vulnerabilities against identifiers of the reference vulnerabilities to identify the reference vulnerab
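The abstract and claims describe one pipeline: derive each reference vulnerability's mitigation priority value from the historical length of time between when it was identified and when a patched or updated image version mitigated it (claims 3 to 7, 12 to 14), store the values in a look up table, match scan findings to reference vulnerabilities by identifier (claims 2, 11), let each finding inherit the matched value (claims 10, 17), and output the result. The Python below is an added worked example of that pipeline; it is not code from the patent, its assignee, or any product. The observation history, image names, vulnerability identifiers and dates are constructed, and the three-level rank bucketing that turns average time-to-mitigate into a priority value is this example's own assumption (the claims only require that faster-mitigated reference vulnerabilities receive higher values).

```python
"""Added worked example (not the patent's code): mitigation priority values
derived from historical time-to-mitigate and applied to container-image
scan findings. All identifiers, image names and dates are constructed."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    """One sighting of a reference vulnerability in one container image version."""
    vuln_id: str
    image: str
    identified: date            # when the scanner first reported it in this image
    mitigated: Optional[date]   # when an updated/patched image version no longer had it; None if still open


# Constructed history across a plurality of images (claims 4 and 12).
REFERENCE_HISTORY: List[Observation] = [
    Observation("VULN-0001", "registry.example/api:1.0", date(2021, 1, 5), date(2021, 1, 8)),
    Observation("VULN-0001", "registry.example/web:2.3", date(2021, 2, 1), date(2021, 2, 3)),
    Observation("VULN-0002", "registry.example/api:1.0", date(2021, 1, 5), date(2021, 3, 20)),
    Observation("VULN-0002", "registry.example/db:5.1", date(2021, 1, 10), date(2021, 4, 1)),
    Observation("VULN-0003", "registry.example/web:2.3", date(2021, 2, 1), None),
    Observation("VULN-0003", "registry.example/db:5.1", date(2021, 1, 10), date(2021, 1, 25)),
]

# Constructed output of an image scan over the organization's registry: (image, vulnerability id).
SCAN_FINDINGS: List[Tuple[str, str]] = [
    ("registry.example/worker:0.9", "VULN-0002"),
    ("registry.example/worker:0.9", "VULN-0001"),
    ("registry.example/cache:3.0", "VULN-0003"),
    ("registry.example/cache:3.0", "VULN-9999"),   # no reference data for this one
]


def average_days_to_mitigate(history: List[Observation]) -> Dict[str, float]:
    """Average days between identification and mitigation per reference vulnerability.
    Open findings (mitigated is None) and inconsistent records (mitigated before
    identified) carry no duration and are left out of the average."""
    durations: Dict[str, List[int]] = {}
    for obs in history:
        if obs.mitigated is None or obs.mitigated < obs.identified:
            continue
        durations.setdefault(obs.vuln_id, []).append((obs.mitigated - obs.identified).days)
    return {vid: mean(days) for vid, days in durations.items()}


def build_priority_lookup(history: List[Observation], levels: int = 3) -> Dict[str, dict]:
    """Look up table (claim 7) mapping vulnerability id -> average days and priority value.
    Reference vulnerabilities mitigated faster get higher values (claim 6). Splitting the
    ranked list into `levels` equal buckets is an assumption of this example, not the patent."""
    avg = average_days_to_mitigate(history)
    ranked = sorted(avg, key=avg.__getitem__)   # fastest-mitigated first
    n = len(ranked)
    lookup: Dict[str, dict] = {}
    for rank, vid in enumerate(ranked):
        bucket = rank * levels // n            # 0 for the fastest-mitigated bucket
        lookup[vid] = {"avg_days": avg[vid], "priority": levels - bucket}
    return lookup


def prioritize_scan_findings(findings: List[Tuple[str, str]], lookup: Dict[str, dict]) -> List[dict]:
    """Match each finding to its reference vulnerability by identifier (claim 2) and
    inherit that value (claim 10). Identifiers absent from the table get priority
    None and sort last, so they are surfaced for manual triage rather than dropped."""
    rows = []
    for image, vid in findings:
        ref = lookup.get(vid)
        rows.append({"image": image, "vuln_id": vid,
                     "priority": ref["priority"] if ref else None})
    rows.sort(key=lambda r: (r["priority"] is None, -(r["priority"] or 0), r["vuln_id"]))
    return rows


if __name__ == "__main__":
    table = build_priority_lookup(REFERENCE_HISTORY)
    for row in prioritize_scan_findings(SCAN_FINDINGS, table):
        print(f'{row["priority"]!s:>4}  {row["vuln_id"]}  {row["image"]}')
```

With the constructed history, VULN-0001 averages 2.5 days to mitigation, VULN-0003 15 days (its still-open sighting is ignored) and VULN-0002 77.5 days, so the scan output lists them with priorities 3, 2 and 1, followed by the unmatched VULN-9999. Keeping unmatched identifiers visible matters in practice: a finding with no mitigation history is unknown, not low-priority.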

Assignees

Microsoft Technology Licensing LLC

Inventors

Classifications

  • G06F21/577 (primary): Assessing vulnerabilities and evaluating computer system security (CPC title)

  • Test or assess software (CPC title)

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2023376604A1 cover?
According to examples, an apparatus may include a processor and a memory on which is stored machine-readable instructions that may cause the processor to access vulnerabilities identified in a set of container images and to identify, from a set of reference vulnerabilities, which reference vulnerabilities the identified vulnerabilities match, in which each of the reference vulnerabilities is as…
Who is the assignee on this patent?
Microsoft Technology Licensing LLC
What technology area does this patent fall under?
Primary CPC classification: G06F21/577. Mapped technology areas include Physics.
When was this patent published?
Publication date: Nov 23, 2023 (kind code A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).