Duplicate and multiple entries of resource/vulnerability_id within the same image #1334
Comments
@saurabh21316 it's strange, can you scan the image directly with trivy and let me know if you get the same result?
When I run locally, I see the PkgPath is different in all 4 records, and it is missing via trivy-operator. @chen-keinan so trivy-operator needs an update. Thoughts?
@saurabh21316 by setting this helm flag trivy-operator can include additional fields in the report
@chen-keinan I updated to and I see PackageType got updated, but PackagePath is still missing.
Just FYI, the configmap looks like this after deploying via helm: kind: ConfigMap
@saurabh21316 thanks for the feedback, I'll check it out
@chen-keinan Just checking if you got a chance to look into it. :)
Not yet, I'll have a look today
Found the issue, created a PR
I still don't see it in the report even though I recreated the helm release. @chen-keinan Do I need to update the version?
@saurabh21316 it's not yet released, only merged to upstream
@chen-keinan Do we have any timeline? I have been working to get trivy operator working for the last few weeks, as you know, and now we have it working but got blocked on generating the report :( I would highly appreciate it if it can be done next week if possible. How do I track it getting into production? Is there a way to get a notification or so... Thanks
I will cut an rc next week
Thanks!
@saurabh21316
@chen-keinan crashing with the new version:
{"level":"error","ts":"2023-07-11T16:59:01Z","logger":"controller-runtime.source.EventHandler","msg":"if kind is a CRD, it should be installed before calling Start","kind":"SbomReport.aquasecurity.github.io","error":"no matches for kind "SbomReport" in version "aquasecurity.github.io/v1alpha1"","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/source/kind.go:63\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func1\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.27.3/pkg/util/wait/loop.go:62\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.27.3/pkg/util/wait/loop.go:63\nk8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.27.3/pkg/util/wait/poll.go:33\nsigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/source/kind.go:56"}
@saurabh21316 Thanks for the feedback. I'll take a look at it. In the meantime, can you disable the sbom generation flag?
I see the SBOM CRD and I have disabled the sbom flag, got trivy operator working, but still no PackagePath after redeploying helm and deleting the vulnerability report. @chen-keinan
Which image are you using, is it public? Can you share the yaml resource?
I am running it on a private image, but let's say on a public image: apiVersion: aquasecurity.github.io/v1alpha1
Here is the config -- kind: ConfigMap
@saurabh21316 just tested it with this helm command:
and this resource yaml:
and got this report, see:

```yaml
apiVersion: aquasecurity.github.io/v1alpha1
kind: VulnerabilityReport
metadata:
  annotations:
    trivy-operator.aquasecurity.github.io/report-ttl: 24h0m0s
  creationTimestamp: "2023-07-11T17:49:48Z"
  generation: 1
  labels:
    resource-spec-hash: 55b58d8898
    trivy-operator.container.name: demo-cron-job
    trivy-operator.resource.kind: CronJob
    trivy-operator.resource.name: demo-deprecated-cron-job
    trivy-operator.resource.namespace: default
  name: cronjob-demo-deprecated-cron-job-demo-cron-job
  namespace: default
  ownerReferences:
  - apiVersion: batch/v1
    blockOwnerDeletion: false
    controller: true
    kind: CronJob
    name: demo-deprecated-cron-job
    uid: 27df88e2-48c2-421b-8428-67517df3251e
  resourceVersion: "105150"
  uid: 79ceab38-c126-493b-96f8-9998b186d91e
report:
  artifact:
    repository: library/node
    tag: 14-alpine
  registry:
    server: index.docker.io
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: 0.42.0
  summary:
    criticalCount: 0
    highCount: 5
    lowCount: 0
    mediumCount: 5
    noneCount: 0
    unknownCount: 0
  updateTimestamp: "2023-07-11T17:49:48Z"
  vulnerabilities:
  - fixedVersion: 3.0.9-r0
    installedVersion: 3.0.8-r3
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-2650
    resource: libcrypto3
    score: 7.5
    severity: HIGH
    target: ""
    title: Possible DoS translating ASN.1 object identifiers
    vulnerabilityID: CVE-2023-2650
  - fixedVersion: 3.0.8-r4
    installedVersion: 3.0.8-r3
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-1255
    resource: libcrypto3
    score: 5.9
    severity: MEDIUM
    target: ""
    title: Input buffer over-read in AES-XTS implementation on 64 bit ARM
    vulnerabilityID: CVE-2023-1255
  - fixedVersion: 3.0.9-r0
    installedVersion: 3.0.8-r3
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-2650
    resource: libssl3
    score: 7.5
    severity: HIGH
    target: ""
    title: Possible DoS translating ASN.1 object identifiers
    vulnerabilityID: CVE-2023-2650
  - fixedVersion: 3.0.8-r4
    installedVersion: 3.0.8-r3
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-1255
    resource: libssl3
    score: 5.9
    severity: MEDIUM
    target: ""
    title: Input buffer over-read in AES-XTS implementation on 64 bit ARM
    vulnerabilityID: CVE-2023-1255
  - fixedVersion: 3.0.1, 4.1.1, 5.0.1, 6.0.1
    installedVersion: 3.0.0
    links: []
    packagePath: usr/local/lib/node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json
    primaryLink: https://avd.aquasec.com/nvd/cve-2021-3807
    resource: ansi-regex
    score: 7.5
    severity: HIGH
    target: ""
    title: Regular expression denial of service (ReDoS) matching ANSI escape codes
    vulnerabilityID: CVE-2021-3807
  - fixedVersion: 3.0.1, 4.1.1, 5.0.1, 6.0.1
    installedVersion: 4.1.0
    links: []
    packagePath: usr/local/lib/node_modules/npm/node_modules/yargs/node_modules/ansi-regex/package.json
    primaryLink: https://avd.aquasec.com/nvd/cve-2021-3807
    resource: ansi-regex
    score: 7.5
    severity: HIGH
    target: ""
    title: Regular expression denial of service (ReDoS) matching ANSI escape codes
    vulnerabilityID: CVE-2021-3807
  - fixedVersion: 11.8.5, 12.1.0
    installedVersion: 6.7.1
    links: []
    packagePath: usr/local/lib/node_modules/npm/node_modules/got/package.json
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-33987
    resource: got
    score: 5.3
    severity: MEDIUM
    target: ""
    title: missing verification of requested URLs allows redirects to UNIX sockets
    vulnerabilityID: CVE-2022-33987
  - fixedVersion: 4.1.1
    installedVersion: 3.8.1
    links: []
    packagePath: usr/local/lib/node_modules/npm/node_modules/http-cache-semantics/package.json
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-25881
    resource: http-cache-semantics
    score: 7.5
    severity: HIGH
    target: ""
    title: Regular Expression Denial of Service (ReDoS) vulnerability
    vulnerabilityID: CVE-2022-25881
  - fixedVersion: 5.7.2, 6.3.1, 7.5.2
    installedVersion: 5.7.1
    links: []
    packagePath: usr/local/lib/node_modules/npm/node_modules/semver/package.json
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-25883
    resource: semver
    score: 7.5
    severity: MEDIUM
    target: ""
    title: Versions of the package semver before 7.5.2 are vulnerable to Regular ...
    vulnerabilityID: CVE-2022-25883
  - fixedVersion: 4.1.3
    installedVersion: 2.5.0
    links: []
    packagePath: usr/local/lib/node_modules/npm/node_modules/tough-cookie/package.json
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-26136
    resource: tough-cookie
    score: 9.8
    severity: MEDIUM
    target: ""
    title: prototype pollution in cookie memstore
    vulnerabilityID: CVE-2023-26136
```
Weird, I don't see it.
This is the job of the private image @chen-keinan
No, it's public
```yaml
apiVersion: aquasecurity.github.io/v1alpha1
kind: VulnerabilityReport
metadata:
  name: cronjob-demo-deprecated-cron-job-demo-cron-job
  namespace: colony-testing
  uid: 94ca462e-7a74-4068-9255-8bccd7eff857
  resourceVersion: '115084734'
  generation: 1
  creationTimestamp: '2023-07-11T19:45:48Z'
  labels:
    resource-spec-hash: 55b58d8898
    trivy-operator.container.name: demo-cron-job
    trivy-operator.resource.kind: CronJob
    trivy-operator.resource.name: demo-deprecated-cron-job
    trivy-operator.resource.namespace: colony-testing
  annotations:
    trivy-operator.aquasecurity.github.io/report-ttl: 24h0m0s
  ownerReferences:
  - apiVersion: batch/v1
    kind: CronJob
    name: demo-deprecated-cron-job
    uid: fecd51bb-2c66-4015-bb20-13a7c978519b
    controller: true
    blockOwnerDeletion: false
report:
  artifact:
    repository: library/node
    tag: 14-alpine
  registry:
    server: index.docker.io
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: 0.42.0
  summary:
    criticalCount: 0
    highCount: 5
    lowCount: 0
    mediumCount: 5
    noneCount: 0
    unknownCount: 0
  updateTimestamp: '2023-07-11T19:45:48Z'
  vulnerabilities:
  - fixedVersion: 3.0.9-r0
    installedVersion: 3.0.8-r3
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-2650
    resource: libcrypto3
    score: 7.5
    severity: HIGH
    target: ''
    title: Possible DoS translating ASN.1 object identifiers
    vulnerabilityID: CVE-2023-2650
  - fixedVersion: 3.0.8-r4
    installedVersion: 3.0.8-r3
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-1255
    resource: libcrypto3
    score: 5.9
    severity: MEDIUM
    target: ''
    title: Input buffer over-read in AES-XTS implementation on 64 bit ARM
    vulnerabilityID: CVE-2023-1255
  - fixedVersion: 3.0.9-r0
    installedVersion: 3.0.8-r3
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-2650
    resource: libssl3
    score: 7.5
    severity: HIGH
    target: ''
    title: Possible DoS translating ASN.1 object identifiers
    vulnerabilityID: CVE-2023-2650
  - fixedVersion: 3.0.8-r4
    installedVersion: 3.0.8-r3
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-1255
    resource: libssl3
    score: 5.9
    severity: MEDIUM
    target: ''
    title: Input buffer over-read in AES-XTS implementation on 64 bit ARM
    vulnerabilityID: CVE-2023-1255
  - fixedVersion: 3.0.1, 4.1.1, 5.0.1, 6.0.1
    installedVersion: 3.0.0
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2021-3807
    resource: ansi-regex
    score: 7.5
    severity: HIGH
    target: ''
    title: Regular expression denial of service (ReDoS) matching ANSI escape codes
    vulnerabilityID: CVE-2021-3807
  - fixedVersion: 3.0.1, 4.1.1, 5.0.1, 6.0.1
    installedVersion: 4.1.0
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2021-3807
    resource: ansi-regex
    score: 7.5
    severity: HIGH
    target: ''
    title: Regular expression denial of service (ReDoS) matching ANSI escape codes
    vulnerabilityID: CVE-2021-3807
  - fixedVersion: 11.8.5, 12.1.0
    installedVersion: 6.7.1
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-33987
    resource: got
    score: 5.3
    severity: MEDIUM
    target: ''
    title: missing verification of requested URLs allows redirects to UNIX sockets
    vulnerabilityID: CVE-2022-33987
  - fixedVersion: 4.1.1
    installedVersion: 3.8.1
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-25881
    resource: http-cache-semantics
    score: 7.5
    severity: HIGH
    target: ''
    title: Regular Expression Denial of Service (ReDoS) vulnerability
    vulnerabilityID: CVE-2022-25881
  - fixedVersion: 5.7.2, 6.3.1, 7.5.2
    installedVersion: 5.7.1
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-25883
    resource: semver
    score: 7.5
    severity: MEDIUM
    target: ''
    title: >-
      Versions of the package semver before 7.5.2 are vulnerable to Regular
      ...
    vulnerabilityID: CVE-2022-25883
  - fixedVersion: 4.1.3
    installedVersion: 2.5.0
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-26136
    resource: tough-cookie
    score: 9.8
    severity: MEDIUM
    target: ''
    title: prototype pollution in cookie memstore
    vulnerabilityID: CVE-2023-26136
```
@chen-keinan this is what I get when I run the above resource.yaml.
So something is not right when I deployed trivy-operator via helm, and this is my configmap data:
What is the helm command you are running?
I have deployed helm via flux in our cluster.
I can share the helm value.yaml if you like.
apiVersion: v1
Here is the value.yaml @chen-keinan
@saurabh21316 could you do a simple test on a local cluster (like kind) deployed with a simple helm command and default values? I see you also customize, I just want to exclude env. issues:
I will create a new test cluster, run on it and let you know. Thanks!
Hi @chen-keinan It's quite weird, I deployed it in two clusters using the below command. In the 1st cluster, I can see packagePath but not in the 2nd cluster.
helm install trivy-operator aqua/trivy-operator
Thoughts?
What are these errors?
I0714 18:07:31.507258 1 trace.go:219] Trace[1204268076]: "DeltaFIFO Pop Process" ID:kube-system/cluster-kubestore,Depth:11,Reason:slow event handlers blocking the queue (14-Jul-2023 18:07:30.053) (total time: 1453ms):
is this
Yes @chen-keinan
It's strange, and there is something not right with the helm, as I don't see PackagePath in my production cluster.
helm install trivy-operator aqua/trivy-operator --namespace trivy-system --set trivy.ignoreUnfixed=true --set trivy.additionalVulnerabilityReportFields=PackagePath --set trivyOperator.scanJobNodeSelector.node-type=trivy --set nodeSelector.node-type=trivy --set operator.sbomGenerationEnabled=false --version 0.15.0
Got it fixed finally, it was a GKE node issue... thanks @chen-keinan, all good.
Thanks for the update!
@chen-keinan Finally I am running Trivy Operator in GKE and able to scan private GCR. I just encountered another issue where I see duplicate and multiple entries of resource/vulnerability_id within the same image. Any idea? How should I differentiate these records?
```yaml
  - installedVersion: 6.5.2
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-24999
    resource: qs
    score: 7.5
    severity: HIGH
    target: ''
    title: '"qs" prototype poisoning causes the hang of the node process'
    vulnerabilityID: CVE-2022-24999
  - installedVersion: 6.5.2
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-24999
    resource: qs
    score: 7.5
    severity: HIGH
    target: ''
    title: '"qs" prototype poisoning causes the hang of the node process'
    vulnerabilityID: CVE-2022-24999
  - installedVersion: 6.7.0
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-24999
    resource: qs
    score: 7.5
    severity: HIGH
    target: ''
    title: '"qs" prototype poisoning causes the hang of the node process'
    vulnerabilityID: CVE-2022-24999
  - installedVersion: 6.9.6
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-24999
    resource: qs
    score: 7.5
    severity: HIGH
    target: ''
    title: '"qs" prototype poisoning causes the hang of the node process'
    vulnerabilityID: CVE-2022-24999
```
Thanks
Saurabh
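The four qs records in the post above share the same resource and vulnerabilityID, differ only in installedVersion, and two of them do not differ even in that. The script below is an added example, not trivy-operator's own code: it groups a report's vulnerabilities by (resource, vulnerabilityID) and shows which records remain indistinguishable without the optional PackagePath field that the thread's helm flag (trivy.additionalVulnerabilityReportFields=PackagePath) adds. The sample records are constructed from the qs excerpt in this issue; the packagePath values in the second sample are hypothetical and exist only to show the field doing its job.

```python
"""Find VulnerabilityReport entries that repeat the same resource/vulnerabilityID.

Added example; not trivy-operator's own code. The records below are constructed
from the qs / CVE-2022-24999 excerpt in this issue. The packagePath values in
SAMPLE_WITH_PATH are hypothetical: they stand in for what the
trivy.additionalVulnerabilityReportFields=PackagePath setting adds to a report.
"""
from collections import defaultdict

# What the report shows without PackagePath: four records, two of them identical.
SAMPLE_WITHOUT_PATH = [
    {"resource": "qs", "vulnerabilityID": "CVE-2022-24999", "installedVersion": v,
     "severity": "HIGH", "primaryLink": "https://avd.aquasec.com/nvd/cve-2022-24999"}
    for v in ("6.5.2", "6.5.2", "6.7.0", "6.9.6")
]

# The same findings once PackagePath is present (hypothetical paths, constructed
# here): each record now maps to a distinct package.json inside the image.
SAMPLE_WITH_PATH = [
    dict(rec, packagePath=path)
    for rec, path in zip(SAMPLE_WITHOUT_PATH, (
        "usr/src/app/node_modules/qs/package.json",
        "usr/src/app/node_modules/express/node_modules/qs/package.json",
        "usr/src/app/node_modules/request/node_modules/qs/package.json",
        "usr/local/lib/node_modules/npm/node_modules/qs/package.json",
    ))
]

KEY_FIELDS = ("resource", "vulnerabilityID")          # what the issue calls a duplicate
DISCRIMINATORS = ("installedVersion", "packagePath")  # what can tell the records apart


def findings_from_report(report_obj):
    """Pull the vulnerability list out of a VulnerabilityReport object
    (for example json.load of `kubectl get vulnerabilityreport <name> -o json`)."""
    return report_obj.get("report", {}).get("vulnerabilities", [])


def group_findings(vulns):
    """Map (resource, vulnerabilityID) -> every record carrying that pair."""
    groups = defaultdict(list)
    for v in vulns:
        groups[tuple(v.get(f, "") for f in KEY_FIELDS)].append(v)
    return dict(groups)


def classify_group(records):
    """Return (distinct_count, collisions) for one group.

    collisions lists the (installedVersion, packagePath) tuples shared by more
    than one record, i.e. findings that cannot be told apart with the fields
    available in the report. A missing packagePath shows up as None.
    """
    seen = defaultdict(int)
    for r in records:
        seen[tuple(r.get(f) for f in DISCRIMINATORS)] += 1
    collisions = [key for key, n in seen.items() if n > 1]
    return len(seen), collisions


def duplicate_report(vulns):
    """Summarise every (resource, vulnerabilityID) pair that occurs more than once."""
    summary = {}
    for key, records in group_findings(vulns).items():
        if len(records) < 2:
            continue
        distinct, collisions = classify_group(records)
        summary[key] = {
            "total": len(records),
            "distinct": distinct,
            "missing_path": sum(1 for r in records if not r.get("packagePath")),
            "collisions": collisions,
        }
    return summary


if __name__ == "__main__":
    for label, sample in (("without PackagePath", SAMPLE_WITHOUT_PATH),
                          ("with PackagePath", SAMPLE_WITH_PATH)):
        print(f"== {label} ==")
        for (resource, vuln_id), info in duplicate_report(sample).items():
            print(f"{resource} {vuln_id}: {info['total']} records, "
                  f"{info['distinct']} distinguishable, "
                  f"{info['missing_path']} without packagePath, "
                  f"indistinguishable groups: {info['collisions']}")
```

Run against a live report by feeding `findings_from_report(json.load(...))` into `duplicate_report`. On the constructed samples the first run reports 4 records of which only 3 are distinguishable and one colliding group ("6.5.2", None); the second run, with packagePath populated, reports 4 distinguishable records and no collisions, which is the practical reason to enable the PackagePath field before treating repeated resource/vulnerabilityID pairs as duplicates.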