diff --git a/pkg/vulnsrc/k8svulndb/k8svulndb.go b/pkg/vulnsrc/k8svulndb/k8svulndb.go
index 0a4f80f0..2cfc884c 100644
--- a/pkg/vulnsrc/k8svulndb/k8svulndb.go
+++ b/pkg/vulnsrc/k8svulndb/k8svulndb.go
@@ -3,6 +3,8 @@ package k8svulndb
 import (
 	"encoding/json"
 	"fmt"
+	"strings"
+	"time"
 	"io"
 	"log"
@@ -109,11 +111,26 @@ func (vs VulnSrc) commit(tx *bolt.Tx, item K8sCVE) error {
 	if err != nil {
 		return xerrors.Errorf("failed to save k8s-vulndb advisory: %w", err)
 	}
-
+	severity, err := types.NewSeverity(strings.ToUpper(item.Severity))
+	if err != nil {
+		severity = types.SeverityLow
+	}
 	vuln := types.VulnerabilityDetail{
+		ID: item.ID,
+		Severity: severity,
+		CvssVector: item.Cvss,
 		Description: item.Description,
 		References: item.Urls,
 		CvssScoreV3: item.Score,
+		Title: item.Summary,
+	}
+	if len(item.CreatedAt) != 0 {
+		publishedDate, err := time.Parse("2023-06-13T14:42:06Z", item.CreatedAt)
+		if err != nil {
+			publishedDate = time.Now()
+		}
+		vuln.PublishedDate = &publishedDate
+		vuln.LastModifiedDate = &publishedDate
 	}
 	if err = vs.dbc.PutVulnerabilityDetail(tx, item.ID, source.ID, vuln); err != nil {
 		return xerrors.Errorf("failed to put vulnerability detail (%s): %w", item.ID, err)
diff --git a/pkg/vulnsrc/k8svulndb/k8svulndb_test.go b/pkg/vulnsrc/k8svulndb/k8svulndb_test.go
index b5208d7c..38ef5c17 100644
--- a/pkg/vulnsrc/k8svulndb/k8svulndb_test.go
+++ b/pkg/vulnsrc/k8svulndb/k8svulndb_test.go
@@ -1,6 +1,7 @@
 package k8svulndb_test
 import (
+	"strings"
 	"testing"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrctest"
@@ -11,6 +12,10 @@ import (
 )
 func TestVulnSrc_Update(t *testing.T) {
+	severity, err := types.NewSeverity(strings.ToUpper("Medium"))
+	if err != nil {
+		severity = types.SeverityLow
+	}
 	tests := []struct {
 		name string
 		dir string
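Review bot: The new `"strings"` and `"time"` imports are placed between `"fmt"` and `"io"`, which breaks the sorted order gofmt enforces within an import group. The next gofmt run will move them after `"log"`, so commit them in that position now to keep the diff stable: `"io"`, `"log"`, `"strings"`, `"time"`.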
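Review bot: `time.Parse("2023-06-13T14:42:06Z", item.CreatedAt)` passes a concrete timestamp where Go expects a reference layout spelled with the magic date 2006-01-02T15:04:05, so the digits are read as stray day/month/hour directives and parsing will fail for essentially every real `created_at` value, sending each record into the `time.Now()` branch. The fix is `publishedDate, err := time.Parse(time.RFC3339, item.CreatedAt)`. The fallback is itself a problem: stamping an unparseable date with the build time writes a silently wrong, non-reproducible PublishedDate into the database, and copying it into LastModifiedDate asserts a modification time the source never provided, so return or log the error and leave both pointers nil instead. Likewise mapping an unrecognised severity string to `types.SeverityLow` downgrades rather than reports — store the package's unknown severity value (`types.SeverityUnknown`, if that is what the types package exposes) so a consumer can tell "unknown" from "low". The enclosing `commit` body starts before this hunk.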
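Review bot: Deriving `severity` in the test via `types.NewSeverity(strings.ToUpper("Medium"))` with a fallback to `SeverityLow` copies the production code's error swallowing into the test, so a broken `NewSeverity` would still yield a passing but meaningless expectation. Use the constant directly in the expected detail (`Severity: types.SeverityMedium`) or fail the test when `err` is non-nil rather than defaulting. The `TestVulnSrc_Update` body continues past this hunk.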
@@ -44,7 +49,11 @@ func TestVulnSrc_Update(t *testing.T) {
 						"https://github.com/kubernetes/kubernetes/issues/118640",
 						"https://www.cve.org/cverecord?id=CVE-2023-2727, CVE-2023-2728",
 					},
+					ID: "CVE-2023-2727",
 					CvssScoreV3: 6.5,
+					CvssVector: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
+					Severity: severity,
+					Title: "Bypassing policies imposed by the ImagePolicyWebhook and bypassing mountable secrets policy imposed by the ServiceAccount admission plugin",
 				},
 			},
 		},
diff --git a/pkg/vulnsrc/k8svulndb/testdata/happy/vuln-list-k8s/k8s/cves/CVE-2023-2727.json b/pkg/vulnsrc/k8svulndb/testdata/happy/vuln-list-k8s/k8s/cves/CVE-2023-2727.json
index ed96c421..cced0ded 100644
--- a/pkg/vulnsrc/k8svulndb/testdata/happy/vuln-list-k8s/k8s/cves/CVE-2023-2727.json
+++ b/pkg/vulnsrc/k8svulndb/testdata/happy/vuln-list-k8s/k8s/cves/CVE-2023-2727.json
@@ -1,6 +1,5 @@
 {
   "id": "CVE-2023-2727",
-  "created_at": "2023-06-13T14:42:06Z",
   "summary": "Bypassing policies imposed by the ImagePolicyWebhook and bypassing mountable secrets policy imposed by the ServiceAccount admission plugin",
   "component": "k8s.io/kube-apiserver",
   "description": "CVE-2023-2727: Bypassing policies imposed by the ImagePolicyWebhook admission pluginCVSS Rating: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NA security issue was discovered in Kubernetes where users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.Am I vulnerable?Clusters are impacted by this vulnerability if all of the following are true:",
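Review bot: The expected `VulnerabilityDetail` in this hunk has no `PublishedDate` or `LastModifiedDate`, and the same commit removes `created_at` from the `CVE-2023-2727.json` fixture, so the new date-parsing branch in `commit` is never exercised by this test. Keep `created_at` in the fixture and add the expected timestamp to the detail (a `time.Time` parsed once at the top of the test and referenced by pointer) so a wrong layout or a fallback to `time.Now()` fails the test instead of passing unnoticed. `TestVulnSrc_Update` begins and ends outside this hunk.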