Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: add context to target finding on k8s table view #6099

Merged

Conversation

chen-keinan
Copy link
Contributor

@chen-keinan chen-keinan commented Feb 11, 2024

Description

add context to Target (namespace/kind/name) finding on k8s table view

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).

example:

Before


k8s.io/apiserver (kubernetes)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌──────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability │ Severity │ Status │ Installed Version │          Fixed Version           │                           Title                           │
├──────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ k8s.io/apiserver │ CVE-2022-3162 │ MEDIUM   │ fixed  │ 1.21.1            │ 1.22.16, 1.23.14, 1.24.8, 1.25.4 │ Unauthorized read of Custom Resources                     │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2022-3162                 │
│                  ├───────────────┤          │        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│                  │ CVE-2023-2727 │          │        │                   │ 1.24.15, 1.25.11, 1.26.6, 1.27.3 │ Bypassing policies imposed by the ImagePolicyWebhook      │
│                  │               │          │        │                   │                                  │ admission plugin                                          │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2727                 │
│                  ├───────────────┤          │        │                   │                                  ├───────────────────────────────────────────────────────────┤
│                  │ CVE-2023-2728 │          │        │                   │                                  │ Bypassing enforce mountable secrets policy imposed by the │
│                  │               │          │        │                   │                                  │ ServiceAccount admission plugin...                        │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2728                 │
└──────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────────────┘

kind-control-plane (kubernetes)

Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────┐
│    Library     │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version           │                       Title                       │
├────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2021-25741 │ HIGH     │ fixed  │ 1.21.1            │ 1.19.16, 1.20.11, 1.21.5, 1.22.1 │ Symlink exchange can allow host filesystem access │
│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2021-25741        │
│                ├────────────────┤          │        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────┤
│                │ CVE-2021-25749 │          │        │                   │ 1.22.14, 1.23.11, 1.24.5         │ runAsNonRoot logic bypass for Windows containers  │
│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2021-25749        │
│                ├────────────────┼──────────┤        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────┤
│                │ CVE-2023-2431  │ LOW      │        │                   │ 1.24.14, 1.25.10, 1.26.5, 1.27.2 │ kubernetes: Bypass of seccomp profile enforcement │
│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2431         │
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────┘

kind-control-plane (gobinary)

Total: 10 (UNKNOWN: 0, LOW: 1, MEDIUM: 7, HIGH: 2, CRITICAL: 0)

┌──────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────────────┬──────────────────────────────────────────────────────────────┐
│             Library              │    Vulnerability    │ Severity │ Status │ Installed Version │     Fixed Version     │                            Title                             │
├──────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/containerd/containerd │ CVE-2021-43816      │ HIGH     │ fixed  │ 1.5.2             │ 1.5.9                 │ containerd: Unprivileged pod may bind mount any privileged   │
│                                  │                     │          │        │                   │                       │ regular file on disk...                                      │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-43816                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2022-23648      │          │        │                   │ 1.4.13, 1.5.10, 1.6.1 │ containerd: insecure handling of image volumes               │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-23648                   │
│                                  ├─────────────────────┼──────────┤        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2021-32760      │ MEDIUM   │        │                   │ 1.4.8, 1.5.4          │ pulling and extracting crafted container image may result in │
│                                  │                     │          │        │                   │                       │ Unix file permission...                                      │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-32760                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2021-41103      │          │        │                   │ 1.4.11, 1.5.7         │ insufficiently restricted permissions on container root and  │
│                                  │                     │          │        │                   │                       │ plugin directories                                           │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-41103                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2022-23471      │          │        │                   │ 1.5.16, 1.6.12        │ containerd is an open source container runtime. A bug was    │
│                                  │                     │          │        │                   │                       │ found in...                                                  │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-23471                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2022-31030      │          │        │                   │ 1.5.13, 1.6.6         │ containerd is an open source container runtime. A bug was    │
│                                  │                     │          │        │                   │                       │ found in...                                                  │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-31030                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-25153      │          │        │                   │ 1.5.18, 1.6.18        │ containerd: OCI image importer memory exhaustion             │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-25153                   │
│                                  ├─────────────────────┤          │        │                   │                       ├──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-25173      │          │        │                   │                       │ containerd: Supplementary groups are not set up properly     │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-25173                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ GHSA-7ww5-4wqc-m92c │          │        │                   │ 1.6.26, 1.7.11        │ containerd allows RAPL to be accessible to a container       │
│                                  │                     │          │        │                   │                       │ https://github.com/advisories/GHSA-7ww5-4wqc-m92c            │
│                                  ├─────────────────────┼──────────┤        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ GHSA-5j5w-g665-5m35 │ LOW      │        │                   │ 1.4.12, 1.5.8         │ Ambiguous OCI manifest parsing                               │
│                                  │                     │          │        │                   │                       │ https://github.com/advisories/GHSA-5j5w-g665-5m35            │
└──────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────────────┴──────────────────────────────────────────────────────────────┘

After

namespace: kube-system, controlplanecomponents: k8s.io/apiserver (kubernetes)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌──────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability │ Severity │ Status │ Installed Version │          Fixed Version           │                           Title                           │
├──────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ k8s.io/apiserver │ CVE-2022-3162 │ MEDIUM   │ fixed  │ 1.21.1            │ 1.22.16, 1.23.14, 1.24.8, 1.25.4 │ Unauthorized read of Custom Resources                     │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2022-3162                 │
│                  ├───────────────┤          │        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│                  │ CVE-2023-2727 │          │        │                   │ 1.24.15, 1.25.11, 1.26.6, 1.27.3 │ Bypassing policies imposed by the ImagePolicyWebhook      │
│                  │               │          │        │                   │                                  │ admission plugin                                          │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2727                 │
│                  ├───────────────┤          │        │                   │                                  ├───────────────────────────────────────────────────────────┤
│                  │ CVE-2023-2728 │          │        │                   │                                  │ Bypassing enforce mountable secrets policy imposed by the │
│                  │               │          │        │                   │                                  │ ServiceAccount admission plugin...                        │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2728                 │
└──────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────────────┘

node: kind-control-plane (kubernetes)

Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────┐
│    Library     │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version           │                       Title                       │
├────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2021-25741 │ HIGH     │ fixed  │ 1.21.1            │ 1.19.16, 1.20.11, 1.21.5, 1.22.1 │ Symlink exchange can allow host filesystem access │
│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2021-25741        │
│                ├────────────────┤          │        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────┤
│                │ CVE-2021-25749 │          │        │                   │ 1.22.14, 1.23.11, 1.24.5         │ runAsNonRoot logic bypass for Windows containers  │
│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2021-25749        │
│                ├────────────────┼──────────┤        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────┤
│                │ CVE-2023-2431  │ LOW      │        │                   │ 1.24.14, 1.25.10, 1.26.5, 1.27.2 │ kubernetes: Bypass of seccomp profile enforcement │
│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2431         │
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────┘

node: kind-control-plane (gobinary)

Total: 10 (UNKNOWN: 0, LOW: 1, MEDIUM: 7, HIGH: 2, CRITICAL: 0)

┌──────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────────────┬──────────────────────────────────────────────────────────────┐
│             Library              │    Vulnerability    │ Severity │ Status │ Installed Version │     Fixed Version     │                            Title                             │
├──────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/containerd/containerd │ CVE-2021-43816      │ HIGH     │ fixed  │ 1.5.2             │ 1.5.9                 │ containerd: Unprivileged pod may bind mount any privileged   │
│                                  │                     │          │        │                   │                       │ regular file on disk...                                      │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-43816                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2022-23648      │          │        │                   │ 1.4.13, 1.5.10, 1.6.1 │ containerd: insecure handling of image volumes               │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-23648                   │
│                                  ├─────────────────────┼──────────┤        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2021-32760      │ MEDIUM   │        │                   │ 1.4.8, 1.5.4          │ pulling and extracting crafted container image may result in │
│                                  │                     │          │        │                   │                       │ Unix file permission...                                      │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-32760                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2021-41103      │          │        │                   │ 1.4.11, 1.5.7         │ insufficiently restricted permissions on container root and  │
│                                  │                     │          │        │                   │                       │ plugin directories                                           │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-41103                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2022-23471      │          │        │                   │ 1.5.16, 1.6.12        │ containerd is an open source container runtime. A bug was    │
│                                  │                     │          │        │                   │                       │ found in...                                                  │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-23471                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2022-31030      │          │        │                   │ 1.5.13, 1.6.6         │ containerd is an open source container runtime. A bug was    │
│                                  │                     │          │        │                   │                       │ found in...                                                  │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-31030                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-25153      │          │        │                   │ 1.5.18, 1.6.18        │ containerd: OCI image importer memory exhaustion             │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-25153                   │
│                                  ├─────────────────────┤          │        │                   │                       ├──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-25173      │          │        │                   │                       │ containerd: Supplementary groups are not set up properly     │
│                                  │                     │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-25173                   │
│                                  ├─────────────────────┤          │        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ GHSA-7ww5-4wqc-m92c │          │        │                   │ 1.6.26, 1.7.11        │ containerd allows RAPL to be accessible to a container       │
│                                  │                     │          │        │                   │                       │ https://github.com/advisories/GHSA-7ww5-4wqc-m92c            │
│                                  ├─────────────────────┼──────────┤        │                   ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ GHSA-5j5w-g665-5m35 │ LOW      │        │                   │ 1.4.12, 1.5.8         │ Ambiguous OCI manifest parsing                               │
│                                  │                     │          │        │                   │                       │ https://github.com/advisories/GHSA-5j5w-g665-5m35            │
└──────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────────────┴──────────────────────────────────────────────────────────────┘

@chen-keinan chen-keinan marked this pull request as ready for review February 11, 2024 09:46
@chen-keinan chen-keinan changed the title fix: add context to Target finding on k8s table view fix: add context to target finding on k8s table view Feb 11, 2024
@chen-keinan chen-keinan marked this pull request as draft February 12, 2024 13:03
@chen-keinan chen-keinan marked this pull request as ready for review February 12, 2024 14:05
Signed-off-by: chenk <hen.keinan@gmail.com>
Signed-off-by: chenk <hen.keinan@gmail.com>
@chen-keinan chen-keinan force-pushed the fix/k8s-report-all-resource-path branch from 91fc9c9 to 2d879ee Compare February 21, 2024 09:19
Signed-off-by: chenk <hen.keinan@gmail.com>
@knqyf263 knqyf263 removed the request for review from josedonizetti February 21, 2024 11:26
@knqyf263 knqyf263 added this pull request to the merge queue Feb 26, 2024
Merged via the queue into aquasecurity:main with commit 1b7e474 Feb 26, 2024
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add context to target finding on k8s table view
2 participants