The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon Japan 2025 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.
Please note: This schedule is automatically displayed in Japan Standard Time (UTC+9:00). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date." The schedule is subject to change and session seating is available on a first-come, first-served basis.
Sign up or log in to bookmark your favorites and sync them to your phone or calendar.
When using container image vulnerability scanners like Trivy, a large number of vulnerabilities may be detected. However, not all of them necessarily require an action. This is because not all libraries or command-line tools included in the container image are actually utilized.
For example, the `python:3.12.4` image includes a `git` binary with the vulnerability CVE-2024-32002. This vulnerability does not need an immediate action if it is known that the Python application being run does not execute `git` commands.
VEX (Vulnerability-Exploitability eXchange) formats such as OpenVEX can be used to suppress such false alarms. However, VEX is still not widely adopted due to the difficulty of manual analysis and classification of vulnerabilities.
This presentation introduces VexLLM, a tool that helps writing VEX by leveraging LLMs. VexLLM is available as a plugin for Trivy.
Akihiro Suda is a software engineer at NTT Corporation. He has been a maintainer of Moby (dockerd), BuildKit, containerd, runc, etc. He is also a founder of nerdctl and Lima (CNCF project).
