
bug(misconf): YAML and JSON inputs of same file yield different output formats from Trivy #6485

Closed
simar7 opened this issue Apr 12, 2024 Discussed in #6289 · 0 comments · Fixed by #6490

simar7 commented Apr 12, 2024

Discussed in #6289

Originally posted by huornlmj March 8, 2024

Description

If I supply a K8s manifest in YAML format for misconfiguration scanning, Trivy will return findings which include line excerpts from the scanned manifest. For example:

31 ┌       - name: kube-rbac-proxy
32 │         securityContext:
33 │           allowPrivilegeEscalation: false
34 │           capabilities:
35 │             drop:
36 │               - "ALL"
37 │         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
38 │         args:
39 └         - "--secure-listen-address=0.0.0.0:8443"
..

However, if I convert the exact same K8s manifest from YAML to JSON and scan the JSON version with Trivy, Trivy finds the same issues but yields a report that omits the line excerpts.

Desired Behavior

Give the user the option to either include or omit line excerpts. The difference in how Trivy operates depending on YAML or JSON input helped show me that I actually prefer the results when they come from JSON, as I think the line excerpts are unnecessary clutter and I would actually like to control whether I see the excerpts or not.

Actual Behavior

Described above

Reproduction Steps

Described above.

Target

Kubernetes

Scanner

Misconfiguration

Output Format

Table

Mode

Standalone

Debug Output

Described above

Operating System

Linux

Version

$ trivy --version
Version: 0.48.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-03-08 06:09:54.29888255 +0000 UTC
  NextUpdate: 2024-03-08 12:09:54.29888228 +0000 UTC
  DownloadedAt: 2024-03-08 10:37:58.762840774 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-09-29 00:52:37.313156528 +0000 UTC
  NextUpdate: 2023-10-02 00:52:37.313156128 +0000 UTC
  DownloadedAt: 2023-09-29 15:01:46.188254631 +0000 UTC
Policy Bundle:
  Digest: sha256:cdff1bc8c97e4f5cd04782b057c00f5ea8cd81147a506ac4be76bef13710f2d3
  DownloadedAt: 2024-03-07 12:01:13.501150513 +0000 UTC

@simar7 simar7 added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Apr 12, 2024
@simar7 simar7 self-assigned this Apr 12, 2024
@simar7 simar7 added this to the v0.51.0 milestone Apr 13, 2024