chore: Run trivy scan on git repository and update version #2169
Conversation
JAORMX
changed the title
Codecov Report
@@ Coverage Diff @@
## master #2169 +/- ##
==========================================
- Coverage 54.50% 54.30% -0.20%
==========================================
Files 111 111
Lines 9529 9529
==========================================
- Hits 5194 5175 -19
- Misses 3940 3954 +14
- Partials 395 400 +5
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
.github/workflows/workflow.yaml
Outdated
|
|
||
| - name: Run trivy on git repository | ||
| run: | | ||
| trivy fs --format table --security-checks vuln,config,secret . |
There was a problem hiding this comment.
It looks like this shows a whole bunch of errors for tests, kustomize files, etc. can we exclude those? we'll probably want to run with --exit-code=1 and --ignore-unfixed too (if it applies)
There was a problem hiding this comment.
Thanks for the PR @JAORMX!
Are there other files we want to exclude? e.g. vendor?
There was a problem hiding this comment.
@ritazh it seems that this is already ignoring the vendor directory to some extent. So I don't think setting up extensive ignore rules is needed.
However, in general, it seems this actually caught some issues.
There was a problem hiding this comment.
@JAORMX yarn issues are due to static docs website, they are known but not fixable at this time and obviously don't affect Gatekeeper. is there a setting to ignore those?
There was a problem hiding this comment.
Thanks for looking into this @JAORMX!
@ritazh it seems that this is already ignoring the vendor directory to some extent. So I don't think setting up extensive ignore rules is needed.
Which setting ignores the vendor directory?
However, in general, it seems this actually caught some issues.
Can you give an example of this?
There was a problem hiding this comment.
@ritazh there is no specific setting ignoring the vendor directory; however, this is not an issue as the vulnerability graph would either way take into account the dependencies' vulnerabilities even if there was no vendor directory. I think it's relevant that we still include it as we're only scanning for library vulnerabilities.
The build is failing and you can view the issues from the logs. Here's what's being reported:
go.mod (gomod)
==============
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 1)
┌──────────────────────────────────┬───────────────┬──────────┬─────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────────────────────────┼───────────────┼──────────┼─────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/emicklei/go-restful │ CVE-2022-[19](https://github.com/open-policy-agent/gatekeeper/runs/7395657753?check_suite_focus=true#step:4:20)96 │ CRITICAL │ 2.15.0+incompatible │ v3.8.0 │ go-restful: Authorization Bypass Through User-Controlled Key │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-[20](https://github.com/open-policy-agent/gatekeeper/runs/7395657753?check_suite_focus=true#step:4:21)[22](https://github.com/open-policy-agent/gatekeeper/runs/7395657753?check_suite_focus=true#step:4:23)-1996 │
├──────────────────────────────────┼───────────────┼──────────┼─────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/prometheus/prometheus │ CVE-2019-3826 │ MEDIUM │ 0.35.0 │ v2.7.1 │ prometheus: Stored DOM cross-site scripting (XSS) attack via │
│ │ │ │ │ │ crafted URL │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-38[26](https://github.com/open-policy-agent/gatekeeper/runs/7395657753?check_suite_focus=true#step:4:27) │
└──────────────────────────────────┴───────────────┴──────────┴─────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
website/yarn.lock (yarn)
========================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ got │ CVE-2022-[33](https://github.com/open-policy-agent/gatekeeper/runs/7395657753?check_suite_focus=true#step:4:34)987 │ MEDIUM │ 9.6.0 │ 11.8.5, 12.1.0 │ got: missing verification of requested URLs allows redirects │
│ │ │ │ │ │ to UNIX sockets │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-33987 │
├─────────┼────────────────┼──────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ trim │ CVE-2020-7753 │ HIGH │ 0.0.1 │ 0.0.3 │ Regular Expression Denial of Service in trim │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-7753 │
└─────────┴────────────────┴──────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘
62bb540
to
f636582
Compare
|
Thank you for the updates @JAORMX! One thought for the maintainers: do we want to run |
|
@ritazh the concern I have with only doing scans before releases is that it's very easy to forget to check and just have failing scans. I've seen a lot more success by scanning each PR. |
Thanks @JAORMX! From your experience, how do most maintainers treat the failed vulnerabilities job for PRs? Merge PRs with a failed job or have the PRs blocked until the vulnerability is addressed in a separate PR? |
It depends on the vulnerability. Since we're ignoring unfixed CVEs, normally it's not too difficult to fix the issue. You'd normally just update a dependency and that's it. So the disruption is not as visible. e.g. patches wouldn't be blocked for too long. But yeah, CI would normally be green. There is also the possibility to ignore vulnerabilities via a |
|
@JAORMX can you add yarn ones to ignore list? they are not fixable and do not affect Gatekeeper facebook/docusaurus#6394 (comment) |
|
As discussed in the community call today, let's remove the exit-code so that the failure is not PR blocking for now. Then as a follow up PR we can leverage something like https://github.com/marketplace/actions/create-or-update-comment to add the vulnerability report as a comment similar to the codecov report to provide signals to the maintainers while reduce burden on the PR owner/contributor. |
This uses trivy's filesystem scan [1] to scan the Gatekeeper repository for package vulnerabilities. While doing this, I also updates the trivy version that's being used in the CI job. [1] https://aquasecurity.github.io/trivy/v0.29.2/docs/vulnerability/scanning/filesystem/ Signed-off-by: Juan Antonio Osorio <[email protected]>
|
FYI - I looked at the reported vulnerabilities
Gatekeeper has this because of indirect reference to Kubernetes libraries. Kubernetes does not use the impacted feature. Alert will be resolved when libraries are bumped to 1.25. kubernetes/kubernetes#110518
This one is a false positive. The version we use (v0.35.0) is significantly newer than v2.7.1. It corresponds to Prometheus v2.35.0 due to Go versioning. |
|
How do we want to track these going forward? Do we want to create an issue for each and close them when it's addressed? |
|
@ritazh I'm in the gatekeeper slack channel in case you want to bring this up with the rest of the community. |
What this PR does / why we need it:
This uses trivy's filesystem scan [1] to scan the Gatekeeper repository
for package vulnerabilities, hardcoded secrets and config file issues
(e.g. k8se manifests or other IaC manifests).
While doing this, I also updates the trivy version that's being used in
the CI job.
[1] https://aquasecurity.github.io/trivy/v0.29.2/docs/vulnerability/scanning/filesystem/