Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(k8s): add support for vulnerability detection #5268

Merged
merged 33 commits into from
Oct 14, 2023
Merged

feat(k8s): add support for vulnerability detection #5268

merged 33 commits into from
Oct 14, 2023

Conversation

knqyf263
Copy link
Collaborator

@knqyf263 knqyf263 commented Sep 28, 2023
edited

Description

Add support for vulnerability detection.

Example

$ trivy k8s --format cyclonedx cluster -o kbom.json
$ trivy sbom kbom.json
2023-09-28T22:52:25.707+0300    INFO    Vulnerability scanning is enabled
2023-09-28T22:52:25.707+0300    INFO    Detected SBOM format: cyclonedx-json
2023-09-28T22:52:25.717+0300    WARN    No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.
2023-09-28T22:52:25.717+0300    WARN    e.g. files under "/lib/apk/db/", "/var/lib/dpkg/" and "/var/lib/rpm"
2023-09-28T22:52:25.717+0300    INFO    Detected OS: debian gnu/linux
2023-09-28T22:52:25.717+0300    WARN    unsupported os : debian gnu/linux
2023-09-28T22:52:25.717+0300    INFO    Number of language-specific files: 3
2023-09-28T22:52:25.717+0300    INFO    Detecting kubernetes vulnerabilities...
2023-09-28T22:52:25.718+0300    INFO    Detecting gobinary vulnerabilities...

Kubernetes (kubernetes)

Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────────┬──────────────────────────────────────────────────┐
│    Library     │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version          │                      Title                       │
├────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────────┼──────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2021-25749 │ HIGH     │ fixed  │ 1.24.0            │ 1.22.14, 1.23.11, 1.24.5        │ runAsNonRoot logic bypass for Windows containers │
│                │                │          │        │                   │                                 │ https://avd.aquasec.com/nvd/cve-2021-25749       │
│                ├────────────────┼──────────┤        │                   ├─────────────────────────────────┼──────────────────────────────────────────────────┤
│                │ CVE-2023-2431  │ LOW      │        │                   │ 1.24.14, 1.25.9, 1.26.4, 1.27.1 │ Bypass of seccomp profile enforcement            │
│                │                │          │        │                   │                                 │ https://avd.aquasec.com/nvd/cve-2023-2431        │
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────────┴──────────────────────────────────────────────────┘

TODO

  • Generate PURLs for k8s components
  • Unmarshal KBOM
  • Detect vulnerabilities
  • Fix the OS format (debian gnu/linux)
  • Write tests
  • Write docs

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@knqyf263
chore(deps): bump trivy-kubernetes
a92a5c4 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
chore(deps): replace trivy-db
3bf3125 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263 knqyf263 self-assigned this Sep 28, 2023
knqyf263
knqyf263 commented Sep 28, 2023
View reviewed changes
go.mod Outdated
@@ -403,3 +403,5 @@ require (
// oras 1.2.2 is incompatible with github.com/docker/docker v24.0.2
// cf. https://github.com/oras-project/oras-go/pull/527
replace oras.land/oras-go => oras.land/oras-go v1.2.4-0.20230801060855-932dd06d38af

replace github.com/aquasecurity/trivy-db => github.com/chen-keinan/trivy-db v0.0.0-20230927090622-d1e5b3f57a57
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO: refer to aquasecurity/trivy-db

@knqyf263
fix(purl): skip empty qualifiers
2f0646f 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
refactor(purl): add Class()
8d6275c 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
feat(k8s) add support for vulnerability detection
5e309e6 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
test(k8s): fix PURL for kubelet
7bbd0d0 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@DmitriyLewen DmitriyLewen mentioned this pull request Sep 29, 2023
Closed
8 tasks
DmitriyLewen
DmitriyLewen reviewed Sep 29, 2023
View reviewed changes
pkg/fanal/analyzer/sbom/testdata/kbom.json Outdated
{
"bom-ref": "5262e708-f1a3-4fca-a1c3-0a8384f7f4a5",
"type": "operating-system",
"name": "ubuntu",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I created this KBOM file using Trivy.
Why don't we include OS packages like in table format?

➜  trivy -d k8s cluster --report all
...
registry.k8s.io/kube-proxy:v1.27.4 (debian 11.6)
================================================
Total: 36 (UNKNOWN: 0, LOW: 22, MEDIUM: 12, HIGH: 2, CRITICAL: 0)

chen-keinan
chen-keinan reviewed Oct 3, 2023
View reviewed changes
pkg/k8s/scanner/scanner.go Outdated
@@ -254,6 +256,7 @@ func clusterInfoToReportResources(allArtifact []*artifacts.Artifact) (*core.Comp
Type: cdx.ComponentTypeApplication,
Properties: toProperties(comp.Properties, k8sCoreComponentNamespace),
Components: imageComponents,
PackageURL: generatePURL(comp.Name, comp.Version),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we might need to have special handling for pre-release versions (I mean skip these versions) example:
v1.25.4-hotfix.20221216 or or 1.24.10-gke.2300

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we might need to have special handling for pre-release versions (I mean skip these versions) example:

Could you elaborate on why we need to skip pre-release versions? If trivy k8s finds the version in the cluster, it means the pre-release version is used in production, doesn't it?

pkg/k8s/scanner/scanner.go Outdated
@@ -386,7 +390,7 @@ func nodeComponent(nf bom.NodeInfo) *core.Component {
},
},
PackageURL: &purl.PackageURL{
PackageURL: *packageurl.NewPackageURL(golang, "", kubelet, kubeletVersion, packageurl.Qualifiers{}, ""),
PackageURL: *packageurl.NewPackageURL(purl.TypeK8s, "k8s.io", "kubelet", kubeletVersion, packageurl.Qualifiers{}, ""),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto

chen-keinan and others added 13 commits October 4, 2023 10:53
@chen-keinan
feat: support other k8s vendor purl
0765482 
Signed-off-by: chenk <hen.keinan@gmail.com>
@knqyf263
Merge branch 'main' into k8s_purl
96a64a4
@knqyf263
Merge branch 'main' into k8s_purl
0ef7fba
@knqyf263
Merge branch 'main' into k8s_purl
d6bd096
@chen-keinan
test: multi k8s provider purl
9defd4a 
Signed-off-by: chenk <hen.keinan@gmail.com>
@chen-keinan
test: multi k8s provider purl
a640837 
Signed-off-by: chenk <hen.keinan@gmail.com>
@knqyf263
chore: refer upstream
af27321 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
docs: add a spec for the k8s type
5c9d2d0 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
fix: revert a regression
a0d815d 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
refactor: use strings.Cut
a960978 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
fix: skip cloud k8s distributions
0ef60ec 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
test: fix PURLs
46347bb 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
chore: downgrade to go 1.20
9c35374 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
test(integration): fix k8s PURLs
07365c6 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263 knqyf263 marked this pull request as ready for review October 5, 2023 20:26
chen-keinan
chen-keinan reviewed Oct 6, 2023
View reviewed changes
docs/docs/target/kubernetes.md Outdated Show resolved Hide resolved
docs/docs/scanner/vulnerability.md Outdated Show resolved Hide resolved
pkg/purl/purl.go Outdated
Comment on lines 148 to 152
if p.Namespace == "" {
return ftypes.K8sComponent
}
// Cloud k8s distributions, such as EKS, are not supported yet.
return TypeUnknown
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you please explain this part ? don't we want to add support for cloud providers in code and just add advisory data later (so we do not need to change code) ?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was unsure how we wanted to match cloud distributions for vulnerabilities. I've added the current idea. Please let me know if you have any feedback.
24f2a8b

@itaysk itaysk mentioned this pull request Oct 11, 2023
Merged
6 tasks
DmitriyLewen
DmitriyLewen reviewed Oct 13, 2023
View reviewed changes
pkg/purl/purl.go Outdated
case NamespaceOCP:
return ftypes.OCP
case "":
return ftypes.Kubernetes
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ftypes.Kubernetes is ConfigType. Or am i missing something?

Suggested change
return ftypes.Kubernetes
return ftypes.K8sUpstream

Copy link
Collaborator Author

@knqyf263 knqyf263 Oct 13, 2023
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right.

pkg/k8s/scanner/scanner.go Outdated
@@ -208,6 +208,17 @@ const (
func clusterInfoToReportResources(allArtifact []*artifacts.Artifact) (*core.Component, error) {
var coreComponents []*core.Component
var cInfo *core.Component

// Find the fist node name to identify AKS cluster
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Find the fist node name to identify AKS cluster
// Find the first node name to identify AKS cluster

DmitriyLewen
DmitriyLewen approved these changes Oct 13, 2023
View reviewed changes
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

chen-keinan
chen-keinan reviewed Oct 13, 2023
View reviewed changes
pkg/k8s/scanner/scanner.go
namespace = purl.NamespaceOCP
}
return &purl.PackageURL{
PackageURL: *packageurl.NewPackageURL(purl.TypeK8s, namespace, name, ver, nil, ""),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: note sure if for now , it will be better to use option pattern to avoid passing nil and empty strings

pkg/purl/purl.go
Comment on lines +160 to +163
case "":
return ftypes.K8sUpstream
}
return TypeUnknown
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit:

Suggested change
case "":
return ftypes.K8sUpstream
}
return TypeUnknown
case "":
return ftypes.K8sUpstream
default:
return TypeUnknown
}

@knqyf263 knqyf263 added this pull request to the merge queue Oct 14, 2023
Merged via the queue into aquasecurity:main with commit cbbd1ce Oct 14, 2023
18 checks passed
@knqyf263 knqyf263 deleted the k8s_purl branch October 14, 2023 13:04
@chen-keinan chen-keinan mentioned this pull request Nov 7, 2023
Closed
@aqua-bot aqua-bot mentioned this pull request May 29, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chen-keinan chen-keinan chen-keinan left review comments

@DmitriyLewen DmitriyLewen DmitriyLewen approved these changes

@josedonizetti josedonizetti Awaiting requested review from josedonizetti

Assignees

@knqyf263 knqyf263

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

kbom component matching with k8s vulndb
3 participants
@knqyf263 @chen-keinan @DmitriyLewen