
feat: scan vulns on k8s core component apps #5418

Merged
merged 1 commit into from
Nov 1, 2023

Conversation

chen-keinan
Contributor

@chen-keinan chen-keinan commented Oct 20, 2023

Description

scan vulns on k8s core component apps

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).

Example (Summary):

trivy k8s cluster --scanners vuln  --report summary

40.61 MiB / 40.61 MiB [---------------------------------------------------------------------------------------------------------------------------------] 100.00% 13.89 MiB p/s 3.1s
220 / 220 [---------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 67 p/s

Summary Report for kind-kind


Workload Assessment
┌────────────────────┬────────────────────────────────────────────────┬───────────────────────┐
│     Namespace      │                    Resource                    │    Vulnerabilities    │
│                    │                                                ├────┬────┬────┬────┬───┤
│                    │                                                │ C  │ H  │ M  │ L  │ U │
├────────────────────┼────────────────────────────────────────────────┼────┼────┼────┼────┼───┤
│ local-path-storage │ Deployment/local-path-provisioner              │ 4  │ 32 │ 10 │ 2  │   │
│ kube-system        │ Pod/etcd-kind-control-plane                    │    │    │    │    │ 6 │
│ kube-system        │ Deployment/coredns                             │    │ 10 │ 7  │ 1  │   │
│ kube-system        │ DaemonSet/kube-proxy                           │ 18 │ 43 │ 39 │ 78 │ 2 │
│ kube-system        │ ControlPlaneComponents/k8s.io/apiserver        │    │    │ 3  │    │   │
│ kube-system        │ Pod/kube-apiserver-kind-control-plane          │    │    │    │    │ 4 │
│ kube-system        │ DaemonSet/kindnet                              │ 18 │ 53 │ 49 │ 78 │ 2 │
│ kube-system        │ Pod/kube-controller-manager-kind-control-plane │    │    │    │    │ 4 │
│ kube-system        │ Pod/kube-scheduler-kind-control-plane          │    │    │    │    │ 4 │
│                    │ NodeComponents/kind-control-plane              │    │ 4  │ 6  │ 2  │   │
└────────────────────┴────────────────────────────────────────────────┴────┴────┴────┴────┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

Example (All):

trivy k8s cluster --scanners vuln  --report all

220 / 220 [---------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 77 p/s

ControlPlaneComponents/k8s.io/apiserver (kubernetes)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌──────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability │ Severity │ Status │ Installed Version │          Fixed Version           │                           Title                           │
├──────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ k8s.io/apiserver │ CVE-2022-3162 │ MEDIUM   │ fixed  │ 1.21.1            │ 1.22.16, 1.23.14, 1.24.8, 1.25.4 │ Unauthorized read of Custom Resources                     │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2022-3162                 │
│                  ├───────────────┤          │        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│                  │ CVE-2023-2727 │          │        │                   │ 1.24.15, 1.25.11, 1.26.6, 1.27.3 │ Bypassing policies imposed by the ImagePolicyWebhook      │
│                  │               │          │        │                   │                                  │ admission plugin                                          │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2727                 │
│                  ├───────────────┤          │        │                   │                                  ├───────────────────────────────────────────────────────────┤
│                  │ CVE-2023-2728 │          │        │                   │                                  │ Bypassing enforce mountable secrets policy imposed by the │
│                  │               │          │        │                   │                                  │ ServiceAccount admission plugin...                        │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2728                 │
└──────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────────────┘

NodeComponents/kind-control-plane (kubernetes)

Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────┐
│    Library     │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version           │                       Title                       │
├────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2023-2431  │ LOW      │ fixed  │ 1.21.1            │ 1.24.14, 1.25.10, 1.26.5, 1.27.2 │ Bypass of seccomp profile enforcement             │
│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2431         │
│                ├────────────────┼──────────┤        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────┤
│                │ CVE-2021-25741 │ HIGH     │        │                   │ 1.19.16, 1.20.11, 1.21.5, 1.22.1 │ Symlink exchange can allow host filesystem access │
│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2021-25741        │
│                ├────────────────┤          │        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────┤
│                │ CVE-2021-25749 │          │        │                   │ 1.22.14, 1.23.11, 1.24.5         │ runAsNonRoot logic bypass for Windows containers  │
│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2021-25749        │
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────┘

kind-control-plane (gobinary)

Total: 9 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 2, CRITICAL: 0)

┌──────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────────────┬──────────────────────────────────────────────────────────────┐
│             Library              │    Vulnerability    │ Severity │ Status │ Installed Version │     Fixed Version     │                            Title                             │
├──────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/containerd/containerd │ CVE-2022-23471      │ MEDIUM   │ fixed  │ 1.5.2             │ 1.5.16, 1.6.12        │ containerd is an open source container runtime. A bug was    │
│                                  │                     │          │        │                   │                       │ found in...                                                  │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-23471                   │
│                                  ├─────────────────────┼──────────┤        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2022-23648      │ HIGH     │        │                   │ 1.4.13, 1.5.10, 1.6.1 │ insecure handling of image volumes                           │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-23648                   │
│                                  ├─────────────────────┼──────────┤        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-25173      │ MEDIUM   │        │                   │ 1.5.18, 1.6.18        │ Supplementary groups are not set up properly                 │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-25173                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2021-41103      │          │        │                   │ 1.4.11, 1.5.7         │ insufficiently restricted permissions on container root and  │
│                                  │                     │          │        │                   │                       │ plugin directories                                           │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-41103                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-25153      │          │        │                   │ 1.5.18, 1.6.18        │ OCI image importer memory exhaustion                         │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-25153                   │
│                                  ├─────────────────────┼──────────┤        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ GHSA-5j5w-g665-5m35 │ LOW      │        │                   │ 1.4.12, 1.5.8         │ Ambiguous OCI manifest parsing                               │
│                                  │                     │          │        │                   │                       │ https://github.com/advisories/GHSA-5j5w-g665-5m35            │
│                                  ├─────────────────────┼──────────┤        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2021-32760      │ MEDIUM   │        │                   │ 1.4.8, 1.5.4          │ pulling and extracting crafted container image may result in │
│                                  │                     │          │        │                   │                       │ Unix file permission...                                      │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-32760                   │
│                                  ├─────────────────────┼──────────┤        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2021-43816      │ HIGH     │        │                   │ 1.5.9                 │ Unprivileged pod may bind mount any privileged regular file  │
│                                  │                     │          │        │                   │                       │ on disk                                                      │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-43816                   │
│                                  ├─────────────────────┼──────────┤        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2022-31030      │ MEDIUM   │        │                   │ 1.5.13, 1.6.6         │ containerd is an open source container runtime. A bug was    │
│                                  │                     │          │        │                   │                       │ found in...                                                  │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-31030                   │
└──────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────────────┴──────────────────────────────────────────────────────────────┘
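The "Fixed Version" column above lists one fix per Kubernetes release branch, so whether a control-plane component such as k8s.io/apiserver 1.21.1 is affected comes down to comparing the installed version against the fix for its own major.minor branch. The following is an added, self-contained Go example and not Trivy's code (Trivy resolves this against its vulnerability database); the `Version` type, `ParseVersion` and `Affected` are constructed for the example, and the fallback rule for a branch that has no listed fix is an assumption of this example, not Trivy's documented behaviour. The sample findings are copied from the report in this PR description.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed major.minor.patch tuple (constructed helper type; not from Trivy).
type Version struct {
	Major, Minor, Patch int
}

// ParseVersion parses "1.21.1" or "v1.21.1" into a Version.
func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("expected major.minor.patch, got %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return Version{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		n[i] = v
	}
	return Version{n[0], n[1], n[2]}, nil
}

// Less reports whether v is older than o.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

func (v Version) String() string { return fmt.Sprintf("%d.%d.%d", v.Major, v.Minor, v.Patch) }

// Affected decides whether installed is affected by an advisory whose fixes are a
// comma-separated list with one fix per release branch (the "Fixed Version" column).
// Rule (assumed for this example):
//  1. A fix exists on the installed major.minor branch: affected iff older than it.
//  2. No fix on that branch: affected iff older than the newest listed fix (an
//     unpatched, likely end-of-life branch); newer than every fix means not affected.
func Affected(installed, fixedCSV string) (bool, string, error) {
	inst, err := ParseVersion(installed)
	if err != nil {
		return false, "", err
	}
	var newest Version
	haveAny := false
	for _, f := range strings.Split(fixedCSV, ",") {
		fix, err := ParseVersion(f)
		if err != nil {
			return false, "", err
		}
		if fix.Major == inst.Major && fix.Minor == inst.Minor {
			if inst.Less(fix) {
				return true, fmt.Sprintf("%s is older than branch fix %s", inst, fix), nil
			}
			return false, fmt.Sprintf("%s includes branch fix %s", inst, fix), nil
		}
		if !haveAny || newest.Less(fix) {
			newest, haveAny = fix, true
		}
	}
	if !haveAny {
		return false, "", fmt.Errorf("no fixed versions listed")
	}
	if inst.Less(newest) {
		return true, fmt.Sprintf("no fix on the %d.%d branch; %s is older than newest fix %s",
			inst.Major, inst.Minor, inst, newest), nil
	}
	return false, fmt.Sprintf("%s is newer than every listed fix", inst), nil
}

func main() {
	// Findings copied from the report tables in this PR description.
	findings := []struct{ component, id, installed, fixed string }{
		{"k8s.io/apiserver", "CVE-2022-3162", "1.21.1", "1.22.16, 1.23.14, 1.24.8, 1.25.4"},
		{"k8s.io/kubelet", "CVE-2023-2431", "1.21.1", "1.24.14, 1.25.10, 1.26.5, 1.27.2"},
		{"k8s.io/kubelet", "CVE-2021-25741", "1.21.1", "1.19.16, 1.20.11, 1.21.5, 1.22.1"},
	}
	for _, f := range findings {
		hit, why, err := Affected(f.installed, f.fixed)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-16s %-15s affected=%-5v %s\n", f.component, f.id, hit, why)
	}
}
```

All three findings in the report come out as affected: the 1.21 branch has no fix at all for CVE-2022-3162 and CVE-2023-2431, while for CVE-2021-25741 the branch fix 1.21.5 is newer than the installed 1.21.1. A version that already includes its branch fix, or one newer than every listed fix, is reported as not affected.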

@chen-keinan chen-keinan marked this pull request as ready for review October 22, 2023 11:39
@chen-keinan
Contributor Author

chen-keinan commented Oct 22, 2023

@knqyf263 please review and see if it fits. It is missing the client/server k8s scanning, as ScanTarget is not exposed in client/server mode.

@chen-keinan chen-keinan added kind/bug Categorizes issue or PR as related to a bug. and removed kind/bug Categorizes issue or PR as related to a bug. labels Oct 23, 2023
Collaborator

@knqyf263 knqyf263 left a comment


Looks good!

It is missing the client/server k8s scanning, as ScanTarget is not exposed in client/server mode.

Does trivy k8s support client/server?

@chen-keinan
Contributor Author

chen-keinan commented Oct 30, 2023

Looks good!

It is missing the client/server k8s scanning, as ScanTarget is not exposed in client/server mode.

Does trivy k8s support client/server?

Apparently not, I think only CLI flags are missing.

@knqyf263
Collaborator

Apparently not, I think only CLI flags are missing.

Do you want to add support for client/server in k8s scanning, and then merge this PR? If not, we can merge the PR now.

@chen-keinan
Contributor Author

chen-keinan commented Oct 31, 2023

Apparently not, I think only CLI flags are missing.

Do you want to add support for client/server in k8s scanning, and then merge this PR? If not, we can merge the PR now.

Let's merge it and I'll add client/server support in a separate PR.
Related issue #5487

@knqyf263 knqyf263 added this pull request to the merge queue Nov 1, 2023
Merged via the queue into aquasecurity:main with commit f3de7bc Nov 1, 2023
13 checks passed
@jkroepke jkroepke mentioned this pull request Nov 7, 2023
Successfully merging this pull request may close these issues.

Add support for k8s core components vulns scanning