RQ1: Symptoms
The figure below presents the hierarchical taxonomy of symptoms of container bugs in CRSs, organized into 4 major categories: Build Failure, Unexpected Termination, Unexpected Functionality and Poor Performance. Each high-level category is further subdivided into subcategories based on distinctive characteristics.
To highlight the security vulnerabilities in CRSs, we labeled some of the subcategories (i.e., leaf nodes in the taxonomy tree) in red. To distinguish the severity of each category, we adopt four color intensities based on the average CVSS score of the bugs in that category.
Findings
We identified a total of 16 distinct leaf categories of bug symptoms. Among these categories, 5 (31.25%) are associated with security vulnerabilities of CRSs.
A total of 7.69% of the bugs fall under the category of Build Failure. This is mainly attributed to the inherent requirement for CRSs to be platform-agnostic, which leads to cross-platform compatibility issues such as package or API dependency errors.
20.98% of the collected bugs manifest as Unexpected Termination. These symptoms are closely tied to the features of the CRS workflow, from a runtime daemon managing different plugins to communicating with the host through system calls.
The most common category of bugs in CRSs (59.44%) is Unexpected Functionality, with Incorrect Execution Output being the most prevalent subcategory (70.59%). From a security perspective, the most critical symptom is Escalated Privilege, often resulting from authorization errors. This symptom is closely related to the inherent characteristics of CRSs.
Bugs with the Poor Performance symptom account for 11.89% of all bugs and can manifest as abnormal behaviors. These bugs are primarily attributed to the complexities involved in managing memory and storage within containerized environments.
The detailed symptom distribution can be found in the Google Sheet: Manual Analysis Data