Skip to content

VulnerabilityReport

An instance of the VulnerabilityReport represents the latest vulnerabilities found in a container image of a given Kubernetes workload. It consists of a list of OS package and application vulnerabilities with a summary of vulnerabilities grouped by severity. For a multi-container workload trivy-operator creates multiple instances of VulnerabilityReports in the workload's namespace with the owner reference set to that workload. Each report follows the naming convention <workload kind>-<workload name>-<container-name>.

The following listing shows a sample VulnerabilityReport associated with the ReplicaSet named nginx-6d4cf56db6 in the default namespace that has the nginx container without any additional options.

apiVersion: aquasecurity.github.io/v1alpha1
kind: VulnerabilityReport
metadata:
  name: replicaset-nginx-6d4cf56db6-nginx
  namespace: default
  labels:
    trivy-operator.container.name: nginx
    trivy-operator.resource.kind: ReplicaSet
    trivy-operator.resource.name: nginx-6d4cf56db6
    trivy-operator.resource.namespace: default
    resource-spec-hash: 7cb64cb677
  uid: 8aa1a7cb-a319-4b93-850d-5a67827dfbbf
  ownerReferences:
    - apiVersion: apps/v1
      blockOwnerDeletion: false
      controller: true
      kind: ReplicaSet
      name: nginx-6d4cf56db6
      uid: aa345200-cf24-443a-8f11-ddb438ff8659
report:
  artifact:
    repository: library/nginx
    tag: '1.16'
  os:
    family: debian
    name:   '10.3'
  registry:
    server: index.docker.io
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: 0.57.1
  summary:
    criticalCount: 2
    highCount: 0
    lowCount: 0
    mediumCount: 0
    unknownCount: 0
  vulnerabilities:
    - fixedVersion: 0.9.1-2+deb10u1
      installedVersion: 0.9.1-2
      links: []
      primaryLink: 'https://avd.aquasec.com/nvd/cve-2019-20367'
      resource: libbsd0
      score: 9.1
      severity: CRITICAL
      target: library/nginx:1.21.6
      title: ''
      vulnerabilityID: CVE-2019-20367
    - fixedVersion: ''
      installedVersion: 0.6.1-2
      links: []
      primaryLink: 'https://avd.aquasec.com/nvd/cve-2018-25009'
      resource: libwebp6
      score: 9.1
      severity: CRITICAL
      target: library/nginx:1.16
      title: 'libwebp: out-of-bounds read in WebPMuxCreateInternal'
      vulnerabilityID: CVE-2018-25009

Note

For various reasons we'll probably change the naming convention to name VulnerabilityReports by image digest (see #288).

Any static vulnerability scanner that is compliant with the VulnerabilityReport schema can be integrated with trivy-operator. You can find the list of available integrations here.

It's possible to get more information from report, like Description, Links, CVSS and Target. The following listing shows a sample of extended VulnerabilityReport associated with the ReplicaSet named nginx-6d4cf56db6 in the default namespace that has the nginx container with additional options. Please refer to the "Vulnerability Scanner Configuration" how to make it. Use with caution, because Links can generate lots of information and report can exceed the etcd request payload limit. By default, the payload of each Kubernetes object stored etcd is subject to 1.5 MiB.

apiVersion: aquasecurity.github.io/v1alpha1
kind: VulnerabilityReport
metadata:
  name: replicaset-nginx-6d4cf56db6-nginx
  namespace: default
  labels:
    trivy-operator.container.name: nginx
    trivy-operator.resource.kind: ReplicaSet
    trivy-operator.resource.name: nginx-6d4cf56db6
    trivy-operator.resource.namespace: default
    resource-spec-hash: 7cb64cb677
  uid: 8aa1a7cb-a319-4b93-850d-5a67827dfbbf
  ownerReferences:
    - apiVersion: apps/v1
      blockOwnerDeletion: false
      controller: true
      kind: ReplicaSet
      name: nginx-6d4cf56db6
      uid: aa345200-cf24-443a-8f11-ddb438ff8659
report:
  artifact:
    repository: library/nginx
    tag: '1.16'
  os:
    family: debian
    name:   '10.3'
  registry:
    server: index.docker.io
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: 0.35.0
  summary:
    criticalCount: 2
    highCount: 0
    lowCount: 0
    mediumCount: 0
    unknownCount: 0
  vulnerabilities:
   - cvss:
      nvd:
        V2Score: 4.6
        V2Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
        V3Score: 5.7
        V3Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
      redhat:
        V3Score: 5.7
        V3Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
    description: 'APT had several integer overflows and underflows while parsing .deb
      packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc,
      apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt
      1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior
      to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0
      versions prior to 2.1.10ubuntu0.1;'
    fixedVersion: 1.8.2.2
    installedVersion: 1.8.2
    links:
    - https://access.redhat.com/security/cve/CVE-2020-27350
    - https://bugs.launchpad.net/bugs/1899193
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27350
    - https://security.netapp.com/advisory/ntap-20210108-0005/
    - https://ubuntu.com/security/notices/USN-4667-1
    - https://ubuntu.com/security/notices/USN-4667-2
    - https://usn.ubuntu.com/usn/usn-4667-1
    - https://www.debian.org/security/2020/dsa-480
    primaryLink: https://avd.aquasec.com/nvd/cve-2020-27350
    resource: apt
    severity: MEDIUM
    target: nginx:1.16 (debian 10.3)
    title: 'apt: integer overflows and underflows while parsing .deb packages'
    vulnerabilityID: CVE-2020-27350
  - cvss:
      nvd:
        V2Score: 4.3
        V2Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
        V3Score: 5.5
        V3Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
    description: Missing input validation in the ar/tar implementations of APT before
      version 2.1.2 could result in denial of service when processing specially crafted
      deb files.
    fixedVersion: 1.8.2.1
    installedVersion: 1.8.2
    links:
    - https://bugs.launchpad.net/bugs/1878177",
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3810
    - https://github.com/Debian/apt/issues/111
    - https://github.com/julian-klode/apt/commit/de4efadc3c92e26d37272fd310be148ec61dcf36
    - https://lists.debian.org/debian-security-announce/2020/msg00089.html
    - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U4PEH357MZM2SUGKETMEHMSGQS652QHH/
    - https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6
    - https://salsa.debian.org/jak/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6
    - https://tracker.debian.org/news/1144109/accepted-apt-212-source-into-unstable/
    - https://ubuntu.com/security/notices/USN-4359-1
    - https://ubuntu.com/security/notices/USN-4359-2
    - https://usn.ubuntu.com/4359-1/
    - https://usn.ubuntu.com/4359-2/
    primaryLink: https://avd.aquasec.com/nvd/cve-2020-3810
    resource: apt
    severity: MEDIUM
    target: nginx:1.16 (debian 10.3)
    title: Missing input validation in the ar/tar implementations of APT before v
      ...
    vulnerabilityID: CVE-2020-3810