1. Overview

Because Prisma Cloud knows the state of all the images in your environment, it can show you every place where a given set of vulnerabilities puts you at risk. To generate a risk tree, provide a CVE, and Prisma Cloud returns:

  • A list of images that contain packages affected by the specified CVE.

  • A list of running containers (created from the images listed above) that are affected by the specified CVE.

  • A list of namespaces where the containers affected by the specified CVE reside.

  • A list of hosts where the images affected by the specified CVE reside.

  • A list of serverless functions that are affected by the specified CVE.

The risk tree lets you create a detailed map of your exposure to a vulnerability, and can help you identify the best way to resolve it in your upstream images.

2. Generating a risk tree

Prisma Cloud’s Vulnerability Explorer shows you risk trees for the top ten vulnerabilities in your container ecosystem. To see the risk tree for any arbitrary CVE, use the search tool at the top of the "Top Ten lists" table, or use the Prisma Cloud API.

To generate a risk tree, submit a CVE to the API. The API returns an ordered tree of the images that contain packages affected by that CVE, the containers derived from those images, the namespaces where those containers reside, and the hosts where those images live. This lets you automate, with a single API call, the creation of a detailed map of your exposure to the vulnerability.

To generate a risk tree, use the following endpoint:

GET /api/v1/stats/vulnerabilities/impacted-resources?cve=<CVE-ID>

For example, to generate a risk tree for CVE-2016-2109:

GET /api/v1/stats/vulnerabilities/impacted-resources?cve=CVE-2016-2109

The following listing shows an example response. For complete details about the response object, see the API reference.

{
  "_id": "CVE-2017-6983",
  "riskTree": {
    "sha256:154de23b60b2a0651401012afff4c2da485f8076043e7241288bbeb88c9965fa": [
      {
        "image": "docker.io\/library\/ubuntu-exploit:latest",
        "container": "",
        "host": "",
        "namespace": "",
        "factors": {
          "network": false,
          "internet": false,
          "rootPrivilege": false,
          "noSecurityProfile": false,
          "privilegedContainer": false
        }
      }
    ],
    "sha256:45919d98e870eeb1b1d4ccb9458f992f372d9fadc5f3efd034bc569a575f0ff9": [
      {
        "image": "docker.io\/morello\/docker-whale:latest",
        "container": "confident_archimedes",
        "host": "ian-23.c.cto-sandbox.internal",
        "namespace": "",
        "factors": {
          "network": false,
          "internet": false,
          "rootPrivilege": true,
          "noSecurityProfile": false,
          "privilegedContainer": false
        }
      }
    ],
    "sha256:67759a80360cbaef77ec1eee8aa0590f07ba04c26ef496efbc90391f217fd9d6": [
      {
        "image": "docker.io\/library\/ubuntu:14.04",
        "container": "",
        "host": "",
        "namespace": "",
        "factors": {
          "network": false,
          "internet": false,
          "rootPrivilege": false,
          "noSecurityProfile": false,
          "privilegedContainer": false
        }
      }
    ]
  },
  "registryImages": {},
  "hosts": [
    "ian-23.c.cto-sandbox.internal"
  ],
  "functions": {}
}
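To show how the response is consumed, the following added example (not Prisma Cloud's own code) walks a riskTree and separates entries with a running container from image-only hits, and flags entries where any risk factor is true. The Console base URL, bearer-token authentication and the placeholder digests in the sample are assumptions.

```python
# Added example (not Prisma Cloud's own code): summarise a risk-tree response.
# The endpoint path is from the page; base URL and bearer-token auth are assumptions.
import json
import urllib.request


def fetch_risk_tree(base_url: str, token: str, cve: str) -> dict:
    """GET /api/v1/stats/vulnerabilities/impacted-resources?cve=<CVE-ID> (auth assumed)."""
    url = f"{base_url}/api/v1/stats/vulnerabilities/impacted-resources?cve={cve}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_risk_tree(response: dict) -> dict:
    """Reduce riskTree to what a responder triages first: entries with a live
    container (and its host), images present but not running, and entries
    where any risk factor is true (the CVE is more reachable there)."""
    running, image_only, elevated = [], [], []
    for entries in response.get("riskTree", {}).values():
        for entry in entries:
            if entry.get("container"):
                running.append((entry["image"], entry["container"], entry["host"]))
            else:
                image_only.append(entry["image"])
            flagged = sorted(k for k, v in entry.get("factors", {}).items() if v)
            if flagged:
                elevated.append((entry["image"], flagged))
    return {
        "cve": response.get("_id"),
        "running": running,
        "image_only": image_only,
        "elevated": elevated,
        "hosts": sorted(set(response.get("hosts", []))),
    }


# Constructed sample modelled on the response above (digests are placeholders).
SAMPLE = json.loads("""{"_id": "CVE-2017-6983", "riskTree": {
  "sha256:placeholder-1": [{"image": "docker.io/library/ubuntu:14.04", "container": "",
    "host": "", "namespace": "", "factors": {"network": false, "internet": false,
    "rootPrivilege": false, "noSecurityProfile": false, "privilegedContainer": false}}],
  "sha256:placeholder-2": [{"image": "docker.io/morello/docker-whale:latest",
    "container": "confident_archimedes", "host": "ian-23.c.cto-sandbox.internal",
    "namespace": "", "factors": {"network": false, "internet": true, "rootPrivilege": true,
    "noSecurityProfile": false, "privilegedContainer": false}}]},
  "registryImages": {}, "hosts": ["ian-23.c.cto-sandbox.internal"], "functions": {}}""")

if __name__ == "__main__":
    print(json.dumps(summarize_risk_tree(SAMPLE), indent=2))
```

Entries with a live container on a host are the ones to remediate first; image-only hits point at the upstream images to rebuild.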