"trivy kubernetes" (v0.47.0) panics in GitLab CI pipeline job

[elchenberg]

Description

I have a GitLab CI pipeline job that runs trivy kubernetes [...]. It runs without issues with Trivy v0.46.1 but when I try to update to Trivy v0.47.0 it panics.

I suspect that this might be related to the kubeconfig: There is no kubeconfig in the pipeline job.

$ kubectl config view
apiVersion: v1
clusters: null
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null

Instead of a kubeconfig kubectl uses the job's serviceaccount token (located at /var/run/secrets/kubernetes.io/serviceaccount/token).

Desired Behavior

No panic.

Actual Behavior

Panic.

Reproduction Steps

1. Have a GitLab Runner using a Kubernetes executor.
2. Have a pipeline job that runs `trivy kubernetes`:


trivy kubernetes:
  image: docker.io/aquasec/trivy:0.47.0
  script:
    - trivy --debug kubernetes --exit-code 1 --namespace=default --no-progress --report all --scanners config --severity MEDIUM,HIGH,CRITICAL all

Target

Kubernetes

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Debug Output

2023-11-14T17:33:45.723Z	DEBUG	Severities: ["MEDIUM" "HIGH" "CRITICAL"]
2023-11-14T17:33:45.724Z	DEBUG	Ignore statuses	{"statuses": null}
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x6478eb4]
goroutine 1 [running]:
github.com/aquasecurity/trivy-kubernetes/pkg/k8s.(*cluster).ClusterNameVersion(0xc0014ef810)
	/home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/k8s/k8s.go:507 +0xf4
github.com/aquasecurity/trivy-kubernetes/pkg/k8s.(*cluster).getClusterBomInfo(0xc000828000?, {0xc001eb2000, 0x20, 0x21}, {0xc00194d500, 0x6, 0x8})
	/home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/k8s/k8s.go:487 +0x4d
github.com/aquasecurity/trivy-kubernetes/pkg/k8s.(*cluster).CreateClusterBom(0x0?, {0x8cd9090, 0xc0018fbf20})
	/home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/k8s/k8s.go:347 +0x47f
github.com/aquasecurity/trivy-kubernetes/pkg/trivyk8s.(*client).ListBomInfo(0xc0004ad400, {0x8cd9090, 0xc0018fbf20})
	/home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/trivyk8s/trivyk8s.go:221 +0x7f
github.com/aquasecurity/trivy-kubernetes/pkg/trivyk8s.(*client).ListArtifacts(0xc0004ad400, {0x8cd9090, 0xc0018fbf20})
	/home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/trivyk8s/trivyk8s.go:159 +0x39e
github.com/aquasecurity/trivy/pkg/k8s/commands.namespaceRun({_, _}, {{{0x78de96c, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, {0xc00089e030, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/k8s/commands/namespace.go:26 +0x245
github.com/aquasecurity/trivy/pkg/k8s/commands.Run({_, _}, {_, _, _}, {{{0x78de96c, 0xa}, 0x0, 0x0, 0x1, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/k8s/commands/run.go:50 +0x34c
github.com/aquasecurity/trivy/pkg/commands.NewKubernetesCommand.func2(0xc00037ac00, {0xc00132b080, 0x1, 0xc})
	/home/runner/work/trivy/trivy/pkg/commands/app.go:943 +0x1d6
github.com/spf13/cobra.(*Command).execute(0xc00037ac00, {0xc00132afc0, 0xc, 0xc})
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:940 +0x862
github.com/spf13/cobra.(*Command).ExecuteC(0xc000004f00)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1068 +0x3bd
github.com/spf13/cobra.(*Command).Execute(0x7941b91?)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:992 +0x19
main.run()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:35 +0x16a
main.main()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:17 +0x19

### Operating System

Docker

### Version

```bash
docker.io/aquasec/trivy:0.47.0

Checklist

• Run trivy image --reset
• Read the troubleshooting

[apinter]

So no... apparently I didn't do my research properly 🙃
Same issue: #5621

[apinter]

For the record, I'm also not using a kube config, but rely on the token from the serviceAccount the pod receives when deployed.

[knqyf263]

@chen-keinan Please take a look.

[chen-keinan]

created issue #5628 5628