test(k8s): remove internet access (#256)

Co-authored-by: chenk <hen.keinan@gmail.com>
This commit is contained in:
DmitriyLewen 2023-11-14 13:25:34 +06:00 committed by GitHub
parent f022b19a87
commit a948784f3a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 55 additions and 444 deletions


@ -24,6 +24,34 @@ const (
upstreamFolder = "upstream"
)
type options struct {
mitreURL string
}
type option func(*options)
func WithMitreURL(mitreURL string) option {
return func(opts *options) {
opts.mitreURL = mitreURL
}
}
type Updater struct {
*options
}
func NewUpdater(opts ...option) Updater {
o := &options{
mitreURL: mitreURL,
}
for _, opt := range opts {
opt(o)
}
return Updater{
options: o,
}
}
type VulnDB struct {
Cves []*osv.OSV
}
@ -41,7 +69,7 @@ type Item struct {
URL string `json:"url,omitempty"`
}
func Collect() (*VulnDB, error) {
func (u Updater) Collect() (*VulnDB, error) {
response, err := http.Get(k8svulnDBURL)
if err != nil {
return nil, err
@ -55,7 +83,7 @@ func Collect() (*VulnDB, error) {
if err != nil {
return nil, err
}
return ParseVulnDBData(db, cvesMap)
return u.ParseVulnDBData(db, cvesMap)
}
const (
@ -63,17 +91,17 @@ const (
excludeNonCoreComponentsCves = "CVE-2019-11255,CVE-2020-10749,CVE-2020-8554"
)
func Update() error {
if err := update(); err != nil {
func (u Updater) Update() error {
if err := u.update(); err != nil {
return xerrors.Errorf("error in k8s update: %w", err)
}
return nil
}
func update() error {
func (u Updater) update() error {
log.Printf("Fetching k8s cves")
k8sdb, err := Collect()
k8sdb, err := u.Collect()
if err != nil {
return err
}
@ -86,7 +114,7 @@ func update() error {
return nil
}
func ParseVulnDBData(db CVE, cvesMap map[string]string) (*VulnDB, error) {
func (u Updater) ParseVulnDBData(db CVE, cvesMap map[string]string) (*VulnDB, error) {
var fullVulnerabilities []*osv.OSV
for _, item := range db.Items {
for _, cveID := range getMultiIDs(item.ID) {
@ -94,7 +122,7 @@ func ParseVulnDBData(db CVE, cvesMap map[string]string) (*VulnDB, error) {
if strings.Contains(excludeNonCoreComponentsCves, item.ID) || olderCve(cveID, item.DatePublished, cvesMap) {
continue
}
vulnerability, err := parseMitreCve(item.ExternalURL, cveID)
vulnerability, err := parseMitreCve(item.ExternalURL, u.mitreURL, cveID)
if err != nil {
return nil, err
}
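Review bot: `WithMitreURL` is exported but returns the unexported type `option` (declared right before it as `type option func(*options)`), so callers outside the package cannot name the type to build a slice of options or pass one through; rename it to `Option` (`type Option func(*options)`, `func WithMitreURL(mitreURL string) Option`) and add doc comments on `Updater`, `NewUpdater` and `WithMitreURL`, all of which are exported and undocumented. The same file still has `Collect` fetching from the hard-coded `k8svulnDBURL` through `http.Get`, i.e. the default client with no timeout, so that path remains untestable without network; a `WithVulnDBURL` option in the same style would complete what the commit title states. `Collect` and `ParseVulnDBData` both continue outside their hunks.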


@ -2,6 +2,8 @@ package k8s
import (
"encoding/json"
"net/http"
"net/http/httptest"
"os"
"testing"
@ -14,7 +16,12 @@ func Test_ParseVulneDB(t *testing.T) {
var bi CVE
err = json.Unmarshal(b, &bi)
assert.NoError(t, err)
kvd, err := ParseVulnDBData(bi, map[string]string{})
ts := httptest.NewServer(http.FileServer(http.Dir("./testdata/mitreCVEs")))
defer ts.Close()
updater := NewUpdater(WithMitreURL(ts.URL))
kvd, err := updater.ParseVulnDBData(bi, map[string]string{})
assert.NoError(t, err)
gotVulnDB, err := json.Marshal(kvd.Cves)
assert.NoError(t, err)
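Review bot: `kvd.Cves` is dereferenced on the line after `assert.NoError(t, err)`; `assert` only records the failure and keeps running, so if `updater.ParseVulnDBData` returns an error the test panics on a nil `kvd` instead of reporting the assertion. Use `require.NoError(t, err)` for that check (and for the `json.Unmarshal` one above it) so the test stops at the first failed precondition. The `httptest.Server` is released with `defer ts.Close()`, which is correct. `Test_ParseVulneDB` continues outside the hunk.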


@ -71,7 +71,7 @@ type Version struct {
FixedIndex int `json:"-"`
}
func parseMitreCve(externalURL string, cveID string) (*Cve, error) {
func parseMitreCve(externalURL, mitreURL, cveID string) (*Cve, error) {
if !strings.HasPrefix(externalURL, cveList) {
// if no external url provided, return empty vulnerability to be skipped
return &Cve{}, nil
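Review bot: The new `mitreURL` parameter of `parseMitreCve` has no doc comment, and the hunk ends before the body shows how it is combined with `cveID`, so a reader of the signature cannot tell whether it is a base URL or a complete template. Add a comment such as `// parseMitreCve fetches the MITRE record for cveID from mitreURL (a base URL the tests override); items whose externalURL does not start with cveList yield an empty Cve and are skipped.` The skip behaviour is visible in the first lines of the body; the base-URL reading is inferred from the test wiring and should be confirmed against the rest of the function. The body of parseMitreCve continues outside the hunk.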

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long


@ -0,0 +1 @@
{"containers":{"cna":{"affected":[{"product":"Kubernetes","vendor":"Kubernetes","versions":[{"status":"affected","version":"v1.3.x"},{"status":"affected","version":"v1.4.x"},{"status":"affected","version":"v1.5.x"},{"status":"affected","version":"v1.6.x"},{"lessThan":"v1.7.14","status":"affected","version":"unspecified","versionType":"custom"},{"lessThan":"v1.8.9","status":"affected","version":"unspecified","versionType":"custom"},{"lessThan":"v1.9.4","status":"affected","version":"unspecified","versionType":"custom"}]}],"credits":[{"lang":"en","value":"Reported by Joel Smith of Red Hat"}],"dateAssigned":"2017-12-06T00:00:00","datePublic":"2018-03-05T00:00:00","descriptions":[{"lang":"en","value":"In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running."}],"metrics":[{"cvssV3_0":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H","version":"3.0"}}],"problemTypes":[{"descriptions":[{"description":"handled symbolic links 
insecurely","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2018-03-14T09:57:01","orgId":"a6081bf6-c852-4425-ad4f-a67919267565","shortName":"kubernetes"},"references":[{"name":"RHSA-2018:0475","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2018:0475"},{"tags":["x_refsource_CONFIRM"],"url":"https://github.com/kubernetes/kubernetes/issues/60814"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"jordan@liggitt.net","DATE_ASSIGNED":"2017-12-06","ID":"CVE-2017-1002102","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Kubernetes","version":{"version_data":[{"version_affected":"=","version_value":"v1.3.x"},{"version_affected":"=","version_value":"v1.4.x"},{"version_affected":"=","version_value":"v1.5.x"},{"version_affected":"=","version_value":"v1.6.x"},{"version_affected":"<","version_value":"v1.7.14"},{"version_affected":"<","version_value":"v1.8.9"},{"version_affected":"<","version_value":"v1.9.4"}]}}]},"vendor_name":"Kubernetes"}]}},"credit":["Reported by Joel Smith of Red Hat"],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H","version":"3.0"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"handled symbolic links 
insecurely"}]}]},"references":{"reference_data":[{"name":"RHSA-2018:0475","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2018:0475"},{"name":"https://github.com/kubernetes/kubernetes/issues/60814","refsource":"CONFIRM","url":"https://github.com/kubernetes/kubernetes/issues/60814"}]}}}},"cveMetadata":{"assignerOrgId":"a6081bf6-c852-4425-ad4f-a67919267565","assignerShortName":"kubernetes","cveId":"CVE-2017-1002102","datePublished":"2018-03-13T17:00:00","dateReserved":"2017-12-07T00:00:00","dateUpdated":"2018-03-14T09:57:01","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.0"}

k8s/testdata/mitreCVEs/CVE-2020-8557 vendored Normal file

File diff suppressed because one or more lines are too long

k8s/testdata/mitreCVEs/CVE-2021-3121 vendored Normal file

@ -0,0 +1 @@
{"containers":{"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"descriptions":[{"lang":"en","value":"An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2021-10-18T05:06:11","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"tags":["x_refsource_MISC"],"url":"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc"},{"tags":["x_refsource_MISC"],"url":"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2"},{"name":"[pulsar-commits] 20210121 [GitHub] [pulsar-client-go] hrsakai opened a new pull request #446: Upgrade gogo/protobuf to 1.3.2","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e%40%3Ccommits.pulsar.apache.org%3E"},{"name":"[pulsar-commits] 20210122 [GitHub] [pulsar-client-go] hrsakai opened a new pull request #446: Upgrade gogo/protobuf to 1.3.2","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44%40%3Ccommits.pulsar.apache.org%3E"},{"tags":["x_refsource_CONFIRM"],"url":"https://security.netapp.com/advisory/ntap-20210219-0006/"},{"tags":["x_refsource_MISC"],"url":"https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025"},{"name":"[skywalking-notifications] 20211018 [GitHub] [skywalking-swck] hanahmily opened a new pull request #37: Fix 
vulnerabilities","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff%40%3Cnotifications.skywalking.apache.org%3E"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-3121","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc","refsource":"MISC","url":"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc"},{"name":"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2","refsource":"MISC","url":"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2"},{"name":"[pulsar-commits] 20210121 [GitHub] [pulsar-client-go] hrsakai opened a new pull request #446: Upgrade gogo/protobuf to 1.3.2","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E"},{"name":"[pulsar-commits] 20210122 [GitHub] [pulsar-client-go] hrsakai opened a new pull request #446: Upgrade gogo/protobuf to 
1.3.2","refsource":"MLIST","url":"https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E"},{"name":"https://security.netapp.com/advisory/ntap-20210219-0006/","refsource":"CONFIRM","url":"https://security.netapp.com/advisory/ntap-20210219-0006/"},{"name":"https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025","refsource":"MISC","url":"https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025"},{"name":"[skywalking-notifications] 20211018 [GitHub] [skywalking-swck] hanahmily opened a new pull request #37: Fix vulnerabilities","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2021-3121","datePublished":"2021-01-11T05:57:18","dateReserved":"2021-01-11T00:00:00","dateUpdated":"2021-10-18T05:06:11","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.0"}

k8s/testdata/mitreCVEs/CVE-2023-2431 vendored Normal file

@ -0,0 +1 @@
{"dataType":"CVE_RECORD","dataVersion":"5.0","cveMetadata":{"cveId":"CVE-2023-2431","assignerOrgId":"a6081bf6-c852-4425-ad4f-a67919267565","state":"PUBLISHED","assignerShortName":"kubernetes","dateReserved":"2023-04-30T22:44:39.597Z","datePublished":"2023-06-16T07:08:33.476Z","dateUpdated":"2023-06-16T07:15:37.445Z"},"containers":{"cna":{"providerMetadata":{"orgId":"a6081bf6-c852-4425-ad4f-a67919267565","shortName":"kubernetes","dateUpdated":"2023-06-16T07:15:37.445Z"},"title":"Bypass of seccomp profile enforcement","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-1287","description":"CWE-1287 Improper Validation of Specified Type of Input","type":"CWE"}]}],"affected":[{"vendor":"Kubernetes","product":"Kubernetes","repo":"https://github.com/kubernetes/kubernetes/","versions":[{"status":"affected","version":"0","lessThan":"v1.24.14","versionType":"kubelet v1.24"},{"status":"affected","version":"v1.25.0","lessThan":"v1.25.9","versionType":"kubelet v1.25"},{"status":"affected","version":"v1.26.0","lessThan":"v1.26.4","versionType":"kubelet v1.26"},{"status":"affected","version":"v1.27.0","lessThan":"v1.27.1","versionType":"kubelet v1.27"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. 
This bug affects Kubelet."}],"references":[{"url":"https://groups.google.com/g/kubernetes-security-announce/c/QHmx0HOQa10"},{"url":"https://github.com/kubernetes/kubernetes/issues/118690"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBX4RL4UOC7JHWWYB2AJCKSUM7EG5Y5G/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43HDSKBKPSW53OW647B5ETHRWFFNHSRQ/"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseSeverity":"LOW","baseScore":3.4,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"}}],"solutions":[{"lang":"en","value":"To mitigate these vulnerabilities, upgrade Kubelet: https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/ https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/"}],"credits":[{"lang":"en","value":"Tim Allclair","user":"00000000-0000-4000-9000-000000000000","type":"finder"},{"lang":"en","value":"Craig Ingram","user":"00000000-0000-4000-9000-000000000000","type":"remediation developer"}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 0.1.0-dev"}}}}

k8s/testdata/mitreCVEs/CVE-2023-2727 vendored Normal file

@ -0,0 +1 @@
{"dataType":"CVE_RECORD","dataVersion":"5.0","cveMetadata":{"cveId":"CVE-2023-2727","assignerOrgId":"a6081bf6-c852-4425-ad4f-a67919267565","state":"PUBLISHED","assignerShortName":"kubernetes","dateReserved":"2023-05-16T00:31:53.873Z","datePublished":"2023-07-03T20:05:04.329Z","dateUpdated":"2023-07-03T20:05:04.329Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Kubernetes","vendor":"Kubernetes","versions":[{"lessThanOrEqual":"<=","status":"affected","version":"v1.24.14","versionType":"semver"},{"status":"affected","version":"v1.25.0 - v1.25.10"},{"status":"affected","version":"v1.26.0 - v1.26.5"},{"status":"affected","version":"v1.27.0 - v1.27.2"}]}],"credits":[{"lang":"en","type":"reporter","user":"00000000-0000-4000-9000-000000000000","value":"Stanislav Láznička"}],"datePublic":"2023-06-15T04:30:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div>Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.</div>"}],"value":"Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. 
Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.\n\n"}],"impacts":[{"capecId":"CAPEC-554","descriptions":[{"lang":"en","value":"CAPEC-554 Functionality Bypass"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-20","description":"CWE-20 Improper Input Validation","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"a6081bf6-c852-4425-ad4f-a67919267565","shortName":"kubernetes","dateUpdated":"2023-07-03T20:05:04.329Z"},"references":[{"tags":["mailing-list"],"url":"https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8"},{"tags":["issue-tracking"],"url":"https://github.com/kubernetes/kubernetes/issues/118640"},{"url":"http://www.openwall.com/lists/oss-security/2023/07/06/2"},{"url":"https://security.netapp.com/advisory/ntap-20230803-0004/"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div><div>To mitigate this vulnerability, upgrade Kubernetes: <a target=\"_blank\" rel=\"nofollow\" href=\"https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster\">https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster</a></div></div>"}],"value":"To mitigate this vulnerability, upgrade Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster \n\n\n\n"}],"source":{"discovery":"EXTERNAL"},"title":"Bypassing policies imposed by the 
ImagePolicyWebhook admission plugin","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div><div>Prior to upgrading, this vulnerability can be mitigated by running v<span style=\"background-color: var(--wht);\">alidation webhooks (such as Gatekeeper and Kyverno) to enforce the same restrictions for ephemeral containers.</span></div></div>"}],"value":"Prior to upgrading, this vulnerability can be mitigated by running validation webhooks (such as Gatekeeper and Kyverno) to enforce the same restrictions for ephemeral containers.\n\n\n\n"}],"x_generator":{"engine":"Vulnogram 0.1.0-dev"}}}}

k8s/testdata/mitreCVEs/CVE-2023-2728 vendored Normal file

@ -0,0 +1 @@
{"dataType":"CVE_RECORD","dataVersion":"5.0","cveMetadata":{"cveId":"CVE-2023-2728","assignerOrgId":"a6081bf6-c852-4425-ad4f-a67919267565","state":"PUBLISHED","assignerShortName":"kubernetes","dateReserved":"2023-05-16T00:32:00.189Z","datePublished":"2023-07-03T20:06:11.796Z","dateUpdated":"2023-07-03T20:06:11.796Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Kubernetes","vendor":"Kubernetes","versions":[{"lessThanOrEqual":"<=","status":"affected","version":"v1.24.14","versionType":"semver"},{"status":"affected","version":"v1.25.0 - v1.25.10"},{"status":"affected","version":"v1.26.0 - v1.26.5"},{"status":"affected","version":"v1.27.0 - v1.27.2"}]}],"credits":[{"lang":"en","type":"reporter","user":"00000000-0000-4000-9000-000000000000","value":"Rita Zhang"}],"datePublic":"2023-06-15T04:30:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div>Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service accounts secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.</div>"}],"value":"Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service accounts secrets field. 
Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.\n\n"}],"impacts":[{"capecId":"CAPEC-554","descriptions":[{"lang":"en","value":"CAPEC-554 Functionality Bypass"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-20","description":"CWE-20 Improper Input Validation","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"a6081bf6-c852-4425-ad4f-a67919267565","shortName":"kubernetes","dateUpdated":"2023-07-03T20:06:11.796Z"},"references":[{"tags":["mailing-list"],"url":"https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8"},{"tags":["issue-tracking"],"url":"https://github.com/kubernetes/kubernetes/issues/118640"},{"url":"http://www.openwall.com/lists/oss-security/2023/07/06/3"},{"url":"https://security.netapp.com/advisory/ntap-20230803-0004/"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div><div>To mitigate this vulnerability, upgrade Kubernetes: <a target=\"_blank\" rel=\"nofollow\" href=\"https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster\">https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster</a></div></div>"}],"value":"To mitigate this vulnerability, upgrade Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster 
\n\n\n\n"}],"source":{"discovery":"INTERNAL"},"title":"Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin","x_generator":{"engine":"Vulnogram 0.1.0-dev"}}}}

k8s/testdata/mitreCVEs/CVE-2023-2878 vendored Normal file

@ -0,0 +1 @@
{"dataType":"CVE_RECORD","dataVersion":"5.0","cveMetadata":{"cveId":"CVE-2023-2878","assignerOrgId":"a6081bf6-c852-4425-ad4f-a67919267565","state":"PUBLISHED","assignerShortName":"kubernetes","dateReserved":"2023-05-24T22:10:01.825Z","datePublished":"2023-06-07T14:35:10.295Z","dateUpdated":"2023-06-07T14:37:59.908Z"},"containers":{"cna":{"providerMetadata":{"orgId":"a6081bf6-c852-4425-ad4f-a67919267565","shortName":"kubernetes","dateUpdated":"2023-06-07T14:37:59.908Z"},"title":"Kubernetes secrets-store-csi-driver discloses service account tokens in logs","datePublic":"2023-05-25T04:00:00.000Z","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-532","description":"CWE-532 Insertion of Sensitive Information into Log File","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-233","descriptions":[{"lang":"en","value":"CAPEC-233 Privilege Escalation"}]}],"affected":[{"vendor":"Kubernetes","product":"secrets-store-csi-driver","repo":"https://github.com/kubernetes-sigs/secrets-store-csi-driver","versions":[{"status":"affected","version":"0","lessThan":"1.3.3","versionType":"semver"},{"status":"unaffected","version":"1.3.3"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"Kubernetes secrets-store-csi-driver in versions before 1.3.3 discloses service account tokens in logs.\n","supportingMedia":[{"type":"text/html","base64":false,"value":"Kubernetes secrets-store-csi-driver in versions before 1.3.3 discloses service account tokens in 
logs.<br>"}]}],"references":[{"url":"https://github.com/kubernetes/kubernetes/issues/118419","tags":["issue-tracking"]},{"url":"https://groups.google.com/g/kubernetes-security-announce/c/5K8ghQHBDdQ/m/Udee6YUgAAAJ","tags":["mailing-list"]},{"url":"https://security.netapp.com/advisory/ntap-20230814-0003/"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseSeverity":"MEDIUM","baseScore":6.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"}}],"workarounds":[{"lang":"en","value":"Prior to upgrading, this vulnerability can be mitigated by running secrets-store-csi-driver at log level 0 or 1 via the -v flag.\n\n","supportingMedia":[{"type":"text/html","base64":false,"value":"<p>Prior to upgrading, this vulnerability can be mitigated by running secrets-store-csi-driver at log level 0 or 1 via the -v flag.</p>"}]}],"credits":[{"lang":"en","value":"Tomer Shaiman","user":"00000000-0000-4000-9000-000000000000","type":"reporter"}],"source":{"discovery":"EXTERNAL"},"x_generator":{"engine":"Vulnogram 0.1.0-dev"}}}}


@ -173,7 +173,8 @@ func run() error {
return xerrors.Errorf("Chainguard update error: %w", err)
}
case "k8s":
if err := k8s.Update(); err != nil {
ku := k8s.NewUpdater()
if err := ku.Update(); err != nil {
return xerrors.Errorf("k8s update error: %w", err)
}
default: