Modelling security degradation of base Docker images using a rate-based metric
Main Article Content
Abstract
Topicality. Base Docker images are reused as long-lived software-supply-chain artifacts in pipelines. Unlike runtime-oriented software ageing, their degradation is primarily informational: the image may remain unchanged, while its scanner-observable security state changes as new vulnerabilities are disclosed and vulnerability databases evolve. Point-in-time scanner outputs identify known vulnerabilities at the scan date, but they do not show how quickly vulnerability burden has accumulated relative to image age, base operating-system family, and dependency footprint. This creates a scientific and technical contradiction: long-term base-image selection requires reproducible comparison of functionally suitable immutable artifacts, while existing indicators mainly describe current vulnerability state, static severity burden, package freshness, or short-term exploitability priority. Therefore, DevSecOps teams lack sufficient evidence for selecting candidates with a longer observable security horizon and lower expected security-maintenance burden. Purpose and objectives. The purpose of this study is to improve the scientific and practical grounding of long-term base Docker image selection in pipelines by formalizing observable security degradation as an age-normalized and base-family-contextualized accumulation process. To achieve this purpose, the study develops and empirically evaluates a layered comparative measurement model for identifying base-image candidates with longer observable security horizons. The objectives are to formalize severity-weighted vulnerability burden, normalize this burden by image age, contextualize degradation within base-image families, compare candidate variants at repository level, and evaluate whether the proposed metric provides information beyond raw vulnerability counts, static severity burden, vulnerability density, image age, and exploitability-oriented signals. Methods. The study uses a time-windowed dataset of Linux-based Docker images from popular Docker Hub repositories. Vulnerabilities are identified using a four-scanner ensemble consisting of Trivy, Grype, Docker Scout, and Snyk, deduplicated by vulnerability identifier, weighted by severity, and normalized by image age. The model is evaluated through family-level comparison, repository-level candidate comparison, and threshold-oriented security-horizon interpretation. Results. The proposed model links current vulnerability burden with age-normalized degradation intensity and interprets this signal within base-family, repository-level, and threshold-oriented contexts. Base operating-system families differ substantially. Repository-level comparisons show lower degradation intensity for reduced-footprint candidates than for higher-footprint candidates within same-ecosystem contexts, and lower degradation intensity for Alpine-based and Ubuntu-based candidates than for Debian-based candidates in repositories where direct comparison is available. Conclusions. The novelty of the study lies in formalizing base Docker image selection as a degradation-rate comparison problem. The proposed model differs from point-in-time vulnerability counts, static severity summaries, technical-lag measures, Exploit Prediction Scoring System, or Known Exploited Vulnerabilities, the proposed model provides an artifact-level signal for comparing candidate base images by the observed rate at which scanner-detected vulnerability burden accumulates over image age. The model is a reproducible comparative measurement procedure for long-term base-image selection. Practically, the model supports DevSecOps teams in selecting base-image candidates, prioritizing rebuilds, defining review policies, and governing pipelines by comparing images according to current vulnerability burden, observed degradation rate, base ecosystem, dependency-footprint context, and threshold-oriented security horizon.

