
Duplicate and Multiple entries of resource/vulnerability_id with in the same image #1334

Closed
saurabh21316 opened this issue Jun 29, 2023 · 45 comments · Fixed by #1340
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@saurabh21316

saurabh21316 commented Jun 29, 2023

@chen-keinan Finally I am running Trivy Operator in GKE and able to scan private GCR. I just encountered another issue where I see duplicate and multiple entries of resource/vulnerabilityID within the same image. Any idea? How should I differentiate these records?

- fixedVersion: 6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3
  installedVersion: 6.5.2
  links: []
  primaryLink: https://avd.aquasec.com/nvd/cve-2022-24999
  resource: qs
  score: 7.5
  severity: HIGH
  target: ''
  title: '"qs" prototype poisoning causes the hang of the node process'
  vulnerabilityID: CVE-2022-24999
- fixedVersion: 6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3
  installedVersion: 6.5.2
  links: []
  primaryLink: https://avd.aquasec.com/nvd/cve-2022-24999
  resource: qs
  score: 7.5
  severity: HIGH
  target: ''
  title: '"qs" prototype poisoning causes the hang of the node process'
  vulnerabilityID: CVE-2022-24999
- fixedVersion: 6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3
  installedVersion: 6.7.0
  links: []
  primaryLink: https://avd.aquasec.com/nvd/cve-2022-24999
  resource: qs
  score: 7.5
  severity: HIGH
  target: ''
  title: '"qs" prototype poisoning causes the hang of the node process'
  vulnerabilityID: CVE-2022-24999
- fixedVersion: 6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3
  installedVersion: 6.9.6
  links: []
  primaryLink: https://avd.aquasec.com/nvd/cve-2022-24999
  resource: qs
  score: 7.5
  severity: HIGH
  target: ''
  title: '"qs" prototype poisoning causes the hang of the node process'
  vulnerabilityID: CVE-2022-24999

Thanks
Saurabh

@saurabh21316 saurabh21316 added the kind/bug Categorizes issue or PR as related to a bug. label Jun 29, 2023
@saurabh21316 saurabh21316 changed the title Duplicate or Multiple entries of resource/vulnerability_id with in the same image Duplicate and Multiple entries of resource/vulnerability_id with in the same image Jun 29, 2023
@chen-keinan
Collaborator

@saurabh21316 That's strange. Can you scan the image directly with Trivy and let me know if you get the same result?

@saurabh21316
Author

saurabh21316 commented Jun 30, 2023

When I run it locally, I see the PkgPath is different in all 4 records, and it is missing via trivy-operator. @chen-keinan So trivy-operator needs an update. Thoughts?

[
{
"VulnerabilityID": "CVE-2022-24999",
"PkgID": "qs@6.5.2",
"PkgName": "qs",
"PkgPath": "cube/node_modules/request/node_modules/qs/package.json",
"InstalledVersion": "6.5.2",
"FixedVersion": "6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3",
"Layer": {
"Digest": "sha256:a36f56c6d0d3fdcb053d0667ceacba928ab3b1e580cd4139a7d4eb03a33700fd",
"DiffID": "sha256:9912c376518b8ff8ab12ce71e8bdddd758652272c3c88c22bec402dc89ffad01"
},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24999",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "\"qs\" prototype poisoning causes the hang of the node process",
"Description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b\u0026a[__proto__]\u0026a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).",
"Severity": "HIGH",
"CweIDs": [
"CWE-1321"
],
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://access.redhat.com/errata/RHSA-2023:0050",
"https://access.redhat.com/security/cve/CVE-2022-24999",
"https://bugzilla.redhat.com/2044591",
"https://bugzilla.redhat.com/2066009",
"https://bugzilla.redhat.com/2134609",
"https://bugzilla.redhat.com/2140911",
"https://bugzilla.redhat.com/2150323",
"https://errata.almalinux.org/8/ALSA-2023-0050.html",
"https://github.com/advisories/GHSA-hrpp-h998-j3pp",
"https://github.com/expressjs/express/releases/tag/4.17.3",
"https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec",
"https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68",
"https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b",
"https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d",
"https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1",
"https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105",
"https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f",
"https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee",
"https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda",
"https://github.com/ljharb/qs/pull/428",
"https://github.com/n8tz/CVE-2022-24999",
"https://linux.oracle.com/cve/CVE-2022-24999.html",
"https://linux.oracle.com/errata/ELSA-2023-0050.html",
"https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html",
"https://nvd.nist.gov/vuln/detail/CVE-2022-24999",
"https://www.cve.org/CVERecord?id=CVE-2022-24999"
],
"PublishedDate": "2022-11-26T22:15:00Z",
"LastModifiedDate": "2023-02-16T19:19:00Z"
},
{
"VulnerabilityID": "CVE-2022-24999",
"PkgID": "qs@6.5.2",
"PkgName": "qs",
"PkgPath": "usr/local/lib/node_modules/npm/node_modules/qs/package.json",
"InstalledVersion": "6.5.2",
"FixedVersion": "6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3",
"Layer": {
"Digest": "sha256:2c7ff7c34da697cd9b1435f2cd07b7898f20fa7690b685d1027574cffd860018",
"DiffID": "sha256:94512035b05bc8f69c7adce24060648e395faf8ca787ba65167217403efcff3e"
},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24999",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "\"qs\" prototype poisoning causes the hang of the node process",
"Description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b\u0026a[__proto__]\u0026a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).",
"Severity": "HIGH",
"CweIDs": [
"CWE-1321"
],
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://access.redhat.com/errata/RHSA-2023:0050",
"https://access.redhat.com/security/cve/CVE-2022-24999",
"https://bugzilla.redhat.com/2044591",
"https://bugzilla.redhat.com/2066009",
"https://bugzilla.redhat.com/2134609",
"https://bugzilla.redhat.com/2140911",
"https://bugzilla.redhat.com/2150323",
"https://errata.almalinux.org/8/ALSA-2023-0050.html",
"https://github.com/advisories/GHSA-hrpp-h998-j3pp",
"https://github.com/expressjs/express/releases/tag/4.17.3",
"https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec",
"https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68",
"https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b",
"https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d",
"https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1",
"https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105",
"https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f",
"https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee",
"https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda",
"https://github.com/ljharb/qs/pull/428",
"https://github.com/n8tz/CVE-2022-24999",
"https://linux.oracle.com/cve/CVE-2022-24999.html",
"https://linux.oracle.com/errata/ELSA-2023-0050.html",
"https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html",
"https://nvd.nist.gov/vuln/detail/CVE-2022-24999",
"https://www.cve.org/CVERecord?id=CVE-2022-24999"
],
"PublishedDate": "2022-11-26T22:15:00Z",
"LastModifiedDate": "2023-02-16T19:19:00Z"
},
{
"VulnerabilityID": "CVE-2022-24999",
"PkgID": "qs@6.7.0",
"PkgName": "qs",
"PkgPath": "cube/node_modules/qs/package.json",
"InstalledVersion": "6.7.0",
"FixedVersion": "6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3",
"Layer": {
"Digest": "sha256:a36f56c6d0d3fdcb053d0667ceacba928ab3b1e580cd4139a7d4eb03a33700fd",
"DiffID": "sha256:9912c376518b8ff8ab12ce71e8bdddd758652272c3c88c22bec402dc89ffad01"
},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24999",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "\"qs\" prototype poisoning causes the hang of the node process",
"Description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b\u0026a[__proto__]\u0026a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).",
"Severity": "HIGH",
"CweIDs": [
"CWE-1321"
],
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://access.redhat.com/errata/RHSA-2023:0050",
"https://access.redhat.com/security/cve/CVE-2022-24999",
"https://bugzilla.redhat.com/2044591",
"https://bugzilla.redhat.com/2066009",
"https://bugzilla.redhat.com/2134609",
"https://bugzilla.redhat.com/2140911",
"https://bugzilla.redhat.com/2150323",
"https://errata.almalinux.org/8/ALSA-2023-0050.html",
"https://github.com/advisories/GHSA-hrpp-h998-j3pp",
"https://github.com/expressjs/express/releases/tag/4.17.3",
"https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec",
"https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68",
"https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b",
"https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d",
"https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1",
"https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105",
"https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f",
"https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee",
"https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda",
"https://github.com/ljharb/qs/pull/428",
"https://github.com/n8tz/CVE-2022-24999",
"https://linux.oracle.com/cve/CVE-2022-24999.html",
"https://linux.oracle.com/errata/ELSA-2023-0050.html",
"https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html",
"https://nvd.nist.gov/vuln/detail/CVE-2022-24999",
"https://www.cve.org/CVERecord?id=CVE-2022-24999"
],
"PublishedDate": "2022-11-26T22:15:00Z",
"LastModifiedDate": "2023-02-16T19:19:00Z"
},
{
"VulnerabilityID": "CVE-2022-24999",
"PkgID": "qs@6.9.6",
"PkgName": "qs",
"PkgPath": "cube/node_modules/body-parser/node_modules/qs/package.json",
"InstalledVersion": "6.9.6",
"FixedVersion": "6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3",
"Layer": {
"Digest": "sha256:a36f56c6d0d3fdcb053d0667ceacba928ab3b1e580cd4139a7d4eb03a33700fd",
"DiffID": "sha256:9912c376518b8ff8ab12ce71e8bdddd758652272c3c88c22bec402dc89ffad01"
},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24999",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "\"qs\" prototype poisoning causes the hang of the node process",
"Description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b\u0026a[__proto__]\u0026a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).",
"Severity": "HIGH",
"CweIDs": [
"CWE-1321"
],
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://access.redhat.com/errata/RHSA-2023:0050",
"https://access.redhat.com/security/cve/CVE-2022-24999",
"https://bugzilla.redhat.com/2044591",
"https://bugzilla.redhat.com/2066009",
"https://bugzilla.redhat.com/2134609",
"https://bugzilla.redhat.com/2140911",
"https://bugzilla.redhat.com/2150323",
"https://errata.almalinux.org/8/ALSA-2023-0050.html",
"https://github.com/advisories/GHSA-hrpp-h998-j3pp",
"https://github.com/expressjs/express/releases/tag/4.17.3",
"https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec",
"https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68",
"https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b",
"https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d",
"https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1",
"https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105",
"https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f",
"https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee",
"https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda",
"https://github.com/ljharb/qs/pull/428",
"https://github.com/n8tz/CVE-2022-24999",
"https://linux.oracle.com/cve/CVE-2022-24999.html",
"https://linux.oracle.com/errata/ELSA-2023-0050.html",
"https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html",
"https://nvd.nist.gov/vuln/detail/CVE-2022-24999",
"https://www.cve.org/CVERecord?id=CVE-2022-24999"
],
"PublishedDate": "2022-11-26T22:15:00Z",
"LastModifiedDate": "2023-02-16T19:19:00Z"
}]
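The local scan above is the whole point of the thread: the four `qs` findings are not duplicates, they are four separate copies of the package (two of them at the same version) nested under different `node_modules` directories, and `PkgPath` is the only field that tells them apart. The script below is an added example, not code from the thread or from Trivy/trivy-operator. It parses `trivy image --format json` output, keys every finding by its install location, reports which records would collapse into apparent duplicates once `PkgPath` is dropped (which is what the operator report was doing), and picks the backport from the `FixedVersion` list that matches each installed branch. The sample input is constructed from the four records above, cut down to the fields the script reads; `nearest_fix` assumes plain dotted numeric versions as used by npm.

```python
"""Group `trivy image --format json` findings and show which records
collapse once PkgPath is dropped. Added example for this thread; not
Trivy or trivy-operator code."""
import json
from collections import defaultdict

# FixedVersion string exactly as Trivy reports it for CVE-2022-24999 above.
QS_FIXED = "6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3"

# Constructed sample: the four qs records from the thread, reduced to the
# fields this script reads. Shaped like Results[].Vulnerabilities[] in
# Trivy's JSON output, but not a real scan.
_QS_RECORDS = [
    ("6.5.2", "cube/node_modules/request/node_modules/qs/package.json"),
    ("6.5.2", "usr/local/lib/node_modules/npm/node_modules/qs/package.json"),
    ("6.7.0", "cube/node_modules/qs/package.json"),
    ("6.9.6", "cube/node_modules/body-parser/node_modules/qs/package.json"),
]
SAMPLE_TRIVY_JSON = json.dumps({
    "Results": [{
        "Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-24999", "PkgName": "qs",
             "PkgID": f"qs@{ver}", "InstalledVersion": ver,
             "FixedVersion": QS_FIXED, "PkgPath": path, "Severity": "HIGH"}
            for ver, path in _QS_RECORDS
        ],
    }]
})


def _findings(report):
    """Yield (result, vuln). Results can be null and Vulnerabilities can be
    absent for clean targets, so both are treated as empty."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result, vuln


def _location(result, vuln):
    # OS packages and Go binaries carry no PkgPath; the result Target is
    # the best location Trivy gives for them.
    return vuln.get("PkgPath") or result.get("Target", "")


def locations_by_cve(trivy_json_text):
    """(VulnerabilityID, PkgName) -> sorted [(InstalledVersion, location)].

    Each element is one copy of the package that needs its own fix, which
    is exactly what a report without PkgPath cannot tell you."""
    grouped = defaultdict(set)
    for result, vuln in _findings(json.loads(trivy_json_text)):
        grouped[(vuln["VulnerabilityID"], vuln["PkgName"])].add(
            (vuln["InstalledVersion"], _location(result, vuln)))
    return {key: sorted(locs) for key, locs in grouped.items()}


def indistinguishable_without_path(trivy_json_text):
    """(VulnerabilityID, PkgName, InstalledVersion) -> number of distinct
    paths, for keys that map to more than one path. These are the entries
    that look like exact duplicates in a report that omits PkgPath."""
    paths = defaultdict(set)
    for result, vuln in _findings(json.loads(trivy_json_text)):
        key = (vuln["VulnerabilityID"], vuln["PkgName"], vuln["InstalledVersion"])
        paths[key].add(_location(result, vuln))
    return {key: len(p) for key, p in paths.items() if len(p) > 1}


def _vtuple(version):
    # Assumption: plain dotted numeric versions (npm style). Distro versions
    # such as 3.0.8-r3 would need a real version parser.
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))


def nearest_fix(installed, fixed_versions):
    """Pick the backport on the installed major.minor branch when the
    advisory lists several fixed versions; otherwise the lowest fixed
    version above the installed one; None if nothing is higher."""
    inst = _vtuple(installed)
    fixes = sorted(_vtuple(f) for f in fixed_versions.split(","))
    same_branch = [f for f in fixes if f[:2] == inst[:2] and f > inst]
    above = [f for f in fixes if f > inst]
    chosen = (same_branch or above or [None])[0]
    return None if chosen is None else ".".join(str(n) for n in chosen)


if __name__ == "__main__":
    for (cve, pkg), locs in locations_by_cve(SAMPLE_TRIVY_JSON).items():
        print(f"{cve} {pkg}: {len(locs)} copies")
        for version, path in locs:
            print(f"  {version:8} -> {nearest_fix(version, QS_FIXED)}  {path}")
    print("collide without PkgPath:", indistinguishable_without_path(SAMPLE_TRIVY_JSON))
```

Run it against a real scan with `trivy image --format json -o scan.json IMAGE` and feed the file contents to the two functions. Anything returned by `indistinguishable_without_path` is a finding the operator report cannot represent without `PackagePath`, and a fix applied to only one of those paths leaves the other copy vulnerable.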

@chen-keinan
Collaborator

chen-keinan commented Jul 1, 2023

@saurabh21316 By setting this Helm flag, trivy-operator can include additional fields in the report.

@saurabh21316
Author

saurabh21316 commented Jul 4, 2023

@chen-keinan I updated to
--> additionalVulnerabilityReportFields: PackagePath,PackageType

And I see PackageType got updated but PackagePath is still missing

- fixedVersion: 6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3
  installedVersion: 6.5.2
  links: []
  packageType: node-pkg
  primaryLink: https://avd.aquasec.com/nvd/cve-2022-24999
  resource: qs
  score: 7.5
  severity: HIGH
  target: ''
  title: '"qs" prototype poisoning causes the hang of the node process'
  vulnerabilityID: CVE-2022-24999
- fixedVersion: 6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3
  installedVersion: 6.5.2
  links: []
  packageType: node-pkg
  primaryLink: https://avd.aquasec.com/nvd/cve-2022-24999
  resource: qs
  score: 7.5
  severity: HIGH
  target: ''
  title: '"qs" prototype poisoning causes the hang of the node process'
  vulnerabilityID: CVE-2022-24999
- fixedVersion: 6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3
  installedVersion: 6.7.0
  links: []
  packageType: node-pkg
  primaryLink: https://avd.aquasec.com/nvd/cve-2022-24999
  resource: qs
  score: 7.5
  severity: HIGH
  target: ''
  title: '"qs" prototype poisoning causes the hang of the node process'
  vulnerabilityID: CVE-2022-24999
- fixedVersion: 6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3
  installedVersion: 6.9.6
  links: []
  packageType: node-pkg
  primaryLink: https://avd.aquasec.com/nvd/cve-2022-24999
  resource: qs
  score: 7.5
  severity: HIGH
  target: ''
  title: '"qs" prototype poisoning causes the hang of the node process'
  vulnerabilityID: CVE-2022-24999

@saurabh21316
Author

saurabh21316 commented Jul 4, 2023

Just FYI, this is what the ConfigMap looks like after deploying via Helm:

kind: ConfigMap
apiVersion: v1
metadata:
  name: trivy-operator-trivy-config
  namespace: trivy-system
  uid: d52b8cfd-535e-4830-89c8-7aef73b948b4
  resourceVersion: '102319405'
  creationTimestamp: '2023-06-14T20:56:39Z'
  labels:
    app.kubernetes.io/instance: trivy-operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: trivy-operator
    app.kubernetes.io/version: 0.14.1
    helm.sh/chart: trivy-operator-0.14.1
    helm.toolkit.fluxcd.io/name: trivy-operator
    helm.toolkit.fluxcd.io/namespace: trivy-system
  annotations:
    meta.helm.sh/release-name: trivy-operator
    meta.helm.sh/release-namespace: trivy-system
data:
  trivy.additionalVulnerabilityReportFields: PackagePath,PackageType
  trivy.command: image
  trivy.dbRepository: ghcr.io/aquasecurity/trivy-db
  trivy.dbRepositoryInsecure: 'false'
  trivy.ignoreUnfixed: fasle
  trivy.javaDbRepository: ghcr.io/aquasecurity/trivy-java-db
  trivy.mode: Standalone
  trivy.repository: ghcr.io/aquasecurity/trivy
  trivy.resources.limits.cpu: 500m
  trivy.resources.limits.memory: 2Gi
  trivy.resources.requests.cpu: 500m
  trivy.resources.requests.memory: 2Gi
  trivy.severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
  trivy.slow: 'true'
  trivy.supportedConfigAuditKinds: >-
    Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota
  trivy.tag: 0.42.0
  trivy.timeout: 5m0s
  trivy.useBuiltinRegoPolicies: 'true'
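Two things in the ConfigMap above are worth a mechanical check before chasing the operator: every value in a ConfigMap is a string, so a typo such as `trivy.ignoreUnfixed: fasle` is not a YAML error and reaches the operator unchanged, and a requested extra field only proves it took effect when it actually shows up in a VulnerabilityReport. The script below is an added example (not trivy-operator code) that validates the `data:` section and compares the requested `additionalVulnerabilityReportFields` against the keys present in a report's `vulnerabilities` entries. The sample config is the `data:` section posted above, and the sample report entry is the first `qs` record from the previous comment. Assumptions not taken from this thread: the accepted field names (`Description`, `Links`, `CVSS`, `Target`, `Class`, `PackagePath`, `PackageType`), their camelCase report keys other than `packageType`/`packagePath`, the two `trivy.mode` values, and that the operator does not reject a malformed boolean; check all of these against the installed chart's `values.yaml`.

```python
"""Sanity checks for the trivy-operator-trivy-config ConfigMap and for
whether a VulnerabilityReport carries the extra fields the ConfigMap asks
for. Added example for this thread; not trivy-operator code."""
import re

# data: section of the ConfigMap posted above, copied as-is (including the
# "fasle" value) into a plain dict so no YAML library is needed.
SAMPLE_CONFIG = {
    "trivy.additionalVulnerabilityReportFields": "PackagePath,PackageType",
    "trivy.command": "image",
    "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db",
    "trivy.dbRepositoryInsecure": "false",
    "trivy.ignoreUnfixed": "fasle",
    "trivy.javaDbRepository": "ghcr.io/aquasecurity/trivy-java-db",
    "trivy.mode": "Standalone",
    "trivy.severity": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
    "trivy.slow": "true",
    "trivy.tag": "0.42.0",
    "trivy.timeout": "5m0s",
    "trivy.useBuiltinRegoPolicies": "true",
}

# One vulnerability entry as it appears in the report posted above:
# PackageType requested and present, PackagePath requested but absent.
SAMPLE_REPORT_VULNS = [{
    "fixedVersion": "6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3",
    "installedVersion": "6.5.2", "links": [], "packageType": "node-pkg",
    "primaryLink": "https://avd.aquasec.com/nvd/cve-2022-24999",
    "resource": "qs", "score": 7.5, "severity": "HIGH", "target": "",
    "title": '"qs" prototype poisoning causes the hang of the node process',
    "vulnerabilityID": "CVE-2022-24999",
}]

# Assumptions (see lead-in): accepted field names -> report keys. Only
# packageType and packagePath are confirmed by the reports in this thread.
REPORT_FIELD_KEYS = {
    "Description": "description", "Links": "links", "CVSS": "cvss",
    "Target": "target", "Class": "class",
    "PackagePath": "packagePath", "PackageType": "packageType",
}
BOOL_KEYS = ("trivy.dbRepositoryInsecure", "trivy.ignoreUnfixed",
             "trivy.slow", "trivy.useBuiltinRegoPolicies")
SEVERITIES = {"UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
MODES = {"Standalone", "ClientServer"}          # assumption
GO_DURATION = re.compile(r"^(\d+h)?(\d+m)?(\d+(\.\d+)?s)?$")


def requested_fields(config):
    raw = config.get("trivy.additionalVulnerabilityReportFields", "")
    return [f.strip() for f in raw.split(",") if f.strip()]


def check_config(config):
    """Return a list of problems; empty means the data section looks sane.
    Booleans are checked strictly because the operator (assumption) does
    not reject a value like 'fasle' but will not treat it as true either."""
    problems = []
    for key in BOOL_KEYS:
        value = config.get(key)
        if value is not None and value.strip().lower() not in ("true", "false"):
            problems.append(f"{key}={value!r} is not a boolean")
    for field in requested_fields(config):
        if field not in REPORT_FIELD_KEYS:
            problems.append(f"unknown report field {field!r}")
    severity = config.get("trivy.severity")
    if severity:
        for sev in severity.split(","):
            if sev.strip() not in SEVERITIES:
                problems.append(f"unknown severity {sev.strip()!r}")
    mode = config.get("trivy.mode", "Standalone")
    if mode not in MODES:
        problems.append(f"unknown mode {mode!r}")
    timeout = config.get("trivy.timeout", "")
    if timeout and not GO_DURATION.match(timeout):
        problems.append(f"timeout {timeout!r} is not a Go duration")
    return problems


def missing_report_fields(config, vulnerabilities):
    """Requested extra fields that no vulnerability entry in the report
    carries. A non-empty result means the flag did not take effect, or the
    report predates the change (delete it and let the operator rescan)."""
    present = set()
    for vuln in vulnerabilities:
        present.update(vuln.keys())
    return sorted(f for f in requested_fields(config)
                  if f in REPORT_FIELD_KEYS and REPORT_FIELD_KEYS[f] not in present)


if __name__ == "__main__":
    for problem in check_config(SAMPLE_CONFIG):
        print("config:", problem)
    print("requested but absent from report:",
          missing_report_fields(SAMPLE_CONFIG, SAMPLE_REPORT_VULNS))
```

To run this against a live cluster, build the dict from `kubectl -n trivy-system get configmap trivy-operator-trivy-config -o json` (the `.data` object) and the list from `kubectl get vulnerabilityreport NAME -o json` (the `.report.vulnerabilities` array); a report created before the ConfigMap change keeps its old shape until it is deleted or its TTL expires.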

@chen-keinan
Collaborator

@saurabh21316 Thanks for the feedback, I'll check it out.

@saurabh21316
Author

@chen-keinan Just checking if you got a chance to look into it. :)

@chen-keinan
Collaborator

> @chen-keinan Just checking if you got a chance to look into it. :)

Not yet, I'll have a look today.

@chen-keinan
Collaborator

Found the issue, created a PR.

@saurabh21316
Author

I still don't see it in the report even though I recreated the Helm release. @chen-keinan Do I need to update the version?

@saurabh21316
Author

saurabh21316 commented Jul 6, 2023

Does it look right? here and here

@chen-keinan
Collaborator

@saurabh21316 It's not yet released, only merged upstream.

@saurabh21316
Author

saurabh21316 commented Jul 7, 2023

@chen-keinan Do we have any timeline? I have been working to get trivy-operator working for the last few weeks, as you know, and now we have it working but are blocked on generating the report :(

I would highly appreciate it if this could be done next week if possible. Also, how can I track it getting into production? Is there a way to get a notification or similar?

Thanks
Saurabh

@chen-keinan
Collaborator

I will cut an RC next week.

@saurabh21316
Author

Thanks!

@chen-keinan
Collaborator

@saurabh21316 trivy-operator v0.15.0-rc is available.

@saurabh21316
Author

@chen-keinan It's crashing with the new version:

{"level":"error","ts":"2023-07-11T16:59:01Z","logger":"controller-runtime.source.EventHandler","msg":"if kind is a CRD, it should be installed before calling Start","kind":"SbomReport.aquasecurity.github.io","error":"no matches for kind \"SbomReport\" in version \"aquasecurity.github.io/v1alpha1\"","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/source/kind.go:63\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func1\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.27.3/pkg/util/wait/loop.go:62\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.27.3/pkg/util/wait/loop.go:63\nk8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.27.3/pkg/util/wait/poll.go:33\nsigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/source/kind.go:56"}
{"level":"error","ts":"2023-07-11T16:59:01Z","logger":"controller-runtime.source.EventHandler","msg":"if kind is a CRD, it should be installed before calling Start","kind":"SbomReport.aquasecurity.github.io","error":"no matches for kind \"SbomReport\" in version \"aquasecurity.github.io/v1alpha1\"","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/source/kind.go:63\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func1\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.27.3/pkg/util/wait/loop.go:62\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.27.3/pkg/util/wait/loop.go:63\nk8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.27.3/pkg/util/wait/poll.go:33\nsigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/source/kind.go:56"}
{"level":"error","ts":"2023-07-11T17:00:55Z","msg":"Reconciler error","controller":"replicaset","controllerGroup":"apps","controllerKind":"ReplicaSet","ReplicaSet":{"name":"dev-consumer-sh-probe-ip-change-5585979c96","namespace":"abc-testing"},"namespace":"abc-testing","name":"dev-consumer-sh-probe-ip-change-5585979c96","reconcileID":"acfe78f4-7c21-4b9d-825e-ef576f54a0e5","error":"getting service account by name: abc-testing/envserver: client rate limiter Wait returned an error: context canceled","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:226"}
{"level":"error","ts":"2023-07-11T17:00:55Z","msg":"Reconciler error","controller":"replicaset","controllerGroup":"apps","controllerKind":"ReplicaSet","ReplicaSet":{"name":"cloudfi-radius-auth-cbd9df9fb","namespace":"abc-cloudfi"},"namespace":"abc-cloudfi","name":"cloudfi-radius-auth-cbd9df9fb","reconcileID":"a589a4af-90a4-40a6-8a76-c09bfbb078ae","error":"getting service account by name: abc-cloudfi/envserver: client rate limiter Wait returned an error: context canceled","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:226"}
{"level":"info","ts":"2023-07-11T17:00:55Z","msg":"All workers finished","controller":"replicaset","controllerGroup":"apps","controllerKind":"ReplicaSet"}
{"level":"info","ts":"2023-07-11T17:00:55Z","msg":"Stopping and waiting for caches"}
{"level":"info","ts":"2023-07-11T17:00:55Z","msg":"Stopping and waiting for webhooks"}
{"level":"info","ts":"2023-07-11T17:00:55Z","msg":"Wait completed, proceeding to shutdown the manager"}
unable to run trivy operator: starting controllers manager: failed to wait for job caches to sync: timed out waiting for cache to be synced for Kind *v1alpha1.SbomReport

@chen-keinan
Collaborator

chen-keinan commented Jul 11, 2023

@saurabh21316 Thanks for the feedback.
This timeout error is strange: `failed to wait for job caches to sync: timed out waiting for cache to be synced for Kind`.

I'll take a look at it. In the meantime, can you disable the SBOM generation flag?
Can you also try restarting the operator, or confirm that the new SBOM CRD has been deployed?

@saurabh21316
Author

saurabh21316 commented Jul 11, 2023

I see the SBOM CRD and I have disabled the SBOM flag. I got trivy-operator working, but there is still no PackagePath after redeploying the Helm release and deleting the vulnerability report. @chen-keinan

- fixedVersion: ''
  installedVersion: 2.33.1-0.1
  links: []
  packageType: debian
  primaryLink: https://avd.aquasec.com/nvd/cve-2022-0563
  resource: fdisk
  score: 5.5
  severity: LOW
  target: ''
  title: >-
    partial disclosure of arbitrary files in chfn and chsh when compiled
    with libreadline
  vulnerabilityID: CVE-2022-0563
- fixedVersion: ''
  installedVersion: 8.3.0-6
  links: []
  packageType: debian
  primaryLink: https://avd.aquasec.com/nvd/cve-2018-12886
  resource: gcc-8-base
  score: 8.1
  severity: HIGH
  target: ''
  title: >-
    gcc: spilling of stack protection address in cfgexpand.c and function.c
    leads to stack-overflow protection bypass
  vulnerabilityID: CVE-2018-12886

@saurabh21316
Author

@chen-keinan

@chen-keinan
Collaborator

chen-keinan commented Jul 11, 2023

Which image are you using? Is it public?

Can you share the yaml resource?

@saurabh21316
Author

I am running it on a private image, but let's take a public image as an example:

apiVersion: aquasecurity.github.io/v1alpha1
kind: VulnerabilityReport
metadata:
  name: daemonset-b4745555
  namespace: abc-devops
  uid: d3110338-2584-4045-9a57-e9dc57e55658
  resourceVersion: '113625220'
  generation: 1
  creationTimestamp: '2023-07-10T19:49:00Z'
  labels:
    resource-spec-hash: 5478c59995
    trivy-operator.container.name: prometheus-node-exporter
    trivy-operator.resource.kind: DaemonSet
    trivy-operator.resource.name: int-prometheus-2-node-exporter
    trivy-operator.resource.namespace: abc-devops
  annotations:
    trivy-operator.aquasecurity.github.io/report-ttl: 24h0m0s
  ownerReferences:
    - apiVersion: apps/v1
      kind: DaemonSet
      name: int-prometheus-2-node-exporter
      uid: 86cc16ed-4b62-4665-9c50-0bcb4f4502cd
      controller: true
      blockOwnerDeletion: false
report:
  artifact:
    repository: prometheus/node-exporter
    tag: v1.5.0
  registry:
    server: quay.io
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: 0.42.0
  summary:
    criticalCount: 0
    highCount: 1
    lowCount: 0
    mediumCount: 1
    noneCount: 0
    unknownCount: 0
  updateTimestamp: '2023-07-10T19:49:00Z'
  vulnerabilities:
    - fixedVersion: 0.7.0
      installedVersion: v0.2.0
      links: []
      packageType: gobinary
      primaryLink: https://avd.aquasec.com/nvd/cve-2022-41723
      resource: golang.org/x/net
      score: 7.5
      severity: HIGH
      target: ''
      title: avoid quadratic complexity in HPACK decoding
      vulnerabilityID: CVE-2022-41723
    - fixedVersion: 0.4.0
      installedVersion: v0.2.0
      links: []
      packageType: gobinary
      primaryLink: https://avd.aquasec.com/nvd/cve-2022-41717
      resource: golang.org/x/net
      score: 5.3
      severity: MEDIUM
      target: ''
      title: excessive memory growth in a Go server accepting HTTP/2 requests
      vulnerabilityID: CVE-2022-41717

@saurabh21316
Author

saurabh21316 commented Jul 11, 2023

Here is the config:

kind: ConfigMap
apiVersion: v1
metadata:
  name: trivy-operator-trivy-config
  namespace: trivy-system
  uid: f2cc0c22-bbe7-425b-a0cd-b268fca07339
  resourceVersion: '114930341'
  creationTimestamp: '2023-07-11T17:17:50Z'
  labels:
    app.kubernetes.io/instance: trivy-operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: trivy-operator
    app.kubernetes.io/version: 0.15.0-rc
    helm.sh/chart: trivy-operator-0.15.0-rc
    helm.toolkit.fluxcd.io/name: trivy-operator
    helm.toolkit.fluxcd.io/namespace: trivy-system
  annotations:
    meta.helm.sh/release-name: trivy-operator
    meta.helm.sh/release-namespace: trivy-system
data:
  trivy.additionalVulnerabilityReportFields: PackagePath,PackageType
  trivy.command: image
  trivy.dbRepository: ghcr.io/aquasecurity/trivy-db
  trivy.dbRepositoryInsecure: 'false'
  trivy.ignoreUnfixed: fasle
  trivy.javaDbRepository: ghcr.io/aquasecurity/trivy-java-db
  trivy.mode: Standalone
  trivy.repository: ghcr.io/aquasecurity/trivy
  trivy.resources.limits.cpu: 500m
  trivy.resources.limits.memory: 2Gi
  trivy.resources.requests.cpu: 500m
  trivy.resources.requests.memory: 2Gi
  trivy.severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
  trivy.slow: 'true'
  trivy.supportedConfigAuditKinds: >-
    Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota
  trivy.tag: 0.42.0
  trivy.timeout: 5m0s
  trivy.useBuiltinRegoPolicies: 'true'

@chen-keinan
Collaborator

chen-keinan commented Jul 11, 2023

@saurabh21316 I just tested it with this Helm command:

helm install trivy-operator aqua/trivy-operator \
  --namespace trivy-system \
  --create-namespace \
  --set="trivy.ignoreUnfixed=true" \
  --set="trivy.additionalVulnerabilityReportFields=PackagePath" \
  --version 0.15.0-rc

and this resource yaml:

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: demo-deprecated-cron-job
spec:
  schedule: "*/1 * * * *"
  concurrencyPolicy: Replace
  successfulJobsHistoryLimit: 10
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: demo-cron-job
            image: node:14-alpine
            imagePullPolicy: Always
            args:
            - -e
            - "console.log(new Date().toString());"
          restartPolicy: OnFailure

and got this report; see packagePath in the report:

apiVersion: aquasecurity.github.io/v1alpha1
kind: VulnerabilityReport
metadata:
  annotations:
    trivy-operator.aquasecurity.github.io/report-ttl: 24h0m0s
  creationTimestamp: "2023-07-11T17:49:48Z"
  generation: 1
  labels:
    resource-spec-hash: 55b58d8898
    trivy-operator.container.name: demo-cron-job
    trivy-operator.resource.kind: CronJob
    trivy-operator.resource.name: demo-deprecated-cron-job
    trivy-operator.resource.namespace: default
  name: cronjob-demo-deprecated-cron-job-demo-cron-job
  namespace: default
  ownerReferences:
  - apiVersion: batch/v1
    blockOwnerDeletion: false
    controller: true
    kind: CronJob
    name: demo-deprecated-cron-job
    uid: 27df88e2-48c2-421b-8428-67517df3251e
  resourceVersion: "105150"
  uid: 79ceab38-c126-493b-96f8-9998b186d91e
report:
  artifact:
    repository: library/node
    tag: 14-alpine
  registry:
    server: index.docker.io
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: 0.42.0
  summary:
    criticalCount: 0
    highCount: 5
    lowCount: 0
    mediumCount: 5
    noneCount: 0
    unknownCount: 0
  updateTimestamp: "2023-07-11T17:49:48Z"
  vulnerabilities:
  - fixedVersion: 3.0.9-r0
    installedVersion: 3.0.8-r3
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-2650
    resource: libcrypto3
    score: 7.5
    severity: HIGH
    target: ""
    title: Possible DoS translating ASN.1 object identifiers
    vulnerabilityID: CVE-2023-2650
  - fixedVersion: 3.0.8-r4
    installedVersion: 3.0.8-r3
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-1255
    resource: libcrypto3
    score: 5.9
    severity: MEDIUM
    target: ""
    title: Input buffer over-read in AES-XTS implementation on 64 bit ARM
    vulnerabilityID: CVE-2023-1255
  - fixedVersion: 3.0.9-r0
    installedVersion: 3.0.8-r3
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-2650
    resource: libssl3
    score: 7.5
    severity: HIGH
    target: ""
    title: Possible DoS translating ASN.1 object identifiers
    vulnerabilityID: CVE-2023-2650
  - fixedVersion: 3.0.8-r4
    installedVersion: 3.0.8-r3
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-1255
    resource: libssl3
    score: 5.9
    severity: MEDIUM
    target: ""
    title: Input buffer over-read in AES-XTS implementation on 64 bit ARM
    vulnerabilityID: CVE-2023-1255
  - fixedVersion: 3.0.1, 4.1.1, 5.0.1, 6.0.1
    installedVersion: 3.0.0
    links: []
    packagePath: usr/local/lib/node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json
    primaryLink: https://avd.aquasec.com/nvd/cve-2021-3807
    resource: ansi-regex
    score: 7.5
    severity: HIGH
    target: ""
    title: Regular expression denial of service (ReDoS) matching ANSI escape codes
    vulnerabilityID: CVE-2021-3807
  - fixedVersion: 3.0.1, 4.1.1, 5.0.1, 6.0.1
    installedVersion: 4.1.0
    links: []
    packagePath: usr/local/lib/node_modules/npm/node_modules/yargs/node_modules/ansi-regex/package.json
    primaryLink: https://avd.aquasec.com/nvd/cve-2021-3807
    resource: ansi-regex
    score: 7.5
    severity: HIGH
    target: ""
    title: Regular expression denial of service (ReDoS) matching ANSI escape codes
    vulnerabilityID: CVE-2021-3807
  - fixedVersion: 11.8.5, 12.1.0
    installedVersion: 6.7.1
    links: []
    packagePath: usr/local/lib/node_modules/npm/node_modules/got/package.json
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-33987
    resource: got
    score: 5.3
    severity: MEDIUM
    target: ""
    title: missing verification of requested URLs allows redirects to UNIX sockets
    vulnerabilityID: CVE-2022-33987
  - fixedVersion: 4.1.1
    installedVersion: 3.8.1
    links: []
    packagePath: usr/local/lib/node_modules/npm/node_modules/http-cache-semantics/package.json
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-25881
    resource: http-cache-semantics
    score: 7.5
    severity: HIGH
    target: ""
    title: Regular Expression Denial of Service (ReDoS) vulnerability
    vulnerabilityID: CVE-2022-25881
  - fixedVersion: 5.7.2, 6.3.1, 7.5.2
    installedVersion: 5.7.1
    links: []
    packagePath: usr/local/lib/node_modules/npm/node_modules/semver/package.json
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-25883
    resource: semver
    score: 7.5
    severity: MEDIUM
    target: ""
    title: Versions of the package semver before 7.5.2 are vulnerable to Regular  ...
    vulnerabilityID: CVE-2022-25883
  - fixedVersion: 4.1.3
    installedVersion: 2.5.0
    links: []
    packagePath: usr/local/lib/node_modules/npm/node_modules/tough-cookie/package.json
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-26136
    resource: tough-cookie
    score: 9.8
    severity: MEDIUM
    target: ""
    title: prototype pollution in cookie memstore
    vulnerabilityID: CVE-2023-26136

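One way to check which fields make each report entry unique, as an added example that is not trivy-operator's own code: the JSON below is constructed to mirror the shape of `kubectl get vulnerabilityreport <name> -o json`, reusing the two ansi-regex findings from the report above plus one extra, hypothetical ansi-regex copy at a constructed path.

```python
"""Walk a trivy-operator VulnerabilityReport and show which fields make
each finding unique. Added example, not trivy-operator code."""
import json
from collections import Counter, defaultdict

# Constructed sample: same shape as `kubectl get vulnerabilityreport -o json`.
# The third ansi-regex entry (example-app path) is hypothetical and exists
# only to show two copies of the same version at different paths.
SAMPLE_REPORT = json.loads("""
{
  "report": {
    "artifact": {"repository": "library/node", "tag": "14-alpine"},
    "vulnerabilities": [
      {"vulnerabilityID": "CVE-2021-3807", "resource": "ansi-regex",
       "installedVersion": "3.0.0", "fixedVersion": "3.0.1, 4.1.1, 5.0.1, 6.0.1",
       "severity": "HIGH",
       "packagePath": "usr/local/lib/node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json"},
      {"vulnerabilityID": "CVE-2021-3807", "resource": "ansi-regex",
       "installedVersion": "4.1.0", "fixedVersion": "3.0.1, 4.1.1, 5.0.1, 6.0.1",
       "severity": "HIGH",
       "packagePath": "usr/local/lib/node_modules/npm/node_modules/yargs/node_modules/ansi-regex/package.json"},
      {"vulnerabilityID": "CVE-2021-3807", "resource": "ansi-regex",
       "installedVersion": "4.1.0", "fixedVersion": "3.0.1, 4.1.1, 5.0.1, 6.0.1",
       "severity": "HIGH",
       "packagePath": "usr/local/lib/node_modules/example-app/node_modules/ansi-regex/package.json"},
      {"vulnerabilityID": "CVE-2023-2650", "resource": "libcrypto3",
       "installedVersion": "3.0.8-r3", "fixedVersion": "3.0.9-r0",
       "severity": "HIGH"}
    ]
  }
}
""")

# Fields that every report entry carries.
BASE_KEY = ("vulnerabilityID", "resource", "installedVersion")


def finding_key(vuln, with_path):
    """Identity of one finding. packagePath is only emitted when the
    operator runs with trivy.additionalVulnerabilityReportFields=PackagePath,
    and OS packages (libcrypto3 here) never carry it, so fall back to ''."""
    key = tuple(vuln.get(f, "") for f in BASE_KEY)
    if with_path:
        key += (vuln.get("packagePath", ""),)
    return key


def count_identical(report, with_path):
    """Return {key: occurrences}. A count above 1 means the report lists
    entries that cannot be told apart with the chosen fields."""
    return Counter(finding_key(v, with_path)
                   for v in report["report"]["vulnerabilities"])


def indistinguishable(report, with_path):
    """Keys that look like duplicates under the chosen identity."""
    return sorted(k for k, n in count_identical(report, with_path).items() if n > 1)


def paths_by_cve(report):
    """Map CVE -> sorted (installedVersion, packagePath) so every vendored
    copy of a library that needs a bump is visible, not just the first."""
    out = defaultdict(list)
    for v in report["report"]["vulnerabilities"]:
        out[v["vulnerabilityID"]].append(
            (v["installedVersion"], v.get("packagePath", "<os package>")))
    return {cve: sorted(entries) for cve, entries in out.items()}


if __name__ == "__main__":
    print("without packagePath:", indistinguishable(SAMPLE_REPORT, False))
    print("with packagePath:   ", indistinguishable(SAMPLE_REPORT, True))
    for cve, entries in paths_by_cve(SAMPLE_REPORT).items():
        print(cve)
        for ver, path in entries:
            print(f"  {ver:<10} {path}")
```

Without packagePath the two ansi-regex 4.1.0 entries collapse into one key and read as a duplicate; with it, each is a distinct file that needs its own fix.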
@saurabh21316
Author

weird, I don't see it.

@chen-keinan
Collaborator

weird, I don't see it.
can you try the same example I put with the exact command?

@saurabh21316
Author

this is job of private image @chen-keinan

@chen-keinan
Collaborator

chen-keinan commented Jul 11, 2023

this is job of private image @chen-keinan

No its public

@saurabh21316
Author

saurabh21316 commented Jul 11, 2023

apiVersion: aquasecurity.github.io/v1alpha1
kind: VulnerabilityReport
metadata:
  name: cronjob-demo-deprecated-cron-job-demo-cron-job
  namespace: colony-testing
  uid: 94ca462e-7a74-4068-9255-8bccd7eff857
  resourceVersion: '115084734'
  generation: 1
  creationTimestamp: '2023-07-11T19:45:48Z'
  labels:
    resource-spec-hash: 55b58d8898
    trivy-operator.container.name: demo-cron-job
    trivy-operator.resource.kind: CronJob
    trivy-operator.resource.name: demo-deprecated-cron-job
    trivy-operator.resource.namespace: colony-testing
  annotations:
    trivy-operator.aquasecurity.github.io/report-ttl: 24h0m0s
  ownerReferences:
    - apiVersion: batch/v1
      kind: CronJob
      name: demo-deprecated-cron-job
      uid: fecd51bb-2c66-4015-bb20-13a7c978519b
      controller: true
      blockOwnerDeletion: false
report:
  artifact:
    repository: library/node
    tag: 14-alpine
  registry:
    server: index.docker.io
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: 0.42.0
  summary:
    criticalCount: 0
    highCount: 5
    lowCount: 0
    mediumCount: 5
    noneCount: 0
    unknownCount: 0
  updateTimestamp: '2023-07-11T19:45:48Z'
  vulnerabilities:
    - fixedVersion: 3.0.9-r0
      installedVersion: 3.0.8-r3
      links: []
      primaryLink: https://avd.aquasec.com/nvd/cve-2023-2650
      resource: libcrypto3
      score: 7.5
      severity: HIGH
      target: ''
      title: Possible DoS translating ASN.1 object identifiers
      vulnerabilityID: CVE-2023-2650
    - fixedVersion: 3.0.8-r4
      installedVersion: 3.0.8-r3
      links: []
      primaryLink: https://avd.aquasec.com/nvd/cve-2023-1255
      resource: libcrypto3
      score: 5.9
      severity: MEDIUM
      target: ''
      title: Input buffer over-read in AES-XTS implementation on 64 bit ARM
      vulnerabilityID: CVE-2023-1255
    - fixedVersion: 3.0.9-r0
      installedVersion: 3.0.8-r3
      links: []
      primaryLink: https://avd.aquasec.com/nvd/cve-2023-2650
      resource: libssl3
      score: 7.5
      severity: HIGH
      target: ''
      title: Possible DoS translating ASN.1 object identifiers
      vulnerabilityID: CVE-2023-2650
    - fixedVersion: 3.0.8-r4
      installedVersion: 3.0.8-r3
      links: []
      primaryLink: https://avd.aquasec.com/nvd/cve-2023-1255
      resource: libssl3
      score: 5.9
      severity: MEDIUM
      target: ''
      title: Input buffer over-read in AES-XTS implementation on 64 bit ARM
      vulnerabilityID: CVE-2023-1255
    - fixedVersion: 3.0.1, 4.1.1, 5.0.1, 6.0.1
      installedVersion: 3.0.0
      links: []
      primaryLink: https://avd.aquasec.com/nvd/cve-2021-3807
      resource: ansi-regex
      score: 7.5
      severity: HIGH
      target: ''
      title: Regular expression denial of service (ReDoS) matching ANSI escape codes
      vulnerabilityID: CVE-2021-3807
    - fixedVersion: 3.0.1, 4.1.1, 5.0.1, 6.0.1
      installedVersion: 4.1.0
      links: []
      primaryLink: https://avd.aquasec.com/nvd/cve-2021-3807
      resource: ansi-regex
      score: 7.5
      severity: HIGH
      target: ''
      title: Regular expression denial of service (ReDoS) matching ANSI escape codes
      vulnerabilityID: CVE-2021-3807
    - fixedVersion: 11.8.5, 12.1.0
      installedVersion: 6.7.1
      links: []
      primaryLink: https://avd.aquasec.com/nvd/cve-2022-33987
      resource: got
      score: 5.3
      severity: MEDIUM
      target: ''
      title: missing verification of requested URLs allows redirects to UNIX sockets
      vulnerabilityID: CVE-2022-33987
    - fixedVersion: 4.1.1
      installedVersion: 3.8.1
      links: []
      primaryLink: https://avd.aquasec.com/nvd/cve-2022-25881
      resource: http-cache-semantics
      score: 7.5
      severity: HIGH
      target: ''
      title: Regular Expression Denial of Service (ReDoS) vulnerability
      vulnerabilityID: CVE-2022-25881
    - fixedVersion: 5.7.2, 6.3.1, 7.5.2
      installedVersion: 5.7.1
      links: []
      primaryLink: https://avd.aquasec.com/nvd/cve-2022-25883
      resource: semver
      score: 7.5
      severity: MEDIUM
      target: ''
      title: >-
        Versions of the package semver before 7.5.2 are vulnerable to Regular 
        ...
      vulnerabilityID: CVE-2022-25883
    - fixedVersion: 4.1.3
      installedVersion: 2.5.0
      links: []
      primaryLink: https://avd.aquasec.com/nvd/cve-2023-26136
      resource: tough-cookie
      score: 9.8
      severity: MEDIUM
      target: ''
      title: prototype pollution in cookie memstore
      vulnerabilityID: CVE-2023-26136

@saurabh21316
Author

@chen-keinan this is what I get when I run the above resource.yaml

@saurabh21316
Author

saurabh21316 commented Jul 11, 2023

So something is not right when I deployed trivy-operator via helm, and this is my configmap:

data:
  trivy.additionalVulnerabilityReportFields: PackagePath
  trivy.command: image
  trivy.dbRepository: ghcr.io/aquasecurity/trivy-db
  trivy.dbRepositoryInsecure: 'false'
  trivy.ignoreUnfixed: 'true'
  trivy.javaDbRepository: ghcr.io/aquasecurity/trivy-java-db
  trivy.mode: Standalone
  trivy.repository: ghcr.io/aquasecurity/trivy
  trivy.resources.limits.cpu: 500m
  trivy.resources.limits.memory: 2Gi
  trivy.resources.requests.cpu: 500m
  trivy.resources.requests.memory: 2Gi
  trivy.severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
  trivy.slow: 'true'
  trivy.supportedConfigAuditKinds: >-
    Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota
  trivy.tag: 0.42.0
  trivy.timeout: 5m0s
  trivy.useBuiltinRegoPolicies: 'true'

@chen-keinan
Collaborator

@chen-keinan this is what I get when I run the above resource.yaml

What is the helm command you are running?

@saurabh21316
Author

I have deployed helm via flux in our cluster

@saurabh21316
Author

I can share the helm value.yaml if you like

@saurabh21316
Author

apiVersion: v1
kind: List
metadata: {}
items:
- apiVersion: v1
  kind: Namespace
  metadata:
    name: trivy-system
- apiVersion: helm.toolkit.fluxcd.io/v2beta1
  kind: HelmRelease
  metadata:
    name: trivy-operator
    namespace: trivy-system
  spec:
    releaseName: trivy-operator
    targetNamespace: trivy-system
    chart:
      spec:
        chart: trivy-operator
        version: 0.15.0-rc
        reconcileStrategy: Revision
        sourceRef:
          kind: HelmRepository
          name: trivy-operator
          namespace: flux-system
    interval: 5m0s
    values:
      managedBy: Helm
      targetNamespaces: ''
      excludeNamespaces: ''
      targetWorkloads: pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job
      nameOverride: ''
      fullnameOverride: ''
      operator:
        namespace: ''
        replicas: 1
        podLabels: {}
        leaderElectionId: trivyoperator-lock
        logDevMode: false
        scanJobTTL: ''
        scanJobTimeout: 5m
        scanJobsConcurrentLimit: 10
        scanNodeCollectorLimit: 1
        scanJobsRetryDelay: 30s
        vulnerabilityScannerEnabled: true
        sbomGenerationEnabled: false
        scannerReportTTL: 24h
        configAuditScannerEnabled: true
        rbacAssessmentScannerEnabled: true
        infraAssessmentScannerEnabled: true
        clusterComplianceEnabled: true
        batchDeleteLimit: 10
        vulnerabilityScannerScanOnlyCurrentRevisions: true
        configAuditScannerScanOnlyCurrentRevisions: true
        batchDeleteDelay: 10s
        accessGlobalSecretsAndServiceAccount: true
        builtInTrivyServer: false
        trivyServerHealthCheckCacheExpiration: 10h
        metricsFindingsEnabled: true
        metricsVulnIdEnabled: false
        exposedSecretScannerEnabled: true
        metricsExposedSecretInfo: false
        webhookBroadcastURL: ''
        webhookBroadcastTimeout: 30s
        webhookSendDeletedReports: false
        privateRegistryScanSecretsNames: {}
        mergeRbacFindingWithConfigAudit: false
      image:
        registry: ghcr.io
        repository: aquasecurity/trivy-operator
        tag: 0.15.0-rc
        pullPolicy: IfNotPresent
        pullSecrets: []
      service:
        metricsPort: 80
      serviceMonitor:
        enabled: false
        interval: ''
        labels: {}
      trivyOperator:
        vulnerabilityReportsPlugin: Trivy
        configAuditReportsPlugin: Trivy
        scanJobCompressLogs: true
        scanJobTolerations: []
        scanJobNodeSelector:
          node-type: trivy
        scanJobAutomountServiceAccountToken: true
        scanJobAnnotations: prometheus.io/scrape=false
        scanJobPodTemplateLabels: ''
        scanJobPodTemplatePodSecurityContext: {}
        scanJobPodTemplateContainerSecurityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
        scanJobPodPriorityClassName: ''
        reportResourceLabels: ''
        reportRecordFailedChecksOnly: true
        skipResourceByLabels: ''
        metricsResourceLabelsPrefix: k8s_label_
        additionalReportLabels: ''
      trivy:
        createConfig: true
        image:
          registry: ghcr.io
          repository: aquasecurity/trivy
          tag: 0.42.0
        mode: Standalone
        storageClassName: ''
        podLabels: null
        priorityClassName: ''
        additionalVulnerabilityReportFields: PackagePath
        nonSslRegistries: {}
        insecureRegistries: {}
        registry:
          mirror: {}
        severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
        slow: true
        ignoreUnfixed: true
        skipDirs: null
        offlineScan: false
        timeout: 5m0s
        resources:
          requests:
            cpu: 500m
            memory: 2Gi
          limits:
            cpu: 500m
            memory: 2Gi
        serverTokenHeader: Trivy-Token
        dbRegistry: ghcr.io
        dbRepository: aquasecurity/trivy-db
        javaDbRegistry: ghcr.io
        javaDbRepository: aquasecurity/trivy-java-db
        dbRepositoryInsecure: 'false'
        useBuiltinRegoPolicies: 'true'
        supportedConfigAuditKinds: Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota
        command: image
        serverUser: ''
        serverPassword: ''
        serverServiceName: trivy-service
        debug: false
        server:
          resources:
            requests:
              cpu: 200m
              memory: 1Gi
            limits:
              cpu: 200m
              memory: 1Gi
          podSecurityContext:
            runAsUser: 65534
            runAsNonRoot: true
            fsGroup: 65534
          securityContext:
            privileged: false
            readOnlyRootFilesystem: true
      compliance:
        failEntriesLimit: 10
        reportType: summary
        cron: 0 */6 * * *
      rbac:
        create: true
      serviceAccount:
        create: true
        annotations:
          iam.gke.io/gcp-service-account: xyz-scanner@abc.iam.gserviceaccount.com
        name: ''
      podAnnotations:
        prometheus.io/scrape: 'false'
      podSecurityContext: {}
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
          - ALL
      resources: {}
      nodeSelector:
        node-type: trivy
      tolerations: []
      affinity: {}
      priorityClassName: ''
      automountServiceAccountToken: true
      nodeCollector:
        registry: ghcr.io
        repository: aquasecurity/node-collector
        tag: 0.0.6
        excludeNodes: null
        volumeMounts:
        - name: var-lib-etcd
          mountPath: /var/lib/etcd
          readOnly: true
        - name: var-lib-kubelet
          mountPath: /var/lib/kubelet
          readOnly: true
        - name: var-lib-kube-scheduler
          mountPath: /var/lib/kube-scheduler
          readOnly: true
        - name: var-lib-kube-controller-manager
          mountPath: /var/lib/kube-controller-manager
          readOnly: true
        - name: etc-systemd
          mountPath: /etc/systemd
          readOnly: true
        - name: lib-systemd
          mountPath: /lib/systemd/
          readOnly: true
        - name: etc-kubernetes
          mountPath: /etc/kubernetes
          readOnly: true
        - name: etc-cni-netd
          mountPath: /etc/cni/net.d/
          readOnly: true
        volumes:
        - name: var-lib-etcd
          hostPath:
            path: /var/lib/etcd
        - name: var-lib-kubelet
          hostPath:
            path: /var/lib/kubelet
        - name: var-lib-kube-scheduler
          hostPath:
            path: /var/lib/kube-scheduler
        - name: var-lib-kube-controller-manager
          hostPath:
            path: /var/lib/kube-controller-manager
        - name: etc-systemd
          hostPath:
            path: /etc/systemd
        - name: lib-systemd
          hostPath:
            path: /lib/systemd
        - name: etc-kubernetes
          hostPath:
            path: /etc/kubernetes
        - name: etc-cni-netd
          hostPath:
            path: /etc/cni/net.d/

@saurabh21316
Author

here is the value.yaml @chen-keinan

@chen-keinan
Collaborator

chen-keinan commented Jul 11, 2023

@saurabh21316 could you make a simple test on a local cluster (like kind), deployed with a simple helm command and default values? I see you also customize; I just want to exclude env. issues:

helm install trivy-operator aqua/trivy-operator \
  --namespace trivy-system \
  --create-namespace \
  --set="trivy.ignoreUnfixed=true" \
  --set="trivy.additionalVulnerabilityReportFields=PackagePath" \
  --version 0.15.0-rc

@saurabh21316
Author

I will create a new test cluster, run on it and let you know. Thanks!

@saurabh21316
Author

saurabh21316 commented Jul 13, 2023

Hi @chen-keinan, it's quite weird. I deployed it in two clusters using the below command. In the 1st cluster I can see packagePath, but not in the 2nd cluster.

helm install trivy-operator aqua/trivy-operator \
  --namespace trivy-system \
  --set trivy.ignoreUnfixed=true \
  --set trivy.additionalVulnerabilityReportFields=PackagePath \
  --set trivyOperator.scanJobNodeSelector.node-type=trivy \
  --set nodeSelector.node-type=trivy \
  --version 0.15.0-rc

Thoughts?

@saurabh21316
Author

saurabh21316 commented Jul 14, 2023

@chen-keinan

what are these errors?

I0714 18:07:31.507258 1 trace.go:219] Trace[1204268076]: "DeltaFIFO Pop Process" ID:kube-system/cluster-kubestore,Depth:11,Reason:slow event handlers blocking the queue (14-Jul-2023 18:07:30.053) (total time: 1453ms):
Trace[1204268076]: [1.453517653s] [1.453517653s] END
I0714 18:08:06.735985 1 trace.go:219] Trace[1353832586]: "DeltaFIFO Pop Process" ID:flux-system/notification-controller-leader-election,Depth:11,Reason:slow event handlers blocking the queue (14-Jul-2023 18:08:02.504) (total time: 4230ms):
Trace[1353832586]: [4.230934343s] [4.230934343s] END
I0714 18:08:12.391510 1 trace.go:219] Trace[1234262431]: "DeltaFIFO Pop Process" ID:kube-system/cluster-kubestore,Depth:11,Reason:slow event handlers blocking the queue (14-Jul-2023 18:08:11.015) (total time: 1375ms):
Trace[1234262431]: [1.375921542s] [1.375921542s] END
I0714 18:08:17.025570 1 trace.go:219] Trace[970816334]: "DeltaFIFO Pop Process" ID:elastic-system/elastic-operator-leader,Depth:11,Reason:slow event handlers blocking the queue (14-Jul-2023 18:08:14.204) (total time: 2821ms):
Trace[970816334]: [2.821363968s] [2.821363968s] END
I0714 18:08:20.792572 1 trace.go:219] Trace[2070014168]: "DeltaFIFO Pop Process" ID:colony-db/6cab913b.redis.opstreelabs.in,Depth:11,Reason:slow event handlers blocking the queue (14-Jul-2023 18:08:18.061) (total time: 2731ms):
Trace[2070014168]: [2.731363448s] [2.731363448s] END
I0714 18:08:38.795509 1 trace.go:219] Trace[70472413]: "DeltaFIFO Pop Process" ID:flux-system/source-controller-leader-election,Depth:11,Reason:slow event handlers blocking the queue (14-Jul-2023 18:08:30.883) (total time: 7911ms):
Trace[70472413]: [7.911729724s] [7.911729724s] END
I0714 18:08:40.428929 1 trace.go:219] Trace[969314006]: "DeltaFIFO Pop Process" ID:kube-system/clustermetrics,Depth:11,Reason:slow event handlers blocking the queue (14-Jul-2023 18:08:40.315) (total time: 113ms):
Trace[969314006]: [113.213171ms] [113.213171ms] END

@chen-keinan
Collaborator

@chen-keinan

what are these errors?

I0714 18:07:31.507258 1 trace.go:219] Trace[1204268076]: "DeltaFIFO Pop Process" ID:kube-system/cluster-kubestore,Depth:11,Reason:slow event handlers blocking the queue (14-Jul-2023 18:07:30.053) (total time: 1453ms): Trace[1204268076]: [1.453517653s] [1.453517653s] END I0714 18:08:06.735985 1 trace.go:219] Trace[1353832586]: "DeltaFIFO Pop Process" ID:flux-system/notification-controller-leader-election,Depth:11,Reason:slow event handlers blocking the queue (14-Jul-2023 18:08:02.504) (total time: 4230ms): Trace[1353832586]: [4.230934343s] [4.230934343s] END I0714 18:08:12.391510 1 trace.go:219] Trace[1234262431]: "DeltaFIFO Pop Process"

is this the trivy-operator log?

@saurabh21316
Author

yes @chen-keinan

@saurabh21316
Author

saurabh21316 commented Jul 25, 2023

It's strange, and there is something not right with the helm install, as I don't see PackagePath in my production cluster.

helm install trivy-operator aqua/trivy-operator --namespace trivy-system --set trivy.ignoreUnfixed=true --set trivy.additionalVulnerabilityReportFields=PackagePath --set trivyOperator.scanJobNodeSelector.node-type=trivy --set nodeSelector.node-type=trivy --set operator.sbomGenerationEnabled=false --version 0.15.0

@saurabh21316
Author

Got it fixed finally, was gke node issue... thanks @chen-keinan all good.

@chen-keinan
Collaborator

Got it fixed finally, was gke node issue... thanks @chen-keinan all good.

thanks for the update!
