Merge pull request #569 from kubescape/cpe
add option to useDefaultMatchers in kubevuln
matthyx authored Jan 16, 2025
2 parents 191c136 + 33d769f commit f085cc3
Showing 4 changed files with 32 additions and 25 deletions.
@@ -41,6 +41,7 @@ data:
"keepLocal": {{ not $components.serviceDiscovery.enabled }},
"scanTimeout": "{{ .Values.kubevuln.config.scanTimeout }}",
"vexGeneration": {{ eq .Values.capabilities.vexGeneration "enable" }},
"useDefaultMatchers": {{ .Values.kubevuln.config.useDefaultMatchers }},
"continuousPostureScan": {{ $configurations.continuousScan }},
{{- if not (empty .Values.kubevuln.config.grypeDbListingURL) }}
"listingURL": "{{ .Values.kubevuln.config.grypeDbListingURL }}",
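Review bot: The new `"useDefaultMatchers"` line emits the Helm value unquoted and with no fallback, so if `.Values.kubevuln.config.useDefaultMatchers` is absent or null at render time the output becomes `"useDefaultMatchers": ,` and the whole JSON document in this ConfigMap stops parsing. That can plausibly happen on `helm upgrade --reuse-values` from a release that predates the key, or with an override file that nulls it. Judging by the `checksum/cloud-config` annotations that change across several workloads in the snapshot, this config appears to be shared, so a broken render would not be limited to kubevuln. A defaulted render is safer: `"useDefaultMatchers": {{ .Values.kubevuln.config.useDefaultMatchers | default false }},`. The JSON object and the `if` block around `listingURL` both continue outside the hunk.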
@@ -255,6 +255,7 @@ all capabilities:
"keepLocal": false,
"scanTimeout": "5m",
"vexGeneration": true,
"useDefaultMatchers": true,
"continuousPostureScan": false,
"listingURL": "http://grype-offline-db:80/listing.json",
"relevantImageVulnerabilitiesConfiguration": "enable"
@@ -1084,7 +1085,7 @@ all capabilities:
template:
metadata:
annotations:
checksum/cloud-config: d90836e1c52ac818dc8e39dc0d89601cd0d531bf0dfd90a79789f2004500ad22
checksum/cloud-config: c1f0dc8ff00eb07abf64badead35ad9c9865b493a9b983d017161664bfc7c458
checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
checksum/host-scanner-configmap: 27bc2a07421efcf5f68970eb30bd83f4f3b8ce2a2718644d7ee0a5c9d264dc5b
checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747
@@ -1852,7 +1853,7 @@ all capabilities:
template:
metadata:
annotations:
checksum/cloud-config: d90836e1c52ac818dc8e39dc0d89601cd0d531bf0dfd90a79789f2004500ad22
checksum/cloud-config: c1f0dc8ff00eb07abf64badead35ad9c9865b493a9b983d017161664bfc7c458
checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747
labels:
@@ -1903,7 +1904,7 @@ all capabilities:
value: https://foo:bar@baz:1234
- name: no_proxy
value: kubescape,kubevuln,node-agent,operator,otel-collector,kubernetes.default.svc.*,127.0.0.1,*.foo,bar.baz
image: quay.io/kubescape/kubevuln:v0.3.53
image: quay.io/kubescape/kubevuln:v0.3.54
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
@@ -2366,7 +2367,7 @@ all capabilities:
template:
metadata:
annotations:
checksum/cloud-config: d90836e1c52ac818dc8e39dc0d89601cd0d531bf0dfd90a79789f2004500ad22
checksum/cloud-config: c1f0dc8ff00eb07abf64badead35ad9c9865b493a9b983d017161664bfc7c458
checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
checksum/node-agent-config: a466fa221874bba84fb7d2397ad6f171549ae53c041c035c45da114214158585
checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747
@@ -3065,7 +3066,7 @@ all capabilities:
metadata:
annotations:
checksum/capabilities-config: 1fa4fbbf3d357c08d09770f44e3b82e81fb855589e3f3aca69e97f05d6e20f4a
checksum/cloud-config: d90836e1c52ac818dc8e39dc0d89601cd0d531bf0dfd90a79789f2004500ad22
checksum/cloud-config: c1f0dc8ff00eb07abf64badead35ad9c9865b493a9b983d017161664bfc7c458
checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
checksum/matching-rules-config: 4244067153661f0c2577cba49b0dba63db5f77acf9904663ca06610953f55e17
checksum/operator-config: c5e8d0f30f026bfd6059b9ae0a4232211488f34a55d1257c386631e5e8d0935f
@@ -5397,7 +5398,7 @@ all capabilities:
template:
metadata:
annotations:
checksum/cloud-config: d90836e1c52ac818dc8e39dc0d89601cd0d531bf0dfd90a79789f2004500ad22
checksum/cloud-config: c1f0dc8ff00eb07abf64badead35ad9c9865b493a9b983d017161664bfc7c458
checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747
checksum/synchronizer-configmap: ce6e6cd13005cb016ce932c4b8343330c199b0d85bfed657684cb413093e6493
@@ -5796,6 +5797,7 @@ default capabilities:
"keepLocal": false,
"scanTimeout": "5m",
"vexGeneration": false,
"useDefaultMatchers": false,
"continuousPostureScan": false,
"listingURL": "http://grype-offline-db:80/listing.json",
"relevantImageVulnerabilitiesConfiguration": "enable"
@@ -6461,7 +6463,7 @@ default capabilities:
template:
metadata:
annotations:
checksum/cloud-config: d7a78918f9cf1972d7a4bfb3e1e02684e90cdb728d5f6b2fab8e8951c403d418
checksum/cloud-config: 37311949e32a133a70f465c9091dc3addf733af749455321e03f5525703a5063
checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
checksum/host-scanner-configmap: 5638547ec73f645a278a716fac57288e77e6c7319729d6939bb75246e4a6e645
checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747
@@ -7172,7 +7174,7 @@ default capabilities:
template:
metadata:
annotations:
checksum/cloud-config: d7a78918f9cf1972d7a4bfb3e1e02684e90cdb728d5f6b2fab8e8951c403d418
checksum/cloud-config: 37311949e32a133a70f465c9091dc3addf733af749455321e03f5525703a5063
checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747
labels:
@@ -7219,7 +7221,7 @@ default capabilities:
name: cloud-secret
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4318
image: quay.io/kubescape/kubevuln:v0.3.53
image: quay.io/kubescape/kubevuln:v0.3.54
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
@@ -7607,7 +7609,7 @@ default capabilities:
template:
metadata:
annotations:
checksum/cloud-config: d7a78918f9cf1972d7a4bfb3e1e02684e90cdb728d5f6b2fab8e8951c403d418
checksum/cloud-config: 37311949e32a133a70f465c9091dc3addf733af749455321e03f5525703a5063
checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
checksum/node-agent-config: b63c41145cab22dc8940dbaee9ed1c00273c9fd71c3a865274186244437de025
checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747
@@ -8145,7 +8147,7 @@ default capabilities:
metadata:
annotations:
checksum/capabilities-config: d05ca000eb2ee6279d1edbff8383652425595eb097b9e8a262f04f22ded60d15
checksum/cloud-config: d7a78918f9cf1972d7a4bfb3e1e02684e90cdb728d5f6b2fab8e8951c403d418
checksum/cloud-config: 37311949e32a133a70f465c9091dc3addf733af749455321e03f5525703a5063
checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
checksum/matching-rules-config: 4244067153661f0c2577cba49b0dba63db5f77acf9904663ca06610953f55e17
checksum/operator-config: aa962c01a38229173991c14bea0bedd36ee3f095853d271664eac753f5155a70
@@ -10020,7 +10022,7 @@ default capabilities:
template:
metadata:
annotations:
checksum/cloud-config: d7a78918f9cf1972d7a4bfb3e1e02684e90cdb728d5f6b2fab8e8951c403d418
checksum/cloud-config: 37311949e32a133a70f465c9091dc3addf733af749455321e03f5525703a5063
checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747
checksum/synchronizer-configmap: eee4d8c0c03abb7b2ec348a9ade592421e69c31d66052e5fcdc0e202271b34d3
@@ -10372,6 +10374,7 @@ disable otel:
"keepLocal": false,
"scanTimeout": "5m",
"vexGeneration": false,
"useDefaultMatchers": false,
"continuousPostureScan": false,
"relevantImageVulnerabilitiesConfiguration": "enable"
}
@@ -10857,7 +10860,7 @@ disable otel:
template:
metadata:
annotations:
checksum/cloud-config: 9909982545d67928d59b6afe566c35222eb2094c84e983623dcbb115caca3199
checksum/cloud-config: 4ae906fd9cea940360abb72cb088bd6f82d009b1748dbeab14a85eef05efd049
checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
checksum/host-scanner-configmap: 5638547ec73f645a278a716fac57288e77e6c7319729d6939bb75246e4a6e645
labels:
@@ -11404,7 +11407,7 @@ disable otel:
template:
metadata:
annotations:
checksum/cloud-config: 9909982545d67928d59b6afe566c35222eb2094c84e983623dcbb115caca3199
checksum/cloud-config: 4ae906fd9cea940360abb72cb088bd6f82d009b1748dbeab14a85eef05efd049
checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
labels:
app: kubevuln
@@ -11450,7 +11453,7 @@ disable otel:
name: cloud-secret
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4318
image: quay.io/kubescape/kubevuln:v0.3.53
image: quay.io/kubescape/kubevuln:v0.3.54
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
@@ -11772,7 +11775,7 @@ disable otel:
template:
metadata:
annotations:
checksum/cloud-config: 9909982545d67928d59b6afe566c35222eb2094c84e983623dcbb115caca3199
checksum/cloud-config: 4ae906fd9cea940360abb72cb088bd6f82d009b1748dbeab14a85eef05efd049
checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
checksum/node-agent-config: b63c41145cab22dc8940dbaee9ed1c00273c9fd71c3a865274186244437de025
container.apparmor.security.beta.kubernetes.io/node-agent: unconfined
@@ -12192,7 +12195,7 @@ disable otel:
metadata:
annotations:
checksum/capabilities-config: 46f28cfeabce548d6bce6f72f157d046401b2e56872e92b39ba65a7acbd4b6ba
checksum/cloud-config: 9909982545d67928d59b6afe566c35222eb2094c84e983623dcbb115caca3199
checksum/cloud-config: 4ae906fd9cea940360abb72cb088bd6f82d009b1748dbeab14a85eef05efd049
checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
checksum/matching-rules-config: 4244067153661f0c2577cba49b0dba63db5f77acf9904663ca06610953f55e17
checksum/operator-config: aa962c01a38229173991c14bea0bedd36ee3f095853d271664eac753f5155a70
@@ -13878,7 +13881,7 @@ disable otel:
template:
metadata:
annotations:
checksum/cloud-config: 9909982545d67928d59b6afe566c35222eb2094c84e983623dcbb115caca3199
checksum/cloud-config: 4ae906fd9cea940360abb72cb088bd6f82d009b1748dbeab14a85eef05efd049
checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
checksum/synchronizer-configmap: eee4d8c0c03abb7b2ec348a9ade592421e69c31d66052e5fcdc0e202271b34d3
labels:
@@ -14149,6 +14152,7 @@ minimal capabilities:
"keepLocal": true,
"scanTimeout": "5m",
"vexGeneration": false,
"useDefaultMatchers": false,
"continuousPostureScan": false,
"relevantImageVulnerabilitiesConfiguration": "enable"
}
@@ -14530,7 +14534,7 @@ minimal capabilities:
template:
metadata:
annotations:
checksum/cloud-config: 27607013f320078e1f31ff0e5b16920f10b123bb12e5cce6edf69ed5249685b3
checksum/cloud-config: 78e0d35288b7978bc95dc0f93426b1f2677459278ad27ddd867f13661142717b
checksum/cloud-secret: f1356b6dba8ba4a01197f4030346928c33c7dab7b123a2aecaffb0630352929c
checksum/host-scanner-configmap: 5638547ec73f645a278a716fac57288e77e6c7319729d6939bb75246e4a6e645
labels:
@@ -14977,7 +14981,7 @@ minimal capabilities:
template:
metadata:
annotations:
checksum/cloud-config: 27607013f320078e1f31ff0e5b16920f10b123bb12e5cce6edf69ed5249685b3
checksum/cloud-config: 78e0d35288b7978bc95dc0f93426b1f2677459278ad27ddd867f13661142717b
checksum/cloud-secret: f1356b6dba8ba4a01197f4030346928c33c7dab7b123a2aecaffb0630352929c
labels:
app: kubevuln
@@ -15023,7 +15027,7 @@ minimal capabilities:
name: cloud-secret
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4318
image: quay.io/kubescape/kubevuln:v0.3.53
image: quay.io/kubescape/kubevuln:v0.3.54
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
@@ -15341,7 +15345,7 @@ minimal capabilities:
template:
metadata:
annotations:
checksum/cloud-config: 27607013f320078e1f31ff0e5b16920f10b123bb12e5cce6edf69ed5249685b3
checksum/cloud-config: 78e0d35288b7978bc95dc0f93426b1f2677459278ad27ddd867f13661142717b
checksum/cloud-secret: f1356b6dba8ba4a01197f4030346928c33c7dab7b123a2aecaffb0630352929c
checksum/node-agent-config: b658595793549f32aed093f8d72f18be9ec60174d15fabc8429674c14a96b12a
container.apparmor.security.beta.kubernetes.io/node-agent: unconfined
@@ -15758,7 +15762,7 @@ minimal capabilities:
metadata:
annotations:
checksum/capabilities-config: 3bd17bfa7829be49dd8e6d04b110ff841e513cf3e34b49199a1cb414347992e2
checksum/cloud-config: 27607013f320078e1f31ff0e5b16920f10b123bb12e5cce6edf69ed5249685b3
checksum/cloud-config: 78e0d35288b7978bc95dc0f93426b1f2677459278ad27ddd867f13661142717b
checksum/cloud-secret: f1356b6dba8ba4a01197f4030346928c33c7dab7b123a2aecaffb0630352929c
checksum/matching-rules-config: 4244067153661f0c2577cba49b0dba63db5f77acf9904663ca06610953f55e17
checksum/operator-config: b718f34adae5893e4846bb4cce1e40b300355a2e4b3b3fb996cb39e567319f6f
3 changes: 2 additions & 1 deletion charts/kubescape-operator/tests/snapshot_test.yaml
@@ -56,6 +56,7 @@ tests:
grypeOfflineDB.image.tag: "latest"
kubescape.serviceMonitor.enabled: true
kubescapeScheduler.scanSchedule: "1 2 3 4 5"
kubevuln.config.useDefaultMatchers: true
kubevulnScheduler.scanSchedule: "1 2 3 4 5"
nodeAgent.config.skipKernelVersionCheck: true
storage.forceVirtualCrds: true
@@ -201,4 +202,4 @@ tests:
imagePullSecret:
server: quay.io
username: foo
password: xxxxxxx
password: xxxxxxx
3 changes: 2 additions & 1 deletion charts/kubescape-operator/values.yaml
@@ -327,7 +327,7 @@ kubevuln:
image:
# -- source code: https://github.com/kubescape/kubevuln
repository: quay.io/kubescape/kubevuln
tag: v0.3.53
tag: v0.3.54
pullPolicy: IfNotPresent

replicaCount: 1
@@ -355,6 +355,7 @@ kubevuln:
maxSBOMSize: 20971520
scanTimeout: 5m # set timeout for scanning an image
grypeDbListingURL: "" # set the URL for the grype db listing, if empty the default URL will be used
useDefaultMatchers: false # set to true to use the default matchers

env:
- name: CA_MAX_VULN_SCAN_ROUTINES # TODO update the kubevuln
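Review bot: The comment on the new `useDefaultMatchers` key, "set to true to use the default matchers", only restates the key name and does not tell an operator what changes in scan results. Judging by the source branch name (`cpe`), the flag presumably switches kubevuln to the scanner's stock matcher configuration, which would change which vulnerabilities get reported; that should be confirmed against kubevuln v0.3.54 and stated here. A comment along the lines of `# true = use the scanner's default matcher configuration instead of kubevuln's own; this changes which vulnerabilities are matched, so expect different false-positive/false-negative rates` would let operators weigh the trade-off before flipping it. The `kubevuln.config` mapping begins above this hunk.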
