bug: ksv106 "container should drop all" false positive #4604

Closed
2 tasks done
simar7 opened this issue Jun 9, 2023 Discussed in #4366 · 2 comments · Fixed by aquasecurity/defsec#1340
Labels
kind/bug Categorizes issue or PR as related to a bug. priority/backlog Higher priority than priority/awaiting-more-evidence. scan/misconfiguration Issues relating to misconfiguration scanning

Comments

@simar7
Member

simar7 commented Jun 9, 2023

Discussed in #4366

Originally posted by huornlmj December 2, 2022

Checklist

  • I've read the documentation regarding wrong detection.
  • I've confirmed that a security advisory in data sources was correct.
    • Run Trivy with -f json that shows data sources and make sure that the security advisory is correct.

Description

$ trivy config FILE.yaml on a K8s deployment file throws the following error despite a capabilities drop all directive being present.

LOW: container should drop all
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.

See https://avd.aquasec.com/misconfig/ksv106
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 FILE.yaml:20-41
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  20 ┌       - name: REDACTEDext
  21 │         command:
  22 │         - "/extender"
  23 │         - "--cert=/REDACTED/cert/tls.crt"
  24 │         - "--key=/REDACTED/cert/tls.key"
  25 │         - "--cacert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
  26 │         - "--v=4"
  27 │         image: REDACTED
  28 └         imagePullPolicy: IfNotPresent
  ..
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

FILE.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: REDACTED
  namespace: default 
  labels:
    app: REDACTED
spec:
  replicas: 1
  selector:
    matchLabels:
      app: REDACTED
  template:
    metadata:
      labels:
        app: REDACTED
    spec:
      serviceAccountName: REDACTED-service-account
      containers:
      - name: REDACTEDext
        command:
        - "/extender"
        - "--cert=/REDACTED/cert/tls.crt"
        - "--key=/REDACTED/cert/tls.key"
        - "--cacert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
        - "--v=4"
        image: REDACTED
        imagePullPolicy: IfNotPresent
        securityContext:
          capabilities:
            drop:
              - all
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 10001
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
...

JSON Output of run with -debug:

$ trivy config deploy/FILE.yaml --debug
2022-12-02T13:12:50.504Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-12-02T13:12:50.505Z        DEBUG   cache dir:  /home/user/.cache/trivy
2022-12-02T13:12:50.505Z        INFO    Misconfiguration scanning is enabled
2022-12-02T13:12:51.458Z        DEBUG   OS is not detected.
2022-12-02T13:12:51.458Z        INFO    Detected config files: 1
2022-12-02T13:12:51.458Z        DEBUG   Scanned config file: FILE.yaml

Output of trivy -v:

$ trivy -v
Version: 0.34.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-12-02 12:08:11.606948816 +0000 UTC
  NextUpdate: 2022-12-02 18:08:11.606948416 +0000 UTC
  DownloadedAt: 2022-12-02 12:36:13.855492637 +0000 UTC

Additional details (base image name, container registry info...):
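
The manifest in the report spells the dropped capability `all`, while the finding text says containers must drop `ALL`, and the later comment argues the relaxation should be rejected. The Go example below is added here and is not Trivy or defsec code (the `Capabilities` and `Verdict` types and the function names are hypothetical); it runs a KSV106-style check under both a strict and a case-insensitive comparison so a reviewer can see exactly what the disputed change decides.

```go
package main

import (
	"fmt"
	"strings"
)

// Capabilities mirrors securityContext.capabilities of a Pod container
// (hypothetical type for this example, not defsec's own representation).
type Capabilities struct {
	Add  []string
	Drop []string
}

// Verdict is what a KSV106-style check records for one container.
type Verdict struct {
	Container      string
	DropsAllStrict bool     // Drop contains the literal "ALL"
	DropsAllFold   bool     // Drop contains "ALL" ignoring case ("all" counts)
	DisallowedAdds []string // Add entries other than NET_BIND_SERVICE
}

// dropsAll reports whether drop contains ALL; fold=true ignores case.
func dropsAll(drop []string, fold bool) bool {
	for _, c := range drop {
		if c == "ALL" || (fold && strings.EqualFold(c, "ALL")) {
			return true
		}
	}
	return false
}

// checkContainer evaluates both readings; an empty block drops nothing.
func checkContainer(name string, caps Capabilities) Verdict {
	v := Verdict{Container: name}
	v.DropsAllStrict = dropsAll(caps.Drop, false)
	v.DropsAllFold = dropsAll(caps.Drop, true)
	for _, a := range caps.Add { // the only add-back the rule text allows
		if a != "NET_BIND_SERVICE" {
			v.DisallowedAdds = append(v.DisallowedAdds, a)
		}
	}
	return v
}

func main() {
	// Constructed to mirror the manifest in the report: drop is spelled "all".
	fmt.Printf("%+v\n", checkContainer("REDACTEDext", Capabilities{Drop: []string{"all"}}))
}
```

With the reported manifest, the strict reading reports the finding and the case-insensitive one does not; that gap is what the linked defsec change and the objection to it are about.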

@simar7 simar7 added kind/bug Categorizes issue or PR as related to a bug. priority/backlog Higher priority than priority/awaiting-more-evidence. scan/misconfiguration Issues relating to misconfiguration scanning labels Jun 9, 2023
@simar7 simar7 self-assigned this Jun 14, 2023
@simar7
Member Author

simar7 commented Jun 14, 2023

Fix should be available in the next defsec/trivy release.

@joebowbeer

@simar7 I think this change should be rejected. See my latest comments in the discussion.
