bug(k8s): versions are missing in KBOM #8358

@afdesk

Description

Trivy is not accurately identifying the image versions of certain control plane pods in Kubernetes.

For instance, in a Minikube environment, the k8s.gcr.io/etcd:3.5.3-0 image contains the following imageID:

imageID: docker-pullable://k8s.gcr.io/etcd@sha256:13f53ed1d91e2e11aac476ee9a0269fdda6cc4874eba903efd40daf50c55eee5

Such an imageID is detected as sha256:13f53ed1d91e2e11aac476ee9a0269fdda6cc4874eba903efd40daf50c55eee5, and will be skipped as a non-sha256 digest:
https://github.com/aquasecurity/trivy-kubernetes/blob/812ea842831c9f92184993d3810c9d28695e4de1/pkg/k8s/k8s.go#L581-L585

Reproduction steps

There is no version for

$ minikube start
$ trivy k8s --format cyclonedx --disable-node-collector | jq '.components[] | select(.name == "go.etcd.io/etcd/v3")'
2025-02-05T16:41:35+06:00       INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2025-02-05T16:41:35+06:00       INFO    Scanning K8s... K8s="minikube"
{
  "bom-ref": "pkg:k8s/go.etcd.io%2Fetcd%2Fv3",
  "type": "application",
  "name": "go.etcd.io/etcd/v3",
  "purl": "pkg:k8s/go.etcd.io%2Fetcd%2Fv3",
  "properties": [
    {
      "name": "aquasecurity:trivy:resource:Name",
      "value": "etcd-minikube"
    },
    {
      "name": "aquasecurity:trivy:resource:Type",
      "value": "controlPlane"
    }
  ]
}

but it works for kind:

$ kind create cluster
$ trivy k8s --format cyclonedx --disable-node-collector | jq '.components[] | select(.name == "go.etcd.io/etcd/v3")'
2025-02-05T16:43:01+06:00       INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2025-02-05T16:43:01+06:00       INFO    Scanning K8s... K8s="kind-kind"
{
  "bom-ref": "pkg:k8s/go.etcd.io%2Fetcd%2Fv3@v3.5.15-0",
  "type": "application",
  "name": "go.etcd.io/etcd/v3",
  "version": "v3.5.15-0",
  "purl": "pkg:k8s/go.etcd.io%2Fetcd%2Fv3@v3.5.15-0",
  "properties": [
    {
      "name": "aquasecurity:trivy:resource:Name",
      "value": "etcd-kind-control-plane"
    },
    {
      "name": "aquasecurity:trivy:resource:Type",
      "value": "controlPlane"
    }
  ]
}

Discussed in #8348
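The failure described above comes down to how a pod's containerStatuses[].imageID is normalised before its digest is checked. The following is an added example written for this page, not code from Trivy or trivy-kubernetes: it parses the imageID shapes a KBOM builder sees (the runtime-prefixed form quoted in the report, the plain repository@digest form, and a bare digest), validates the digest, and extracts the tag from the container spec's image reference as a separate version signal. The prefix list, the ImageRef type and the function names are assumptions for the example; the sample inputs are constructed and reuse the digest quoted in the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Runtime-specific URI prefixes that kubelet has prepended to pod status
// fields. This list is an assumption for the example, not a complete
// catalogue of what every CRI implementation emits.
var runtimePrefixes = []string{"docker-pullable://", "docker://", "containerd://", "cri-o://"}

// A well-formed sha256 digest as it appears in image references.
var sha256Digest = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// ImageRef is the result of parsing containerStatuses[].imageID (hypothetical type).
type ImageRef struct {
	Repository string // e.g. k8s.gcr.io/etcd; empty when only a digest was reported
	Digest     string // e.g. sha256:13f5...; always validated against sha256Digest
}

// ParseImageID normalises the imageID forms seen in pod status:
//
//	docker-pullable://k8s.gcr.io/etcd@sha256:<hex>  (dockershim, as in the minikube report)
//	k8s.gcr.io/etcd@sha256:<hex>                     (containerd / CRI-O)
//	sha256:<hex>                                     (bare digest)
//
// It returns ok=false only when no well-formed sha256 digest is present,
// which a KBOM builder should surface as "unknown" rather than silently skip.
func ParseImageID(imageID string) (ImageRef, bool) {
	s := strings.TrimSpace(imageID)
	for _, p := range runtimePrefixes {
		if strings.HasPrefix(s, p) {
			s = strings.TrimPrefix(s, p)
			break
		}
	}
	var ref ImageRef
	// Split on the last "@": everything before it is the repository reference.
	if i := strings.LastIndex(s, "@"); i >= 0 {
		ref.Repository, ref.Digest = s[:i], s[i+1:]
	} else {
		ref.Digest = s
	}
	if !sha256Digest.MatchString(ref.Digest) {
		return ImageRef{}, false
	}
	return ref, true
}

// TagFromImage extracts the tag from a container spec's image reference,
// e.g. k8s.gcr.io/etcd:3.5.3-0 -> 3.5.3-0. A registry port (host:5000/img)
// is not mistaken for a tag, and a digest-pinned reference (img@sha256:...)
// carries no tag.
func TagFromImage(image string) string {
	if i := strings.Index(image, "@"); i >= 0 {
		image = image[:i]
	}
	slash := strings.LastIndex(image, "/")
	colon := strings.LastIndex(image, ":")
	if colon > slash {
		return image[colon+1:]
	}
	return ""
}

func main() {
	// Constructed samples: the imageID quoted in the issue plus three other shapes.
	for _, id := range []string{
		"docker-pullable://k8s.gcr.io/etcd@sha256:13f53ed1d91e2e11aac476ee9a0269fdda6cc4874eba903efd40daf50c55eee5",
		"k8s.gcr.io/etcd@sha256:13f53ed1d91e2e11aac476ee9a0269fdda6cc4874eba903efd40daf50c55eee5",
		"sha256:13f53ed1d91e2e11aac476ee9a0269fdda6cc4874eba903efd40daf50c55eee5",
		"docker-pullable://k8s.gcr.io/etcd@md5:deadbeef",
	} {
		ref, ok := ParseImageID(id)
		fmt.Printf("ok=%-5v repo=%-16q digest=%q\n", ok, ref.Repository, ref.Digest)
	}
	fmt.Println("tag:", TagFromImage("k8s.gcr.io/etcd:3.5.3-0"))
}
```

The point of keeping the two signals separate is auditability: the digest from imageID identifies exactly what ran, while the tag from the spec is only what was requested, and a KBOM consumer should be able to tell which of the two a version field came from.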

Metadata

Labels

kind/bug: Categorizes issue or PR as related to a bug.
target/kubernetes: Issues relating to kubernetes cluster scanning.
