Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(k8s): add support for vulnerability detection #5268

Merged
merged 33 commits into from
Oct 14, 2023

Conversation

knqyf263
Copy link
Collaborator

@knqyf263 knqyf263 commented Sep 28, 2023

Description

Add support for vulnerability detection.

Example

$ trivy k8s --format cyclonedx cluster -o kbom.json
$ trivy sbom kbom.json
2023-09-28T22:52:25.707+0300    INFO    Vulnerability scanning is enabled
2023-09-28T22:52:25.707+0300    INFO    Detected SBOM format: cyclonedx-json
2023-09-28T22:52:25.717+0300    WARN    No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.
2023-09-28T22:52:25.717+0300    WARN    e.g. files under "/lib/apk/db/", "/var/lib/dpkg/" and "/var/lib/rpm"
2023-09-28T22:52:25.717+0300    INFO    Detected OS: debian gnu/linux
2023-09-28T22:52:25.717+0300    WARN    unsupported os : debian gnu/linux
2023-09-28T22:52:25.717+0300    INFO    Number of language-specific files: 3
2023-09-28T22:52:25.717+0300    INFO    Detecting kubernetes vulnerabilities...
2023-09-28T22:52:25.718+0300    INFO    Detecting gobinary vulnerabilities...

Kubernetes (kubernetes)

Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────────┬──────────────────────────────────────────────────┐
│    Library     │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version          │                      Title                       │
├────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────────┼──────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2021-25749 │ HIGH     │ fixed  │ 1.24.0            │ 1.22.14, 1.23.11, 1.24.5        │ runAsNonRoot logic bypass for Windows containers │
│                │                │          │        │                   │                                 │ https://avd.aquasec.com/nvd/cve-2021-25749       │
│                ├────────────────┼──────────┤        │                   ├─────────────────────────────────┼──────────────────────────────────────────────────┤
│                │ CVE-2023-2431  │ LOW      │        │                   │ 1.24.14, 1.25.9, 1.26.4, 1.27.1 │ Bypass of seccomp profile enforcement            │
│                │                │          │        │                   │                                 │ https://avd.aquasec.com/nvd/cve-2023-2431        │
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────────┴──────────────────────────────────────────────────┘

TODO

  • Generate PURLs for k8s components
  • Unmarshal KBOM
  • Detect vulnerabilities
  • Fix the OS format (debian gnu/linux)
  • Write tests
  • Write docs

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@knqyf263 knqyf263 self-assigned this Sep 28, 2023
go.mod Outdated
@@ -403,3 +403,5 @@ require (
// oras 1.2.2 is incompatible with github.com/docker/docker v24.0.2
// cf. https://github.com/oras-project/oras-go/pull/527
replace oras.land/oras-go => oras.land/oras-go v1.2.4-0.20230801060855-932dd06d38af

replace github.com/aquasecurity/trivy-db => github.com/chen-keinan/trivy-db v0.0.0-20230927090622-d1e5b3f57a57
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO: refer to aquasecurity/trivy-db

{
"bom-ref": "5262e708-f1a3-4fca-a1c3-0a8384f7f4a5",
"type": "operating-system",
"name": "ubuntu",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I created this KBOM file using Trivy.
Why don't we include OS packages like in table format?

➜  trivy -d k8s cluster --report all
...
registry.k8s.io/kube-proxy:v1.27.4 (debian 11.6)
================================================
Total: 36 (UNKNOWN: 0, LOW: 22, MEDIUM: 12, HIGH: 2, CRITICAL: 0)

@@ -254,6 +256,7 @@ func clusterInfoToReportResources(allArtifact []*artifacts.Artifact) (*core.Comp
Type: cdx.ComponentTypeApplication,
Properties: toProperties(comp.Properties, k8sCoreComponentNamespace),
Components: imageComponents,
PackageURL: generatePURL(comp.Name, comp.Version),
Copy link
Contributor

@chen-keinan chen-keinan Oct 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we might need to have special handling for pre-release versions (I mean skip these versions) example:
v1.25.4-hotfix.20221216 or or 1.24.10-gke.2300

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we might need to have special handling for pre-release versions (I mean skip these versions) example:

Could you elaborate on why we need to skip pre-release versions? If trivy k8s finds the version in the cluster, it means the pre-release version is used in production, doesn't it?

@@ -386,7 +390,7 @@ func nodeComponent(nf bom.NodeInfo) *core.Component {
},
},
PackageURL: &purl.PackageURL{
PackageURL: *packageurl.NewPackageURL(golang, "", kubelet, kubeletVersion, packageurl.Qualifiers{}, ""),
PackageURL: *packageurl.NewPackageURL(purl.TypeK8s, "k8s.io", "kubelet", kubeletVersion, packageurl.Qualifiers{}, ""),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto

@knqyf263 knqyf263 marked this pull request as ready for review October 5, 2023 20:26
docs/docs/target/kubernetes.md Outdated Show resolved Hide resolved
docs/docs/scanner/vulnerability.md Outdated Show resolved Hide resolved
pkg/purl/purl.go Outdated
Comment on lines 148 to 152
if p.Namespace == "" {
return ftypes.K8sComponent
}
// Cloud k8s distributions, such as EKS, are not supported yet.
return TypeUnknown
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you please explain this part ? don't we want to add support for cloud providers in code and just add advisory data later (so we do not need to change code) ?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was unsure how we wanted to match cloud distributions for vulnerabilities. I've added the current idea. Please let me know if you have any feedback.
24f2a8b

@itaysk itaysk mentioned this pull request Oct 11, 2023
6 tasks
pkg/purl/purl.go Outdated
case NamespaceOCP:
return ftypes.OCP
case "":
return ftypes.Kubernetes
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ftypes.Kubernetes is ConfigType. Or am i missing something?

Suggested change
return ftypes.Kubernetes
return ftypes.K8sUpstream

Copy link
Collaborator Author

@knqyf263 knqyf263 Oct 13, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right.

@@ -208,6 +208,17 @@ const (
func clusterInfoToReportResources(allArtifact []*artifacts.Artifact) (*core.Component, error) {
var coreComponents []*core.Component
var cInfo *core.Component

// Find the fist node name to identify AKS cluster
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Find the fist node name to identify AKS cluster
// Find the first node name to identify AKS cluster

Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

namespace = purl.NamespaceOCP
}
return &purl.PackageURL{
PackageURL: *packageurl.NewPackageURL(purl.TypeK8s, namespace, name, ver, nil, ""),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: note sure if for now , it will be better to use option pattern to avoid passing nil and empty strings

Comment on lines +160 to +163
case "":
return ftypes.K8sUpstream
}
return TypeUnknown
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit:

Suggested change
case "":
return ftypes.K8sUpstream
}
return TypeUnknown
case "":
return ftypes.K8sUpstream
default:
return TypeUnknown
}

@knqyf263 knqyf263 added this pull request to the merge queue Oct 14, 2023
Merged via the queue into aquasecurity:main with commit cbbd1ce Oct 14, 2023
17 checks passed
@knqyf263 knqyf263 deleted the k8s_purl branch October 14, 2023 13:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

kbom component matching with k8s vulndb
3 participants