On the usage of JavaScript, Python and Ruby packages in Docker Hub images
| Published in | Science of computer programming Vol. 207; p. 102653 |
|---|---|
| Main Authors | , , |
| Format | Journal Article |
| Language | English |
| Published | Elsevier B.V, 01.07.2021 |
| Subjects | |
| ISSN | 0167-6423 1872-7964 |
| DOI | 10.1016/j.scico.2021.102653 |
Summary: Docker is one of the most popular containerization technologies. A Docker container can be saved into an image including all environmental packages required to run it, such as system and third-party packages from language-specific package repositories. Relying on its modularity, an image can be shared and included in other images to simplify the way of building and packaging new software. However, some package managers allow including duplicated packages in an image, increasing its footprint; and outdated packages may miss new features and bug fixes or contain reported security vulnerabilities, putting the image in which they are contained at risk. Previous research has focused on studying operating system packages within Docker images, but little attention has been given to third-party packages. This article empirically studies installation practices, outdatedness and vulnerabilities of JavaScript, Python and Ruby packages installed in 3,000 popular community Docker Hub images. In many cases, these installed packages missed important releases leading to potential vulnerabilities of the images. Our findings suggest that maintainers of Docker Hub community images should invest more effort in updating outdated packages contained in those images in order to significantly reduce the number of vulnerabilities. In addition to this, Python community images are generally much less outdated and much less subject to vulnerabilities than NodeJS and Ruby community images. Specifically for NodeJS community images, elimination of duplicate package releases could lead to a significant reduction in their image footprint.

Highlights:
- The number of installed third-party packages is not related to the used operating system.
- The elimination of duplicate node package releases could lead to a significant reduction in Docker images' footprint.
- Third-party core packages are more outdated than non-core ones.
- Python images are much less outdated and much less subject to vulnerabilities than node and Ruby images.
- Having more up-to-date packages can significantly reduce the number of vulnerabilities.