
trivy k8s: Not able to ignore vulnerabilities for k8s core components #5675

Closed
2 tasks done
chen-keinan opened this issue Nov 29, 2023 Discussed in #5673 · 0 comments · Fixed by #5713
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@chen-keinan

Discussed in #5673

Originally posted by torbenstruever November 28, 2023

Description

With release 0.47.0 a feature was introduced to "trivy k8s" command which scans k8s core components.
Since then I get the following CVEs reported for my kubernetes 1.26.6:

NodeComponents/aks-toolsv2mz-41823432-vmss000003 (kubernetes)

Total: 2 (HIGH: 2, CRITICAL: 0)

┌────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│    Library     │ Vulnerability │ Severity │ Status │ Installed Version │              Fixed Version               │                            Title                             │
├────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2023-3676 │ HIGH     │ fixed  │ 1.26.6            │ 1.28.1, 1.27.5, 1.26.8, 1.25.13, 1.24.17 │ kubernetes: Insufficient input sanitization on Windows nodes │
│                │               │          │        │                   │                                          │ leads to privilege escalation                                │
│                │               │          │        │                   │                                          │ https://avd.aquasec.com/nvd/cve-2023-3676                    │
│                ├───────────────┤          │        │                   │                                          ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2023-3955 │          │        │                   │                                          │ kubernetes: Insufficient input sanitization on Windows nodes │
│                │               │          │        │                   │                                          │ leads to privilege escalation                                │
│                │               │          │        │                   │                                          │ https://avd.aquasec.com/nvd/cve-2023-3955                    │
└────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────────────┴──────────────────────────────────────────────────────────────┘

I would like to ignore these, as I only run Linux nodes, but it's not possible. I know my ignorefile gets read, as I am able to ignore other vulnerabilities which do not come from core components.

Content of ignorefile:

# Ignore the following vulnerability IDs
# <ID>
CVE-2023-3676
CVE-2023-3955

Content of configfile:

timeout: 10m
quiet: false
debug: true
format: table
exit-code: 1
severity:
  - HIGH
  - CRITICAL
vulnerability:
  ignore-unfixed: true
scan:
  scanners:
    - vuln
report: all

Desired Behavior

Be able to ignore k8s core component vulnerabilities

Actual Behavior

Vulnerabilities are shown, even if they are listed in the trivyignore file.

Reproduction Steps

1. run `trivy k8s -n <namespace> --config <configfile> --ignorefile <ignorefile> all`

Target

None

Scanner

None

Output Format

None

Mode

None

Debug Output

➜  infrastructure git:(ts-securityv2) ✗ trivy k8s -n external-secrets --config ci-cd/trivy/trivy-image.conf --ignorefile ci-cd/trivy/trivyignoe-external-secrets-image.conf --kubeconfig /home/torben/repos/infrastructure/k8s-cluster/ansible/inventory/prod-europe-west/kubeconfig all     
2023-11-28T14:42:23.649+0100    INFO    Loaded ci-cd/trivy/trivy-image.conf
2023-11-28T14:42:23.653+0100    DEBUG   Severities: ["HIGH" "CRITICAL"]
2023-11-28T14:42:23.654+0100    DEBUG   Ignore statuses {"statuses": ["unknown","not_affected","affected","under_investigation","will_not_fix","fix_deferred","end_of_life"]}
2023-11-28T14:42:26.707+0100    DEBUG   cache dir:  /home/torben/.cache/trivy
2023-11-28T14:42:26.709+0100    DEBUG   DB update was skipped because the local DB is the latest
2023-11-28T14:42:26.709+0100    DEBUG   DB Schema: 2, UpdatedAt: 2023-11-28 12:13:10.475790436 +0000 UTC, NextUpdate: 2023-11-28 18:13:10.475789504 +0000 UTC, DownloadedAt: 2023-11-28 13:38:49.133167144 +0000 UTC
14 / 14 [----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 3 p/s

NodeComponents/aks-kubernetes-15995198-vmss000001 (kubernetes)

Total: 2 (HIGH: 2, CRITICAL: 0)

┌────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│    Library     │ Vulnerability │ Severity │ Status │ Installed Version │              Fixed Version               │                            Title                             │
├────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2023-3676 │ HIGH     │ fixed  │ 1.26.6            │ 1.28.1, 1.27.5, 1.26.8, 1.25.13, 1.24.17 │ kubernetes: Insufficient input sanitization on Windows nodes │
│                │               │          │        │                   │                                          │ leads to privilege escalation                                │
│                │               │          │        │                   │                                          │ https://avd.aquasec.com/nvd/cve-2023-3676                    │
│                ├───────────────┤          │        │                   │                                          ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2023-3955 │          │        │                   │                                          │ kubernetes: Insufficient input sanitization on Windows nodes │
│                │               │          │        │                   │                                          │ leads to privilege escalation                                │
│                │               │          │        │                   │                                          │ https://avd.aquasec.com/nvd/cve-2023-3955                    │
└────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────────────┴──────────────────────────────────────────────────────────────┘

Operating System

Ubuntu 20.04.6 LTS

Version

➜  infrastructure git:(ts-securityv2) ✗ trivy --version
Version: 0.47.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-11-28 12:13:10.475790436 +0000 UTC
  NextUpdate: 2023-11-28 18:13:10.475789504 +0000 UTC
  DownloadedAt: 2023-11-28 13:38:49.133167144 +0000 UTC

Checklist

@chen-keinan chen-keinan added the kind/bug Categorizes issue or PR as related to a bug. label Nov 29, 2023
@chen-keinan chen-keinan self-assigned this Nov 29, 2023
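As an added example (not part of the issue or of Trivy's code), a Python post-filter that re-applies a .trivyignore to Trivy's JSON report, so the IDs listed there can be verified as suppressed independently of the scanner while node-component findings bypass the ignorefile. The report and ignorefile contents are constructed to mirror the kubelet findings above; the handling of `exp:` expiry dates is this script's own reading of the documented ignorefile format, not Trivy's parser.

```python
import json
from datetime import date, datetime

# Constructed sample in the shape of Trivy's JSON report ("Results" ->
# "Vulnerabilities"): the two kubelet CVEs from the issue plus a made-up
# ID (CVE-2099-0001) whose ignore entry has already expired.
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "NodeComponents/aks-node-000001 (kubernetes)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-3676", "PkgName": "k8s.io/kubelet", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2023-3955", "PkgName": "k8s.io/kubelet", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2099-0001", "PkgName": "k8s.io/kubelet", "Severity": "CRITICAL"},
    ]}]})

# Constructed .trivyignore: '#' comments, blank lines, one ID per line,
# optional 'exp:YYYY-MM-DD' after the ID (entry in force through that day).
SAMPLE_IGNOREFILE = """\
# Ignore the following vulnerability IDs
CVE-2023-3676
CVE-2023-3955 exp:2099-12-31

# expired entry: must no longer suppress the finding
CVE-2099-0001 exp:2000-01-01
"""

def parse_ignorefile(text, today=None):
    """Return the set of IDs whose ignore entry is still in force on `today`."""
    today, active = today or date.today(), set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()          # drop comments, tokenize
        if not fields:
            continue
        expiry = [f[4:] for f in fields[1:] if f.startswith("exp:")]
        if not expiry or datetime.strptime(expiry[0], "%Y-%m-%d").date() >= today:
            active.add(fields[0])
    return active

def filter_report(report_json, ignore_text, today=None):
    """Drop ignored findings from a Trivy JSON report; return (report, dropped IDs)."""
    ignored, dropped = parse_ignorefile(ignore_text, today), []
    report = json.loads(report_json)
    for result in report.get("Results", []):
        kept = []
        for vuln in result.get("Vulnerabilities") or []:
            if vuln["VulnerabilityID"] in ignored:
                dropped.append(vuln["VulnerabilityID"])
            else:
                kept.append(vuln)
        result["Vulnerabilities"] = kept    # same shape as the input report
    return report, dropped
```

Run it against `trivy k8s ... --format json` output to confirm that every ID in the ignorefile is actually absent from the filtered report, and to get a list of what was suppressed for the audit trail.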