Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): Bump trivy-checks #8310

Merged
merged 4 commits into from
Jan 30, 2025
Merged

chore(deps): Bump trivy-checks #8310

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
70c25a5
chore(deps): Bump trivy-checks
simar7 Jan 30, 2025
48944f7
Merge branch 'main' into upd-trivy-checks
simar7 Jan 30, 2025
e9a5d20
test: update golden files
nikpivkin Jan 30, 2025
ee201a0
update to v1.6.1
simar7 Jan 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@ module github.com/aquasecurity/trivy

go 1.23.4

replace github.com/aquasecurity/trivy-checks => github.com/nikpivkin/trivy-checks v0.0.0-20250130043316-24ca79cdef2f

require (
github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0
Expand Down
4 changes: 2 additions & 2 deletions go.sum
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -803,8 +803,6 @@ github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8 h1:b43UVqY
github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8/go.mod h1:wXA9k3uuaxY3yu7gxrxZDPo/04FEMJtwyecdAlYrEIo=
github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
github.com/aquasecurity/trivy-checks v1.6.0 h1:cH3DsgJwYPpKXK3Jpa6gZ84KffWTMEN1vSJ0jdDLh+E=
github.com/aquasecurity/trivy-checks v1.6.0/go.mod h1:xjHg4ivIIIFD7FFNpGrqxi1pRgAW1EXeG4VlkGiymjI=
github.com/aquasecurity/trivy-db v0.0.0-20241209111357-8c398f13db0e h1:O5j5SeCNBrXApgBTOobO06q4LMxJxIhcSGE7H6Y154E=
github.com/aquasecurity/trivy-db v0.0.0-20241209111357-8c398f13db0e/go.mod h1:gS8VhlNxhraiq60BBnJw9kGtjeMspQ9E8pX24jCL4jg=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
Expand Down Expand Up @@ -1628,6 +1626,8 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
github.com/nikpivkin/trivy-checks v0.0.0-20250130043316-24ca79cdef2f h1:EscHS7MuTC91RpD8kmevrujgUug2yV+5q2hiwFVCxAs=
github.com/nikpivkin/trivy-checks v0.0.0-20250130043316-24ca79cdef2f/go.mod h1:xjHg4ivIIIFD7FFNpGrqxi1pRgAW1EXeG4VlkGiymjI=
github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 h1:Up6+btDp321ZG5/zdSLo48H9Iaq0UQGthrhWC6pCxzE=
github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481/go.mod h1:yKZQO8QE2bHlgozqWDiRVqTFlLQSj30K/6SAK8EeYFw=
github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
Expand Down
73 changes: 71 additions & 2 deletions integration/testdata/helm.json.golden
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@
"Type": "helm",
"MisconfSummary": {
"Successes": 79,
"Failures": 14
"Failures": 15
},
"Misconfigurations": [
{
Expand Down Expand Up @@ -805,8 +805,51 @@
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": null
"Lines": [
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The returned object containing the location has been fixed for some checks.

{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
Expand Down Expand Up @@ -905,6 +948,32 @@
"Lines": null
}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV118",
"AVDID": "AVD-KSV-0118",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check was not entirely correct because it triggered only when securityContext was explicitly specified and empty. However, if securityContext was missing entirely, the rule did not trigger.. Fixed in aquasecurity/trivy-checks#315

"Title": "Default security context configured",
"Description": "Security context controls the allocation of security parameters for the pod/container/volume, ensuring the appropriate level of protection. Relying on default security context may expose vulnerabilities to potential attacks that rely on privileged access.",
"Message": "container nginx-deployment in default namespace is using the default security context",
"Namespace": "builtin.kubernetes.KSV118",
"Query": "data.builtin.kubernetes.KSV118.deny",
"Resolution": "To enhance security, it is strongly recommended not to rely on the default security context. Instead, it is advisable to explicitly define the required security parameters (such as runAsNonRoot, capabilities, readOnlyRootFilesystem, etc.) within the security context.",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv118",
"References": [
"https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
"https://avd.aquasec.com/misconfig/ksv118"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
}
Expand Down
110 changes: 106 additions & 4 deletions integration/testdata/helm_testchart.json.golden
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 89,
"Successes": 90,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A new check has been added aquasecurity/trivy-checks#327. Same for other similar changes.

"Failures": 4
},
"Misconfigurations": [
Expand Down Expand Up @@ -302,8 +302,110 @@
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 28,
"EndLine": 57,
"Code": {
"Lines": null
"Lines": [
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": false
},
{
"Number": 33,
"Content": " readOnlyRootFilesystem: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 34,
"Content": " runAsGroup: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": false
},
{
"Number": 35,
"Content": " runAsNonRoot: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 36,
"Content": " runAsUser: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": true
},
{
"Number": 37,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
}
}
},
Expand Down Expand Up @@ -341,7 +443,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 60,
"Successes": 61,
"Failures": 0
}
},
Expand All @@ -350,7 +452,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 59,
"Successes": 60,
"Failures": 0
}
}
Expand Down
110 changes: 106 additions & 4 deletions integration/testdata/helm_testchart.overridden.json.golden
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 87,
"Successes": 88,
"Failures": 6
},
"Misconfigurations": [
Expand Down Expand Up @@ -430,8 +430,110 @@
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 28,
"EndLine": 57,
"Code": {
"Lines": null
"Lines": [
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": false
},
{
"Number": 33,
"Content": " readOnlyRootFilesystem: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 34,
"Content": " runAsGroup: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": false
},
{
"Number": 35,
"Content": " runAsNonRoot: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 36,
"Content": " runAsUser: 0",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0",
"FirstCause": false,
"LastCause": true
},
{
"Number": 37,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
}
}
},
Expand Down Expand Up @@ -568,7 +670,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 60,
"Successes": 61,
"Failures": 0
}
},
Expand All @@ -577,7 +679,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 59,
"Successes": 60,
"Failures": 0
}
}
Expand Down