ORCA: Unveiling Obscure Containers In The Wild

📅 2025-09-11
🤖 AI Summary
Obscure images, in the paper's terminology, are container images whose filesystem was unintentionally modified during build or at runtime, leaving the image incomplete in a way that conventional Software Composition Analysis (SCA) tools do not handle; outdated or vulnerable dependencies inside them can therefore go unreported in production. Method: the paper examines both cloud-based and open-source SCA tools against such images and proposes an obscuration-resilient methodology for container analysis. Contribution/Results: ORCA (Obscuration-Resilient Container Analyzer) is released as an open-source implementation. Across 600 popular container images, obscure containers turned up in well-known registries and trusted images, many tools failed to analyze them, and ORCA achieved a median 40% improvement in file coverage over Docker Scout and Syft. The findings were reported to all affected vendors through their disclosure channels.

📝 Abstract
Modern software development increasingly depends on open-source libraries and third-party components, which are often encapsulated into containerized environments. While improving the development and deployment of applications, this approach introduces security risks, particularly when outdated or vulnerable components are inadvertently included in production environments. Software Composition Analysis (SCA) is a critical process that helps identify and manage packages and dependencies inside a container. However, unintentional modifications to the container filesystem can lead to incomplete container images, which compromise the reliability of SCA tools. In this paper, we examine the limitations of both cloud-based and open-source SCA tools when faced with such obscure images. An analysis of 600 popular containers revealed that obscure containers exist in well-known registries and trusted images and that many tools fail to analyze such containers. To mitigate these issues, we propose an obscuration-resilient methodology for container analysis and introduce ORCA (Obscuration-Resilient Container Analyzer), its open-source implementation. We reported our findings to all vendors using their appropriate channels. Our results demonstrate that ORCA effectively detects the content of obscure containers and achieves a median 40% improvement in file coverage compared to Docker Scout and Syft.
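The abstract describes images whose filesystem was modified in a way that leaves SCA tools with an incomplete view. The following Python example is added here for illustration; it is not ORCA's code and does not claim to reproduce the paper's method. It merges constructed OCI-style layer tarballs with the image-spec whiteout rules a runtime applies, then measures file coverage (the paper's metric: the share of files in the merged rootfs that an inventory accounts for) for a package-database-only inventory versus a plain filesystem walk. The obscuration shown is one assumed, plausible case: a cleanup layer that deletes /var/lib/dpkg, so a scanner that trusts the package database reports nothing while the libraries stay on disk. Package names, versions, paths and file contents are all constructed.

```python
"""Added example (not ORCA's code): merge OCI-style layers, apply whiteouts,
and measure how much of the merged rootfs a package-database inventory covers.
Every layer below is constructed inline for illustration."""
import io
import posixpath
import tarfile

WHITEOUT_PREFIX = ".wh."          # OCI image-spec whiteout marker
OPAQUE_WHITEOUT = ".wh..wh..opq"  # clears a directory's lower-layer contents


def _norm(name: str) -> str:
    """Normalize a tar entry name to 'a/b/c' (no './' prefix, no leading '/')."""
    if name.startswith("./"):
        name = name[2:]
    n = posixpath.normpath(name.lstrip("/"))
    return "" if n == "." else n


def build_layer(entries: dict[str, bytes]) -> bytes:
    """Write a layer tarball of regular files; empty '.wh.*' entries are whiteouts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in entries.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def squash_layers(layers: list[bytes]) -> dict[str, bytes]:
    """Apply layers bottom-up the way a runtime does: '.wh.<name>' removes <name>
    (and anything under it) from lower layers, an opaque whiteout clears the
    directory, then the layer's own files are written on top. Returns path -> bytes."""
    fs: dict[str, bytes] = {}
    for blob in layers:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
            members = tar.getmembers()
            # Whiteouts are applied before this layer's files, so delete-then-recreate works.
            for m in members:
                parent, base = posixpath.split(_norm(m.name))
                if base == OPAQUE_WHITEOUT:
                    prefix = parent + "/" if parent else ""
                    for p in list(fs):
                        if p.startswith(prefix):
                            del fs[p]
                elif base.startswith(WHITEOUT_PREFIX):
                    target = posixpath.join(parent, base[len(WHITEOUT_PREFIX):])
                    for p in list(fs):
                        if p == target or p.startswith(target + "/"):
                            del fs[p]
            for m in members:
                if m.isfile() and not posixpath.basename(m.name).startswith(WHITEOUT_PREFIX):
                    fs[_norm(m.name)] = tar.extractfile(m).read()
    return fs


def package_db_inventory(fs: dict[str, bytes]) -> set[str]:
    """Metadata-only inventory: trust the dpkg database to say which files are
    installed. If the database is missing from the merged rootfs, it reports nothing."""
    status = fs.get("var/lib/dpkg/status")
    if status is None:
        return set()
    reported: set[str] = set()
    for line in status.decode().splitlines():
        if line.startswith("Package:"):
            pkg = line.split(":", 1)[1].strip()
            listing = fs.get(f"var/lib/dpkg/info/{pkg}.list", b"").decode()
            reported.update(_norm(p) for p in listing.splitlines() if p.strip())
    return reported


def filesystem_walk_inventory(fs: dict[str, bytes]) -> set[str]:
    """Inventory every regular file in the merged rootfs, independent of any package database."""
    return set(fs)


def file_coverage(reported: set[str], fs: dict[str, bytes]) -> float:
    """Fraction of regular files in the merged rootfs that an inventory accounts for."""
    files = set(fs)
    return len(reported & files) / len(files) if files else 0.0


ELF = b"\x7fELF" + b"\0" * 12  # constructed stand-in for binary content
BASE_LAYER = build_layer({  # constructed: one package recorded in the dpkg database
    "var/lib/dpkg/status": b"Package: libssl3\nVersion: 3.0.2-0ubuntu1\n\n",
    "var/lib/dpkg/info/libssl3.list":
        b"/usr/lib/x86_64-linux-gnu/libssl.so.3\n/usr/lib/x86_64-linux-gnu/libcrypto.so.3\n",
    "usr/lib/x86_64-linux-gnu/libssl.so.3": ELF,
    "usr/lib/x86_64-linux-gnu/libcrypto.so.3": ELF,
})
APP_LAYER = build_layer({"app/server": ELF})
# A slimming step such as `RUN rm -rf /var/lib/dpkg` produces exactly this whiteout entry.
CLEANUP_LAYER = build_layer({"var/lib/.wh.dpkg": b""})


def compare() -> dict[str, float]:
    """File coverage of each inventory on the intact image and on the obscured one."""
    intact = squash_layers([BASE_LAYER, APP_LAYER])
    obscure = squash_layers([BASE_LAYER, APP_LAYER, CLEANUP_LAYER])
    return {
        "package_db/intact": file_coverage(package_db_inventory(intact), intact),
        "package_db/obscure": file_coverage(package_db_inventory(obscure), obscure),
        "fs_walk/obscure": file_coverage(filesystem_walk_inventory(obscure), obscure),
    }


if __name__ == "__main__":
    for name, cov in compare().items():
        print(f"{name}: {cov:.2f}")
```

On the intact image the package-database inventory already covers only 2 of 5 files (the application binary and the database files themselves belong to no package); once the cleanup layer whites out /var/lib/dpkg it covers nothing, although libssl and libcrypto are still present and still loadable. The filesystem walk is unaffected, which is the kind of gap a coverage metric exposes and a metadata-driven scanner silently misses.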
Problem

Research questions and friction points this paper is trying to address.

Detecting vulnerable components in incomplete container images
Overcoming limitations of SCA tools with obscured containers
Improving file coverage analysis for container security assessment
Innovation

Methods, ideas, or system contributions that make the work stand out.

Obscuration-resilient container analysis methodology
Open-source ORCA implementation for detection
Median 40% file coverage improvement over Docker Scout and Syft on 600 popular images