trivy-operator
Separator for vulnerabilities in the report
In the vulnerability report there's no separator for found vulnerabilities. Adding a comment sign or whatever between each vuln would make the report a bit easier to read. Currently:
Vulnerabilities:
  Fixed Version:      1.1
  Installed Version:  1.0
  Links:
  Primary Link:       https://avd.aquasec.com/nvd/cve-1-1
  Resource:           asdf
  Score:              1
  Severity:           LOW
  Target:
  Title:              asdf
  Vulnerability ID:   CVE-1-1
  Fixed Version:      1.1
  # all vulnerabilities are listed
I am proposing something like this:
Vulnerabilities:
  Fixed Version:      1.1
  Installed Version:  1.0
  Links:
  Primary Link:       https://avd.aquasec.com/nvd/cve-1-1
  Resource:           asdf
  Score:              1
  Severity:           LOW
  Target:
  Title:              asdf
  Vulnerability ID:   CVE-1-1
  Fixed Version:      1.1
  #
  Fixed Version:      2.0
Perhaps there's even a better solution. Tell me what you think!
@akerge Thanks for the suggestion. But comments are ignored when we apply the resource to k8s. It seems you are using describe to see the report; have you tried kubectl get? In my opinion it looks a little nicer and the separation is easier to understand. E.g.:
$ kubectl get vuln replicaset-orion-66b86c7bff-orion-frontend -o yaml
...
  vulnerabilities:
  - fixedVersion: 1.3.1-1+deb11u1
    installedVersion: 1.3.1-1
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2021-46828
    resource: libtirpc-common
    score: 7.5
    severity: HIGH
    target: ""
    title: 'libtirpc: DoS vulnerability with lots of connections'
    vulnerabilityID: CVE-2021-46828
  - fixedVersion: 1.3.1-1+deb11u1
    installedVersion: 1.3.1-1
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2021-46828
    resource: libtirpc3
    score: 7.5
    severity: HIGH
    target: ""
    title: 'libtirpc: DoS vulnerability with lots of connections'
    vulnerabilityID: CVE-2021-46828
Also, have you considered using k8slens? The report looks real nice on it if you install the trivy-operator extension. https://github.com/aquasecurity/trivy-operator-lens-extension
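A small consumer for the -o json form of the same report that inserts an explicit separator between findings and orders them by severity. This is an added example, not code from the thread or from trivy-operator; it assumes the findings sit under .report.vulnerabilities with the field names shown above, and the embedded sample data is constructed.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get vuln <name> -o json`.
# Assumption: findings live under .report.vulnerabilities with the field names
# shown in the thread; the CVE-0000-* ids and values below are made up for the demo.
SAMPLE_REPORT = json.dumps({"report": {"vulnerabilities": [
    {"vulnerabilityID": "CVE-2021-46828", "resource": "libtirpc3",
     "installedVersion": "1.3.1-1", "fixedVersion": "1.3.1-1+deb11u1",
     "severity": "HIGH", "score": 7.5,
     "primaryLink": "https://avd.aquasec.com/nvd/cve-2021-46828",
     "title": "libtirpc: DoS vulnerability with lots of connections"},
    {"vulnerabilityID": "CVE-0000-0001", "resource": "example-lib",
     "installedVersion": "1.0", "fixedVersion": "", "severity": "LOW",
     "score": 1.0, "primaryLink": "https://example.invalid/cve-0000-0001",
     "title": "constructed finding with no fix available"},
    {"vulnerabilityID": "CVE-0000-0002", "resource": "example-lib",
     "installedVersion": "1.0", "fixedVersion": "1.1", "severity": "CRITICAL",
     "score": 9.8, "primaryLink": "https://example.invalid/cve-0000-0002",
     "title": "constructed critical finding"},
]}})

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}


def sorted_findings(report_json):
    """Parse the report and order findings by severity, then by score descending."""
    vulns = json.loads(report_json).get("report", {}).get("vulnerabilities", [])
    return sorted(vulns, key=lambda v: (SEVERITY_ORDER.get(v.get("severity"), 4),
                                        -float(v.get("score") or 0)))


def render(report_json, separator="-" * 60):
    """Emit one block per finding with an explicit separator line between blocks."""
    blocks = []
    for v in sorted_findings(report_json):
        fix = v.get("fixedVersion") or "(no fix available)"  # empty string in the CRD
        blocks.append("\n".join([
            f"{v['vulnerabilityID']}  [{v['severity']}, score {v.get('score', '?')}]",
            f"  resource:  {v['resource']}",
            f"  installed: {v['installedVersion']}  fixed: {fix}",
            f"  title:     {v.get('title', '')}",
            f"  link:      {v.get('primaryLink', '')}",
        ]))
    return f"\n{separator}\n".join(blocks)


if __name__ == "__main__":
    # Pipe `kubectl get vuln <name> -o json` into this script, or run it bare for the sample.
    print(render(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT))
```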
Thanks, it is nicer with get vuln <crd> -o yaml!
The separator itself is trivial. The findings with kubectl describe clusterrbacassessmentreports.aquasecurity.github.io do have empty lines between them. Something similar would be nice :)
--- 8x ---
Report:
  Checks:
    Category:     Kubernetes Security Check
    Check ID:     KSV053
    Description:  Check whether role permits getting shell on pods
    Messages:

    Severity:     HIGH
    Success:
    Title:        Do not allow getting shell on pods
    Category:     Kubernetes Security Check
    Check ID:     KSV044
    Description:  Check whether role permits wildcard verb on wildcard resource
    Messages:

    Severity:     CRITICAL
    Success:
--- 8x ---
Regarding Lens, I've tried it recently and it wanted to register account to use it and that was too much.
@akerge The Messages separation is accidental because this field is empty in the report. If there was one it would look like:
    Severity:     HIGH
    Success:      true
    Title:        Do not allow privilege escalation from node proxy
    Category:     Kubernetes Security Check
    Check ID:     KSV048
    Description:  Check whether role permits update/create of a malicious pod
    Messages:
      Role permits create/update of a malicious pod
    Severity:     HIGH
    Success:      false
    Title:        Do not allow update/create of a malicious pod
    Category:     Kubernetes Security Check
    Check ID:     KSV045
    Description:  Check whether role permits wildcard verb on specific resources
This issue is stale because it has been labeled with inactivity.
Thank you for your input! Closing ticket as it has become a non-issue.