feat: add k8s vulns #332
Conversation
I have some feedback on vuln-list-k8s.
This should be as below:
    "cvssv3": {
      "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "score": 6.5
    }
The score is calculated based on the vector. They should be put together. Also, CVSS v4 is coming soon.
- Component name
It looks like k8s.io is not only the prefix.
- Affected version
The following affected version is wrong.
The advisory says "secrets-store-csi-driver < 1.3.3", but another advisory says "v1.27.0 - v1.27.1", which means 1.27.0 <= k8s <= 1.27.1. The k8s advisory format is not standardized, unfortunately. We must be aware of "<" or "<=".
OSV defines them differently.
    "events": [ {
      "introduced": string,
      "fixed": string,
      "last_affected": string,
      "limit": string
    } ],
"fixed" is "<", and "last_affected" is "<=". It might be a good idea to adopt the same structure.
I think #338 attempts to add support for |
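The distinction the review draws between an exclusive upper bound (OSV "fixed", i.e. "<") and an inclusive one (OSV "last_affected", i.e. "<=") is easy to get wrong when advisories spell ranges inconsistently. The following Go program is an added illustration written for this page; it is not code from the PR, from Trivy, or from vuln-list-k8s. It assumes only the two range spellings quoted in the comment above ("< 1.3.3" and "v1.27.0 - v1.27.1"), simple dotted numeric versions with an optional "v" prefix (no pre-release tags), and the hypothetical helper names ParseAdvisoryRange and IsAffected.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Event mirrors one OSV "events" entry. At most one of Fixed / LastAffected is set:
// Fixed is an exclusive upper bound (<), LastAffected is inclusive (<=).
type Event struct {
	Introduced   string
	Fixed        string
	LastAffected string
}

// norm strips whitespace and a leading "v" so "v1.27.1" and "1.27.1" compare equal.
func norm(v string) string {
	return strings.TrimPrefix(strings.TrimSpace(v), "v")
}

// parseVersion turns "1.27.1" into numeric components. Pre-release tags are not handled (assumption).
func parseVersion(v string) ([]int, error) {
	parts := strings.Split(norm(v), ".")
	out := make([]int, len(parts))
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("bad version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1; missing trailing components count as 0 (1.27 == 1.27.0).
func compareVersions(a, b []int) int {
	n := len(a)
	if len(b) > n {
		n = len(b)
	}
	for i := 0; i < n; i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// ParseAdvisoryRange converts the two advisory spellings quoted in the thread into an OSV-style event:
//   "< 1.3.3"           -> introduced 0, fixed 1.3.3           (1.3.3 itself is NOT affected)
//   "v1.27.0 - v1.27.1" -> introduced 1.27.0, last_affected 1.27.1 (1.27.1 itself IS affected)
// Anything else is rejected rather than guessed, which is the safer failure mode for vuln data.
func ParseAdvisoryRange(s string) (Event, error) {
	s = strings.TrimSpace(s)
	switch {
	case strings.HasPrefix(s, "<="):
		return Event{Introduced: "0", LastAffected: norm(s[2:])}, nil
	case strings.HasPrefix(s, "<"):
		return Event{Introduced: "0", Fixed: norm(s[1:])}, nil
	case strings.Contains(s, " - "):
		bounds := strings.SplitN(s, " - ", 2)
		return Event{Introduced: norm(bounds[0]), LastAffected: norm(bounds[1])}, nil
	}
	return Event{}, fmt.Errorf("unrecognised range %q", s)
}

// IsAffected reports whether version v lies inside the event, honouring < vs <= on the upper bound.
// An event with neither Fixed nor LastAffected is treated as open-ended (every version from Introduced on).
func IsAffected(e Event, v string) (bool, error) {
	ver, err := parseVersion(v)
	if err != nil {
		return false, err
	}
	lo, err := parseVersion(e.Introduced)
	if err != nil {
		return false, err
	}
	if compareVersions(ver, lo) < 0 {
		return false, nil
	}
	switch {
	case e.Fixed != "":
		hi, err := parseVersion(e.Fixed)
		if err != nil {
			return false, err
		}
		return compareVersions(ver, hi) < 0, nil // exclusive
	case e.LastAffected != "":
		hi, err := parseVersion(e.LastAffected)
		if err != nil {
			return false, err
		}
		return compareVersions(ver, hi) <= 0, nil // inclusive
	}
	return true, nil
}

func main() {
	// Constructed sample ranges taken from the spellings quoted in the review comment.
	for _, s := range []string{"< 1.3.3", "v1.27.0 - v1.27.1"} {
		e, err := ParseAdvisoryRange(s)
		if err != nil {
			fmt.Println(err)
			continue
		}
		for _, v := range []string{"1.3.2", "1.3.3", "1.27.1", "1.27.2"} {
			ok, _ := IsAffected(e, v)
			fmt.Printf("%-20s %-8s affected=%v\n", s, v, ok)
		}
	}
}
```

The point of keeping Fixed and LastAffected as separate fields, rather than collapsing both to a single "upper bound" string, is that the boundary version flips from "not affected" to "affected" depending on which one the advisory meant; a collector that normalises "v1.27.0 - v1.27.1" into "fixed: 1.27.1" would silently report 1.27.1 as safe.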
@knqyf263 all comments have been addressed, please have another look. |
Looks like we need to improve advisories more. I picked up some examples, but I saw many advisories with problems.
- No patched version.
  https://github.com/aquasecurity/vuln-list-k8s/blob/main/k8s/cves/CVE-2018-1002102.json
- The version range seems wrong.
  https://github.com/aquasecurity/vuln-list-k8s/blob/7a48561f95d894417cd493f6c7366d9de206efec/k8s/cves/CVE-2017-1002102.json#L8-L67
  https://github.com/aquasecurity/vuln-list-k8s/blob/7a48561f95d894417cd493f6c7366d9de206efec/k8s/cves/CVE-2018-1002105.json#L8-L156
- No last affected or fixed
  https://github.com/aquasecurity/vuln-list-k8s/blob/main/k8s/cves/CVE-2019-11244.json
  https://github.com/aquasecurity/vuln-list-k8s/blob/main/k8s/cves/CVE-2023-2728.json#L11-L15
- Wrong introduced
  https://github.com/aquasecurity/vuln-list-k8s/blob/main/k8s/cves/CVE-2020-10749.json
@knqyf263 I have fixed the collector and validated all CVEs content. |
@chen-keinan It seems to be challenging to correctly parse the official CVE feed. How did you improve that? |
What I did was to pick the vulnerable versions and CVE data from a more structured (JSON) external vuln source (as appears in the k8s db), so at a high level it's a combination of both |
Can I review the script first? Where is it maintained? The vulnerability data is essential. |
Thanks. I'll take a look after completing all the tasks for v0.45.0. |
@knqyf263 comments have been addressed |
I had this branch on my local computer, but force-push broke it. Any benefits on force-push? Actually, I also used to force-push when rebasing the main branch so that a merge commit won't be created, but I stopped doing that after talking with Simar because we currently use "squash and merge". The merge commit doesn't matter. It is more important to keep the commit history in PR, but please let me know if you have a specific reason. |
Signed-off-by: chenk <hen.keinan@gmail.com>
@DmitriyLewen thanks for the comment, test data has been fixed |
Thanks!
Approved.
We'll review the k8s advisories and merge this PR. |
@chen-keinan What if we skip storing FYI: |
I prefer to keep |
I also think that we can fallback |
Do you mean you have an idea to find |
I did that in vuln-list-k8s. If the advisory says |
I have an idea, but I do not like it; still thinking of a better way. Anyway, I would like to keep the |
Got it. |
Oh, my local branch is broken again. @chen-keinan Did you force-push again for some reason? |
Signed-off-by: knqyf263 <knqyf263@gmail.com>
We discussed a custom type in PURL, and agreed on "k8s". It is better to use the same values. Signed-off-by: knqyf263 <knqyf263@gmail.com>
Description
Feat: add k8s vulns
Related #4029
Related aquasecurity/trivy#5020
Depend on: aquasecurity/vuln-list-update#239