container-security-to-graduate/container-cve-tracker
Container CVE Tracker

An AI-assisted toolchain for automated vulnerability analysis of container images, including CVE-to-API mapping, source extraction, and AST-based call flow visualization.

Orchestrates:

  1. Trivy vulnerability scan of a Docker image tar file.
  2. Mapping of detected CVEs to relevant Python API calls using a local library-to-CVE-API database.
  3. Grok-based CVE-API analysis to enhance vulnerability insights.
  4. Extraction of the application layer from the container filesystem.
  5. AST-based call flow analysis highlighting external, internal-only, and unused APIs.

Prerequisites

  • Python 3.10+

  • Trivy (v0.30.0+)

  • Graphviz (for AST call graph rendering)

  • Required Python packages (install via pip):

    pip install python_api_extractor python_ast_visualizer search_source trivy_extracter graphviz cve_api_mapper

    or

    pip install -r requirements.txt

Installation

  1. Clone this repository:

    git clone https://github.com/container-security-to-graduate/container-cve-tracker.git
    cd container-cve-tracker
  2. Install Trivy

    sudo apt update
    sudo snap install trivy

Usage

python main.py <path-to-image.tar>
  • <path-to-image.tar>: Path to the Docker image tarball to analyze.

Example

python main.py ubuntu-app.tar

Upon completion, results will be available under the DB/ directory:

DB/
├── trivy_analysis_result.json       # Raw Trivy JSON output
├── LIB2CVE2API.json                 # Mapped CVE → API calls database
├── grok_response.json               # Raw Grok API responses
├── grok_analysis_result.json        # Grok-analyzed CVE-API mappings
├── <image_name>/source/             # Extracted application layer files
└── <image_name>_analysis_result/    # AST graphs and api_info.json
    ├── ast_graph.png
    └── api_info.json                # External/internal/unused API lists

Workflow Steps

  1. Trivy Scan (step 1)

    • Invokes trivy_func.scan_vulnerabilities on the image tarball.
    • Saves results to DB/trivy_analysis_result.json.
  2. API Mapping (step 2)

    • Loads Trivy JSON and builds a mapping of CVE → Python APIs via python_api_extractor.extracter.build_cve_api_mapping.
    • Outputs DB/LIB2CVE2API.json.
  3. Grok CVE-API Analysis (step 3)

    • Uses cve_api_mapper.api_mapper.query_grok to analyze CVE-API mappings with Grok.
    • Stores raw Grok responses in DB/grok_response.json and processed results in DB/grok_analysis_result.json.
  4. Layer Extraction (step 4)

    • Uses layer_extracter.extract_app_layer to extract the application layer into DB/<image_name>/source/.
  5. AST Analysis (step 5)

    • Parses target API list from LIB2CVE2API.json.
    • Walks extracted source files, generates a call-flow graph via ast_to_png.visualize_call_flow.
    • Produces .png graphs and a JSON of categorized APIs (api_info.json).
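The following script is an added example, not the project's own code and not taken from any of the packages listed under Prerequisites. It condenses steps 1, 2 and 5 of the workflow above into one self-contained run: it reads a Trivy JSON report, maps each finding to the API names a lookup table lists for that package and CVE, builds a call graph of the application source with the standard `ast` module, and sorts the target APIs into external, internal-only and unused buckets. The Trivy report, the library-to-CVE-to-API table and the application source are constructed inline (the CVE ids are placeholders, not real advisories), the table's layout is this example's own rather than that of LIB2CVE2API.json, the three categories follow this example's own definitions (reachability from module top-level code), which may differ from how api_info.json defines them, and the functions `cve_to_apis`, `build_call_graph`, `reachable_from_module`, `categorize_apis` and `analyze` are hypothetical names that do not exist in the project.

```python
import ast
import json
from collections import defaultdict

# Constructed Trivy report (real schema: Results[].Vulnerabilities[]); CVE ids are placeholders.
TRIVY_JSON = json.dumps({"Results": [{"Target": "app/requirements.txt", "Type": "pip", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "pyyaml", "InstalledVersion": "0.0"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "requests", "InstalledVersion": "0.0"}]}]})

# Hypothetical library -> CVE -> affected-API table (this example's own layout, not LIB2CVE2API.json's).
LIB2CVE2API = {"pyyaml": {"CVE-0000-0001": ["yaml.load", "yaml.full_load"]},
               "requests": {"CVE-0000-0002": ["requests.get", "requests.post"]}}

# Constructed application source, standing in for files under DB/<image_name>/source/.
APP_SOURCE = '''
import yaml, requests

def load_config(path):
    with open(path) as f:
        return yaml.load(f)

def fetch(url):
    return requests.get(url)

def legacy_fetch(url):      # never called from anywhere: dead code
    return requests.post(url, timeout=1)

def main():
    return fetch(load_config("cfg.yml")["url"])

main()
'''


def cve_to_apis(trivy_json, lib2cve2api):
    """Steps 1+2: read the Trivy report and map each finding to the APIs the table lists."""
    mapping = {}
    for result in json.loads(trivy_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:   # key is absent when nothing was found
            apis = lib2cve2api.get(vuln["PkgName"].lower(), {}).get(vuln["VulnerabilityID"])
            if apis:
                mapping[vuln["VulnerabilityID"]] = list(apis)
    return mapping


def _dotted_name(node):
    """'yaml.load' for Name/Attribute call targets; None for lambdas, subscripts, calls on calls."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def build_call_graph(source):
    """Step 5a: caller -> set of callee names; module top-level code is the caller '<module>'."""
    calls, defined, scope = defaultdict(set), set(), ["<module>"]

    class Visitor(ast.NodeVisitor):
        def visit_FunctionDef(self, node):
            defined.add(node.name)
            calls[node.name]                      # register leaf functions (no calls) too
            scope.append(node.name)
            self.generic_visit(node)
            scope.pop()

        def visit_Call(self, node):
            name = _dotted_name(node.func)
            if name:
                calls[scope[-1]].add(name)
            self.generic_visit(node)              # also record calls nested in arguments

    Visitor().visit(ast.parse(source))
    return defined, dict(calls)


def reachable_from_module(calls, defined):
    """Functions reachable from module top-level code (the script's entry point)."""
    seen, todo = set(), ["<module>"]
    while todo:
        fn = todo.pop()
        if fn not in seen:
            seen.add(fn)
            todo.extend(c for c in calls.get(fn, ()) if c in defined)
    return seen


def categorize_apis(target_apis, calls, defined):
    """Step 5b, with this example's own labels: external = called from code reachable at
    runtime; internal_only = called only from dead functions; unused = never called."""
    live = reachable_from_module(calls, defined)
    info = {"external": [], "internal_only": [], "unused": []}
    for api in sorted(target_apis):
        callers = {fn for fn, callees in calls.items() if api in callees}
        bucket = "unused" if not callers else "external" if callers & live else "internal_only"
        info[bucket].append(api)
    return info


def analyze(trivy_json=TRIVY_JSON, lib2cve2api=LIB2CVE2API, source=APP_SOURCE):
    """Run steps 1, 2 and 5 end to end; returns (cve -> apis, api_info-style dict)."""
    cve_map = cve_to_apis(trivy_json, lib2cve2api)
    targets = {api for apis in cve_map.values() for api in apis}
    defined, calls = build_call_graph(source)
    return cve_map, categorize_apis(targets, calls, defined)
```

Calling `analyze()` on the constructed inputs labels `yaml.load` and `requests.get` as external (reached from `main()`), `requests.post` as internal-only (only `legacy_fetch`, which nothing calls, uses it) and `yaml.full_load` as unused. The distinction matters for triage: an unused or dead-code API means the CVE is present in the image but not on any runtime path, which lowers its priority without making the package update unnecessary. The name resolution is deliberately syntactic, so aliased imports (`import yaml as y`) or calls through variables are not matched; a production implementation would resolve import aliases from the module's `Import`/`ImportFrom` nodes first.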

Demonstration Video

> Watch Demo Video

Configuration

  • Paths: Modify constants at the top of main.py if you need custom output locations.
  • Filters: Adjust file inclusion/exclusion in the layer_extracter.extract_app_layer call.
  • Graphviz options: Customize node/edge styling by editing python_ast_visualizer.utils.ast_to_png parameters.
  • Grok Analysis: Configure Grok query parameters in cve_api_mapper.api_mapper.query_grok for custom analysis depth or output formatting.

Full AST Visualization Example

Full AST Call-Flow Example

About

Korea University Capstone Project, Team 5
