feat(k8s): add support for vulnerability detection #5268
Signed-off-by: knqyf263 <[email protected]>
go.mod (outdated)
@@ -403,3 +403,5 @@ require ( | |||
// oras 1.2.2 is incompatible with github.com/docker/docker v24.0.2 | |||
// cf. https://github.com/oras-project/oras-go/pull/527 | |||
replace oras.land/oras-go => oras.land/oras-go v1.2.4-0.20230801060855-932dd06d38af | |||
|
|||
replace github.com/aquasecurity/trivy-db => github.com/chen-keinan/trivy-db v0.0.0-20230927090622-d1e5b3f57a57 |
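Review bot: merging with this `replace` in place would build Trivy against a personal fork of the advisory database (`github.com/chen-keinan/trivy-db` at a pseudo-version) rather than `aquasecurity/trivy-db`; as the TODO on this line notes, the directive should be pointed back at the upstream module, or dropped entirely, once the trivy-db changes land there. Until then, a comment naming the trivy-db PR it is waiting on, in the same style as the oras comment two lines above, would make the temporary nature of the pin obvious to anyone reading go.mod.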
TODO: refer to aquasecurity/trivy-db
{ | ||
"bom-ref": "5262e708-f1a3-4fca-a1c3-0a8384f7f4a5", | ||
"type": "operating-system", | ||
"name": "ubuntu", |
I created this KBOM file using Trivy.
Why don't we include OS packages like in table format?
➜ trivy -d k8s cluster --report all
...
registry.k8s.io/kube-proxy:v1.27.4 (debian 11.6)
================================================
Total: 36 (UNKNOWN: 0, LOW: 22, MEDIUM: 12, HIGH: 2, CRITICAL: 0)
pkg/k8s/scanner/scanner.go (outdated)
@@ -254,6 +256,7 @@ func clusterInfoToReportResources(allArtifact []*artifacts.Artifact) (*core.Comp | |||
Type: cdx.ComponentTypeApplication, | |||
Properties: toProperties(comp.Properties, k8sCoreComponentNamespace), | |||
Components: imageComponents, | |||
PackageURL: generatePURL(comp.Name, comp.Version), |
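Review bot: `generatePURL(comp.Name, comp.Version)` on the added line receives the version exactly as the cluster reports it, and the review comments on this hunk give examples that carry a leading `v` and a distribution suffix (`v1.25.4-hotfix.20221216`, `1.24.10-gke.2300`); the hunk does not show where such strings are normalised before advisory matching. Please document (ideally with a unit test on `generatePURL`) how the `v` prefix and the suffix are handled, and avoid silently skipping suffixed versions, since a version found in the cluster is one that is actually running.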
we might need to have special handling for pre-release versions (I mean skip these versions), example:
v1.25.4-hotfix.20221216
or 1.24.10-gke.2300
> we might need to have special handling for pre-release versions (I mean skip these versions) example:

Could you elaborate on why we need to skip pre-release versions? If `trivy k8s` finds the version in the cluster, it means the pre-release version is used in production, doesn't it?
pkg/k8s/scanner/scanner.go (outdated)
@@ -386,7 +390,7 @@ func nodeComponent(nf bom.NodeInfo) *core.Component { | |||
}, | |||
}, | |||
PackageURL: &purl.PackageURL{ | |||
PackageURL: *packageurl.NewPackageURL(golang, "", kubelet, kubeletVersion, packageurl.Qualifiers{}, ""), | |||
PackageURL: *packageurl.NewPackageURL(purl.TypeK8s, "k8s.io", "kubelet", kubeletVersion, packageurl.Qualifiers{}, ""), |
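Review bot: the kubelet purl now uses the namespace `k8s.io`, but the purl-to-type mapping shown later in `pkg/purl/purl.go` recognises only `NamespaceOCP` and the empty namespace (`case "": return ftypes.K8sUpstream`) and returns `TypeUnknown` for everything else, so a kubelet component built here would not be classified as upstream Kubernetes for advisory lookup. Either pass an empty namespace here, consistent with `generatePURL`, or add `k8s.io` to the mapping; a test that round-trips the kubelet purl through the type mapping would catch this divergence.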
ditto
Signed-off-by: chenk <[email protected]>
pkg/purl/purl.go (outdated)
if p.Namespace == "" { | ||
return ftypes.K8sComponent | ||
} | ||
// Cloud k8s distributions, such as EKS, are not supported yet. | ||
return TypeUnknown |
Can you please explain this part? Don't we want to add support for cloud providers in code and just add advisory data later (so we do not need to change code)?
I was unsure how we wanted to match cloud distributions for vulnerabilities. I've added the current idea. Please let me know if you have any feedback.
24f2a8b
pkg/purl/purl.go (outdated)
case NamespaceOCP: | ||
return ftypes.OCP | ||
case "": | ||
return ftypes.Kubernetes |
`ftypes.Kubernetes` is `ConfigType`. Or am I missing something?
return ftypes.Kubernetes | |
return ftypes.K8sUpstream |
You're right.
pkg/k8s/scanner/scanner.go (outdated)
@@ -208,6 +208,17 @@ const ( | |||
func clusterInfoToReportResources(allArtifact []*artifacts.Artifact) (*core.Component, error) { | |||
var coreComponents []*core.Component | |||
var cInfo *core.Component | |||
|
|||
// Find the fist node name to identify AKS cluster |
// Find the fist node name to identify AKS cluster | |
// Find the first node name to identify AKS cluster |
LGTM
namespace = purl.NamespaceOCP | ||
} | ||
return &purl.PackageURL{ | ||
PackageURL: *packageurl.NewPackageURL(purl.TypeK8s, namespace, name, ver, nil, ""), |
nit: not sure if, for now, it will be better to use the option pattern to avoid passing `nil` and empty strings
case "": | ||
return ftypes.K8sUpstream | ||
} | ||
return TypeUnknown |
nit:
case "": | |
return ftypes.K8sUpstream | |
} | |
return TypeUnknown | |
case "": | |
return ftypes.K8sUpstream | |
default: | |
return TypeUnknown | |
} | |
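An added example (not code from this PR or from Trivy) that works through the two points discussed above: splitting a cluster-reported version such as `1.24.10-gke.2300` into its core and distribution suffix, and mapping a k8s purl namespace to a component type with the explicit default case the nit asks for. The constant values, the `gke` namespace and the rule that unrecognised suffixes stay upstream are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)
// Names mirror those discussed in the PR; the values are assumptions for this example.
const (
	NamespaceOCP = "ocp"
	NamespaceGKE = "gke" // hypothetical cloud-distribution namespace
	TypeUnknown  = "unknown"
	K8sUpstream  = "kubernetes"
	OCP          = "openshift"
)

// SplitK8sVersion strips a leading "v" and splits off any pre-release suffix:
// "1.24.10-gke.2300" -> ("1.24.10", "gke.2300").
func SplitK8sVersion(ver string) (core, suffix string) {
	core, suffix, _ = strings.Cut(strings.TrimPrefix(ver, "v"), "-")
	return core, suffix
}

// NamespaceFromVersion derives a distribution namespace from the suffix. Only "gke" is
// recognised (constructed rule); other suffixes such as "hotfix.<date>" stay upstream.
func NamespaceFromVersion(ver string) string {
	_, suffix := SplitK8sVersion(ver)
	if tag, _, _ := strings.Cut(suffix, "."); tag == "gke" {
		return NamespaceGKE
	}
	return ""
}

// ComponentType maps a k8s purl namespace to the type used for advisory lookup.
func ComponentType(namespace string) string {
	switch namespace {
	case NamespaceOCP:
		return OCP
	case "":
		return K8sUpstream
	default:
		return TypeUnknown // cloud distributions are not mapped yet
	}
}

func main() {
	ns := NamespaceFromVersion("1.24.10-gke.2300")
	fmt.Println(ns, ComponentType(ns))
}
```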
Description
Add support for vulnerability detection.
Example
TODO