feat(k8s): add support for vulnerability detection (#5268)
Signed-off-by: knqyf263 <[email protected]>
Signed-off-by: chenk <[email protected]>
Co-authored-by: DmitriyLewen <[email protected]>
Co-authored-by: chenk <[email protected]>
3 people authored Oct 14, 2023
1 parent 24a0d92 commit cbbd1ce
Showing 21 changed files with 1,451 additions and 117 deletions.
9 changes: 5 additions & 4 deletions docs/docs/scanner/vulnerability.md
Expand Up @@ -5,6 +5,7 @@ The following packages are supported.

- [OS packages](#os-packages)
- [Language-specific packages](#language-specific-packages)
- [Kubernetes components (control plane, node and addons)](#kubernetes-components-control-plane-node-and-addons)

Trivy also detects known vulnerabilities in Kubernetes components using KBOM (Kubernetes bill of Material) scanning. To learn more, see the [documentation for Kubernetes scanning](../target/kubernetes.md#KBOM).

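Review bot: the expansion written in the new paragraph, `KBOM (Kubernetes bill of Material)`, should read `Kubernetes Bill of Materials`, the usual expansion of the acronym. Two anchors in this hunk are also worth a build check: `../target/kubernetes.md#KBOM` uses an upper-case fragment while docs toolchains normally emit lowercase heading slugs, and `#kubernetes-components-control-plane-node-and-addons` must match the slug of the `Kubernetes components (control plane, node and addons)` heading added further down in this file.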
Expand Down Expand Up @@ -106,9 +107,9 @@ Trivy can detect vulnerabilities in Kubernetes clusters and components.

### Data Sources

| Vendor | Source |
| ------------- | ------------------------------------------------------------ |
| Kubernetes | [Kubernetes Official CVE feed][^1] |
| Vendor | Source |
| ------------- |---------------------------------------------|
| Kubernetes | [Kubernetes Official CVE feed][k8s-cve][^1] |

[^1]: Some manual triage and correction has been made.

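Review bot: the footnote `Some manual triage and correction has been made` does not say who performs the triage or where the corrected data lives; a half sentence naming the Trivy maintainers and the vulnerability database as the place corrections are applied would tell readers that the source is not the raw feed. The table change itself is a real fix: the old `[Kubernetes Official CVE feed][^1]` used the footnote marker as the link reference label, so the link could not resolve, and splitting it into `[k8s-cve][^1]` makes the link and the footnote independent.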
Expand Down Expand Up @@ -195,4 +196,4 @@ Currently, specifying a username and password is not supported.

[nvd]: https://nvd.nist.gov/vuln

[Kubernetes Official CVE feed]: https://kubernetes.io/docs/reference/issues-security/official-cve-feed/
[k8s-cve]: https://kubernetes.io/docs/reference/issues-security/official-cve-feed/
4 changes: 2 additions & 2 deletions go.mod
Expand Up @@ -23,9 +23,9 @@ require (
github.com/aquasecurity/table v1.8.0
github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da
github.com/aquasecurity/tml v0.6.1
github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917
github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d
github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728
github.com/aquasecurity/trivy-kubernetes v0.5.7
github.com/aquasecurity/trivy-kubernetes v0.5.8-0.20230928134646-b414e546fe6d
github.com/aws/aws-sdk-go v1.45.19
github.com/aws/aws-sdk-go-v2 v1.21.0
github.com/aws/aws-sdk-go-v2/config v1.18.38
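Review bot: `github.com/aquasecurity/trivy-kubernetes` is pinned to the pre-release pseudo-version `v0.5.8-0.20230928134646-b414e546fe6d` instead of a tagged release; pin to a tagged `v0.5.8` (or record the follow-up) before this ships so the dependency resolves from a tag rather than a branch commit. The commit message should also state what this change needs from the `trivy-db` bump to `v0.0.0-20231005141211-4fc651f7ac8d` (the `k8s` data source the fixtures below rely on), so the two bumps can be reviewed together.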
8 changes: 4 additions & 4 deletions go.sum
Expand Up @@ -343,12 +343,12 @@ github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da h1:pj/adfN
github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da/go.mod h1:852lbQLpK2nCwlR4ZLYIccxYCfoQao6q9Nl6tjz54v8=
github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917 h1:MQd7h7yUyA8UlUzhjNMzpUX0NpD7jfxmRfSKwp/Ji3E=
github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917/go.mod h1:WJ5Qnk5ZNGWvks07GOZe2IOsuXrPfSC5c8hYGOGfrsU=
github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d h1:fjI9mkoTUAkbGqpzt9nJsO24RAdfG+ZSiLFj0G2jO8c=
github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d/go.mod h1:cj9/QmD9N3OZnKQMp+/DvdV+ym3HyIkd4e+F0ZM3ZGs=
github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728 h1:0eS+V7SXHgqoT99tV1mtMW6HL4HdoB9qGLMCb1fZp8A=
github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
github.com/aquasecurity/trivy-kubernetes v0.5.7 h1:+tIrSnIkvweL+cuK0SSiYxF8EvKT3Xk1iuE9EWduV+c=
github.com/aquasecurity/trivy-kubernetes v0.5.7/go.mod h1:e1RaMcs2R/C+eP1Pi7JyhDB7Qn1PNRg5rTVwuJL7AiE=
github.com/aquasecurity/trivy-kubernetes v0.5.8-0.20230928134646-b414e546fe6d h1:5urHj0NMGflp/M9Ll5QlKfo0Kf6nJ01RED1HRgl0CeE=
github.com/aquasecurity/trivy-kubernetes v0.5.8-0.20230928134646-b414e546fe6d/go.mod h1:e1RaMcs2R/C+eP1Pi7JyhDB7Qn1PNRg5rTVwuJL7AiE=
github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
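Review bot: the `/go.mod` checksum for trivy-kubernetes is identical before and after the bump (`e1RaMcs2R/C+eP1Pi7JyhDB7Qn1PNRg5rTVwuJL7AiE=` on both the `v0.5.7` and the `v0.5.8-0.20230928134646-b414e546fe6d` lines), which is only expected if that module's own go.mod did not change between the two commits; a `go mod tidy` followed by `go mod verify` on this branch would confirm the sums and that no stale entries remain.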
9 changes: 9 additions & 0 deletions integration/sbom_test.go
Expand Up @@ -58,6 +58,15 @@ func TestSBOM(t *testing.T) {
},
golden: "testdata/fluentd-multiple-lockfiles.json.golden",
},
{
name: "minikube KBOM",
args: args{
input: "testdata/fixtures/sbom/minikube-kbom.json",
format: "json",
artifactType: "cyclonedx",
},
golden: "testdata/minikube-kbom.json.golden",
},
{
name: "centos7 in in-toto attestation",
args: args{
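Review bot: the new `minikube KBOM` case references `testdata/fixtures/sbom/minikube-kbom.json` and `testdata/minikube-kbom.json.golden`, neither of which is shown in this diff; confirm both are among the 21 changed files, and check that the golden contains at least one finding from the new `k8s` source (CVE-2023-2431 against `k8s.io/kubelet`, the only entry in the fixture DB) so that the case actually fails if KBOM detection regresses rather than passing on an empty result.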
5 changes: 5 additions & 0 deletions integration/testdata/fixtures/db/data-source.yaml
Expand Up @@ -144,3 +144,8 @@
ID: "cbl-mariner"
Name: "CBL-Mariner Vulnerability Data"
URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData"
- key: k8s::Official Kubernetes CVE Feed
value:
ID: "k8s"
Name: "Official Kubernetes CVE Feed"
URL: "https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json"
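Review bot: the `Name` here, `Official Kubernetes CVE Feed`, differs from the wording used in the docs table, `Kubernetes Official CVE feed`; align one with the other so the data-source name shown in scan output matches the documentation. The key `k8s::Official Kubernetes CVE Feed` does match the top-level bucket name in `k8s.yaml`, which is what the integration test depends on.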
16 changes: 16 additions & 0 deletions integration/testdata/fixtures/db/k8s.yaml
@@ -0,0 +1,16 @@
- bucket: "k8s::Official Kubernetes CVE Feed"
pairs:
- bucket: k8s.io/kubelet
pairs:
- key: CVE-2023-2431
value:
PatchedVersions:
- 1.24.14
- 1.25.9
- 1.26.4
- 1.27.1
VulnerableVersions:
- "< 1.24.14"
- ">= 1.25.0, < 1.25.9"
- ">= 1.26.0, < 1.26.4"
- ">= 1.27.0, < 1.27.1"
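Review bot: the first constraint, `< 1.24.14`, also covers every minor release older than 1.24, so the fixture flags any pre-1.24 kubelet; if that is intended (older branches never received the fix), a comment in the fixture saying so would save the next reader a check against the advisory. The versions are also written without a `v` prefix, so make sure the component versions in the KBOM test input are in the same form, or that the matcher normalizes the prefix, otherwise none of these constraints will match.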
14 changes: 14 additions & 0 deletions integration/testdata/fixtures/db/vulnerability.yaml
Expand Up @@ -1037,6 +1037,20 @@
ghsa: 3.0
nvd: 3.0
redhat: 3.0
- key: CVE-2023-2431
value:
Title: "Bypass of seccomp profile enforcement "
Description: "A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement..."
Severity: LOW
VendorSeverity:
k8s: 1
CVSS:
k8s:
V3Vector: "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
V3Score: 3.4
References:
- https://github.com/kubernetes/kubernetes/issues/118690
- https://www.cve.org/cverecord?id=CVE-2023-2431
- key: CVE-2021-3712
value:
CVSS:
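Review bot: `Title` carries a trailing space (`"Bypass of seccomp profile enforcement "`) that will end up in the rendered title and the golden file; trim it. `Severity: LOW` is consistent with the CVSS v3 score of 3.4 and with `VendorSeverity.k8s: 1`. The `Description` is deliberately truncated with `...`, which is fine for a fixture, but the golden will embed that exact text, so the two must be updated together if the description is ever expanded.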