bug(k8s): inconsistent results for scan with and without images #7790

Closed
afdesk opened this issue Oct 24, 2024 · 0 comments · Fixed by #7797
Labels: bug, target/kubernetes (Issues relating to kubernetes cluster scanning)
afdesk (Contributor) commented Oct 24, 2024

Description

Misconfiguration and image scans in Kubernetes were split in #7690, and it brought a nasty bug.

Earlier, both scans worked in the same function, and misconfigs and vulns from images were handled as the same item.
Now there are two separate processes: Trivy gets misconfigurations and then appends image vulns.

If Trivy can't receive images (e.g. there are no permissions), an empty result will be added and the existing misconfig report will be skipped in the report.

Note: some form of this bug existed before #7690, but it didn't matter for most cases, because image vulns were added before misconfigurations.

Reason

It affects only the summary report.
If a resource has no vulns or secret findings but has misconfigs, the index item will be overridden by the latest result:

// Buggy loop: a later result for the same resource (e.g. an empty image-scan
// result) silently replaces the misconfiguration entry already in the index.
for _, m := range r.Resources {
	if vulnerabilitiesOrSecretResource(m) {
		vulnerabilities = append(vulnerabilities, m)
	} else {
		index[m.fullname()] = m
	}
}

Reproduction

I can reproduce this bug in my demo management k8s cluster.

Scan with --skip-images:

Infra Assessment
┌─────────────┬──────────────────────────────────────────────┬───────────────────┬──────────────────────┬───────────────────┐
│  Namespace  │                   Resource                   │  Vulnerabilities  │  Misconfigurations   │      Secrets      │
│             │                                              ├───┬───┬───┬───┬───┼───┬────┬────┬────┬───┼───┬───┬───┬───┬───┤
│             │                                              │ C │ H │ M │ L │ U │ C │ H  │ M  │ L  │ U │ C │ H │ M │ L │ U │
├─────────────┼──────────────────────────────────────────────┼───┼───┼───┼───┼───┼───┼────┼────┼────┼───┼───┼───┼───┼───┼───┤
│ kube-system │ Service/kube-dns                             │   │   │   │   │   │   │    │ 1  │    │   │   │   │   │   │   │
│ kube-system │ DaemonSet/cilium                             │   │   │   │   │   │   │ 19 │ 28 │ 57 │   │   │   │   │   │   │
│ kube-system │ DaemonSet/kube-proxy                         │   │   │   │   │   │   │ 3  │ 5  │ 9  │   │   │   │   │   │   │
│ kube-system │ Service/hubble-peer                          │   │   │   │   │   │   │    │ 1  │    │   │   │   │   │   │   │
│ kube-system │ Deployment/cilium-operator                   │   │   │   │   │   │   │ 2  │ 4  │ 9  │   │   │   │   │   │   │
│ kube-system │ ConfigMap/cilium-config                      │   │   │   │   │   │   │    │ 1  │    │   │   │   │   │   │   │
│ kube-system │ ConfigMap/extension-apiserver-authentication │   │   │   │   │   │   │    │ 1  │    │   │   │   │   │   │   │
│ kube-system │ Deployment/coredns                           │   │   │   │   │   │   │ 1  │ 4  │ 4  │   │   │   │   │   │   │
└─────────────┴──────────────────────────────────────────────┴───┴───┴───┴───┴───┴───┴────┴────┴────┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

Scan with unreachable images (without --skip-images):

Infra Assessment
┌─────────────┬──────────────────────────────────────────────┬───────────────────┬───────────────────┬───────────────────┐
│  Namespace  │                   Resource                   │  Vulnerabilities  │ Misconfigurations │      Secrets      │
│             │                                              ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤
│             │                                              │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │
├─────────────┼──────────────────────────────────────────────┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┤
│ kube-system │ ConfigMap/cilium-config                      │   │   │   │   │   │   │   │ 1 │   │   │   │   │   │   │   │
│ kube-system │ Service/hubble-peer                          │   │   │   │   │   │   │   │ 1 │   │   │   │   │   │   │   │
│ kube-system │ ConfigMap/extension-apiserver-authentication │   │   │   │   │   │   │   │ 1 │   │   │   │   │   │   │   │
│ kube-system │ Service/kube-dns                             │   │   │   │   │   │   │   │ 1 │   │   │   │   │   │   │   │
└─────────────┴──────────────────────────────────────────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN
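The overwrite the issue describes, reproduced in a self-contained Go program. This is an added example, not Trivy's code and not the fix that landed in #7797: the `Resource` type, `sampleResults` input and `mergedSummary` function are constructed here to show the failure mode (an empty image-scan result appended after the misconfiguration result for the same workload) next to a merge that keeps the earlier findings.

```go
package main

import (
	"fmt"
	"strconv"
)

// Resource is a constructed stand-in for a resource entry in Trivy's
// Kubernetes report; it is not Trivy's own type. Findings are kept as ID
// slices because only their counts matter for the summary table.
type Resource struct {
	Namespace         string
	Kind              string
	Name              string
	Vulnerabilities   []string
	Misconfigurations []string
	Secrets           []string
}

// fullname mirrors the key the issue's loop uses for the index map.
func (r Resource) fullname() string {
	return r.Namespace + "/" + r.Kind + "/" + r.Name
}

// vulnerabilitiesOrSecretResource is the branch condition from the issue:
// a result with no vulns and no secrets (an empty image scan included)
// falls through to the index branch.
func vulnerabilitiesOrSecretResource(r Resource) bool {
	return len(r.Vulnerabilities) > 0 || len(r.Secrets) > 0
}

// buggySummary reproduces the overwrite: the last result seen for a
// resource replaces whatever was already indexed under that name.
func buggySummary(results []Resource) map[string]Resource {
	index := map[string]Resource{}
	for _, m := range results {
		if vulnerabilitiesOrSecretResource(m) {
			continue // collected into a separate list in Trivy; not needed here
		}
		index[m.fullname()] = m
	}
	return index
}

// mergedSummary keeps the misconfigurations already indexed for a resource
// and appends any new findings instead of replacing the entry (hypothetical
// fix for illustration; the real change is in #7797).
func mergedSummary(results []Resource) map[string]Resource {
	index := map[string]Resource{}
	for _, m := range results {
		if vulnerabilitiesOrSecretResource(m) {
			continue
		}
		key := m.fullname()
		if existing, ok := index[key]; ok {
			existing.Misconfigurations = append(existing.Misconfigurations, m.Misconfigurations...)
			index[key] = existing
			continue
		}
		index[key] = m
	}
	return index
}

// sampleResults is constructed input in the order the issue describes:
// misconfiguration results first, then image-scan results appended after.
// The image scan for the cilium DaemonSet failed, so its appended result
// carries no findings at all.
func sampleResults() []Resource {
	ids := func(prefix string, n int) []string {
		out := make([]string, n)
		for i := range out {
			out[i] = prefix + "-" + strconv.Itoa(i)
		}
		return out
	}
	return []Resource{
		{Namespace: "kube-system", Kind: "Service", Name: "kube-dns", Misconfigurations: ids("KSV", 1)},
		{Namespace: "kube-system", Kind: "DaemonSet", Name: "cilium", Misconfigurations: ids("KSV", 104)},
		// empty result from the unreachable image scan of the same DaemonSet
		{Namespace: "kube-system", Kind: "DaemonSet", Name: "cilium"},
	}
}

// misconfigCount returns how many misconfigurations the summary reports for
// a resource key, 0 if the resource has no entry.
func misconfigCount(index map[string]Resource, key string) int {
	return len(index[key].Misconfigurations)
}

func main() {
	const cilium = "kube-system/DaemonSet/cilium"
	fmt.Println("buggy :", misconfigCount(buggySummary(sampleResults()), cilium))
	fmt.Println("merged:", misconfigCount(mergedSummary(sampleResults()), cilium))
}
```

Only workloads that reference images get an appended image result, which is why the issue's second table keeps the Services and ConfigMaps but loses the DaemonSets and Deployments; the Service/kube-dns entry survives both versions here for the same reason.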
@afdesk afdesk self-assigned this Oct 24, 2024
@afdesk afdesk added target/kubernetes Issues relating to kubernetes cluster scanning bug labels Oct 24, 2024
@simar7 simar7 added this to the v0.57.0 milestone Oct 29, 2024