Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: add context to target finding on k8s table view #6099

Merged
merged 3 commits into from
Feb 26, 2024
Merged

fix: add context to target finding on k8s table view #6099

merged 3 commits into from
Feb 26, 2024
+15 −1

Conversation

chen-keinan
Copy link
Contributor

@chen-keinan chen-keinan commented Feb 11, 2024
edited
Loading

Description

add context to Target (namespace/kind/name) finding on k8s table view

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).

example:

Before


k8s.io/apiserver (kubernetes)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌──────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability │ Severity │ Status │ Installed Version │          Fixed Version           │                           Title                           │
├──────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ k8s.io/apiserver │ CVE-2022-3162 │ MEDIUM   │ fixed  │ 1.21.1            │ 1.22.16, 1.23.14, 1.24.8, 1.25.4 │ Unauthorized read of Custom Resources                     │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2022-3162                 │
│                  ├───────────────┤          │        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│                  │ CVE-2023-2727 │          │        │                   │ 1.24.15, 1.25.11, 1.26.6, 1.27.3 │ Bypassing policies imposed by the ImagePolicyWebhook      │
│                  │               │          │        │                   │                                  │ admission plugin                                          │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2727                 │
│                  ├───────────────┤          │        │                   │                                  ├───────────────────────────────────────────────────────────┤
│                  │ CVE-2023-2728 │          │        │                   │                                  │ Bypassing enforce mountable secrets policy imposed by the │
│                  │               │          │        │                   │                                  │ ServiceAccount admission plugin...                        │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2728                 │
└──────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────────────┘

kind-control-plane (kubernetes)

Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────┐
│    Library     │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version           │                       Title                       │
├────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2021-25741 │ HIGH     │ fixed  │ 1.21.1            │ 1.19.16, 1.20.11, 1.21.5, 1.22.1 │ Symlink exchange can allow host filesystem access │
│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2021-25741        │
│                ├────────────────┤          │        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────┤
│                │ CVE-2021-25749 │          │        │                   │ 1.22.14, 1.23.11, 1.24.5         │ runAsNonRoot logic bypass for Windows containers  │
│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2021-25749        │
│                ├────────────────┼──────────┤        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────┤
│                │ CVE-2023-2431  │ LOW      │        │                   │ 1.24.14, 1.25.10, 1.26.5, 1.27.2 │ kubernetes: Bypass of seccomp profile enforcement │
│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2431         │
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────┘

kind-control-plane (gobinary)

Total: 10 (UNKNOWN: 0, LOW: 1, MEDIUM: 7, HIGH: 2, CRITICAL: 0)

┌──────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────────────┬──────────────────────────────────────────────────────────────┐
│             Library              │    Vulnerability    │ Severity │ Status │ Installed Version │     Fixed Version     │                            Title                             │
├──────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/containerd/containerd │ CVE-2021-43816      │ HIGH     │ fixed  │ 1.5.2             │ 1.5.9                 │ containerd: Unprivileged pod may bind mount any privileged   │
│                                  │                     │          │        │                   │                       │ regular file on disk...                                      │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-43816                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2022-23648      │          │        │                   │ 1.4.13, 1.5.10, 1.6.1 │ containerd: insecure handling of image volumes               │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-23648                   │
│                                  ├─────────────────────┼──────────┤        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2021-32760      │ MEDIUM   │        │                   │ 1.4.8, 1.5.4          │ pulling and extracting crafted container image may result in │
│                                  │                     │          │        │                   │                       │ Unix file permission...                                      │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-32760                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2021-41103      │          │        │                   │ 1.4.11, 1.5.7         │ insufficiently restricted permissions on container root and  │
│                                  │                     │          │        │                   │                       │ plugin directories                                           │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-41103                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2022-23471      │          │        │                   │ 1.5.16, 1.6.12        │ containerd is an open source container runtime. A bug was    │
│                                  │                     │          │        │                   │                       │ found in...                                                  │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-23471                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2022-31030      │          │        │                   │ 1.5.13, 1.6.6         │ containerd is an open source container runtime. A bug was    │
│                                  │                     │          │        │                   │                       │ found in...                                                  │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-31030                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-25153      │          │        │                   │ 1.5.18, 1.6.18        │ containerd: OCI image importer memory exhaustion             │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-25153                   │
│                                  ├─────────────────────┤          │        │                   │                       ├──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-25173      │          │        │                   │                       │ containerd: Supplementary groups are not set up properly     │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-25173                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ GHSA-7ww5-4wqc-m92c │          │        │                   │ 1.6.26, 1.7.11        │ containerd allows RAPL to be accessible to a container       │
│                                  │                     │          │        │                   │                       │ https://github.com/advisories/GHSA-7ww5-4wqc-m92c            │
│                                  ├─────────────────────┼──────────┤        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ GHSA-5j5w-g665-5m35 │ LOW      │        │                   │ 1.4.12, 1.5.8         │ Ambiguous OCI manifest parsing                               │
│                                  │                     │          │        │                   │                       │ https://github.com/advisories/GHSA-5j5w-g665-5m35            │
└──────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────────────┴──────────────────────────────────────────────────────────────┘

After

namespace: kube-system, controlplanecomponents: k8s.io/apiserver (kubernetes)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌──────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability │ Severity │ Status │ Installed Version │          Fixed Version           │                           Title                           │
├──────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ k8s.io/apiserver │ CVE-2022-3162 │ MEDIUM   │ fixed  │ 1.21.1            │ 1.22.16, 1.23.14, 1.24.8, 1.25.4 │ Unauthorized read of Custom Resources                     │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2022-3162                 │
│                  ├───────────────┤          │        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│                  │ CVE-2023-2727 │          │        │                   │ 1.24.15, 1.25.11, 1.26.6, 1.27.3 │ Bypassing policies imposed by the ImagePolicyWebhook      │
│                  │               │          │        │                   │                                  │ admission plugin                                          │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2727                 │
│                  ├───────────────┤          │        │                   │                                  ├───────────────────────────────────────────────────────────┤
│                  │ CVE-2023-2728 │          │        │                   │                                  │ Bypassing enforce mountable secrets policy imposed by the │
│                  │               │          │        │                   │                                  │ ServiceAccount admission plugin...                        │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2728                 │
└──────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────────────┘

node: kind-control-plane (kubernetes)

Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────┐
│    Library     │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version           │                       Title                       │
├────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2021-25741 │ HIGH     │ fixed  │ 1.21.1            │ 1.19.16, 1.20.11, 1.21.5, 1.22.1 │ Symlink exchange can allow host filesystem access │
│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2021-25741        │
│                ├────────────────┤          │        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────┤
│                │ CVE-2021-25749 │          │        │                   │ 1.22.14, 1.23.11, 1.24.5         │ runAsNonRoot logic bypass for Windows containers  │
│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2021-25749        │
│                ├────────────────┼──────────┤        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────┤
│                │ CVE-2023-2431  │ LOW      │        │                   │ 1.24.14, 1.25.10, 1.26.5, 1.27.2 │ kubernetes: Bypass of seccomp profile enforcement │
│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2431         │
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────┘

node: kind-control-plane (gobinary)

Total: 10 (UNKNOWN: 0, LOW: 1, MEDIUM: 7, HIGH: 2, CRITICAL: 0)

┌──────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────────────┬──────────────────────────────────────────────────────────────┐
│             Library              │    Vulnerability    │ Severity │ Status │ Installed Version │     Fixed Version     │                            Title                             │
├──────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/containerd/containerd │ CVE-2021-43816      │ HIGH     │ fixed  │ 1.5.2             │ 1.5.9                 │ containerd: Unprivileged pod may bind mount any privileged   │
│                                  │                     │          │        │                   │                       │ regular file on disk...                                      │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-43816                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2022-23648      │          │        │                   │ 1.4.13, 1.5.10, 1.6.1 │ containerd: insecure handling of image volumes               │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-23648                   │
│                                  ├─────────────────────┼──────────┤        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2021-32760      │ MEDIUM   │        │                   │ 1.4.8, 1.5.4          │ pulling and extracting crafted container image may result in │
│                                  │                     │          │        │                   │                       │ Unix file permission...                                      │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-32760                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2021-41103      │          │        │                   │ 1.4.11, 1.5.7         │ insufficiently restricted permissions on container root and  │
│                                  │                     │          │        │                   │                       │ plugin directories                                           │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-41103                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2022-23471      │          │        │                   │ 1.5.16, 1.6.12        │ containerd is an open source container runtime. A bug was    │
│                                  │                     │          │        │                   │                       │ found in...                                                  │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-23471                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2022-31030      │          │        │                   │ 1.5.13, 1.6.6         │ containerd is an open source container runtime. A bug was    │
│                                  │                     │          │        │                   │                       │ found in...                                                  │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-31030                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-25153      │          │        │                   │ 1.5.18, 1.6.18        │ containerd: OCI image importer memory exhaustion             │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-25153                   │
│                                  ├─────────────────────┤          │        │                   │                       ├──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-25173      │          │        │                   │                       │ containerd: Supplementary groups are not set up properly     │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-25173                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ GHSA-7ww5-4wqc-m92c │          │        │                   │ 1.6.26, 1.7.11        │ containerd allows RAPL to be accessible to a container       │
│                                  │                     │          │        │                   │                       │ https://github.com/advisories/GHSA-7ww5-4wqc-m92c            │
│                                  ├─────────────────────┼──────────┤        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ GHSA-5j5w-g665-5m35 │ LOW      │        │                   │ 1.4.12, 1.5.8         │ Ambiguous OCI manifest parsing                               │
│                                  │                     │          │        │                   │                       │ https://github.com/advisories/GHSA-5j5w-g665-5m35            │
└──────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────────────┴──────────────────────────────────────────────────────────────┘

@chen-keinan chen-keinan marked this pull request as ready for review February 11, 2024 09:46
@chen-keinan chen-keinan changed the title fix: add context to Target finding on k8s table view fix: add context to target finding on k8s table view Feb 11, 2024
@chen-keinan chen-keinan marked this pull request as draft February 12, 2024 13:03
@chen-keinan chen-keinan marked this pull request as ready for review February 12, 2024 14:05
@chen-keinan
fix: add context to Target finding on k8s table view
5140cb3 
Signed-off-by: chenk <hen.keinan@gmail.com>
@chen-keinan
fix: add context to target finding on k8s table view
2d879ee 
Signed-off-by: chenk <hen.keinan@gmail.com>
@chen-keinan chen-keinan force-pushed the fix/k8s-report-all-resource-path branch from 91fc9c9 to 2d879ee Compare February 21, 2024 09:19
@chen-keinan
fix/k8s-report-all-resource-path
8b996cd 
Signed-off-by: chenk <hen.keinan@gmail.com>
@knqyf263 knqyf263 removed the request for review from josedonizetti February 21, 2024 11:26
@knqyf263 knqyf263 added this pull request to the merge queue Feb 26, 2024
Merged via the queue into aquasecurity:main with commit 1b7e474 Feb 26, 2024
12 checks passed
@aqua-bot aqua-bot mentioned this pull request May 29, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knqyf263 knqyf263 knqyf263 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add context to target finding on k8s table view
2 participants
@chen-keinan @knqyf263