Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add context to target finding on k8s table view #6098

Closed
chen-keinan opened this issue Feb 11, 2024 · 0 comments · Fixed by #6099
Closed

Add context to target finding on k8s table view #6098

chen-keinan opened this issue Feb 11, 2024 · 0 comments · Fixed by #6099
Labels
bug priority/backlog Higher priority than priority/awaiting-more-evidence. target/kubernetes Issues relating to kubernetes cluster scanning
Milestone
v0.50.0

Comments

@chen-keinan
Copy link
Contributor

chen-keinan commented Feb 11, 2024
edited
Loading

it is required to add context to Target finding on k8s table view.
context = namespace/kind/name

example:

Before


k8s.io/apiserver (kubernetes)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌──────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability │ Severity │ Status │ Installed Version │          Fixed Version           │                           Title                           │
├──────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ k8s.io/apiserver │ CVE-2022-3162 │ MEDIUM   │ fixed  │ 1.21.1            │ 1.22.16, 1.23.14, 1.24.8, 1.25.4 │ Unauthorized read of Custom Resources                     │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2022-3162                 │
│                  ├───────────────┤          │        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│                  │ CVE-2023-2727 │          │        │                   │ 1.24.15, 1.25.11, 1.26.6, 1.27.3 │ Bypassing policies imposed by the ImagePolicyWebhook      │
│                  │               │          │        │                   │                                  │ admission plugin                                          │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2727                 │
│                  ├───────────────┤          │        │                   │                                  ├───────────────────────────────────────────────────────────┤
│                  │ CVE-2023-2728 │          │        │                   │                                  │ Bypassing enforce mountable secrets policy imposed by the │
│                  │               │          │        │                   │                                  │ ServiceAccount admission plugin...                        │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2728                 │
└──────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────────────┘

kind-control-plane (kubernetes)

Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────┐
│    Library     │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version           │                       Title                       │
├────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2021-25741 │ HIGH     │ fixed  │ 1.21.1            │ 1.19.16, 1.20.11, 1.21.5, 1.22.1 │ Symlink exchange can allow host filesystem access │
│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2021-25741        │
│                ├────────────────┤          │        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────┤
│                │ CVE-2021-25749 │          │        │                   │ 1.22.14, 1.23.11, 1.24.5         │ runAsNonRoot logic bypass for Windows containers  │
│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2021-25749        │
│                ├────────────────┼──────────┤        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────┤
│                │ CVE-2023-2431  │ LOW      │        │                   │ 1.24.14, 1.25.10, 1.26.5, 1.27.2 │ kubernetes: Bypass of seccomp profile enforcement │
│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2431         │
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────┘

kind-control-plane (gobinary)

Total: 10 (UNKNOWN: 0, LOW: 1, MEDIUM: 7, HIGH: 2, CRITICAL: 0)

┌──────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────────────┬──────────────────────────────────────────────────────────────┐
│             Library              │    Vulnerability    │ Severity │ Status │ Installed Version │     Fixed Version     │                            Title                             │
├──────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/containerd/containerd │ CVE-2021-43816      │ HIGH     │ fixed  │ 1.5.2             │ 1.5.9                 │ containerd: Unprivileged pod may bind mount any privileged   │
│                                  │                     │          │        │                   │                       │ regular file on disk...                                      │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-43816                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2022-23648      │          │        │                   │ 1.4.13, 1.5.10, 1.6.1 │ containerd: insecure handling of image volumes               │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-23648                   │
│                                  ├─────────────────────┼──────────┤        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2021-32760      │ MEDIUM   │        │                   │ 1.4.8, 1.5.4          │ pulling and extracting crafted container image may result in │
│                                  │                     │          │        │                   │                       │ Unix file permission...                                      │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-32760                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2021-41103      │          │        │                   │ 1.4.11, 1.5.7         │ insufficiently restricted permissions on container root and  │
│                                  │                     │          │        │                   │                       │ plugin directories                                           │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-41103                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2022-23471      │          │        │                   │ 1.5.16, 1.6.12        │ containerd is an open source container runtime. A bug was    │
│                                  │                     │          │        │                   │                       │ found in...                                                  │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-23471                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2022-31030      │          │        │                   │ 1.5.13, 1.6.6         │ containerd is an open source container runtime. A bug was    │
│                                  │                     │          │        │                   │                       │ found in...                                                  │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-31030                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-25153      │          │        │                   │ 1.5.18, 1.6.18        │ containerd: OCI image importer memory exhaustion             │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-25153                   │
│                                  ├─────────────────────┤          │        │                   │                       ├──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-25173      │          │        │                   │                       │ containerd: Supplementary groups are not set up properly     │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-25173                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ GHSA-7ww5-4wqc-m92c │          │        │                   │ 1.6.26, 1.7.11        │ containerd allows RAPL to be accessible to a container       │
│                                  │                     │          │        │                   │                       │ https://github.com/advisories/GHSA-7ww5-4wqc-m92c            │
│                                  ├─────────────────────┼──────────┤        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ GHSA-5j5w-g665-5m35 │ LOW      │        │                   │ 1.4.12, 1.5.8         │ Ambiguous OCI manifest parsing                               │
│                                  │                     │          │        │                   │                       │ https://github.com/advisories/GHSA-5j5w-g665-5m35            │
└──────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────────────┴──────────────────────────────────────────────────────────────┘

After

kube-system/controlplanecomponents/k8s.io/apiserver (kubernetes)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌──────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability │ Severity │ Status │ Installed Version │          Fixed Version           │                           Title                           │
├──────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ k8s.io/apiserver │ CVE-2022-3162 │ MEDIUM   │ fixed  │ 1.21.1            │ 1.22.16, 1.23.14, 1.24.8, 1.25.4 │ Unauthorized read of Custom Resources                     │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2022-3162                 │
│                  ├───────────────┤          │        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│                  │ CVE-2023-2727 │          │        │                   │ 1.24.15, 1.25.11, 1.26.6, 1.27.3 │ Bypassing policies imposed by the ImagePolicyWebhook      │
│                  │               │          │        │                   │                                  │ admission plugin                                          │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2727                 │
│                  ├───────────────┤          │        │                   │                                  ├───────────────────────────────────────────────────────────┤
│                  │ CVE-2023-2728 │          │        │                   │                                  │ Bypassing enforce mountable secrets policy imposed by the │
│                  │               │          │        │                   │                                  │ ServiceAccount admission plugin...                        │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2728                 │
└──────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────────────┘

/nodecomponents/kind-control-plane (kubernetes)

Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────┐
│    Library     │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version           │                       Title                       │
├────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2021-25741 │ HIGH     │ fixed  │ 1.21.1            │ 1.19.16, 1.20.11, 1.21.5, 1.22.1 │ Symlink exchange can allow host filesystem access │
│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2021-25741        │
│                ├────────────────┤          │        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────┤
│                │ CVE-2021-25749 │          │        │                   │ 1.22.14, 1.23.11, 1.24.5         │ runAsNonRoot logic bypass for Windows containers  │
│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2021-25749        │
│                ├────────────────┼──────────┤        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────┤
│                │ CVE-2023-2431  │ LOW      │        │                   │ 1.24.14, 1.25.10, 1.26.5, 1.27.2 │ kubernetes: Bypass of seccomp profile enforcement │
│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2431         │
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────┘

/nodecomponents/kind-control-plane (gobinary)

Total: 10 (UNKNOWN: 0, LOW: 1, MEDIUM: 7, HIGH: 2, CRITICAL: 0)

┌──────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────────────┬──────────────────────────────────────────────────────────────┐
│             Library              │    Vulnerability    │ Severity │ Status │ Installed Version │     Fixed Version     │                            Title                             │
├──────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/containerd/containerd │ CVE-2021-43816      │ HIGH     │ fixed  │ 1.5.2             │ 1.5.9                 │ containerd: Unprivileged pod may bind mount any privileged   │
│                                  │                     │          │        │                   │                       │ regular file on disk...                                      │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-43816                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2022-23648      │          │        │                   │ 1.4.13, 1.5.10, 1.6.1 │ containerd: insecure handling of image volumes               │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-23648                   │
│                                  ├─────────────────────┼──────────┤        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2021-32760      │ MEDIUM   │        │                   │ 1.4.8, 1.5.4          │ pulling and extracting crafted container image may result in │
│                                  │                     │          │        │                   │                       │ Unix file permission...                                      │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-32760                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2021-41103      │          │        │                   │ 1.4.11, 1.5.7         │ insufficiently restricted permissions on container root and  │
│                                  │                     │          │        │                   │                       │ plugin directories                                           │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-41103                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2022-23471      │          │        │                   │ 1.5.16, 1.6.12        │ containerd is an open source container runtime. A bug was    │
│                                  │                     │          │        │                   │                       │ found in...                                                  │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-23471                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2022-31030      │          │        │                   │ 1.5.13, 1.6.6         │ containerd is an open source container runtime. A bug was    │
│                                  │                     │          │        │                   │                       │ found in...                                                  │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-31030                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-25153      │          │        │                   │ 1.5.18, 1.6.18        │ containerd: OCI image importer memory exhaustion             │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-25153                   │
│                                  ├─────────────────────┤          │        │                   │                       ├──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-25173      │          │        │                   │                       │ containerd: Supplementary groups are not set up properly     │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-25173                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ GHSA-7ww5-4wqc-m92c │          │        │                   │ 1.6.26, 1.7.11        │ containerd allows RAPL to be accessible to a container       │
│                                  │                     │          │        │                   │                       │ https://github.com/advisories/GHSA-7ww5-4wqc-m92c            │
│                                  ├─────────────────────┼──────────┤        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ GHSA-5j5w-g665-5m35 │ LOW      │        │                   │ 1.4.12, 1.5.8         │ Ambiguous OCI manifest parsing                               │
│                                  │                     │          │        │                   │                       │ https://github.com/advisories/GHSA-5j5w-g665-5m35            │
└──────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────────────┴──────────────────────────────────────────────────────────────┘
@chen-keinan chen-keinan added bug priority/backlog Higher priority than priority/awaiting-more-evidence. target/kubernetes Issues relating to kubernetes cluster scanning labels Feb 11, 2024
@chen-keinan chen-keinan mentioned this issue Feb 11, 2024
Merged
4 tasks
@chen-keinan chen-keinan added this to the v0.50.0 milestone Feb 11, 2024
@chen-keinan chen-keinan changed the title Add context to yarget finding on k8s table view Add context to target finding on k8s table view Feb 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug priority/backlog Higher priority than priority/awaiting-more-evidence. target/kubernetes Issues relating to kubernetes cluster scanning
Projects
None yet
Milestone
v0.50.0
Development

Successfully merging a pull request may close this issue.

fix: add context to target finding on k8s table view chen-keinan/trivy
1 participant
@chen-keinan