Chainguard Takes Aim At Vulnerable Java Libraries
Chainguard has made its name in recent years through its growing collection of Chainguard Images, open source container images that are free of critical vulnerabilities that can infiltrate applications and kick off software supply chain attacks.
The common vulnerabilities and exposures (CVE)-free container images have been a success for the Kirkland, Washington-based startup, which will celebrate its fourth birthday later this year. Chainguard has raised more than $250 million in its short life and last year saw rapid, five-fold growth in the number of customers. In February, the vendor introduced CVE Visualizations, a way for organizations to gauge and quantify the benefits they’re getting by using these images.
At Assemble today, Chainguard’s inaugural event in San Francisco, company executives are introducing the next steps they’re taking to make the developers’ world safer and vulnerability-free. They’re unveiling Chainguard Libraries, a collection of language libraries — with an initial focus on Java — that are built from source, free of malware, and produced on Supply-chain Levels for Software Artifacts (SLSA) Level 2 infrastructure.
In addition, the vendor is rolling out a new product line focused on virtual machines (VMs). With Chainguard VMs, software engineers now have container host images that are likewise free of vulnerabilities and add another layer of protection for the critical development components.
An Eye on the Stack
The announcements of Chainguard Libraries and Chainguard VMs give a glimpse of the roadmap the company is following as it looks to extend its reach beyond container images and into other parts of the open source software development lifecycle.
“Today, organizations use our container image and then their developers go and run their applications on our container image,” Ed Sawma, vice president of product marketing at Chainguard, told The New Stack. “Those developers are pulling in additional open source libraries from public repositories like Maven Central for Java, and these repositories have thousands and thousands of libraries that they pull in.”
A concern is that these libraries are often built in relatively insecure environments, such as a developer’s laptop, and then uploaded to Sonatype’s Maven Central or other repositories, a path that can let malicious code into these open source packages, Sawma said. He pointed to a Sonatype study that found that more than 700,000 malicious packages have been detected since 2019.
The Need for Clean Libraries
The same study found that in 2023, Maven Central had more than 1.5 trillion downloads of libraries, highlighting how dependent developers are on libraries from public registries. However, such registries tend to favor the convenience of library publishers over the security and safety of the enterprises using them, Chainguard executives said in announcing the company’s libraries offering.
Most public registries are designed to be low friction, they said, with minimal vetting of the artifacts uploaded to them. Nor are those uploading packages required to prove package integrity or build security through digital attestations.
“This is a big problem, particularly for large enterprises that are operating at scale [and] that have thousands and thousands of developers using these things,” Sawma said. “We’ve built Chainguard Libraries, where we go to the source code for these Java libraries. We build them in our SLSA Level 2 build environment, and we ensure that there is no compromise of that code as we build it into a package that developers can then take and use in their environment.”
CVE-Free at Birth
That view dovetails with Chainguard’s argument about container images — that the primary packages themselves don’t have CVEs in them. The vulnerabilities are in the operating systems they’re built on top of. The source code of the Java libraries is CVE-free, and Chainguard wants to ensure they stay that way.

Chainguard Libraries for Java.
“We go directly to the source code — the source code that we know is the most secure — and we pull that into our protected building,” he said. “That’s where the SLSA Level 2 framework is really important. … We pull that into our environment, and we’re able to build that soft artifact in a much more secure way, and then plug directly into how you distribute code to your developers.”
Chainguard integrates with software repository managers JFrog Artifactory, Cloudsmith, and Sonatype Nexus, which organizations use to make code available for developers internally, he said, adding that “you just point them at us and you get the secure version of all those.”
Multiple Problems To Solve
As with container images, Chainguard, through its Java libraries, is trying to solve two core problems. The first is eliminating vulnerabilities, which Sawma said largely means keeping up-to-date with the latest updates in every piece of software. The other is ensuring that developers know exactly what’s in the software they’re getting, and that comes by going to the source code. With Chainguard Libraries, the vendor is expanding beyond containers and into another layer of the stack.
However, while some organizations are trying to build golden images for containers, there are few alternatives when it comes to libraries. Most aren’t going to rebuild the library of artifacts in Maven Central, he said. Instead, they may try to run thorough scans to detect a malicious artifact in their environments, which also leads to many false positives.
The Balancing Act
Finding a balance between ease and safety isn’t easy. If organizations take a hard line, they block libraries their developers want to use or builds they’re trying to get into production. They may have developers vet libraries on their own, but that creates a tax on the developers; it’s more work they have to do, and it’s difficult, Sawma said.
“It’s a little bit hard for a developer to go and … really know if this package [they’re] downloading hasn’t been tampered with at all,” he said. “There are no really great alternatives to our Chainguard Libraries, and it’s a big area of risk that organizations know is there.”
Chainguard is starting off with more than 20,000 Java dependencies in the Chainguard Libraries that come with five years of version coverage. It’s in beta now, with general availability expected later this year.
VMs in the Mix
Sawma didn’t want to give many details when asked about what the future for Chainguard looks like, but said that “everywhere that an enterprise is consuming open source, we’ll be heading in that direction. You can imagine additional points in the stack [and] other languages.”
Another one of those areas is VMs. At the Assemble show, the company is unveiling Chainguard VMs, offering VM images that, again, are built from source and have no CVEs. The VMs are aimed at cloud workloads and housed in guarded host images.
VMs are key tools for running workloads in the cloud and require a container host, a specific VM that includes the runtime environment to run the container, according to Chainguard executives. Enterprises typically rely on general-purpose servers from Linux distro providers for container hosts, but those systems tend to contain a lot of CVEs and components that aren’t needed for the hosts.
Chainguard is offering container host images, which are in early access now, that are built for each major cloud provider and include versions for such managed container services as Amazon’s Elastic Kubernetes Service (EKS) or container deployments managed by organizations on Amazon Web Services (AWS), Google Cloud Engine, or Microsoft Azure.