In Use

The In Use feature identifies vulnerable packages and libraries loaded in runtime workloads, so you can prioritize the vulnerabilities that are actively executing.

Overview

The In Use feature determines which packages are effectively loaded during execution and are therefore a direct security threat to your infrastructure.

Prioritizing vulnerabilities that represent imminent risks to your organization is vital to a successful vulnerability management program. Images often contain hundreds of vulnerabilities. Multiplying this by the number of workloads running for any non-trivial infrastructure deployment, it is easy to see that the total number of potential vulnerabilities to fix is very large.

Many prioritization criteria are commonly used and accepted to start filtering the list: Severity and CVSS scoring, Exploitability metrics, Runtime scope, and other environmental considerations. In Use is a new criterion, supported by observed runtime behavior, to add to the vulnerability management tool belt. In Use can considerably reduce the working set of vulnerabilities that must be addressed as a priority.

Terminology

  • In Use: The designation for packages that are effectively loaded and executing at runtime. In Use serves as a vulnerability prioritization criterion and is surfaced in the In Use column on the Vulnerability Findings page.
  • EVE: Effective Vulnerability Exposure, an earlier term. The installation settings may still refer to the eveConnector and eveEnablement.

Technology Details

To understand how the In Use feature is architected:

The Sysdig Agent components deployed for every instrumented node (host) continuously observe the behavior of runtime workloads. Some of the information collected includes:

  • Image runtime behavior profile: accessed files, processes in execution, system calls.
  • The Software Bill Of Material (SBOM) associated with container images used by runtime containers, including used packages and versions and the vulnerabilities matched by those.
  • The combination of the SBOM and the Packages/Libraries identified as running make a Runtime Bill of Materials (RBOM).

By correlating these three pieces of information, we can differentiate between packages installed in the image and packages loaded at execution time. Sysdig propagates this information to vulnerability scan results, and can share it with partner integrations.

Enable and Disable In Use

The In Use feature requires the Vulnerability Management engine in Sysdig Secure. Make sure you are using the correct documentation: Which Scanning Engine to Use.

In Use supports a specific set of languages; see Language Support. For the full range of packages and formats that Vulnerability Management scans, see Supported Operating Systems, Packages and Languages.

Supported environments for In Use prioritization include:

  • Kubernetes Workloads
  • Linux Hosts
  • Non-Kubernetes Containers (Docker, Podman)

Understand the In Use Column

In Use insights appear on the Vulnerability Findings page, in the In Use column.

The In Use designation lets you focus first on the packages containing vulnerabilities that are actually being executed at runtime. If an image has 180 packages and 160 have vulnerabilities, but only 45 are used at runtime, then much of the vulnerability notification noise can be reduced by focusing on the latter.

Data will appear in the In Use column approximately 12 hours after the feature is deployed.

To view In Use vulnerabilities:

  1. Log in to Sysdig Secure.

  2. Select Attack Surface > Vulnerability Findings.

    The Vulnerability Findings page is shown.

  3. Select the In Use button to filter the list by vulnerabilities being executed at runtime.

    The list updates to show only findings whose packages are loaded at runtime. For each listing, the number of Critical, High, and Medium severity In Use vulnerabilities is highlighted in the In Use column.

  4. Select any one of the severities to drill down.

    The view shows the individual In Use vulnerabilities for that severity, along with their affected packages, so you can prioritize the ones that are actively executing.

Language Support

In Use is a distinct capability from vulnerability scanning: a package type can be scanned for vulnerabilities without being tracked as In Use at runtime.

In Use currently supports the following languages:

  • Go
  • Java
  • JavaScript/TypeScript
  • Python

In Use does not currently support the following languages:

  • C# (.NET)
  • PHP
  • Rust
  • Dart
  • Swift
  • Ruby