Can't perform a scan of a Kubernetes cluster: get k8s artifacts error

[chen-keinan]

Discussed in #5547

^{Originally posted by nlamirault November 9, 2023}

Description

I would like to perform a scan of the Kubernetes cluster and i've got an error.

SBOM works fine in this cluster:

$ trivy k8s cluster --format cyclonedx --output kbom.json
2023-11-09T08:00:05.502+0100    INFO    "k8s with --format cyclonedx" disable security scanning

$ trivy sbom kbom.json
2023-11-09T08:00:12.366+0100    INFO    Vulnerability scanning is enabled
2023-11-09T08:00:12.366+0100    INFO    Detected SBOM format: cyclonedx-json
2023-11-09T08:00:12.377+0100    WARN    No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.
2023-11-09T08:00:12.377+0100    WARN    e.g. files under "/lib/apk/db/", "/var/lib/dpkg/" and "/var/lib/rpm"
2023-11-09T08:00:12.377+0100    INFO    Detected OS: ubuntu
2023-11-09T08:00:12.377+0100    WARN    This OS version is not on the EOL list: ubuntu 22.04.3
2023-11-09T08:00:12.377+0100    INFO    Detecting Ubuntu vulnerabilities...
2023-11-09T08:00:12.377+0100    INFO    Number of language-specific files: 3
2023-11-09T08:00:12.377+0100    INFO    Detecting gobinary vulnerabilities...
2023-11-09T08:00:12.379+0100    INFO    Detecting kubernetes vulnerabilities...

kbom.json (ubuntu 22.04.3)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


Kubernetes (kubernetes)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────────┬───────────────────────────────────────────────────────────┐
│    Library     │ Vulnerability │ Severity │ Status │ Installed Version │              Fixed Version               │                           Title                           │
├────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2023-3676 │ HIGH     │ fixed  │ 1.27.5-rc1+k3s1   │ 1.28.1, 1.27.5, 1.26.8, 1.25.13, 1.24.17 │ Insufficient input sanitization on Windows nodes leads to │
│                │               │          │        │                   │                                          │ privilege escalation                                      │
│                │               │          │        │                   │                                          │ https://avd.aquasec.com/nvd/cve-2023-3676                 │
│                ├───────────────┤          │        │                   │                                          ├───────────────────────────────────────────────────────────┤
│                │ CVE-2023-3955 │          │        │                   │                                          │ Insufficient input sanitization on Windows nodes leads to │
│                │               │          │        │                   │                                          │ privilege escalation                                      │
│                │               │          │        │                   │                                          │ https://avd.aquasec.com/nvd/cve-2023-3955                 │
└────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────────────┴───────────────────────────────────────────────────────────┘

But not scanner:

└─ ✗  trivy k8s cluster --scanners vuln --report summary -d
2023-11-09T08:04:54.305+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-09T08:04:54.306+0100    DEBUG   Ignore statuses {"statuses": null}
2023-11-09T08:05:07.027+0100    FATAL   get k8s artifacts error:
    github.com/aquasecurity/trivy/pkg/k8s/commands.clusterRun
        /home/runner/work/trivy/trivy/pkg/k8s/commands/cluster.go:39
  - .spec.template.spec.initContainers accessor error: <nil> is of the type <nil>, expected []interface{}

Desired Behavior

Have a report

Actual Behavior

Trivy have an error (See logs)

Reproduction Steps

1.
2.
3.
...

Target

Kubernetes

Scanner

Vulnerability

Output Format

None

Mode

None

Debug Output

See logs

Operating System

Ubuntu

Version

$ trivy version
Version: 0.47.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-11-09 06:10:37.995807911 +0000 UTC
  NextUpdate: 2023-11-09 12:10:37.99580693 +0000 UTC
  DownloadedAt: 2023-11-09 06:47:27.95129 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-03-22 00:58:27.964412713 +0000 UTC
  NextUpdate: 2023-03-25 00:58:27.964412013 +0000 UTC
  DownloadedAt: 2023-03-22 07:24:57.510968 +0000 UTC

### Checklist

- [ ] Run `trivy image --reset`
- [ ] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)</div>

[chen-keinan]

@nlamirault @mingqing could you please test it with trivy v0.48.0 I think this issue was fixed with it.

[pbtrudel]

Hi,
I have the same issue and using trivy v0.48.1.

trivy version
Version: 0.48.1

trivy k8s cluster --scanners vuln --report summary -d
2023-12-21T15:50:33.098-0500 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-12-21T15:50:33.099-0500 DEBUG Ignore statuses {"statuses": null}
2023-12-21T15:50:40.742-0500 FATAL get k8s artifacts error:
github.com/aquasecurity/trivy/pkg/k8s/commands.clusterRun
/home/runner/work/trivy/trivy/pkg/k8s/commands/cluster.go:43

• .spec.template.spec.initContainers accessor error: is of the type , expected []interface{}

[mingqing]

@nlamirault @mingqing could you please test it with trivy v0.48.0 I think this issue was fixed with it.

Yes, the issue still exists in trivy 0.48.1. You can use this example YAML to validate: #5547 (reply in thread).

[nlamirault]

@chen-keinan same errors using Trivy 0.48.3

[chen-keinan]

@nlamirault creating a fix now aquasecurity/trivy-kubernetes#275 will be included with trivy next release