trivy k8s option --scaners vuln not displaying report/scan for different components accurately

[AnaisUrlichs]

Description

When performing the following scan:

trivy k8s --scanners vuln --report summary --components workload cluster

It does not make a difference whether --components is workload or infra, the output of the report is always going to be the workload assessment but just for the infrastructure components:

Desired Behavior

I would expect there to be a difference in the vulnerability scans for the workloads and for the infrastructure. For instance, when I perform a K8s cluster scan but don't specify the vulnerability scanner, then there is a big difference between the infra scan and the workload scan.

Infra:

Workloard part:

Actual Behavior

As described before

Reproduction Steps

Trivy installed.
KinD Kubernetes cluster connected
trivy k8s --scanners vuln --report summary --components workload cluster

Target

Kubernetes

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

❯ trivy k8s --scanners vuln --report summary --components workload --debug cluster
2023-12-21T13:09:24.093Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-12-21T13:09:24.093Z	DEBUG	Ignore statuses	{"statuses": null}
2023-12-21T13:09:26.206Z	DEBUG	cache dir:  /Users/anaisurlichs/Library/Caches/trivy
2023-12-21T13:09:26.207Z	INFO	Need to update DB
2023-12-21T13:09:26.207Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-12-21T13:09:26.207Z	INFO	Downloading DB...
42.04 MiB / 42.04 MiB [-----------------------------------------------------------------------------------------------------------------------] 100.00% 13.45 MiB p/s 3.3s
2023-12-21T13:09:30.676Z	DEBUG	Updating database metadata...
2023-12-21T13:09:30.677Z	DEBUG	DB Schema: 2, UpdatedAt: 2023-12-21 12:12:32.605102755 +0000 UTC, NextUpdate: 2023-12-21 18:12:32.605102384 +0000 UTC, DownloadedAt: 2023-12-21 13:09:30.676838 +0000 UTC
208 / 208 [----------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 122 p/s

Summary Report for kind-trivy-k8s

Operating System

macOS

Version

trivy --version
Version: 0.48.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-12-21 06:11:54.97017452 +0000 UTC
  NextUpdate: 2023-12-21 12:11:54.970173949 +0000 UTC
  DownloadedAt: 2023-12-21 10:16:54.003294 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-11-20 00:42:33.024735082 +0000 UTC
  NextUpdate: 2023-11-23 00:42:33.024734962 +0000 UTC
  DownloadedAt: 2023-11-20 18:41:30.482544 +0000 UTC
Policy Bundle:
  Digest: sha256:8bfc31f3e4301ef758b6793a07e0b12b4306e0b54d03a640efb2ff5e5ef29b9e
  DownloadedAt: 2023-12-21 10:16:55.068653 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[knqyf263]

@chen-keinan Can you please take a look?

[chen-keinan]

@AnaisUrlichs its true the --compoannts=infra has more significant meaning for misconfig, the idea was to perform checks which are mainly focused on k8s core component (api-server, etcd, scheduler, Node and etc) in addition the checks has other many file config and permission checks.

maybe we can revisit conceprt of
workload = customer applications
infra = k8s core components

[itaysk]

@chen-keinan Your suggestion makes sense to me, actually this how I thought it worked until now.

on a side note, if --components is specific option to a certain use case it should be clearer. In the past I suggested target and scanner specific flags will have a naming convention with the target/scanner name as prefix. this specific case is actually both target and scanner specific i.e --k8s-misconfig-components. but in this case as you say we should just make the flag work in all cases instead of clarifying it's limitation.

also related: #5745

[knqyf263]

Now, --component is more like for the type of checks. For example, if I understand correctly, kube-apiserver is scanned regardless of the --component flag. Different checks are applied depending on --component.

We would go with Chen's suggestion for simplicity. --component=workload will not scan any core components.

[AnaisUrlichs]

Yes that all makes sense to me. Thank you for sharing the diagram.

However, @chen-keinan separately, there seems to be a bug if trivy k8s --scanners vuln --report summary --components workload cluster is providing the exact same result for --components workloads and --components infrastructure when the vulnerability scanner is set. It only shows a different output for infra and workloads if the --scanners vuln is not part of the command. wdyt?

[knqyf263]

As described above, --components affects only misconfiguration scanning now because the flag configures which misconfiguration checks are applied. The flag is actually like --k8s-misconfig-components. But ideally, it should also control vulnerability scanning, as Itay and you (and I) expected.

• Now: --components is dedicated to misconfiguration scanning
• Ideal: --components controls all security scanners (vulnerabilities, misconfiguration, etc.)

@chen-keinan This is my understanding. Please correct me if I'm wrong.

[chen-keinan]

@knqyf263 you are correct

[AnaisUrlichs]

ah sorry now I get it, thank you for clarifying