Unexpected JSON output when `--report summary` is set in `trivy k8s` for multi-container workloads
Discussed in https://github.com/aquasecurity/trivy/discussions/5886
Originally posted by matheusfm January 5, 2024
Description
The command `trivy k8s` returns unexpected JSON for multi-container workloads when `--report summary` is provided.
Desired Behavior
The expected output is separate items for each image, just as it is returned when the `--report summary` flag is not provided.
Actual Behavior
Currently, results from different images are returned together when the `--report summary` flag is provided, and the second image's metadata are not returned.
Reproduction Steps
1. kind create cluster
2. # apply a sample multi-container workload
cat << EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  labels:
    app: app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      name: app
      labels:
        app: app
    spec:
      containers:
        - name: c1
          image: nginx
          imagePullPolicy: IfNotPresent
        - name: c2
          image: alpine
          imagePullPolicy: IfNotPresent
          command: [ "watch" ]
          args: [ "ls" ]
      restartPolicy: Always
EOF
3. trivy k8s --scanners vuln -f json -o /tmp/app-results.json deploy app
4. trivy k8s --scanners vuln -f json -o /tmp/app-summary-results.json --report summary deploy app
5. trivy k8s --all-namespaces --scanners=vuln -f json -o /tmp/cluster-results.json cluster
6. trivy k8s --all-namespaces --scanners=vuln -f json -o /tmp/summary-results.json --report summary cluster
Target
Kubernetes
Scanner
Vulnerability
Output Format
JSON
Mode
Standalone
Debug Output
2024-01-05T18:08:10.900-0300 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-01-05T18:08:10.902-0300 DEBUG Ignore statuses {"statuses": null}
2024-01-05T18:08:10.950-0300 DEBUG cache dir: /home/matheusfm/.cache/trivy
2024-01-05T18:08:10.950-0300 DEBUG DB update was skipped because the local DB is the latest
2024-01-05T18:08:10.950-0300 DEBUG DB Schema: 2, UpdatedAt: 2024-01-05 18:12:41.971420099 +0000 UTC, NextUpdate: 2024-01-06 00:12:41.971419839 +0000 UTC, DownloadedAt: 2024-01-05 20:00:22.211571763 +0000 UTC
1 / 1 [---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s
Operating System
linux ubuntu
Version
Version: 0.48.2
Vulnerability DB:
Version: 2
UpdatedAt: 2024-01-05 18:12:41.971420099 +0000 UTC
NextUpdate: 2024-01-06 00:12:41.971419839 +0000 UTC
DownloadedAt: 2024-01-05 20:00:22.211571763 +0000 UTC
Java DB:
Version: 1
UpdatedAt: 2024-01-04 00:49:07.45555807 +0000 UTC
NextUpdate: 2024-01-07 00:49:07.45555793 +0000 UTC
DownloadedAt: 2024-01-04 18:21:12.669585263 +0000 UTC
Checklist
- [X] Run `trivy image --reset`
- [X] Read the troubleshooting
@chen-keinan I've opened a PR to propose a potential fix. Appreciate your feedback on whether this approach works 🙂
@chen-keinan I'm curious about the RepoTags field in Metadata being an array. Could you share in what scenario there might be multiple RepoTags?
{
  "ClusterName": "",
  "Findings": [
    {
      "Namespace": "default",
      "Kind": "Pod",
      "Name": "nginx-fluentd-pod",
      "Metadata": {
        "OS": {
          "Family": "debian",
          "Name": "12.6"
        },
        "RepoTags": [
          "nginx:latest"
        ],
        "DiffIDs": []
      },
      "Results": [
        {
          "Target": "nginx:latest (debian 12.6)",
          "Class": "os-pkgs",
          "Type": "debian",
          "Packages": [],
          "Vulnerabilities": []
        },
        {
          "Target": "fluent/fluentd:v1.17-armhf-debian (debian 12.6)",
          "Class": "os-pkgs",
          "Type": "debian",
          "Packages": [],
          "Vulnerabilities": []
        },
        {
          "Target": "Ruby",
          "Class": "lang-pkgs",
          "Type": "gemspec",
          "Packages": [],
          "Vulnerabilities": []
        }
      ]
    }
  ]
}
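A consumer-side check for the merged summary output shown in this thread, as an added example that is not part of the original issue or of Trivy's code. It flags findings whose `os-pkgs` results name an image that `Metadata.RepoTags` does not list. The function name, the `single` pod in the sample, and the assumption that `os-pkgs` targets have the form `<image> (<os> <version>)` are constructed from the JSON above.

```python
import json
import re

# Constructed sample: the first finding is trimmed from the JSON quoted in the
# thread; the second ("single") is a made-up single-container pod for contrast.
SAMPLE = json.loads("""
{"ClusterName": "", "Findings": [
  {"Namespace": "default", "Kind": "Pod", "Name": "nginx-fluentd-pod",
   "Metadata": {"OS": {"Family": "debian", "Name": "12.6"}, "RepoTags": ["nginx:latest"]},
   "Results": [
     {"Target": "nginx:latest (debian 12.6)", "Class": "os-pkgs", "Type": "debian"},
     {"Target": "fluent/fluentd:v1.17-armhf-debian (debian 12.6)", "Class": "os-pkgs", "Type": "debian"},
     {"Target": "Ruby", "Class": "lang-pkgs", "Type": "gemspec"}]},
  {"Namespace": "default", "Kind": "Pod", "Name": "single",
   "Metadata": {"RepoTags": ["alpine:3.19"]},
   "Results": [{"Target": "alpine:3.19 (alpine 3.19.0)", "Class": "os-pkgs", "Type": "alpine"}]}
]}
""")

# Assumption taken from the sample: os-pkgs targets look like "<image> (<os> <version>)".
OS_TARGET = re.compile(r"^(?P<image>\S+) \([^)]*\)$")


def merged_findings(report):
    """Return findings whose os-pkgs results cover images absent from Metadata.RepoTags."""
    problems = []
    for finding in report.get("Findings") or []:
        tags = set((finding.get("Metadata") or {}).get("RepoTags") or [])
        images = []
        for result in finding.get("Results") or []:
            if result.get("Class") != "os-pkgs":
                continue  # lang-pkgs targets such as "Ruby" name no image at all
            match = OS_TARGET.match(result.get("Target", ""))
            if match and match.group("image") not in images:
                images.append(match.group("image"))
        orphans = [image for image in images if image not in tags]
        if orphans:
            problems.append({
                "workload": "/".join(str(finding.get(k)) for k in ("Namespace", "Kind", "Name")),
                "repo_tags": sorted(tags),
                "unattributed_images": orphans,
            })
    return problems


if __name__ == "__main__":
    for problem in merged_findings(SAMPLE):
        print(json.dumps(problem))
```

A flagged finding means its `Metadata` block and any `lang-pkgs` results cannot be attributed to one image, so per-image gating on that report is unreliable.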