feat(k8s): add support for vulnerability detection (#5268)

Signed-off-by: knqyf263 <[email protected]>
Signed-off-by: chenk <[email protected]>
Co-authored-by: DmitriyLewen <[email protected]>
Co-authored-by: chenk <[email protected]>

Author: 3 people

docs/docs/scanner/vulnerability.md

@@ -5,6 +5,7 @@ The following packages are supported.
 
 - [OS packages](#os-packages)
 - [Language-specific packages](#language-specific-packages)
+- [Kubernetes components (control plane, node and addons)](#kubernetes-components-control-plane-node-and-addons)
 
 Trivy also detects known vulnerabilities in Kubernetes components using KBOM (Kubernetes bill of Material) scanning. To learn more, see the [documentation for Kubernetes scanning](../target/kubernetes.md#KBOM).
 
@@ -106,9 +107,9 @@ Trivy can detect vulnerabilities in Kubernetes clusters and components.
 
 ### Data Sources
 
-| Vendor        | Source                                                       |
-| ------------- | ------------------------------------------------------------ |
-| Kubernetes    | [Kubernetes Official CVE feed][^1]                           |
+| Vendor        | Source                                      |
+| ------------- |---------------------------------------------|
+| Kubernetes    | [Kubernetes Official CVE feed][k8s-cve][^1] |
 
 [^1]: Some manual triage and correction has been made.
 
@@ -195,4 +196,4 @@ Currently, specifying a username and password is not supported.
 
 [nvd]: https://nvd.nist.gov/vuln
 
-[Kubernetes Official CVE feed]: https://kubernetes.io/docs/reference/issues-security/official-cve-feed/
+[k8s-cve]: https://kubernetes.io/docs/reference/issues-security/official-cve-feed/

go.mod

@@ -23,9 +23,9 @@ require (
 	github.com/aquasecurity/table v1.8.0
 	github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da
 	github.com/aquasecurity/tml v0.6.1
-	github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917
+	github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d
 	github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728
-	github.com/aquasecurity/trivy-kubernetes v0.5.7
+	github.com/aquasecurity/trivy-kubernetes v0.5.8-0.20230928134646-b414e546fe6d
 	github.com/aws/aws-sdk-go v1.45.19
 	github.com/aws/aws-sdk-go-v2 v1.21.0
 	github.com/aws/aws-sdk-go-v2/config v1.18.38

go.sum

@@ -343,12 +343,12 @@ github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da h1:pj/adfN
 github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da/go.mod h1:852lbQLpK2nCwlR4ZLYIccxYCfoQao6q9Nl6tjz54v8=
 github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
-github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917 h1:MQd7h7yUyA8UlUzhjNMzpUX0NpD7jfxmRfSKwp/Ji3E=
-github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917/go.mod h1:WJ5Qnk5ZNGWvks07GOZe2IOsuXrPfSC5c8hYGOGfrsU=
+github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d h1:fjI9mkoTUAkbGqpzt9nJsO24RAdfG+ZSiLFj0G2jO8c=
+github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d/go.mod h1:cj9/QmD9N3OZnKQMp+/DvdV+ym3HyIkd4e+F0ZM3ZGs=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728 h1:0eS+V7SXHgqoT99tV1mtMW6HL4HdoB9qGLMCb1fZp8A=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
-github.com/aquasecurity/trivy-kubernetes v0.5.7 h1:+tIrSnIkvweL+cuK0SSiYxF8EvKT3Xk1iuE9EWduV+c=
-github.com/aquasecurity/trivy-kubernetes v0.5.7/go.mod h1:e1RaMcs2R/C+eP1Pi7JyhDB7Qn1PNRg5rTVwuJL7AiE=
+github.com/aquasecurity/trivy-kubernetes v0.5.8-0.20230928134646-b414e546fe6d h1:5urHj0NMGflp/M9Ll5QlKfo0Kf6nJ01RED1HRgl0CeE=
+github.com/aquasecurity/trivy-kubernetes v0.5.8-0.20230928134646-b414e546fe6d/go.mod h1:e1RaMcs2R/C+eP1Pi7JyhDB7Qn1PNRg5rTVwuJL7AiE=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=

integration/sbom_test.go

@@ -58,6 +58,15 @@ func TestSBOM(t *testing.T) {
 			},
 			golden: "testdata/fluentd-multiple-lockfiles.json.golden",
 		},
+		{
+			name: "minikube KBOM",
+			args: args{
+				input:        "testdata/fixtures/sbom/minikube-kbom.json",
+				format:       "json",
+				artifactType: "cyclonedx",
+			},
+			golden: "testdata/minikube-kbom.json.golden",
+		},
 		{
 			name: "centos7 in in-toto attestation",
 			args: args{

integration/testdata/fixtures/db/data-source.yaml

@@ -144,3 +144,8 @@
         ID:   "cbl-mariner"
         Name: "CBL-Mariner Vulnerability Data"
         URL:  "https://github.com/microsoft/CBL-MarinerVulnerabilityData"
+    - key: k8s::Official Kubernetes CVE Feed
+      value:
+        ID:   "k8s"
+        Name: "Official Kubernetes CVE Feed"
+        URL:  "https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json"

integration/testdata/fixtures/db/k8s.yaml

@@ -0,0 +1,16 @@
+- bucket: "k8s::Official Kubernetes CVE Feed"
+  pairs:
+    - bucket: k8s.io/kubelet
+      pairs:
+        - key: CVE-2023-2431
+          value:
+            PatchedVersions:
+              - 1.24.14
+              - 1.25.9
+              - 1.26.4
+              - 1.27.1
+            VulnerableVersions:
+              - "< 1.24.14"
+              - ">= 1.25.0, < 1.25.9"
+              - ">= 1.26.0, < 1.26.4"
+              - ">= 1.27.0, < 1.27.1"

integration/testdata/fixtures/db/vulnerability.yaml

@@ -1037,6 +1037,20 @@
         ghsa: 3.0
         nvd: 3.0
         redhat: 3.0
+  - key: CVE-2023-2431
+    value:
+      Title: "Bypass of seccomp profile enforcement "
+      Description: "A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement..."
+      Severity: LOW
+      VendorSeverity:
+        k8s: 1
+      CVSS:
+        k8s:
+          V3Vector: "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
+          V3Score: 3.4
+      References:
+        - https://github.com/kubernetes/kubernetes/issues/118690
+        - https://www.cve.org/cverecord?id=CVE-2023-2431
   - key: CVE-2021-3712
     value:
       CVSS: