Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(k8s): add support for vulnerability detection #5268

Merged
merged 33 commits into from
Oct 14, 2023
Merged

feat(k8s): add support for vulnerability detection #5268

Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
33 commits
Select commit Hold shift + click to select a range
a92a5c4
chore(deps): bump trivy-kubernetes
knqyf263 Sep 28, 2023
3bf3125
chore(deps): replace trivy-db
knqyf263 Sep 28, 2023
2f0646f
fix(purl): skip empty qualifiers
knqyf263 Sep 28, 2023
8d6275c
refactor(purl): add Class()
knqyf263 Sep 28, 2023
5e309e6
feat(k8s) add support for vulnerability detection
knqyf263 Sep 28, 2023
7bbd0d0
test(k8s): fix PURL for kubelet
knqyf263 Sep 29, 2023
8a4430d
add sbom analyzer test and integration test
DmitriyLewen Sep 29, 2023
d2cf197
fix typo
DmitriyLewen Sep 29, 2023
b49fe17
update KBOM golden file
DmitriyLewen Sep 29, 2023
88160f5
move test to cyclonedx unmarshal
DmitriyLewen Sep 29, 2023
0765482
feat: support other k8s vendor purl
chen-keinan Oct 4, 2023
96a64a4
Merge branch 'main' into k8s_purl
knqyf263 Oct 4, 2023
0ef7fba
Merge branch 'main' into k8s_purl
knqyf263 Oct 5, 2023
d6bd096
Merge branch 'main' into k8s_purl
knqyf263 Oct 5, 2023
9defd4a
test: multi k8s provider purl
chen-keinan Oct 5, 2023
a640837
test: multi k8s provider purl
chen-keinan Oct 5, 2023
af27321
chore: refer upstream
knqyf263 Oct 5, 2023
5c9d2d0
docs: add a spec for the k8s type
knqyf263 Oct 5, 2023
a0d815d
fix: revert a regression
knqyf263 Oct 5, 2023
a960978
refactor: use strings.Cut
knqyf263 Oct 5, 2023
0ef60ec
fix: skip cloud k8s distributions
knqyf263 Oct 5, 2023
46347bb
test: fix PURLs
knqyf263 Oct 5, 2023
9c35374
chore: downgrade to go 1.20
knqyf263 Oct 5, 2023
07365c6
test(integration): fix k8s PURLs
knqyf263 Oct 5, 2023
e06442d
docs: add info about scan k8s components
DmitriyLewen Oct 6, 2023
241002c
docs: move usage info to kubernetes target
DmitriyLewen Oct 6, 2023
7c98227
docs: specify Kubernetes components
DmitriyLewen Oct 6, 2023
24f2a8b
feat: add cloud k8s distributions
knqyf263 Oct 13, 2023
fe161ce
Merge branch 'main' into k8s_purl
knqyf263 Oct 13, 2023
25bc6c6
fix: add nolint
knqyf263 Oct 13, 2023
10a3dde
docs: typo
knqyf263 Oct 13, 2023
37688b0
fix: use the correct const
knqyf263 Oct 13, 2023
2b2153b
Merge branch 'main' into k8s_purl
knqyf263 Oct 14, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ require (
github.com/aquasecurity/tml v0.6.1
github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917
github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728
github.com/aquasecurity/trivy-kubernetes v0.5.7
github.com/aquasecurity/trivy-kubernetes v0.5.8-0.20230928134646-b414e546fe6d
github.com/aws/aws-sdk-go v1.45.3
github.com/aws/aws-sdk-go-v2 v1.21.0
github.com/aws/aws-sdk-go-v2/config v1.18.38
Expand Down Expand Up @@ -403,3 +403,5 @@ require (
// oras 1.2.2 is incompatible with github.com/docker/docker v24.0.2
// cf. https://github.com/oras-project/oras-go/pull/527
replace oras.land/oras-go => oras.land/oras-go v1.2.4-0.20230801060855-932dd06d38af

replace github.com/aquasecurity/trivy-db => github.com/chen-keinan/trivy-db v0.0.0-20230927090622-d1e5b3f57a57
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO: refer to aquasecurity/trivy-db

8 changes: 4 additions & 4 deletions go.sum
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -344,12 +344,10 @@ github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da h1:pj/adfN
github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da/go.mod h1:852lbQLpK2nCwlR4ZLYIccxYCfoQao6q9Nl6tjz54v8=
github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917 h1:MQd7h7yUyA8UlUzhjNMzpUX0NpD7jfxmRfSKwp/Ji3E=
github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917/go.mod h1:WJ5Qnk5ZNGWvks07GOZe2IOsuXrPfSC5c8hYGOGfrsU=
github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728 h1:0eS+V7SXHgqoT99tV1mtMW6HL4HdoB9qGLMCb1fZp8A=
github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
github.com/aquasecurity/trivy-kubernetes v0.5.7 h1:+tIrSnIkvweL+cuK0SSiYxF8EvKT3Xk1iuE9EWduV+c=
github.com/aquasecurity/trivy-kubernetes v0.5.7/go.mod h1:e1RaMcs2R/C+eP1Pi7JyhDB7Qn1PNRg5rTVwuJL7AiE=
github.com/aquasecurity/trivy-kubernetes v0.5.8-0.20230928134646-b414e546fe6d h1:5urHj0NMGflp/M9Ll5QlKfo0Kf6nJ01RED1HRgl0CeE=
github.com/aquasecurity/trivy-kubernetes v0.5.8-0.20230928134646-b414e546fe6d/go.mod h1:e1RaMcs2R/C+eP1Pi7JyhDB7Qn1PNRg5rTVwuJL7AiE=
github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
Expand Down Expand Up @@ -556,6 +554,8 @@ github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAc
github.com/cheggaaa/pb v1.0.27/go.mod h1:pQciLPpbU0oxA0h+VJYYLxO+XeDQb5pZijXscXHm81s=
github.com/cheggaaa/pb/v3 v3.1.4 h1:DN8j4TVVdKu3WxVwcRKu0sG00IIU6FewoABZzXbRQeo=
github.com/cheggaaa/pb/v3 v3.1.4/go.mod h1:6wVjILNBaXMs8c21qRiaUM8BR82erfgau1DQ4iUXmSA=
github.com/chen-keinan/trivy-db v0.0.0-20230927090622-d1e5b3f57a57 h1:6vTdIRGhNGCaGKduufNEgfvim84k8RGtNwvX2BdWAqE=
github.com/chen-keinan/trivy-db v0.0.0-20230927090622-d1e5b3f57a57/go.mod h1:y6HstYX/kTxFLuojCZ8S72LyHGzUuiiXnaVYCDGUdSE=
github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
Expand Down
9 changes: 9 additions & 0 deletions integration/sbom_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,15 @@ func TestSBOM(t *testing.T) {
},
golden: "testdata/fluentd-multiple-lockfiles.json.golden",
},
{
name: "minikube KBOM",
args: args{
input: "testdata/fixtures/sbom/minikube-kbom.json",
format: "json",
artifactType: "cyclonedx",
},
golden: "testdata/minikube-kbom.json.golden",
},
{
name: "centos7 in in-toto attestation",
args: args{
Expand Down
5 changes: 5 additions & 0 deletions integration/testdata/fixtures/db/data-source.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -144,3 +144,8 @@
ID: "cbl-mariner"
Name: "CBL-Mariner Vulnerability Data"
URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData"
- key: kubernetes::Official Kubernetes CVE Feed
value:
ID: "kubernetes"
Name: "Official Kubernetes CVE Feed"
URL: "https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json"
16 changes: 16 additions & 0 deletions integration/testdata/fixtures/db/k8s.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
- bucket: "kubernetes::Official Kubernetes CVE Feed"
pairs:
- bucket: k8s.io/kubelet
pairs:
- key: CVE-2023-2431
value:
PatchedVersions:
- 1.24.14
- 1.25.9
- 1.26.4
- 1.27.1
VulnerableVersions:
- "< 1.24.14"
- ">= 1.25.0, < 1.25.9"
- ">= 1.26.0, < 1.26.4"
- ">= 1.27.0, < 1.27.1"
14 changes: 14 additions & 0 deletions integration/testdata/fixtures/db/vulnerability.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1037,6 +1037,20 @@
ghsa: 3.0
nvd: 3.0
redhat: 3.0
- key: CVE-2023-2431
value:
Title: "Bypass of seccomp profile enforcement "
Description: "A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement..."
Severity: LOW
VendorSeverity:
kubernetes: 1
CVSS:
kubernetes:
V3Vector: "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
V3Score: 3.4
References:
- https://github.com/kubernetes/kubernetes/issues/118690
- https://www.cve.org/cverecord?id=CVE-2023-2431
- key: CVE-2021-3712
value:
CVSS:
Expand Down
Loading