
bug(k8s): versions are missing in KBOM #8358

Open

afdesk opened this issue Feb 5, 2025 · 0 comments
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. target/kubernetes Issues relating to kubernetes cluster scanning

Comments

@afdesk
Contributor

afdesk commented Feb 5, 2025

Description

Trivy is not accurately identifying the image versions of certain control plane pods in Kubernetes.

For instance, in a Minikube environment, the k8s.gcr.io/etcd:3.5.3-0 image has the following imageID:

imageID: docker-pullable://k8s.gcr.io/etcd@sha256:13f53ed1d91e2e11aac476ee9a0269fdda6cc4874eba903efd40daf50c55eee5

Such an imageID is detected as sha256:13f53ed1d91e2e11aac476ee9a0269fdda6cc4874eba903efd40daf50c55eee5 and is skipped as a non-sha256 digest:
https://github.com/aquasecurity/trivy-kubernetes/blob/812ea842831c9f92184993d3810c9d28695e4de1/pkg/k8s/k8s.go#L581-L585

Reproduction steps

There is no version for minikube:

$ minikube start
$ trivy k8s --format cyclonedx --disable-node-collector | jq '.components[] | select(.name == "go.etcd.io/etcd/v3")'
2025-02-05T16:41:35+06:00       INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2025-02-05T16:41:35+06:00       INFO    Scanning K8s... K8s="minikube"
{
  "bom-ref": "pkg:k8s/go.etcd.io%2Fetcd%2Fv3",
  "type": "application",
  "name": "go.etcd.io/etcd/v3",
  "purl": "pkg:k8s/go.etcd.io%2Fetcd%2Fv3",
  "properties": [
    {
      "name": "aquasecurity:trivy:resource:Name",
      "value": "etcd-minikube"
    },
    {
      "name": "aquasecurity:trivy:resource:Type",
      "value": "controlPlane"
    }
  ]
}

but it works for kind:

$ kind create cluster
$ trivy k8s --format cyclonedx --disable-node-collector | jq '.components[] | select(.name == "go.etcd.io/etcd/v3")'
2025-02-05T16:43:01+06:00       INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2025-02-05T16:43:01+06:00       INFO    Scanning K8s... K8s="kind-kind"
{
  "bom-ref": "pkg:k8s/go.etcd.io%2Fetcd%[email protected]",
  "type": "application",
  "name": "go.etcd.io/etcd/v3",
  "version": "v3.5.15-0",
  "purl": "pkg:k8s/go.etcd.io%2Fetcd%[email protected]",
  "properties": [
    {
      "name": "aquasecurity:trivy:resource:Name",
      "value": "etcd-kind-control-plane"
    },
    {
      "name": "aquasecurity:trivy:resource:Type",
      "value": "controlPlane"
    }
  ]
}

Discussed in #8348
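The imageID normalization the issue describes, as an added example in Go that is not trivy-kubernetes's own code. The `docker-pullable://` prefix and the `repo@sha256:...` form come from the issue; the other runtime prefixes, the leading-"v" version convention (mirrored from the `v3.5.15-0` in the kind output), and the sample containerStatus pairs are assumptions made for illustration. The point it demonstrates is that a wrapper around the digest should be stripped before the sha256 check, and that a failed digest check should not drop the version that the image tag already provides.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ImageRef is what a KBOM component needs from one containerStatus entry:
// the repository, the version derived from the tag, and the content digest.
type ImageRef struct {
	Repository string // e.g. k8s.gcr.io/etcd
	Tag        string // e.g. 3.5.3-0 (empty when the image is pinned by digest only)
	Version    string // tag with a leading "v", mirroring the v3.5.15-0 form in the kind output (assumed convention)
	Digest     string // e.g. sha256:<64 hex>, empty when no digest could be recovered
}

var sha256Digest = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// Runtime-specific prefixes that kubelet copies into status.containerStatuses[].imageID.
// docker-pullable:// is the one quoted in the issue; the others are assumed for illustration.
var runtimePrefixes = []string{"docker-pullable://", "docker://", "containerd://", "cri-o://"}

// ParseImageID extracts the sha256 digest from an imageID, whatever wrapper the
// runtime put around it: a bare "sha256:..." value, a "repo@sha256:..." reference,
// or either of those behind a "<runtime>://" prefix. It returns false when no
// well-formed digest is present, so the caller can decide what to keep.
func ParseImageID(imageID string) (string, bool) {
	s := imageID
	for _, p := range runtimePrefixes {
		if strings.HasPrefix(s, p) {
			s = strings.TrimPrefix(s, p)
			break
		}
	}
	// "repo@sha256:..." -> keep only the part after the last '@'.
	if i := strings.LastIndex(s, "@"); i >= 0 {
		s = s[i+1:]
	}
	if !sha256Digest.MatchString(s) {
		return "", false
	}
	return s, true
}

// ParseImage splits a Pod spec image reference into repository, tag and digest.
// Accepts "repo:tag", "repo@digest" and "repo:tag@digest". The tag separator is
// the last ':' after the last '/', so a registry port (host:5000/repo) is not
// mistaken for a tag.
func ParseImage(image string) (repo, tag, digest string) {
	rest := image
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		digest = rest[i+1:]
		rest = rest[:i]
	}
	slash := strings.LastIndex(rest, "/")
	if c := strings.LastIndex(rest, ":"); c > slash {
		tag = rest[c+1:]
		rest = rest[:c]
	}
	return rest, tag, digest
}

// Resolve combines the image and imageID fields of one containerStatus. The version
// comes from the tag and is kept even when the imageID yields no usable digest;
// the digest, when the imageID has one, is preferred from there because that is
// what the runtime actually pulled.
func Resolve(image, imageID string) ImageRef {
	repo, tag, specDigest := ParseImage(image)
	ref := ImageRef{Repository: repo, Tag: tag, Digest: specDigest}
	if tag != "" {
		ref.Version = "v" + strings.TrimPrefix(tag, "v")
	}
	if d, ok := ParseImageID(imageID); ok {
		ref.Digest = d
	}
	return ref
}

func main() {
	// Constructed containerStatus pairs. The first reproduces the minikube imageID
	// quoted in the issue; the others are assumed values for the other code paths.
	samples := [][2]string{
		{"k8s.gcr.io/etcd:3.5.3-0", "docker-pullable://k8s.gcr.io/etcd@sha256:13f53ed1d91e2e11aac476ee9a0269fdda6cc4874eba903efd40daf50c55eee5"},
		{"registry.k8s.io/etcd:3.5.15-0", "sha256:" + strings.Repeat("0", 64)},
		{"localhost:5000/etcd:3.5.15-0", "not-a-digest"},
	}
	for _, s := range samples {
		fmt.Printf("%+v\n", Resolve(s[0], s[1]))
	}
}
```

Running it prints one ImageRef per sample; the minikube pair yields both the version `v3.5.3-0` and the digest, and the third pair still yields a version even though its imageID is rejected.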

@afdesk afdesk added the kind/bug Categorizes issue or PR as related to a bug. label Feb 5, 2025
@afdesk afdesk self-assigned this Feb 5, 2025
@afdesk afdesk added the target/kubernetes Issues relating to kubernetes cluster scanning label Feb 5, 2025