
fix(k8s): add missed option PkgRelationships #8442


Merged (1 commit), Feb 24, 2025
Conversation

afdesk (Contributor) commented Feb 24, 2025

Description

This PR adds a skipped option PkgRelationships.

Reproduction steps

$ kind create cluster --image "kindest/node:v1.25.0"
$ trivy k8s --scanners vuln --skip-images --report all

before

2025-02-24T16:05:17+06:00       INFO    Node scanning is enabled
2025-02-24T16:05:17+06:00       INFO    If you want to disable Node scanning via an in-cluster Job, please try '--disable-node-collector' to disable the Node-Collector job.
2025-02-24T16:05:17+06:00       INFO    Scanning K8s... K8s="kind-kind"

after

2025-02-24T16:05:22+06:00       INFO    Node scanning is enabled
2025-02-24T16:05:22+06:00       INFO    If you want to disable Node scanning via an in-cluster Job, please try '--disable-node-collector' to disable the Node-Collector job.
2025-02-24T16:05:22+06:00       INFO    Scanning K8s... K8s="kind-kind"

namespace: , node: kind-control-plane (kubernetes)

Total: 4 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 3, CRITICAL: 0)

┌────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│    Library     │ Vulnerability │ Severity │ Status │ Installed Version │              Fixed Version               │                            Title                             │
├────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2023-3676 │ HIGH     │ fixed  │ v1.25.0           │ 1.28.1, 1.27.5, 1.26.8, 1.25.13, 1.24.17 │ kubernetes: Insufficient input sanitization on Windows nodes │
│                │               │          │        │                   │                                          │ leads to privilege escalation                                │
│                │               │          │        │                   │                                          │ https://avd.aquasec.com/nvd/cve-2023-3676                    │
│                ├───────────────┤          │        │                   │                                          ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2023-3955 │          │        │                   │                                          │ kubernetes: Insufficient input sanitization on Windows nodes │
│                │               │          │        │                   │                                          │ leads to privilege escalation                                │
│                │               │          │        │                   │                                          │ https://avd.aquasec.com/nvd/cve-2023-3955                    │
│                ├───────────────┤          │        │                   ├──────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                │ CVE-2023-5528 │          │        │                   │ 1.28.4, 1.27.8, 1.26.11, 1.25.16         │ kubernetes: Insufficient input sanitization in in-tree       │
│                │               │          │        │                   │                                          │ storage plugin leads to privilege escalation...              │
│                │               │          │        │                   │                                          │ https://avd.aquasec.com/nvd/cve-2023-5528                    │
│                ├───────────────┼──────────┤        │                   ├──────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                │ CVE-2023-2431 │ LOW      │        │                   │ 1.24.14, 1.25.10, 1.26.5, 1.27.2         │ kubernetes: Bypass of seccomp profile enforcement            │
│                │               │          │        │                   │                                          │ https://avd.aquasec.com/nvd/cve-2023-2431                    │
└────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────────────┴──────────────────────────────────────────────────────────────┘

namespace: , node: kind-control-plane (gobinary)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

┌──────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│             Library              │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├──────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ github.com/containerd/containerd │ CVE-2022-23471      │ MEDIUM   │ fixed  │ v1.6.7            │ 1.5.16, 1.6.12 │ containerd is an open source container runtime. A bug was │
│                                  │                     │          │        │                   │                │ found in...                                               │
│                                  │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2022-23471                │
│                                  ├─────────────────────┤          │        │                   ├────────────────┼───────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-25153      │          │        │                   │ 1.5.18, 1.6.18 │ containerd: OCI image importer memory exhaustion          │
│                                  │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-25153                │
│                                  ├─────────────────────┤          │        │                   │                ├───────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-25173      │          │        │                   │                │ containerd: Supplementary groups are not set up properly  │
│                                  │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-25173                │
│                                  ├─────────────────────┤          │        │                   ├────────────────┼───────────────────────────────────────────────────────────┤
│                                  │ GHSA-7ww5-4wqc-m92c │          │        │                   │ 1.6.26, 1.7.11 │ containerd allows RAPL to be accessible to a container    │
│                                  │                     │          │        │                   │                │ https://github.com/advisories/GHSA-7ww5-4wqc-m92c         │
└──────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options).
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@afdesk afdesk self-assigned this Feb 24, 2025
@afdesk afdesk marked this pull request as ready for review February 24, 2025 13:06
@afdesk afdesk requested a review from simar7 as a code owner February 24, 2025 13:06
@simar7 simar7 added this pull request to the merge queue Feb 24, 2025
Merged via the queue into aquasecurity:main with commit f987e41 Feb 24, 2025
14 checks passed
RingoDev pushed a commit to RingoDev/trivy that referenced this pull request Feb 26, 2025
dstrelbytskyi pushed a commit to datarobot/trivy that referenced this pull request Mar 5, 2025
dstrelbytskyi pushed a commit to datarobot/trivy that referenced this pull request Mar 10, 2025
Successfully merging this pull request may close these issues.

bug(k8s): flag --pkg-relationships missed Kubernetes scanner