k8s vulnerability scanning not working (control plane & node components)

[pogepoge9]

Description

I tried scanning the Kubernetes control plane and node components for vulnerabilities, but none were detected.

From my debugging, it seems to be due to the scanOptions variable in the scanK8sVulns function not setting the default value for PkgRelationships.
So it seems that all Packages are set to [] in the filterPkgByRelationship function, which matches this if statement and skips the scanning process.

I was able to successfully scan for vulnerabilities after initializing scanOptions by adding the following PkgRelationships values, like so:

	scanOptions := types.ScanOptions{
		Scanners:         s.opts.Scanners,
		PkgTypes:         s.opts.PkgTypes,
		PkgRelationships: s.opts.PackageOptions.PkgRelationships, /// add
	}

Is this the intended behavior (by design), or is it a bug?

My test environment details are below:

• Kubernetes distribution: kind v1.25
• Trivy version: 0.59.1

Desired Behavior

❯ ./trivy k8s --scanners vuln --skip-images --report all
2025-02-20T01:57:29+09:00	INFO	Node scanning is enabled
2025-02-20T01:57:29+09:00	INFO	If you want to disable Node scanning via an in-cluster Job, please try '--disable-node-collector' to disable the Node-Collector job.
2025-02-20T01:57:29+09:00	INFO	Scanning K8s...	K8s="kind-kind"

namespace: , node: kind-control-plane (kubernetes)

Total: 4 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 3, CRITICAL: 0)

┌────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│    Library     │ Vulnerability │ Severity │ Status │ Installed Version │              Fixed Version               │                            Title                             │
├────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2023-3676 │ HIGH     │ fixed  │ v1.25.0           │ 1.28.1, 1.27.5, 1.26.8, 1.25.13, 1.24.17 │ kubernetes: Insufficient input sanitization on Windows nodes │
│                │               │          │        │                   │                                          │ leads to privilege escalation                                │
│                │               │          │        │                   │                                          │ https://avd.aquasec.com/nvd/cve-2023-3676                    │
│                ├───────────────┤          │        │                   │                                          ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2023-3955 │          │        │                   │                                          │ kubernetes: Insufficient input sanitization on Windows nodes │
│                │               │          │        │                   │                                          │ leads to privilege escalation                                │
│                │               │          │        │                   │                                          │ https://avd.aquasec.com/nvd/cve-2023-3955                    │
│                ├───────────────┤          │        │                   ├──────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                │ CVE-2023-5528 │          │        │                   │ 1.28.4, 1.27.8, 1.26.11, 1.25.16         │ kubernetes: Insufficient input sanitization in in-tree       │
│                │               │          │        │                   │                                          │ storage plugin leads to privilege escalation...              │
│                │               │          │        │                   │                                          │ https://avd.aquasec.com/nvd/cve-2023-5528                    │
│                ├───────────────┼──────────┤        │                   ├──────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                │ CVE-2023-2431 │ LOW      │        │                   │ 1.24.14, 1.25.10, 1.26.5, 1.27.2         │ kubernetes: Bypass of seccomp profile enforcement            │
│                │               │          │        │                   │                                          │ https://avd.aquasec.com/nvd/cve-2023-2431                    │
└────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────────────┴──────────────────────────────────────────────────────────────┘

namespace: , node: kind-control-plane (gobinary)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

┌──────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│             Library              │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├──────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ github.com/containerd/containerd │ CVE-2022-23471      │ MEDIUM   │ fixed  │ v1.6.7            │ 1.5.16, 1.6.12 │ containerd is an open source container runtime. A bug was │
│                                  │                     │          │        │                   │                │ found in...                                               │
│                                  │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2022-23471                │
│                                  ├─────────────────────┤          │        │                   ├────────────────┼───────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-25153      │          │        │                   │ 1.5.18, 1.6.18 │ containerd: OCI image importer memory exhaustion          │
│                                  │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-25153                │
│                                  ├─────────────────────┤          │        │                   │                ├───────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-25173      │          │        │                   │                │ containerd: Supplementary groups are not set up properly  │
│                                  │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-25173                │
│                                  ├─────────────────────┤          │        │                   ├────────────────┼───────────────────────────────────────────────────────────┤
│                                  │ GHSA-7ww5-4wqc-m92c │          │        │                   │ 1.6.26, 1.7.11 │ containerd allows RAPL to be accessible to a container    │
│                                  │                     │          │        │                   │                │ https://github.com/advisories/GHSA-7ww5-4wqc-m92c         │
└──────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

Actual Behavior

❯ trivy k8s --scanners vuln --skip-images --report all
2025-02-20T00:53:46+09:00	INFO	Node scanning is enabled
2025-02-20T00:53:46+09:00	INFO	If you want to disable Node scanning via an in-cluster Job, please try '--disable-node-collector' to disable the Node-Collector job.
2025-02-20T00:53:46+09:00	INFO	Scanning K8s...	K8s="kind-kind"

Reproduction Steps

1.trivy k8s --scanners vuln --skip-images --report all
2.
3.
...

Target

Kubernetes

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

❯ trivy k8s --scanners vuln --skip-images --report all --debug
2025-02-20T02:00:06+09:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-02-20T02:00:06+09:00	DEBUG	Cache dir	dir="/Users/yutafujii/Library/Caches/trivy"
2025-02-20T02:00:06+09:00	DEBUG	Cache dir	dir="/Users/yutafujii/Library/Caches/trivy"
2025-02-20T02:00:06+09:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-02-20T02:00:06+09:00	DEBUG	Ignore statuses	statuses=[]
2025-02-20T02:00:08+09:00	INFO	Node scanning is enabled
2025-02-20T02:00:08+09:00	INFO	If you want to disable Node scanning via an in-cluster Job, please try '--disable-node-collector' to disable the Node-Collector job.
2025-02-20T02:00:08+09:00	DEBUG	DB update was skipped because the local DB is the latest
2025-02-20T02:00:08+09:00	DEBUG	DB info	schema=2 updated_at=2025-02-19T12:18:27.677573356Z next_update=2025-02-20T12:18:27.677573095Z downloaded_at=2025-02-19T14:47:19.680786Z
2025-02-20T02:00:08+09:00	INFO	Scanning K8s...	K8s="kind-kind"

Operating System

macOS Sonoma 14.5

Version

❯ trivy version
Version: 0.59.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-02-19 12:18:27.677573356 +0000 UTC
  NextUpdate: 2025-02-20 12:18:27.677573095 +0000 UTC
  DownloadedAt: 2025-02-19 14:47:19.680786 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-02-14 02:24:51.921228254 +0000 UTC
  NextUpdate: 2025-02-17 02:24:51.921228094 +0000 UTC
  DownloadedAt: 2025-02-16 08:30:26.85243 +0000 UTC
Check Bundle:
  Digest: sha256:8c65dc8da180c175514774007559f6e468b6adc414fc0cb8409c9d14a558d957
  DownloadedAt: 2025-02-16 08:53:03.875221 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[afdesk]

@pogepoge9 thanks for the report! i'll take a look at this issue