bug(misconf): Incorrect location of findings in k8s JSON scan #8072

Open
1 of 2 tasks
nikpivkin opened this issue Dec 9, 2024 Discussed in #7750 · 0 comments · May be fixed by #8073
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning

Comments

@nikpivkin
Contributor

Discussed in #7750

Originally posted by nikpivkin October 16, 2024

Description

The scan result contains incorrect misconfiguration locations. The reason is that JSON is converted to YAML before scanning, so the locations correspond to the YAML.

Desired Behavior

correct location

Actual Behavior

incorrect location

Reproduction Steps

❯ cat test.json
{
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
      "name": "hello-cpu-limit"
    },
    "spec": {
      "containers": [
        {
          "command": [
            "sh",
            "-c",
            "echo 'Hello' && sleep 1h"
          ],
          "image": "busybox",
          "name": "hello"
        }
      ]
    }
  }%

❯ trivy conf test.json
...
LOW: container should drop all
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.

See https://avd.aquasec.com/misconfig/ksv106
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 test.json:7-12
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   7 ┌     "spec": {
   8 │       "containers": [
   9 │         {
  10 │           "command": [
  11 │             "sh",
  12 └             "-c",
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
...

❯ cat test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-cpu-limit
spec:
  containers:
  - command:
    - sh
    - "-c"
    - echo 'Hello' && sleep 1h
    image: busybox
    name: hello

❯ trivy conf test.yaml
...
LOW: container should drop all
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.

See https://avd.aquasec.com/misconfig/ksv106
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 test.yaml:7-12
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   7 ┌   - command:
   8 │     - sh
   9 │     - "-c"
  10 │     - echo 'Hello' && sleep 1h
  11 │     image: busybox
  12 └     name: hello
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
...

Target

None

Scanner

None

Output Format

None

Mode

None

Debug Output

-

Operating System

macos

Version

Version: 0.56.1

Checklist
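The mechanism described in the report (findings located against the YAML produced from the JSON rather than against the JSON the user actually scanned) can be seen by resolving a Kubernetes object path directly in the JSON source. The Go program below is an added example, not Trivy code and not the fix in #8073: it walks encoding/json's token stream and uses Decoder.InputOffset to map a dotted path such as `spec.containers.0` (the container item that the reported YAML range 7-12 covers) to its lines in the manifest from the report, which in the JSON are lines 9-17. The manifest is embedded as constructed input; `Lines`, `locator` and the dotted-path convention with numeric array indices are this example's own.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// sampleJSON is the Pod manifest from the issue, embedded here as constructed input.
const sampleJSON = `{
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
      "name": "hello-cpu-limit"
    },
    "spec": {
      "containers": [
        {
          "command": [
            "sh",
            "-c",
            "echo 'Hello' && sleep 1h"
          ],
          "image": "busybox",
          "name": "hello"
        }
      ]
    }
  }`

// locator walks the JSON token stream and records the half-open byte range of every
// value, keyed by its dotted path with numeric array indices, e.g. "spec.containers.0".
type locator struct {
	src   []byte
	dec   *json.Decoder
	spans map[string][2]int
}

// nextToken returns the next token and the offset of its first byte. InputOffset only
// marks where the previous token ended, so the separators in between are skipped.
func (l *locator) nextToken() (json.Token, int, error) {
	start := int(l.dec.InputOffset())
	tok, err := l.dec.Token()
	for err == nil && start < len(l.src) && strings.IndexByte(" \t\r\n,:", l.src[start]) >= 0 {
		start++
	}
	return tok, start, err
}

// value consumes one JSON value, recursing into objects and arrays, and records the
// span of every value it visits under its path.
func (l *locator) value(path []string) error {
	tok, start, err := l.nextToken()
	if err != nil {
		return err
	}
	child := func(seg string) error { // path is copied so siblings never share a backing array
		return l.value(append(append([]string(nil), path...), seg))
	}
	switch tok {
	case json.Delim('{'):
		for l.dec.More() {
			key, _, kerr := l.nextToken() // object keys are always strings in valid JSON
			if kerr != nil {
				return kerr
			}
			if err := child(key.(string)); err != nil {
				return err
			}
		}
		_, _, err = l.nextToken() // consume the closing '}'
	case json.Delim('['):
		for i := 0; l.dec.More(); i++ {
			if err := child(strconv.Itoa(i)); err != nil {
				return err
			}
		}
		_, _, err = l.nextToken() // consume the closing ']'
	}
	if err == nil {
		l.spans[strings.Join(path, ".")] = [2]int{start, int(l.dec.InputOffset())}
	}
	return err
}

// Lines returns the 1-based first and last source line of the value at path in src.
func Lines(src []byte, path string) (first, last int, ok bool) {
	l := &locator{src: src, dec: json.NewDecoder(bytes.NewReader(src)), spans: map[string][2]int{}}
	if err := l.value(nil); err != nil {
		return 0, 0, false
	}
	s, found := l.spans[path]
	if !found {
		return 0, 0, false
	}
	lineOf := func(off int) int { return bytes.Count(src[:off], []byte{'\n'}) + 1 }
	return lineOf(s[0]), lineOf(s[1] - 1), true // s[1] is exclusive, so step back to the last byte
}

func main() {
	// The report shows the container finding at test.json:7-12, which are the YAML lines
	// after conversion; the same container object sits at different lines in the JSON.
	first, last, _ := Lines([]byte(sampleJSON), "spec.containers.0")
	fmt.Printf("spec.containers[0] in the original JSON: lines %d-%d\n", first, last)
}
```

Resolving the path against the original bytes instead of against a converted document is what keeps the reported range tied to the file the user can open; the same walk also gives scalar ranges (for example `metadata.name` on line 5), so a check that points at a single field can be located just as precisely.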

@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Dec 9, 2024
@nikpivkin nikpivkin self-assigned this Dec 11, 2024