From 5162018df01180479e1ee12c500adf343b413e7a Mon Sep 17 00:00:00 2001 
From: Matheus Moraes Date: Fri, 12 Jan 2024 19:49:11 -0300 Subject: [PATCH] Bump dependencies and include more image details in VulnerabilityReport (#232) * fix typo * update Makefile * add .golangci.yml * extract annotation name to a const * rename parameter * update autogenerated files * update autogenerated files * update and test popeye category parser function * using fmt.Errorf instead of errors.New * extract vuln report name to a function * fix exportloopref * rename parameters * pre alloc slice * ignore .vscode * update k8s.io dependencies to v0.28.3 * add BinaryAssetsDirectory in suite_test.go * bump kube-rbac-proxy to v0.15.0 * update descriptions in plugin CRD * exclude lll linters from tests * exclude lll linter with go directive * update Makefile * bump marvin version to v0.2.1 * bump slok/kube-code-generator to v1.27.0 and regenerate client * bump trivy version to v0.48.2 and update parse functions * bump kubexns to v0.1.2 * requires digest in VulnerabilityReport * add publishedDate and lastModifiedDate fields in vulnerability report * chore: add cluster UID label in clusterissues and vulnerabilityreports --- .gitignore | 1 + .golangci.yml | 57 + Makefile | 29 +- api/zora/v1alpha1/clusterissue_types.go | 15 +- api/zora/v1alpha1/clusterscan_types.go | 8 +- .../v1alpha1/vulnerabilityreport_types.go | 41 +- api/zora/v1alpha1/zz_generated.deepcopy.go | 47 +- charts/zora/README.md | 8 +- .../crds/zora.undistro.io_clusterissues.yaml | 5 +- .../zora/crds/zora.undistro.io_clusters.yaml | 5 +- .../crds/zora.undistro.io_clusterscans.yaml | 5 +- .../crds/zora.undistro.io_customchecks.yaml | 5 +- .../zora/crds/zora.undistro.io_plugins.yaml | 21 +- ...zora.undistro.io_vulnerabilityreports.yaml | 29 +- charts/zora/templates/plugins/trivy.yaml | 1 - charts/zora/values.yaml | 8 +- cmd/main.go | 4 +- .../bases/zora.undistro.io_clusterissues.yaml | 3 +- .../crd/bases/zora.undistro.io_clusters.yaml | 3 +- .../bases/zora.undistro.io_clusterscans.yaml | 3 +- 
.../bases/zora.undistro.io_customchecks.yaml | 3 +- .../crd/bases/zora.undistro.io_plugins.yaml | 19 +- ...zora.undistro.io_vulnerabilityreports.yaml | 27 +- config/default/manager_auth_proxy_patch.yaml | 2 +- config/rbac/role.yaml | 1 - .../samples/zora_v1alpha1_plugin_marvin.yaml | 2 +- .../samples/zora_v1alpha1_plugin_trivy.yaml | 3 +- docs/plugins/index.md | 4 +- docs/plugins/marvin.md | 2 +- docs/plugins/trivy.md | 2 +- go.mod | 113 +- go.sum | 338 +++--- .../controller/zora/clusterscan_controller.go | 1 + internal/controller/zora/suite_test.go | 10 + pkg/clientset/versioned/doc.go | 4 - .../typed/zora/v1alpha1/fake/fake_cluster.go | 5 +- .../zora/v1alpha1/fake/fake_clusterissue.go | 5 +- .../zora/v1alpha1/fake/fake_clusterscan.go | 5 +- .../v1alpha1/fake/fake_vulnerabilityreport.go | 5 +- pkg/discovery/zz_generated.deepcopy.go | 1 - pkg/kubeconfig/config.go | 4 +- pkg/plugins/cronjob.go | 34 +- pkg/worker/config.go | 1 + pkg/worker/config_test.go | 13 +- pkg/worker/misconfig.go | 18 +- pkg/worker/misconfig_test.go | 106 +- pkg/worker/report/marvin/parse.go | 2 +- pkg/worker/report/marvin/urls.go | 1 + pkg/worker/report/popeye/parse.go | 2 +- pkg/worker/report/popeye/parse_types.go | 151 +-- pkg/worker/report/popeye/parse_types_test.go | 192 ++++ pkg/worker/report/trivy/parse.go | 83 +- pkg/worker/report/trivy/parse_test.go | 283 +++-- pkg/worker/report/trivy/testdata/report.json | 999 +++++++++++++++++- pkg/worker/vuln.go | 16 +- pkg/worker/vuln_test.go | 284 +++-- 56 files changed, 2250 insertions(+), 789 deletions(-) create mode 100644 .golangci.yml delete mode 100644 pkg/clientset/versioned/doc.go create mode 100644 pkg/worker/report/popeye/parse_types_test.go diff --git a/.gitignore b/.gitignore index 39c430fa..dbe7938e 100644 --- a/.gitignore +++ b/.gitignore @@ -20,6 +20,7 @@ Dockerfile.cross # editor and IDE paraphernalia .idea +.vscode *.swp *.swo *~ diff --git a/.golangci.yml b/.golangci.yml new file mode 100644 index 00000000..d7f44155 --- /dev/null 
+++ b/.golangci.yml @@ -0,0 +1,57 @@ +# Copyright 2024 Undistro Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +run: + deadline: 5m + allow-parallel-runners: true + +issues: + # don't skip warning about doc comments + # don't exclude the default set of lint + exclude-use-default: false + # restore some of the defaults + # (fill in the rest as needed) + exclude-rules: + - path: "api/*" + linters: + - lll + - path: "internal/*" + linters: + - dupl + - lll + - path: "_test.go" + linters: + - lll +linters: + disable-all: true + enable: + - dupl + - errcheck + - exportloopref + - goconst + - gocyclo + - gofmt + - goimports + - gosimple + - govet + - ineffassign + - lll + - misspell + - nakedret + - prealloc + - staticcheck + - typecheck + - unconvert + - unparam + - unused diff --git a/Makefile b/Makefile index 92dbab36..25f1a969 100644 --- a/Makefile +++ b/Makefile @@ -61,7 +61,7 @@ generate-client: ## Generate client -e GROUPS_VERSION="zora:v1alpha1" \ -e GENERATION_TARGETS="client" \ -e BOILERPLATE_PATH="hack/boilerplate.go.txt" \ - quay.io/slok/kube-code-generator:v1.26.0 + ghcr.io/slok/kube-code-generator:v1.27.0 .PHONY: generate-helm-docs generate-helm-docs: helm-docs ## Generate documentation for helm chart. 
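Review bot: `run: deadline: 5m` uses a key golangci-lint has deprecated in favour of `timeout`; at the v1.54.2 pinned in the Makefile the run still works but emits a deprecation warning, so `timeout: 5m` is the key to use. The `enable:` list is all style and correctness linters with no `gosec`, which is a noticeable gap for a project whose output is security findings; adding `- gosec` (with an `exclude-rules` entry for `_test.go` if it proves noisy) would catch unchecked file permissions, unbounded reads and similar issues in `pkg/worker`. Also note that `path:` in `exclude-rules` is a regular expression, not a glob, so `"api/*"` means "api followed by zero or more slashes" and matches anywhere in the path; `^api/` and `^internal/` express what is presumably intended.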
@@ -83,6 +83,14 @@ check-license: ## Check license headers. test: manifests generate fmt vet envtest ## Run tests. KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out +.PHONY: lint +lint: golangci-lint ## Run golangci-lint linter & yamllint + $(GOLANGCI_LINT) run + +.PHONY: lint-fix +lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes + $(GOLANGCI_LINT) run --fix + ##@ Build .PHONY: build @@ -192,14 +200,15 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest ADDLICENSE ?= $(LOCALBIN)/addlicense HELM_DOCS ?= $(LOCALBIN)/helm-docs KIND ?= $(LOCALBIN)/kind +GOLANGCI_LINT = $(LOCALBIN)/golangci-lint ## Tool Versions -KUSTOMIZE_VERSION ?= v5.0.0 -CONTROLLER_TOOLS_VERSION ?= v0.11.3 -HELM_DOCS_VERSION ?= v1.11.2 +KUSTOMIZE_VERSION ?= v5.2.1 +CONTROLLER_TOOLS_VERSION ?= v0.13.0 +HELM_DOCS_VERSION ?= v1.12.0 KIND_VERSION ?= v0.20.0 +GOLANGCI_LINT_VERSION ?= v1.54.2 -KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" .PHONY: kustomize kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading. $(KUSTOMIZE): $(LOCALBIN) @@ -207,7 +216,7 @@ $(KUSTOMIZE): $(LOCALBIN) echo "$(LOCALBIN)/kustomize version is not expected $(KUSTOMIZE_VERSION). Removing it before installing."; \ rm -rf $(LOCALBIN)/kustomize; \ fi - test -s $(LOCALBIN)/kustomize || { curl -Ss $(KUSTOMIZE_INSTALL_SCRIPT) --output install_kustomize.sh && bash install_kustomize.sh $(subst v,,$(KUSTOMIZE_VERSION)) $(LOCALBIN); rm install_kustomize.sh; } + test -s $(LOCALBIN)/kustomize || GOBIN=$(LOCALBIN) GO111MODULE=on go install sigs.k8s.io/kustomize/kustomize/v5@$(KUSTOMIZE_VERSION) .PHONY: controller-gen controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. If wrong version is installed, it will be overwritten. 
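Review bot: `GOLANGCI_LINT = $(LOCALBIN)/golangci-lint` is the only tool path in this block declared with `=`; every sibling (`ENVTEST`, `ADDLICENSE`, `HELM_DOCS`, `KIND`) uses `?=`, so this one cannot be overridden from the environment like the others — `GOLANGCI_LINT ?= $(LOCALBIN)/golangci-lint` keeps them consistent. The help text `## Run golangci-lint linter & yamllint` on the new `lint` target promises yamllint, but the recipe only runs `$(GOLANGCI_LINT) run`; either drop "& yamllint" from the comment or add the call. Replacing the `curl` of `install_kustomize.sh` from `master` with `go install ...@$(KUSTOMIZE_VERSION)` is a good supply-chain improvement, since the installed binary is now fully determined by the pinned version and `go.sum` verification.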
@@ -234,3 +243,11 @@ $(HELM_DOCS): $(LOCALBIN) kind: $(KIND) ## Download kind locally if necessary $(KIND): $(LOCALBIN) test -s $(LOCALBIN)/kind || GOBIN=$(LOCALBIN) go install sigs.k8s.io/kind@$(KIND_VERSION) + +.PHONY: golangci-lint +golangci-lint: $(GOLANGCI_LINT) ## Download golangci-lint locally if necessary +$(GOLANGCI_LINT): $(LOCALBIN) + @[ -f $(GOLANGCI_LINT) ] || { \ + set -e ;\ + curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(shell dirname $(GOLANGCI_LINT)) $(GOLANGCI_LINT_VERSION) ;\ + } diff --git a/api/zora/v1alpha1/clusterissue_types.go b/api/zora/v1alpha1/clusterissue_types.go index 98c769b5..8bb01881 100644 --- a/api/zora/v1alpha1/clusterissue_types.go +++ b/api/zora/v1alpha1/clusterissue_types.go @@ -28,13 +28,14 @@ const ( SeverityMedium ClusterIssueSeverity = "Medium" SeverityHigh ClusterIssueSeverity = "High" - LabelScanID = "scanID" - LabelCluster = "cluster" - LabelSeverity = "severity" - LabelIssueID = "id" - LabelCategory = "category" - LabelPlugin = "plugin" - LabelCustom = "custom" + LabelScanID = "scanID" + LabelCluster = "cluster" + LabelClusterUID = "clusterUID" + LabelSeverity = "severity" + LabelIssueID = "id" + LabelCategory = "category" + LabelPlugin = "plugin" + LabelCustom = "custom" ) // ClusterIssueSpec defines the desired state of ClusterIssue diff --git a/api/zora/v1alpha1/clusterscan_types.go b/api/zora/v1alpha1/clusterscan_types.go index ba3ebf0c..f3b7fe99 100644 --- a/api/zora/v1alpha1/clusterscan_types.go +++ b/api/zora/v1alpha1/clusterscan_types.go 
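Review bot: The new `golangci-lint` target pipes `https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh` straight into `sh`, so the installer script itself is unpinned and changes with upstream `master` even though the binary version is pinned — the very pattern this same patch removed for kustomize. Either pin the script to the tagged ref, `.../golangci-lint/$(GOLANGCI_LINT_VERSION)/install.sh`, or mirror the kustomize change with `test -s $(GOLANGCI_LINT) || GOBIN=$(LOCALBIN) go install github.com/golangci/golangci-lint/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION)` (upstream documents `go install` as supported though not its preferred method). The `@[ -f $(GOLANGCI_LINT) ]` guard also means a previously installed binary of a different version is silently kept, whereas the `$(KUSTOMIZE)` target above it checks the version and reinstalls on mismatch; a `$(GOLANGCI_LINT) --version | grep -q $(GOLANGCI_LINT_VERSION)` check would close that gap.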
@@ -120,11 +120,11 @@ func (in *ClusterScanStatus) GetPluginStatus(name string) *PluginScanStatus { // SyncStatus updates ClusterScan status and time fields based on PluginStatus func (in *ClusterScanStatus) SyncStatus() { var names, failed, active, complete []string - var sechedule, finishedTime, successful, next *metav1.Time + var schedule, finishedTime, successful, next *metav1.Time for name, plugin := range in.Plugins { names = append(names, name) - if sechedule == nil || sechedule.Before(plugin.LastScheduleTime) { - sechedule = plugin.LastScheduleTime + if schedule == nil || schedule.Before(plugin.LastScheduleTime) { + schedule = plugin.LastScheduleTime } if finishedTime == nil || finishedTime.Before(plugin.LastFinishedTime) { finishedTime = plugin.LastFinishedTime @@ -159,7 +159,7 @@ func (in *ClusterScanStatus) SyncStatus() { status = "Active" } - in.LastScheduleTime = sechedule + in.LastScheduleTime = schedule in.LastFinishedTime = finishedTime in.LastSuccessfulTime = successful in.NextScheduleTime = next diff --git a/api/zora/v1alpha1/vulnerabilityreport_types.go b/api/zora/v1alpha1/vulnerabilityreport_types.go index 177cf144..e1aa88a5 100644 --- a/api/zora/v1alpha1/vulnerabilityreport_types.go +++ b/api/zora/v1alpha1/vulnerabilityreport_types.go @@ -20,11 +20,13 @@ import ( // VulnerabilityReportSpec defines the desired state of VulnerabilityReport type VulnerabilityReportSpec struct { - Cluster string `json:"cluster"` - Image string `json:"image"` - Repository string `json:"repository,omitempty"` - Tag string `json:"tag,omitempty"` - Digest string `json:"digest,omitempty"` + Cluster string `json:"cluster"` + Image string `json:"image"` + Digest string `json:"digest"` + Tags []string `json:"tags,omitempty"` + Architecture string `json:"architecture,omitempty"` + OS string `json:"os,omitempty"` + Distro *Distro `json:"distro,omitempty"` TotalResources int `json:"totalResources"` Resources map[string][]string `json:"resources"` 
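Review bot: Dropping `omitempty` from `Digest` makes the key required in the generated CRD, but OpenAPI `required` only checks presence, so `digest: ""` still validates and an unpinned report can be stored; a `// +kubebuilder:validation:MinLength=1` marker on `Digest string \`json:"digest"\`` is what actually enforces that every VulnerabilityReport names the image content that was scanned. Because `repository` and `tag` are removed from the schema and `digest` becomes required, VulnerabilityReport objects persisted by an earlier release will have those fields pruned on read and will be rejected on their next update if they lack a digest — since this stays within `v1alpha1` with no conversion, the chart notes or release notes should say existing reports must be deleted and regenerated. None of the new fields (`Tags`, `Architecture`, `OS`, `Distro`) carry a doc comment, so the generated CRD has no `description` for them, as the vulnerabilityreports CRD hunk later in this patch shows.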
@@ -34,17 +36,24 @@ type VulnerabilityReportSpec struct { } type Vulnerability struct { - ID string `json:"id"` - Severity string `json:"severity"` - Title string `json:"title"` - Description string `json:"description,omitempty"` - Package string `json:"package"` - Version string `json:"version"` - FixVersion string `json:"fixVersion,omitempty"` - URL string `json:"url,omitempty"` - Status string `json:"status,omitempty"` - Type string `json:"type,omitempty"` - Score string `json:"score,omitempty"` + ID string `json:"id"` + Severity string `json:"severity"` + Title string `json:"title"` + Description string `json:"description,omitempty"` + Package string `json:"package"` + Version string `json:"version"` + FixVersion string `json:"fixVersion,omitempty"` + URL string `json:"url,omitempty"` + Status string `json:"status,omitempty"` + Type string `json:"type,omitempty"` + Score string `json:"score,omitempty"` + PublishedDate *metav1.Time `json:"publishedDate,omitempty"` + LastModifiedDate *metav1.Time `json:"lastModifiedDate,omitempty"` +} + +type Distro struct { + Name string `json:"name,omitempty"` + Version string `json:"version,omitempty"` } type VulnerabilitySummary struct { diff --git a/api/zora/v1alpha1/zz_generated.deepcopy.go b/api/zora/v1alpha1/zz_generated.deepcopy.go index f8ac7a43..45d06296 100644 --- a/api/zora/v1alpha1/zz_generated.deepcopy.go +++ b/api/zora/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated // Copyright 2023 Undistro Authors // @@ -125,7 +124,8 @@ func (in *ClusterIssueSpec) DeepCopyInto(out *ClusterIssueSpec) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = make([]string, len(*in)) copy(*out, *in) } 
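Review bot: The new exported type `Distro` and the new fields `PublishedDate` and `LastModifiedDate` have no doc comments, so `controller-gen` emits no `description` for them and users of `kubectl explain vulnerabilityreport.spec.vulnerabilities` get only `format: date-time`. Suggested comments: `// Distro is the operating system distribution detected in the scanned image.` on the type, and `// PublishedDate is the time the vulnerability was first published by its source, as reported by the scanner.` / `// LastModifiedDate is the time the vulnerability record was last updated by its source.` on the two fields — the source of these dates is the trivy output parsed in `pkg/worker/report/trivy/parse.go`, which is outside this hunk, so confirm the wording against it. Using `*metav1.Time` rather than `string` is the right choice here since it gives the API server `date-time` validation rather than accepting arbitrary scanner strings.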
@@ -300,7 +300,8 @@ func (in *ClusterScanStatus) DeepCopyInto(out *ClusterScanStatus) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(PluginScanStatus) (*in).DeepCopyInto(*out) } @@ -486,6 +487,21 @@ func (in *CustomCheckStatus) DeepCopy() *CustomCheckStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Distro) DeepCopyInto(out *Distro) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Distro. +func (in *Distro) DeepCopy() *Distro { + if in == nil { + return nil + } + out := new(Distro) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Match) DeepCopyInto(out *Match) { *out = *in @@ -728,6 +744,14 @@ func (in *Validation) DeepCopy() *Validation { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Vulnerability) DeepCopyInto(out *Vulnerability) { *out = *in + if in.PublishedDate != nil { + in, out := &in.PublishedDate, &out.PublishedDate + *out = (*in).DeepCopy() + } + if in.LastModifiedDate != nil { + in, out := &in.LastModifiedDate, &out.LastModifiedDate + *out = (*in).DeepCopy() + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Vulnerability. 
@@ -802,6 +826,16 @@ func (in *VulnerabilityReportList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *VulnerabilityReportSpec) DeepCopyInto(out *VulnerabilityReportSpec) { *out = *in + if in.Tags != nil { + in, out := &in.Tags, &out.Tags + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Distro != nil { + in, out := &in.Distro, &out.Distro + *out = new(Distro) + **out = **in + } if in.Resources != nil { in, out := &in.Resources, &out.Resources *out = make(map[string][]string, len(*in)) @@ -810,7 +844,8 @@ func (in *VulnerabilityReportSpec) DeepCopyInto(out *VulnerabilityReportSpec) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = make([]string, len(*in)) copy(*out, *in) } @@ -820,7 +855,9 @@ func (in *VulnerabilityReportSpec) DeepCopyInto(out *VulnerabilityReportSpec) { if in.Vulnerabilities != nil { in, out := &in.Vulnerabilities, &out.Vulnerabilities *out = make([]Vulnerability, len(*in)) - copy(*out, *in) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } out.Summary = in.Summary } diff --git a/charts/zora/README.md b/charts/zora/README.md index 6ec942cd..2c894471 100644 --- a/charts/zora/README.md +++ b/charts/zora/README.md 
@@ -82,7 +82,7 @@ The following table lists the configurable parameters of the Zora chart and thei | operator.serviceMonitor.enabled | bool | `false` | Specifies whether a Prometheus `ServiceMonitor` should be enabled | | operator.resources | object | `{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `manager` container | | operator.rbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | `kube-rbac-proxy` image repository | -| operator.rbacProxy.image.tag | string | `"v0.14.1"` | `kube-rbac-proxy` image tag | +| operator.rbacProxy.image.tag | string | `"v0.15.0"` | `kube-rbac-proxy` image tag | | operator.rbacProxy.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | | operator.rbacProxy.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context) to add to `kube-rbac-proxy` container | | operator.rbacProxy.resources | object | `{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"5m","memory":"64Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `kube-rbac-proxy` container | 
@@ -105,18 +105,18 @@ The following table lists the configurable parameters of the Zora chart and thei | scan.worker.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | | scan.plugins.marvin.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `marvin` container | | scan.plugins.marvin.image.repository | string | `"ghcr.io/undistro/marvin"` | marvin plugin image repository | -| scan.plugins.marvin.image.tag | string | `"v0.2.0"` | marvin plugin image tag | +| scan.plugins.marvin.image.tag | string | `"v0.2.1"` | marvin plugin image tag | | scan.plugins.trivy.ignoreUnfixed | bool | `false` | Specifies whether only fixed vulnerabilities should be reported | | scan.plugins.trivy.ignoreDescriptions | bool | `false` | Specifies whether vulnerability descriptions should be ignored | | scan.plugins.trivy.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `trivy` container | | scan.plugins.trivy.image.repository | string | `"ghcr.io/aquasecurity/trivy"` | trivy plugin image repository | -| scan.plugins.trivy.image.tag | string | `"0.45.1"` | trivy plugin image tag | +| scan.plugins.trivy.image.tag | string | `"0.48.2"` | trivy plugin image tag | | scan.plugins.popeye.skipInternalResources | bool | `false` | Specifies whether the following resources should be skipped by `popeye` scans. 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces; 2. kubernetes system reserved RBAC (prefixed with `system:`); 3. `kube-root-ca.crt` configmaps; 4. `default` namespace; 5. `default` serviceaccounts; 6. Helm secrets (prefixed with `sh.helm.release`); 7. Zora components. 
See `popeye` configuration file that is used for this case: https://github.com/undistro/zora/blob/main/charts/zora/templates/plugins/popeye-config.yaml | | scan.plugins.popeye.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `popeye` container | | scan.plugins.popeye.image.repository | string | `"ghcr.io/undistro/popeye"` | popeye plugin image repository | | scan.plugins.popeye.image.tag | string | `"pr252"` | popeye plugin image tag | | kubexnsImage.repository | string | `"ghcr.io/undistro/kubexns"` | kubexns image repository | -| kubexnsImage.tag | string | `"v0.1.1"` | kubexns image tag | +| kubexnsImage.tag | string | `"v0.1.2"` | kubexns image tag | | customChecksConfigMap | string | `"zora-custom-checks"` | Custom checks ConfigMap name | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, diff --git a/charts/zora/crds/zora.undistro.io_clusterissues.yaml b/charts/zora/crds/zora.undistro.io_clusterissues.yaml index c6bf2bfe..802bf347 100644 --- a/charts/zora/crds/zora.undistro.io_clusterissues.yaml +++ b/charts/zora/crds/zora.undistro.io_clusterissues.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Undistro Authors +# Copyright 2024 Undistro Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,8 +17,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: clusterissues.zora.undistro.io spec: group: zora.undistro.io diff --git a/charts/zora/crds/zora.undistro.io_clusters.yaml b/charts/zora/crds/zora.undistro.io_clusters.yaml index e8fd268e..c7128f3a 100644 
--- a/charts/zora/crds/zora.undistro.io_clusters.yaml +++ b/charts/zora/crds/zora.undistro.io_clusters.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Undistro Authors +# Copyright 2024 Undistro Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,8 +17,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: clusters.zora.undistro.io spec: group: zora.undistro.io diff --git a/charts/zora/crds/zora.undistro.io_clusterscans.yaml b/charts/zora/crds/zora.undistro.io_clusterscans.yaml index 1412fa45..ad2923f1 100644 --- a/charts/zora/crds/zora.undistro.io_clusterscans.yaml +++ b/charts/zora/crds/zora.undistro.io_clusterscans.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Undistro Authors +# Copyright 2024 Undistro Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,8 +17,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: clusterscans.zora.undistro.io spec: group: zora.undistro.io diff --git a/charts/zora/crds/zora.undistro.io_customchecks.yaml b/charts/zora/crds/zora.undistro.io_customchecks.yaml index 1909dbc1..b24b0858 100644 --- a/charts/zora/crds/zora.undistro.io_customchecks.yaml +++ b/charts/zora/crds/zora.undistro.io_customchecks.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Undistro Authors +# Copyright 2024 Undistro Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,8 +17,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: customchecks.zora.undistro.io spec: group: zora.undistro.io diff --git a/charts/zora/crds/zora.undistro.io_plugins.yaml b/charts/zora/crds/zora.undistro.io_plugins.yaml index d19f1ed3..61af8c2d 100644 --- a/charts/zora/crds/zora.undistro.io_plugins.yaml +++ b/charts/zora/crds/zora.undistro.io_plugins.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Undistro Authors +# Copyright 2024 Undistro Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,8 +17,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: plugins.zora.undistro.io spec: group: zora.undistro.io @@ -409,7 +408,8 @@ spec: in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile - location. Must only be set if type is "Localhost". + location. Must be set if type is "Localhost". Must NOT be + set for any other type. type: string type: description: "type indicates which kind of seccomp profile 
@@ -440,14 +440,11 @@ spec: type: string hostProcess: description: HostProcess determines if a container should - be run as a 'Host Process' container. This field is alpha-level - and will only be honored by components that enable the WindowsHostProcessContainers - feature flag. Setting this field without the feature flag - will result in errors when validating the Pod. All of a - Pod's containers must have the same effective HostProcess - value (it is not allowed to have a mix of HostProcess containers - and non-HostProcess containers). In addition, if HostProcess - is true then HostNetwork must also be set to true. + be run as a 'Host Process' container. All of a Pod's containers + must have the same effective HostProcess value (it is not + allowed to have a mix of HostProcess containers and non-HostProcess + containers). In addition, if HostProcess is true then HostNetwork + must also be set to true. type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint diff --git a/charts/zora/crds/zora.undistro.io_vulnerabilityreports.yaml b/charts/zora/crds/zora.undistro.io_vulnerabilityreports.yaml index a9c978f6..2e3ed886 100644 --- a/charts/zora/crds/zora.undistro.io_vulnerabilityreports.yaml +++ b/charts/zora/crds/zora.undistro.io_vulnerabilityreports.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Undistro Authors +# Copyright 2024 Undistro Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,8 +17,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: vulnerabilityreports.zora.undistro.io spec: group: zora.undistro.io 
@@ -85,13 +84,22 @@ spec: spec: description: VulnerabilityReportSpec defines the desired state of VulnerabilityReport properties: + architecture: + type: string cluster: type: string digest: type: string + distro: + properties: + name: + type: string + version: + type: string + type: object image: type: string - repository: + os: type: string resources: additionalProperties: @@ -121,8 +129,10 @@ spec: - total - unknown type: object - tag: - type: string + tags: + items: + type: string + type: array totalResources: type: integer vulnerabilities: @@ -134,8 +144,14 @@ spec: type: string id: type: string + lastModifiedDate: + format: date-time + type: string package: type: string + publishedDate: + format: date-time + type: string score: type: string severity: @@ -160,6 +176,7 @@ spec: type: array required: - cluster + - digest - image - resources - summary diff --git a/charts/zora/templates/plugins/trivy.yaml b/charts/zora/templates/plugins/trivy.yaml index 22c344c9..cd9b025e 100644 --- a/charts/zora/templates/plugins/trivy.yaml +++ b/charts/zora/templates/plugins/trivy.yaml @@ -40,7 +40,6 @@ spec: --no-progress \ --all-namespaces \ --scanners=vuln \ - --report=summary \ -f=json \ {{- if .Values.scan.plugins.trivy.ignoreUnfixed }} --ignore-unfixed \ diff --git a/charts/zora/values.yaml b/charts/zora/values.yaml index 44aeafae..a9728226 100644 --- a/charts/zora/values.yaml +++ b/charts/zora/values.yaml @@ -109,7 +109,7 @@ operator: # -- `kube-rbac-proxy` image repository repository: gcr.io/kubebuilder/kube-rbac-proxy # -- `kube-rbac-proxy` image tag - tag: v0.14.1 + tag: v0.15.0 # -- Image pull policy pullPolicy: IfNotPresent # -- [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context) to add to `kube-rbac-proxy` container 
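Review bot: Removing `--report=summary` from the `trivy k8s` command switches the plugin to trivy's full report, which carries the per-resource vulnerability list for every image in the cluster, so JSON size and trivy's peak memory now scale with the number of distinct images; this template has no comment explaining that, and the chart README in this same patch still shows `scan.plugins.trivy.resources` defaulting to `{}`, i.e. no limits at all. A line such as `# full report (not --report=summary) is required: the worker parses per-image vulnerabilities from it` above the command would record why the flag must stay off, and a sane default memory request/limit for the trivy container, or at least a README caveat for large clusters, would keep an OOM-killed scan from silently producing no VulnerabilityReports. Since the parse functions were changed for the new shape (per the commit message; not in view), users who override `scan.plugins.trivy.image.tag` to an older trivy may now get unparseable output, which is worth a note in the values comment.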
@@ -188,7 +188,7 @@ scan: # -- marvin plugin image repository repository: ghcr.io/undistro/marvin # -- marvin plugin image tag - tag: v0.2.0 + tag: v0.2.1 trivy: # -- Specifies whether only fixed vulnerabilities should be reported @@ -201,7 +201,7 @@ scan: # -- trivy plugin image repository repository: ghcr.io/aquasecurity/trivy # -- trivy plugin image tag - tag: 0.45.1 + tag: 0.48.2 popeye: # -- Specifies whether the following resources should be skipped by `popeye` scans. # 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces; @@ -231,7 +231,7 @@ kubexnsImage: # -- kubexns image repository repository: ghcr.io/undistro/kubexns # -- kubexns image tag - tag: v0.1.1 + tag: v0.1.2 # -- Custom checks ConfigMap name customChecksConfigMap: zora-custom-checks diff --git a/cmd/main.go b/cmd/main.go index a6fd66ad..f75625de 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -32,6 +32,7 @@ import ( ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" + metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" zorav1alpha1 "github.com/undistro/zora/api/zora/v1alpha1" zoracontroller "github.com/undistro/zora/internal/controller/zora" @@ -95,8 +96,7 @@ func main() { mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ Scheme: scheme, - MetricsBindAddress: metricsAddr, - Port: 9443, + Metrics: metricsserver.Options{BindAddress: metricsAddr}, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, LeaderElectionID: "e0f4eef4.zora.undistro.io", diff --git a/config/crd/bases/zora.undistro.io_clusterissues.yaml b/config/crd/bases/zora.undistro.io_clusterissues.yaml index 8da8b890..80cd7747 100644 --- a/config/crd/bases/zora.undistro.io_clusterissues.yaml +++ b/config/crd/bases/zora.undistro.io_clusterissues.yaml 
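Review bot: `Port: 9443` is removed from `ctrl.Options` with no replacement, which is correct only if this manager registers no admission webhooks; in controller-runtime v0.16 the equivalent is `WebhookServer: webhook.NewServer(webhook.Options{Port: 9443})`, and the rest of `main` where webhooks would be set up is outside this hunk, so please confirm. The new `Metrics: metricsserver.Options{BindAddress: metricsAddr}` keeps the defaults of that struct, i.e. plain HTTP with no authentication, so the endpoint is only as protected as whatever sits in front of it — presumably the kube-rbac-proxy sidecar bumped to v0.15.0 in this patch. If the metrics address is ever bound beyond the pod, `metricsserver.Options{BindAddress: metricsAddr, SecureServing: true, FilterProvider: filters.WithAuthenticationAndAuthorization}` is the in-process alternative controller-runtime now provides.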
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: clusterissues.zora.undistro.io spec: group: zora.undistro.io diff --git a/config/crd/bases/zora.undistro.io_clusters.yaml b/config/crd/bases/zora.undistro.io_clusters.yaml index d9675d2d..7d0aa2a7 100644 --- a/config/crd/bases/zora.undistro.io_clusters.yaml +++ b/config/crd/bases/zora.undistro.io_clusters.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: clusters.zora.undistro.io spec: group: zora.undistro.io diff --git a/config/crd/bases/zora.undistro.io_clusterscans.yaml b/config/crd/bases/zora.undistro.io_clusterscans.yaml index b89bd05a..2993a960 100644 --- a/config/crd/bases/zora.undistro.io_clusterscans.yaml +++ b/config/crd/bases/zora.undistro.io_clusterscans.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: clusterscans.zora.undistro.io spec: group: zora.undistro.io diff --git a/config/crd/bases/zora.undistro.io_customchecks.yaml b/config/crd/bases/zora.undistro.io_customchecks.yaml index 939e936c..593405ca 100644 --- a/config/crd/bases/zora.undistro.io_customchecks.yaml +++ b/config/crd/bases/zora.undistro.io_customchecks.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: customchecks.zora.undistro.io spec: group: zora.undistro.io 
diff --git a/config/crd/bases/zora.undistro.io_plugins.yaml b/config/crd/bases/zora.undistro.io_plugins.yaml index 9b1d5903..de84fd53 100644 --- a/config/crd/bases/zora.undistro.io_plugins.yaml +++ b/config/crd/bases/zora.undistro.io_plugins.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: plugins.zora.undistro.io spec: group: zora.undistro.io @@ -395,7 +394,8 @@ spec: in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile - location. Must only be set if type is "Localhost". + location. Must be set if type is "Localhost". Must NOT be + set for any other type. type: string type: description: "type indicates which kind of seccomp profile @@ -426,14 +426,11 @@ spec: type: string hostProcess: description: HostProcess determines if a container should - be run as a 'Host Process' container. This field is alpha-level - and will only be honored by components that enable the WindowsHostProcessContainers - feature flag. Setting this field without the feature flag - will result in errors when validating the Pod. All of a - Pod's containers must have the same effective HostProcess - value (it is not allowed to have a mix of HostProcess containers - and non-HostProcess containers). In addition, if HostProcess - is true then HostNetwork must also be set to true. + be run as a 'Host Process' container. All of a Pod's containers + must have the same effective HostProcess value (it is not + allowed to have a mix of HostProcess containers and non-HostProcess + containers). In addition, if HostProcess is true then HostNetwork + must also be set to true. type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint 
diff --git a/config/crd/bases/zora.undistro.io_vulnerabilityreports.yaml b/config/crd/bases/zora.undistro.io_vulnerabilityreports.yaml index cf30e827..e80ff2d8 100644 --- a/config/crd/bases/zora.undistro.io_vulnerabilityreports.yaml +++ b/config/crd/bases/zora.undistro.io_vulnerabilityreports.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: vulnerabilityreports.zora.undistro.io spec: group: zora.undistro.io @@ -71,13 +70,22 @@ spec: spec: description: VulnerabilityReportSpec defines the desired state of VulnerabilityReport properties: + architecture: + type: string cluster: type: string digest: type: string + distro: + properties: + name: + type: string + version: + type: string + type: object image: type: string - repository: + os: type: string resources: additionalProperties: @@ -107,8 +115,10 @@ spec: - total - unknown type: object - tag: - type: string + tags: + items: + type: string + type: array totalResources: type: integer vulnerabilities: @@ -120,8 +130,14 @@ spec: type: string id: type: string + lastModifiedDate: + format: date-time + type: string package: type: string + publishedDate: + format: date-time + type: string score: type: string severity: @@ -146,6 +162,7 @@ spec: type: array required: - cluster + - digest - image - resources - summary diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index 352b2e31..2f1414b3 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml @@ -15,7 +15,7 @@ spec: capabilities: drop: - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8080/" 
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 1c3ca96f..1fbc95be 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null name: manager-role rules: - apiGroups: diff --git a/config/samples/zora_v1alpha1_plugin_marvin.yaml b/config/samples/zora_v1alpha1_plugin_marvin.yaml index 495dd427..64e41c1b 100644 --- a/config/samples/zora_v1alpha1_plugin_marvin.yaml +++ b/config/samples/zora_v1alpha1_plugin_marvin.yaml @@ -10,7 +10,7 @@ metadata: name: marvin spec: type: misconfiguration - image: ghcr.io/undistro/marvin:v0.2.0 + image: ghcr.io/undistro/marvin:v0.2.1 resources: limits: cpu: 500m diff --git a/config/samples/zora_v1alpha1_plugin_trivy.yaml b/config/samples/zora_v1alpha1_plugin_trivy.yaml index 019f9991..6c392499 100644 --- a/config/samples/zora_v1alpha1_plugin_trivy.yaml +++ b/config/samples/zora_v1alpha1_plugin_trivy.yaml @@ -10,7 +10,7 @@ metadata: name: trivy spec: type: vulnerability - image: ghcr.io/aquasecurity/trivy:0.45.1 + image: ghcr.io/aquasecurity/trivy:0.48.2 securityContext: allowPrivilegeEscalation: false env: @@ -25,7 +25,6 @@ spec: --no-progress \ --all-namespaces \ --scanners=vuln \ - --report=summary \ -f=json \ -o $(DONE_DIR)/results.json \ cluster diff --git a/docs/plugins/index.md b/docs/plugins/index.md index 07467739..2f76272e 100644 --- a/docs/plugins/index.md +++ b/docs/plugins/index.md @@ -15,9 +15,9 @@ kubectl get plugins -n zora-system ``` ``` NAME IMAGE TYPE AGE -marvin ghcr.io/undistro/marvin:v0.2.0 misconfiguration 14m +marvin ghcr.io/undistro/marvin:v0.2.1 misconfiguration 14m popeye ghcr.io/undistro/popeye:pr252 misconfiguration 14m -trivy ghcr.io/aquasecurity/trivy:0.45.1 vulnerability 14m +trivy ghcr.io/aquasecurity/trivy:0.48.2 vulnerability 14m ``` Each item listed above is an instance of `Plugin` CRD and represents the execution configuration of a plugin. 
diff --git a/docs/plugins/marvin.md b/docs/plugins/marvin.md index fabea5c5..36574769 100644 --- a/docs/plugins/marvin.md +++ b/docs/plugins/marvin.md @@ -11,6 +11,6 @@ Marvin enables Zora's custom checks using CEL. For further information, please v :octicons-codescan-24: **Type**: `misconfiguration` -:simple-docker: **Image**: `ghcr.io/undistro/marvin:v0.2.0` +:simple-docker: **Image**: `ghcr.io/undistro/marvin:v0.2.1` :simple-github: **GitHub repository**: [https://github.com/undistro/marvin](https://github.com/undistro/marvin){:target="_blank"} diff --git a/docs/plugins/trivy.md b/docs/plugins/trivy.md index 00d68ac5..881e5c5e 100644 --- a/docs/plugins/trivy.md +++ b/docs/plugins/trivy.md @@ -11,7 +11,7 @@ in different targets like containers, code repositories and **Kubernetes cluster :octicons-codescan-24: **Type**: `vulnerability` -:simple-docker: **Image**: `ghcr.io/aquasecurity/trivy:0.45.1` +:simple-docker: **Image**: `ghcr.io/aquasecurity/trivy:0.48.2` :simple-github: **GitHub repository**: [https://github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy){:target="_blank"} diff --git a/go.mod b/go.mod index d5329e78..81c0b44d 100644 --- a/go.mod +++ b/go.mod 
@@ -3,59 +3,60 @@ module github.com/undistro/zora go 1.20 require ( - github.com/aquasecurity/trivy v0.44.1 + github.com/aquasecurity/trivy v0.48.2 github.com/caarlos0/env/v9 v9.0.0 - github.com/go-logr/logr v1.2.4 - github.com/google/go-cmp v0.5.9 - github.com/onsi/ginkgo/v2 v2.9.5 - github.com/onsi/gomega v1.27.7 + github.com/go-logr/logr v1.3.0 + github.com/google/go-cmp v0.6.0 + github.com/onsi/ginkgo/v2 v2.11.0 + github.com/onsi/gomega v1.27.10 github.com/robfig/cron/v3 v3.0.1 - github.com/undistro/marvin v0.1.6 - go.uber.org/zap v1.24.0 - k8s.io/api v0.27.4 - k8s.io/apiextensions-apiserver v0.27.2 - k8s.io/apimachinery v0.27.4 - k8s.io/client-go v0.27.3 - k8s.io/metrics v0.27.2 - k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 - sigs.k8s.io/controller-runtime v0.15.0 - sigs.k8s.io/yaml v1.3.0 + github.com/undistro/marvin v0.2.1 + go.uber.org/zap v1.26.0 + k8s.io/api v0.28.4 + k8s.io/apiextensions-apiserver v0.28.4 + k8s.io/apimachinery v0.28.4 + k8s.io/client-go v0.28.4 + k8s.io/metrics v0.28.4 + k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 + sigs.k8s.io/controller-runtime v0.16.3 + sigs.k8s.io/yaml v1.4.0 ) require ( - github.com/CycloneDX/cyclonedx-go v0.7.2-0.20230625092137-07e2f29defc3 // indirect + github.com/CycloneDX/cyclonedx-go v0.7.2 // indirect github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect - github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 // indirect - github.com/aquasecurity/go-dep-parser v0.0.0-20230803125501-bd9cf68d8636 // indirect + github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect + github.com/aquasecurity/go-dep-parser v0.0.0-20231120074854-8322cc2242bf // indirect github.com/aquasecurity/table v1.8.0 // indirect github.com/aquasecurity/tml v0.6.1 // indirect - github.com/aquasecurity/trivy-db v0.0.0-20230726112157-167ba4f2faeb // indirect - github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230708090141-f44c2292c9a9 // indirect + 
github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d // indirect + github.com/aquasecurity/trivy-kubernetes v0.5.9-0.20231203080602-50a069120091 // indirect + github.com/aws/aws-sdk-go v1.48.4 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect github.com/davecgh/go-spew v1.1.1 // indirect - github.com/emicklei/go-restful/v3 v3.10.1 // indirect + github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/evanphx/json-patch v5.6.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.6.0 // indirect - github.com/fatih/color v1.14.1 // indirect - github.com/fsnotify/fsnotify v1.6.0 // indirect + github.com/fatih/color v1.15.0 // indirect + github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/go-errors/errors v1.4.2 // indirect github.com/go-logr/zapr v1.2.4 // indirect github.com/go-openapi/jsonpointer v0.19.6 // indirect - github.com/go-openapi/jsonreference v0.20.1 // indirect - github.com/go-openapi/swag v0.22.3 // indirect + github.com/go-openapi/jsonreference v0.20.2 // indirect + github.com/go-openapi/swag v0.22.4 // indirect github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.3 // indirect github.com/google/btree v1.1.2 // indirect - github.com/google/cel-go v0.13.0 // indirect - github.com/google/gnostic v0.5.7-v3refs // indirect - github.com/google/go-containerregistry v0.15.2 // indirect + github.com/google/cel-go v0.16.1 // indirect + github.com/google/gnostic-models v0.6.8 // indirect + github.com/google/go-containerregistry v0.17.0 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect - github.com/google/uuid v1.3.0 // indirect + github.com/google/uuid 
v1.4.0 // indirect github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect github.com/imdario/mergo v0.3.15 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect 
@@ -66,58 +67,60 @@ require ( github.com/mailru/easyjson v0.7.7 // indirect github.com/masahiro331/go-xfs-filesystem v0.0.0-20230608043311-a335f4599b70 // indirect github.com/mattn/go-colorable v0.1.13 // indirect - github.com/mattn/go-isatty v0.0.17 // indirect - github.com/mattn/go-runewidth v0.0.13 // indirect + github.com/mattn/go-isatty v0.0.19 // indirect + github.com/mattn/go-runewidth v0.0.14 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect + github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/package-url/packageurl-go v0.1.1 // indirect + github.com/package-url/packageurl-go v0.1.2 // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect - github.com/prometheus/client_golang v1.15.1 // indirect + github.com/prometheus/client_golang v1.16.0 // indirect github.com/prometheus/client_model v0.4.0 // indirect - github.com/prometheus/common v0.42.0 // indirect - github.com/prometheus/procfs v0.9.0 // indirect + github.com/prometheus/common v0.44.0 // indirect + github.com/prometheus/procfs v0.10.1 // indirect github.com/rivo/uniseg v0.2.0 // indirect github.com/samber/lo v1.38.1 // indirect - github.com/spdx/tools-golang v0.5.0 // indirect + github.com/spdx/tools-golang v0.5.4-0.20231108154018-0c0f394b5e1a // indirect github.com/spf13/cobra v1.7.0 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/stoewer/go-strcase v1.2.0 // indirect github.com/stretchr/objx v0.5.0 // indirect github.com/stretchr/testify v1.8.4 // indirect - github.com/xlab/treeprint v1.1.0 // 
indirect + github.com/xlab/treeprint v1.2.0 // indirect go.etcd.io/bbolt v1.3.7 // indirect - go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect - go.uber.org/atomic v1.10.0 // indirect - go.uber.org/multierr v1.9.0 // indirect + go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect + go.uber.org/multierr v1.11.0 // indirect golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 // indirect - golang.org/x/net v0.12.0 // indirect - golang.org/x/oauth2 v0.7.0 // indirect - golang.org/x/sys v0.10.0 // indirect - golang.org/x/term v0.10.0 // indirect - golang.org/x/text v0.11.0 // indirect + golang.org/x/net v0.18.0 // indirect + golang.org/x/oauth2 v0.11.0 // indirect + golang.org/x/sync v0.4.0 // indirect + golang.org/x/sys v0.15.0 // indirect + golang.org/x/term v0.15.0 // indirect + golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.3.0 // indirect - golang.org/x/tools v0.10.0 // indirect + golang.org/x/tools v0.13.0 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect - gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect + gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect google.golang.org/protobuf v1.31.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiserver v0.27.2 // indirect - k8s.io/cli-runtime v0.27.3 // indirect - k8s.io/component-base v0.27.3 // indirect - k8s.io/klog/v2 v2.100.1 // indirect - k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect + k8s.io/apiserver v0.28.4 // indirect + k8s.io/cli-runtime v0.28.4 // indirect + k8s.io/component-base v0.28.4 // indirect + k8s.io/klog/v2 v2.110.1 // indirect + 
k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - sigs.k8s.io/kustomize/api v0.13.2 // indirect - sigs.k8s.io/kustomize/kyaml v0.14.1 // indirect + sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect + sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect ) diff --git a/go.sum b/go.sum index 3c5ebeed..73a71a44 100644 --- a/go.sum +++ b/go.sum 
@@ -1,15 +1,16 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.110.0 h1:Zc8gqp3+a9/Eyph2KDmcGaPtbKRIoqq4YTlL4NMD0Ys= -cloud.google.com/go/compute v1.19.1 h1:am86mquDUgjGNWxiGn+5PGLbmgiWXlE/yNWpIpNvuXY= +cloud.google.com/go v0.110.7 h1:rJyC7nWRg2jWGZ4wSJ5nY65GTdYJkg0cd/uXb+ACI6o= +cloud.google.com/go/compute v1.23.0 h1:tP41Zoavr8ptEqaW6j+LQOnyBBhO7OkOMAGrgLopTwY= cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= -cloud.google.com/go/iam v0.13.0 h1:+CmB+K0J/33d0zSQ9SlFWUeCCEn5XJA0ZMZ3pHE9u8k= -cloud.google.com/go/storage v1.29.0 h1:6weCgzRvMg7lzuUurI4697AqIRPU1SvzHhynwpW31jI= -github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 h1:EKPd1INOIyr5hWOWhvpmQpY6tKjeG0hT1s3AMC/9fic= +cloud.google.com/go/iam v1.1.1 h1:lW7fzj15aVIXYHREOqjRBV9PsH0Z6u8Y46a1YGvQP4Y= +cloud.google.com/go/storage v1.31.0 h1:+S3LjjEN2zZ+L5hOwj4+1OkGCsLVe0NzpXKQ1pSdTCI= +dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8= -github.com/CycloneDX/cyclonedx-go v0.7.2-0.20230625092137-07e2f29defc3 h1:NqeV+ZMqpcosu0Xg2VW14Ru9ayBs/toe2oihS7sN6Xo= -github.com/CycloneDX/cyclonedx-go v0.7.2-0.20230625092137-07e2f29defc3/go.mod h1:fGXSp1lCDfMQ8KR1EjxT4ewc5HHhGczRF2pWhLSWohs= +github.com/CycloneDX/cyclonedx-go v0.7.2 h1:kKQ0t1dPOlugSIYVOMiMtFqeXI2wp/f5DBIdfux8gnQ= +github.com/CycloneDX/cyclonedx-go v0.7.2/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7Bxz4rpMQ4ZhjtSk= github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ= github.com/Masterminds/goutils 
v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww= 
@@ -17,41 +18,43 @@ github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0 github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA= github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8afzqM= github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= +github.com/Microsoft/hcsshim v0.11.4 h1:68vKo2VN8DE9AdN4tnkWnmdhqdbpUFM8OF3Airm7fz8= github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= -github.com/ProtonMail/go-crypto v0.0.0-20230518184743-7afd39499903 h1:ZK3C5DtzV2nVAQTx5S5jQvMeDqWtD1By5mOoyY/xJek= -github.com/acomagu/bufpipe v1.0.4 h1:e3H4WUzM3npvo5uv95QuJM3cQspFNtFBzvJ2oNjKIDQ= +github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg= github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8= github.com/alecthomas/chroma v0.10.0 h1:7XDcGkCQopCNKjZHfYrNLraA+M7e0fMiJ/Mfikbfjek= github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 h1:aM1rlcoLz8y5B2r4tTLMiVTrMtpfY0O8EScKJxaSaEc= github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA= -github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 h1:yL7+Jz0jTC6yykIK/Wh74gnTJnrGr5AyrNMXuA0gves= -github.com/antlr/antlr4/runtime/Go/antlr v1.4.10/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY= +github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df h1:7RFfzj4SSt6nnvCPbCqijJi1nWCd+TqAT3bYCStRC18= +github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM= github.com/apparentlymart/go-cidr v1.1.0 h1:2mAhrMoF+nhXqxTzSZMUzDHkLjmIHC+Zzn4tdgBZjnU= github.com/apparentlymart/go-textseg/v13 v13.0.0 
h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw= +github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY= github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM= -github.com/aquasecurity/defsec v0.91.1 h1:dBIPm6Tva9I+ZTQv+6t9wob3ZlMSu8NFqMJr4mgJC5A= -github.com/aquasecurity/go-dep-parser v0.0.0-20230803125501-bd9cf68d8636 h1:8f/1XPe9xcd8BkXU0LfQXNKmlCUB957674usf+Y/af0= -github.com/aquasecurity/go-dep-parser v0.0.0-20230803125501-bd9cf68d8636/go.mod h1:Cl6aYro+Ddzh1MB451j/C6rvwKdn/Ifa7z98sFirJ9I= +github.com/aquasecurity/defsec v0.93.2-0.20231208181342-318642ac6f08 h1:mjQvKTiKYXWGxHU5pw37q1n6deky0KcJq5JJwtuVrF4= +github.com/aquasecurity/go-dep-parser v0.0.0-20231120074854-8322cc2242bf h1:kweQrNMfarPfjZGI1537GtuujhpzhsuT/MvmW2FwaBE= +github.com/aquasecurity/go-dep-parser v0.0.0-20231120074854-8322cc2242bf/go.mod h1:7+xrs6AWD5+onpmX8f7qIkAhUgkPP0mhUdBjxJBcfas= github.com/aquasecurity/table v1.8.0 h1:9ntpSwrUfjrM6/YviArlx/ZBGd6ix8W+MtojQcM7tv0= github.com/aquasecurity/table v1.8.0/go.mod h1:eqOmvjjB7AhXFgFqpJUEE/ietg7RrMSJZXyTN8E/wZw= github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo= github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY= -github.com/aquasecurity/trivy v0.44.1 h1:KcYhS/sNheabe6U3NTVYb+NSMg34OzWzWv5VyPbCl0c= -github.com/aquasecurity/trivy v0.44.1/go.mod h1:jVUjY3SwpovchdasfIoY/3P3w9u6UyhcFo1lyXQvHe8= -github.com/aquasecurity/trivy-db v0.0.0-20230726112157-167ba4f2faeb h1:uz2+9G7E0/mjf5Q0MB/BwbpdObU34CKGUdnypTYWTfs= -github.com/aquasecurity/trivy-db v0.0.0-20230726112157-167ba4f2faeb/go.mod h1:st35g9O0ecDGBqnRHNFFz8imlDD3GWTCwo1WyJixI2c= -github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230708090141-f44c2292c9a9 h1:PA91rctNeAZY0hb2tPK68lAEpau3ItSto4FnqFXPF4g= -github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230708090141-f44c2292c9a9/go.mod 
h1:R7LNrrjSc4PEs0suUd+pXSqSUMMU/eY5byWHfKSZyjQ= +github.com/aquasecurity/trivy v0.48.2 h1:dHz/ywbscRibFXF6J743Oi7KhVQc5L6Or/iHicERIUM= +github.com/aquasecurity/trivy v0.48.2/go.mod h1:TGYdgxSoNVqahAp6q8O7Ebh4unu9TwkDbeUS6PlrsUU= +github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d h1:fjI9mkoTUAkbGqpzt9nJsO24RAdfG+ZSiLFj0G2jO8c= +github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d/go.mod h1:cj9/QmD9N3OZnKQMp+/DvdV+ym3HyIkd4e+F0ZM3ZGs= +github.com/aquasecurity/trivy-iac v0.7.1 h1:YqA0B1P/5uJy2YOrT+QtoB8Z/DCqMxApsMkvmyd5Lsg= +github.com/aquasecurity/trivy-kubernetes v0.5.9-0.20231203080602-50a069120091 h1:OTJMSbvKQYxbQ2NQ8Nht2NSL1bL36YfBCrlsGGxHPlI= +github.com/aquasecurity/trivy-kubernetes v0.5.9-0.20231203080602-50a069120091/go.mod h1:Yh+tmpPtbqVWYONrAuapImHfD1ghZgnZHLlMBA6Ukfg= +github.com/aquasecurity/trivy-policies v0.6.1-0.20231120231532-f6f2330bf842 h1:RnxM3eTcwPlA/WBwnmaEpeEk3WOCDcnz7yTIFxVL7us= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= -github.com/aws/aws-sdk-go v1.44.273 h1:CX8O0gK+cGrgUyv7bgJ6QQP9mQg7u5mweHdNzULH47c= -github.com/aws/smithy-go v1.14.0 h1:+X90sB94fizKjDmwb4vyl2cTTPXTE5E2G/1mjByb0io= -github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= +github.com/aws/aws-sdk-go v1.48.4 h1:HS2L7ynVhkcRrQRro9CLJZ/xLRb4UOzDEfPzgevZwXM= +github.com/aws/aws-sdk-go v1.48.4/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= +github.com/aws/smithy-go v1.18.1 h1:pOdBTUfXNazOlxLrgeYalVnuTpKreACHtc62xLwIB3c= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas= -github.com/bmatcuk/doublestar v1.3.4 
h1:gPypJ5xD31uhX6Tf54sDPUOBXTqKH4c9aPY66CyQrS0= github.com/bmatcuk/doublestar/v4 v4.6.0 h1:HTuxyug8GyFbRkrffIpzNCSK4luc0TY3wzXvzIZhEXc= github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M= github.com/briandowns/spinner v1.23.0 h1:alDF2guRWqa/FOZZYWjlMIx2L6H0wyewPxo/CH4Pt2A= 
@@ -66,25 +69,25 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs= -github.com/containerd/containerd v1.7.0 h1:G/ZQr3gMZs6ZT0qPUZ15znx5QSdQdASW11nXTLTM2Pg= +github.com/containerd/containerd v1.7.11 h1:lfGKw3eU35sjV0aG2eYZTiwFEY1pCzxdzicHP3SZILw= +github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/typeurl v1.0.2 h1:Chlt8zIieDbzQFzXzAeBEF92KhExuE4p9p92/QmY7aY= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI= +github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dlclark/regexp2 v1.4.0 h1:F1rxgk7p4uKjwIQxBs9oAXe5CqrXlCduYEJvrF4u93E= -github.com/docker/cli v23.0.5+incompatible h1:ufWmAOuD3Vmr7JP2G5K3cyuNC4YZWiAsuDEvFVVDafE= +github.com/docker/cli v24.0.5+incompatible h1:WeBimjvS0eKdH4Ygx+ihVq1Q++xg36M/rMi4aXAvodc= github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8= -github.com/docker/docker v23.0.7-0.20230714215826-f00e7af96042+incompatible h1:j7cPAKd+yLS4f16Jqri/wXRK+7TtFQCt89WPqECWnIM= +github.com/docker/docker v24.0.7+incompatible h1:Wo6l37AuwP3JaMnZa226lzVXGA3F9Ig1seQen0cKYlM= github.com/docker/docker-credential-helpers v0.7.0 
h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8= github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= -github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= -github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ= -github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= +github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= 
@@ -93,29 +96,31 @@ github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLi github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d h1:105gxyaGwCFad8crR9dcMQWvV9Hvulu6hwUh4tWPJnM= -github.com/fatih/color v1.14.1 h1:qfhVLaG5s+nCROl1zJsZRxFeYrHLqWroPOQ8BWiNb4w= -github.com/fatih/color v1.14.1/go.mod h1:2oHN61fhTpgcxD3TSWCgKDiH1+x4OiDVVGH8WlgGZGg= -github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= -github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= -github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= +github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs= +github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw= +github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk= +github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA= github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI= -github.com/go-git/go-billy/v5 v5.4.1 h1:Uwp5tDRkPr+l/TnbHOQzp+tmJfLceOlbVucgpTz8ix4= -github.com/go-git/go-git/v5 v5.7.0 h1:t9AudWVLmqzlo+4bqdf7GY+46SUuRsx59SboFxkq2aE= -github.com/go-gorp/gorp/v3 v3.0.5 h1:PUjzYdYu3HBOh8LE+UUmRG2P0IRDak9XMeGNvaeq4Ow= -github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= +github.com/go-git/go-billy/v5 v5.5.0 
h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU= +github.com/go-git/go-git/v5 v5.10.1 h1:tu8/D8i+TWxgKpzQ3Vc43e+kkhXqtsZCKI/egajKnxk= +github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs= +github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A= github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= +github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= -github.com/go-openapi/jsonreference v0.20.1 h1:FBLnyygC4/IZZr893oiomc9XaghoveYTrLC1F86HID8= -github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= -github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= +github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-openapi/swag v0.22.4 h1:QLMzNJnMGPRNDCbySlcj1x01tzU8/9LTTL9hZZZogBU= +github.com/go-openapi/swag v0.22.4/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/gobwas/glob v0.2.3 
h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= 
@@ -136,49 +141,51 @@ github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:W
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
-github.com/google/cel-go v0.13.0 h1:z+8OBOcmh7IeKyqwT/6IlnMvy621fYUqnTVPEdegGlU=
-github.com/google/cel-go v0.13.0/go.mod h1:K2hpQgEjDp18J76a2DKFRlPBPpgRZgi6EbnpDgIhJ8s=
-github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54=
-github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ=
+github.com/google/cel-go v0.16.1 h1:3hZfSNiAU3KOiNtxuFXVp5WFy4hf/Ly3Sa4/7F8SXNo=
+github.com/google/cel-go v0.16.1/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY=
+github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
+github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-containerregistry v0.15.2 h1:MMkSh+tjSdnmJZO7ljvEqV1DjfekB6VUEAZgy3a+TQE=
-github.com/google/go-containerregistry v0.15.2/go.mod h1:wWK+LnOv4jXMM23IT/F1wdYftGWGr47Is8CG+pmHK1Q=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-containerregistry v0.17.0 h1:5p+zYs/R4VGHkhyvgWurWrpJ2hW4Vv9fQI+GzdcwXLk=
+github.com/google/go-containerregistry v0.17.0/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
 github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/s2a-go v0.1.3 h1:FAgZmpLl/SXurPEZyCMPBIiiYeTbqfjlbdnCNTAkbGE=
+github.com/google/s2a-go v0.1.5 h1:8IYp3w9nysqv3JH+NJgXJzGbDHzLOTj43BmSkp+O7qg=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
-github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
-github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9aurXEpJX+U6FLtpYTdC3R06k=
-github.com/googleapis/gax-go/v2 v2.8.0 h1:UBtEZqx1bjXtOQ5BVTkuYghXrr3N4V123VKJK67vJZc=
+github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4=
+github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/enterprise-certificate-proxy v0.2.5 h1:UR4rDjcgpgEnqpIEvkiqTYKBCKLNmlge2eVjoZfySzM=
+github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas=
 github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
 github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
-github.com/hashicorp/go-getter v1.7.1 h1:SWiSWN/42qdpR0MdhaOc/bLR48PLuP1ZQtYLRlM69uY=
+github.com/hashicorp/go-getter v1.7.2 h1:uJDtyXwEfalmp1PqdxuhZqrNkUyClZAhVeZYTArbqkg=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-safetemp v1.0.0 h1:2HR189eFNrjHQyENnQMMpCiBAsRxzbTMIgBhEyExpmo=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
-github.com/hashicorp/hcl/v2 v2.14.1 h1:x0BpjfZ+CYdbiz+8yZTQ+gdLO7IXvOut7Da+XJayx34=
+github.com/hashicorp/hcl/v2 v2.19.1 h1://i05Jqznmb2EXqa39Nsvyan2o5XyMowW5fnCKW5RPI=
 github.com/huandu/xstrings v1.4.0 h1:D17IlohoQq4UcpqD7fDk80P7l+lwAmlFaBHgOipl2FU=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.15 h1:M8XP7IuFNsqUx6VPK2P9OSmsYsI/YFaGil0uD21V3dM=
@@ -196,11 +203,10 @@ github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHm
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI=
+github.com/klauspost/compress v1.16.6 h1:91SKEy4K37vkp255cJ8QesJhjyRO0hn9i9G0GoUwLsk=
 github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075 h1:aC6MEAs3PE3lWD7lqrJfDxHd6hcced9R4JTZu85cJwU=
 github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075/go.mod h1:i4sF0l1fFnY1aiw08QQSwVAFxHEm311Me3WsU/X7nL0=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
@@ -211,7 +217,7 @@ github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 h1:SOEGU9fKiNWd/HOJuq
 github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 h1:P6pPBnrTSX3DEVR4fDembhRWSsG5rVo6hYhAB/ADZrk=
 github.com/liamg/iamgo v0.0.9 h1:tADGm3xVotyRJmuKKaH4+zsBn7LOcvgdpuF3WsSKW3c=
 github.com/liamg/jfather v0.0.7 h1:Xf78zS263yfT+xr2VSo6+kyAy4ROlCacRqJG7s5jt4k=
-github.com/liamg/memoryfs v1.4.3 h1:+ChjcuPRYpjJSulD13PXDNR3JeJ5HUYKjLHyWVK0bqU=
+github.com/liamg/memoryfs v1.6.0 h1:jAFec2HI1PgMTem5gR7UT8zi9u4BfG5jorCRlLH06W8=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
@@ -222,10 +228,10 @@ github.com/masahiro331/go-xfs-filesystem v0.0.0-20230608043311-a335f4599b70/go.m
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
-github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU=
-github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
+github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-runewidth v0.0.14 h1:+xnbZSEeDbOIg5/mE6JF0w6n9duR1l3/WmbinWVwUuU=
+github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
@@ -233,6 +239,7 @@ github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG
 github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU=
 github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/moby/buildkit v0.11.6 h1:VYNdoKk5TVxN7k4RvZgdeM4GOyRvIi4Z8MXOY7xvyUs=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
@@ -249,17 +256,17 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
-github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q=
-github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k=
-github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU=
-github.com/onsi/gomega v1.27.7/go.mod h1:1p8OOlwo2iUUDsHnOrjE5UKYJ+e3W8eQ3qSlRahPmr4=
-github.com/open-policy-agent/opa v0.45.0 h1:P5nuhVRtR+e58fk3CMMbiqr6ZFyWQPNOC3otsorGsFs=
+github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU=
+github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM=
+github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
+github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
+github.com/open-policy-agent/opa v0.58.0 h1:S5qvevW8JoFizU7Hp66R/Y1SOXol0aCdFYVkzIqIpUo=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.0-rc4 h1:oOxKUJWnFC4YGHCCMNql1x4YaDfYBTS5Y4x/Cgeo1E0=
-github.com/owenrumney/squealer v1.1.1 h1:e+fg29IxdNARSc4s7CbYnqVSepm9eOqErLNNNR5XbAs=
-github.com/package-url/packageurl-go v0.1.1 h1:KTRE0bK3sKbFKAk3yy63DpeskU7Cvs/x/Da5l+RtzyU=
-github.com/package-url/packageurl-go v0.1.1/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c=
+github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI=
+github.com/owenrumney/squealer v1.2.1 h1:4ryMMT59aaz8VMsqsD+FDkarADJz0F1dcq2fd0DRR+c=
+github.com/package-url/packageurl-go v0.1.2 h1:0H2DQt6DHd/NeRlVwW4EZ4oEI6Bn40XlNPRqegcxuo4=
+github.com/package-url/packageurl-go v0.1.2/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c=
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
@@ -268,22 +275,22 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.15.1 h1:8tXpTmJbyH5lydzFPoxSIJ0J46jdh3tylbvM1xCv0LI=
-github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk=
+github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8=
+github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY=
 github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
-github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM=
-github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc=
-github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI=
-github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY=
+github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY=
+github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
+github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg=
+github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM=
 github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
-github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
-github.com/rubenv/sql-migrate v1.3.1 h1:Vx+n4Du8X8VTYuXbhNxdEUoh6wiJERA0GlWocR5FrbA=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rubenv/sql-migrate v1.5.2 h1:bMDqOnrJVV/6JQgQ/MxOpU+AdO8uzYYA/TxFUBzFtS0=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/samber/lo v1.38.1 h1:j2XEAqXKb09Am4ebOg31SpvzUTTs6EN3VfgeLUhPdXM=
@@ -291,10 +298,10 @@ github.com/samber/lo v1.38.1/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXn
 github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
-github.com/skeema/knownhosts v1.1.1 h1:MTk78x9FPgDFVFkDLTrsnnfCJl7g1C/nnKvePgrIngE=
+github.com/skeema/knownhosts v1.2.1 h1:SHWdIUa82uGZz+F+47k8SY4QhhI291cXCpopT1lK2AQ=
 github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM=
-github.com/spdx/tools-golang v0.5.0 h1:/fqihV2Jna7fmow65dHpgKNsilgLK7ICpd2tkCnPEyY=
-github.com/spdx/tools-golang v0.5.0/go.mod h1:kkGlrSXXfHwuSzHQZJRV3aKu9ZXCq/MSf2+xyiJH1lM=
+github.com/spdx/tools-golang v0.5.4-0.20231108154018-0c0f394b5e1a h1:uuREJ3I15VLjYZuhxjTQnA2bTqzRQX1HKEphYBzqT9o=
+github.com/spdx/tools-golang v0.5.4-0.20231108154018-0c0f394b5e1a/go.mod h1:BHs8QEhK6MbFGdyjxvuBtzJtCLrN5bwUBC9fzQlYBXs=
 github.com/spf13/cast v1.5.1 h1:R+kOtfhWQE6TVQzY+4D7wJLBgkdVasCEFxSUBYBYIlA=
 github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
 github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
@@ -313,47 +320,48 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes=
 github.com/terminalstatic/go-xsd-validate v0.1.5 h1:RqpJnf6HGE2CB/lZB1A8BYguk8uRtcvYAPLCF15qguo=
-github.com/ulikunitz/xz v0.5.10 h1:t92gobL9l3HE202wg3rlk19F6X+JOxl9BBrCCMYEYd8=
-github.com/undistro/marvin v0.1.6 h1:4fRGNgdXL9+/+b5hsygB0e76TgPBy/5W6okNf+nPVJs=
-github.com/undistro/marvin v0.1.6/go.mod h1:lKwqT15MtbE39CtiWhvanIHy33jPTtC3k+w6vgVdYSk=
+github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
+github.com/undistro/marvin v0.2.1 h1:/GKS8LZ1lA4OAor7OqsbGpOLoY4u70HsaZaiZolAJFU=
+github.com/undistro/marvin v0.2.1/go.mod h1:DtRT/eHZlzs9wsTectyVWMULQQzweq4axMOvMghLZNQ=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
 github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
-github.com/xlab/treeprint v1.1.0 h1:G/1DjNkPpfZCFt9CSh6b5/nY4VimlbHF3Rh4obvtzDk=
-github.com/xlab/treeprint v1.1.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
-github.com/yashtewari/glob-intersection v0.1.0 h1:6gJvMYQlTDOL3dMsPF6J0+26vwX9MB8/1q3uAdhmTrg=
+github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
+github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
+github.com/yashtewari/glob-intersection v0.2.0 h1:8iuHdN88yYuCzCdjt0gDe+6bAhUwBeEWqThExu54RFg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/zclconf/go-cty v1.10.0 h1:mp9ZXQeIcN8kAwuqorjH+Q+njbJKjLrvB2yIh4q7U+0=
-github.com/zclconf/go-cty-yaml v1.0.2 h1:dNyg4QLTrv2IfJpm7Wtxi55ed5gLGOlPrZ6kMd51hY0=
+github.com/zclconf/go-cty v1.13.0 h1:It5dfKTTZHe9aeppbNOda3mN7Ag7sg6QkBNm6TkyFa0=
+github.com/zclconf/go-cty-yaml v1.0.3 h1:og/eOQ7lvA/WWhHGFETVWNduJM7Rjsv2RRpx1sdFMLc=
 go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ=
 go.etcd.io/bbolt v1.3.7/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
-go.opentelemetry.io/otel v1.14.0 h1:/79Huy8wbf5DnIPhemGB+zEPVwnN6fuQybr/SRXa6hM=
-go.opentelemetry.io/otel/trace v1.14.0 h1:wp2Mmvj41tDsyAJXiWDWpfNsOiIyd38fy85pyKcFq/M=
-go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee331t6JAXeK2bcyhLOOc=
-go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 h1:x8Z78aZx8cOF0+Kkazoc7lwUNMGy0LrzEMxTm4BbTxg=
+go.opentelemetry.io/otel v1.19.0 h1:MuS/TNf4/j4IXsZuJegVzI1cwut7Qc00344rgH7p8bs=
+go.opentelemetry.io/otel/metric v1.19.0 h1:aTzpGtV0ar9wlV4Sna9sdJyII5jTVJEvKETPiOKwvpE=
+go.opentelemetry.io/otel/sdk v1.19.0 h1:6USY6zH+L8uMH8L3t1enZPR3WFEmSTADlqldyHtJi3o=
+go.opentelemetry.io/otel/trace v1.19.0 h1:DFVQmlVbfVeOuBRrwdtaehRrWiL1JoVs9CPIQ1Dzxpg=
+go.starlark.net v0.0.0-20230525235612-a134d8f9ddca h1:VdD38733bfYv5tUZwEIskMM93VanwNIi5bIKnDrJdEY=
+go.starlark.net v0.0.0-20230525235612-a134d8f9ddca/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ=
-go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
-go.uber.org/multierr v1.9.0 h1:7fIwc/ZtS0q++VgcfqFDxSBZVv/Xo49/SYnDFupUwlI=
-go.uber.org/multierr v1.9.0/go.mod h1:X2jQV1h+kxSjClGpnseKVIxpmcjrj7MNnI0bnlfKTVQ=
-go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
+go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
+go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
+go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
+go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 h1:k/i9J1pBpvlfR+9QsetwPyERsqu1GIbi967PQMq3Ivc=
 golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
@@ -364,7 +372,7 @@ golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHl
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
+golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -375,11 +383,11 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50=
-golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
+golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg=
+golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g=
-golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
+golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU=
+golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -387,28 +395,31 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
+golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191002063906-3421d5a6bb1c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
-golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c=
-golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
+golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4=
-golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -420,17 +431,17 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.10.0 h1:tvDr/iQoUqNdohiYm0LmmKcBk+q86lb9EprIUFhHHGg=
-golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM=
+golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk=
 golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
-gomodules.xyz/jsonpatch/v2 v2.3.0 h1:8NFhfS6gzxNqjLIYnZxg319wZ5Qjnx4m/CcX+Klzazc=
-gomodules.xyz/jsonpatch/v2 v2.3.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
-google.golang.org/api v0.121.0 h1:8Oopoo8Vavxx6gt+sgs8s8/X60WBAtKQq6JqnkF+xow=
+gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
+gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
+google.golang.org/api v0.138.0 h1:K/tVp05MxNVbHShRw9m7e9VJGdagNeTdMzqPH7AUqr0=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
@@ -438,13 +449,15 @@ google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCID google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A= -google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU= +google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d h1:VBu5YqKPv6XiJ199exd8Br+Aetz+o08F+PLMnwJQHAY= +google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d h1:DoPTO70H+bcDXcd39vOqb2viZxgqeBeSGtZ55yZU4/Q= +google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d/go.mod h1:KjSP20unUpOx5kyQUFa7k4OJg0qeJ7DEZflGDu2p6Bk= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d h1:uvYuEyMHKNt+lT4K3bN6fGswmK8qSvcreM3BwjDh+y4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.55.0 h1:3Oj82/tFSCeUrRTg/5E/7d/W5A1tj6Ky1ABAuZuv5ag= +google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf 
v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= @@ -452,14 +465,13 @@ google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miE google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= +google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/cheggaaa/pb.v1 v1.0.28 h1:n1tBJnnK2r7g9OW2btFH91V92STTUevLXYFb8gy9EMk= 
@@ -471,45 +483,45 @@ gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -helm.sh/helm/v3 v3.12.1 h1:lzU7etZX24A6BTMXYQF3bFq0ECfD8s+fKlNBBL8AbEc= +helm.sh/helm/v3 v3.13.0 h1:XPJKIU30K4JTQ6VX/6e0hFAmEIonYa8E7wx5aqv4xOc= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/api v0.27.4 h1:0pCo/AN9hONazBKlNUdhQymmnfLRbSZjd5H5H3f0bSs= -k8s.io/api v0.27.4/go.mod h1:O3smaaX15NfxjzILfiln1D8Z3+gEYpjEpiNA/1EVK1Y= -k8s.io/apiextensions-apiserver v0.27.2 h1:iwhyoeS4xj9Y7v8YExhUwbVuBhMr3Q4bd/laClBV6Bo= -k8s.io/apiextensions-apiserver v0.27.2/go.mod h1:Oz9UdvGguL3ULgRdY9QMUzL2RZImotgxvGjdWRq6ZXQ= -k8s.io/apimachinery v0.27.4 h1:CdxflD4AF61yewuid0fLl6bM4a3q04jWel0IlP+aYjs= -k8s.io/apimachinery v0.27.4/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E= -k8s.io/apiserver v0.27.2 h1:p+tjwrcQEZDrEorCZV2/qE8osGTINPuS5ZNqWAvKm5E= -k8s.io/apiserver v0.27.2/go.mod h1:EsOf39d75rMivgvvwjJ3OW/u9n1/BmUMK5otEOJrb1Y= -k8s.io/cli-runtime v0.27.3 h1:h592I+2eJfXj/4jVYM+tu9Rv8FEc/dyCoD80UJlMW2Y= -k8s.io/cli-runtime v0.27.3/go.mod h1:LzXud3vFFuDFXn2LIrWnscPgUiEj7gQQcYZE2UPn9Kw= -k8s.io/client-go v0.27.3 h1:7dnEGHZEJld3lYwxvLl7WoehK6lAq7GvgjxpA3nv1E8= -k8s.io/client-go v0.27.3/go.mod h1:2MBEKuTo6V1lbKy3z1euEGnhPfGZLKTS9tiJ2xodM48= -k8s.io/component-base v0.27.3 
h1:g078YmdcdTfrCE4fFobt7qmVXwS8J/3cI1XxRi/2+6k= -k8s.io/component-base v0.27.3/go.mod h1:JNiKYcGImpQ44iwSYs6dysxzR9SxIIgQalk4HaCNVUY= -k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= -k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg= -k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= -k8s.io/kubectl v0.27.3 h1:HyC4o+8rCYheGDWrkcOQHGwDmyLKR5bxXFgpvF82BOw= -k8s.io/metrics v0.27.2 h1:TD6z3dhhN9bgg5YkbTh72bPiC1BsxipBLPBWyC3VQAU= -k8s.io/metrics v0.27.2/go.mod h1:v3OT7U0DBvoAzWVzGZWQhdV4qsRJWchzs/LeVN8bhW4= -k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 h1:kmDqav+P+/5e1i9tFfHq1qcF3sOrDp+YEkVDAHu7Jwk= -k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -oras.land/oras-go v1.2.2 h1:0E9tOHUfrNH7TCDk5KU0jVBEzCqbfdyuVfGmJ7ZeRPE= -sigs.k8s.io/controller-runtime v0.15.0 h1:ML+5Adt3qZnMSYxZ7gAverBLNPSMQEibtzAgp0UPojU= -sigs.k8s.io/controller-runtime v0.15.0/go.mod h1:7ngYvp1MLT+9GeZ+6lH3LOlcHkp/+tzA/fmHa4iq9kk= +k8s.io/api v0.28.4 h1:8ZBrLjwosLl/NYgv1P7EQLqoO8MGQApnbgH8tu3BMzY= +k8s.io/api v0.28.4/go.mod h1:axWTGrY88s/5YE+JSt4uUi6NMM+gur1en2REMR7IRj0= +k8s.io/apiextensions-apiserver v0.28.4 h1:AZpKY/7wQ8n+ZYDtNHbAJBb+N4AXXJvyZx6ww6yAJvU= +k8s.io/apiextensions-apiserver v0.28.4/go.mod h1:pgQIZ1U8eJSMQcENew/0ShUTlePcSGFq6dxSxf2mwPM= +k8s.io/apimachinery v0.28.4 h1:zOSJe1mc+GxuMnFzD4Z/U1wst50X28ZNsn5bhgIIao8= +k8s.io/apimachinery v0.28.4/go.mod h1:wI37ncBvfAoswfq626yPTe6Bz1c22L7uaJ8dho83mgg= +k8s.io/apiserver v0.28.4 h1:BJXlaQbAU/RXYX2lRz+E1oPe3G3TKlozMMCZWu5GMgg= +k8s.io/apiserver v0.28.4/go.mod h1:Idq71oXugKZoVGUUL2wgBCTHbUR+FYTWa4rq9j4n23w= +k8s.io/cli-runtime v0.28.4 h1:IW3aqSNFXiGDllJF4KVYM90YX4cXPGxuCxCVqCD8X+Q= +k8s.io/cli-runtime v0.28.4/go.mod h1:MLGRB7LWTIYyYR3d/DOgtUC8ihsAPA3P8K8FDNIqJ0k= 
+k8s.io/client-go v0.28.4 h1:Np5ocjlZcTrkyRJ3+T3PkXDpe4UpatQxj85+xjaD2wY= +k8s.io/client-go v0.28.4/go.mod h1:0VDZFpgoZfelyP5Wqu0/r/TRYcLYuJ2U1KEeoaPa1N4= +k8s.io/component-base v0.28.4 h1:c/iQLWPdUgI90O+T9TeECg8o7N3YJTiuz2sKxILYcYo= +k8s.io/component-base v0.28.4/go.mod h1:m9hR0uvqXDybiGL2nf/3Lf0MerAfQXzkfWhUY58JUbU= +k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0= +k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo= +k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= +k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= +k8s.io/kubectl v0.28.3 h1:H1Peu1O3EbN9zHkJCcvhiJ4NUj6lb88sGPO5wrWIM6k= +k8s.io/metrics v0.28.4 h1:u36fom9+6c8jX2sk8z58H0hFaIUfrPWbXIxN7GT2blk= +k8s.io/metrics v0.28.4/go.mod h1:bBqAJxH20c7wAsTQxDXOlVqxGMdce49d7WNr1WeaLac= +k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= +k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +oras.land/oras-go v1.2.3 h1:v8PJl+gEAntI1pJ/LCrDgsuk+1PKVavVEPsYIHFE5uY= +sigs.k8s.io/controller-runtime v0.16.3 h1:2TuvuokmfXvDUamSx1SuAOO3eTyye+47mJCigwG62c4= +sigs.k8s.io/controller-runtime v0.16.3/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/kustomize/api v0.13.2 h1:kejWfLeJhUsTGioDoFNJET5LQe/ajzXhJGYoU+pJsiA= -sigs.k8s.io/kustomize/api v0.13.2/go.mod h1:DUp325VVMFVcQSq+ZxyDisA8wtldwHxLZbr1g94UHsw= -sigs.k8s.io/kustomize/kyaml v0.14.1 h1:c8iibius7l24G2wVAGZn/Va2wNys03GXLjYVIcFVxKA= -sigs.k8s.io/kustomize/kyaml v0.14.1/go.mod h1:AN1/IpawKilWD7V+YvQwRGUvuUOOWpjsHu6uHwonSF4= +sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 
h1:XX3Ajgzov2RKUdc5jW3t5jwY7Bo7dcRm+tFxT+NfgY0= +sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3/go.mod h1:9n16EZKMhXBNSiUC5kSdFQJkdH3zbxS/JoO619G1VAY= +sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 h1:W6cLQc5pnqM7vh3b7HvGNfXrJ/xL6BDMS0v1V/HHg5U= +sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3/go.mod h1:JWP1Fj0VWGHyw3YUPjXSQnRnrwezrZSrApfX5S0nIag= sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= -sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
diff --git a/internal/controller/zora/clusterscan_controller.go b/internal/controller/zora/clusterscan_controller.go
index 64f9318c..52d8c8b4 100644
--- a/internal/controller/zora/clusterscan_controller.go
+++ b/internal/controller/zora/clusterscan_controller.go
@@ -212,6 +212,7 @@ func (r *ClusterScanReconciler) reconcile(ctx context.Context, clusterscan *v1al
 Suspend: notReadyErr != nil,
 KubexnsImage: r.KubexnsImage,
 ChecksConfigMap: r.ChecksConfigMap,
+ ClusterUID: cluster.UID,
 }
 
 result, err := ctrl.CreateOrUpdate(ctx, r.Client, cronJob, cronJobMutator.Mutate)
diff --git a/internal/controller/zora/suite_test.go b/internal/controller/zora/suite_test.go
index 21e69e48..d4806489 100644
--- a/internal/controller/zora/suite_test.go
+++ b/internal/controller/zora/suite_test.go
@@ -15,7 +15,9 @@ package zora
 import (
+ "fmt"
 "path/filepath"
+ "runtime"
 "testing"
 . "github.com/onsi/ginkgo/v2"
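Review bot: `cluster.UID` is forwarded into the mutator without a check, yet the neighbouring `Suspend: notReadyErr != nil` field shows this path also runs when the Cluster is not ready; if `cluster` can be a zero-value object on that path (it is populated outside this hunk), the CronJob exports an empty `CLUSTER_UID`, which the worker declares `required` in the `pkg/worker/config.go` hunk and stamps into the `v1alpha1.LabelClusterUID` label in the `pkg/worker/misconfig.go` hunk. Consider guarding with `if cluster.UID == "" { /* return or skip the CronJob update */ }` before the mutator is built, and confirm whether the env parser's `required` rejects an empty-but-set variable or only an unset one. The `reconcile` body starts and ends outside this hunk.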
@@ -52,6 +54,14 @@ var _ = BeforeSuite(func() {
 testEnv = &envtest.Environment{
 CRDDirectoryPaths: []string{filepath.Join("..", "..", "..", "config", "crd", "bases")},
 ErrorIfCRDPathMissing: true,
+
+ // The BinaryAssetsDirectory is only required if you want to run the tests directly
+ // without call the makefile target test. If not informed it will look for the
+ // default path defined in controller-runtime which is /usr/local/kubebuilder/.
+ // Note that you must have the required binaries setup under the bin directory to perform
+ // the tests directly. When we run make test it will be setup and used automatically.
+ BinaryAssetsDirectory: filepath.Join("..", "..", "..", "bin", "k8s",
+ fmt.Sprintf("1.28.3-%s-%s", runtime.GOOS, runtime.GOARCH)),
 }
 
 var err error
diff --git a/pkg/clientset/versioned/doc.go b/pkg/clientset/versioned/doc.go
deleted file mode 100644
index 0e0c2a89..00000000
--- a/pkg/clientset/versioned/doc.go
+++ /dev/null
@@ -1,4 +0,0 @@
-// Code generated by client-gen. DO NOT EDIT.
-
-// This package has the automatically generated clientset.
-package versioned
diff --git a/pkg/clientset/versioned/typed/zora/v1alpha1/fake/fake_cluster.go b/pkg/clientset/versioned/typed/zora/v1alpha1/fake/fake_cluster.go
index 448e327f..184cbbb1 100644
--- a/pkg/clientset/versioned/typed/zora/v1alpha1/fake/fake_cluster.go
+++ b/pkg/clientset/versioned/typed/zora/v1alpha1/fake/fake_cluster.go
@@ -8,7 +8,6 @@ import ( v1alpha1 "github.com/undistro/zora/api/zora/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" labels "k8s.io/apimachinery/pkg/labels" - schema "k8s.io/apimachinery/pkg/runtime/schema" testing "k8s.io/client-go/testing" )
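Review bot: The new comment has grammar slips a reader will trip over: `without call the makefile target test` should read `without calling the makefile target test`, and `binaries setup under` should be `binaries set up under`. The version string `1.28.3` is also buried inside the `fmt.Sprintf` call; if the Makefile pins the same envtest version (not visible here), hoisting it to a named constant such as `const envtestK8sVersion = "1.28.3" // keep in sync with the Makefile` makes that coupling explicit. The enclosing `BeforeSuite` closure starts and ends outside this hunk.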
@@ -18,9 +17,9 @@ type FakeClusters struct { ns string } -var clustersResource = schema.GroupVersionResource{Group: "zora", Version: "v1alpha1", Resource: "clusters"} +var clustersResource = v1alpha1.SchemeGroupVersion.WithResource("clusters") -var clustersKind = schema.GroupVersionKind{Group: "zora", Version: "v1alpha1", Kind: "Cluster"} +var clustersKind = v1alpha1.SchemeGroupVersion.WithKind("Cluster") // Get takes name of the cluster, and returns the corresponding cluster object, and an error if there is any. func (c *FakeClusters) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.Cluster, err error) { diff --git a/pkg/clientset/versioned/typed/zora/v1alpha1/fake/fake_clusterissue.go b/pkg/clientset/versioned/typed/zora/v1alpha1/fake/fake_clusterissue.go index c736d0d7..58bc6c6d 100644 --- a/pkg/clientset/versioned/typed/zora/v1alpha1/fake/fake_clusterissue.go +++ b/pkg/clientset/versioned/typed/zora/v1alpha1/fake/fake_clusterissue.go @@ -8,7 +8,6 @@ import ( v1alpha1 "github.com/undistro/zora/api/zora/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" labels "k8s.io/apimachinery/pkg/labels" - schema "k8s.io/apimachinery/pkg/runtime/schema" types "k8s.io/apimachinery/pkg/types" watch "k8s.io/apimachinery/pkg/watch" testing "k8s.io/client-go/testing" 
@@ -20,9 +19,9 @@ type FakeClusterIssues struct { ns string } -var clusterissuesResource = schema.GroupVersionResource{Group: "zora", Version: "v1alpha1", Resource: "clusterissues"} +var clusterissuesResource = v1alpha1.SchemeGroupVersion.WithResource("clusterissues") -var clusterissuesKind = schema.GroupVersionKind{Group: "zora", Version: "v1alpha1", Kind: "ClusterIssue"} +var clusterissuesKind = v1alpha1.SchemeGroupVersion.WithKind("ClusterIssue") // Get takes name of the clusterIssue, and returns the corresponding clusterIssue object, and an error if there is any. func (c *FakeClusterIssues) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ClusterIssue, err error) { diff --git a/pkg/clientset/versioned/typed/zora/v1alpha1/fake/fake_clusterscan.go b/pkg/clientset/versioned/typed/zora/v1alpha1/fake/fake_clusterscan.go index a93b3dff..2c34ab54 100644 --- a/pkg/clientset/versioned/typed/zora/v1alpha1/fake/fake_clusterscan.go +++ b/pkg/clientset/versioned/typed/zora/v1alpha1/fake/fake_clusterscan.go @@ -8,7 +8,6 @@ import ( v1alpha1 "github.com/undistro/zora/api/zora/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" labels "k8s.io/apimachinery/pkg/labels" - schema "k8s.io/apimachinery/pkg/runtime/schema" testing "k8s.io/client-go/testing" ) @@ -18,9 +17,9 @@ type FakeClusterScans struct { ns string } -var clusterscansResource = schema.GroupVersionResource{Group: "zora", Version: "v1alpha1", Resource: "clusterscans"} +var clusterscansResource = v1alpha1.SchemeGroupVersion.WithResource("clusterscans") -var clusterscansKind = schema.GroupVersionKind{Group: "zora", Version: "v1alpha1", Kind: "ClusterScan"} +var clusterscansKind = v1alpha1.SchemeGroupVersion.WithKind("ClusterScan") // Get takes name of the clusterScan, and returns the corresponding clusterScan object, and an error if there is any. func (c *FakeClusterScans) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ClusterScan, err error) { 
diff --git a/pkg/clientset/versioned/typed/zora/v1alpha1/fake/fake_vulnerabilityreport.go b/pkg/clientset/versioned/typed/zora/v1alpha1/fake/fake_vulnerabilityreport.go index 4a03bb77..27f77329 100644 --- a/pkg/clientset/versioned/typed/zora/v1alpha1/fake/fake_vulnerabilityreport.go +++ b/pkg/clientset/versioned/typed/zora/v1alpha1/fake/fake_vulnerabilityreport.go @@ -8,7 +8,6 @@ import ( v1alpha1 "github.com/undistro/zora/api/zora/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" labels "k8s.io/apimachinery/pkg/labels" - schema "k8s.io/apimachinery/pkg/runtime/schema" types "k8s.io/apimachinery/pkg/types" watch "k8s.io/apimachinery/pkg/watch" testing "k8s.io/client-go/testing" @@ -20,9 +19,9 @@ type FakeVulnerabilityReports struct { ns string } -var vulnerabilityreportsResource = schema.GroupVersionResource{Group: "zora", Version: "v1alpha1", Resource: "vulnerabilityreports"} +var vulnerabilityreportsResource = v1alpha1.SchemeGroupVersion.WithResource("vulnerabilityreports") -var vulnerabilityreportsKind = schema.GroupVersionKind{Group: "zora", Version: "v1alpha1", Kind: "VulnerabilityReport"} +var vulnerabilityreportsKind = v1alpha1.SchemeGroupVersion.WithKind("VulnerabilityReport") // Get takes name of the vulnerabilityReport, and returns the corresponding vulnerabilityReport object, and an error if there is any. func (c *FakeVulnerabilityReports) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.VulnerabilityReport, err error) { diff --git a/pkg/discovery/zz_generated.deepcopy.go b/pkg/discovery/zz_generated.deepcopy.go index 17823b92..7d103a52 100644 --- a/pkg/discovery/zz_generated.deepcopy.go +++ b/pkg/discovery/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated // Copyright 2023 Undistro Authors // diff --git a/pkg/kubeconfig/config.go b/pkg/kubeconfig/config.go index 00494795..3ffe778b 100644 --- a/pkg/kubeconfig/config.go +++ b/pkg/kubeconfig/config.go 
@@ -38,8 +38,8 @@ func SecretFromRef(ctx context.Context, client ctrlclient.Client, name types.Nam
 }
 
 // ConfigFromSecretName return a rest.Config from a kubeconfig secret name
-func ConfigFromSecretName(ctx context.Context, client ctrlclient.Client, name types.NamespacedName) (*rest.Config, error) {
- existing, err := SecretFromRef(ctx, client, name)
+func ConfigFromSecretName(ctx context.Context, cli ctrlclient.Client, name types.NamespacedName) (*rest.Config, error) {
+ existing, err := SecretFromRef(ctx, cli, name)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/plugins/cronjob.go b/pkg/plugins/cronjob.go
index 26059b9e..db21e9ab 100644
--- a/pkg/plugins/cronjob.go
+++ b/pkg/plugins/cronjob.go
@@ -21,6 +21,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/types"
 "k8s.io/utils/pointer"
 
 ctrl "sigs.k8s.io/controller-runtime"
@@ -29,16 +30,17 @@ import (
 )
 
 const (
- checksVolumeName = "custom-checks"
- checksPath = "/custom-checks"
- workerContainerName = "worker"
- kubeconfigVolumeName = "kubeconfig"
- kubeconfigMountPath = "/etc/zora"
- kubeconfigFile = "kubeconfig.yml"
- resultsVolumeName = "results"
- resultsDir = "/tmp/zora/results"
- LabelClusterScan = "zora.undistro.io/cluster-scan"
- LabelPlugin = "zora.undistro.io/plugin"
+ checksVolumeName = "custom-checks"
+ checksPath = "/custom-checks"
+ workerContainerName = "worker"
+ kubeconfigVolumeName = "kubeconfig"
+ kubeconfigMountPath = "/etc/zora"
+ kubeconfigFile = "kubeconfig.yml"
+ resultsVolumeName = "results"
+ resultsDir = "/tmp/zora/results"
+ labelClusterScan = "zora.undistro.io/cluster-scan"
+ labelPlugin = "zora.undistro.io/plugin"
+ annotationDefaultContainer = "kubectl.kubernetes.io/default-container"
 )
 
 var (
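Review bot: `LabelClusterScan` and `LabelPlugin` become unexported in the const hunk, which removes them from the `plugins` package API; if any other package selected CronJobs by these labels it no longer compiles, and that cannot be seen from this hunk. The renamed block also still has no doc comment; a line such as `// labelClusterScan and labelPlugin tie a CronJob to its ClusterScan and Plugin; annotationDefaultContainer is the kubectl annotation naming the container shown by default.` would explain why the three keys sit together with the volume and path constants.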
@@ -91,6 +93,7 @@ type CronJobMutator struct {
 Suspend bool
 KubexnsImage string
 ChecksConfigMap string
+ ClusterUID types.UID
 }
 
 // Mutate returns a function which mutates the existing CronJob into it's desired state.
@@ -98,8 +101,8 @@ func (r *CronJobMutator) Mutate() error {
 if r.Existing.ObjectMeta.Labels == nil {
 r.Existing.ObjectMeta.Labels = make(map[string]string)
 }
- r.Existing.ObjectMeta.Labels[LabelClusterScan] = r.ClusterScan.Name
- r.Existing.ObjectMeta.Labels[LabelPlugin] = r.Plugin.Name
+ r.Existing.ObjectMeta.Labels[labelClusterScan] = r.ClusterScan.Name
+ r.Existing.ObjectMeta.Labels[labelPlugin] = r.Plugin.Name
 r.Existing.Spec.Schedule = r.ClusterScan.Spec.Schedule
 r.Existing.Spec.ConcurrencyPolicy = batchv1.ForbidConcurrent
 r.Existing.Spec.SuccessfulJobsHistoryLimit = r.ClusterScan.Spec.SuccessfulScansHistoryLimit
@@ -112,7 +115,7 @@ func (r *CronJobMutator) Mutate() error {
 r.Existing.Spec.JobTemplate.Spec.Template.Spec.RestartPolicy = corev1.RestartPolicyNever
 r.Existing.Spec.JobTemplate.Spec.BackoffLimit = pointer.Int32(0)
 r.Existing.Spec.JobTemplate.Spec.Template.Spec.ServiceAccountName = r.ServiceAccountName
- r.Existing.Spec.JobTemplate.Spec.Template.Annotations = map[string]string{"kubectl.kubernetes.io/default-container": r.Plugin.Name}
+ r.Existing.Spec.JobTemplate.Spec.Template.Annotations = map[string]string{annotationDefaultContainer: r.Plugin.Name}
 r.Existing.Spec.JobTemplate.Spec.Template.Spec.Volumes = []corev1.Volume{
 {
 Name: resultsVolumeName,
@@ -124,6 +127,7 @@ func (r *CronJobMutator) Mutate() error {
 },
 }
 if r.KubeconfigSecret != nil {
+ //nolint:lll
 r.Existing.Spec.JobTemplate.Spec.Template.Spec.Volumes = append(r.Existing.Spec.JobTemplate.Spec.Template.Spec.Volumes, corev1.Volume{
 Name: kubeconfigVolumeName,
 VolumeSource: corev1.VolumeSource{
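Review bot: `ClusterUID types.UID` is added to `CronJobMutator` without a doc comment saying where the value comes from or that it is handed to the worker as `CLUSTER_UID`; a line like `// ClusterUID is the UID of the scanned Cluster, exported to the worker as CLUSTER_UID.` would make the field self-explanatory next to the other undocumented fields. The struct definition starts outside this hunk.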
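Review bot: The `//nolint:lll` in the fourth hunk of this file (`@@ -124,6 +127,7 @@`) silences the linter instead of shortening the expression; binding the slice once removes both the long line and the repeated selector, e.g. `vols := &r.Existing.Spec.JobTemplate.Spec.Template.Spec.Volumes` followed by `*vols = append(*vols, corev1.Volume{`. `Mutate` starts and ends outside that hunk.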
@@ -277,6 +281,10 @@ func (r *CronJobMutator) workerEnv() []corev1.EnvVar {
 Name: "CLUSTER_NAME",
 Value: r.ClusterScan.Spec.ClusterRef.Name,
 },
+ corev1.EnvVar{
+ Name: "CLUSTER_UID",
+ Value: string(r.ClusterUID),
+ },
 corev1.EnvVar{
 Name: "NAMESPACE",
 ValueFrom: &corev1.EnvVarSource{
diff --git a/pkg/worker/config.go b/pkg/worker/config.go
index 636c46dd..f152c94d 100644
--- a/pkg/worker/config.go
+++ b/pkg/worker/config.go
@@ -28,6 +28,7 @@ type config struct {
 PluginName string `env:"PLUGIN_NAME,required"`
 PluginType string `env:"PLUGIN_TYPE,required"`
 ClusterName string `env:"CLUSTER_NAME,required"`
+ ClusterUID string `env:"CLUSTER_UID,required"`
 Namespace string `env:"NAMESPACE,required"`
 JobName string `env:"JOB_NAME,required"`
 JobUID string `env:"JOB_UID,required"`
diff --git a/pkg/worker/config_test.go b/pkg/worker/config_test.go
index e1b689fa..6ec82905 100644
--- a/pkg/worker/config_test.go
+++ b/pkg/worker/config_test.go
@@ -38,6 +38,7 @@ func TestConfigFromEnv(t *testing.T) {
 "PLUGIN_NAME": "plugin",
 "PLUGIN_TYPE": "misconfiguration",
 "CLUSTER_NAME": "cluster",
+ "CLUSTER_UID": "9a1d324c-9170-4aa7-9f64-76f01c9d7989",
 "NAMESPACE": "ns",
 "JOB_NAME": "cluster-plugin-28140229",
 "JOB_UID": "50c8957e-c9e1-493a-9fa4-d0786deea017",
@@ -49,6 +50,7 @@ func TestConfigFromEnv(t *testing.T) {
 PluginName: "plugin",
 PluginType: "misconfiguration",
 ClusterName: "cluster",
+ ClusterUID: "9a1d324c-9170-4aa7-9f64-76f01c9d7989",
 Namespace: "ns",
 JobName: "cluster-plugin-28140229",
 JobUID: "50c8957e-c9e1-493a-9fa4-d0786deea017",
@@ -63,10 +65,11 @@ func TestConfigFromEnv(t *testing.T) {
 //"PLUGIN_NAME": "plugin",
 "PLUGIN_TYPE": "misconfiguration",
 "CLUSTER_NAME": "cluster",
- "NAMESPACE": "ns",
- "JOB_NAME": "cluster-plugin-28140229",
- "JOB_UID": "50c8957e-c9e1-493a-9fa4-d0786deea017",
- "POD_NAME": "cluster-plugin-28140229-h9kcn",
+ //"CLUSTER_UID": "9a1d324c-9170-4aa7-9f64-76f01c9d7989",
+ "NAMESPACE": "ns",
+ "JOB_NAME": "cluster-plugin-28140229",
+ "JOB_UID": "50c8957e-c9e1-493a-9fa4-d0786deea017",
+ "POD_NAME": "cluster-plugin-28140229-h9kcn",
 },
 wantErr: true,
 },
@@ -76,6 +79,7 @@ func TestConfigFromEnv(t *testing.T) {
 "PLUGIN_NAME": "plugin",
 "PLUGIN_TYPE": "vulnerability",
 "CLUSTER_NAME": "cluster",
+ "CLUSTER_UID": "9a1d324c-9170-4aa7-9f64-76f01c9d7989",
 "NAMESPACE": "ns",
 "JOB_NAME": "cluster-plugin-28140229",
 "JOB_UID": "50c8957e-c9e1-493a-9fa4-d0786deea017",
@@ -90,6 +94,7 @@ func TestConfigFromEnv(t *testing.T) {
 PluginName: "plugin",
 PluginType: "vulnerability",
 ClusterName: "cluster",
+ ClusterUID: "9a1d324c-9170-4aa7-9f64-76f01c9d7989",
 Namespace: "ns",
 JobName: "cluster-plugin-28140229",
 JobUID: "50c8957e-c9e1-493a-9fa4-d0786deea017",
diff --git a/pkg/worker/misconfig.go b/pkg/worker/misconfig.go
index e1f36dd4..113031f0 100644
--- a/pkg/worker/misconfig.go
+++ b/pkg/worker/misconfig.go
@@ -16,7 +16,6 @@ package worker
 
 import (
 "context"
- "errors"
 "fmt"
 "io"
 "strconv"
@@ -64,7 +63,7 @@ func handleMisconfiguration(ctx context.Context, cfg *config, results io.Reader,
 func parseMisconfigResults(ctx context.Context, cfg *config, results io.Reader) ([]v1alpha1.ClusterIssue, error) {
 parseFunc, ok := misconfigPlugins[cfg.PluginName]
 if !ok {
- return nil, errors.New(fmt.Sprintf("invalid plugin %q", cfg.PluginName))
+ return nil, fmt.Errorf("invalid plugin %q", cfg.PluginName)
 }
 specs, err := parseFunc(ctx, results)
 if err != nil {
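Review bot: The error-case table entry in the first hunk now comments out both `PLUGIN_NAME` and `CLUSTER_UID`, so `wantErr: true` is already satisfied by the missing `PLUGIN_NAME` and the test never proves that `CLUSTER_UID` on its own is required. Add a separate table case that sets every other variable (including `PLUGIN_NAME`) and omits only `CLUSTER_UID`, expecting an error, so a later relaxation of the `required` tag is caught. `TestConfigFromEnv` starts and ends outside this hunk.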
@@ -88,13 +87,14 @@ func newClusterIssue(cfg *config, spec v1alpha1.ClusterIssueSpec, owner metav1.O
 Namespace: cfg.Namespace,
 OwnerReferences: []metav1.OwnerReference{owner},
 Labels: map[string]string{
- v1alpha1.LabelScanID: cfg.JobUID,
- v1alpha1.LabelCluster: cfg.ClusterName,
- v1alpha1.LabelPlugin: cfg.PluginName,
- v1alpha1.LabelSeverity: string(spec.Severity),
- v1alpha1.LabelIssueID: spec.ID,
- v1alpha1.LabelCategory: strings.ReplaceAll(spec.Category, " ", ""),
- v1alpha1.LabelCustom: strconv.FormatBool(spec.Custom),
+ v1alpha1.LabelScanID: cfg.JobUID,
+ v1alpha1.LabelCluster: cfg.ClusterName,
+ v1alpha1.LabelClusterUID: cfg.ClusterUID,
+ v1alpha1.LabelPlugin: cfg.PluginName,
+ v1alpha1.LabelSeverity: string(spec.Severity),
+ v1alpha1.LabelIssueID: spec.ID,
+ v1alpha1.LabelCategory: strings.ReplaceAll(spec.Category, " ", ""),
+ v1alpha1.LabelCustom: strconv.FormatBool(spec.Custom),
 },
 },
 Spec: spec,
diff --git a/pkg/worker/misconfig_test.go b/pkg/worker/misconfig_test.go
index 2c1c36eb..f0b4ed91 100644
--- a/pkg/worker/misconfig_test.go
+++ b/pkg/worker/misconfig_test.go
@@ -61,6 +61,7 @@ func TestParseMisconfigResults(t *testing.T) {
 cfg: &config{
 PluginName: "marvin",
 ClusterName: "cluster",
+ ClusterUID: "9a1d324c-9170-4aa7-9f64-76f01c9d7989",
 Namespace: "ns",
 JobName: "cluster-marvin-28140229",
 JobUID: "50c8957e-c9e1-493a-9fa4-d0786deea017",
@@ -84,13 +85,14 @@ func TestParseMisconfigResults(t *testing.T) {
 },
 },
 Labels: map[string]string{
- v1alpha1.LabelScanID: "50c8957e-c9e1-493a-9fa4-d0786deea017",
- v1alpha1.LabelCluster: "cluster",
- v1alpha1.LabelSeverity: string(v1alpha1.SeverityMedium),
- v1alpha1.LabelIssueID: "M-400",
- v1alpha1.LabelCategory: "BestPractices",
- v1alpha1.LabelPlugin: "marvin",
- v1alpha1.LabelCustom: "false",
+ v1alpha1.LabelScanID: "50c8957e-c9e1-493a-9fa4-d0786deea017",
+ v1alpha1.LabelCluster: "cluster",
+ v1alpha1.LabelClusterUID: "9a1d324c-9170-4aa7-9f64-76f01c9d7989",
+ v1alpha1.LabelSeverity: string(v1alpha1.SeverityMedium),
+ v1alpha1.LabelIssueID: "M-400",
+ v1alpha1.LabelCategory: "BestPractices",
+ v1alpha1.LabelPlugin: "marvin",
+ v1alpha1.LabelCustom: "false",
 },
 },
 Spec: v1alpha1.ClusterIssueSpec{
@@ -120,13 +122,14 @@ func TestParseMisconfigResults(t *testing.T) {
 },
 },
 Labels: map[string]string{
- v1alpha1.LabelScanID: "50c8957e-c9e1-493a-9fa4-d0786deea017",
- v1alpha1.LabelCluster: "cluster",
- v1alpha1.LabelSeverity: string(v1alpha1.SeverityMedium),
- v1alpha1.LabelIssueID: "M-407",
- v1alpha1.LabelCategory: "Reliability",
- v1alpha1.LabelPlugin: "marvin",
- v1alpha1.LabelCustom: "false",
+ v1alpha1.LabelScanID: "50c8957e-c9e1-493a-9fa4-d0786deea017",
+ v1alpha1.LabelCluster: "cluster",
+ v1alpha1.LabelClusterUID: "9a1d324c-9170-4aa7-9f64-76f01c9d7989",
+ v1alpha1.LabelSeverity: string(v1alpha1.SeverityMedium),
+ v1alpha1.LabelIssueID: "M-407",
+ v1alpha1.LabelCategory: "Reliability",
+ v1alpha1.LabelPlugin: "marvin",
+ v1alpha1.LabelCustom: "false",
 },
 },
 Spec: v1alpha1.ClusterIssueSpec{
@@ -156,13 +159,14 @@ func TestParseMisconfigResults(t *testing.T) {
 },
 },
 Labels: map[string]string{
- v1alpha1.LabelScanID: "50c8957e-c9e1-493a-9fa4-d0786deea017",
- v1alpha1.LabelCluster: "cluster",
- v1alpha1.LabelSeverity: string(v1alpha1.SeverityLow),
- v1alpha1.LabelIssueID: "M-116",
- v1alpha1.LabelCategory: "Security",
- v1alpha1.LabelPlugin: "marvin",
- v1alpha1.LabelCustom: "false",
+ v1alpha1.LabelScanID: "50c8957e-c9e1-493a-9fa4-d0786deea017",
+ v1alpha1.LabelCluster: "cluster",
+ v1alpha1.LabelClusterUID: "9a1d324c-9170-4aa7-9f64-76f01c9d7989",
+ v1alpha1.LabelSeverity: string(v1alpha1.SeverityLow),
+ v1alpha1.LabelIssueID: "M-116",
+ v1alpha1.LabelCategory: "Security",
+ v1alpha1.LabelPlugin: "marvin",
+ v1alpha1.LabelCustom: "false",
 },
 },
 Spec: v1alpha1.ClusterIssueSpec{
@@ -192,13 +196,14 @@ func TestParseMisconfigResults(t *testing.T) {
 },
 },
 Labels: map[string]string{
- v1alpha1.LabelScanID: "50c8957e-c9e1-493a-9fa4-d0786deea017",
- v1alpha1.LabelCluster: "cluster",
- v1alpha1.LabelSeverity: string(v1alpha1.SeverityMedium),
- v1alpha1.LabelIssueID: "M-113",
- v1alpha1.LabelCategory: "Security",
- v1alpha1.LabelPlugin: "marvin",
- v1alpha1.LabelCustom: "false",
+ v1alpha1.LabelScanID: "50c8957e-c9e1-493a-9fa4-d0786deea017",
+ v1alpha1.LabelCluster: "cluster",
+ v1alpha1.LabelClusterUID: "9a1d324c-9170-4aa7-9f64-76f01c9d7989",
+ v1alpha1.LabelSeverity: string(v1alpha1.SeverityMedium),
+ v1alpha1.LabelIssueID: "M-113",
+ v1alpha1.LabelCategory: "Security",
+ v1alpha1.LabelPlugin: "marvin",
+ v1alpha1.LabelCustom: "false",
 },
 },
 Spec: v1alpha1.ClusterIssueSpec{
@@ -228,13 +233,14 @@ func TestParseMisconfigResults(t *testing.T) {
 },
 },
 Labels: map[string]string{
- v1alpha1.LabelScanID: "50c8957e-c9e1-493a-9fa4-d0786deea017",
- v1alpha1.LabelCluster: "cluster",
- v1alpha1.LabelSeverity: string(v1alpha1.SeverityLow),
- v1alpha1.LabelIssueID: "M-115",
- v1alpha1.LabelCategory: "Security",
- v1alpha1.LabelPlugin: "marvin",
- v1alpha1.LabelCustom: "false",
+ v1alpha1.LabelScanID: "50c8957e-c9e1-493a-9fa4-d0786deea017",
+ v1alpha1.LabelCluster: "cluster",
+ v1alpha1.LabelClusterUID: "9a1d324c-9170-4aa7-9f64-76f01c9d7989",
+ v1alpha1.LabelSeverity: string(v1alpha1.SeverityLow),
+ v1alpha1.LabelIssueID: "M-115",
+ v1alpha1.LabelCategory: "Security",
+ v1alpha1.LabelPlugin: "marvin",
+ v1alpha1.LabelCustom: "false",
 },
 },
 Spec: v1alpha1.ClusterIssueSpec{
@@ -264,13 +270,14 @@ func TestParseMisconfigResults(t *testing.T) {
 },
 },
 Labels: map[string]string{
- v1alpha1.LabelScanID: "50c8957e-c9e1-493a-9fa4-d0786deea017",
- v1alpha1.LabelCluster: "cluster",
- v1alpha1.LabelSeverity: string(v1alpha1.SeverityLow),
- v1alpha1.LabelIssueID: "M-202",
- v1alpha1.LabelCategory: "Security",
- v1alpha1.LabelPlugin: "marvin",
- v1alpha1.LabelCustom: "false",
+ v1alpha1.LabelScanID: "50c8957e-c9e1-493a-9fa4-d0786deea017",
+ v1alpha1.LabelCluster: "cluster",
+ v1alpha1.LabelClusterUID: "9a1d324c-9170-4aa7-9f64-76f01c9d7989",
+ v1alpha1.LabelSeverity: string(v1alpha1.SeverityLow),
+ v1alpha1.LabelIssueID: "M-202",
+ v1alpha1.LabelCategory: "Security",
+ v1alpha1.LabelPlugin: "marvin",
+ v1alpha1.LabelCustom: "false",
 },
 },
 Spec: v1alpha1.ClusterIssueSpec{
@@ -300,13 +307,14 @@ func TestParseMisconfigResults(t *testing.T) {
 },
 },
 Labels: map[string]string{
- v1alpha1.LabelScanID: "50c8957e-c9e1-493a-9fa4-d0786deea017",
- v1alpha1.LabelCluster: "cluster",
- v1alpha1.LabelSeverity: string(v1alpha1.SeverityLow),
- v1alpha1.LabelIssueID: "M-300",
- v1alpha1.LabelCategory: "Security",
- v1alpha1.LabelPlugin: "marvin",
- v1alpha1.LabelCustom: "false",
+ v1alpha1.LabelScanID: "50c8957e-c9e1-493a-9fa4-d0786deea017",
+ v1alpha1.LabelCluster: "cluster",
+ v1alpha1.LabelClusterUID: "9a1d324c-9170-4aa7-9f64-76f01c9d7989",
+ v1alpha1.LabelSeverity: string(v1alpha1.SeverityLow),
+ v1alpha1.LabelIssueID: "M-300",
+ v1alpha1.LabelCategory: "Security",
+ v1alpha1.LabelPlugin: "marvin",
+ v1alpha1.LabelCustom: "false",
 },
 },
 Spec: v1alpha1.ClusterIssueSpec{
diff --git a/pkg/worker/report/marvin/parse.go b/pkg/worker/report/marvin/parse.go
index a0f94bfd..9202936e 100644
--- a/pkg/worker/report/marvin/parse.go
+++ b/pkg/worker/report/marvin/parse.go
@@ -38,7 +38,7 @@ func Parse(ctx context.Context, results io.Reader) ([]v1alpha1.ClusterIssueSpec,
 if err := json.NewDecoder(results).Decode(report); err != nil {
 return nil, err
 }
- var css []v1alpha1.ClusterIssueSpec
+ css := make([]v1alpha1.ClusterIssueSpec, 0, len(report.Checks))
 for _, check := range report.Checks {
 if check.Status != marvin.StatusFailed {
 continue
diff --git a/pkg/worker/report/marvin/urls.go b/pkg/worker/report/marvin/urls.go
index 724548ce..1d96e76a 100644
--- a/pkg/worker/report/marvin/urls.go
+++ b/pkg/worker/report/marvin/urls.go
@@ -22,6 +22,7 @@ const (
 k8sResourcesURL = "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
 )
 
+//nolint:lll
 var urls = map[string]string{
 "M-100": pssBaselineURL,
 "M-101": pssBaselineURL,
diff --git a/pkg/worker/report/popeye/parse.go b/pkg/worker/report/popeye/parse.go
index 54ee22b8..8cdf2e14 100644
--- a/pkg/worker/report/popeye/parse.go
+++ b/pkg/worker/report/popeye/parse.go
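Review bot: Pre-sizing `css` with `make([]v1alpha1.ClusterIssueSpec, 0, len(report.Checks))` in the `marvin/parse.go` hunk changes the result for a report with no failed checks from a nil slice to an empty non-nil slice; that is invisible to `len` and `range` but visible to `== nil` comparisons, `reflect.DeepEqual`-style test expectations and JSON encoding (`null` versus `[]`), so any such caller or test should be checked. The capacity is also only an upper bound, since passing checks are skipped on the following lines; a comment such as `// capacity is an upper bound: only failed checks are appended` would say so. `Parse` starts and ends outside this hunk.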
@@ -87,7 +87,7 @@ func Parse(ctx context.Context, results io.Reader) ([]v1alpha1.ClusterIssueSpec, ID: id, Message: msg, Severity: LevelToIssueSeverity[iss.Level], - Category: IssueIDtoCategory[id], + Category: getCategory(id), Url: IssueIDtoUrl[id], Resources: map[string][]string{}, TotalResources: 0, diff --git a/pkg/worker/report/popeye/parse_types.go b/pkg/worker/report/popeye/parse_types.go index 1461d77f..e31aad65 100644 --- a/pkg/worker/report/popeye/parse_types.go +++ b/pkg/worker/report/popeye/parse_types.go @@ -14,7 +14,12 @@ package popeye -import zorav1a1 "github.com/undistro/zora/api/zora/v1alpha1" +import ( + "strconv" + "strings" + + zorav1a1 "github.com/undistro/zora/api/zora/v1alpha1" +) var ( // LevelToIssueSeverity maps Popeye's type to Zora's @@ -104,6 +109,7 @@ var ( // IssueIDtoUrl maps Popeye's issue codes to urls for wiki pages, blog // posts and other sources documenting the issue. + //nolint:lll IssueIDtoUrl = map[string]string{ // Container "POP-100": "https://kubernetes.io/docs/concepts/containers/images/#image-names", 
@@ -218,106 +224,47 @@ var ( // RBAC "POP-1300": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding", } - - // IssueIDtoCategory maps Popeye's issue codes to Category as described - IssueIDtoCategory = map[string]string{ - "POP-100": "Container", - "POP-101": "Container", - "POP-102": "Container", - "POP-103": "Container", - "POP-104": "Container", - "POP-105": "Container", - "POP-106": "Container", - "POP-107": "Container", - "POP-108": "Container", - "POP-109": "Container", - "POP-110": "Container", - "POP-111": "Container", - "POP-112": "Container", - "POP-113": "Container", - - "POP-200": "Pod", - "POP-201": "Pod", - "POP-202": "Pod", - "POP-203": "Pod", - "POP-204": "Pod", - "POP-205": "Pod", - "POP-206": "Pod", - "POP-207": "Pod", - "POP-208": "Pod", - - "POP-300": "Security", - "POP-301": "Security", - "POP-302": "Security", - "POP-303": "Security", - "POP-304": "Security", - "POP-305": "Security", - "POP-306": "Security", - - "POP-400": "General", - "POP-401": "General", - "POP-402": "General", - "POP-403": "General", - "POP-404": "General", - "POP-405": "General", - "POP-406": "General", - - "POP-500": "Workloads", - "POP-501": "Workloads", - "POP-503": "Workloads", - "POP-504": "Workloads", - "POP-505": "Workloads", - "POP-506": "Workloads", - "POP-507": "Workloads", - - "POP-600": "HorizontalPodAutoscaler", - "POP-601": "HorizontalPodAutoscaler", - "POP-602": "HorizontalPodAutoscaler", - "POP-603": "HorizontalPodAutoscaler", - "POP-604": "HorizontalPodAutoscaler", - "POP-605": "HorizontalPodAutoscaler", - - "POP-700": "Node", - "POP-701": "Node", - "POP-702": "Node", - "POP-703": "Node", - "POP-704": "Node", - "POP-705": "Node", - "POP-706": "Node", - "POP-707": "Node", - "POP-708": "Node", - "POP-709": "Node", - "POP-710": "Node", - "POP-711": "Node", - "POP-712": "Node", - - "POP-800": "Namespace", - - "POP-900": "PodDisruptionBudget", - "POP-901": "PodDisruptionBudget", - - "POP-1000": "Volumes", - 
"POP-1001": "Volumes", - "POP-1002": "Volumes", - "POP-1003": "Volumes", - "POP-1004": "Volumes", - - "POP-1100": "Service", - "POP-1101": "Service", - "POP-1102": "Service", - "POP-1103": "Service", - "POP-1104": "Service", - "POP-1105": "Service", - "POP-1106": "Service", - "POP-1107": "Service", - "POP-1108": "Service", - "POP-1109": "Service", - - "POP-1120": "ReplicaSet", - - "POP-1200": "NetworkPolicies", - "POP-1201": "NetworkPolicies", - - "POP-1300": "RBAC", + categoriesInterval = map[int]string{ + 1: "Container", + 2: "Pod", + 3: "Security", + 4: "General", + 5: "Workloads", + 6: "HorizontalPodAutoscaler", + 7: "Node", + 8: "Namespace", + 9: "PodDisruptionBudget", + 10: "Volumes", + 11: "Service", + // exception for "ReplicaSet" of POP-1120 + 12: "NetworkPolicies", + 13: "RBAC", } ) + +// getCategory returns a category from the given issue ID. +// https://github.com/derailed/popeye/blob/master/docs/codes.md +func getCategory(s string) string { + ss := strings.SplitN(s, "-", 2) + if len(ss) != 2 { + return "" + } + + id, err := strconv.Atoi(ss[1]) + if err != nil { + return "" + } + + if id == 1120 { + return "ReplicaSet" + } + + for i, category := range categoriesInterval { + start := i * 100 + if id >= start && id < start+100 { + return category + } + } + + return "" +} diff --git a/pkg/worker/report/popeye/parse_types_test.go b/pkg/worker/report/popeye/parse_types_test.go new file mode 100644 index 00000000..9d85b5f5 --- /dev/null +++ b/pkg/worker/report/popeye/parse_types_test.go 
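Review bot: The range loop over `categoriesInterval` in getCategory does a linear scan for what is a direct key lookup: every interval is exactly one hundred wide and starts at `i*100`, so `id/100` is the map key and the loop can become `if category, ok := categoriesInterval[id/100]; ok { return category }` followed by `return ""`. The `// exception for "ReplicaSet" of POP-1120` comment sits between the `11` and `12` entries, where it reads as describing NetworkPolicies; it belongs above the map or next to the `id == 1120` branch. The function also never checks that `ss[0]` is `POP`, so any `<prefix>-<n>` string is categorized — if IDs from other sources can reach this path, add `if ss[0] != "POP" { return "" }`, otherwise document that the prefix is ignored by design. Note too that each hundred is now open-ended, so a code Popeye does not define (a hypothetical POP-150, say) gets a category where the old map returned an empty string, which is fine only if callers do not use the empty value to detect unknown codes.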
@@ -0,0 +1,192 @@ +// Copyright 2024 Undistro Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package popeye + +import "testing" + +func Test_getCategory(t *testing.T) { + tests := []struct { + id string + want string + }{ + { + id: "POP-100", + want: "Container", + }, + { + id: "POP-101", + want: "Container", + }, + { + id: "POP-199", + want: "Container", + }, + { + id: "POP-200", + want: "Pod", + }, + { + id: "POP-201", + want: "Pod", + }, + { + id: "POP-299", + want: "Pod", + }, + { + id: "POP-300", + want: "Security", + }, + { + id: "POP-301", + want: "Security", + }, + { + id: "POP-399", + want: "Security", + }, + { + id: "POP-400", + want: "General", + }, + { + id: "POP-401", + want: "General", + }, + { + id: "POP-499", + want: "General", + }, + { + id: "POP-500", + want: "Workloads", + }, + { + id: "POP-501", + want: "Workloads", + }, + { + id: "POP-599", + want: "Workloads", + }, + { + id: "POP-600", + want: "HorizontalPodAutoscaler", + }, + { + id: "POP-601", + want: "HorizontalPodAutoscaler", + }, + { + id: "POP-699", + want: "HorizontalPodAutoscaler", + }, + { + id: "POP-700", + want: "Node", + }, + { + id: "POP-701", + want: "Node", + }, + { + id: "POP-799", + want: "Node", + }, + { + id: "POP-800", + want: "Namespace", + }, + { + id: "POP-801", + want: "Namespace", + }, + { + id: "POP-899", + want: "Namespace", + }, + { + id: "POP-900", + want: "PodDisruptionBudget", + }, + { + id: "POP-901", + want: "PodDisruptionBudget", + }, + { + 
id: "POP-999", + want: "PodDisruptionBudget", + }, + { + id: "POP-1000", + want: "Volumes", + }, + { + id: "POP-1001", + want: "Volumes", + }, + { + id: "POP-1099", + want: "Volumes", + }, + { + id: "POP-1100", + want: "Service", + }, + { + id: "POP-1101", + want: "Service", + }, + { + id: "POP-1199", + want: "Service", + }, + { + id: "POP-1120", + want: "ReplicaSet", + }, + { + id: "POP-1200", + want: "NetworkPolicies", + }, + { + id: "POP-1201", + want: "NetworkPolicies", + }, + { + id: "POP-1299", + want: "NetworkPolicies", + }, + { + id: "POP-1300", + want: "RBAC", + }, + { + id: "POP-1301", + want: "RBAC", + }, + { + id: "POP-1399", + want: "RBAC", + }, + } + for _, tt := range tests { + t.Run(tt.id, func(t *testing.T) { + if got := getCategory(tt.id); got != tt.want { + t.Errorf("getCategory() = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/pkg/worker/report/trivy/parse.go b/pkg/worker/report/trivy/parse.go index 26776cba..1e9fc578 100644 --- a/pkg/worker/report/trivy/parse.go +++ b/pkg/worker/report/trivy/parse.go @@ -22,17 +22,19 @@ import ( "os" "strconv" "strings" + "time" trivyreport "github.com/aquasecurity/trivy/pkg/k8s/report" trivytypes "github.com/aquasecurity/trivy/pkg/types" "github.com/go-logr/logr" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "github.com/undistro/zora/api/zora/v1alpha1" ) func Parse(ctx context.Context, results io.Reader) ([]v1alpha1.VulnerabilityReportSpec, error) { log := logr.FromContextOrDiscard(ctx) - report := &trivyreport.ConsolidatedReport{} + report := &trivyreport.Report{} if err := json.NewDecoder(results).Decode(report); err != nil { return nil, err } 
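Review bot: Test_getCategory covers only the happy path; the three `return ""` branches in getCategory (no dash, non-numeric suffix, number outside the mapped hundreds) have no cases, and the two boundaries that matter most, `POP-99` and `POP-1400`, are absent. Adding rows such as `{id: "POP", want: ""}`, `{id: "POP-abc", want: ""}` and `{id: "POP-1400", want: ""}` would pin the fallback behaviour that popeye/parse.go now relies on for the Category field. A row for `POP-1120` next to `POP-1121` would likewise show that the ReplicaSet exception is a single code, not a range.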
@@ -42,28 +44,29 @@ func Parse(ctx context.Context, results io.Reader) ([]v1alpha1.VulnerabilityRepo // map to control which image + class was parsed parsed := make(map[string]bool) - for _, f := range report.Findings { - if f.Kind == "" { + for _, r := range report.Resources { + if r.Kind == "" { continue } - if len(f.Error) > 0 { - log.Info(fmt.Sprintf("trivy error for %q \"%s/%s\": %s", f.Kind, f.Namespace, f.Name, f.Error)) + if len(r.Error) > 0 { + log.Info(fmt.Sprintf("trivy error for %q \"%s/%s\": %s", r.Kind, r.Namespace, r.Name, r.Error)) continue } - img := getImage(f) + img := getImage(r) if img == "" { log.Info(`skipping finding without "os-pkgs" result`) continue } - for _, result := range f.Results { + for _, result := range r.Results { if len(result.Vulnerabilities) == 0 { + log.Info("skipping result without vulnerabilities") continue } if _, ok := vulnsByImage[img]; !ok { - vulnsByImage[img] = &v1alpha1.VulnerabilityReportSpec{Image: img} + vulnsByImage[img] = newSpec(img, r) } spec := vulnsByImage[img] - addResource(spec, f.Kind, f.Namespace, f.Name) + addResource(spec, r.Kind, r.Namespace, r.Name) k := fmt.Sprintf("%s;%s", img, result.Class) if _, ok := parsed[k]; ok { @@ -72,7 +75,7 @@ func Parse(ctx context.Context, results io.Reader) ([]v1alpha1.VulnerabilityRepo parsed[k] = true for _, vuln := range result.Vulnerabilities { - spec.Vulnerabilities = append(spec.Vulnerabilities, newVulnerability(vuln, ignoreDescriptions, result.Type)) + spec.Vulnerabilities = append(spec.Vulnerabilities, newVulnerability(vuln, ignoreDescriptions, string(result.Type))) } } } 
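Review bot: The new `log.Info("skipping result without vulnerabilities")` fires once per clean result of every scanned image, which on a healthy cluster is the majority of loop iterations, and unlike the other skip messages in this loop it names nothing that identifies what was skipped. Either lower it and add context, `log.V(1).Info("skipping result without vulnerabilities", "image", img, "class", result.Class)`, or drop it. Separately, `newSpec(img, r)` captures the Metadata of whichever resource is seen first for an image; later resources referencing the same image contribute only to Resources, so any difference in their Metadata (tags, for instance) is silently dropped — presumably acceptable, but a short comment on the `if _, ok := vulnsByImage[img]; !ok` branch should say so. Parse's body continues outside the hunk.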
@@ -84,30 +87,60 @@ func Parse(ctx context.Context, results io.Reader) ([]v1alpha1.VulnerabilityRepo return specs, nil } -func newVulnerability(vuln trivytypes.DetectedVulnerability, ignoreDescriptions bool, resultType string) v1alpha1.Vulnerability { +func newSpec(img string, resource trivyreport.Resource) *v1alpha1.VulnerabilityReportSpec { + meta := resource.Metadata + s := &v1alpha1.VulnerabilityReportSpec{ + Image: img, + Tags: meta.RepoTags, + Architecture: meta.ImageConfig.Architecture, + OS: meta.ImageConfig.OS, + } + if len(meta.RepoDigests) > 0 { + s.Digest = meta.RepoDigests[0] + } + if o := meta.OS; o != nil { + s.Distro = &v1alpha1.Distro{ + Name: string(o.Family), + Version: o.Name, + } + } + return s +} + +func newVulnerability(vuln trivytypes.DetectedVulnerability, ignoreDescription bool, t string) v1alpha1.Vulnerability { description := "" - if !ignoreDescriptions { + if !ignoreDescription { description = vuln.Description } return v1alpha1.Vulnerability{ - ID: vuln.VulnerabilityID, - Severity: vuln.Severity, - Title: vuln.Title, - Description: description, - Package: vuln.PkgName, - Version: vuln.InstalledVersion, - FixVersion: vuln.FixedVersion, - URL: vuln.PrimaryURL, - Status: vuln.Status.String(), - Score: getScore(vuln), - Type: resultType, + ID: vuln.VulnerabilityID, + Severity: vuln.Severity, + Title: vuln.Title, + Description: description, + Package: vuln.PkgName, + Version: vuln.InstalledVersion, + FixVersion: vuln.FixedVersion, + URL: vuln.PrimaryURL, + Status: vuln.Status.String(), + Score: getScore(vuln), + Type: t, + PublishedDate: parseTime(vuln.PublishedDate), + LastModifiedDate: parseTime(vuln.LastModifiedDate), + } +} + +func parseTime(t *time.Time) *metav1.Time { + if t == nil { + return nil } + return &metav1.Time{Time: *t} } func getScore(vuln trivytypes.DetectedVulnerability) string { var vendor *float64 for id, cvss := range vuln.CVSS { + cvss := cvss if cvss.V3Score == 0.0 { continue } 
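Review bot: newSpec leaves Digest empty when `meta.RepoDigests` is empty, yet the commit says the VulnerabilityReport now requires a digest; if that is enforced by the CRD schema, specs built for images that carry no registry digest (locally loaded images typically have an ImageID but no RepoDigests) will be rejected at report creation, far from where the value was lost. Either fall back to `meta.ImageID` with a comment that it is a local content ID rather than a registry digest, or have the caller skip and log the image when `s.Digest == ""` so the failure is diagnosable here. The digest is also taken from `RepoDigests[0]` without checking that it belongs to the same repository as `img` (the Target-derived name from getImage); a multi-tagged image can carry digests from several registries, so either select the entry whose repository prefix matches `img` or document that the first entry is assumed canonical, since the digest is what lets a consumer tie the report to a specific image. The `cvss := cvss` copy in getScore is only needed before Go 1.22; if go.mod targets 1.22 or later it can go.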
@@ -122,8 +155,8 @@ func getScore(vuln trivytypes.DetectedVulnerability) string { return fmt.Sprintf("%v", *vendor) } -func getImage(finding trivyreport.Resource) string { - for _, r := range finding.Results { +func getImage(resource trivyreport.Resource) string { + for _, r := range resource.Results { if r.Class == "os-pkgs" { return strings.SplitN(r.Target, " (", 2)[0] } diff --git a/pkg/worker/report/trivy/parse_test.go b/pkg/worker/report/trivy/parse_test.go index 606e3464..e075adb7 100644 --- a/pkg/worker/report/trivy/parse_test.go +++ b/pkg/worker/report/trivy/parse_test.go @@ -21,8 +21,10 @@ import ( "sort" "strings" "testing" + "time" "github.com/google/go-cmp/cmp" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "github.com/undistro/zora/api/zora/v1alpha1" ) 
@@ -40,170 +42,215 @@ func TestParse(t *testing.T) { wantErr: false, want: []v1alpha1.VulnerabilityReportSpec{ { - Image: "registry.k8s.io/kube-apiserver:v1.25.3", - Resources: map[string][]string{"Pod": {"kube-system/kube-apiserver-kind-control-plane"}}, + Image: "registry.k8s.io/kube-apiserver:v1.27.3", + Tags: []string{"registry.k8s.io/kube-apiserver:v1.27.3"}, + Digest: "registry.k8s.io/kube-apiserver@sha256:fd03335dd2e7163e5e36e933a0c735d7fec6f42b33ddafad0bc54f333e4a23c0", + Architecture: "amd64", + OS: "linux", + Distro: &v1alpha1.Distro{Name: "debian", Version: "11.7"}, TotalResources: 1, + Resources: map[string][]string{"Pod": {"kube-system/kube-apiserver-kind-control-plane"}}, Vulnerabilities: []v1alpha1.Vulnerability{ { - ID: "CVE-2022-41723", - Severity: "HIGH", - Title: "avoid quadratic complexity in HPACK decoding", - Description: "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", - Package: "golang.org/x/net", - Version: "v0.0.0-20220722155237-a158d28d115b", - FixVersion: "0.7.0", - URL: "https://avd.aquasec.com/nvd/cve-2022-41723", - Status: "fixed", - Type: "gobinary", - Score: "7.5", + ID: "CVE-2022-41723", + Severity: "HIGH", + Title: "avoid quadratic complexity in HPACK decoding", + Description: "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", + Package: "golang.org/x/net", + Version: "v0.0.0-20220722155237-a158d28d115b", + FixVersion: "0.7.0", + URL: "https://avd.aquasec.com/nvd/cve-2022-41723", + Status: "fixed", + Type: "gobinary", + Score: "7.5", + PublishedDate: newTime("2023-02-28T18:15:00Z"), + LastModifiedDate: newTime("2023-05-16T10:50:00Z"), }, }, Summary: v1alpha1.VulnerabilitySummary{Total: 1, High: 1}, }, { Image: "quay.io/kiwigrid/k8s-sidecar:1.22.0", - Resources: 
map[string][]string{"Deployment": {"apps/app1", "apps/app2"}}, + Tags: []string{"quay.io/kiwigrid/k8s-sidecar:1.22.0"}, + Digest: "quay.io/kiwigrid/k8s-sidecar@sha256:eaa478cdd0b8e1be7a4813bc1b01948b838e2feaa6d999e60c997dc823013824", + Architecture: "amd64", + OS: "linux", + Distro: &v1alpha1.Distro{Name: "alpine", Version: "3.16.3"}, TotalResources: 2, + Resources: map[string][]string{"Deployment": {"apps/app1", "apps/app2"}}, Vulnerabilities: []v1alpha1.Vulnerability{ { - ID: "CVE-2022-4450", - Severity: "HIGH", - Title: "double free after calling PEM_read_bio_ex", - Description: "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data. If the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. 
These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.", - Package: "libssl1.1", - Version: "1.1.1s-r0", - FixVersion: "1.1.1t-r0", - URL: "https://avd.aquasec.com/nvd/cve-2022-4450", - Status: "fixed", - Type: "alpine", - Score: "7.5", + ID: "CVE-2022-4450", + Severity: "HIGH", + Title: "double free after calling PEM_read_bio_ex", + Description: "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data. If the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. 
The OpenSSL asn1parse command line application is also impacted by this issue.", + Package: "libssl1.1", + Version: "1.1.1s-r0", + FixVersion: "1.1.1t-r0", + URL: "https://avd.aquasec.com/nvd/cve-2022-4450", + Status: "fixed", + Type: "alpine", + Score: "7.5", + PublishedDate: newTime("2023-02-08T20:15:00Z"), + LastModifiedDate: newTime("2023-07-19T00:57:00Z"), }, { - ID: "CVE-2022-4450", - Severity: "HIGH", - Title: "double free after calling PEM_read_bio_ex", - Description: "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data. If the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. 
The OpenSSL asn1parse command line application is also impacted by this issue.", - Package: "libcrypto1.1", - Version: "1.1.1s-r0", - FixVersion: "1.1.1t-r0", - URL: "https://avd.aquasec.com/nvd/cve-2022-4450", - Status: "fixed", - Type: "alpine", - Score: "7.5", + ID: "CVE-2022-4450", + Severity: "HIGH", + Title: "double free after calling PEM_read_bio_ex", + Description: "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data. If the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. 
The OpenSSL asn1parse command line application is also impacted by this issue.", + Package: "libcrypto1.1", + Version: "1.1.1s-r0", + FixVersion: "1.1.1t-r0", + URL: "https://avd.aquasec.com/nvd/cve-2022-4450", + Status: "fixed", + Type: "alpine", + Score: "7.5", + PublishedDate: newTime("2023-02-08T20:15:00Z"), + LastModifiedDate: newTime("2023-07-19T00:57:00Z"), }, { - ID: "CVE-2023-37920", - Severity: "CRITICAL", - Title: "Removal of e-Tugra root certificate", - Description: "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes \"e-Tugra\" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from \"e-Tugra\" from the root store.", - Package: "certifi", - Version: "2022.12.7", - FixVersion: "2023.7.22", - URL: "https://avd.aquasec.com/nvd/cve-2023-37920", - Status: "fixed", - Type: "python-pkg", - Score: "9.8", + ID: "CVE-2023-37920", + Severity: "CRITICAL", + Title: "Removal of e-Tugra root certificate", + Description: "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes \"e-Tugra\" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. 
Certifi 2023.07.22 removes root certificates from \"e-Tugra\" from the root store.", + Package: "certifi", + Version: "2022.12.7", + FixVersion: "2023.7.22", + URL: "https://avd.aquasec.com/nvd/cve-2023-37920", + Status: "fixed", + Type: "python-pkg", + Score: "9.8", + PublishedDate: newTime("2023-07-25T21:15:00Z"), + LastModifiedDate: newTime("2023-08-12T06:16:00Z"), }, }, Summary: v1alpha1.VulnerabilitySummary{Total: 3, Critical: 1, High: 2}, }, { Image: "docker.io/istio/examples-bookinfo-ratings-v1:1.17.0", - Resources: map[string][]string{"Deployment": {"apps/app1"}}, + Tags: []string{"istio/examples-bookinfo-ratings-v1:1.17.0"}, + Digest: "istio/examples-bookinfo-ratings-v1@sha256:b6a6b88d35785c19f6dcb6acf055aa585511f2126bb0b5802f3107b7d37ead0b", + Architecture: "amd64", + OS: "linux", + Distro: &v1alpha1.Distro{Name: "debian", Version: "9.12"}, TotalResources: 1, + Resources: map[string][]string{"Deployment": {"apps/app1"}}, Vulnerabilities: []v1alpha1.Vulnerability{ { - ID: "DLA-3051-1", - Severity: "UNKNOWN", - Title: "tzdata - new timezone database", - Description: "", - Package: "tzdata", - Version: "2019c-0+deb9u1", - FixVersion: "2021a-0+deb9u4", - URL: "", - Status: "fixed", - Type: "debian", + ID: "DLA-3051-1", + Severity: "UNKNOWN", + Title: "tzdata - new timezone database", + Description: "", + Package: "tzdata", + Version: "2019c-0+deb9u1", + FixVersion: "2021a-0+deb9u4", + URL: "", + Status: "fixed", + Type: "debian", + PublishedDate: nil, + LastModifiedDate: nil, }, { - ID: "CVE-2016-2779", - Severity: "HIGH", - Title: "util-linux: runuser tty hijack via TIOCSTI ioctl", - Description: "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - Package: "bsdutils", - Version: "1:2.29.2-1+deb9u1", - FixVersion: "", - URL: "https://avd.aquasec.com/nvd/cve-2016-2779", - Status: "affected", - Type: "debian", - Score: "7.8", + ID: 
"CVE-2016-2779", + Severity: "HIGH", + Title: "util-linux: runuser tty hijack via TIOCSTI ioctl", + Description: "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + Package: "bsdutils", + Version: "1:2.29.2-1+deb9u1", + FixVersion: "", + URL: "https://avd.aquasec.com/nvd/cve-2016-2779", + Status: "affected", + Type: "debian", + Score: "7.8", + PublishedDate: newTime("2017-02-07T15:59:00Z"), + LastModifiedDate: newTime("2019-01-04T14:14:00Z"), }, { - ID: "GHSA-jmqm-f2gx-4fjv", - Severity: "MEDIUM", - Title: "Sensitive information exposure through logs in npm-registry-fetch", - Description: "Affected versions of `npm-registry-fetch` are vulnerable to an information exposure vulnerability through log files. The cli supports URLs like `\u003cprotocol\u003e://[\u003cuser\u003e[:\u003cpassword\u003e]@]\u003chostname\u003e[:\u003cport\u003e][:][/]\u003cpath\u003e`. The password value is not redacted and is printed to stdout and also to any generated log files.", - Package: "npm-registry-fetch", - Version: "4.0.4", - FixVersion: "8.1.1, 4.0.5", - URL: "https://github.com/advisories/GHSA-jmqm-f2gx-4fjv", - Status: "fixed", - Type: "node-pkg", - Score: "5.3", + ID: "GHSA-jmqm-f2gx-4fjv", + Severity: "MEDIUM", + Title: "Sensitive information exposure through logs in npm-registry-fetch", + Description: "Affected versions of `npm-registry-fetch` are vulnerable to an information exposure vulnerability through log files. The cli supports URLs like `\u003cprotocol\u003e://[\u003cuser\u003e[:\u003cpassword\u003e]@]\u003chostname\u003e[:\u003cport\u003e][:][/]\u003cpath\u003e`. 
The password value is not redacted and is printed to stdout and also to any generated log files.", + Package: "npm-registry-fetch", + Version: "4.0.4", + FixVersion: "8.1.1, 4.0.5", + URL: "https://github.com/advisories/GHSA-jmqm-f2gx-4fjv", + Status: "fixed", + Type: "node-pkg", + Score: "5.3", + PublishedDate: nil, + LastModifiedDate: nil, }, }, Summary: v1alpha1.VulnerabilitySummary{Total: 3, High: 1, Medium: 1, Unknown: 1}, }, { Image: "docker.io/istio/examples-bookinfo-details-v1:1.17.0", - Resources: map[string][]string{"Deployment": {"apps/app2"}}, + Tags: []string{"istio/examples-bookinfo-details-v1:1.17.0"}, + Digest: "istio/examples-bookinfo-details-v1@sha256:2b081e3c86dd8105040ea1f2adcc94cb473f41249dc9c91ebc1c2885ddd56c13", + Architecture: "amd64", + OS: "linux", + Distro: &v1alpha1.Distro{Name: "debian", Version: "10.5"}, TotalResources: 1, + Resources: map[string][]string{"Deployment": {"apps/app2"}}, Vulnerabilities: []v1alpha1.Vulnerability{ { - ID: "CVE-2016-2781", - Severity: "LOW", - Title: "coreutils: Non-privileged session can escape to the parent session in chroot", - Description: "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - Package: "coreutils", - Version: "8.30-3", - FixVersion: "", - URL: "https://avd.aquasec.com/nvd/cve-2016-2781", - Status: "will_not_fix", - Type: "debian", - Score: "6.5", + ID: "CVE-2016-2781", + Severity: "LOW", + Title: "coreutils: Non-privileged session can escape to the parent session in chroot", + Description: "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + Package: "coreutils", + Version: "8.30-3", + FixVersion: "", + URL: "https://avd.aquasec.com/nvd/cve-2016-2781", + Status: "will_not_fix", + Type: "debian", + Score: 
"6.5", + PublishedDate: newTime("2017-02-07T15:59:00Z"), + LastModifiedDate: newTime("2021-02-25T17:15:00Z"), }, { - ID: "CVE-2023-28755", - Severity: "HIGH", - Title: "ReDoS vulnerability in URI", - Description: "A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.", - Package: "uri", - Version: "0.10.0", - FixVersion: "~\u003e 0.10.0.1, ~\u003e 0.10.2, ~\u003e 0.11.1, \u003e= 0.12.1", - URL: "https://avd.aquasec.com/nvd/cve-2023-28755", - Status: "fixed", - Type: "gemspec", - Score: "5.3", + ID: "CVE-2023-28755", + Severity: "HIGH", + Title: "ReDoS vulnerability in URI", + Description: "A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. 
The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.", + Package: "uri", + Version: "0.10.0", + FixVersion: "~\u003e 0.10.0.1, ~\u003e 0.10.2, ~\u003e 0.11.1, \u003e= 0.12.1", + URL: "https://avd.aquasec.com/nvd/cve-2023-28755", + Status: "fixed", + Type: "gemspec", + Score: "5.3", + PublishedDate: newTime("2023-03-31T04:15:00Z"), + LastModifiedDate: newTime("2023-05-30T17:17:00Z"), }, }, Summary: v1alpha1.VulnerabilitySummary{Total: 2, High: 1, Low: 1}, }, { Image: "nginx@sha256:af296b188c7b7df99ba960ca614439c99cb7cf252ed7bbc23e90cfda59092305", + Tags: []string{"nginx:1.25.0"}, + Digest: "nginx@sha256:af296b188c7b7df99ba960ca614439c99cb7cf252ed7bbc23e90cfda59092305", + Architecture: "amd64", + OS: "linux", + Distro: &v1alpha1.Distro{Name: "debian", Version: "11.7"}, TotalResources: 1, Resources: map[string][]string{"Deployment": {"default/nginx"}}, Vulnerabilities: []v1alpha1.Vulnerability{ { - ID: "CVE-2023-3446", - Severity: "MEDIUM", - Title: "Excessive time spent checking DH keys and parameters", - Description: "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. 
Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", - Package: "openssl", - Version: "1.1.1n-0+deb11u4", - FixVersion: "", - URL: "https://avd.aquasec.com/nvd/cve-2023-3446", - Status: "fix_deferred", - Type: "debian", - Score: "5.3", + ID: "CVE-2023-3446", + Severity: "MEDIUM", + Title: "Excessive time spent checking DH keys and parameters", + Description: "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. 
Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + Package: "openssl", + Version: "1.1.1n-0+deb11u4", + FixVersion: "", + URL: "https://avd.aquasec.com/nvd/cve-2023-3446", + Status: "fix_deferred", + Type: "debian", + Score: "5.3", + PublishedDate: newTime("2023-07-19T12:15:00Z"), + LastModifiedDate: newTime("2023-08-16T08:15:00Z"), }, }, Summary: v1alpha1.VulnerabilitySummary{Total: 1, Medium: 1}, @@ -244,3 +291,11 @@ func sortVulns(specs []v1alpha1.VulnerabilityReportSpec) { }) } } + +func newTime(s string) *metav1.Time { + p, err := time.Parse(time.RFC3339, s) + if err != nil { + return nil + } + return &metav1.Time{Time: p} +} diff --git a/pkg/worker/report/trivy/testdata/report.json b/pkg/worker/report/trivy/testdata/report.json index 074dbc6b..303338ac 100644 --- a/pkg/worker/report/trivy/testdata/report.json +++ b/pkg/worker/report/trivy/testdata/report.json @@ -1,6 +1,6 @@ { "ClusterName": "kind-kind", - "Findings": [ + "Resources": [ { "Kind": "", "Name": "" 
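Review bot: newTime returns nil on a parse error, so a typo in one of the RFC3339 literals in TestParse silently turns the expectation into `PublishedDate: nil`, and the resulting cmp diff points at the parser rather than the fixture. Since this is test-only code, failing loudly is better: `if err != nil { panic("bad test timestamp " + s + ": " + err.Error()) }`, or pass `t *testing.T` and call `t.Fatalf`. The enclosing TestParse table starts outside the hunk.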
@@ -15,6 +15,68 @@ "Namespace": "kube-system", "Kind": "Deployment", "Name": "coredns", + "Metadata": { + "ImageID": "sha256:ead0a4a53df89fd173874b46093b6e62d8c72967bbf606d672c9e8c9b601a4fc", + "DiffIDs": [ + "sha256:6a4a177e62f374d68e6889ffa22b644db056e1d47ee4085c88408fa1d153871d", + "sha256:398c9baff0cedc8a35520742c35f0c216f9fd7f300f5f1e5e469504a93dc03bf" + ], + "RepoTags": [ + "registry.k8s.io/coredns/coredns:v1.10.1" + ], + "RepoDigests": [ + "registry.k8s.io/coredns/coredns@sha256:a0ead06651cf580044aeb0a0feba63591858fb2e43ade8c9dea45a6a89ae7e5e" + ], + "ImageConfig": { + "architecture": "amd64", + "created": "2023-02-06T18:31:00.426815885Z", + "history": [ + { + "created": "2023-02-06T18:31:00.19534776Z", + "created_by": "COPY /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2023-02-06T18:31:00.426815885Z", + "created_by": "ADD coredns /coredns # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2023-02-06T18:31:00.426815885Z", + "created_by": "EXPOSE map[53/tcp:{} 53/udp:{}]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2023-02-06T18:31:00.426815885Z", + "created_by": "ENTRYPOINT [\"/coredns\"]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + } + ], + "os": "linux", + "rootfs": { + "type": "layers", + "diff_ids": [ + "sha256:6a4a177e62f374d68e6889ffa22b644db056e1d47ee4085c88408fa1d153871d", + "sha256:398c9baff0cedc8a35520742c35f0c216f9fd7f300f5f1e5e469504a93dc03bf" + ] + }, + "config": { + "Entrypoint": [ + "/coredns" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ], + "WorkingDir": "/", + "ExposedPorts": { + "53/tcp": {}, + "53/udp": {} + } + } + } + }, "Results": [ { "Target": "coredns", 
@@ -48,9 +110,140 @@ "Namespace": "kube-system", "Kind": "Pod", "Name": "kube-apiserver-kind-control-plane", + "Metadata": { + "OS": { + "Family": "debian", + "Name": "11.7" + }, + "ImageID": "sha256:08a0c939e61b7340db53ebf07b4d0e908a35ad8d94e2cb7d0f958210e567079a", + "DiffIDs": [ + "sha256:e023e0e48e6e29e90e519f4dd356d058ff2bffbd16e28b802f3b8f93aa4ccb17", + "sha256:6fbdf253bbc2490dcfede5bdb58ca0db63ee8aff565f6ea9f918f3bce9e2d5aa", + "sha256:7bea6b893187b14fc0a759fe5f8972d1292a9c0554c87cbf485f0947c26b8a05", + "sha256:ff5700ec54186528cbae40f54c24b1a34fb7c01527beaa1232868c16e2353f52", + "sha256:d52f02c6501c9c4410568f0bf6ff30d30d8290f57794c308fe36ea78393afac2", + "sha256:e624a5370eca2b8266e74d179326e2a8767d361db14d13edd9fb57e408731784", + "sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849", + "sha256:d2d7ec0f6756eb51cf1602c6f8ac4dd811d3d052661142e0110357bf0b581457", + "sha256:4cb10dd2545bd173858450b80853b850e49608260f1a0789e0d0b39edf12f500", + "sha256:1b8d05b4878684b6d03d768101f88cab6d01c1ac91bb7001fbc314c13b8a7383", + "sha256:53452b6da21ce309163ed7b8190ad495797e30408efed45e49a50a67cb62449e" + ], + "RepoTags": [ + "registry.k8s.io/kube-apiserver:v1.27.3" + ], + "RepoDigests": [ + "registry.k8s.io/kube-apiserver@sha256:fd03335dd2e7163e5e36e933a0c735d7fec6f42b33ddafad0bc54f333e4a23c0" + ], + "ImageConfig": { + "architecture": "amd64", + "created": "2023-06-14T10:04:53.012648525Z", + "history": [ + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "2023-06-07T04:08:19.793812974Z", + "created_by": "LABEL maintainers=Kubernetes Authors", + "comment": "buildkit.dockerfile.v0", + 
"empty_layer": true + }, + { + "created": "2023-06-07T04:08:19.793812974Z", + "created_by": "LABEL description=go based runner for distroless scenarios", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2023-06-07T04:08:19.793812974Z", + "created_by": "WORKDIR /", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2023-06-07T04:08:19.793812974Z", + "created_by": "COPY /workspace/go-runner . # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2023-06-07T04:08:19.793812974Z", + "created_by": "ENTRYPOINT [\"/go-runner\"]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2023-06-14T10:04:53.012648525Z", + "created_by": "ARG BINARY", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2023-06-14T10:04:53.012648525Z", + "created_by": "COPY /kube-apiserver /usr/local/bin/kube-apiserver # buildkit", + "comment": "buildkit.dockerfile.v0" + } + ], + "os": "linux", + "rootfs": { + "type": "layers", + "diff_ids": [ + "sha256:e023e0e48e6e29e90e519f4dd356d058ff2bffbd16e28b802f3b8f93aa4ccb17", + "sha256:6fbdf253bbc2490dcfede5bdb58ca0db63ee8aff565f6ea9f918f3bce9e2d5aa", + "sha256:7bea6b893187b14fc0a759fe5f8972d1292a9c0554c87cbf485f0947c26b8a05", + "sha256:ff5700ec54186528cbae40f54c24b1a34fb7c01527beaa1232868c16e2353f52", + "sha256:d52f02c6501c9c4410568f0bf6ff30d30d8290f57794c308fe36ea78393afac2", + "sha256:e624a5370eca2b8266e74d179326e2a8767d361db14d13edd9fb57e408731784", + "sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849", + "sha256:d2d7ec0f6756eb51cf1602c6f8ac4dd811d3d052661142e0110357bf0b581457", + "sha256:4cb10dd2545bd173858450b80853b850e49608260f1a0789e0d0b39edf12f500", + "sha256:1b8d05b4878684b6d03d768101f88cab6d01c1ac91bb7001fbc314c13b8a7383", + "sha256:53452b6da21ce309163ed7b8190ad495797e30408efed45e49a50a67cb62449e" + ] + }, + "config": { + "Entrypoint": [ + "/go-runner" + ], + "Env": [ + 
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt" + ], + "Labels": { + "description": "go based runner for distroless scenarios", + "maintainers": "Kubernetes Authors" + }, + "User": "0", + "WorkingDir": "/" + } + } + }, "Results": [ { - "Target": "registry.k8s.io/kube-apiserver:v1.25.3 (debian 11.5)", + "Target": "registry.k8s.io/kube-apiserver:v1.27.3 (debian 11.7)", "Class": "os-pkgs", "Type": "debian" }, 
@@ -132,6 +325,169 @@ "Namespace": "apps", "Kind": "Deployment", "Name": "app1", + "Metadata": { + "OS": { + "Family": "debian", + "Name": "9.12", + "EOSL": true + }, + "ImageID": "sha256:bc1431aee95794187947c398fa6806bf5936736de1215fed291e078930a4c2dc", + "DiffIDs": [ + "sha256:333e2cb4c707229901f45d7f5e4e3caf5a983229da7fefb0605975ff3a1eaf6f", + "sha256:90a1d8ebd7b4107bb74cb50c6ba3dcb144ff738c7afd01a753826641458476a4", + "sha256:98b7d0c5ef14f59e0a17429a6430028b12c5ea3c6312c4bbc1d99c4a6cd62538", + "sha256:d136f6518ac73d9588ec725d5899e0c5279a0b05b5fdece684874b9c21b90bc6", + "sha256:2577840953762b3cfb5a299ead93c0764da096200eee9f0cbd3243eff9cddf09", + "sha256:d40de8d65ee499720b9d54269112b014b07089fe50d9bf2c4e3f84585c84a927", + "sha256:7f4d5ea130c3e5f7b4f0ab9e0a9664165e9b5e381a05d045f8d15081b8d853fa", + "sha256:c6a3bd834638efb20573ad1c5f2f3d722070c1d67e3c424fc03d807968d90bbc", + "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef", + "sha256:681e1481ec7c7e0054ab8f7106134d0c1eddc5e3094bb3de6c6cfb1fe881e119" + ], + "RepoTags": [ + "istio/examples-bookinfo-ratings-v1:1.17.0" + ], + "RepoDigests": [ + "istio/examples-bookinfo-ratings-v1@sha256:b6a6b88d35785c19f6dcb6acf055aa585511f2126bb0b5802f3107b7d37ead0b" + ], + "ImageConfig": { + "architecture": "amd64", + "created": "2022-09-06T15:39:06.6095144Z", + "history": [ + { + "created": "2020-06-09T01:23:35.675588078Z", + "created_by": "/bin/sh -c #(nop) ADD file:57b431451a292755d0f13673f5f3bea9f62aea36c7a1b59d34d7d200ba134fea in / " + }, + { + "created": "2020-06-09T01:23:35.907722594Z", + "created_by": "/bin/sh -c #(nop) CMD [\"bash\"]", + "empty_layer": true + }, + { + "created": "2020-06-09T16:04:25.808972997Z", + "created_by": "/bin/sh -c groupadd --gid 1000 node \u0026\u0026 useradd --uid 1000 --gid node --shell /bin/bash --create-home node" + }, + { + "created": "2020-06-18T20:31:56.038855054Z", + "created_by": "/bin/sh -c #(nop) ENV NODE_VERSION=12.18.1", + "empty_layer": true + }, + { + 
"created": "2020-06-18T20:32:15.128258973Z", + "created_by": "/bin/sh -c ARCH= \u0026\u0026 dpkgArch=\"$(dpkg --print-architecture)\" \u0026\u0026 case \"${dpkgArch##*-}\" in amd64) ARCH='x64';; ppc64el) ARCH='ppc64le';; s390x) ARCH='s390x';; arm64) ARCH='arm64';; armhf) ARCH='armv7l';; i386) ARCH='x86';; *) echo \"unsupported architecture\"; exit 1 ;; esac \u0026\u0026 set -ex \u0026\u0026 apt-get update \u0026\u0026 apt-get install -y ca-certificates curl wget gnupg dirmngr xz-utils libatomic1 --no-install-recommends \u0026\u0026 rm -rf /var/lib/apt/lists/* \u0026\u0026 for key in 94AE36675C464D64BAFA68DD7434390BDBE9B9C5 FD3A5288F042B6850C66B31F09FE44734EB7990E 71DCFD284A79C3B38668286BC97EC7A07EDE3FC1 DD8F2338BAE7501E3DD5AC78C273792F7D83545D C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 B9AE9905FFD7803F25714661B63B535A4C206CA9 77984A986EBC2AA786BC0F66B01FBB92821C587A 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 4ED778F539E3634C779C87C6D7062848A1AB005C A48C2BEE680E841632CD4E44F07496B3EB3C1762 B9E2F5981AA6E0CD28160D9FF13993A75599653C ; do gpg --batch --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys \"$key\" || gpg --batch --keyserver hkp://ipv4.pool.sks-keyservers.net --recv-keys \"$key\" || gpg --batch --keyserver hkp://pgp.mit.edu:80 --recv-keys \"$key\" ; done \u0026\u0026 curl -fsSLO --compressed \"https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz\" \u0026\u0026 curl -fsSLO --compressed \"https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc\" \u0026\u0026 gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \u0026\u0026 grep \" node-v$NODE_VERSION-linux-$ARCH.tar.xz\\$\" SHASUMS256.txt | sha256sum -c - \u0026\u0026 tar -xJf \"node-v$NODE_VERSION-linux-$ARCH.tar.xz\" -C /usr/local --strip-components=1 --no-same-owner \u0026\u0026 rm \"node-v$NODE_VERSION-linux-$ARCH.tar.xz\" SHASUMS256.txt.asc SHASUMS256.txt \u0026\u0026 apt-mark auto '.*' \u003e /dev/null \u0026\u0026 find /usr/local -type f -executable -exec ldd 
'{}' ';' | awk '/=\u003e/ { print $(NF-1) }' | sort -u | xargs -r dpkg-query --search | cut -d: -f1 | sort -u | xargs -r apt-mark manual \u0026\u0026 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \u0026\u0026 ln -s /usr/local/bin/node /usr/local/bin/nodejs \u0026\u0026 node --version \u0026\u0026 npm --version" + }, + { + "created": "2020-06-18T20:32:15.451094637Z", + "created_by": "/bin/sh -c #(nop) ENV YARN_VERSION=1.22.4", + "empty_layer": true + }, + { + "created": "2020-06-18T20:32:30.870119365Z", + "created_by": "/bin/sh -c set -ex \u0026\u0026 savedAptMark=\"$(apt-mark showmanual)\" \u0026\u0026 apt-get update \u0026\u0026 apt-get install -y ca-certificates curl wget gnupg dirmngr --no-install-recommends \u0026\u0026 rm -rf /var/lib/apt/lists/* \u0026\u0026 for key in 6A010C5166006599AA17F08146C2130DFD2497F5 ; do gpg --batch --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys \"$key\" || gpg --batch --keyserver hkp://ipv4.pool.sks-keyservers.net --recv-keys \"$key\" || gpg --batch --keyserver hkp://pgp.mit.edu:80 --recv-keys \"$key\" ; done \u0026\u0026 curl -fsSLO --compressed \"https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz\" \u0026\u0026 curl -fsSLO --compressed \"https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc\" \u0026\u0026 gpg --batch --verify yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz \u0026\u0026 mkdir -p /opt \u0026\u0026 tar -xzf yarn-v$YARN_VERSION.tar.gz -C /opt/ \u0026\u0026 ln -s /opt/yarn-v$YARN_VERSION/bin/yarn /usr/local/bin/yarn \u0026\u0026 ln -s /opt/yarn-v$YARN_VERSION/bin/yarnpkg /usr/local/bin/yarnpkg \u0026\u0026 rm yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz \u0026\u0026 apt-mark auto '.*' \u003e /dev/null \u0026\u0026 { [ -z \"$savedAptMark\" ] || apt-mark manual $savedAptMark \u003e /dev/null; } \u0026\u0026 find /usr/local -type f -executable -exec ldd '{}' ';' | awk '/=\u003e/ { print $(NF-1) }' | sort -u | 
xargs -r dpkg-query --search | cut -d: -f1 | sort -u | xargs -r apt-mark manual \u0026\u0026 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \u0026\u0026 yarn --version" + }, + { + "created": "2020-06-18T20:32:31.073261798Z", + "created_by": "/bin/sh -c #(nop) COPY file:238737301d47304174e4d24f4def935b29b3069c03c72ae8de97d94624382fce in /usr/local/bin/ " + }, + { + "created": "2020-06-18T20:32:31.232069353Z", + "created_by": "/bin/sh -c #(nop) ENTRYPOINT [\"docker-entrypoint.sh\"]", + "empty_layer": true + }, + { + "created": "2020-06-18T20:32:31.395588375Z", + "created_by": "/bin/sh -c #(nop) CMD [\"node\"]", + "empty_layer": true + }, + { + "created": "2022-09-06T15:39:04.704306208Z", + "created_by": "RUN /bin/sh -c apt-get update \u0026\u0026 apt-get install curl --no-install-recommends -y \u0026\u0026 rm -rf /var/lib/apt/lists/* # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2022-09-06T15:39:04.739145041Z", + "created_by": "ARG service_version", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2022-09-06T15:39:04.739145041Z", + "created_by": "ENV SERVICE_VERSION=v1", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2022-09-06T15:39:04.739145041Z", + "created_by": "COPY package.json /opt/microservices/ # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2022-09-06T15:39:04.768059975Z", + "created_by": "COPY ratings.js /opt/microservices/ # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2022-09-06T15:39:04.79666825Z", + "created_by": "WORKDIR /opt/microservices", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2022-09-06T15:39:06.6095144Z", + "created_by": "RUN |1 service_version=v1 /bin/sh -c npm install # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2022-09-06T15:39:06.6095144Z", + "created_by": "EXPOSE map[9080/tcp:{}]", + "comment": 
"buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2022-09-06T15:39:06.6095144Z", + "created_by": "CMD [\"node\" \"/opt/microservices/ratings.js\" \"9080\"]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + } + ], + "os": "linux", + "rootfs": { + "type": "layers", + "diff_ids": [ + "sha256:333e2cb4c707229901f45d7f5e4e3caf5a983229da7fefb0605975ff3a1eaf6f", + "sha256:90a1d8ebd7b4107bb74cb50c6ba3dcb144ff738c7afd01a753826641458476a4", + "sha256:98b7d0c5ef14f59e0a17429a6430028b12c5ea3c6312c4bbc1d99c4a6cd62538", + "sha256:d136f6518ac73d9588ec725d5899e0c5279a0b05b5fdece684874b9c21b90bc6", + "sha256:2577840953762b3cfb5a299ead93c0764da096200eee9f0cbd3243eff9cddf09", + "sha256:d40de8d65ee499720b9d54269112b014b07089fe50d9bf2c4e3f84585c84a927", + "sha256:7f4d5ea130c3e5f7b4f0ab9e0a9664165e9b5e381a05d045f8d15081b8d853fa", + "sha256:c6a3bd834638efb20573ad1c5f2f3d722070c1d67e3c424fc03d807968d90bbc", + "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef", + "sha256:681e1481ec7c7e0054ab8f7106134d0c1eddc5e3094bb3de6c6cfb1fe881e119" + ] + }, + "config": { + "Cmd": [ + "node", + "/opt/microservices/ratings.js", + "9080" + ], + "Entrypoint": [ + "docker-entrypoint.sh" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "NODE_VERSION=12.18.1", + "YARN_VERSION=1.22.4", + "SERVICE_VERSION=v1" + ], + "WorkingDir": "/opt/microservices", + "ExposedPorts": { + "9080/tcp": {} + }, + "ArgsEscaped": true + } + } + }, "Results": [ { "Target": "docker.io/istio/examples-bookinfo-ratings-v1:1.17.0 (debian 9.12)", 
@@ -259,6 +615,172 @@ "Namespace": "apps", "Kind": "Deployment", "Name": "app1", + "Metadata": { + "OS": { + "Family": "alpine", + "Name": "3.16.3" + }, + "ImageID": "sha256:5493d548b163d6bfa8d1a06a63148425857abb925cb35f294a127d88d67d0b81", + "DiffIDs": [ + "sha256:e5e13b0c77cbb769548077189c3da2f0a764ceca06af49d8d558e759f5c232bd", + "sha256:f80ab90a8af02011fc7ec3e94ee27788925af0ad2d9acb0b38fb50a1183af534", + "sha256:4a58a9711165524b9f07d087a586c3bbe3208863e5a3d25973e61878ce44ce28", + "sha256:9cdca906b6b00f8f12b274ed4ef6eaef66e0f55bf6fa0ef91ebb99d3c94a868e", + "sha256:e067457cde3692987ba197b0179551bf008afa41f61717f6a7fff96c1ee4f363", + "sha256:250f5d7c4338d844a6250be796b46c6cddb508aaac7e959bdfaf85bcc694736b", + "sha256:ce34393fe7243a48e39beea73159b7b4ee007a57463f3bf5d4deff2b05220841" + ], + "RepoTags": [ + "quay.io/kiwigrid/k8s-sidecar:1.22.0" + ], + "RepoDigests": [ + "quay.io/kiwigrid/k8s-sidecar@sha256:eaa478cdd0b8e1be7a4813bc1b01948b838e2feaa6d999e60c997dc823013824" + ], + "ImageConfig": { + "architecture": "amd64", + "created": "2023-01-17T08:32:05.175738444Z", + "history": [ + { + "created": "2022-11-12T04:19:23.05154209Z", + "created_by": "/bin/sh -c #(nop) ADD file:ceeb6e8632fafc657116cbf3afbd522185a16963230b57881073dad22eb0e1a3 in / " + }, + { + "created": "2022-11-12T04:19:23.199716539Z", + "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]", + "empty_layer": true + }, + { + "created": "2022-11-12T05:56:57.396927424Z", + "created_by": "/bin/sh -c #(nop) ENV PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "empty_layer": true + }, + { + "created": "2022-11-12T06:39:07.636263263Z", + "created_by": "/bin/sh -c #(nop) ENV LANG=C.UTF-8", + "empty_layer": true + }, + { + "created": "2022-11-12T06:39:08.897309213Z", + "created_by": "/bin/sh -c set -eux; \tapk add --no-cache \t\tca-certificates \t\ttzdata \t;" + }, + { + "created": "2022-11-12T06:57:28.607739372Z", + "created_by": "/bin/sh -c #(nop) ENV 
GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D", + "empty_layer": true + }, + { + "created": "2022-12-08T01:08:35.20421488Z", + "created_by": "/bin/sh -c #(nop) ENV PYTHON_VERSION=3.11.1", + "empty_layer": true + }, + { + "created": "2022-12-08T01:27:05.815228143Z", + "created_by": "/bin/sh -c set -eux; \t\tapk add --no-cache --virtual .build-deps \t\tgnupg \t\ttar \t\txz \t\t\t\tbluez-dev \t\tbzip2-dev \t\tdpkg-dev dpkg \t\texpat-dev \t\tfindutils \t\tgcc \t\tgdbm-dev \t\tlibc-dev \t\tlibffi-dev \t\tlibnsl-dev \t\tlibtirpc-dev \t\tlinux-headers \t\tmake \t\tncurses-dev \t\topenssl-dev \t\tpax-utils \t\treadline-dev \t\tsqlite-dev \t\ttcl-dev \t\ttk \t\ttk-dev \t\tutil-linux-dev \t\txz-dev \t\tzlib-dev \t; \t\twget -O python.tar.xz \"https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz\"; \twget -O python.tar.xz.asc \"https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc\"; \tGNUPGHOME=\"$(mktemp -d)\"; export GNUPGHOME; \tgpg --batch --keyserver hkps://keys.openpgp.org --recv-keys \"$GPG_KEY\"; \tgpg --batch --verify python.tar.xz.asc python.tar.xz; \tcommand -v gpgconf \u003e /dev/null \u0026\u0026 gpgconf --kill all || :; \trm -rf \"$GNUPGHOME\" python.tar.xz.asc; \tmkdir -p /usr/src/python; \ttar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; \trm python.tar.xz; \t\tcd /usr/src/python; \tgnuArch=\"$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)\"; \t./configure \t\t--build=\"$gnuArch\" \t\t--enable-loadable-sqlite-extensions \t\t--enable-optimizations \t\t--enable-option-checking=fatal \t\t--enable-shared \t\t--with-lto \t\t--with-system-expat \t\t--without-ensurepip \t; \tnproc=\"$(nproc)\"; \tmake -j \"$nproc\" \t\tEXTRA_CFLAGS=\"-DTHREAD_STACK_SIZE=0x100000\" \t\tLDFLAGS=\"-Wl,--strip-all\" \t; \tmake install; \t\tcd /; \trm -rf /usr/src/python; \t\tfind /usr/local -depth \t\t\\( \t\t\t\\( -type d -a \\( -name test -o -name tests -o -name 
idle_test \\) \\) \t\t\t-o \\( -type f -a \\( -name '*.pyc' -o -name '*.pyo' -o -name 'libpython*.a' \\) \\) \t\t\\) -exec rm -rf '{}' + \t; \t\tfind /usr/local -type f -executable -not \\( -name '*tkinter*' \\) -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' \t\t| tr ',' '\\n' \t\t| sort -u \t\t| awk 'system(\"[ -e /usr/local/lib/\" $1 \" ]\") == 0 { next } { print \"so:\" $1 }' \t\t| xargs -rt apk add --no-network --virtual .python-rundeps \t; \tapk del --no-network .build-deps; \t\tpython3 --version" + }, + { + "created": "2022-12-08T01:27:06.532823707Z", + "created_by": "/bin/sh -c set -eux; \tfor src in idle3 pydoc3 python3 python3-config; do \t\tdst=\"$(echo \"$src\" | tr -d 3)\"; \t\t[ -s \"/usr/local/bin/$src\" ]; \t\t[ ! -e \"/usr/local/bin/$dst\" ]; \t\tln -svT \"$src\" \"/usr/local/bin/$dst\"; \tdone" + }, + { + "created": "2022-12-08T01:27:06.644083913Z", + "created_by": "/bin/sh -c #(nop) ENV PYTHON_PIP_VERSION=22.3.1", + "empty_layer": true + }, + { + "created": "2023-01-06T18:42:31.916649178Z", + "created_by": "/bin/sh -c #(nop) ENV PYTHON_SETUPTOOLS_VERSION=65.5.1", + "empty_layer": true + }, + { + "created": "2023-01-06T18:42:32.019128924Z", + "created_by": "/bin/sh -c #(nop) ENV PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/66030fa03382b4914d4c4d0896961a0bdeeeb274/public/get-pip.py", + "empty_layer": true + }, + { + "created": "2023-01-06T18:42:32.125306121Z", + "created_by": "/bin/sh -c #(nop) ENV PYTHON_GET_PIP_SHA256=1e501cf004eac1b7eb1f97266d28f995ae835d30250bec7f8850562703067dc6", + "empty_layer": true + }, + { + "created": "2023-01-06T18:42:38.555958395Z", + "created_by": "/bin/sh -c set -eux; \t\twget -O get-pip.py \"$PYTHON_GET_PIP_URL\"; \techo \"$PYTHON_GET_PIP_SHA256 *get-pip.py\" | sha256sum -c -; \t\texport PYTHONDONTWRITEBYTECODE=1; \t\tpython get-pip.py \t\t--disable-pip-version-check \t\t--no-cache-dir \t\t--no-compile \t\t\"pip==$PYTHON_PIP_VERSION\" \t\t\"setuptools==$PYTHON_SETUPTOOLS_VERSION\" \t; \trm -f 
get-pip.py; \t\tpip --version" + }, + { + "created": "2023-01-06T18:42:38.710203313Z", + "created_by": "/bin/sh -c #(nop) CMD [\"python3\"]", + "empty_layer": true + }, + { + "created": "2023-01-17T08:31:18.688094602Z", + "created_by": "ENV PYTHONUNBUFFERED=1", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2023-01-17T08:31:18.688094602Z", + "created_by": "WORKDIR /app", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2023-01-17T08:32:05.175738444Z", + "created_by": "COPY /app /app # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2023-01-17T08:32:05.175738444Z", + "created_by": "ENV PATH=/app/.venv/bin:/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2023-01-17T08:32:05.175738444Z", + "created_by": "USER 65534:65534", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2023-01-17T08:32:05.175738444Z", + "created_by": "CMD [\"python\" \"-u\" \"/app/sidecar.py\"]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + } + ], + "os": "linux", + "rootfs": { + "type": "layers", + "diff_ids": [ + "sha256:e5e13b0c77cbb769548077189c3da2f0a764ceca06af49d8d558e759f5c232bd", + "sha256:f80ab90a8af02011fc7ec3e94ee27788925af0ad2d9acb0b38fb50a1183af534", + "sha256:4a58a9711165524b9f07d087a586c3bbe3208863e5a3d25973e61878ce44ce28", + "sha256:9cdca906b6b00f8f12b274ed4ef6eaef66e0f55bf6fa0ef91ebb99d3c94a868e", + "sha256:e067457cde3692987ba197b0179551bf008afa41f61717f6a7fff96c1ee4f363", + "sha256:250f5d7c4338d844a6250be796b46c6cddb508aaac7e959bdfaf85bcc694736b", + "sha256:ce34393fe7243a48e39beea73159b7b4ee007a57463f3bf5d4deff2b05220841" + ] + }, + "config": { + "Cmd": [ + "python", + "-u", + "/app/sidecar.py" + ], + "Env": [ + "PATH=/app/.venv/bin:/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "LANG=C.UTF-8", + 
"GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D", + "PYTHON_VERSION=3.11.1", + "PYTHON_PIP_VERSION=22.3.1", + "PYTHON_SETUPTOOLS_VERSION=65.5.1", + "PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/66030fa03382b4914d4c4d0896961a0bdeeeb274/public/get-pip.py", + "PYTHON_GET_PIP_SHA256=1e501cf004eac1b7eb1f97266d28f995ae835d30250bec7f8850562703067dc6", + "PYTHONUNBUFFERED=1" + ], + "User": "65534:65534", + "WorkingDir": "/app", + "ArgsEscaped": true + } + } + }, "Results": [ { "Target": "quay.io/kiwigrid/k8s-sidecar:1.22.0 (alpine 3.16.3)", 
@@ -518,6 +1040,172 @@ "Namespace": "apps", "Kind": "Deployment", "Name": "app2", + "Metadata": { + "OS": { + "Family": "alpine", + "Name": "3.16.3" + }, + "ImageID": "sha256:5493d548b163d6bfa8d1a06a63148425857abb925cb35f294a127d88d67d0b81", + "DiffIDs": [ + "sha256:e5e13b0c77cbb769548077189c3da2f0a764ceca06af49d8d558e759f5c232bd", + "sha256:f80ab90a8af02011fc7ec3e94ee27788925af0ad2d9acb0b38fb50a1183af534", + "sha256:4a58a9711165524b9f07d087a586c3bbe3208863e5a3d25973e61878ce44ce28", + "sha256:9cdca906b6b00f8f12b274ed4ef6eaef66e0f55bf6fa0ef91ebb99d3c94a868e", + "sha256:e067457cde3692987ba197b0179551bf008afa41f61717f6a7fff96c1ee4f363", + "sha256:250f5d7c4338d844a6250be796b46c6cddb508aaac7e959bdfaf85bcc694736b", + "sha256:ce34393fe7243a48e39beea73159b7b4ee007a57463f3bf5d4deff2b05220841" + ], + "RepoTags": [ + "quay.io/kiwigrid/k8s-sidecar:1.22.0" + ], + "RepoDigests": [ + "quay.io/kiwigrid/k8s-sidecar@sha256:eaa478cdd0b8e1be7a4813bc1b01948b838e2feaa6d999e60c997dc823013824" + ], + "ImageConfig": { + "architecture": "amd64", + "created": "2023-01-17T08:32:05.175738444Z", + "history": [ + { + "created": "2022-11-12T04:19:23.05154209Z", + "created_by": "/bin/sh -c #(nop) ADD file:ceeb6e8632fafc657116cbf3afbd522185a16963230b57881073dad22eb0e1a3 in / " + }, + { + "created": "2022-11-12T04:19:23.199716539Z", + "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]", + "empty_layer": true + }, + { + "created": "2022-11-12T05:56:57.396927424Z", + "created_by": "/bin/sh -c #(nop) ENV PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "empty_layer": true + }, + { + "created": "2022-11-12T06:39:07.636263263Z", + "created_by": "/bin/sh -c #(nop) ENV LANG=C.UTF-8", + "empty_layer": true + }, + { + "created": "2022-11-12T06:39:08.897309213Z", + "created_by": "/bin/sh -c set -eux; \tapk add --no-cache \t\tca-certificates \t\ttzdata \t;" + }, + { + "created": "2022-11-12T06:57:28.607739372Z", + "created_by": "/bin/sh -c #(nop) ENV 
GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D", + "empty_layer": true + }, + { + "created": "2022-12-08T01:08:35.20421488Z", + "created_by": "/bin/sh -c #(nop) ENV PYTHON_VERSION=3.11.1", + "empty_layer": true + }, + { + "created": "2022-12-08T01:27:05.815228143Z", + "created_by": "/bin/sh -c set -eux; \t\tapk add --no-cache --virtual .build-deps \t\tgnupg \t\ttar \t\txz \t\t\t\tbluez-dev \t\tbzip2-dev \t\tdpkg-dev dpkg \t\texpat-dev \t\tfindutils \t\tgcc \t\tgdbm-dev \t\tlibc-dev \t\tlibffi-dev \t\tlibnsl-dev \t\tlibtirpc-dev \t\tlinux-headers \t\tmake \t\tncurses-dev \t\topenssl-dev \t\tpax-utils \t\treadline-dev \t\tsqlite-dev \t\ttcl-dev \t\ttk \t\ttk-dev \t\tutil-linux-dev \t\txz-dev \t\tzlib-dev \t; \t\twget -O python.tar.xz \"https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz\"; \twget -O python.tar.xz.asc \"https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc\"; \tGNUPGHOME=\"$(mktemp -d)\"; export GNUPGHOME; \tgpg --batch --keyserver hkps://keys.openpgp.org --recv-keys \"$GPG_KEY\"; \tgpg --batch --verify python.tar.xz.asc python.tar.xz; \tcommand -v gpgconf \u003e /dev/null \u0026\u0026 gpgconf --kill all || :; \trm -rf \"$GNUPGHOME\" python.tar.xz.asc; \tmkdir -p /usr/src/python; \ttar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; \trm python.tar.xz; \t\tcd /usr/src/python; \tgnuArch=\"$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)\"; \t./configure \t\t--build=\"$gnuArch\" \t\t--enable-loadable-sqlite-extensions \t\t--enable-optimizations \t\t--enable-option-checking=fatal \t\t--enable-shared \t\t--with-lto \t\t--with-system-expat \t\t--without-ensurepip \t; \tnproc=\"$(nproc)\"; \tmake -j \"$nproc\" \t\tEXTRA_CFLAGS=\"-DTHREAD_STACK_SIZE=0x100000\" \t\tLDFLAGS=\"-Wl,--strip-all\" \t; \tmake install; \t\tcd /; \trm -rf /usr/src/python; \t\tfind /usr/local -depth \t\t\\( \t\t\t\\( -type d -a \\( -name test -o -name tests -o -name 
idle_test \\) \\) \t\t\t-o \\( -type f -a \\( -name '*.pyc' -o -name '*.pyo' -o -name 'libpython*.a' \\) \\) \t\t\\) -exec rm -rf '{}' + \t; \t\tfind /usr/local -type f -executable -not \\( -name '*tkinter*' \\) -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' \t\t| tr ',' '\\n' \t\t| sort -u \t\t| awk 'system(\"[ -e /usr/local/lib/\" $1 \" ]\") == 0 { next } { print \"so:\" $1 }' \t\t| xargs -rt apk add --no-network --virtual .python-rundeps \t; \tapk del --no-network .build-deps; \t\tpython3 --version" + }, + { + "created": "2022-12-08T01:27:06.532823707Z", + "created_by": "/bin/sh -c set -eux; \tfor src in idle3 pydoc3 python3 python3-config; do \t\tdst=\"$(echo \"$src\" | tr -d 3)\"; \t\t[ -s \"/usr/local/bin/$src\" ]; \t\t[ ! -e \"/usr/local/bin/$dst\" ]; \t\tln -svT \"$src\" \"/usr/local/bin/$dst\"; \tdone" + }, + { + "created": "2022-12-08T01:27:06.644083913Z", + "created_by": "/bin/sh -c #(nop) ENV PYTHON_PIP_VERSION=22.3.1", + "empty_layer": true + }, + { + "created": "2023-01-06T18:42:31.916649178Z", + "created_by": "/bin/sh -c #(nop) ENV PYTHON_SETUPTOOLS_VERSION=65.5.1", + "empty_layer": true + }, + { + "created": "2023-01-06T18:42:32.019128924Z", + "created_by": "/bin/sh -c #(nop) ENV PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/66030fa03382b4914d4c4d0896961a0bdeeeb274/public/get-pip.py", + "empty_layer": true + }, + { + "created": "2023-01-06T18:42:32.125306121Z", + "created_by": "/bin/sh -c #(nop) ENV PYTHON_GET_PIP_SHA256=1e501cf004eac1b7eb1f97266d28f995ae835d30250bec7f8850562703067dc6", + "empty_layer": true + }, + { + "created": "2023-01-06T18:42:38.555958395Z", + "created_by": "/bin/sh -c set -eux; \t\twget -O get-pip.py \"$PYTHON_GET_PIP_URL\"; \techo \"$PYTHON_GET_PIP_SHA256 *get-pip.py\" | sha256sum -c -; \t\texport PYTHONDONTWRITEBYTECODE=1; \t\tpython get-pip.py \t\t--disable-pip-version-check \t\t--no-cache-dir \t\t--no-compile \t\t\"pip==$PYTHON_PIP_VERSION\" \t\t\"setuptools==$PYTHON_SETUPTOOLS_VERSION\" \t; \trm -f 
get-pip.py; \t\tpip --version" + }, + { + "created": "2023-01-06T18:42:38.710203313Z", + "created_by": "/bin/sh -c #(nop) CMD [\"python3\"]", + "empty_layer": true + }, + { + "created": "2023-01-17T08:31:18.688094602Z", + "created_by": "ENV PYTHONUNBUFFERED=1", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2023-01-17T08:31:18.688094602Z", + "created_by": "WORKDIR /app", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2023-01-17T08:32:05.175738444Z", + "created_by": "COPY /app /app # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2023-01-17T08:32:05.175738444Z", + "created_by": "ENV PATH=/app/.venv/bin:/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2023-01-17T08:32:05.175738444Z", + "created_by": "USER 65534:65534", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2023-01-17T08:32:05.175738444Z", + "created_by": "CMD [\"python\" \"-u\" \"/app/sidecar.py\"]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + } + ], + "os": "linux", + "rootfs": { + "type": "layers", + "diff_ids": [ + "sha256:e5e13b0c77cbb769548077189c3da2f0a764ceca06af49d8d558e759f5c232bd", + "sha256:f80ab90a8af02011fc7ec3e94ee27788925af0ad2d9acb0b38fb50a1183af534", + "sha256:4a58a9711165524b9f07d087a586c3bbe3208863e5a3d25973e61878ce44ce28", + "sha256:9cdca906b6b00f8f12b274ed4ef6eaef66e0f55bf6fa0ef91ebb99d3c94a868e", + "sha256:e067457cde3692987ba197b0179551bf008afa41f61717f6a7fff96c1ee4f363", + "sha256:250f5d7c4338d844a6250be796b46c6cddb508aaac7e959bdfaf85bcc694736b", + "sha256:ce34393fe7243a48e39beea73159b7b4ee007a57463f3bf5d4deff2b05220841" + ] + }, + "config": { + "Cmd": [ + "python", + "-u", + "/app/sidecar.py" + ], + "Env": [ + "PATH=/app/.venv/bin:/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "LANG=C.UTF-8", + 
"GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D", + "PYTHON_VERSION=3.11.1", + "PYTHON_PIP_VERSION=22.3.1", + "PYTHON_SETUPTOOLS_VERSION=65.5.1", + "PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/66030fa03382b4914d4c4d0896961a0bdeeeb274/public/get-pip.py", + "PYTHON_GET_PIP_SHA256=1e501cf004eac1b7eb1f97266d28f995ae835d30250bec7f8850562703067dc6", + "PYTHONUNBUFFERED=1" + ], + "User": "65534:65534", + "WorkingDir": "/app", + "ArgsEscaped": true + } + } + }, "Results": [ { "Target": "quay.io/kiwigrid/k8s-sidecar:1.22.0 (alpine 3.16.3)", 
@@ -769,6 +1457,182 @@ "Namespace": "apps", "Kind": "Deployment", "Name": "app2", + "Metadata": { + "OS": { + "Family": "debian", + "Name": "10.5" + }, + "ImageID": "sha256:b6e2475a1d4b23324913d03cdb9dcdcd87367b654bb39fa7e4e8692faed72d86", + "DiffIDs": [ + "sha256:07cab433985205f29909739f511777a810f4a9aff486355b71308bb654cdc868", + "sha256:d85310698a88f6963dfb9b4e978d719489e46aa56779ae209ce1a497ecdaefea", + "sha256:15364b93b273198a177bf57f6e9a9dfdef58907fbb53ddbc871450aa528a0a3d", + "sha256:3ef556e0d9e2bd857ebdd209ef980f7b78c351f3180ad4359ff98bf1909a6046", + "sha256:c709bce24c1e9e63c7188663862ed5863d155d39763fb0411db522785c818a3c", + "sha256:603b36a7ede76de95e98760fcc2c65b3664796ce49ce1f5db69befab1786e041", + "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef" + ], + "RepoTags": [ + "istio/examples-bookinfo-details-v1:1.17.0" + ], + "RepoDigests": [ + "istio/examples-bookinfo-details-v1@sha256:2b081e3c86dd8105040ea1f2adcc94cb473f41249dc9c91ebc1c2885ddd56c13" + ], + "ImageConfig": { + "architecture": "amd64", + "created": "2022-09-06T15:37:44.298449203Z", + "history": [ + { + "created": "2020-09-10T00:23:29.698339558Z", + "created_by": "/bin/sh -c #(nop) ADD file:e7407f2294ad23634565820b9669b18ff2a2ca0212a7ec84b9c89d8550859954 in / " + }, + { + "created": "2020-09-10T00:23:30.055763036Z", + "created_by": "/bin/sh -c #(nop) CMD [\"bash\"]", + "empty_layer": true + }, + { + "created": "2020-09-10T19:47:42.374173351Z", + "created_by": "/bin/sh -c set -eux; \tapt-get update; \tapt-get install -y --no-install-recommends \t\tbzip2 \t\tca-certificates \t\tlibffi-dev \t\tlibgmp-dev \t\tlibssl-dev \t\tlibyaml-dev \t\tprocps \t\tzlib1g-dev \t; \trm -rf /var/lib/apt/lists/*" + }, + { + "created": "2020-09-10T19:47:43.328803438Z", + "created_by": "/bin/sh -c set -eux; \tmkdir -p /usr/local/etc; \t{ \t\techo 'install: --no-document'; \t\techo 'update: --no-document'; \t} \u003e\u003e /usr/local/etc/gemrc" + }, + { + "created": 
"2020-09-10T19:47:43.553098481Z", + "created_by": "/bin/sh -c #(nop) ENV LANG=C.UTF-8", + "empty_layer": true + }, + { + "created": "2020-09-10T19:47:43.757867771Z", + "created_by": "/bin/sh -c #(nop) ENV RUBY_MAJOR=2.7", + "empty_layer": true + }, + { + "created": "2020-09-10T19:47:43.968550367Z", + "created_by": "/bin/sh -c #(nop) ENV RUBY_VERSION=2.7.1", + "empty_layer": true + }, + { + "created": "2020-09-10T19:47:44.259766336Z", + "created_by": "/bin/sh -c #(nop) ENV RUBY_DOWNLOAD_SHA256=b224f9844646cc92765df8288a46838511c1cec5b550d8874bd4686a904fcee7", + "empty_layer": true + }, + { + "created": "2020-09-10T19:51:48.539526923Z", + "created_by": "/bin/sh -c set -eux; \t\tsavedAptMark=\"$(apt-mark showmanual)\"; \tapt-get update; \tapt-get install -y --no-install-recommends \t\tautoconf \t\tbison \t\tdpkg-dev \t\tgcc \t\tlibbz2-dev \t\tlibgdbm-compat-dev \t\tlibgdbm-dev \t\tlibglib2.0-dev \t\tlibncurses-dev \t\tlibreadline-dev \t\tlibxml2-dev \t\tlibxslt-dev \t\tmake \t\truby \t\twget \t\txz-utils \t; \trm -rf /var/lib/apt/lists/*; \t\twget -O ruby.tar.xz \"https://cache.ruby-lang.org/pub/ruby/${RUBY_MAJOR%-rc}/ruby-$RUBY_VERSION.tar.xz\"; \techo \"$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz\" | sha256sum --check --strict; \t\tmkdir -p /usr/src/ruby; \ttar -xJf ruby.tar.xz -C /usr/src/ruby --strip-components=1; \trm ruby.tar.xz; \t\tcd /usr/src/ruby; \t\t{ \t\techo '#define ENABLE_PATH_CHECK 0'; \t\techo; \t\tcat file.c; \t} \u003e file.c.new; \tmv file.c.new file.c; \t\tautoconf; \tgnuArch=\"$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)\"; \t./configure \t\t--build=\"$gnuArch\" \t\t--disable-install-doc \t\t--enable-shared \t; \tmake -j \"$(nproc)\"; \tmake install; \t\tapt-mark auto '.*' \u003e /dev/null; \tapt-mark manual $savedAptMark \u003e /dev/null; \tfind /usr/local -type f -executable -not \\( -name '*tkinter*' \\) -exec ldd '{}' ';' \t\t| awk '/=\u003e/ { print $(NF-1) }' \t\t| sort -u \t\t| xargs -r dpkg-query --search \t\t| cut -d: -f1 \t\t| sort -u \t\t| 
xargs -r apt-mark manual \t; \tapt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \t\tcd /; \trm -r /usr/src/ruby; \t! dpkg -l | grep -i ruby; \t[ \"$(command -v ruby)\" = '/usr/local/bin/ruby' ]; \truby --version; \tgem --version; \tbundle --version" + }, + { + "created": "2020-09-10T19:51:48.827166009Z", + "created_by": "/bin/sh -c #(nop) ENV GEM_HOME=/usr/local/bundle", + "empty_layer": true + }, + { + "created": "2020-09-10T19:51:49.026841584Z", + "created_by": "/bin/sh -c #(nop) ENV BUNDLE_SILENCE_ROOT_WARNING=1 BUNDLE_APP_CONFIG=/usr/local/bundle", + "empty_layer": true + }, + { + "created": "2020-09-10T19:51:49.239784956Z", + "created_by": "/bin/sh -c #(nop) ENV PATH=/usr/local/bundle/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "empty_layer": true + }, + { + "created": "2020-09-10T19:51:50.026322119Z", + "created_by": "/bin/sh -c mkdir -p \"$GEM_HOME\" \u0026\u0026 chmod 777 \"$GEM_HOME\"" + }, + { + "created": "2020-09-10T19:51:50.238628193Z", + "created_by": "/bin/sh -c #(nop) CMD [\"irb\"]", + "empty_layer": true + }, + { + "created": "2022-09-06T15:37:44.270259728Z", + "created_by": "COPY details.rb /opt/microservices/ # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2022-09-06T15:37:44.298449203Z", + "created_by": "ARG service_version", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2022-09-06T15:37:44.298449203Z", + "created_by": "ENV SERVICE_VERSION=v1", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2022-09-06T15:37:44.298449203Z", + "created_by": "ARG enable_external_book_service", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2022-09-06T15:37:44.298449203Z", + "created_by": "ENV ENABLE_EXTERNAL_BOOK_SERVICE=false", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2022-09-06T15:37:44.298449203Z", + "created_by": "EXPOSE 
map[9080/tcp:{}]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2022-09-06T15:37:44.298449203Z", + "created_by": "WORKDIR /opt/microservices", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2022-09-06T15:37:44.298449203Z", + "created_by": "CMD [\"ruby\" \"details.rb\" \"9080\"]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + } + ], + "os": "linux", + "rootfs": { + "type": "layers", + "diff_ids": [ + "sha256:07cab433985205f29909739f511777a810f4a9aff486355b71308bb654cdc868", + "sha256:d85310698a88f6963dfb9b4e978d719489e46aa56779ae209ce1a497ecdaefea", + "sha256:15364b93b273198a177bf57f6e9a9dfdef58907fbb53ddbc871450aa528a0a3d", + "sha256:3ef556e0d9e2bd857ebdd209ef980f7b78c351f3180ad4359ff98bf1909a6046", + "sha256:c709bce24c1e9e63c7188663862ed5863d155d39763fb0411db522785c818a3c", + "sha256:603b36a7ede76de95e98760fcc2c65b3664796ce49ce1f5db69befab1786e041", + "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef" + ] + }, + "config": { + "Cmd": [ + "ruby", + "details.rb", + "9080" + ], + "Env": [ + "PATH=/usr/local/bundle/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "LANG=C.UTF-8", + "RUBY_MAJOR=2.7", + "RUBY_VERSION=2.7.1", + "RUBY_DOWNLOAD_SHA256=b224f9844646cc92765df8288a46838511c1cec5b550d8874bd4686a904fcee7", + "GEM_HOME=/usr/local/bundle", + "BUNDLE_SILENCE_ROOT_WARNING=1", + "BUNDLE_APP_CONFIG=/usr/local/bundle", + "SERVICE_VERSION=v1", + "ENABLE_EXTERNAL_BOOK_SERVICE=false" + ], + "WorkingDir": "/opt/microservices", + "ExposedPorts": { + "9080/tcp": {} + }, + "ArgsEscaped": true + } + } + }, "Results": [ { "Target": "docker.io/istio/examples-bookinfo-details-v1:1.17.0 (debian 10.5)", 
@@ -916,6 +1780,137 @@ "Namespace": "default", "Kind": "Deployment", "Name": "nginx", + "Metadata": { + "OS": { + "Family": "debian", + "Name": "11.7" + }, + "ImageID": "sha256:f9c14fe76d502861ba0939bc3189e642c02e257f06f4c0214b1f8ca329326cda", + "DiffIDs": [ + "sha256:8cbe4b54fa88d8fc0198ea0cc3a5432aea41573e6a0ee26eca8c79f9fbfa40e3", + "sha256:4b8862fe7056d8a3c2c0910eb38ebb8fc08785eaa1f9f53b2043bf7ca8adbafb", + "sha256:e60266289ce4a890aaf52b93228090998e28220aef04f128704141864992dd15", + "sha256:7daac92f43be84ad9675f94875c1a00357b975d6c58b11d17104e0a0e04da370", + "sha256:5e099cf3f3c83c449b8c062f944ac025c9bf2dd7ec255837c53430021f5a1517", + "sha256:4fd83434130318dede62defafcc5853d03dae8636eccfa1b9dcd385d92e3ff19" + ], + "RepoTags": [ + "nginx:1.25.0" + ], + "RepoDigests": [ + "nginx@sha256:af296b188c7b7df99ba960ca614439c99cb7cf252ed7bbc23e90cfda59092305" + ], + "ImageConfig": { + "architecture": "amd64", + "container": "23b0fce2f40be83daa129eacbf79b8a57c6524a7898bf3aba06e10c15b433d0d", + "created": "2023-05-24T22:43:48.18207587Z", + "docker_version": "20.10.23", + "history": [ + { + "created": "2023-05-23T01:20:14Z", + "created_by": "/bin/sh -c #(nop) ADD file:88252a7f118b4d6f55dd5baf49dbcaa053c9d6172c652963c1151fa76f625e44 in / " + }, + { + "created": "2023-05-23T01:20:14Z", + "created_by": "/bin/sh -c #(nop) CMD [\"bash\"]", + "empty_layer": true + }, + { + "created": "2023-05-23T08:51:20Z", + "created_by": "/bin/sh -c #(nop) LABEL maintainer=NGINX Docker Maintainers \u003cdocker-maint@nginx.com\u003e", + "empty_layer": true + }, + { + "created": "2023-05-24T22:43:27Z", + "created_by": "/bin/sh -c #(nop) ENV NGINX_VERSION=1.25.0", + "empty_layer": true + }, + { + "created": "2023-05-24T22:43:27Z", + "created_by": "/bin/sh -c #(nop) ENV NJS_VERSION=0.7.12", + "empty_layer": true + }, + { + "created": "2023-05-24T22:43:27Z", + "created_by": "/bin/sh -c #(nop) ENV PKG_RELEASE=1~bullseye", + "empty_layer": true + }, + { + "created": "2023-05-24T22:43:47Z", + 
"created_by": "/bin/sh -c set -x \u0026\u0026 addgroup --system --gid 101 nginx \u0026\u0026 adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos \"nginx user\" --shell /bin/false --uid 101 nginx \u0026\u0026 apt-get update \u0026\u0026 apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \u0026\u0026 NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; export GNUPGHOME=\"$(mktemp -d)\"; found=''; for server in hkp://keyserver.ubuntu.com:80 pgp.mit.edu ; do echo \"Fetching GPG key $NGINX_GPGKEY from $server\"; gpg1 --keyserver \"$server\" --keyserver-options timeout=10 --recv-keys \"$NGINX_GPGKEY\" \u0026\u0026 found=yes \u0026\u0026 break; done; test -z \"$found\" \u0026\u0026 echo \u003e\u00262 \"error: failed to fetch GPG key $NGINX_GPGKEY\" \u0026\u0026 exit 1; gpg1 --export \"$NGINX_GPGKEY\" \u003e \"$NGINX_GPGKEY_PATH\" ; rm -rf \"$GNUPGHOME\"; apt-get remove --purge --auto-remove -y gnupg1 \u0026\u0026 rm -rf /var/lib/apt/lists/* \u0026\u0026 dpkgArch=\"$(dpkg --print-architecture)\" \u0026\u0026 nginxPackages=\" nginx=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${PKG_RELEASE} \" \u0026\u0026 case \"$dpkgArch\" in amd64|arm64) echo \"deb [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/mainline/debian/ bullseye nginx\" \u003e\u003e /etc/apt/sources.list.d/nginx.list \u0026\u0026 apt-get update ;; *) echo \"deb-src [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/mainline/debian/ bullseye nginx\" \u003e\u003e /etc/apt/sources.list.d/nginx.list \u0026\u0026 tempDir=\"$(mktemp -d)\" \u0026\u0026 chmod 777 \"$tempDir\" \u0026\u0026 savedAptMark=\"$(apt-mark showmanual)\" \u0026\u0026 apt-get update \u0026\u0026 
apt-get build-dep -y $nginxPackages \u0026\u0026 ( cd \"$tempDir\" \u0026\u0026 DEB_BUILD_OPTIONS=\"nocheck parallel=$(nproc)\" apt-get source --compile $nginxPackages ) \u0026\u0026 apt-mark showmanual | xargs apt-mark auto \u003e /dev/null \u0026\u0026 { [ -z \"$savedAptMark\" ] || apt-mark manual $savedAptMark; } \u0026\u0026 ls -lAFh \"$tempDir\" \u0026\u0026 ( cd \"$tempDir\" \u0026\u0026 dpkg-scanpackages . \u003e Packages ) \u0026\u0026 grep '^Package: ' \"$tempDir/Packages\" \u0026\u0026 echo \"deb [ trusted=yes ] file://$tempDir ./\" \u003e /etc/apt/sources.list.d/temp.list \u0026\u0026 apt-get -o Acquire::GzipIndexes=false update ;; esac \u0026\u0026 apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages gettext-base curl \u0026\u0026 apt-get remove --purge --auto-remove -y \u0026\u0026 rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list \u0026\u0026 if [ -n \"$tempDir\" ]; then apt-get purge -y --auto-remove \u0026\u0026 rm -rf \"$tempDir\" /etc/apt/sources.list.d/temp.list; fi \u0026\u0026 ln -sf /dev/stdout /var/log/nginx/access.log \u0026\u0026 ln -sf /dev/stderr /var/log/nginx/error.log \u0026\u0026 mkdir /docker-entrypoint.d" + }, + { + "created": "2023-05-24T22:43:47Z", + "created_by": "/bin/sh -c #(nop) COPY file:7b307b62e82255f040c9812421a30090bf9abf3685f27b02d77fcca99f997911 in / " + }, + { + "created": "2023-05-24T22:43:47Z", + "created_by": "/bin/sh -c #(nop) COPY file:5c18272734349488bd0c94ec8d382c872c1a0a435cca13bd4671353d6021d2cb in /docker-entrypoint.d " + }, + { + "created": "2023-05-24T22:43:47Z", + "created_by": "/bin/sh -c #(nop) COPY file:36429cfeeb299f9913b84ea136b004be12fbe4bb4f975a977a3608044e8bfa91 in /docker-entrypoint.d " + }, + { + "created": "2023-05-24T22:43:47Z", + "created_by": "/bin/sh -c #(nop) COPY file:e57eef017a414ca793499729d80a7b9075790c9a804f930f1417e56d506970cf in /docker-entrypoint.d " + }, + { + "created": "2023-05-24T22:43:47Z", + "created_by": "/bin/sh -c #(nop) ENTRYPOINT 
[\"/docker-entrypoint.sh\"]",
+ "empty_layer": true
+ },
+ {
+ "created": "2023-05-24T22:43:48Z",
+ "created_by": "/bin/sh -c #(nop) EXPOSE 80",
+ "empty_layer": true
+ },
+ {
+ "created": "2023-05-24T22:43:48Z",
+ "created_by": "/bin/sh -c #(nop) STOPSIGNAL SIGQUIT",
+ "empty_layer": true
+ },
+ {
+ "created": "2023-05-24T22:43:48Z",
+ "created_by": "/bin/sh -c #(nop) CMD [\"nginx\" \"-g\" \"daemon off;\"]",
+ "empty_layer": true
+ }
+ ],
+ "os": "linux",
+ "rootfs": {
+ "type": "layers",
+ "diff_ids": [
+ "sha256:8cbe4b54fa88d8fc0198ea0cc3a5432aea41573e6a0ee26eca8c79f9fbfa40e3",
+ "sha256:4b8862fe7056d8a3c2c0910eb38ebb8fc08785eaa1f9f53b2043bf7ca8adbafb",
+ "sha256:e60266289ce4a890aaf52b93228090998e28220aef04f128704141864992dd15",
+ "sha256:7daac92f43be84ad9675f94875c1a00357b975d6c58b11d17104e0a0e04da370",
+ "sha256:5e099cf3f3c83c449b8c062f944ac025c9bf2dd7ec255837c53430021f5a1517",
+ "sha256:4fd83434130318dede62defafcc5853d03dae8636eccfa1b9dcd385d92e3ff19"
+ ]
+ },
+ "config": {
+ "Cmd": [
+ "nginx",
+ "-g",
+ "daemon off;"
+ ],
+ "Entrypoint": [
+ "/docker-entrypoint.sh"
+ ],
+ "Env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "NGINX_VERSION=1.25.0",
+ "NJS_VERSION=0.7.12",
+ "PKG_RELEASE=1~bullseye"
+ ],
+ "Image": "sha256:a14a5803cbf095a0268663fe3235681c2f7fd5d0b59c242d99e7b1ebb59284f3",
+ "Labels": {
+ "maintainer": "NGINX Docker Maintainers \u003cdocker-maint@nginx.com\u003e"
+ },
+ "StopSignal": "SIGQUIT"
+ }
+ }
+ },
 "Results": [
 {
 "Target": "nginx@sha256:af296b188c7b7df99ba960ca614439c99cb7cf252ed7bbc23e90cfda59092305 (debian 11.7)",
diff --git a/pkg/worker/vuln.go b/pkg/worker/vuln.go
index 6d11fe64..0e94d01f 100644
--- a/pkg/worker/vuln.go
+++ b/pkg/worker/vuln.go
@@ -16,7 +16,6 @@ package worker
 import (
 "context"
- "errors"
 "fmt"
 "io"
 "regexp"
@@ -60,7 +59,7 @@ func handleVulnerability(ctx context.Context, cfg *config, results io.Reader, cl
 func parseVulnResults(ctx context.Context, cfg *config, results io.Reader) ([]v1alpha1.VulnerabilityReport, error) {
 parseFunc, ok := vulnPlugins[cfg.PluginName]
 if !ok {
- return nil, errors.New(fmt.Sprintf("invalid plugin %q", cfg.PluginName))
+ return nil, fmt.Errorf("invalid plugin %q", cfg.PluginName)
 }
 specs, err := parseFunc(ctx, results)
 if err != nil {
@@ -79,19 +78,24 @@ func newVulnReport(cfg *config, spec v1alpha1.VulnerabilityReportSpec, owner met
 return v1alpha1.VulnerabilityReport{
 TypeMeta: vulnReportTypeMeta,
 ObjectMeta: metav1.ObjectMeta{
- Name: fmt.Sprintf("%s-%s-%s", cfg.ClusterName, strings.ToLower(cleanString(spec.Image)), cfg.suffix),
+ Name: vulnReportName(cfg, spec),
 Namespace: cfg.Namespace,
 OwnerReferences: []metav1.OwnerReference{owner},
 Labels: map[string]string{
- v1alpha1.LabelScanID: cfg.JobUID,
- v1alpha1.LabelCluster: cfg.ClusterName,
- v1alpha1.LabelPlugin: cfg.PluginName,
+ v1alpha1.LabelScanID: cfg.JobUID,
+ v1alpha1.LabelCluster: cfg.ClusterName,
+ v1alpha1.LabelClusterUID: cfg.ClusterUID,
+ v1alpha1.LabelPlugin: cfg.PluginName,
 },
 },
 Spec: spec,
 }
 }
+func vulnReportName(cfg *config, spec v1alpha1.VulnerabilityReportSpec) string {
+ return fmt.Sprintf("%s-%s-%s", cfg.ClusterName, strings.ToLower(cleanString(spec.Image)), cfg.suffix)
+}
+
 func cleanString(s string) string {
 return nonAlphanumericRegex.ReplaceAllString(s, "")
 }
diff --git a/pkg/worker/vuln_test.go b/pkg/worker/vuln_test.go
index cdf28ecf..ccfc9a0c 100644
--- a/pkg/worker/vuln_test.go
+++ b/pkg/worker/vuln_test.go
@@ -22,6 +22,7 @@ import (
 "sort"
 "strings"
 "testing"
+ "time"
 "github.com/google/go-cmp/cmp"
 batchv1 "k8s.io/api/batch/v1"
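Review bot: `vulnReportName` can hand two different images in the same scan the same object name, because `cleanString` strips every non-alphanumeric rune before the lowercase: `app:1.10` and `app:11.0` both become `app110`, so the second report created under that name overwrites (or fails against) the first. The name is also unbounded — a long registry path plus tag can push it past the 253-character limit on Kubernetes object names — even though the spec now carries a `Digest` that would make a stable, collision-free key. Suggest appending a short hash of the untouched reference as below (needs `crypto/sha256` in the import block) and truncating `base` so the full name stays within 253 characters; the fixtures in vuln_test.go pin the current format and would need updating. `newVulnReport`'s signature sits above this hunk.
```go
func vulnReportName(cfg *config, spec v1alpha1.VulnerabilityReportSpec) string {
	// cleanString drops every non-alphanumeric rune, so distinct references
	// such as "app:1.10" and "app:11.0" would collide; a short digest of the
	// untouched reference keeps one name per image.
	sum := sha256.Sum256([]byte(spec.Image))
	base := strings.ToLower(cleanString(spec.Image))
	return fmt.Sprintf("%s-%s-%x-%s", cfg.ClusterName, base, sum[:4], cfg.suffix)
}
```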
@@ -32,9 +33,10 @@ import (
 )
 var labels = map[string]string{
- v1alpha1.LabelScanID: "50c8957e-c9e1-493a-9fa4-d0786deea017",
- v1alpha1.LabelCluster: "cluster",
- v1alpha1.LabelPlugin: "trivy",
+ v1alpha1.LabelScanID: "50c8957e-c9e1-493a-9fa4-d0786deea017",
+ v1alpha1.LabelCluster: "cluster",
+ v1alpha1.LabelPlugin: "trivy",
+ v1alpha1.LabelClusterUID: "9a1d324c-9170-4aa7-9f64-76f01c9d7989",
 }
 var owners = []metav1.OwnerReference{
@@ -78,6 +80,7 @@ func TestParseVulnResults(t *testing.T) {
 cfg: &config{
 PluginName: "trivy",
 ClusterName: "cluster",
+ ClusterUID: "9a1d324c-9170-4aa7-9f64-76f01c9d7989",
 Namespace: "ns",
 JobName: "cluster-trivy-28140229",
 JobUID: "50c8957e-c9e1-493a-9fa4-d0786deea017",
@@ -90,30 +93,37 @@ func TestParseVulnResults(t *testing.T) {
 {
 TypeMeta: vulnReportTypeMeta,
 ObjectMeta: metav1.ObjectMeta{
- Name: "cluster-registryk8siokubeapiserverv1253-h9kcn",
+ Name: "cluster-registryk8siokubeapiserverv1273-h9kcn",
 Namespace: "ns",
 OwnerReferences: owners,
 Labels: labels,
 },
 Spec: v1alpha1.VulnerabilityReportSpec{
 Cluster: "cluster",
- Image: "registry.k8s.io/kube-apiserver:v1.25.3",
+ Image: "registry.k8s.io/kube-apiserver:v1.27.3",
+ Tags: []string{"registry.k8s.io/kube-apiserver:v1.27.3"},
+ Digest: "registry.k8s.io/kube-apiserver@sha256:fd03335dd2e7163e5e36e933a0c735d7fec6f42b33ddafad0bc54f333e4a23c0",
+ Architecture: "amd64",
+ OS: "linux",
+ Distro: &v1alpha1.Distro{Name: "debian", Version: "11.7"},
 Resources: map[string][]string{"Pod": {"kube-system/kube-apiserver-kind-control-plane"}},
 TotalResources: 1,
 Summary: v1alpha1.VulnerabilitySummary{Total: 1, High: 1},
 Vulnerabilities: []v1alpha1.Vulnerability{
 {
- ID: "CVE-2022-41723",
- Severity: "HIGH",
- Title: "avoid quadratic complexity in HPACK decoding",
- Description: "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.",
- Package: "golang.org/x/net",
- Version: "v0.0.0-20220722155237-a158d28d115b",
- FixVersion: "0.7.0",
- URL: "https://avd.aquasec.com/nvd/cve-2022-41723",
- Status: "fixed",
- Type: "gobinary",
- Score: "7.5",
+ ID: "CVE-2022-41723",
+ Severity: "HIGH",
+ Title: "avoid quadratic complexity in HPACK decoding",
+ Description: "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.",
+ Package: "golang.org/x/net",
+ Version: "v0.0.0-20220722155237-a158d28d115b",
+ FixVersion: "0.7.0",
+ URL: "https://avd.aquasec.com/nvd/cve-2022-41723",
+ Status: "fixed",
+ Type: "gobinary",
+ Score: "7.5",
+ PublishedDate: newTime("2023-02-28T18:15:00Z"),
+ LastModifiedDate: newTime("2023-05-16T10:50:00Z"),
 },
 },
 },
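Review bot: The new expectations in this case cover only the path where Trivy reports `RepoDigests`; since this commit makes `Digest` a required field, the table should also hold a result with no `RepoDigests` (a locally built, never-pushed image, for instance) so that what `parseVulnResults` does then — an error, or the image skipped — is pinned rather than implied. The same applies to the other report fixtures in this file. `TestParseVulnResults` starts above this hunk and continues below it, so I can't see from here whether such a case already exists further down.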
@@ -129,48 +139,59 @@ func TestParseVulnResults(t *testing.T) {
 Spec: v1alpha1.VulnerabilityReportSpec{
 Cluster: "cluster",
 Image: "quay.io/kiwigrid/k8s-sidecar:1.22.0",
+ Tags: []string{"quay.io/kiwigrid/k8s-sidecar:1.22.0"},
+ Digest: "quay.io/kiwigrid/k8s-sidecar@sha256:eaa478cdd0b8e1be7a4813bc1b01948b838e2feaa6d999e60c997dc823013824",
+ Architecture: "amd64",
+ OS: "linux",
+ Distro: &v1alpha1.Distro{Name: "alpine", Version: "3.16.3"},
 Resources: map[string][]string{"Deployment": {"apps/app1", "apps/app2"}},
 TotalResources: 2,
 Summary: v1alpha1.VulnerabilitySummary{Total: 3, Critical: 1, High: 2},
 Vulnerabilities: []v1alpha1.Vulnerability{
 {
- ID: "CVE-2022-4450",
- Severity: "HIGH",
- Title: "double free after calling PEM_read_bio_ex",
- Description: "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data. If the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.",
- Package: "libssl1.1",
- Version: "1.1.1s-r0",
- FixVersion: "1.1.1t-r0",
- URL: "https://avd.aquasec.com/nvd/cve-2022-4450",
- Status: "fixed",
- Type: "alpine",
- Score: "7.5",
+ ID: "CVE-2022-4450",
+ Severity: "HIGH",
+ Title: "double free after calling PEM_read_bio_ex",
+ Description: "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data. If the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.",
+ Package: "libssl1.1",
+ Version: "1.1.1s-r0",
+ FixVersion: "1.1.1t-r0",
+ URL: "https://avd.aquasec.com/nvd/cve-2022-4450",
+ Status: "fixed",
+ Type: "alpine",
+ Score: "7.5",
+ PublishedDate: newTime("2023-02-08T20:15:00Z"),
+ LastModifiedDate: newTime("2023-07-19T00:57:00Z"),
 },
 {
- ID: "CVE-2022-4450",
- Severity: "HIGH",
- Title: "double free after calling PEM_read_bio_ex",
- Description: "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data. If the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.",
- Package: "libcrypto1.1",
- Version: "1.1.1s-r0",
- FixVersion: "1.1.1t-r0",
- URL: "https://avd.aquasec.com/nvd/cve-2022-4450",
- Status: "fixed",
- Type: "alpine",
- Score: "7.5",
+ ID: "CVE-2022-4450",
+ Severity: "HIGH",
+ Title: "double free after calling PEM_read_bio_ex",
+ Description: "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data. If the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.",
+ Package: "libcrypto1.1",
+ Version: "1.1.1s-r0",
+ FixVersion: "1.1.1t-r0",
+ URL: "https://avd.aquasec.com/nvd/cve-2022-4450",
+ Status: "fixed",
+ Type: "alpine",
+ Score: "7.5",
+ PublishedDate: newTime("2023-02-08T20:15:00Z"),
+ LastModifiedDate: newTime("2023-07-19T00:57:00Z"),
 },
 {
- ID: "CVE-2023-37920",
- Severity: "CRITICAL",
- Title: "Removal of e-Tugra root certificate",
- Description: "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes \"e-Tugra\" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from \"e-Tugra\" from the root store.",
- Package: "certifi",
- Version: "2022.12.7",
- FixVersion: "2023.7.22",
- URL: "https://avd.aquasec.com/nvd/cve-2023-37920",
- Status: "fixed",
- Type: "python-pkg",
- Score: "9.8",
+ ID: "CVE-2023-37920",
+ Severity: "CRITICAL",
+ Title: "Removal of e-Tugra root certificate",
+ Description: "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes \"e-Tugra\" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from \"e-Tugra\" from the root store.",
+ Package: "certifi",
+ Version: "2022.12.7",
+ FixVersion: "2023.7.22",
+ URL: "https://avd.aquasec.com/nvd/cve-2023-37920",
+ Status: "fixed",
+ Type: "python-pkg",
+ Score: "9.8",
+ PublishedDate: newTime("2023-07-25T21:15:00Z"),
+ LastModifiedDate: newTime("2023-08-12T06:16:00Z"),
 },
 },
 },
@@ -186,47 +207,58 @@ func TestParseVulnResults(t *testing.T) {
 Spec: v1alpha1.VulnerabilityReportSpec{
 Cluster: "cluster",
 Image: "docker.io/istio/examples-bookinfo-ratings-v1:1.17.0",
+ Tags: []string{"istio/examples-bookinfo-ratings-v1:1.17.0"},
+ Digest: "istio/examples-bookinfo-ratings-v1@sha256:b6a6b88d35785c19f6dcb6acf055aa585511f2126bb0b5802f3107b7d37ead0b",
+ Architecture: "amd64",
+ OS: "linux",
+ Distro: &v1alpha1.Distro{Name: "debian", Version: "9.12"},
 Resources: map[string][]string{"Deployment": {"apps/app1"}},
 TotalResources: 1,
 Summary: v1alpha1.VulnerabilitySummary{Total: 3, High: 1, Medium: 1, Unknown: 1},
 Vulnerabilities: []v1alpha1.Vulnerability{
 {
- ID: "DLA-3051-1",
- Severity: "UNKNOWN",
- Title: "tzdata - new timezone database",
- Description: "",
- Package: "tzdata",
- Version: "2019c-0+deb9u1",
- FixVersion: "2021a-0+deb9u4",
- URL: "",
- Status: "fixed",
- Type: "debian",
+ ID: "DLA-3051-1",
+ Severity: "UNKNOWN",
+ Title: "tzdata - new timezone database",
+ Description: "",
+ Package: "tzdata",
+ Version: "2019c-0+deb9u1",
+ FixVersion: "2021a-0+deb9u4",
+ URL: "",
+ Status: "fixed",
+ Type: "debian",
+ PublishedDate: nil,
+ LastModifiedDate: nil,
 },
 {
- ID: "CVE-2016-2779",
- Severity: "HIGH",
- Title: "util-linux: runuser tty hijack via TIOCSTI ioctl",
- Description: "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
- Package: "bsdutils",
- Version: "1:2.29.2-1+deb9u1",
- FixVersion: "",
- URL: "https://avd.aquasec.com/nvd/cve-2016-2779",
- Status: "affected",
- Type: "debian",
- Score: "7.8",
+ ID: "CVE-2016-2779",
+ Severity: "HIGH",
+ Title: "util-linux: runuser tty hijack via TIOCSTI ioctl",
+ Description: "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
+ Package: "bsdutils",
+ Version: "1:2.29.2-1+deb9u1",
+ FixVersion: "",
+ URL: "https://avd.aquasec.com/nvd/cve-2016-2779",
+ Status: "affected",
+ Type: "debian",
+ Score: "7.8",
+ PublishedDate: newTime("2017-02-07T15:59:00Z"),
+ LastModifiedDate: newTime("2019-01-04T14:14:00Z"),
 },
 {
- ID: "GHSA-jmqm-f2gx-4fjv",
- Severity: "MEDIUM",
- Title: "Sensitive information exposure through logs in npm-registry-fetch",
- Description: "Affected versions of `npm-registry-fetch` are vulnerable to an information exposure vulnerability through log files. The cli supports URLs like `\u003cprotocol\u003e://[\u003cuser\u003e[:\u003cpassword\u003e]@]\u003chostname\u003e[:\u003cport\u003e][:][/]\u003cpath\u003e`. The password value is not redacted and is printed to stdout and also to any generated log files.",
- Package: "npm-registry-fetch",
- Version: "4.0.4",
- FixVersion: "8.1.1, 4.0.5",
- URL: "https://github.com/advisories/GHSA-jmqm-f2gx-4fjv",
- Status: "fixed",
- Type: "node-pkg",
- Score: "5.3",
+ ID: "GHSA-jmqm-f2gx-4fjv",
+ Severity: "MEDIUM",
+ Title: "Sensitive information exposure through logs in npm-registry-fetch",
+ Description: "Affected versions of `npm-registry-fetch` are vulnerable to an information exposure vulnerability through log files. The cli supports URLs like `\u003cprotocol\u003e://[\u003cuser\u003e[:\u003cpassword\u003e]@]\u003chostname\u003e[:\u003cport\u003e][:][/]\u003cpath\u003e`. The password value is not redacted and is printed to stdout and also to any generated log files.",
+ Package: "npm-registry-fetch",
+ Version: "4.0.4",
+ FixVersion: "8.1.1, 4.0.5",
+ URL: "https://github.com/advisories/GHSA-jmqm-f2gx-4fjv",
+ Status: "fixed",
+ Type: "node-pkg",
+ Score: "5.3",
+ PublishedDate: nil,
+ LastModifiedDate: nil,
 },
 },
 },
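Review bot: `Digest` is expected here as `istio/examples-bookinfo-ratings-v1@sha256:…` while `Image` is `docker.io/istio/examples-bookinfo-ratings-v1:1.17.0`, so the digest reference carries no registry host; the details-v1 fixture in the next hunk does the same, whereas the kube-apiserver and quay.io fixtures keep the host. Anything that later pulls or matches by `Digest` has to know that Docker Hub references are stored un-normalized, which the fixtures currently pin as intended behaviour. Either the parser should prefix the host taken from `Image` when Trivy's `RepoDigests` omit it, or the `Digest` field's documentation should state that it is Trivy's `RepoDigests` value as-is. Separately, the explicit `PublishedDate: nil,` / `LastModifiedDate: nil,` lines add nothing over the zero value and can be dropped. `TestParseVulnResults` begins above this hunk and continues past it.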
@@ -242,35 +274,44 @@ func TestParseVulnResults(t *testing.T) {
 Spec: v1alpha1.VulnerabilityReportSpec{
 Cluster: "cluster",
 Image: "docker.io/istio/examples-bookinfo-details-v1:1.17.0",
+ Tags: []string{"istio/examples-bookinfo-details-v1:1.17.0"},
+ Digest: "istio/examples-bookinfo-details-v1@sha256:2b081e3c86dd8105040ea1f2adcc94cb473f41249dc9c91ebc1c2885ddd56c13",
+ Architecture: "amd64",
+ OS: "linux",
+ Distro: &v1alpha1.Distro{Name: "debian", Version: "10.5"},
 Resources: map[string][]string{"Deployment": {"apps/app2"}},
 TotalResources: 1,
 Summary: v1alpha1.VulnerabilitySummary{Total: 2, High: 1, Low: 1},
 Vulnerabilities: []v1alpha1.Vulnerability{
 {
- ID: "CVE-2016-2781",
- Severity: "LOW",
- Title: "coreutils: Non-privileged session can escape to the parent session in chroot",
- Description: "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
- Package: "coreutils",
- Version: "8.30-3",
- FixVersion: "",
- URL: "https://avd.aquasec.com/nvd/cve-2016-2781",
- Status: "will_not_fix",
- Type: "debian",
- Score: "6.5",
+ ID: "CVE-2016-2781",
+ Severity: "LOW",
+ Title: "coreutils: Non-privileged session can escape to the parent session in chroot",
+ Description: "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
+ Package: "coreutils",
+ Version: "8.30-3",
+ FixVersion: "",
+ URL: "https://avd.aquasec.com/nvd/cve-2016-2781",
+ Status: "will_not_fix",
+ Type: "debian",
+ Score: "6.5",
+ PublishedDate: newTime("2017-02-07T15:59:00Z"),
+ LastModifiedDate: newTime("2021-02-25T17:15:00Z"),
 },
 {
- ID: "CVE-2023-28755",
- Severity: "HIGH",
- Title: "ReDoS vulnerability in URI",
- Description: "A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.",
- Package: "uri",
- Version: "0.10.0",
- FixVersion: "~\u003e 0.10.0.1, ~\u003e 0.10.2, ~\u003e 0.11.1, \u003e= 0.12.1",
- URL: "https://avd.aquasec.com/nvd/cve-2023-28755",
- Status: "fixed",
- Type: "gemspec",
- Score: "5.3",
+ ID: "CVE-2023-28755",
+ Severity: "HIGH",
+ Title: "ReDoS vulnerability in URI",
+ Description: "A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.",
+ Package: "uri",
+ Version: "0.10.0",
+ FixVersion: "~\u003e 0.10.0.1, ~\u003e 0.10.2, ~\u003e 0.11.1, \u003e= 0.12.1",
+ URL: "https://avd.aquasec.com/nvd/cve-2023-28755",
+ Status: "fixed",
+ Type: "gemspec",
+ Score: "5.3",
+ PublishedDate: newTime("2023-03-31T04:15:00Z"),
+ LastModifiedDate: newTime("2023-05-30T17:17:00Z"),
 },
 },
 },
@@ -286,21 +327,28 @@ func TestParseVulnResults(t *testing.T) {
 Spec: v1alpha1.VulnerabilityReportSpec{
 Cluster: "cluster",
 Image: "nginx@sha256:af296b188c7b7df99ba960ca614439c99cb7cf252ed7bbc23e90cfda59092305",
+ Tags: []string{"nginx:1.25.0"},
+ Digest: "nginx@sha256:af296b188c7b7df99ba960ca614439c99cb7cf252ed7bbc23e90cfda59092305",
+ Architecture: "amd64",
+ OS: "linux",
+ Distro: &v1alpha1.Distro{Name: "debian", Version: "11.7"},
 TotalResources: 1,
 Resources: map[string][]string{"Deployment": {"default/nginx"}},
 Vulnerabilities: []v1alpha1.Vulnerability{
 {
- ID: "CVE-2023-3446",
- Severity: "MEDIUM",
- Title: "Excessive time spent checking DH keys and parameters",
- Description: "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.",
- Package: "openssl",
- Version: "1.1.1n-0+deb11u4",
- FixVersion: "",
- URL: "https://avd.aquasec.com/nvd/cve-2023-3446",
- Status: "fix_deferred",
- Type: "debian",
- Score: "5.3",
+ ID: "CVE-2023-3446",
+ Severity: "MEDIUM",
+ Title: "Excessive time spent checking DH keys and parameters",
+ Description: "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.",
+ Package: "openssl",
+ Version: "1.1.1n-0+deb11u4",
+ FixVersion: "",
+ URL: "https://avd.aquasec.com/nvd/cve-2023-3446",
+ Status: "fix_deferred",
+ Type: "debian",
+ Score: "5.3",
+ PublishedDate: newTime("2023-07-19T12:15:00Z"),
+ LastModifiedDate: newTime("2023-08-16T08:15:00Z"),
 },
 },
 Summary: v1alpha1.VulnerabilitySummary{Total: 1, Medium: 1},
@@ -348,3 +396,11 @@ func sortVulns(vulns []v1alpha1.VulnerabilityReport) {
 })
 }
 }
+
+func newTime(s string) *metav1.Time {
+ p, err := time.Parse(time.RFC3339, s)
+ if err != nil {
+ return nil
+ }
+ return &metav1.Time{Time: p}
+}
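Review bot: `newTime` maps a malformed timestamp to a nil `*metav1.Time`, so a typo in one of the fixture strings above silently changes the expected value instead of stopping the test at setup; in test-only code the simpler contract is `if err != nil { panic(err) }`, or take a `*testing.T` and call `t.Fatalf`. A doc comment would also help, for example `// newTime parses an RFC3339 timestamp into a *metav1.Time for use in expected fixtures.` The `time` and `metav1` imports the helper needs are not visible in this view, so presumably they are added in an earlier hunk.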