VulnerabilityReport
An instance of the VulnerabilityReport represents the latest vulnerabilities found in a container image of a given Kubernetes workload. It consists of a list of OS package and application vulnerabilities together with a summary of those vulnerabilities grouped by severity. For a multi-container workload, trivy-operator creates one VulnerabilityReport per container in the workload's namespace, with the owner reference set to that workload. Each report follows the naming convention <workload kind>-<workload name>-<container name>.

The following listing shows a sample VulnerabilityReport associated with the ReplicaSet named nginx-6d4cf56db6 in the default namespace, which has the nginx container, scanned without any additional options.
```yaml
apiVersion: aquasecurity.github.io/v1alpha1
kind: VulnerabilityReport
metadata:
  name: replicaset-nginx-6d4cf56db6-nginx
  namespace: default
  labels:
    trivy-operator.container.name: nginx
    trivy-operator.resource.kind: ReplicaSet
    trivy-operator.resource.name: nginx-6d4cf56db6
    trivy-operator.resource.namespace: default
    resource-spec-hash: 7cb64cb677
  uid: 8aa1a7cb-a319-4b93-850d-5a67827dfbbf
  ownerReferences:
    - apiVersion: apps/v1
      blockOwnerDeletion: false
      controller: true
      kind: ReplicaSet
      name: nginx-6d4cf56db6
      uid: aa345200-cf24-443a-8f11-ddb438ff8659
report:
  artifact:
    repository: library/nginx
    tag: '1.16'
  os:
    family: debian
    name: '10.3'
  registry:
    server: index.docker.io
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: 0.57.1
  summary:
    criticalCount: 2
    highCount: 0
    lowCount: 0
    mediumCount: 0
    unknownCount: 0
  vulnerabilities:
    - fixedVersion: 0.9.1-2+deb10u1
      installedVersion: 0.9.1-2
      links: []
      primaryLink: 'https://avd.aquasec.com/nvd/cve-2019-20367'
      resource: libbsd0
      score: 9.1
      severity: CRITICAL
      target: library/nginx:1.21.6
      title: ''
      vulnerabilityID: CVE-2019-20367
    - fixedVersion: ''
      installedVersion: 0.6.1-2
      links: []
      primaryLink: 'https://avd.aquasec.com/nvd/cve-2018-25009'
      resource: libwebp6
      score: 9.1
      severity: CRITICAL
      target: library/nginx:1.16
      title: 'libwebp: out-of-bounds read in WebPMuxCreateInternal'
      vulnerabilityID: CVE-2018-25009
```
Note: For various reasons we'll probably change the naming convention to name VulnerabilityReports by image digest (see #288).
Any static vulnerability scanner that is compliant with the VulnerabilityReport schema can be integrated with trivy-operator. You can find the list of available integrations here.
It's possible to get more information from a report, such as Description, Links, CVSS and Target. The following listing shows a sample extended VulnerabilityReport associated with the ReplicaSet named nginx-6d4cf56db6 in the default namespace, which has the nginx container, scanned with additional options. Please refer to "Vulnerability Scanner Configuration" for how to enable them.

Use this with caution: Links can generate a lot of data, and the report can then exceed the etcd request payload limit. By default, each Kubernetes object stored in etcd is limited to 1.5 MiB.
```yaml
apiVersion: aquasecurity.github.io/v1alpha1
kind: VulnerabilityReport
metadata:
  name: replicaset-nginx-6d4cf56db6-nginx
  namespace: default
  labels:
    trivy-operator.container.name: nginx
    trivy-operator.resource.kind: ReplicaSet
    trivy-operator.resource.name: nginx-6d4cf56db6
    trivy-operator.resource.namespace: default
    resource-spec-hash: 7cb64cb677
  uid: 8aa1a7cb-a319-4b93-850d-5a67827dfbbf
  ownerReferences:
    - apiVersion: apps/v1
      blockOwnerDeletion: false
      controller: true
      kind: ReplicaSet
      name: nginx-6d4cf56db6
      uid: aa345200-cf24-443a-8f11-ddb438ff8659
report:
  artifact:
    repository: library/nginx
    tag: '1.16'
  os:
    family: debian
    name: '10.3'
  registry:
    server: index.docker.io
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: 0.35.0
  summary:
    criticalCount: 2
    highCount: 0
    lowCount: 0
    mediumCount: 0
    unknownCount: 0
  vulnerabilities:
    - cvss:
        nvd:
          V2Score: 4.6
          V2Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
          V3Score: 5.7
          V3Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
        redhat:
          V3Score: 5.7
          V3Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
      description: 'APT had several integer overflows and underflows while parsing .deb
        packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc,
        apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt
        1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior
        to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0
        versions prior to 2.1.10ubuntu0.1;'
      fixedVersion: 1.8.2.2
      installedVersion: 1.8.2
      links:
        - https://access.redhat.com/security/cve/CVE-2020-27350
        - https://bugs.launchpad.net/bugs/1899193
        - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27350
        - https://security.netapp.com/advisory/ntap-20210108-0005/
        - https://ubuntu.com/security/notices/USN-4667-1
        - https://ubuntu.com/security/notices/USN-4667-2
        - https://usn.ubuntu.com/usn/usn-4667-1
        - https://www.debian.org/security/2020/dsa-480
      primaryLink: https://avd.aquasec.com/nvd/cve-2020-27350
      resource: apt
      severity: MEDIUM
      target: nginx:1.16 (debian 10.3)
      title: 'apt: integer overflows and underflows while parsing .deb packages'
      vulnerabilityID: CVE-2020-27350
    - cvss:
        nvd:
          V2Score: 4.3
          V2Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
          V3Score: 5.5
          V3Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
      description: Missing input validation in the ar/tar implementations of APT before
        version 2.1.2 could result in denial of service when processing specially crafted
        deb files.
      fixedVersion: 1.8.2.1
      installedVersion: 1.8.2
      links:
        - https://bugs.launchpad.net/bugs/1878177
        - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3810
        - https://github.com/Debian/apt/issues/111
        - https://github.com/julian-klode/apt/commit/de4efadc3c92e26d37272fd310be148ec61dcf36
        - https://lists.debian.org/debian-security-announce/2020/msg00089.html
        - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U4PEH357MZM2SUGKETMEHMSGQS652QHH/
        - https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6
        - https://salsa.debian.org/jak/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6
        - https://tracker.debian.org/news/1144109/accepted-apt-212-source-into-unstable/
        - https://ubuntu.com/security/notices/USN-4359-1
        - https://ubuntu.com/security/notices/USN-4359-2
        - https://usn.ubuntu.com/4359-1/
        - https://usn.ubuntu.com/4359-2/
      primaryLink: https://avd.aquasec.com/nvd/cve-2020-3810
      resource: apt
      severity: MEDIUM
      target: nginx:1.16 (debian 10.3)
      title: Missing input validation in the ar/tar implementations of APT before v
        ...
      vulnerabilityID: CVE-2020-3810
```
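As an added example (not part of trivy-operator or its documentation), the following Python script performs the checks a platform team typically runs over a report fetched with kubectl get vulnerabilityreport <name> -o json: it rebuilds the expected object name from the labels using the <workload kind>-<workload name>-<container name> convention described at the top of this page, recomputes the per-severity summary from the vulnerability list and reports any field that disagrees, separates findings that carry a fixedVersion from those that do not, and measures the serialized object against the 1.5 MiB etcd payload limit mentioned above. The embedded JSON is constructed to mirror the first listing on this page; the function names, the SEVERITIES tuple and ETCD_PAYLOAD_LIMIT are this example's own assumptions, not part of the schema.

```python
"""Consistency checks over a trivy-operator VulnerabilityReport (added example)."""
import json

# Constructed sample: the first listing on this page, in the JSON shape that
# `kubectl get vulnerabilityreport <name> -o json` returns. Only the fields the
# checks below need are included.
SAMPLE_REPORT_JSON = """
{
  "apiVersion": "aquasecurity.github.io/v1alpha1",
  "kind": "VulnerabilityReport",
  "metadata": {
    "name": "replicaset-nginx-6d4cf56db6-nginx",
    "namespace": "default",
    "labels": {
      "trivy-operator.container.name": "nginx",
      "trivy-operator.resource.kind": "ReplicaSet",
      "trivy-operator.resource.name": "nginx-6d4cf56db6",
      "trivy-operator.resource.namespace": "default"
    }
  },
  "report": {
    "artifact": {"repository": "library/nginx", "tag": "1.16"},
    "summary": {"criticalCount": 2, "highCount": 0, "lowCount": 0,
                "mediumCount": 0, "unknownCount": 0},
    "vulnerabilities": [
      {"vulnerabilityID": "CVE-2019-20367", "resource": "libbsd0",
       "installedVersion": "0.9.1-2", "fixedVersion": "0.9.1-2+deb10u1",
       "severity": "CRITICAL", "score": 9.1},
      {"vulnerabilityID": "CVE-2018-25009", "resource": "libwebp6",
       "installedVersion": "0.6.1-2", "fixedVersion": "",
       "severity": "CRITICAL", "score": 9.1}
    ]
  }
}
"""

# Default etcd request payload limit quoted on this page (1.5 MiB). Assumed
# name; the value is an upper bound on the whole stored object.
ETCD_PAYLOAD_LIMIT = int(1.5 * 1024 * 1024)

# Severity buckets as they appear in the report's summary block.
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")


def expected_report_name(labels):
    """Rebuild <workload kind>-<workload name>-<container name> from the labels."""
    kind = labels["trivy-operator.resource.kind"].lower()
    workload = labels["trivy-operator.resource.name"]
    container = labels["trivy-operator.container.name"]
    return f"{kind}-{workload}-{container}"


def count_by_severity(vulns):
    """Count findings per severity; anything outside the known set is UNKNOWN."""
    counts = {s: 0 for s in SEVERITIES}
    for v in vulns:
        sev = str(v.get("severity", "UNKNOWN")).upper()
        counts[sev if sev in counts else "UNKNOWN"] += 1
    return counts


def summary_mismatches(report):
    """Return {summaryField: (reported, recomputed)} for every count that disagrees."""
    summary = report["report"].get("summary", {})
    counts = count_by_severity(report["report"].get("vulnerabilities", []))
    mismatches = {}
    for sev, recomputed in counts.items():
        key = sev.lower() + "Count"  # CRITICAL -> criticalCount
        reported = summary.get(key, 0)
        if reported != recomputed:
            mismatches[key] = (reported, recomputed)
    return mismatches


def split_by_fix(report):
    """Split vulnerability IDs into those with a fixedVersion and those without."""
    fixable, unfixed = [], []
    for v in report["report"].get("vulnerabilities", []):
        (fixable if v.get("fixedVersion") else unfixed).append(v["vulnerabilityID"])
    return fixable, unfixed


def check_report(report_json):
    """Run all checks on one report and return the findings as a dict."""
    report = json.loads(report_json)
    fixable, unfixed = split_by_fix(report)
    # Compact JSON size is a reasonable proxy for the payload the API server
    # writes to etcd; it is the number that grows when Links are enabled.
    payload_bytes = len(json.dumps(report, separators=(",", ":")).encode("utf-8"))
    return {
        "name_matches_convention":
            report["metadata"]["name"] == expected_report_name(report["metadata"]["labels"]),
        "summary_mismatches": summary_mismatches(report),
        "fixable": fixable,
        "unfixed": unfixed,
        "payload_bytes": payload_bytes,
        "over_etcd_limit": payload_bytes > ETCD_PAYLOAD_LIMIT,
    }


if __name__ == "__main__":
    for key, value in check_report(SAMPLE_REPORT_JSON).items():
        print(f"{key}: {value}")
```

Pointing the script at real output from kubectl is a quick way to catch reports whose summary drifted from their vulnerability list, to see which findings a rebuild on a newer base image would actually remove, and to spot reports approaching the etcd limit before the API server starts rejecting updates.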