v0.47.0 #5520
aqua-bot
announced in
Announcements
🚀 What's new? 🚀
⎈ Kubernetes Control Plane and Node components vulnerability scanning 💀
Trivy now supports vulnerability scanning of the Kubernetes control plane and node components (apiserver, controller-manager, kubelet, kube-proxy, etc.).

```
trivy k8s cluster --scanners vuln --report all
220 / 220 [---------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 77 p/s

ControlPlaneComponents/k8s.io/apiserver (kubernetes)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 0, CRITICAL: 0)
```

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| k8s.io/apiserver | CVE-2022-3162 | MEDIUM | fixed | 1.21.1 | 1.22.16, 1.23.14, 1.24.8, 1.25.4 | Unauthorized read of Custom Resources (https://avd.aquasec.com/nvd/cve-2022-3162) |
| k8s.io/apiserver | CVE-2023-2727 | MEDIUM | fixed | 1.21.1 | 1.24.15, 1.25.11, 1.26.6, 1.27.3 | Bypassing policies imposed by the ImagePolicyWebhook admission plugin (https://avd.aquasec.com/nvd/cve-2023-2727) |
| k8s.io/apiserver | CVE-2023-2728 | MEDIUM | fixed | 1.21.1 | 1.24.15, 1.25.11, 1.26.6, 1.27.3 | Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin... (https://avd.aquasec.com/nvd/cve-2023-2728) |
🃏 Adding `--ignore-policy` support for Misconfiguration scanning 🖍️
Misconfiguration scanning now correctly supports passing in an ignore file via the `--ignore-policy` flag. Furthermore, passing in an ignore policy will now render the ignored results as Exceptions if they were found to be misconfigured. Below is an example invocation:
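As an added example (not the invocation from the release notes), a Rego ignore policy for misconfiguration scanning. It assumes Trivy's documented ignore-policy convention (`package trivy`, a boolean `ignore` rule, and each misconfiguration result exposed as `input` with `AVDID` and `Severity` fields); the check IDs and paths are placeholders.

```rego
# Added example, not code from the Trivy release notes.
# Assumes Trivy's ignore-policy convention: package "trivy", a boolean
# "ignore" rule, and misconfiguration results exposed as `input` with
# `AVDID` and `Severity` fields. Check IDs and paths are placeholders.
package trivy

default ignore = false

# Checks accepted as known exceptions in this repository (placeholder IDs).
ignored_checks := {
    "AVD-XXX-0001",
    "AVD-XXX-0002",
}

# Suppress a result when its check ID is in the accepted set.
ignore {
    ignored_checks[input.AVDID]
}

# Suppress a third check only while it is rated LOW, so a severity bump
# in a later Trivy release makes it fail again instead of staying hidden.
ignore {
    input.AVDID == "AVD-XXX-0003"
    input.Severity == "LOW"
}

# Invocation (paths are placeholders):
#   trivy config --ignore-policy ignore-misconf.rego ./deploy
```

Findings matched by the policy are still counted, under EXCEPTIONS rather than FAILURES, so suppressed checks remain visible in the report instead of silently disappearing.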
🌳 Dependency graph support for pubspec.yaml (Dart) 🕸️
Trivy has introduced graph support for `pubspec.yaml` (Dart), enhancing its existing capabilities to identify the origin of vulnerable packages. This feature allows users to view the reversed dependency origin tree for their Dart projects, providing a clearer understanding of the dependencies and their associated vulnerabilities. Trivy looks into the cache directory to build the dependency relationships, so make sure the cache directory contains all the dependencies required by your application. To download missing dependencies, use the `dart pub get` command.

👷‍♂️ Notable Fixes 🛠️
- `--tf-exclude-downloaded-modules` flag #5416
- `sbom` mode #5430