feat: add k8s vulns

Signed-off-by: chenk <hen.keinan@gmail.com>
aquasecurity · Jul 27, 2023 · 14f5fe7 · 14f5fe7
1 parent 143ad80
commit 14f5fe7
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 2 deletions.
diff --git a/pkg/vulnsrc/k8svulndb/k8svulndb.go b/pkg/vulnsrc/k8svulndb/k8svulndb.go
@@ -3,6 +3,8 @@ package k8svulndb
 import (
 	"encoding/json"
 	"fmt"
+	"strings"
+	"time"
 
 	"io"
 	"log"
@@ -109,11 +111,26 @@ func (vs VulnSrc) commit(tx *bolt.Tx, item K8sCVE) error {
 	if err != nil {
 		return xerrors.Errorf("failed to save k8s-vulndb advisory: %w", err)
 	}
-
+	severity, err := types.NewSeverity(strings.ToUpper(item.Severity))
+	if err != nil {
+		severity = types.SeverityLow
+	}
 	vuln := types.VulnerabilityDetail{
+		ID:          item.ID,
+		Severity:    severity,
+		CvssVector:  item.Cvss,
 		Description: item.Description,
 		References:  item.Urls,
 		CvssScoreV3: item.Score,
+		Title:       item.Summary,
+	}
+	if len(item.CreatedAt) != 0 {
+		publishedDate, err := time.Parse("2023-06-13T14:42:06Z", item.CreatedAt)
+		if err != nil {
+			publishedDate = time.Now()
+		}
+		vuln.PublishedDate = &publishedDate
+		vuln.LastModifiedDate = &publishedDate
 	}
 	if err = vs.dbc.PutVulnerabilityDetail(tx, item.ID, source.ID, vuln); err != nil {
 		return xerrors.Errorf("failed to put vulnerability detail (%s): %w", item.ID, err)

diff --git a/pkg/vulnsrc/k8svulndb/k8svulndb_test.go b/pkg/vulnsrc/k8svulndb/k8svulndb_test.go
@@ -1,6 +1,7 @@
 package k8svulndb_test
 
 import (
+	"strings"
 	"testing"
 
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrctest"
@@ -11,6 +12,10 @@ import (
 )
 
 func TestVulnSrc_Update(t *testing.T) {
+	severity, err := types.NewSeverity(strings.ToUpper("Medium"))
+	if err != nil {
+		severity = types.SeverityLow
+	}
 	tests := []struct {
 		name    string
 		dir     string
@@ -44,7 +49,11 @@ func TestVulnSrc_Update(t *testing.T) {
 							"https://github.com/kubernetes/kubernetes/issues/118640",
 							"https://www.cve.org/cverecord?id=CVE-2023-2727, CVE-2023-2728",
 						},
+						ID:          "CVE-2023-2727",
 						CvssScoreV3: 6.5,
+						CvssVector:  "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
+						Severity:    severity,
+						Title:       "Bypassing policies imposed by the ImagePolicyWebhook and bypassing mountable secrets policy imposed by the ServiceAccount admission plugin",
 					},
 				},
 			},

diff --git a/pkg/vulnsrc/k8svulndb/testdata/happy/vuln-list-k8s/k8s/cves/CVE-2023-2727.json b/pkg/vulnsrc/k8svulndb/testdata/happy/vuln-list-k8s/k8s/cves/CVE-2023-2727.json
@@ -1,6 +1,5 @@
 {
   "id": "CVE-2023-2727",
-  "created_at": "2023-06-13T14:42:06Z",
   "summary": "Bypassing policies imposed by the ImagePolicyWebhook and bypassing mountable secrets policy imposed by the ServiceAccount admission plugin",
   "component": "k8s.io/kube-apiserver",
   "description": "CVE-2023-2727: Bypassing policies imposed by the ImagePolicyWebhook admission pluginCVSS Rating: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NA security issue was discovered in Kubernetes where users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.Am I vulnerable?Clusters are impacted by this vulnerability if all of the following are true:",