Skip to content

fix(k8s): correct compare artifact versions #8682

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 4, 2025
Merged

fix(k8s): correct compare artifact versions #8682

merged 1 commit into from
Apr 4, 2025

Conversation

afdesk
Copy link
Contributor

@afdesk afdesk commented Apr 4, 2025
edited
Loading

Description

This PR fixes incorrect parsing of image tags and digests for control-plane artifacts.

$ kind delete cluster && kind create cluster --image kindest/node:v1.27.1
$ kubectl wait --for=condition=Ready --all nodes
$ trivy k8s --report summary --scanners vuln --skip-images

Before:

Summary Report for kind-kind

Workload Assessment
┌───────────┬───────────────────────────┬───────────────────┐
│ Namespace │         Resource          │  Vulnerabilities  │
│           │                           ├───┬───┬───┬───┬───┤
│           │                           │ C │ H │ M │ L │ U │
├───────────┼───────────────────────────┼───┼───┼───┼───┼───┤
│           │ Cluster/k8s.io/kubernetes │   │   │ 1 │   │   │
└───────────┴───────────────────────────┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN


Infra Assessment
┌───────────┬─────────────────────────┬───────────────────┐
│ Namespace │        Resource         │  Vulnerabilities  │
│           │                         ├───┬───┬───┬───┬───┤
│           │                         │ C │ H │ M │ L │ U │
├───────────┼─────────────────────────┼───┼───┼───┼───┼───┤
│           │ Node/kind-control-plane │   │ 4 │ 4 │ 1 │   │
└───────────┴─────────────────────────┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

After:

Summary Report for kind-kind

Workload Assessment
┌───────────┬───────────────────────────┬───────────────────┐
│ Namespace │         Resource          │  Vulnerabilities  │
│           │                           ├───┬───┬───┬───┬───┤
│           │                           │ C │ H │ M │ L │ U │
├───────────┼───────────────────────────┼───┼───┼───┼───┼───┤
│           │ Cluster/k8s.io/kubernetes │   │   │ 1 │   │   │
└───────────┴───────────────────────────┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN


Infra Assessment
┌─────────────┬─────────────────────────────────────────┬───────────────────┐
│  Namespace  │                Resource                 │  Vulnerabilities  │
│             │                                         ├───┬───┬───┬───┬───┤
│             │                                         │ C │ H │ M │ L │ U │
├─────────────┼─────────────────────────────────────────┼───┼───┼───┼───┼───┤
│ kube-system │ ControlPlaneComponents/k8s.io/apiserver │   │   │ 2 │ 2 │   │
│             │ Node/kind-control-plane                 │   │ 4 │ 4 │ 1 │   │
└─────────────┴─────────────────────────────────────────┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

KBOM

$ minikube start
$  trivy k8s --format cyclonedx --disable-node-collector | jq '.components[] | select(.name == "go.etcd.io/etcd/v3")'

before:

2025-04-04T16:15:21+06:00       INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2025-04-04T16:15:22+06:00       INFO    Scanning K8s... K8s="minikube"
{
  "bom-ref": "pkg:k8s/go.etcd.io%2Fetcd%2Fv3",
  "type": "application",
  "name": "go.etcd.io/etcd/v3",
  "purl": "pkg:k8s/go.etcd.io%2Fetcd%2Fv3",
  "properties": [
    {
      "name": "aquasecurity:trivy:resource:Name",
      "value": "etcd-minikube"
    },
    {
      "name": "aquasecurity:trivy:resource:Type",
      "value": "controlPlane"
    }
  ]
}

after:

2025-04-04T16:15:09+06:00       INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2025-04-04T16:15:09+06:00       INFO    Scanning K8s... K8s="minikube"
{
  "bom-ref": "pkg:k8s/go.etcd.io%2Fetcd%2Fv3@v3.5.15-0",
  "type": "application",
  "name": "go.etcd.io/etcd/v3",
  "version": "v3.5.15-0",
  "purl": "pkg:k8s/go.etcd.io%2Fetcd%2Fv3@v3.5.15-0",
  "properties": [
    {
      "name": "aquasecurity:trivy:resource:Name",
      "value": "etcd-minikube"
    },
    {
      "name": "aquasecurity:trivy:resource:Type",
      "value": "controlPlane"
    }
  ]
}

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@afdesk afdesk requested a review from simar7 April 4, 2025 09:58
@afdesk afdesk marked this pull request as ready for review April 4, 2025 10:09
@afdesk afdesk requested a review from knqyf263 as a code owner April 4, 2025 10:09
@simar7 simar7 added this pull request to the merge queue Apr 4, 2025
Merged via the queue into aquasecurity:main with commit cc47711 Apr 4, 2025
23 checks passed
@aqua-bot aqua-bot mentioned this pull request Apr 4, 2025
Merged
@afdesk
Copy link
Contributor Author

afdesk commented Apr 8, 2025

@aqua-bot backport release/v0.61

github-actions bot pushed a commit that referenced this pull request Apr 8, 2025
@afdesk @actions-user
fix(k8s): correct compare artifact versions (#8682)
059b9b6
@aqua-bot aqua-bot mentioned this pull request Apr 8, 2025
Closed
@aqua-bot
Copy link
Contributor

aqua-bot commented Apr 8, 2025

Backport PR created: #8697

@afdesk
Copy link
Contributor Author

afdesk commented Apr 8, 2025

@aqua-bot backport release/v0.61

github-actions bot pushed a commit that referenced this pull request Apr 8, 2025
@afdesk @actions-user
fix(k8s): correct compare artifact versions (#8682)
d3d85b7
@aqua-bot aqua-bot mentioned this pull request Apr 8, 2025
Merged
@aqua-bot
Copy link
Contributor

aqua-bot commented Apr 8, 2025

Backport PR created: #8699

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@simar7 simar7 simar7 approved these changes

@knqyf263 knqyf263 Awaiting requested review from knqyf263 knqyf263 is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

bug(k8s): versions are missing in KBOM
3 participants
@afdesk @aqua-bot @simar7