docs: k8s vulnerability scanning

Signed-off-by: chenk <[email protected]>
chen-keinan · Nov 5, 2023 · eddeba1 · eddeba1
1 parent fdb3a15
commit eddeba1
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 33 deletions.
diff --git a/docs/docs/target/kubernetes.md b/docs/docs/target/kubernetes.md
@@ -15,12 +15,14 @@ When scanning a Kubernetes cluster, Trivy differentiates between the following:
 When scanning any of the above, the container image is scanned separately to the Kubernetes resource definition (the YAML manifest) that defines the resource.
 
 Container image is scanned for:
+
 - Vulnerabilities
 - Misconfigurations
 - Exposed secrets
 
 Kubernetes resource definition is scanned for:
-- Vulnerabilities - partially supported through [KBOM scanning](#KBOM)
+
+- Vulnerabilities (Open Source Libraries, Control Plane and Node Components)
 - Misconfigurations
 - Exposed secrets
 
@@ -73,6 +75,33 @@ You can exclude specific nodes from the scan using the `--exclude-nodes` flag, w
 trivy k8s cluster --report summary --exclude-nodes kubernetes.io/arch:arm6
 ```
 
+## Control Plane and Node Components Vulnerability Scanning
+
+Trivy is capable of discovering Kubernetes control plane (apiserver, controller-manager and etc) and node components(kubelet, kube-proxy and etc), matching them against the [official Kubernetes vulnerability database feed](https://github.com/aquasecurity/vuln-list-k8s), and reporting any vulnerabilities it finds
+
+
+```
+trivy k8s cluster --scanners vuln  --report all
+
+NodeComponents/kind-control-plane (kubernetes)
+
+Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
+
+┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────┐
+│    Library     │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version           │                       Title                       │
+├────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────┤
+│ k8s.io/kubelet │ CVE-2023-2431  │ LOW      │ fixed  │ 1.21.1            │ 1.24.14, 1.25.10, 1.26.5, 1.27.2 │ Bypass of seccomp profile enforcement             │
+│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2431         │
+│                ├────────────────┼──────────┤        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────┤
+│                │ CVE-2021-25741 │ HIGH     │        │                   │ 1.19.16, 1.20.11, 1.21.5, 1.22.1 │ Symlink exchange can allow host filesystem access │
+│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2021-25741        │
+│                ├────────────────┤          │        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────┤
+│                │ CVE-2021-25749 │          │        │                   │ 1.22.14, 1.23.11, 1.24.5         │ runAsNonRoot logic bypass for Windows containers  │
+│                │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2021-25749        │
+└────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────┘
+```
+
+
 ### Components types
 
 You can control what kinds of components are discovered using the `--components` flag:
@@ -329,7 +358,8 @@ trivy sbom mykbom.cdx.json
 <details>
 <summary>Result</summary>
 
-```
+```sh
+
 2023-09-28T22:52:25.707+0300    INFO    Vulnerability scanning is enabled
  2023-09-28T22:52:25.707+0300    INFO    Detected SBOM format: cyclonedx-json
  2023-09-28T22:52:25.717+0300    WARN    No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.

diff --git a/docs/docs/target/sbom.md b/docs/docs/target/sbom.md
@@ -1,4 +1,5 @@
 # SBOM scanning
+
 Trivy can take the following SBOM formats as an input and scan for vulnerabilities.
 
 - CycloneDX
@@ -11,25 +12,26 @@ To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM.
 The input format is automatically detected.
 
 ```bash
-$ trivy sbom /path/to/sbom_file
+trivy sbom /path/to/sbom_file
 ```
 
 !!! note
-    Passing SBOMs generated by tool other than Trivy may result in inaccurate detection 
+    Passing SBOMs generated by tool other than Trivy may result in inaccurate detection
     because Trivy relies on custom properties in SBOM for accurate scanning.
 
 ## CycloneDX
+
 Trivy supports CycloneDX as an input.
 
 !!! note
     CycloneDX XML is not supported at the moment.
 
-
 ```bash
-$ trivy sbom /path/to/cyclonedx.json
+trivy sbom /path/to/cyclonedx.json
 ```
 
 ## SPDX
+
 Trivy supports the SPDX SBOM as an input.
 
 The following SPDX formats are supported:
@@ -38,8 +40,8 @@ The following SPDX formats are supported:
 - JSON (`--format spdx-json`)
 
 ```bash
-$ trivy image --format spdx-json --output spdx.json alpine:3.16.0
-$ trivy sbom spdx.json
+trivy image --format spdx-json --output spdx.json alpine:3.16.0
+trivy sbom spdx.json
 ```
 
 <details>
@@ -113,28 +115,28 @@ Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
 
 To read more about KBOM, see the [documentation for Kubernetes scanning](./kubernetes.md#KBOM).
 
-```shell
- $ trivy k8s --format cyclonedx cluster -o kbom.json
- $ trivy sbom kbom.json
- 2023-09-28T22:52:25.707+0300    INFO    Vulnerability scanning is enabled
- 2023-09-28T22:52:25.707+0300    INFO    Detected SBOM format: cyclonedx-json
- 2023-09-28T22:52:25.717+0300    WARN    No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.
- 2023-09-28T22:52:25.717+0300    WARN    e.g. files under "/lib/apk/db/", "/var/lib/dpkg/" and "/var/lib/rpm"
- 2023-09-28T22:52:25.717+0300    INFO    Detected OS: debian gnu/linux
- 2023-09-28T22:52:25.717+0300    WARN    unsupported os : debian gnu/linux
- 2023-09-28T22:52:25.717+0300    INFO    Number of language-specific files: 3
- 2023-09-28T22:52:25.717+0300    INFO    Detecting kubernetes vulnerabilities...
- 2023-09-28T22:52:25.718+0300    INFO    Detecting gobinary vulnerabilities...
- Kubernetes (kubernetes)
- Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
- ┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────────┬──────────────────────────────────────────────────┐
- │    Library     │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version          │                      Title                       │
- ├────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────────┼──────────────────────────────────────────────────┤
- │ k8s.io/kubelet │ CVE-2021-25749 │ HIGH     │ fixed  │ 1.24.0            │ 1.22.14, 1.23.11, 1.24.5        │ runAsNonRoot logic bypass for Windows containers │
- │                │                │          │        │                   │                                 │ https://avd.aquasec.com/nvd/cve-2021-25749       │
- │                ├────────────────┼──────────┤        │                   ├─────────────────────────────────┼──────────────────────────────────────────────────┤
- │                │ CVE-2023-2431  │ LOW      │        │                   │ 1.24.14, 1.25.9, 1.26.4, 1.27.1 │ Bypass of seccomp profile enforcement            │
- │                │                │          │        │                   │                                 │ https://avd.aquasec.com/nvd/cve-2023-2431        │
- └────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────────┴──────────────────────────────────────────────────┘
- ```
- 
+```sh
+
+$ trivy k8s --format cyclonedx cluster -o kbom.json
+$ trivy sbom kbom.json
+2023-09-28T22:52:25.707+0300    INFO    Vulnerability scanning is enabled
+2023-09-28T22:52:25.717+0300    INFO    Number of language-specific files: 3
+2023-09-28T22:52:25.717+0300    INFO    Detecting kubernetes vulnerabilities...
+2023-09-28T22:52:25.718+0300    INFO    Detecting gobinary vulnerabilities...
+
+Kubernetes (kubernetes)
+
+Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
+
+┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────────────────────┬──────────────────────────────────────────────────┐
+│    Library     │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version         │                 Title                            │
+├────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────────────────────┼──────────────────────────────────────────────────┤
+│ k8s.io/kubelet │ CVE-2021-25749 │ HIGH     │ fixed  │ 1.24.0            │ 1.22.14, 1.23.11, 1.24.5       │ runAsNonRoot logic bypass for Windows containers │
+│                │                │          │        │                   │                                │ https://avd.aquasec.com/nvd/cve-2021-25749       │
+│                ├────────────────┼──────────┤        │                   ├────────────────────────────────┼──────────────────────────────────────────────────┤
+│                │ CVE-2023-2431  │ LOW      │        │                   │1.24.14, 1.25.9, 1.26.4, 1.27.1 │ Bypass of seccomp profile enforcement            │
+│                │                │          │        │                   │                                │ https://avd.aquasec.com/nvd/cve-2023-2431        │
+└────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────────────────────┴──────────────────────────────────────────────────┘
+
+```