feat(k8s): add support for vulnerability detection

docs/docs/scanner/vulnerability.md

@@ -5,6 +5,7 @@ The following packages are supported.
 
 - [OS packages](#os-packages)
 - [Language-specific packages](#language-specific-packages)
+- [Kubernetes components](#kubernetes-components)
 
 ## OS Packages
 Trivy is capable of automatically detecting installed OS packages when scanning container images, VM images and running hosts.
@@ -98,6 +99,12 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
 
 [^1]: Intentional delay between vulnerability disclosure and registration in the DB
 
+## Kubernetes components
+See [here](../target/kubernetes.md#vulnerability) for more information on usage.
+
+### Data Sources
+Trivy uses k8s vulnerability advisory published by [official k8s security team][k8s-db]:
+
 ## Database
 Trivy downloads [the vulnerability database](https://github.com/aquasecurity/trivy-db) every 6 hours.
 Trivy uses two types of databases for vulnerability detection:
@@ -180,3 +187,5 @@ Currently, specifying a username and password is not supported.
 [rust-osv]: https://osv.dev/list?q=&ecosystem=crates.io
 
 [nvd]: https://nvd.nist.gov/vuln
+
+[k8s-db]: https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json

docs/docs/target/kubernetes.md

@@ -6,9 +6,9 @@
 ## CLI
 The Trivy K8s CLI allows you to scan your Kubernetes cluster for 
 
-- Vulnerabilities
-- Misconfigurations
-- Secrets
+- [Vulnerabilities](#vulnerability)
+- [Misconfigurations](#misconfigurations)
+- [Secrets](#secrets)
 
 You can either run the CLI locally or integrate it into your CI/CD pipeline.
 The difference to the Trivy CLI is that the Trivy K8s CLI allows you to scan running workloads directly within your cluster.
@@ -344,6 +344,55 @@ Trivy has a native [Kubernetes Operator][operator] which continuously scans your
 [crd]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/
 [trivy-operator]: https://aquasecurity.github.io/trivy-operator/latest
 
+## Scanners
+### Vulnerability
+#### OS packages
+[OS packages](../scanner/vulnerability.md#os-packages) scanning is enabled by default.
+
+#### Language-specific packages
+[Language-specific packages](../scanner/vulnerability.md#language-specific-packages) scanning is enabled by default.
+
+#### Kubernetes components
+Currently only discovery from `KBOM` files is supported for [Kubernetes components](../scanner/vulnerability.md#kubernetes-components).
+
+This means you need to get a report of your cluster in [KBOM format](#kbom).
+After that, scan this file:
+```shell
+$ trivy k8s --format cyclonedx cluster -o kbom.json
+$ trivy sbom kbom.json
+2023-09-28T22:52:25.707+0300    INFO    Vulnerability scanning is enabled
+2023-09-28T22:52:25.707+0300    INFO    Detected SBOM format: cyclonedx-json
+2023-09-28T22:52:25.717+0300    WARN    No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.
+2023-09-28T22:52:25.717+0300    WARN    e.g. files under "/lib/apk/db/", "/var/lib/dpkg/" and "/var/lib/rpm"
+2023-09-28T22:52:25.717+0300    INFO    Detected OS: debian gnu/linux
+2023-09-28T22:52:25.717+0300    WARN    unsupported os : debian gnu/linux
+2023-09-28T22:52:25.717+0300    INFO    Number of language-specific files: 3
+2023-09-28T22:52:25.717+0300    INFO    Detecting kubernetes vulnerabilities...
+2023-09-28T22:52:25.718+0300    INFO    Detecting gobinary vulnerabilities...
+
+Kubernetes (kubernetes)
+
+Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
+┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────────┬──────────────────────────────────────────────────┐
+│    Library     │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version          │                      Title                       │
+├────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────────┼──────────────────────────────────────────────────┤
+│ k8s.io/kubelet │ CVE-2021-25749 │ HIGH     │ fixed  │ 1.24.0            │ 1.22.14, 1.23.11, 1.24.5        │ runAsNonRoot logic bypass for Windows containers │
+│                │                │          │        │                   │                                 │ https://avd.aquasec.com/nvd/cve-2021-25749       │
+│                ├────────────────┼──────────┤        │                   ├─────────────────────────────────┼──────────────────────────────────────────────────┤
+│                │ CVE-2023-2431  │ LOW      │        │                   │ 1.24.14, 1.25.9, 1.26.4, 1.27.1 │ Bypass of seccomp profile enforcement            │
+│                │                │          │        │                   │                                 │ https://avd.aquasec.com/nvd/cve-2023-2431        │
+└────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────────┴──────────────────────────────────────────────────┘
+```
+
+### Misconfigurations
+It is enabled by default.
+See [here](../scanner/misconfiguration/index.md) for the detail.
+
+### Secrets
+It is enabled by default.
+See [here](../scanner/secret.md) for the detail.
+
 ## SBOM
 
 Trivy supports the generation of Kubernetes Bill of Materials (KBOM) for kubernetes cluster control plane components, node components and addons.

go.mod

@@ -23,9 +23,9 @@ require (
 	github.com/aquasecurity/table v1.8.0
 	github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da
 	github.com/aquasecurity/tml v0.6.1
-	github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917
+	github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d
 	github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728
-	github.com/aquasecurity/trivy-kubernetes v0.5.7
+	github.com/aquasecurity/trivy-kubernetes v0.5.8-0.20230928134646-b414e546fe6d
 	github.com/aws/aws-sdk-go v1.45.19
 	github.com/aws/aws-sdk-go-v2 v1.21.0
 	github.com/aws/aws-sdk-go-v2/config v1.18.38
@@ -95,12 +95,12 @@ require (
 	github.com/xeipuuv/gojsonschema v1.2.0
 	github.com/xlab/treeprint v1.2.0
 	go.etcd.io/bbolt v1.3.7
-	go.uber.org/zap v1.25.0
+	go.uber.org/zap v1.26.0
 	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
 	golang.org/x/mod v0.12.0
 	golang.org/x/sync v0.3.0
 	golang.org/x/term v0.12.0
-	golang.org/x/text v0.12.0
+	golang.org/x/text v0.13.0
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
 	google.golang.org/protobuf v1.31.0
 	gopkg.in/yaml.v3 v3.0.1

go.sum

@@ -343,12 +343,12 @@ github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da h1:pj/adfN
 github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da/go.mod h1:852lbQLpK2nCwlR4ZLYIccxYCfoQao6q9Nl6tjz54v8=
 github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
-github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917 h1:MQd7h7yUyA8UlUzhjNMzpUX0NpD7jfxmRfSKwp/Ji3E=
-github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917/go.mod h1:WJ5Qnk5ZNGWvks07GOZe2IOsuXrPfSC5c8hYGOGfrsU=
+github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d h1:fjI9mkoTUAkbGqpzt9nJsO24RAdfG+ZSiLFj0G2jO8c=
+github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d/go.mod h1:cj9/QmD9N3OZnKQMp+/DvdV+ym3HyIkd4e+F0ZM3ZGs=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728 h1:0eS+V7SXHgqoT99tV1mtMW6HL4HdoB9qGLMCb1fZp8A=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
-github.com/aquasecurity/trivy-kubernetes v0.5.7 h1:+tIrSnIkvweL+cuK0SSiYxF8EvKT3Xk1iuE9EWduV+c=
-github.com/aquasecurity/trivy-kubernetes v0.5.7/go.mod h1:e1RaMcs2R/C+eP1Pi7JyhDB7Qn1PNRg5rTVwuJL7AiE=
+github.com/aquasecurity/trivy-kubernetes v0.5.8-0.20230928134646-b414e546fe6d h1:5urHj0NMGflp/M9Ll5QlKfo0Kf6nJ01RED1HRgl0CeE=
+github.com/aquasecurity/trivy-kubernetes v0.5.8-0.20230928134646-b414e546fe6d/go.mod h1:e1RaMcs2R/C+eP1Pi7JyhDB7Qn1PNRg5rTVwuJL7AiE=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
@@ -509,7 +509,6 @@ github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J
 github.com/aws/smithy-go v1.14.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
 github.com/aws/smithy-go v1.14.2 h1:MJU9hqBGbvWZdApzpvoF2WAIJDbtjK2NDJSiJP7HblQ=
 github.com/aws/smithy-go v1.14.2/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
-github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
 github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
@@ -1785,8 +1784,8 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
-go.uber.org/zap v1.25.0 h1:4Hvk6GtkucQ790dqmj7l1eEnRdKm3k3ZUrUMS2d5+5c=
-go.uber.org/zap v1.25.0/go.mod h1:JIAUzQIH94IC4fOJQm7gMmBJP5k7wQfdcnYdPoEXJYk=
+go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
+go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
 golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181009213950-7c1a557ab941/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -2135,8 +2134,8 @@ golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
-golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

integration/sbom_test.go

@@ -58,6 +58,15 @@ func TestSBOM(t *testing.T) {
 			},
 			golden: "testdata/fluentd-multiple-lockfiles.json.golden",
 		},
+		{
+			name: "minikube KBOM",
+			args: args{
+				input:        "testdata/fixtures/sbom/minikube-kbom.json",
+				format:       "json",
+				artifactType: "cyclonedx",
+			},
+			golden: "testdata/minikube-kbom.json.golden",
+		},
 		{
 			name: "centos7 in in-toto attestation",
 			args: args{

integration/testdata/fixtures/db/data-source.yaml

@@ -144,3 +144,8 @@
         ID:   "cbl-mariner"
         Name: "CBL-Mariner Vulnerability Data"
         URL:  "https://github.com/microsoft/CBL-MarinerVulnerabilityData"
+    - key: k8s::Official Kubernetes CVE Feed
+      value:
+        ID:   "k8s"
+        Name: "Official Kubernetes CVE Feed"
+        URL:  "https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json"

integration/testdata/fixtures/db/k8s.yaml

@@ -0,0 +1,16 @@
+- bucket: "k8s::Official Kubernetes CVE Feed"
+  pairs:
+    - bucket: k8s.io/kubelet
+      pairs:
+        - key: CVE-2023-2431
+          value:
+            PatchedVersions:
+              - 1.24.14
+              - 1.25.9
+              - 1.26.4
+              - 1.27.1
+            VulnerableVersions:
+              - "< 1.24.14"
+              - ">= 1.25.0, < 1.25.9"
+              - ">= 1.26.0, < 1.26.4"
+              - ">= 1.27.0, < 1.27.1"

integration/testdata/fixtures/db/vulnerability.yaml

@@ -1037,6 +1037,20 @@
         ghsa: 3.0
         nvd: 3.0
         redhat: 3.0
+  - key: CVE-2023-2431
+    value:
+      Title: "Bypass of seccomp profile enforcement "
+      Description: "A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement..."
+      Severity: LOW
+      VendorSeverity:
+        k8s: 1
+      CVSS:
+        k8s:
+          V3Vector: "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
+          V3Score: 3.4
+      References:
+        - https://github.com/kubernetes/kubernetes/issues/118690
+        - https://www.cve.org/cverecord?id=CVE-2023-2431
   - key: CVE-2021-3712
     value:
       CVSS: