Software containers greatly facilitate the deployment and reproducibility of scientific data analyses in various platforms. However, container images often contain outdated or unnecessary software packages, which increases the number of security vulnerabilities in the images, widens the attack surface in the container host, and creates substantial security risks for computing infrastructures at large. This paper presents a vulnerability analysis of container images for scientific data analysis. We compare results obtained with four vulnerability scanners, focusing on the use case of neuroscience data analysis, and quantifying the effect of image update and minification on the number of vulnerabilities. We find that container images used for neuroscience data analysis contain hundreds of vulnerabilities, that software updates remove about two thirds of these vulnerabilities, and that removing unused packages is also effective. We conclude with recommendations on how to build container images with a reduced amount of vulnerabilities.

翻译：然而,集装箱图像往往含有过时或不必要的软件包,增加了图像中的安全脆弱性,扩大了集装箱主机的攻击面面,给整个计算机基础设施带来了巨大的安全风险。本文件对集装箱图像的脆弱性进行了分析,以进行科学数据分析。我们把所取得的成果与四个脆弱性扫描仪进行了比较,重点是神经科学数据分析的使用情况,并量化了图像更新和简化对脆弱性数量的影响。我们发现,用于神经科学数据分析的集装箱图像包含数百个脆弱性,软件更新消除了这些脆弱性的三分之二左右,去除未使用的软件包也是有效的。我们最后建议如何在脆弱性减少的情况下建立集装箱图像。