ksv106 "container should drop all" false positive #4366

huornlmj · 2022-12-02T13:18:53Z

huornlmj
Dec 2, 2022

Checklist

I've read the documentation regarding wrong detection.
I've confirmed that a security advisory in data sources was correct.
- Run Trivy with -f json that shows data sources and make sure that the security advisory is correct.

Description

$ trivy config FILE.yaml on a K8s deployment file throws the following error despite a capabilities drop all directive being present.

LOW: container should drop all
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.

See https://avd.aquasec.com/misconfig/ksv106
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 FILE.yaml:20-41
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  20 ┌       - name: REDACTEDext
  21 │         command:
  22 │         - "/extender"
  23 │         - "--cert=/REDACTED/cert/tls.crt"
  24 │         - "--key=/REDACTED/cert/tls.key"
  25 │         - "--cacert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
  26 │         - "--v=4"
  27 │         image: REDACTED
  28 └         imagePullPolicy: IfNotPresent
  ..
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

FILE.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: REDACTED
  namespace: default 
  labels:
    app: REDACTED
spec:
  replicas: 1
  selector:
    matchLabels:
      app: REDACTED
  template:
    metadata:
      labels:
        app: REDACTED
    spec:
      serviceAccountName: REDACTED-service-account
      containers:
      - name: REDACTEDext
        command:
        - "/extender"
        - "--cert=/REDACTED/cert/tls.crt"
        - "--key=/REDACTED/cert/tls.key"
        - "--cacert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
        - "--v=4"
        image: REDACTED
        imagePullPolicy: IfNotPresent
        securityContext:
          capabilities:
            drop:
              - all
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 10001
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
...

JSON Output of run with `-debug`:

$ trivy config deploy/FILE.yaml --debug
2022-12-02T13:12:50.504Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-12-02T13:12:50.505Z        DEBUG   cache dir:  /home/user/.cache/trivy
2022-12-02T13:12:50.505Z        INFO    Misconfiguration scanning is enabled
2022-12-02T13:12:51.458Z        DEBUG   OS is not detected.
2022-12-02T13:12:51.458Z        INFO    Detected config files: 1
2022-12-02T13:12:51.458Z        DEBUG   Scanned config file: FILE.yaml

Output of `trivy -v`:

$ trivy -v
Version: 0.34.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-12-02 12:08:11.606948816 +0000 UTC
  NextUpdate: 2022-12-02 18:08:11.606948416 +0000 UTC
  DownloadedAt: 2022-12-02 12:36:13.855492637 +0000 UTC

Additional details (base image name, container registry info...):

emilkje · 2023-01-04T13:57:27Z

emilkje
Jan 4, 2023

This seems to be related to case sensitivity. I got rid of the false positive with

securityContext:
  capabilities:
    drop:
       - ALL

0 replies

knqyf263 · 2023-01-09T15:50:05Z

knqyf263
Jan 9, 2023
Maintainer

@giorod3 Would you take a look?

0 replies

simar7 · 2023-06-09T23:09:23Z

simar7
Jun 9, 2023
Maintainer

Opening and tracking this as a bug: #4604 as it seems to be case sensitive, all vs ALL

0 replies

joebowbeer · 2024-04-10T00:51:06Z

joebowbeer
Apr 10, 2024

@simar7 see kubernetes/pod-security-admission#11 (comment)

In addition to not matching the spec, which is a problem in and of itself, the most likely problem that might arise in practice is that trivy will NOT catch this in CI/CD but a compliant admission controller WILL reject it when it is applied to the cluster.

2 replies

simar7 Apr 10, 2024
Maintainer

Hi can you please open a new discussion in the Trivy repo so we can track it collectively?

cc @chen-keinan @itaysk

joebowbeer Apr 10, 2024

Done: #6474

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ksv106 "container should drop all" false positive #4366

{{title}}

Replies: 4 comments 2 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

ksv106 "container should drop all" false positive #4366

huornlmj Dec 2, 2022

Checklist

Description

JSON Output of run with -debug:

Output of trivy -v:

Additional details (base image name, container registry info...):

Replies: 4 comments · 2 replies

emilkje Jan 4, 2023

knqyf263 Jan 9, 2023 Maintainer

simar7 Jun 9, 2023 Maintainer

joebowbeer Apr 10, 2024

simar7 Apr 10, 2024 Maintainer

joebowbeer Apr 10, 2024

huornlmj
Dec 2, 2022

JSON Output of run with `-debug`:

Output of `trivy -v`:

Replies: 4 comments 2 replies

emilkje
Jan 4, 2023

knqyf263
Jan 9, 2023
Maintainer

simar7
Jun 9, 2023
Maintainer

joebowbeer
Apr 10, 2024

simar7 Apr 10, 2024
Maintainer