chore(deps): Bump trivy-checks (#8934)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io>
simar7
2025-05-29 06:37:47 -06:00
committed by GitHub
parent 22f040f947
commit 78e3304bbe
6 changed files with 392 additions and 24 deletions

go.mod

@@ -23,7 +23,7 @@ require (
github.com/aquasecurity/table v1.10.0
github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8
github.com/aquasecurity/tml v0.6.1
github.com/aquasecurity/trivy-checks v1.10.0
github.com/aquasecurity/trivy-checks v1.11.2-0.20250529074512-7afea1b738c4
github.com/aquasecurity/trivy-db v0.0.0-20250529093513-a12dfc204b6e
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
github.com/aquasecurity/trivy-kubernetes v0.9.0

go.sum

@@ -800,8 +800,8 @@ github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8 h1:b43UVqY
github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8/go.mod h1:wXA9k3uuaxY3yu7gxrxZDPo/04FEMJtwyecdAlYrEIo=
github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
github.com/aquasecurity/trivy-checks v1.10.0 h1:Q0FWsYy/uwvr/icRSOzNu55yDZ1ME8hZlpglNs62ZfE=
github.com/aquasecurity/trivy-checks v1.10.0/go.mod h1:/b633SOFNp8RjkxSq+FOg4SgxjklUp+BIQEyTWCnN1k=
github.com/aquasecurity/trivy-checks v1.11.2-0.20250529074512-7afea1b738c4 h1:Njp9YEU+4vqmtcb21lWfivrbiLsdYreohmWQX3+KHiU=
github.com/aquasecurity/trivy-checks v1.11.2-0.20250529074512-7afea1b738c4/go.mod h1:nT69xgRcBD4NlHwTBpWMYirpK5/Zpl8M+XDOgmjMn2k=
github.com/aquasecurity/trivy-db v0.0.0-20250529093513-a12dfc204b6e h1:+B/in1DQDGwQbKhW5pWL8XxBgnZKxXhUznylJ2NCyvs=
github.com/aquasecurity/trivy-db v0.0.0-20250529093513-a12dfc204b6e/go.mod h1:4zd4qZcjhNAHASz5I0O7qapv5h5gSJzSEaZXv/IPOGc=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=


@@ -21,8 +21,8 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 78,
"Failures": 20
"Successes": 79,
"Failures": 21
},
"Misconfigurations": [
{
@@ -1321,8 +1321,131 @@
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": null
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV118",
"AVDID": "AVD-KSV-0118",
"Title": "Default security context configured",
"Description": "Security context controls the allocation of security parameters for the pod/container/volume, ensuring the appropriate level of protection. Relying on default security context may expose vulnerabilities to potential attacks that rely on privileged access.",
"Message": "deployment nginx-deployment in default namespace is using the default security context, which allows root privileges",
"Namespace": "builtin.kubernetes.KSV118",
"Query": "data.builtin.kubernetes.KSV118.deny",
"Resolution": "To enhance security, it is strongly recommended not to rely on the default security context. Instead, it is advisable to explicitly define the required security parameters (such as runAsNonRoot, capabilities, readOnlyRootFilesystem, etc.) within the security context.",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv118",
"References": [
"https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
"https://avd.aquasec.com/misconfig/ksv118"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 18,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 18,
"Content": " containers:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcontainers\u001b[0m:",
"FirstCause": true,
"LastCause": false
},
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": false,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}


@@ -22,7 +22,7 @@
"Type": "helm",
"MisconfSummary": {
"Successes": 90,
"Failures": 8
"Failures": 9
},
"Misconfigurations": [
{
@@ -923,6 +923,135 @@
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV118",
"AVDID": "AVD-KSV-0118",
"Title": "Default security context configured",
"Description": "Security context controls the allocation of security parameters for the pod/container/volume, ensuring the appropriate level of protection. Relying on default security context may expose vulnerabilities to potential attacks that rely on privileged access.",
"Message": "deployment testchart in default namespace is using the default security context, which allows root privileges",
"Namespace": "builtin.kubernetes.KSV118",
"Query": "data.builtin.kubernetes.KSV118.deny",
"Resolution": "To enhance security, it is strongly recommended not to rely on the default security context. Instead, it is advisable to explicitly define the required security parameters (such as runAsNonRoot, capabilities, readOnlyRootFilesystem, etc.) within the security context.",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv118",
"References": [
"https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
"https://avd.aquasec.com/misconfig/ksv118"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 24,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 24,
"Content": " serviceAccountName: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mserviceAccountName\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 25,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 26,
"Content": " {}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " {}",
"FirstCause": false,
"LastCause": false
},
{
"Number": 27,
"Content": " containers:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcontainers\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": false,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": true
},
{
"Number": 33,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
}
]
},


@@ -22,7 +22,7 @@
"Type": "helm",
"MisconfSummary": {
"Successes": 88,
"Failures": 10
"Failures": 11
},
"Misconfigurations": [
{
@@ -1152,6 +1152,135 @@
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV118",
"AVDID": "AVD-KSV-0118",
"Title": "Default security context configured",
"Description": "Security context controls the allocation of security parameters for the pod/container/volume, ensuring the appropriate level of protection. Relying on default security context may expose vulnerabilities to potential attacks that rely on privileged access.",
"Message": "deployment testchart in default namespace is using the default security context, which allows root privileges",
"Namespace": "builtin.kubernetes.KSV118",
"Query": "data.builtin.kubernetes.KSV118.deny",
"Resolution": "To enhance security, it is strongly recommended not to rely on the default security context. Instead, it is advisable to explicitly define the required security parameters (such as runAsNonRoot, capabilities, readOnlyRootFilesystem, etc.) within the security context.",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv118",
"References": [
"https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
"https://avd.aquasec.com/misconfig/ksv118"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 24,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 24,
"Content": " serviceAccountName: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mserviceAccountName\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 25,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 26,
"Content": " {}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " {}",
"FirstCause": false,
"LastCause": false
},
{
"Number": 27,
"Content": " containers:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcontainers\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": false,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": true
},
{
"Number": 33,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
}
]
},


@@ -35,12 +35,8 @@ func TestScanner_ScanFS(t *testing.T) {
"AVD-KSV-0011", "AVD-KSV-0012", "AVD-KSV-0014",
"AVD-KSV-0015", "AVD-KSV-0016", "AVD-KSV-0018",
"AVD-KSV-0020", "AVD-KSV-0021", "AVD-KSV-0030",
"AVD-KSV-0104", "AVD-KSV-0106",
"AVD-KSV-0032",
"AVD-KSV-0104", "AVD-KSV-0106", "AVD-KSV-0125",
"AVD-KSV-0004",
"AVD-KSV-0035",
"AVD-KSV-0033",
"AVD-KSV-0034",
}),
},
{
@@ -53,11 +49,8 @@ func TestScanner_ScanFS(t *testing.T) {
"AVD-KSV-0015", "AVD-KSV-0016",
"AVD-KSV-0020", "AVD-KSV-0021", "AVD-KSV-0030",
"AVD-KSV-0104", "AVD-KSV-0106",
"AVD-KSV-0117", "AVD-KSV-0110",
"AVD-KSV-0032",
"AVD-KSV-0117", "AVD-KSV-0110", "AVD-KSV-0118",
"AVD-KSV-0004",
"AVD-KSV-0035",
"AVD-KSV-0033",
})(t, results)
ignored := results.GetIgnored()
@@ -77,9 +70,7 @@ func TestScanner_ScanFS(t *testing.T) {
"AVD-KSV-0118", "AVD-KSV-0012", "AVD-KSV-0106",
"AVD-KSV-0016", "AVD-KSV-0001", "AVD-KSV-0011",
"AVD-KSV-0015", "AVD-KSV-0021", "AVD-KSV-0110", "AVD-KSV-0020",
"AVD-KSV-0032",
"AVD-KSV-0004",
"AVD-KSV-0035",
}),
},
{
@@ -114,11 +105,7 @@ deny[res] {
"AVD-KSV-0015", "AVD-KSV-0016", "AVD-KSV-0018",
"AVD-KSV-0020", "AVD-KSV-0021", "AVD-KSV-0030",
"AVD-KSV-0104", "AVD-KSV-0106", "AVD-USR-ID001",
"AVD-KSV-0032",
"AVD-KSV-0004",
"AVD-KSV-0035",
"AVD-KSV-0033",
"AVD-KSV-0034",
"AVD-KSV-0004", "AVD-KSV-0125",
}),
},
{
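Review bot: The expected-ID lists in TestScanner_ScanFS drop `"AVD-KSV-0032"`, `"AVD-KSV-0033"`, `"AVD-KSV-0034"` and `"AVD-KSV-0035"` from every case while adding `"AVD-KSV-0125"` and `"AVD-KSV-0118"`, and nothing in the test or the commit message records why, so a later reader cannot distinguish a deliberate upstream change from lost coverage; the same applies to the hunks at `@@ -35`, `@@ -53` and `@@ -77`. Presumably these IDs are no longer part of the default check set in the bumped trivy-checks, but that is not visible here and should be stated once, e.g. a comment above the first list such as `// Expected IDs track the default check set of the pinned trivy-checks version; KSV-0032..0035 were dropped and KSV-0125 added with the bump to v1.11.2-0.20250529074512-7afea1b738c4`, or one sentence in the PR description. A small style point: this hunk appends `"AVD-KSV-0125"` to the `"AVD-KSV-0004"` line whereas the `@@ -35` hunk groups it with `"AVD-KSV-0104", "AVD-KSV-0106"`; keeping the grouping consistent makes future bumps easier to diff. The enclosing function starts before the first hunk and continues past this one.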