
bug(k8s): versions are missing in KBOM #8358

Open
afdesk opened this issue Feb 5, 2025 · 2 comments
Labels: kind/bug (Categorizes issue or PR as related to a bug), target/kubernetes (Issues relating to kubernetes cluster scanning)

Comments

afdesk (Contributor) commented Feb 5, 2025

Description

Trivy is not accurately identifying the image versions of certain control plane pods in Kubernetes.

For instance, in a Minikube environment, k8s.gcr.io/etcd:3.5.3-0 image contains the following imageID:

imageID: docker-pullable://k8s.gcr.io/etcd@sha256:13f53ed1d91e2e11aac476ee9a0269fdda6cc4874eba903efd40daf50c55eee5

Such an imageID is detected as sha256:13f53ed1d91e2e11aac476ee9a0269fdda6cc4874eba903efd40daf50c55eee5 and will be skipped as a non-sha256 digest:
https://github.com/aquasecurity/trivy-kubernetes/blob/812ea842831c9f92184993d3810c9d28695e4de1/pkg/k8s/k8s.go#L581-L585

Reproduction steps

There is no version for minikube:

```
$ minikube start
$ trivy k8s --format cyclonedx --disable-node-collector | jq '.components[] | select(.name == "go.etcd.io/etcd/v3")'
2025-02-05T16:41:35+06:00       INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2025-02-05T16:41:35+06:00       INFO    Scanning K8s... K8s="minikube"
{
  "bom-ref": "pkg:k8s/go.etcd.io%2Fetcd%2Fv3",
  "type": "application",
  "name": "go.etcd.io/etcd/v3",
  "purl": "pkg:k8s/go.etcd.io%2Fetcd%2Fv3",
  "properties": [
    {
      "name": "aquasecurity:trivy:resource:Name",
      "value": "etcd-minikube"
    },
    {
      "name": "aquasecurity:trivy:resource:Type",
      "value": "controlPlane"
    }
  ]
}
```

but it works for kind:

```
$ kind create cluster
$ trivy k8s --format cyclonedx --disable-node-collector | jq '.components[] | select(.name == "go.etcd.io/etcd/v3")'
2025-02-05T16:43:01+06:00       INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2025-02-05T16:43:01+06:00       INFO    Scanning K8s... K8s="kind-kind"
{
  "bom-ref": "pkg:k8s/go.etcd.io%2Fetcd%2Fv3@v3.5.15-0",
  "type": "application",
  "name": "go.etcd.io/etcd/v3",
  "version": "v3.5.15-0",
  "purl": "pkg:k8s/go.etcd.io%2Fetcd%2Fv3@v3.5.15-0",
  "properties": [
    {
      "name": "aquasecurity:trivy:resource:Name",
      "value": "etcd-kind-control-plane"
    },
    {
      "name": "aquasecurity:trivy:resource:Type",
      "value": "controlPlane"
    }
  ]
}
```

Discussed in #8348
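The failure mode described in the issue is an imageID that carries a runtime scheme prefix (`docker-pullable://...@sha256:...`) and is therefore not recognized as a sha256 digest, so the control-plane component ends up without a version. The following is an added example, not trivy-kubernetes code, showing how the two fields the kubelet reports (`image` and `imageID`) can be normalized so the digest is still recognized and the version is taken from the image tag. The list of runtime prefixes, the `naiveIsSHA256` stand-in, and the rule of building the version as `"v" + tag` (matching the `v3.5.15-0` form in the kind output) are assumptions made for the example; the sample values are the ones quoted in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample, taken from the issue: what kubelet reports for the
// minikube etcd pod in pod.status.containerStatuses[].image / .imageID.
const (
	sampleImage   = "k8s.gcr.io/etcd:3.5.3-0"
	sampleImageID = "docker-pullable://k8s.gcr.io/etcd@sha256:13f53ed1d91e2e11aac476ee9a0269fdda6cc4874eba903efd40daf50c55eee5"
)

// ImageRef is the normalized form of an image reference.
type ImageRef struct {
	Repository string // e.g. k8s.gcr.io/etcd
	Tag        string // e.g. 3.5.3-0, or "" when only a digest is known
	Digest     string // sha256:<64 hex>, or "" when no digest is known
}

// runtimePrefixes are scheme prefixes container runtimes put in front of the
// value kubelet exposes as imageID (assumed list for this example).
var runtimePrefixes = []string{"docker-pullable://", "docker://", "containerd://", "cri-o://"}

// naiveIsSHA256 is a hypothetical strict check that only accepts a bare
// "sha256:<hex>" string. It stands in for the kind of check that skips the
// prefixed minikube imageID; it is not the project's code.
func naiveIsSHA256(id string) bool {
	return strings.HasPrefix(id, "sha256:") && len(id) == len("sha256:")+64
}

// IsSHA256Digest accepts "sha256:" followed by exactly 64 lowercase hex chars.
func IsSHA256Digest(d string) bool {
	const prefix = "sha256:"
	if !strings.HasPrefix(d, prefix) || len(d) != len(prefix)+64 {
		return false
	}
	for _, c := range d[len(prefix):] {
		if !(c >= '0' && c <= '9' || c >= 'a' && c <= 'f') {
			return false
		}
	}
	return true
}

// ParseImageRef strips any runtime scheme prefix, then splits the reference
// into repository, tag and digest. A bare digest is returned as Digest only.
func ParseImageRef(s string) ImageRef {
	for _, p := range runtimePrefixes {
		s = strings.TrimPrefix(s, p)
	}
	if IsSHA256Digest(s) {
		return ImageRef{Digest: s}
	}
	var ref ImageRef
	if i := strings.Index(s, "@"); i >= 0 {
		ref.Digest = s[i+1:]
		s = s[:i]
	}
	// A ':' after the last '/' is a tag; a ':' before it is a registry port.
	if i := strings.LastIndex(s, ":"); i > strings.LastIndex(s, "/") {
		ref.Tag = s[i+1:]
		s = s[:i]
	}
	ref.Repository = s
	return ref
}

// Resolve merges the two kubelet fields: repository and tag come from image,
// the digest from imageID when it carries a valid sha256 digest. The version
// is "v" + tag (assumed rule matching the kind output in the issue).
func Resolve(image, imageID string) (ImageRef, string) {
	ref := ParseImageRef(image)
	if id := ParseImageRef(imageID); IsSHA256Digest(id.Digest) {
		ref.Digest = id.Digest
	}
	version := ""
	if ref.Tag != "" {
		version = "v" + strings.TrimPrefix(ref.Tag, "v")
	}
	return ref, version
}

func main() {
	fmt.Println("naive check accepts prefixed imageID:", naiveIsSHA256(sampleImageID))
	ref, version := Resolve(sampleImage, sampleImageID)
	fmt.Printf("repository=%s tag=%s digest=%s version=%s\n", ref.Repository, ref.Tag, ref.Digest, version)
}
```

The point of keeping the prefix stripping separate from the digest check is that the digest validation stays strict (exactly `sha256:` plus 64 hex characters) while still accepting whatever scheme the runtime prepends; an imageID that fails validation after normalization is still skipped, it just no longer takes the version with it.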

@afdesk afdesk added the kind/bug Categorizes issue or PR as related to a bug. label Feb 5, 2025
@afdesk afdesk self-assigned this Feb 5, 2025
@afdesk afdesk added the target/kubernetes Issues relating to kubernetes cluster scanning label Feb 5, 2025
@afdesk afdesk added this to the v0.61.0 milestone Mar 4, 2025
dsever commented Mar 15, 2025

@afdesk any plans on this?

afdesk (Contributor, Author) commented Mar 17, 2025

> @afdesk any plans on this?

@dsever it should be fixed in the next release.
