
feat: config outdated-api result filtered by k8s version #3578

Merged
merged 5 commits into from
Feb 22, 2023

Conversation

chen-keinan (Contributor) commented Feb 8, 2023

Signed-off-by: chenk hen.keinan@gmail.com

Description

Related issues

PRs

Checklist

Usage example, affected k8s version:

trivy config ~/data/input.json --skip-policy-update  --k8s-version=1.22.0
2023-02-08T18:00:49.111+0200  INFO  Misconfiguration scanning is enabled
2023-02-08T18:00:49.111+0200  INFO  No downloadable policies were loaded as --skip-policy-update is enabled
2023-02-08T18:00:49.725+0200  INFO  Detected config files: 1

input.json (kubernetes)

Tests: 145 (SUCCESSES: 144, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

LOW: apiVersion 'batch/v1beta1' and kind 'CronJob' should be replaced with the new API 'batch.v1.CronJob'
See https://github.com/kubernetes/kubernetes/tree/master/staging/src/k8s.io/api/batch/v1beta1/zz_generated.prerelease-lifecycle.go
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
apiVersion 'batch/v1beta1' and kind 'CronJob' has been deprecated on: 'v1.21' and planned for removal on: 'v1.25'

See https://github.com/kubernetes/kubernetes/tree/master/staging/src/k8s.io/api/batch/v1beta1/zz_generated.prerelease-lifecycle.go
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 input.json:1-5
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 ┌ {
   2 │     "apiVersion": "batch/v1beta1",
   3 │     "kind": "CronJob",
   4 │     "metadata": {
   5 └         "name": "pi"
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Example of a non-affected k8s version:

trivy config ~/data/input.json --skip-policy-update  --k8s-version=1.20.0
2023-02-08T18:00:42.276+0200	INFO	Misconfiguration scanning is enabled
2023-02-08T18:00:42.276+0200	INFO	No downloadable policies were loaded as --skip-policy-update is enabled
2023-02-08T18:00:42.891+0200	INFO	Detected config files: 1

./main config ~/data/input.json --skip-policy-update  --k8s-version=1.21.0
2023-02-08T18:00:46.008+0200	INFO	Misconfiguration scanning is enabled
2023-02-08T18:00:46.008+0200	INFO	No downloadable policies were loaded as --skip-policy-update is enabled
2023-02-08T18:00:46.624+0200	INFO	Detected config files: 1

input.json (kubernetes)

Tests: 145 (SUCCESSES: 144, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

where ~/data/input.json is:

{
    "apiVersion": "batch/v1beta1",
    "kind": "CronJob",
    "metadata": {
        "name": "pi"
    },
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {
                        "name": "pi",
                        "image": "perl:5.34.0",
                        "command": [
                            "perl",
                            "-Mbignum=bpi",
                            "-wle",
                            "print bpi(2000)"
                        ]
                    }
                ],
                "restartPolicy": "Never"
            }
        },
        "backoffLimit": 4
    }
}
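The version-aware filtering this PR describes, as an added example in Go that is not Trivy's or defsec's own code: a manifest's apiVersion and kind are looked up in a small lifecycle table (only the batch/v1beta1 CronJob entry from the scan output above, deprecated in v1.21 and planned for removal in v1.25) and compared against the --k8s-version target, so that 1.20.0 yields nothing, 1.21.0 and 1.22.0 yield a deprecation finding, and 1.25.0 and later report the API as already removed. The Status type, the outdated table, parseVersion and Check are this example's own names, and treating an empty target version as "report every known outdated API" is an assumption made here, not Trivy's documented behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Status is the outcome of checking one manifest against a target cluster version.
type Status int

const (
	Current    Status = iota // still served, nothing to report
	Deprecated               // deprecated on the target version but still served
	Removed                  // no longer served on the target version
)

func (s Status) String() string { return [...]string{"current", "deprecated", "removed"}[s] }

// lifecycle mirrors the per-API prerelease-lifecycle data that Kubernetes generates
// upstream: the (major, minor) version an API was deprecated in and the one it is removed in.
type lifecycle struct {
	Replacement  string
	DeprecatedIn [2]int
	RemovedIn    [2]int
}

// outdated is keyed by "<apiVersion>/<Kind>". Only the entry visible in the scan output
// above is included; a full table would be generated from zz_generated.prerelease-lifecycle.go.
var outdated = map[string]lifecycle{
	"batch/v1beta1/CronJob": {Replacement: "batch/v1.CronJob", DeprecatedIn: [2]int{1, 21}, RemovedIn: [2]int{1, 25}},
}

// parseVersion accepts "1.22.0", "v1.22.0" or "1.22" and returns major and minor;
// the patch level never changes which APIs a cluster serves, so it is ignored.
func parseVersion(v string) (int, int, error) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(v), "v"), ".")
	if len(parts) < 2 {
		return 0, 0, fmt.Errorf("invalid k8s version %q", v)
	}
	major, errMajor := strconv.Atoi(parts[0])
	minor, errMinor := strconv.Atoi(parts[1])
	if errMajor != nil || errMinor != nil {
		return 0, 0, fmt.Errorf("invalid k8s version %q", v)
	}
	return major, minor, nil
}

// atLeast reports whether major.minor >= want.
func atLeast(major, minor int, want [2]int) bool {
	if major != want[0] {
		return major > want[0]
	}
	return minor >= want[1]
}

// Check reads apiVersion and kind from a JSON manifest and classifies it for the target
// version. An empty version means the target is unknown; this example then reports every
// known outdated API as deprecated rather than silently filtering it out (an assumption).
func Check(manifest []byte, k8sVersion string) (Status, string, error) {
	var obj struct {
		APIVersion string `json:"apiVersion"`
		Kind       string `json:"kind"`
	}
	if err := json.Unmarshal(manifest, &obj); err != nil {
		return Current, "", fmt.Errorf("parse manifest: %w", err)
	}
	lc, known := outdated[obj.APIVersion+"/"+obj.Kind]
	if !known {
		return Current, "", nil
	}
	ref := fmt.Sprintf("apiVersion '%s' and kind '%s'", obj.APIVersion, obj.Kind)
	if k8sVersion == "" {
		return Deprecated, fmt.Sprintf("%s is deprecated; replace with '%s'", ref, lc.Replacement), nil
	}
	major, minor, err := parseVersion(k8sVersion)
	if err != nil {
		return Current, "", err
	}
	switch {
	case atLeast(major, minor, lc.RemovedIn):
		return Removed, fmt.Sprintf("%s is not served on v%d.%d (removed in v%d.%d); replace with '%s'", ref, major, minor, lc.RemovedIn[0], lc.RemovedIn[1], lc.Replacement), nil
	case atLeast(major, minor, lc.DeprecatedIn):
		return Deprecated, fmt.Sprintf("%s has been deprecated on v%d.%d and planned for removal on v%d.%d; replace with '%s'", ref, lc.DeprecatedIn[0], lc.DeprecatedIn[1], lc.RemovedIn[0], lc.RemovedIn[1], lc.Replacement), nil
	}
	return Current, "", nil
}

// cronJob is the manifest from the PR description, trimmed to the fields the check reads.
var cronJob = []byte(`{"apiVersion": "batch/v1beta1", "kind": "CronJob", "metadata": {"name": "pi"}}`)

func main() {
	for _, v := range []string{"1.20.0", "1.21.0", "1.22.0", "1.25.0", ""} {
		st, msg, err := Check(cronJob, v)
		fmt.Printf("--k8s-version=%q -> %s: %s %v\n", v, st, msg, err)
	}
}
```

Running it with `go run .` prints one classification per target version. The split between "deprecated" and "removed" is the part worth keeping when adapting this: a CronJob on batch/v1beta1 still applies cleanly to a 1.22 cluster, but the same manifest is rejected outright by the API server on 1.25, so the finding against the cluster you actually run should be treated differently from the one against a cluster you have not upgraded yet.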

chen-keinan (Contributor, Author) commented Feb 8, 2023

Depend on DefSec PR and DefSec Tag > v0.82.9

knqyf263 (Collaborator) commented

> Depend on aquasecurity/defsec#1165 and DefSec Tag > v0.82.9

Is it ready now?

itaysk (Contributor) commented Feb 16, 2023

Great!
Very small nit: this is a feat, not a fix (commit message).

chen-keinan (Contributor, Author) commented

> Great! Very small nit: this is a feat, not a fix (commit message).

Fixed.

chen-keinan (Contributor, Author) commented Feb 19, 2023

> Depend on aquasecurity/defsec#1165 and DefSec Tag > v0.82.9
>
> Is it ready now?

@knqyf263 yes, it's ready; we just need to make sure a new defsec package is distributed before trivy v0.38.0 is released (so trivy can download the updated policy). This shouldn't hold this PR.

Review comment on pkg/flag/misconf_flags.go (outdated, resolved)
chen-keinan (Contributor, Author) commented

@knqyf263 comments have been addressed.

@knqyf263 knqyf263 changed the title fix: config outdated-api result filtered by k8s version feat: config outdated-api result filtered by k8s version Feb 20, 2023
Signed-off-by: chenk <hen.keinan@gmail.com>
chen-keinan (Contributor, Author) commented

@knqyf263 PR is updated with the latest defsec and tested locally; looks good.

knqyf263 (Collaborator) commented

Nice! I've added one more commit.

@knqyf263 knqyf263 merged commit 92eaf63 into aquasecurity:main Feb 22, 2023
atombrella pushed a commit to atombrella/trivy that referenced this pull request Mar 25, 2023
…y#3578)

Signed-off-by: chenk <hen.keinan@gmail.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
Development

Successfully merging this pull request may close these issues.

K8s deprecation evaluation should take under consideration the k8s version
3 participants