From 26712bf2d04a682b3aac17360e5ffdcea772b80b Mon Sep 17 00:00:00 2001
From: olsova
Date: Tue, 3 Dec 2024 17:57:31 +0600
Subject: [PATCH] feat: add k8s scan report
---
 go.mod | 8 +
 go.sum | 94 +
 render/render.go | 14 +-
 render/render_test.go | 5 +
 render/template/html.tpl | 6 +-
 render/testdata/golden/happy-k8s.html | 17141 ++++++++
 render/testdata/input/happy-k8s.json | 54184 ++++++++++++++++++++++++
 7 files changed, 71448 insertions(+), 4 deletions(-)
 create mode 100644 render/testdata/golden/happy-k8s.html
 create mode 100644 render/testdata/input/happy-k8s.json
diff --git a/go.mod b/go.mod
index bb4b185..af3d007 100644
--- a/go.mod
+++ b/go.mod
@@ -18,6 +18,7 @@ require (
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 github.com/BurntSushi/toml v1.4.0 // indirect
+ github.com/CycloneDX/cyclonedx-go v0.9.1 // indirect
 github.com/MakeNowJust/heredoc v1.0.0 // indirect
 github.com/Masterminds/goutils v1.1.1 // indirect
 github.com/Masterminds/semver/v3 v3.3.0 // indirect
@@ -32,8 +33,11 @@ require (
 github.com/apparentlymart/go-cidr v1.1.0 // indirect
 github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 github.com/aquasecurity/go-version v0.0.0-20240603093900-cf8a8d29271d // indirect
+ github.com/aquasecurity/table v1.8.0 // indirect
+ github.com/aquasecurity/tml v0.6.1 // indirect
 github.com/aquasecurity/trivy-checks v1.2.2 // indirect
 github.com/aquasecurity/trivy-db v0.0.0-20240910133327-7e0f4d2ed4c1 // indirect
+ github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20241029051843-2606b7e0f0b4 // indirect
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 github.com/aws/aws-sdk-go v1.55.5 // indirect
 github.com/aws/aws-sdk-go-v2/service/s3 v1.63.2 // indirect
@@ -116,6 +120,8 @@ require (
 github.com/json-iterator/go v1.1.12 // indirect
 github.com/kevinburke/ssh_config v1.2.0 // indirect
 github.com/klauspost/compress v1.17.9 // indirect
+ github.com/knqyf263/go-deb-version v0.0.0-20230223133812-3ed183d23422 // indirect
+ github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075 // indirect
 github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 github.com/liamg/iamgo v0.0.9 // indirect
@@ -135,6 +141,7 @@ require (
 github.com/mitchellh/go-homedir v1.1.0 // indirect
 github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+ github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 github.com/mitchellh/mapstructure v1.5.0 // indirect
 github.com/mitchellh/reflectwalk v1.0.2 // indirect
 github.com/moby/buildkit v0.16.0 // indirect
@@ -186,6 +193,7 @@ require (
 github.com/yashtewari/glob-intersection v0.2.0 // indirect
 github.com/zclconf/go-cty v1.15.0 // indirect
 github.com/zclconf/go-cty-yaml v1.0.3 // indirect
+ go.etcd.io/bbolt v1.3.11 // indirect
 go.opencensus.io v0.24.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
diff --git a/go.sum b/go.sum
index bd0763d..449396d 100644
--- a/go.sum
+++ b/go.sum
@@ -223,6 +223,10 @@ github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7Oputl github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU= github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible h1:juIaKLLVhqzP55d8x4cSVgwyQv76Z55/fRv/UBr2KkQ= github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible/go.mod h1:BB1eHdMLYEFuFdBlRMb0N7YGVdM5s6Pt0njxgvfbGGs= +github.com/Intevation/gval v1.3.0 h1:+Ze5sft5MmGbZrHj06NVUbcxCb67l9RaPTLMNr37mjw= +github.com/Intevation/gval v1.3.0/go.mod h1:xmGyGpP5be12EL0P12h+dqiYG8qn2j3PJxIgkoOHO5o= +github.com/Intevation/jsonpath v0.2.1 h1:rINNQJ0Pts5XTFEG+zamtdL7l9uuE1z0FBA+r55Sw+A= +github.com/Intevation/jsonpath v0.2.1/go.mod h1:WnZ8weMmwAx/fAO3SutjYFU+v7DFreNYnibV7CiaYIw= github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ= github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE= github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= 
@@ -264,10 +268,16 @@ github.com/apparentlymart/go-cidr v1.1.0 h1:2mAhrMoF+nhXqxTzSZMUzDHkLjmIHC+Zzn4t github.com/apparentlymart/go-cidr v1.1.0/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/YjEn/vI25Lg7Gwc= github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY= github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4= +github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM= +github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8= github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46 h1:vmXNl+HDfqqXgr0uY1UgK1GAhps8nbAAtqHNBcgyf+4= github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46/go.mod h1:olhPNdiiAAMiSujemd1O/sc6GcyePr23f/6uGKtthNg= github.com/aquasecurity/go-version v0.0.0-20240603093900-cf8a8d29271d h1:4zour5Sh9chOg+IqIinIcJ3qtr3cIf8FdFY6aArlXBw= github.com/aquasecurity/go-version v0.0.0-20240603093900-cf8a8d29271d/go.mod h1:1cPOp4BaQZ1G2F5fnw4dFz6pkOyXJI9KTuak8ghIl3U= +github.com/aquasecurity/table v1.8.0 h1:9ntpSwrUfjrM6/YviArlx/ZBGd6ix8W+MtojQcM7tv0= +github.com/aquasecurity/table v1.8.0/go.mod h1:eqOmvjjB7AhXFgFqpJUEE/ietg7RrMSJZXyTN8E/wZw= +github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo= +github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY= github.com/aquasecurity/trivy v0.57.1 h1:loKFDGLDqZdlq1GPVjZypnEaPhbHz+q07hZEOTo2wEM= github.com/aquasecurity/trivy v0.57.1/go.mod h1:MPExNeIDQASo9nHkVjN4pSsx7Vxoka96FnjryoSnhk0= github.com/aquasecurity/trivy-checks v1.2.2 h1:EVHi0gthYzDLfqdAqBBwVGfg2l/gdZ622pIlC9rP+lU= 
@@ -276,6 +286,8 @@ github.com/aquasecurity/trivy-db v0.0.0-20240910133327-7e0f4d2ed4c1 h1:G0gnacAOR github.com/aquasecurity/trivy-db v0.0.0-20240910133327-7e0f4d2ed4c1/go.mod h1:PYkSRx4dlgFATEt+okGwibvbxVEtqsOdH+vX/saACYE= github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI= github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8= +github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20241029051843-2606b7e0f0b4 h1:i0Z0JS4xtMAcBVOpYSciS7slmIBi1SmjT6garbrJtcA= +github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20241029051843-2606b7e0f0b4/go.mod h1:ctlibFXOQyjWybeVVQI6NLG6GJoPWZJ4cIirQ/wPCQs= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= 
@@ -321,10 +333,16 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas= github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4= +github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= +github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/bmatcuk/doublestar/v4 v4.6.1 h1:FH9SifrbvJhnlQpztAx++wlkk70QBf0iBWDwNy7PA4I= github.com/bmatcuk/doublestar/v4 v4.6.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= +github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M= +github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0= +github.com/briandowns/spinner v1.23.0 h1:alDF2guRWqa/FOZZYWjlMIx2L6H0wyewPxo/CH4Pt2A= +github.com/briandowns/spinner v1.23.0/go.mod h1:rPG4gmXeN3wQV/TsAY4w8lPdIM6RX3yqeBQJSrbXjuE= github.com/bshuster-repo/logrus-logstash-hook v1.0.0 h1:e+C0SB5R1pu//O4MQ3f9cFuPGoOVeF2fE4Og9otCc70= github.com/bshuster-repo/logrus-logstash-hook v1.0.0/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd h1:rFt+Y/IK1aEZkEHchZRSq9OQbsSzIT/OrI8YFFmRIng= 
@@ -387,6 +405,10 @@ github.com/cpuguy83/dockercfg v0.3.1/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHf github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.23 h1:4M6+isWdcStXEf15G/RbrMPOQj1dZ7HPZCGwE4kOeP0= github.com/creack/pty v1.1.23/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE= +github.com/csaf-poc/csaf_distribution/v3 v3.0.0 h1:ob9+Fmpff0YWgTP3dYaw7G2hKQ9cegh9l3zksc+q3sM= +github.com/csaf-poc/csaf_distribution/v3 v3.0.0/go.mod h1:uilCTiNKivq+6zrDvjtZaUeLk70oe21iwKivo6ILwlQ= +github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 h1:2Dx4IHfC1yHWI12AxQDJM1QbRCDfk6M+blLzlZCXdrc= +github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= github.com/cyphar/filepath-securejoin v0.3.1 h1:1V7cHiaW+C+39wEfpH6XlLBQo3j/PciWFrgfCLS8XrE= github.com/cyphar/filepath-securejoin v0.3.1/go.mod h1:F7i41x/9cBF7lzCrVsYs9fuzwRZm4NQsGTBdpp6mETc= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -397,8 +419,14 @@ github.com/dgraph-io/badger/v3 v3.2103.5 h1:ylPa6qzbjYRQMU6jokoj4wzcaweHylt//CH0 github.com/dgraph-io/badger/v3 v3.2103.5/go.mod h1:4MPiseMeDQ3FNCYwRbbcBOGJLf5jsE0PPFzRiKjtcdw= github.com/dgraph-io/ristretto v0.1.1 h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWajOK8= github.com/dgraph-io/ristretto v0.1.1/go.mod h1:S1GPSBCYCIhmVNfcth17y2zZtQT6wzkzgwUve0VDWWA= +github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78= +github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= +github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 h1:ge14PCmCvPjpMQMIAH7uKg0lrtNSOdpYsRXlwk3QbaE= +github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc= +github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 h1:lxmTCgmHE1GUYL7P0MlNa00M67axePTq+9nBSGddR8I= +github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7/go.mod h1:GvWntX9qiTlOud0WkQ6ewFm0LPy5JUR1Xo0Ngbd1w6Y= github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2 h1:aBfCb7iqHmDEIp6fBvC/hQUddQfg+3qdYjwzaiP9Hnc= github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= 
@@ -456,11 +484,15 @@ github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7Dlme github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk= github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= +github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/gliderlabs/ssh v0.3.7 h1:iV3Bqi942d9huXnzEF2Mt+CY9gLu8DNM4Obd+8bODRE= github.com/gliderlabs/ssh v0.3.7/go.mod h1:zpHEXBstFnQYtGnB8k8kQLol82umzn/2/snG7alWVD8= +github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec= +github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ= github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA= github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI= 
@@ -510,6 +542,8 @@ github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3Bum github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ= github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI= github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow= +github.com/go-redis/redis/v8 v8.11.5 h1:AcZZR7igkdvfVmQTPnu9WE37LRrO/YrBH5zWyjDC0oI= +github.com/go-redis/redis/v8 v8.11.5/go.mod h1:gREzHqY1hg6oD9ngVRbLStwAWKhA0FEgq8Jd4h5lpwo= github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y= github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= @@ -519,6 +553,8 @@ github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68= github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= +github.com/goccy/go-yaml v1.9.5 h1:Eh/+3uk9kLxG4koCX6lRMAPS1OaMSAi+FJcya0INdB0= +github.com/goccy/go-yaml v1.9.5/go.mod h1:U/jl18uSupI5rdI2jmuCswEA2htH9eXfferR3KfscvA= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= 
@@ -571,6 +607,8 @@ github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Z github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= +github.com/google/certificate-transparency-go v1.1.8 h1:LGYKkgZF7satzgTak9R4yzfJXEeYVAjV6/EAEJOf1to= +github.com/google/certificate-transparency-go v1.1.8/go.mod h1:bV/o8r0TBKRf1X//iiiSgWrvII4d7/8OiA+3vG26gI8= github.com/google/flatbuffers v2.0.8+incompatible h1:ivUb1cGomAB101ZM1T0nOiWz9pSrTMoa9+EiY7igmkM= github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU= @@ -690,6 +728,8 @@ github.com/hashicorp/golang-lru v0.6.0 h1:uL2shRDx7RTrOrTCUZEGP/wJUFiUI8QT6E7z5o github.com/hashicorp/golang-lru v0.6.0/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k= github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM= +github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM= +github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM= github.com/hashicorp/hcl/v2 v2.22.0 h1:hkZ3nCtqeJsDhPRFz5EA9iwcG1hNWGePOTw6oyul12M= github.com/hashicorp/hcl/v2 v2.22.0/go.mod h1:62ZYHrXgPoX8xBnzl8QzbWq4dyDsDtfCRgIq1rbJEvA= github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI= 
@@ -704,6 +744,8 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= +github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 h1:TMtDYDHKYY15rFihtRfck/bfFqNfvcabqvXAFQfAUpY= +github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267/go.mod h1:h1nSAbGFqGVzn6Jyl1R/iCcBUHN4g+gW1u9CoBTrb9E= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= @@ -785,6 +827,8 @@ github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U= github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= +github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk= +github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU= github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= 
@@ -842,6 +886,8 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4= github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls= +github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 h1:Up6+btDp321ZG5/zdSLo48H9Iaq0UQGthrhWC6pCxzE= +github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481/go.mod h1:yKZQO8QE2bHlgozqWDiRVqTFlLQSj30K/6SAK8EeYFw= github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= 
@@ -856,10 +902,20 @@ github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQ github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs= github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= +github.com/openvex/discovery v0.1.1-0.20240802171711-7c54efc57553 h1:c4u0GIH0w2Q57Pm2Oldrq6EiHFnLCCnRs98A+ggj/YQ= +github.com/openvex/discovery v0.1.1-0.20240802171711-7c54efc57553/go.mod h1:z4b//Qi7p7zcM/c41ogeTy+/nqfMbbeYnfZ+EMCTCD0= +github.com/openvex/go-vex v0.2.5 h1:41utdp2rHgAGCsG+UbjmfMG5CWQxs15nGqir1eRgSrQ= +github.com/openvex/go-vex v0.2.5/go.mod h1:j+oadBxSUELkrKh4NfNb+BPo77U3q7gdKME88IO/0Wo= +github.com/owenrumney/go-sarif v1.1.1 h1:QNObu6YX1igyFKhdzd7vgzmw7XsWN3/6NMGuDzBgXmE= +github.com/owenrumney/go-sarif/v2 v2.3.3 h1:ubWDJcF5i3L/EIOER+ZyQ03IfplbSU1BLOE26uKQIIU= +github.com/owenrumney/go-sarif/v2 v2.3.3/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w= github.com/owenrumney/squealer v1.2.4 h1:77CEDP10mgvFLWHzUIBTfFIj9RkJ5h36YQhZ48GtjsQ= github.com/owenrumney/squealer v1.2.4/go.mod h1:F3PF/UaTAzaexT/cvvMYCSRHLRPBCiUcPClz3SZ6618= github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoXLtmE3I0PLs= github.com/package-url/packageurl-go v0.1.3/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0= +github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8= +github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM= +github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 
h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI= @@ -912,8 +968,16 @@ github.com/rubenv/sql-migrate v1.7.0 h1:HtQq1xyTN2ISmQDggnh0c9U3JlP8apWh8YO2jzlX github.com/rubenv/sql-migrate v1.7.0/go.mod h1:S4wtDEG1CKn+0ShpTtzWhFpHHI5PvCUtiGI+C+Z2THE= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6keLGt6kNQ= +github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4= +github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE= +github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ= github.com/samber/lo v1.47.0 h1:z7RynLwP5nbyRscyvcD043DWYoOcYRv3mV8lBeqOCLc= github.com/samber/lo v1.47.0/go.mod h1:RmDH9Ct32Qy3gduHQuKJ3gW1fMHAnE/fAzQuf6He5cU= +github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4= +github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY= +github.com/sassoftware/relic v7.2.1+incompatible h1:Pwyh1F3I0r4clFJXkSI8bOyJINGqpgjJU3DYAZeI05A= +github.com/sassoftware/relic v7.2.1+incompatible/go.mod h1:CWfAxv73/iLZ17rbyhIEq3K9hs5w6FpNMdUT//qR+zk= github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbmfHkLguCE9laoZCUzEEpIZXA= github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU= github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8= 
@@ -926,25 +990,35 @@ github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFt github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ= github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k= github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME= +github.com/sigstore/cosign/v2 v2.2.4 h1:iY4vtEacmu2hkNj1Fh+8EBqBwKs2DHM27/lbNWDFJro= +github.com/sigstore/cosign/v2 v2.2.4/go.mod h1:JZlRD2uaEjVAvZ1XJ3QkkZJhTqSDVtLaet+C/TMR81Y= github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8= github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc= github.com/sigstore/sigstore v1.8.3 h1:G7LVXqL+ekgYtYdksBks9B38dPoIsbscjQJX/MGWkA4= github.com/sigstore/sigstore v1.8.3/go.mod h1:mqbTEariiGA94cn6G3xnDiV6BD8eSLdL/eA7bvJ0fVs= +github.com/sigstore/timestamp-authority v1.2.2 h1:X4qyutnCQqJ0apMewFyx+3t7Tws00JQ/JonBiu3QvLE= +github.com/sigstore/timestamp-authority v1.2.2/go.mod h1:nEah4Eq4wpliDjlY342rXclGSO7Kb9hoRrl9tqLW13A= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/skeema/knownhosts v1.2.2 h1:Iug2P4fLmDw9f41PB6thxUkNUkJzB5i+1/exaj40L3A= github.com/skeema/knownhosts v1.2.2/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo= +github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo= +github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spdx/tools-golang v0.5.5 h1:61c0KLfAcNqAjlg6UNMdkwpMernhw3zVRwDZ2x9XOmk= 
github.com/spdx/tools-golang v0.5.5/go.mod h1:MVIsXx8ZZzaRWNQpUDhC4Dud34edUYJYecciXgrw5vE= +github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= +github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w= github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI= +github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= 
@@ -962,12 +1036,22 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= +github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= +github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d h1:vfofYNRScrDdvS342BElfbETmL1Aiz3i2t0zfRj16Hs= +github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d/go.mod h1:RRCYJbIwD5jmqPI9XoAFR0OcDxqUctll6zUj/+B4S48= github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= +github.com/terminalstatic/go-xsd-validate v0.1.5 h1:RqpJnf6HGE2CB/lZB1A8BYguk8uRtcvYAPLCF15qguo= +github.com/terminalstatic/go-xsd-validate v0.1.5/go.mod h1:18lsvYFofBflqCrvo1umpABZ99+GneNTw2kEEc8UPJw= github.com/testcontainers/testcontainers-go v0.33.0 h1:zJS9PfXYT5O0ZFXM2xxXfk4J5UMw/kRiISng037Gxdw= github.com/testcontainers/testcontainers-go v0.33.0/go.mod h1:W80YpTa8D5C3Yy16icheD01UTDu+LmXIA2Keo+jWtT8= github.com/testcontainers/testcontainers-go/modules/localstack v0.33.0 h1:AhbUGUjneEnMyTV5aTsPYzDiAWrba1duPtiV+Z9CKdY= github.com/testcontainers/testcontainers-go/modules/localstack v0.33.0/go.mod h1:J5vMq1fXXiTfwcJplMClHhn+j8+MbIMv7Lic4d9E8qU= +github.com/tetratelabs/wazero v1.8.0 h1:iEKu0d4c2Pd+QSRieYbnQC9yiFlMS9D+Jr0LsRmcF4g= +github.com/tetratelabs/wazero v1.8.0/go.mod h1:yAI0XTsMBhREkM/YDAK/zNou3GoiAce1P6+rp/wQhjs= +github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI= +github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug= 
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/tklauser/go-sysconf v0.3.13 h1:GBUpcahXSpR2xN01jhkNAbTLRk2Yzgggk8IM08lq3r4= @@ -976,6 +1060,10 @@ github.com/tklauser/numcpus v0.7.0 h1:yjuerZP127QG9m5Zh/mSO4wqurYil27tHrqwRoRjpr github.com/tklauser/numcpus v0.7.0/go.mod h1:bb6dMVcj8A42tSE7i32fsIUCbQNllK5iDguyOZRUzAY= github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4 h1:7I5c2Ig/5FgqkYOh/N87NzoyI9U15qUPXhDD8uCupv8= github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4/go.mod h1:278M4p8WsNh3n4a1eqiFcV2FGk7wE5fwUpUom9mK9lE= +github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4= +github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A= +github.com/twitchtv/twirp v8.1.3+incompatible h1:+F4TdErPgSUbMZMwp13Q/KgDVuI7HJXP61mNV3/7iuU= +github.com/twitchtv/twirp v8.1.3+incompatible/go.mod h1:RRJoFSAmTEh2weEqWtpPE3vFK5YBhA6bqp2l1kfCC5A= github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/ulikunitz/xz v0.5.12 h1:37Nm15o69RwBkXM0J6A5OlE67RZTfzUxTj8fB3dfcsc= github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= 
@@ -1080,6 +1168,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= +golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa h1:FRnLl4eNAQl8hwxVVC17teOw8kdjVDVAiFMtgUdTSRQ= +golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= @@ -1591,6 +1681,8 @@ gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/cheggaaa/pb.v1 v1.0.27/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= +gopkg.in/cheggaaa/pb.v1 v1.0.28 h1:n1tBJnnK2r7g9OW2btFH91V92STTUevLXYFb8gy9EMk= +gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= 
@@ -1598,6 +1690,8 @@ gopkg.in/go-jose/go-jose.v2 v2.6.3 h1:nt80fvSDlhKWQgSWyHyy5CfmlQr+asih51R8PTWNKK gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= +gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME= gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= diff --git a/render/render.go b/render/render.go index 8c17ec1..d86c3b0 100644 --- a/render/render.go +++ b/render/render.go @@ -6,6 +6,7 @@ import ( "os" "text/template" + k8s "github.com/aquasecurity/trivy/pkg/k8s/report" "github.com/aquasecurity/trivy/pkg/types" "golang.org/x/xerrors" ) @@ -14,11 +15,22 @@ import ( var htmlTmpl []byte func Render(fileName string, inputData []byte) error { + var kubernetes k8s.Report var report types.Report + + if err := json.Unmarshal(inputData, &kubernetes); err != nil { + return xerrors.Errorf("error decoding body: %v\n", err) + } + if err := json.Unmarshal(inputData, &report); err != nil { return xerrors.Errorf("error decoding body: %v\n", err) } + results := report.Results + for _, resource := range kubernetes.Resources { + results = append(results, resource.Results...) + } + tmpl, err := template.New("temp").Parse(string(htmlTmpl)) if err != nil { return xerrors.Errorf("error parsing template: %v\n", err) @@ -30,7 +42,7 @@ func Render(fileName string, inputData []byte) error { } defer output.Close() - if err := tmpl.Execute(output, report); err != nil { + if err = tmpl.Execute(output, results); err != nil { return xerrors.Errorf("error executing template: %v\n", err) } 
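Review bot: The kubernetes results merged at `results = append(results, resource.Results...)` carry resource names and check messages into a template that this file parses with `text/template` (visible as a context line of the import hunk), which performs no HTML escaping, so a target or message containing `<` or `&` is written verbatim into the report; the golden output confirms the raw path, since the apostrophes in `ClusterRole 'admin'` arrive unescaped. Switching the import to `"html/template"` is a one-line change, with the caveat that contextual escaping will alter quotes in the existing golden files, which would then need regenerating. Separately, both `json.Unmarshal` calls fail with the identical text `error decoding body`, so a decode failure cannot be attributed to the kubernetes or the plain report shape; `return xerrors.Errorf("error decoding kubernetes report: %v\n", err)` for the first call would keep the file's message style while telling them apart. Decoding the same bytes into both shapes also means input matching neither renders as an empty report with no signal, which may be intended given the existing empty-input test but is worth a comment above `var kubernetes k8s.Report`. Render's closing lines fall outside the last hunk.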
diff --git a/render/render_test.go b/render/render_test.go index d0b3d02..a04308d 100644 --- a/render/render_test.go +++ b/render/render_test.go @@ -22,6 +22,11 @@ func TestRender(t *testing.T) { jsonPath: "testdata/input/happy.json", goldenPath: "testdata/golden/happy.html", }, + { + name: "happy k8s", + jsonPath: "testdata/input/happy-k8s.json", + goldenPath: "testdata/golden/happy-k8s.html", + }, { name: "happy empty", jsonPath: "testdata/input/empty.json", diff --git a/render/template/html.tpl b/render/template/html.tpl index 27a42f3..36f3b36 100644 --- a/render/template/html.tpl +++ b/render/template/html.tpl @@ -490,8 +490,8 @@
-{{- if .Results }} -

Trivy Report - {{ ( index .Results 0 ).Target }} +{{- if . }} +

Trivy Report - {{ ( index . 0 ).Target }}

-{{- range .Results }} +{{- range . }} {{- if or .Vulnerabilities .Misconfigurations .Secrets}}

{{ .Target}}

diff --git a/render/testdata/golden/happy-k8s.html b/render/testdata/golden/happy-k8s.html new file mode 100644 index 0000000..92d862e --- /dev/null +++ b/render/testdata/golden/happy-k8s.html @@ -0,0 +1,17141 @@ + + + + + + Trivy Report + + + + + + + + +
+

Trivy Report - ClusterRole/admin +

+
+ +
+
+

ClusterRole/admin

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV041Manage secretsCRITICALClusterRole 'admin' shouldn't have access to manage resource 'secrets' +
+ https://avd.aquasec.com/misconfig/ksv041 +
+
Kubernetes Security CheckKSV041Manage secretsCRITICALClusterRole 'admin' shouldn't have access to manage resource 'secrets' +
+ https://avd.aquasec.com/misconfig/ksv041 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'admin' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'admin' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'admin' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'admin' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'admin' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV049Manage configmapsMEDIUMClusterRole 'admin' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv049 +
+
Kubernetes Security CheckKSV050Manage Kubernetes RBAC resourcesCRITICALClusterRole 'admin' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv050 +
+
Kubernetes Security CheckKSV053Exec into PodsHIGHClusterRole 'admin' should not have access to resource '["pods/exec"]' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv053 +
+
Kubernetes Security CheckKSV056Manage Kubernetes networkingHIGHClusterRole 'admin' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv056 +
+
Kubernetes Security CheckKSV056Manage Kubernetes networkingHIGHClusterRole 'admin' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv056 +
+
Kubernetes Security CheckKSV056Manage Kubernetes networkingHIGHClusterRole 'admin' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv056 +
+
+
+

ClusterRole/cluster-admin

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV044No wildcard verb and resource rolesCRITICALRole permits wildcard verb on wildcard resource +
+ https://avd.aquasec.com/misconfig/ksv044 +
+
Kubernetes Security CheckKSV046Manage all resourcesCRITICALClusterRole 'cluster-admin' shouldn't manage all resources +
+ https://avd.aquasec.com/misconfig/ksv046 +
+
+
+

ClusterRole/edit

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV041Manage secretsCRITICALClusterRole 'edit' shouldn't have access to manage resource 'secrets' +
+ https://avd.aquasec.com/misconfig/ksv041 +
+
Kubernetes Security CheckKSV041Manage secretsCRITICALClusterRole 'edit' shouldn't have access to manage resource 'secrets' +
+ https://avd.aquasec.com/misconfig/ksv041 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'edit' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'edit' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'edit' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'edit' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'edit' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV049Manage configmapsMEDIUMClusterRole 'edit' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv049 +
+
Kubernetes Security CheckKSV053Exec into PodsHIGHClusterRole 'edit' should not have access to resource '["pods/exec"]' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv053 +
+
Kubernetes Security CheckKSV056Manage Kubernetes networkingHIGHClusterRole 'edit' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv056 +
+
Kubernetes Security CheckKSV056Manage Kubernetes networkingHIGHClusterRole 'edit' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv056 +
+
Kubernetes Security CheckKSV056Manage Kubernetes networkingHIGHClusterRole 'edit' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv056 +
+
+
+

ClusterRole/local-path-provisioner-role

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV045No wildcard verb rolesCRITICALRole permits wildcard verb on specific resources +
+ https://avd.aquasec.com/misconfig/ksv045 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'local-path-provisioner-role' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV056Manage Kubernetes networkingHIGHClusterRole 'local-path-provisioner-role' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv056 +
+
+
+

ClusterRole/system:aggregate-to-admin

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV050Manage Kubernetes RBAC resourcesCRITICALClusterRole 'system:aggregate-to-admin' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv050 +
+
+
+

ClusterRole/system:aggregate-to-edit

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV041Manage secretsCRITICALClusterRole 'system:aggregate-to-edit' shouldn't have access to manage resource 'secrets' +
+ https://avd.aquasec.com/misconfig/ksv041 +
+
Kubernetes Security CheckKSV041Manage secretsCRITICALClusterRole 'system:aggregate-to-edit' shouldn't have access to manage resource 'secrets' +
+ https://avd.aquasec.com/misconfig/ksv041 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:aggregate-to-edit' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:aggregate-to-edit' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:aggregate-to-edit' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:aggregate-to-edit' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:aggregate-to-edit' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV049Manage configmapsMEDIUMClusterRole 'system:aggregate-to-edit' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv049 +
+
Kubernetes Security CheckKSV053Exec into PodsHIGHClusterRole 'system:aggregate-to-edit' should not have access to resource '["pods/exec"]' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv053 +
+
Kubernetes Security CheckKSV056Manage Kubernetes networkingHIGHClusterRole 'system:aggregate-to-edit' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv056 +
+
Kubernetes Security CheckKSV056Manage Kubernetes networkingHIGHClusterRole 'system:aggregate-to-edit' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv056 +
+
Kubernetes Security CheckKSV056Manage Kubernetes networkingHIGHClusterRole 'system:aggregate-to-edit' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv056 +
+
+
+

ClusterRole/system:controller:cronjob-controller

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:controller:cronjob-controller' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:controller:cronjob-controller' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:controller:cronjob-controller' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
+
+

ClusterRole/system:controller:daemon-set-controller

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:controller:daemon-set-controller' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
+
+

ClusterRole/system:controller:deployment-controller

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:controller:deployment-controller' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:controller:deployment-controller' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:controller:deployment-controller' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
+
+

ClusterRole/system:controller:endpoint-controller

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV056Manage Kubernetes networkingHIGHClusterRole 'system:controller:endpoint-controller' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv056 +
+
+
+

ClusterRole/system:controller:endpointslice-controller

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV056Manage Kubernetes networkingHIGHClusterRole 'system:controller:endpointslice-controller' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv056 +
+
+
+

ClusterRole/system:controller:endpointslicemirroring-controller

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV056Manage Kubernetes networkingHIGHClusterRole 'system:controller:endpointslicemirroring-controller' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv056 +
+
+
+

ClusterRole/system:controller:expand-controller

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV041Manage secretsCRITICALClusterRole 'system:controller:expand-controller' shouldn't have access to manage resource 'secrets' +
+ https://avd.aquasec.com/misconfig/ksv041 +
+
+
+

ClusterRole/system:controller:generic-garbage-collector

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV046Manage all resourcesCRITICALClusterRole 'system:controller:generic-garbage-collector' shouldn't manage all resources +
+ https://avd.aquasec.com/misconfig/ksv046 +
+
+
+

ClusterRole/system:controller:horizontal-pod-autoscaler

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV046Manage all resourcesCRITICALClusterRole 'system:controller:horizontal-pod-autoscaler' shouldn't manage all resources +
+ https://avd.aquasec.com/misconfig/ksv046 +
+
Kubernetes Security CheckKSV046Manage all resourcesCRITICALClusterRole 'system:controller:horizontal-pod-autoscaler' shouldn't manage all resources +
+ https://avd.aquasec.com/misconfig/ksv046 +
+
+
+

ClusterRole/system:controller:job-controller

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:controller:job-controller' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:controller:job-controller' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
+
+

ClusterRole/system:controller:legacy-service-account-token-cleaner

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV041Manage secretsCRITICALClusterRole 'system:controller:legacy-service-account-token-cleaner' shouldn't have access to manage resource 'secrets' +
+ https://avd.aquasec.com/misconfig/ksv041 +
+
+
+

ClusterRole/system:controller:namespace-controller

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV046Manage all resourcesCRITICALClusterRole 'system:controller:namespace-controller' shouldn't manage all resources +
+ https://avd.aquasec.com/misconfig/ksv046 +
+
+
+

ClusterRole/system:controller:node-controller

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:controller:node-controller' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
+
+

ClusterRole/system:controller:persistent-volume-binder

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV041Manage secretsCRITICALClusterRole 'system:controller:persistent-volume-binder' shouldn't have access to manage resource 'secrets' +
+ https://avd.aquasec.com/misconfig/ksv041 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:controller:persistent-volume-binder' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV056Manage Kubernetes networkingHIGHClusterRole 'system:controller:persistent-volume-binder' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv056 +
+
Kubernetes Security CheckKSV056Manage Kubernetes networkingHIGHClusterRole 'system:controller:persistent-volume-binder' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv056 +
+
+
+

ClusterRole/system:controller:pod-garbage-collector

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:controller:pod-garbage-collector' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
+
+

ClusterRole/system:controller:replicaset-controller

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:controller:replicaset-controller' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:controller:replicaset-controller' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
+
+

ClusterRole/system:controller:replication-controller

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:controller:replication-controller' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:controller:replication-controller' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
+
+

ClusterRole/system:controller:resourcequota-controller

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV046Manage all resourcesCRITICALClusterRole 'system:controller:resourcequota-controller' shouldn't manage all resources +
+ https://avd.aquasec.com/misconfig/ksv046 +
+
+
+

ClusterRole/system:controller:root-ca-cert-publisher

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV049Manage configmapsMEDIUMClusterRole 'system:controller:root-ca-cert-publisher' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv049 +
+
+
+

ClusterRole/system:controller:statefulset-controller

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:controller:statefulset-controller' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
+
+

ClusterRole/system:controller:ttl-after-finished-controller

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:controller:ttl-after-finished-controller' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
+
+

ClusterRole/system:kube-controller-manager

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV041Manage secretsCRITICALClusterRole 'system:kube-controller-manager' shouldn't have access to manage resource 'secrets' +
+ https://avd.aquasec.com/misconfig/ksv041 +
+
Kubernetes Security CheckKSV041Manage secretsCRITICALClusterRole 'system:kube-controller-manager' shouldn't have access to manage resource 'secrets' +
+ https://avd.aquasec.com/misconfig/ksv041 +
+
Kubernetes Security CheckKSV041Manage secretsCRITICALClusterRole 'system:kube-controller-manager' shouldn't have access to manage resource 'secrets' +
+ https://avd.aquasec.com/misconfig/ksv041 +
+
Kubernetes Security CheckKSV041Manage secretsCRITICALClusterRole 'system:kube-controller-manager' shouldn't have access to manage resource 'secrets' +
+ https://avd.aquasec.com/misconfig/ksv041 +
+
Kubernetes Security CheckKSV046Manage all resourcesCRITICALClusterRole 'system:kube-controller-manager' shouldn't manage all resources +
+ https://avd.aquasec.com/misconfig/ksv046 +
+
+
+

ClusterRole/system:kube-scheduler

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:kube-scheduler' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
+
+

ClusterRole/system:node

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV041Manage secretsCRITICALClusterRole 'system:node' shouldn't have access to manage resource 'secrets' +
+ https://avd.aquasec.com/misconfig/ksv041 +
+
Kubernetes Security CheckKSV048Manage Kubernetes workloads and podsMEDIUMClusterRole 'system:node' should not have access to resources ["pods", "deployments", "jobs", "cronjobs", "statefulsets", "daemonsets", "replicasets", "replicationcontrollers"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv048 +
+
+
+

ClusterRoleBinding/cluster-admin

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV111User with admin accessMEDIUMClusterRoleBinding 'cluster-admin' should not bind to roles ["cluster-admin", "admin", "edit"] +
+ https://avd.aquasec.com/misconfig/ksv111 +
+
+
+

ClusterRoleBinding/kubeadm:cluster-admins

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV111User with admin accessMEDIUMClusterRoleBinding 'kubeadm:cluster-admins' should not bind to roles ["cluster-admin", "admin", "edit"] +
+ https://avd.aquasec.com/misconfig/ksv111 +
+
+
+

NodeInfo/kind-control-plane

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKCV0056Ensure that the container network interface file permissions are set to 600 or more restrictiveHIGHEnsure that the Container Network Interface specification file permissions is set to 600 or more restrictive +
+ https://avd.aquasec.com/misconfig/kcv0056 +
+
Kubernetes Security CheckKCV0059Ensure that the etcd data directory ownership is set to etcd:etcdLOWEnsure that the etcd data directory ownership is set to etcd:etcd +
+ https://avd.aquasec.com/misconfig/kcv0059 +
+
Kubernetes Security CheckKCV0069Ensure that the kubelet service file permissions are set to 600 or more restrictiveHIGHEnsure that the kubelet service file permissions are set to 600 or more restrictive +
+ https://avd.aquasec.com/misconfig/kcv0069 +
+
Kubernetes Security CheckKCV0075Ensure that the certificate authorities file permissions are set to 600 or more restrictiveCRITICALEnsure that the certificate authorities file permissions are set to 600 or more restrictive +
+ https://avd.aquasec.com/misconfig/kcv0075 +
+
Kubernetes Security CheckKCV0077If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictiveHIGHEnsure that if the kubelet refers to a configuration file with the --config argument, that file has permissions of 600 or more restrictive. +
+ https://avd.aquasec.com/misconfig/kcv0077 +
+
+
+

Role/system:controller:bootstrap-signer

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV049Manage configmapsMEDIUMRole 'system:controller:bootstrap-signer' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv049 +
+
+
+

RoleBinding/kubeadm:bootstrap-signer-clusterinfo

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV122Anonymous user access bindingCRITICALRoleBinding 'kubeadm:bootstrap-signer-clusterinfo' should not bind to roles ["system:unauthenticated", "system:anonymous"] +
+ https://avd.aquasec.com/misconfig/ksv122 +
+
+
+

ConfigMap/extension-apiserver-authentication

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckAVD-KSV-01010ConfigMap with sensitive contentMEDIUMConfigMap 'extension-apiserver-authentication' in 'kube-system' namespace stores sensitive contents in key(s) or value(s) '{"requestheader-username-headers"}' +
+ https://avd.aquasec.com/misconfig/avd-ksv-01010 +
+
+
+

DaemonSet/kindnet

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV001Can elevate its own privilegesMEDIUMContainer 'kindnet-cni' of DaemonSet 'kindnet' should set 'securityContext.allowPrivilegeEscalation' to false +
+ https://avd.aquasec.com/misconfig/ksv001 +
+
Kubernetes Security CheckKSV003Default capabilities: some containers do not drop allLOWContainer 'kindnet-cni' of DaemonSet 'kindnet' should add 'ALL' to 'securityContext.capabilities.drop' +
+ https://avd.aquasec.com/misconfig/ksv003 +
+
Kubernetes Security CheckKSV009Access to host networkHIGHDaemonSet 'kindnet' should not set 'spec.template.spec.hostNetwork' to true +
+ https://avd.aquasec.com/misconfig/ksv009 +
+
Kubernetes Security CheckKSV012Runs as root userMEDIUMContainer 'kindnet-cni' of DaemonSet 'kindnet' should set 'securityContext.runAsNonRoot' to true +
+ https://avd.aquasec.com/misconfig/ksv012 +
+
Kubernetes Security CheckKSV014Root file system is not read-onlyHIGHContainer 'kindnet-cni' of DaemonSet 'kindnet' should set 'securityContext.readOnlyRootFilesystem' to true +
+ https://avd.aquasec.com/misconfig/ksv014 +
+
Kubernetes Security CheckKSV020Runs with UID <= 10000LOWContainer 'kindnet-cni' of DaemonSet 'kindnet' should set 'securityContext.runAsUser' > 10000 +
+ https://avd.aquasec.com/misconfig/ksv020 +
+
Kubernetes Security CheckKSV021Runs with GID <= 10000LOWContainer 'kindnet-cni' of DaemonSet 'kindnet' should set 'securityContext.runAsGroup' > 10000 +
+ https://avd.aquasec.com/misconfig/ksv021 +
+
Kubernetes Security CheckKSV022Specific capabilities addedMEDIUMContainer 'kindnet-cni' of DaemonSet 'kindnet' should not set 'securityContext.capabilities.add' +
+ https://avd.aquasec.com/misconfig/ksv022 +
+
Kubernetes Security CheckKSV023hostPath volumes mountedMEDIUMDaemonSet 'kindnet' should not set 'spec.template.volumes.hostPath' +
+ https://avd.aquasec.com/misconfig/ksv023 +
+
Kubernetes Security CheckKSV030Runtime/Default Seccomp profile not setLOWEither Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault' +
+ https://avd.aquasec.com/misconfig/ksv030 +
+
Kubernetes Security CheckKSV037User Pods should not be placed in kube-system namespaceMEDIUMDaemonSet 'kindnet' should not be set with 'kube-system' namespace +
+ https://avd.aquasec.com/misconfig/ksv037 +
+
Kubernetes Security CheckKSV104Seccomp policies disabledMEDIUMcontainer "kindnet-cni" of daemonset "kindnet" in "kube-system" namespace should specify a seccomp profile +
+ https://avd.aquasec.com/misconfig/ksv104 +
+
Kubernetes Security CheckKSV106Container capabilities must only include NET_BIND_SERVICELOWcontainer should drop all +
+ https://avd.aquasec.com/misconfig/ksv106 +
+
Kubernetes Security CheckKSV119NET_RAW capability addedHIGHcontainer kindnet-cni of daemonset kindnet in kube-system namespace should not include 'NET_RAW' in securityContext.capabilities.add +
+ https://avd.aquasec.com/misconfig/ksv119 +
+
+
+

DaemonSet/kube-proxy

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV001Can elevate its own privilegesMEDIUMContainer 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.allowPrivilegeEscalation' to false +
+ https://avd.aquasec.com/misconfig/ksv001 +
+
Kubernetes Security CheckKSV003Default capabilities: some containers do not drop allLOWContainer 'kube-proxy' of DaemonSet 'kube-proxy' should add 'ALL' to 'securityContext.capabilities.drop' +
+ https://avd.aquasec.com/misconfig/ksv003 +
+
Kubernetes Security CheckKSV009Access to host networkHIGHDaemonSet 'kube-proxy' should not set 'spec.template.spec.hostNetwork' to true +
+ https://avd.aquasec.com/misconfig/ksv009 +
+
Kubernetes Security CheckKSV011CPU not limitedLOWContainer 'kube-proxy' of DaemonSet 'kube-proxy' should set 'resources.limits.cpu' +
+ https://avd.aquasec.com/misconfig/ksv011 +
+
Kubernetes Security CheckKSV012Runs as root userMEDIUMContainer 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.runAsNonRoot' to true +
+ https://avd.aquasec.com/misconfig/ksv012 +
+
Kubernetes Security CheckKSV014Root file system is not read-onlyHIGHContainer 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.readOnlyRootFilesystem' to true +
+ https://avd.aquasec.com/misconfig/ksv014 +
+
Kubernetes Security CheckKSV015CPU requests not specifiedLOWContainer 'kube-proxy' of DaemonSet 'kube-proxy' should set 'resources.requests.cpu' +
+ https://avd.aquasec.com/misconfig/ksv015 +
+
Kubernetes Security CheckKSV016Memory requests not specifiedLOWContainer 'kube-proxy' of DaemonSet 'kube-proxy' should set 'resources.requests.memory' +
+ https://avd.aquasec.com/misconfig/ksv016 +
+
Kubernetes Security CheckKSV017PrivilegedHIGHContainer 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.privileged' to false +
+ https://avd.aquasec.com/misconfig/ksv017 +
+
Kubernetes Security CheckKSV018Memory not limitedLOWContainer 'kube-proxy' of DaemonSet 'kube-proxy' should set 'resources.limits.memory' +
+ https://avd.aquasec.com/misconfig/ksv018 +
+
Kubernetes Security CheckKSV020Runs with UID <= 10000LOWContainer 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.runAsUser' > 10000 +
+ https://avd.aquasec.com/misconfig/ksv020 +
+
Kubernetes Security CheckKSV021Runs with GID <= 10000LOWContainer 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.runAsGroup' > 10000 +
+ https://avd.aquasec.com/misconfig/ksv021 +
+
Kubernetes Security CheckKSV023hostPath volumes mountedMEDIUMDaemonSet 'kube-proxy' should not set 'spec.template.volumes.hostPath' +
+ https://avd.aquasec.com/misconfig/ksv023 +
+
Kubernetes Security CheckKSV030Runtime/Default Seccomp profile not setLOWEither Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault' +
+ https://avd.aquasec.com/misconfig/ksv030 +
+
Kubernetes Security CheckKSV037User Pods should not be placed in kube-system namespaceMEDIUMDaemonSet 'kube-proxy' should not be set with 'kube-system' namespace +
+ https://avd.aquasec.com/misconfig/ksv037 +
+
Kubernetes Security CheckKSV104Seccomp policies disabledMEDIUMcontainer "kube-proxy" of daemonset "kube-proxy" in "kube-system" namespace should specify a seccomp profile +
+ https://avd.aquasec.com/misconfig/ksv104 +
+
Kubernetes Security CheckKSV106Container capabilities must only include NET_BIND_SERVICELOWcontainer should drop all +
+ https://avd.aquasec.com/misconfig/ksv106 +
+
+
+

Deployment/coredns

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV011CPU not limitedLOWContainer 'coredns' of Deployment 'coredns' should set 'resources.limits.cpu' +
+ https://avd.aquasec.com/misconfig/ksv011 +
+
Kubernetes Security CheckKSV012Runs as root userMEDIUMContainer 'coredns' of Deployment 'coredns' should set 'securityContext.runAsNonRoot' to true +
+ https://avd.aquasec.com/misconfig/ksv012 +
+
Kubernetes Security CheckKSV020Runs with UID <= 10000LOWContainer 'coredns' of Deployment 'coredns' should set 'securityContext.runAsUser' > 10000 +
+ https://avd.aquasec.com/misconfig/ksv020 +
+
Kubernetes Security CheckKSV021Runs with GID <= 10000LOWContainer 'coredns' of Deployment 'coredns' should set 'securityContext.runAsGroup' > 10000 +
+ https://avd.aquasec.com/misconfig/ksv021 +
+
Kubernetes Security CheckKSV022Specific capabilities addedMEDIUMContainer 'coredns' of Deployment 'coredns' should not set 'securityContext.capabilities.add' +
+ https://avd.aquasec.com/misconfig/ksv022 +
+
Kubernetes Security CheckKSV030Runtime/Default Seccomp profile not setLOWEither Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault' +
+ https://avd.aquasec.com/misconfig/ksv030 +
+
Kubernetes Security CheckKSV037User Pods should not be placed in kube-system namespaceMEDIUMDeployment 'coredns' should not be set with 'kube-system' namespace +
+ https://avd.aquasec.com/misconfig/ksv037 +
+
Kubernetes Security CheckKSV104Seccomp policies disabledMEDIUMcontainer "coredns" of deployment "coredns" in "kube-system" namespace should specify a seccomp profile +
+ https://avd.aquasec.com/misconfig/ksv104 +
+
Kubernetes Security CheckKSV117Prevent binding to privileged portsMEDIUMdeployment coredns in kube-system namespace should not set spec.template.spec.containers.ports.containerPort to less than 1024 +
+ https://avd.aquasec.com/misconfig/ksv117 +
+
+
+

Pod/etcd-kind-control-plane

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV001Can elevate its own privilegesMEDIUMContainer 'etcd' of Pod 'etcd-kind-control-plane' should set 'securityContext.allowPrivilegeEscalation' to false +
+ https://avd.aquasec.com/misconfig/ksv001 +
+
Kubernetes Security CheckKSV003Default capabilities: some containers do not drop allLOWContainer 'etcd' of Pod 'etcd-kind-control-plane' should add 'ALL' to 'securityContext.capabilities.drop' +
+ https://avd.aquasec.com/misconfig/ksv003 +
+
Kubernetes Security CheckKSV009Access to host networkHIGHPod 'etcd-kind-control-plane' should not set 'spec.template.spec.hostNetwork' to true +
+ https://avd.aquasec.com/misconfig/ksv009 +
+
Kubernetes Security CheckKSV011CPU not limitedLOWContainer 'etcd' of Pod 'etcd-kind-control-plane' should set 'resources.limits.cpu' +
+ https://avd.aquasec.com/misconfig/ksv011 +
+
Kubernetes Security CheckKSV012Runs as root userMEDIUMContainer 'etcd' of Pod 'etcd-kind-control-plane' should set 'securityContext.runAsNonRoot' to true +
+ https://avd.aquasec.com/misconfig/ksv012 +
+
Kubernetes Security CheckKSV014Root file system is not read-onlyHIGHContainer 'etcd' of Pod 'etcd-kind-control-plane' should set 'securityContext.readOnlyRootFilesystem' to true +
+ https://avd.aquasec.com/misconfig/ksv014 +
+
Kubernetes Security CheckKSV018Memory not limitedLOWContainer 'etcd' of Pod 'etcd-kind-control-plane' should set 'resources.limits.memory' +
+ https://avd.aquasec.com/misconfig/ksv018 +
+
Kubernetes Security CheckKSV020Runs with UID <= 10000LOWContainer 'etcd' of Pod 'etcd-kind-control-plane' should set 'securityContext.runAsUser' > 10000 +
+ https://avd.aquasec.com/misconfig/ksv020 +
+
Kubernetes Security CheckKSV021Runs with GID <= 10000LOWContainer 'etcd' of Pod 'etcd-kind-control-plane' should set 'securityContext.runAsGroup' > 10000 +
+ https://avd.aquasec.com/misconfig/ksv021 +
+
Kubernetes Security CheckKSV023hostPath volumes mountedMEDIUMPod 'etcd-kind-control-plane' should not set 'spec.template.volumes.hostPath' +
+ https://avd.aquasec.com/misconfig/ksv023 +
+
Kubernetes Security CheckKSV104Seccomp policies disabledMEDIUMcontainer "etcd" of pod "etcd-kind-control-plane" in "kube-system" namespace should specify a seccomp profile +
+ https://avd.aquasec.com/misconfig/ksv104 +
+
Kubernetes Security CheckKSV106Container capabilities must only include NET_BIND_SERVICELOWcontainer should drop all +
+ https://avd.aquasec.com/misconfig/ksv106 +
+
+
+

Pod/kube-apiserver-kind-control-plane

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKCV0001Ensure that the --anonymous-auth argument is set to falseMEDIUMEnsure that the --anonymous-auth argument is set to false +
+ https://avd.aquasec.com/misconfig/kcv0001 +
+
Kubernetes Security CheckKCV0006Ensure that the --kubelet-certificate-authority argument is set as appropriateLOWEnsure that the --kubelet-certificate-authority argument is set as appropriate +
+ https://avd.aquasec.com/misconfig/kcv0006 +
+
Kubernetes Security CheckKCV0010Ensure that the admission control plugin EventRateLimit is setLOWEnsure that the admission control plugin EventRateLimit is set +
+ https://avd.aquasec.com/misconfig/kcv0010 +
+
Kubernetes Security CheckKSV0012Ensure that the admission control plugin AlwaysPullImages is setLOWEnsure that the admission control plugin AlwaysPullImages is set +
+ https://avd.aquasec.com/misconfig/ksv0012 +
+
Kubernetes Security CheckKCV0018Ensure that the --profiling argument is set to falseLOWEnsure that the --profiling argument is set to false +
+ https://avd.aquasec.com/misconfig/kcv0018 +
+
Kubernetes Security CheckKCV0019Ensure that the --audit-log-path argument is setLOWEnsure that the --audit-log-path argument is set +
+ https://avd.aquasec.com/misconfig/kcv0019 +
+
Kubernetes Security CheckKCV0020Ensure that the --audit-log-maxage argument is set to 30 or as appropriateLOWEnsure that the --audit-log-maxage argument is set to 30 or as appropriate +
+ https://avd.aquasec.com/misconfig/kcv0020 +
+
Kubernetes Security CheckKCV0021Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriateLOWEnsure that the --audit-log-maxbackup argument is set to 10 or as appropriate +
+ https://avd.aquasec.com/misconfig/kcv0021 +
+
Kubernetes Security CheckKCV0022Ensure that the --audit-log-maxsize argument is set to 100 or as appropriateLOWEnsure that the --audit-log-maxsize argument is set to 100 or as appropriate +
+ https://avd.aquasec.com/misconfig/kcv0022 +
+
Kubernetes Security CheckKCV0030Ensure that the --encryption-provider-config argument is set as appropriateLOWEnsure that the --encryption-provider-config argument is set as appropriate +
+ https://avd.aquasec.com/misconfig/kcv0030 +
+
Kubernetes Security CheckKSV001Can elevate its own privilegesMEDIUMContainer 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'securityContext.allowPrivilegeEscalation' to false +
+ https://avd.aquasec.com/misconfig/ksv001 +
+
Kubernetes Security CheckKSV003Default capabilities: some containers do not drop allLOWContainer 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should add 'ALL' to 'securityContext.capabilities.drop' +
+ https://avd.aquasec.com/misconfig/ksv003 +
+
Kubernetes Security CheckKSV009Access to host networkHIGHPod 'kube-apiserver-kind-control-plane' should not set 'spec.template.spec.hostNetwork' to true +
+ https://avd.aquasec.com/misconfig/ksv009 +
+
Kubernetes Security CheckKSV011CPU not limitedLOWContainer 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'resources.limits.cpu' +
+ https://avd.aquasec.com/misconfig/ksv011 +
+
Kubernetes Security CheckKSV012Runs as root userMEDIUMContainer 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'securityContext.runAsNonRoot' to true +
+ https://avd.aquasec.com/misconfig/ksv012 +
+
Kubernetes Security CheckKSV014Root file system is not read-onlyHIGHContainer 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'securityContext.readOnlyRootFilesystem' to true +
+ https://avd.aquasec.com/misconfig/ksv014 +
+
Kubernetes Security CheckKSV016Memory requests not specifiedLOWContainer 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'resources.requests.memory' +
+ https://avd.aquasec.com/misconfig/ksv016 +
+
Kubernetes Security CheckKSV018Memory not limitedLOWContainer 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'resources.limits.memory' +
+ https://avd.aquasec.com/misconfig/ksv018 +
+
Kubernetes Security CheckKSV020Runs with UID <= 10000LOWContainer 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'securityContext.runAsUser' > 10000 +
+ https://avd.aquasec.com/misconfig/ksv020 +
+
Kubernetes Security CheckKSV021Runs with GID <= 10000LOWContainer 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'securityContext.runAsGroup' > 10000 +
+ https://avd.aquasec.com/misconfig/ksv021 +
+
Kubernetes Security CheckKSV023hostPath volumes mountedMEDIUMPod 'kube-apiserver-kind-control-plane' should not set 'spec.template.volumes.hostPath' +
+ https://avd.aquasec.com/misconfig/ksv023 +
+
Kubernetes Security CheckKSV104Seccomp policies disabledMEDIUMcontainer "kube-apiserver" of pod "kube-apiserver-kind-control-plane" in "kube-system" namespace should specify a seccomp profile +
+ https://avd.aquasec.com/misconfig/ksv104 +
+
Kubernetes Security CheckKSV106Container capabilities must only include NET_BIND_SERVICELOWcontainer should drop all +
+ https://avd.aquasec.com/misconfig/ksv106 +
+
+
+

Pod/kube-controller-manager-kind-control-plane

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKCV0033Ensure that the --terminated-pod-gc-threshold argument is set as appropriateLOWEnsure that the --terminated-pod-gc-threshold argument is set as appropriate +
+ https://avd.aquasec.com/misconfig/kcv0033 +
+
Kubernetes Security CheckKCV0034Ensure that the --profiling argument is set to falseLOWEnsure that the --profiling argument is set to false +
+ https://avd.aquasec.com/misconfig/kcv0034 +
+
Kubernetes Security CheckKCV0038Ensure that the RotateKubeletServerCertificate argument is set to trueLOWEnsure that the RotateKubeletServerCertificate argument is set to true +
+ https://avd.aquasec.com/misconfig/kcv0038 +
+
Kubernetes Security CheckKSV001Can elevate its own privilegesMEDIUMContainer 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'securityContext.allowPrivilegeEscalation' to false +
+ https://avd.aquasec.com/misconfig/ksv001 +
+
Kubernetes Security CheckKSV003Default capabilities: some containers do not drop allLOWContainer 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should add 'ALL' to 'securityContext.capabilities.drop' +
+ https://avd.aquasec.com/misconfig/ksv003 +
+
Kubernetes Security CheckKSV009Access to host networkHIGHPod 'kube-controller-manager-kind-control-plane' should not set 'spec.template.spec.hostNetwork' to true +
+ https://avd.aquasec.com/misconfig/ksv009 +
+
Kubernetes Security CheckKSV011CPU not limitedLOWContainer 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'resources.limits.cpu' +
+ https://avd.aquasec.com/misconfig/ksv011 +
+
Kubernetes Security CheckKSV012Runs as root userMEDIUMContainer 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'securityContext.runAsNonRoot' to true +
+ https://avd.aquasec.com/misconfig/ksv012 +
+
Kubernetes Security CheckKSV014Root file system is not read-onlyHIGHContainer 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'securityContext.readOnlyRootFilesystem' to true +
+ https://avd.aquasec.com/misconfig/ksv014 +
+
Kubernetes Security CheckKSV016Memory requests not specifiedLOWContainer 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'resources.requests.memory' +
+ https://avd.aquasec.com/misconfig/ksv016 +
+
Kubernetes Security CheckKSV018Memory not limitedLOWContainer 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'resources.limits.memory' +
+ https://avd.aquasec.com/misconfig/ksv018 +
+
Kubernetes Security CheckKSV020Runs with UID <= 10000LOWContainer 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'securityContext.runAsUser' > 10000 +
+ https://avd.aquasec.com/misconfig/ksv020 +
+
Kubernetes Security CheckKSV021Runs with GID <= 10000LOWContainer 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'securityContext.runAsGroup' > 10000 +
+ https://avd.aquasec.com/misconfig/ksv021 +
+
Kubernetes Security CheckKSV023hostPath volumes mountedMEDIUMPod 'kube-controller-manager-kind-control-plane' should not set 'spec.template.volumes.hostPath' +
+ https://avd.aquasec.com/misconfig/ksv023 +
+
Kubernetes Security CheckKSV104Seccomp policies disabledMEDIUMcontainer "kube-controller-manager" of pod "kube-controller-manager-kind-control-plane" in "kube-system" namespace should specify a seccomp profile +
+ https://avd.aquasec.com/misconfig/ksv104 +
+
Kubernetes Security CheckKSV106Container capabilities must only include NET_BIND_SERVICELOWcontainer should drop all +
+ https://avd.aquasec.com/misconfig/ksv106 +
+
+
+

Pod/kube-scheduler-kind-control-plane

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKCV0040Ensure that the --profiling argument is set to falseLOWEnsure that the --profiling argument is set to false +
+ https://avd.aquasec.com/misconfig/kcv0040 +
+
Kubernetes Security CheckKSV001Can elevate its own privilegesMEDIUMContainer 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'securityContext.allowPrivilegeEscalation' to false +
+ https://avd.aquasec.com/misconfig/ksv001 +
+
Kubernetes Security CheckKSV003Default capabilities: some containers do not drop allLOWContainer 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should add 'ALL' to 'securityContext.capabilities.drop' +
+ https://avd.aquasec.com/misconfig/ksv003 +
+
Kubernetes Security CheckKSV009Access to host networkHIGHPod 'kube-scheduler-kind-control-plane' should not set 'spec.template.spec.hostNetwork' to true +
+ https://avd.aquasec.com/misconfig/ksv009 +
+
Kubernetes Security CheckKSV011CPU not limitedLOWContainer 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'resources.limits.cpu' +
+ https://avd.aquasec.com/misconfig/ksv011 +
+
Kubernetes Security CheckKSV012Runs as root userMEDIUMContainer 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'securityContext.runAsNonRoot' to true +
+ https://avd.aquasec.com/misconfig/ksv012 +
+
Kubernetes Security CheckKSV014Root file system is not read-onlyHIGHContainer 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'securityContext.readOnlyRootFilesystem' to true +
+ https://avd.aquasec.com/misconfig/ksv014 +
+
Kubernetes Security CheckKSV016Memory requests not specifiedLOWContainer 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'resources.requests.memory' +
+ https://avd.aquasec.com/misconfig/ksv016 +
+
Kubernetes Security CheckKSV018Memory not limitedLOWContainer 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'resources.limits.memory' +
+ https://avd.aquasec.com/misconfig/ksv018 +
+
Kubernetes Security CheckKSV020Runs with UID <= 10000LOWContainer 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'securityContext.runAsUser' > 10000 +
+ https://avd.aquasec.com/misconfig/ksv020 +
+
Kubernetes Security CheckKSV021Runs with GID <= 10000LOWContainer 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'securityContext.runAsGroup' > 10000 +
+ https://avd.aquasec.com/misconfig/ksv021 +
+
Kubernetes Security CheckKSV023hostPath volumes mountedMEDIUMPod 'kube-scheduler-kind-control-plane' should not set 'spec.template.volumes.hostPath' +
+ https://avd.aquasec.com/misconfig/ksv023 +
+
Kubernetes Security CheckKSV104Seccomp policies disabledMEDIUMcontainer "kube-scheduler" of pod "kube-scheduler-kind-control-plane" in "kube-system" namespace should specify a seccomp profile +
+ https://avd.aquasec.com/misconfig/ksv104 +
+
Kubernetes Security CheckKSV106Container capabilities must only include NET_BIND_SERVICELOWcontainer should drop all +
+ https://avd.aquasec.com/misconfig/ksv106 +
+
+
+

Role/system::leader-locking-kube-controller-manager

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV049Manage configmapsMEDIUMRole 'system::leader-locking-kube-controller-manager' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv049 +
+
+
+

Role/system::leader-locking-kube-scheduler

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV049Manage configmapsMEDIUMRole 'system::leader-locking-kube-scheduler' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv049 +
+
+
+

Role/system:controller:bootstrap-signer

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV113Manage namespace secretsMEDIUMRole 'system:controller:bootstrap-signer' shouldn't have access to manage secrets in namespace 'kube-system' +
+ https://avd.aquasec.com/misconfig/ksv113 +
+
+
+

Role/system:controller:cloud-provider

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV049Manage configmapsMEDIUMRole 'system:controller:cloud-provider' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] +
+ https://avd.aquasec.com/misconfig/ksv049 +
+
+
+

Role/system:controller:token-cleaner

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV113Manage namespace secretsMEDIUMRole 'system:controller:token-cleaner' shouldn't have access to manage secrets in namespace 'kube-system' +
+ https://avd.aquasec.com/misconfig/ksv113 +
+
+
+

Service/kube-dns

+
+ + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV037User Pods should not be placed in kube-system namespaceMEDIUMService 'kube-dns' should not be set with 'kube-system' namespace +
+ https://avd.aquasec.com/misconfig/ksv037 +
+
+
+

Deployment/local-path-provisioner

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type + + + + Misconf ID + + + + Check + + + + Severity + + + + Message + + + +
Kubernetes Security CheckKSV001Can elevate its own privilegesMEDIUMContainer 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'securityContext.allowPrivilegeEscalation' to false +
+ https://avd.aquasec.com/misconfig/ksv001 +
+
Kubernetes Security CheckKSV003Default capabilities: some containers do not drop allLOWContainer 'local-path-provisioner' of Deployment 'local-path-provisioner' should add 'ALL' to 'securityContext.capabilities.drop' +
+ https://avd.aquasec.com/misconfig/ksv003 +
+
Kubernetes Security CheckKSV011CPU not limitedLOWContainer 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'resources.limits.cpu' +
+ https://avd.aquasec.com/misconfig/ksv011 +
+
Kubernetes Security CheckKSV012Runs as root userMEDIUMContainer 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'securityContext.runAsNonRoot' to true +
+ https://avd.aquasec.com/misconfig/ksv012 +
+
Kubernetes Security CheckKSV014Root file system is not read-onlyHIGHContainer 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'securityContext.readOnlyRootFilesystem' to true +
+ https://avd.aquasec.com/misconfig/ksv014 +
+
Kubernetes Security CheckKSV015CPU requests not specifiedLOWContainer 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'resources.requests.cpu' +
+ https://avd.aquasec.com/misconfig/ksv015 +
+
Kubernetes Security CheckKSV016Memory requests not specifiedLOWContainer 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'resources.requests.memory' +
+ https://avd.aquasec.com/misconfig/ksv016 +
+
Kubernetes Security CheckKSV018Memory not limitedLOWContainer 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'resources.limits.memory' +
+ https://avd.aquasec.com/misconfig/ksv018 +
+
Kubernetes Security CheckKSV020Runs with UID <= 10000LOWContainer 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'securityContext.runAsUser' > 10000 +
+ https://avd.aquasec.com/misconfig/ksv020 +
+
Kubernetes Security CheckKSV021Runs with GID <= 10000LOWContainer 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'securityContext.runAsGroup' > 10000 +
+ https://avd.aquasec.com/misconfig/ksv021 +
+
Kubernetes Security CheckKSV030Runtime/Default Seccomp profile not setLOWEither Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault' +
+ https://avd.aquasec.com/misconfig/ksv030 +
+
Kubernetes Security CheckKSV104Seccomp policies disabledMEDIUMcontainer "local-path-provisioner" of deployment "local-path-provisioner" in "local-path-storage" namespace should specify a seccomp profile +
+ https://avd.aquasec.com/misconfig/ksv104 +
+
Kubernetes Security CheckKSV106Container capabilities must only include NET_BIND_SERVICELOWcontainer should drop all +
+ https://avd.aquasec.com/misconfig/ksv106 +
+
+
+

registry.k8s.io/coredns/coredns:v1.11.3 (debian 11.10)

+
+ + + + + + + + + + + + + + + + + + + + + +
Package + + + + Vulnerability ID + + + + Severity + + + + Installed Version + + + + Fixed Version + + + + Links + + + +
tzdataDLA-3972-1UNKNOWN2024a-0+deb11u12024b-0+deb11u1
+
+

Packages

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ID + + + + Name + + + + Version + + + + SrcName + + + + SrcVersion + + + +
base-files@11.1+deb11u10base-files11.1+deb11u10base-files11.1+deb11u10
netbase@6.3netbase6.3netbase6.3
tzdata@2024a-0+deb11u1tzdata2024atzdata2024a
+
+

coredns

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Package + + + + Vulnerability ID + + + + Severity + + + + Installed Version + + + + Fixed Version + + + + Links + + + +
github.com/golang-jwt/jwt/v4CVE-2024-51744LOWv4.5.04.5.1
github.com/quic-go/quic-goCVE-2024-53259MEDIUMv0.44.00.48.2
stdlibCVE-2024-34156HIGHv1.21.111.22.7, 1.23.1
stdlibCVE-2024-24791MEDIUMv1.21.111.21.12, 1.22.5
stdlibCVE-2024-34155MEDIUMv1.21.111.22.7, 1.23.1
stdlibCVE-2024-34158MEDIUMv1.21.111.22.7, 1.23.1
+
+

Packages

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ID + + + + Name + + + + Version + + + + SrcName + + + + SrcVersion + + + +
github.com/coredns/coredns
stdlibv1.21.11
cloud.google.com/go/compute/metadatav0.2.3
github.com/Azure/azure-sdk-for-gov68.0.0+incompatible
github.com/Azure/go-autorest/autorestv0.11.29
github.com/Azure/go-autorest/autorest/adalv0.9.22
github.com/Azure/go-autorest/autorest/azure/authv0.5.13
github.com/Azure/go-autorest/autorest/azure/cliv0.4.6
github.com/Azure/go-autorest/autorest/datev0.3.0
github.com/Azure/go-autorest/autorest/tov0.2.0
github.com/Azure/go-autorest/loggerv0.2.1
github.com/Azure/go-autorest/tracingv0.6.0
github.com/DataDog/appsec-internal-gov1.5.0
github.com/DataDog/datadog-agent/pkg/obfuscatev0.48.0
github.com/DataDog/datadog-agent/pkg/remoteconfig/statev0.48.1
github.com/DataDog/datadog-go/v5v5.3.0
github.com/DataDog/go-libddwaf/v2v2.4.2
github.com/DataDog/go-tufv1.0.2-0.5.2
github.com/DataDog/sketches-gov1.4.2
github.com/antonmedv/exprv1.15.5
github.com/apparentlymart/go-cidrv1.1.0
github.com/aws/aws-sdk-gov1.54.11
github.com/beorn7/perksv1.0.1
github.com/cespare/xxhash/v2v2.2.0
github.com/coredns/caddyv1.1.1
github.com/coreos/go-semverv0.3.0
github.com/coreos/go-systemd/v22v22.3.2
github.com/davecgh/go-spewv1.1.2-0.20180830191138-d8f796af33cc
github.com/dimchansky/utfbomv1.1.1
github.com/dnstap/golang-dnstapv0.4.0
github.com/dustin/go-humanizev1.0.1
github.com/emicklei/go-restful/v3v3.11.0
github.com/farsightsec/golang-framestreamv0.3.0
github.com/felixge/httpsnoopv1.0.4
github.com/flynn/go-shlexv0.0.0-20150515145356-3f9db97f8568
github.com/go-logr/logrv1.4.1
github.com/go-logr/stdrv1.2.2
github.com/go-openapi/jsonpointerv0.19.6
github.com/go-openapi/jsonreferencev0.20.2
github.com/go-openapi/swagv0.22.3
github.com/gogo/protobufv1.3.2
github.com/golang-jwt/jwt/v4v4.5.0
github.com/golang/groupcachev0.0.0-20210331224755-41bb18bfe9da
github.com/golang/protobufv1.5.4
github.com/google/gnostic-modelsv0.6.8
github.com/google/go-cmpv0.6.0
github.com/google/gofuzzv1.2.0
github.com/google/s2a-gov0.1.7
github.com/google/uuidv1.6.0
github.com/googleapis/enterprise-certificate-proxyv0.3.2
github.com/googleapis/gax-go/v2v2.12.3
github.com/grpc-ecosystem/grpc-opentracingv0.0.0-20180507213350-8e809c8a8645
github.com/hashicorp/errwrapv1.1.0
github.com/hashicorp/go-multierrorv1.1.1
github.com/imdario/mergov0.3.12
github.com/infobloxopen/go-treesv0.0.0-20200715205103-96a057b8dfb9
github.com/jmespath/go-jmespathv0.4.0
github.com/josharian/internv1.0.0
github.com/json-iterator/gov1.1.12
github.com/mailru/easyjsonv0.7.7
github.com/matttproud/golang_protobuf_extensionsv1.0.4
github.com/miekg/dnsv1.1.59
github.com/mitchellh/go-homedirv1.1.0
github.com/modern-go/concurrentv0.0.0-20180306012644-bacd9c7ef1dd
github.com/modern-go/reflect2v1.0.2
github.com/munnerz/goautonegv0.0.0-20191010083416-a7dc8b61c822
github.com/opentracing-contrib/go-observerv0.0.0-20170622124052-a52f23424492
github.com/opentracing/opentracing-gov1.2.0
github.com/openzipkin-contrib/zipkin-go-opentracingv0.5.0
github.com/openzipkin/zipkin-gov0.4.3
github.com/oschwald/geoip2-golangv1.9.0
github.com/oschwald/maxminddb-golangv1.11.0
github.com/outcaste-io/ristrettov0.2.3
github.com/philhofer/fwdv1.1.2
github.com/pkg/errorsv0.9.1
github.com/prometheus/client_golangv1.19.1
github.com/prometheus/client_modelv0.6.1
github.com/prometheus/commonv0.53.0
github.com/prometheus/procfsv0.12.0
github.com/quic-go/quic-gov0.44.0
github.com/secure-systems-lab/go-securesystemslibv0.7.0
github.com/spf13/pflagv1.0.5
github.com/tinylib/msgpv1.1.8
go.etcd.io/etcd/api/v3v3.5.13
go.etcd.io/etcd/client/pkg/v3v3.5.13
go.etcd.io/etcd/client/v3v3.5.13
go.opencensus.iov0.24.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttpv0.49.0
go.opentelemetry.io/otelv1.24.0
go.opentelemetry.io/otel/metricv1.24.0
go.opentelemetry.io/otel/tracev1.24.0
go.uber.org/atomicv1.11.0
go.uber.org/multierrv1.6.0
go.uber.org/zapv1.17.0
golang.org/x/cryptov0.23.0
golang.org/x/expv0.0.0-20240506185415-9bf2ced13842
golang.org/x/netv0.25.0
golang.org/x/oauth2v0.18.0
golang.org/x/sysv0.20.0
golang.org/x/termv0.20.0
golang.org/x/textv0.15.0
golang.org/x/timev0.5.0
golang.org/x/xerrorsv0.0.0-20220907171357-04be3eba64a2
google.golang.org/apiv0.172.0
google.golang.org/genproto/googleapis/apiv0.0.0-20240311132316-a219d84964c2
google.golang.org/genproto/googleapis/rpcv0.0.0-20240415180920-8c6c420018be
google.golang.org/grpcv1.63.2
google.golang.org/protobufv1.33.0
gopkg.in/DataDog/dd-trace-go.v1v1.64.0
gopkg.in/inf.v0v0.9.1
gopkg.in/yaml.v2v2.4.0
gopkg.in/yaml.v3v3.0.1
k8s.io/apiv0.29.3
k8s.io/apimachineryv0.29.3
k8s.io/client-gov0.29.3
k8s.io/klog/v2v2.120.1
k8s.io/kube-openapiv0.0.0-20231010175941-2dd684a91f00
k8s.io/utilsv0.0.0-20230726121419-3b25d923346b
sigs.k8s.io/jsonv0.0.0-20221116044647-bc3834ca7abd
sigs.k8s.io/structured-merge-diff/v4v4.4.1
sigs.k8s.io/yamlv1.3.0
+
+

usr/local/bin/kube-scheduler

+
+ + + + + + + + + + + + + + + + + + + + + +
Package + + + + Vulnerability ID + + + + Severity + + + + Installed Version + + + + Fixed Version + + + + Links + + + +
github.com/opencontainers/runcCVE-2024-45310MEDIUMv1.1.131.1.14, 1.2.0-rc.3
+
+

Packages

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ID + + + + Name + + + + Version + + + + SrcName + + + + SrcVersion + + + +
k8s.io/kubernetes
stdlibv1.22.8
github.com/NYTimes/gziphandlerv1.1.1
github.com/antlr4-go/antlr/v4v4.13.0
github.com/asaskevich/govalidatorv0.0.0-20190424111038-f61b66f89f4a
github.com/beorn7/perksv1.0.1
github.com/blang/semver/v4v4.0.0
github.com/cenkalti/backoff/v4v4.3.0
github.com/cespare/xxhash/v2v2.3.0
github.com/coreos/go-semverv0.3.1
github.com/coreos/go-systemd/v22v22.5.0
github.com/davecgh/go-spewv1.1.2-0.20180830191138-d8f796af33cc
github.com/distribution/referencev0.5.0
github.com/emicklei/go-restful/v3v3.11.0
github.com/felixge/httpsnoopv1.0.4
github.com/fsnotify/fsnotifyv1.7.0
github.com/fxamacker/cbor/v2v2.7.0
github.com/go-logr/logrv1.4.2
github.com/go-logr/stdrv1.2.2
github.com/go-logr/zaprv1.3.0
github.com/go-openapi/jsonpointerv0.19.6
github.com/go-openapi/jsonreferencev0.20.2
github.com/go-openapi/swagv0.22.4
github.com/gogo/protobufv1.3.2
github.com/golang/groupcachev0.0.0-20210331224755-41bb18bfe9da
github.com/golang/protobufv1.5.4
github.com/google/cel-gov0.20.1
github.com/google/gnostic-modelsv0.6.8
github.com/google/go-cmpv0.6.0
github.com/google/gofuzzv1.2.0
github.com/google/uuidv1.6.0
github.com/grpc-ecosystem/go-grpc-prometheusv1.2.0
github.com/grpc-ecosystem/grpc-gateway/v2v2.20.0
github.com/imdario/mergov0.3.6
github.com/josharian/internv1.0.0
github.com/json-iterator/gov1.1.12
github.com/mailru/easyjsonv0.7.7
github.com/moby/sys/mountinfov0.7.1
github.com/moby/termv0.5.0
github.com/modern-go/concurrentv0.0.0-20180306012644-bacd9c7ef1dd
github.com/modern-go/reflect2v1.0.2
github.com/munnerz/goautonegv0.0.0-20191010083416-a7dc8b61c822
github.com/opencontainers/go-digestv1.0.0
github.com/opencontainers/runcv1.1.13
github.com/opencontainers/selinuxv1.11.0
github.com/pkg/errorsv0.9.1
github.com/prometheus/client_golangv1.19.1
github.com/prometheus/client_modelv0.6.1
github.com/prometheus/commonv0.55.0
github.com/prometheus/procfsv0.15.1
github.com/spf13/cobrav1.8.1
github.com/spf13/pflagv1.0.5
github.com/stoewer/go-strcasev1.2.0
github.com/x448/float16v0.8.4
go.etcd.io/etcd/api/v3v3.5.14
go.etcd.io/etcd/client/pkg/v3v3.5.14
go.etcd.io/etcd/client/v3v3.5.14
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpcv0.53.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttpv0.53.0
go.opentelemetry.io/otelv1.28.0
go.opentelemetry.io/otel/exporters/otlp/otlptracev1.28.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpcv1.27.0
go.opentelemetry.io/otel/metricv1.28.0
go.opentelemetry.io/otel/sdkv1.28.0
go.opentelemetry.io/otel/tracev1.28.0
go.opentelemetry.io/proto/otlpv1.3.1
go.uber.org/multierrv1.11.0
go.uber.org/zapv1.26.0
golang.org/x/cryptov0.24.0
golang.org/x/expv0.0.0-20230515195305-f3d0a9c9a5cc
golang.org/x/netv0.26.0
golang.org/x/oauth2v0.21.0
golang.org/x/syncv0.7.0
golang.org/x/sysv0.21.0
golang.org/x/termv0.21.0
golang.org/x/textv0.16.0
golang.org/x/timev0.3.0
google.golang.org/genproto/googleapis/apiv0.0.0-20240528184218-531527333157
google.golang.org/genproto/googleapis/rpcv0.0.0-20240701130421-f6361c86f094
google.golang.org/grpcv1.65.0
google.golang.org/protobufv1.34.2
gopkg.in/evanphx/json-patch.v4v4.12.0
gopkg.in/inf.v0v0.9.1
gopkg.in/natefinch/lumberjack.v2v2.2.1
gopkg.in/yaml.v2v2.4.0
gopkg.in/yaml.v3v3.0.1
k8s.io/api
k8s.io/apiextensions-apiserver
k8s.io/apimachinery
k8s.io/apiserver
k8s.io/client-go
k8s.io/cloud-provider
k8s.io/component-base
k8s.io/component-helpers
k8s.io/controller-manager
k8s.io/csi-translation-lib
k8s.io/dynamic-resource-allocation
k8s.io/klog/v2v2.130.1
k8s.io/kms
k8s.io/kube-openapiv0.0.0-20240228011516-70dd3763d340
k8s.io/kube-scheduler
k8s.io/kubelet
k8s.io/mount-utils
k8s.io/utilsv0.0.0-20240711033017-18e509b52bc8
sigs.k8s.io/apiserver-network-proxy/konnectivity-clientv0.30.3
sigs.k8s.io/jsonv0.0.0-20221116044647-bc3834ca7abd
sigs.k8s.io/structured-merge-diff/v4v4.4.1
sigs.k8s.io/yamlv1.4.0
+
+

docker.io/kindest/kindnetd:v20241023-a345ebe4 (debian 12.5)

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Package + + + + Vulnerability ID + + + + Severity + + + + Installed Version + + + + Fixed Version + + + + Links + + + +
coreutilsCVE-2016-2781LOW9.1-1
coreutilsCVE-2017-18018LOW9.1-1
iptablesCVE-2012-2663LOW1.8.9-2
libc6CVE-2010-4756LOW2.36-9+deb12u7
libc6CVE-2018-20796LOW2.36-9+deb12u7
libc6CVE-2019-1010022LOW2.36-9+deb12u7
libc6CVE-2019-1010023LOW2.36-9+deb12u7
libc6CVE-2019-1010024LOW2.36-9+deb12u7
libc6CVE-2019-1010025LOW2.36-9+deb12u7
libc6CVE-2019-9192LOW2.36-9+deb12u7
libip4tc2CVE-2012-2663LOW1.8.9-2
libip6tc2CVE-2012-2663LOW1.8.9-2
libjansson4CVE-2020-36325LOW2.14-2
libssl3CVE-2023-5678MEDIUM3.0.11-1~deb12u23.0.13-1~deb12u1
libssl3CVE-2023-6129MEDIUM3.0.11-1~deb12u23.0.13-1~deb12u1
libssl3CVE-2023-6237MEDIUM3.0.11-1~deb12u23.0.13-1~deb12u1
libssl3CVE-2024-0727MEDIUM3.0.11-1~deb12u23.0.13-1~deb12u1
libssl3CVE-2024-4603MEDIUM3.0.11-1~deb12u23.0.14-1~deb12u1
libssl3CVE-2024-4741MEDIUM3.0.11-1~deb12u23.0.14-1~deb12u1
libssl3CVE-2024-5535MEDIUM3.0.11-1~deb12u23.0.15-1~deb12u1
libssl3CVE-2024-6119MEDIUM3.0.11-1~deb12u23.0.14-1~deb12u2
libssl3CVE-2024-2511LOW3.0.11-1~deb12u23.0.14-1~deb12u1
libssl3CVE-2024-9143LOW3.0.11-1~deb12u23.0.15-1~deb12u1
libxtables12CVE-2012-2663LOW1.8.9-2
+
+

Packages

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ID + + + + Name + + + + Version + + + + SrcName + + + + SrcVersion + + + +
base-files@12.4+deb12u5base-files12.4+deb12u5base-files12.4+deb12u5
conntrack@1:1.4.7-1+b2conntrack1.4.7conntrack-tools1.4.7
coreutils@9.1-1coreutils9.1coreutils9.1
ebtables@2.0.11-5ebtables2.0.11ebtables2.0.11
ipset@7.17-1ipset7.17ipset7.17
iptables@1.8.9-2iptables1.8.9iptables1.8.9
kmod@30+20221128-1kmod30+20221128kmod30+20221128
libbsd0@0.11.7-2libbsd00.11.7libbsd0.11.7
libc6@2.36-9+deb12u7libc62.36glibc2.36
libedit2@3.1-20221030-2libedit23.1-20221030libedit3.1-20221030
libgmp10@2:6.2.1+dfsg1-1.1libgmp106.2.1+dfsg1gmp6.2.1+dfsg1
libip4tc2@1.8.9-2libip4tc21.8.9iptables1.8.9
libip6tc2@1.8.9-2libip6tc21.8.9iptables1.8.9
libipset13@7.17-1libipset137.17ipset7.17
libjansson4@2.14-2libjansson42.14jansson2.14
libkmod2@30+20221128-1libkmod230+20221128kmod30+20221128
libmd0@1.0.4-2libmd01.0.4libmd1.0.4
libmnl0@1.0.4-3libmnl01.0.4libmnl1.0.4
libnetfilter-conntrack3@1.0.9-3libnetfilter-conntrack31.0.9libnetfilter-conntrack1.0.9
libnfnetlink0@1.0.2-2libnfnetlink01.0.2libnfnetlink1.0.2
libnftables1@1.0.6-2+deb12u2libnftables11.0.6nftables1.0.6
libnftnl11@1.2.4-2libnftnl111.2.4libnftnl1.2.4
libpcre2-8-0@10.42-1libpcre2-8-010.42pcre210.42
libssl3@3.0.11-1~deb12u2libssl33.0.11openssl3.0.11
libxtables12@1.8.9-2libxtables121.8.9iptables1.8.9
libzstd1@1.5.4+dfsg2-5libzstd11.5.4+dfsg2libzstd1.5.4+dfsg2
netbase@6.4netbase6.4netbase6.4
nftables@1.0.6-2+deb12u2nftables1.0.6nftables1.0.6
tzdata@2024a-0+deb12u1tzdata2024atzdata2024a
+
+

bin/kindnetd

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Package + + + + Vulnerability ID + + + + Severity + + + + Installed Version + + + + Fixed Version + + + + Links + + + +
stdlibCVE-2024-34156HIGHv1.22.61.22.7, 1.23.1
stdlibCVE-2024-34155MEDIUMv1.22.61.22.7, 1.23.1
stdlibCVE-2024-34158MEDIUMv1.22.61.22.7, 1.23.1
+
+

Packages

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ID + + + + Name + + + + Version + + + + SrcName + + + + SrcVersion + + + +
sigs.k8s.io/kind/images/kindnetd
stdlibv1.22.6
github.com/beorn7/perksv1.0.1
github.com/cespare/xxhash/v2v2.3.0
github.com/coreos/go-iptablesv0.8.0
github.com/davecgh/go-spewv1.1.2-0.20180830191138-d8f796af33cc
github.com/emicklei/go-restful/v3v3.12.1
github.com/florianl/go-nfqueuev1.3.2
github.com/fxamacker/cbor/v2v2.7.0
github.com/go-logr/logrv1.4.2
github.com/go-openapi/jsonpointerv0.21.0
github.com/go-openapi/jsonreferencev0.21.0
github.com/go-openapi/swagv0.23.0
github.com/gogo/protobufv1.3.2
github.com/golang/groupcachev0.0.0-20210331224755-41bb18bfe9da
github.com/golang/protobufv1.5.4
github.com/google/gnostic-modelsv0.6.8
github.com/google/go-cmpv0.6.0
github.com/google/gofuzzv1.2.0
github.com/google/uuidv1.6.0
github.com/josharian/internv1.0.0
github.com/josharian/nativev1.1.0
github.com/json-iterator/gov1.1.12
github.com/mailru/easyjsonv0.7.7
github.com/mdlayher/netlinkv1.7.2
github.com/mdlayher/socketv0.5.1
github.com/modern-go/concurrentv0.0.0-20180306012644-bacd9c7ef1dd
github.com/modern-go/reflect2v1.0.2
github.com/munnerz/goautonegv0.0.0-20191010083416-a7dc8b61c822
github.com/prometheus/client_golangv1.20.5
github.com/prometheus/client_modelv0.6.1
github.com/prometheus/commonv0.60.0
github.com/prometheus/procfsv0.15.1
github.com/vishvananda/netlinkv1.3.0
github.com/vishvananda/netnsv0.0.4
github.com/x448/float16v0.8.4
golang.org/x/netv0.30.0
golang.org/x/oauth2v0.23.0
golang.org/x/syncv0.8.0
golang.org/x/sysv0.26.0
golang.org/x/termv0.25.0
golang.org/x/textv0.19.0
golang.org/x/timev0.7.0
google.golang.org/protobufv1.35.1
gopkg.in/inf.v0v0.9.1
gopkg.in/yaml.v2v2.4.0
gopkg.in/yaml.v3v3.0.1
k8s.io/apiv0.31.1
k8s.io/apimachineryv0.31.1
k8s.io/client-gov0.31.1
k8s.io/klog/v2v2.130.1
k8s.io/kube-openapiv0.0.0-20240903163716-9e1beecbcb38
k8s.io/utilsv0.0.0-20240921022957-49e7df575cb6
sigs.k8s.io/jsonv0.0.0-20221116044647-bc3834ca7abd
sigs.k8s.io/knftablesv0.0.17
sigs.k8s.io/kube-network-policiesv0.6.1-0.20241023163654-4320aa92e3f0
sigs.k8s.io/network-policy-apiv0.1.5
sigs.k8s.io/structured-merge-diff/v4v4.4.1
sigs.k8s.io/yamlv1.4.0
+
+

go-runner

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Package + + + + Vulnerability ID + + + + Severity + + + + Installed Version + + + + Fixed Version + + + + Links + + + +
stdlibCVE-2024-34156HIGHv1.22.41.22.7, 1.23.1
stdlibCVE-2024-24791MEDIUMv1.22.41.21.12, 1.22.5
stdlibCVE-2024-34155MEDIUMv1.22.41.22.7, 1.23.1
stdlibCVE-2024-34158MEDIUMv1.22.41.22.7, 1.23.1
+
+

Packages

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ID + + + + Name + + + + Version + + + + SrcName + + + + SrcVersion + + + +
k8s.io/release/images/build/go-runner
stdlibv1.22.4
+
+

registry.k8s.io/kube-proxy:v1.31.2 (debian 12.7)

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Package + + + + Vulnerability ID + + + + Severity + + + + Installed Version + + + + Fixed Version + + + + Links + + + +
coreutilsCVE-2016-2781LOW9.1-1
coreutilsCVE-2017-18018LOW9.1-1
iptablesCVE-2012-2663LOW1.8.9-2
libc6CVE-2010-4756LOW2.36-9+deb12u8
libc6CVE-2018-20796LOW2.36-9+deb12u8
libc6CVE-2019-1010022LOW2.36-9+deb12u8
libc6CVE-2019-1010023LOW2.36-9+deb12u8
libc6CVE-2019-1010024LOW2.36-9+deb12u8
libc6CVE-2019-1010025LOW2.36-9+deb12u8
libc6CVE-2019-9192LOW2.36-9+deb12u8
libip4tc2CVE-2012-2663LOW1.8.9-2
libip6tc2CVE-2012-2663LOW1.8.9-2
libjansson4CVE-2020-36325LOW2.14-2
libssl3CVE-2024-5535MEDIUM3.0.14-1~deb12u23.0.15-1~deb12u1
libssl3CVE-2024-9143LOW3.0.14-1~deb12u23.0.15-1~deb12u1
libxtables12CVE-2012-2663LOW1.8.9-2
+
+

Packages

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ID + + + + Name + + + + Version + + + + SrcName + + + + SrcVersion + + + +
base-files@12.4+deb12u7base-files12.4+deb12u7base-files12.4+deb12u7
conntrack@1:1.4.7-1+b2conntrack1.4.7conntrack-tools1.4.7
coreutils@9.1-1coreutils9.1coreutils9.1
ebtables@2.0.11-5ebtables2.0.11ebtables2.0.11
ipset@7.17-1ipset7.17ipset7.17
iptables@1.8.9-2iptables1.8.9iptables1.8.9
kmod@30+20221128-1kmod30+20221128kmod30+20221128
libbsd0@0.11.7-2libbsd00.11.7libbsd0.11.7
libc6@2.36-9+deb12u8libc62.36glibc2.36
libedit2@3.1-20221030-2libedit23.1-20221030libedit3.1-20221030
libgmp10@2:6.2.1+dfsg1-1.1libgmp106.2.1+dfsg1gmp6.2.1+dfsg1
libip4tc2@1.8.9-2libip4tc21.8.9iptables1.8.9
libip6tc2@1.8.9-2libip6tc21.8.9iptables1.8.9
libipset13@7.17-1libipset137.17ipset7.17
libjansson4@2.14-2libjansson42.14jansson2.14
libkmod2@30+20221128-1libkmod230+20221128kmod30+20221128
libmd0@1.0.4-2libmd01.0.4libmd1.0.4
libmnl0@1.0.4-3libmnl01.0.4libmnl1.0.4
libnetfilter-conntrack3@1.0.9-3libnetfilter-conntrack31.0.9libnetfilter-conntrack1.0.9
libnfnetlink0@1.0.2-2libnfnetlink01.0.2libnfnetlink1.0.2
libnftables1@1.0.6-2+deb12u2libnftables11.0.6nftables1.0.6
libnftnl11@1.2.4-2libnftnl111.2.4libnftnl1.2.4
libpcre2-8-0@10.42-1libpcre2-8-010.42pcre210.42
libssl3@3.0.14-1~deb12u2libssl33.0.14openssl3.0.14
libxtables12@1.8.9-2libxtables121.8.9iptables1.8.9
libzstd1@1.5.4+dfsg2-5libzstd11.5.4+dfsg2libzstd1.5.4+dfsg2
netbase@6.4netbase6.4netbase6.4
nftables@1.0.6-2+deb12u2nftables1.0.6nftables1.0.6
tzdata@2024a-0+deb12u1tzdata2024atzdata2024a
+
+

usr/local/bin/kube-proxy

+
+ + + + + + + + + + + + + + + + + + + + + +
Package + + + + Vulnerability ID + + + + Severity + + + + Installed Version + + + + Fixed Version + + + + Links + + + +
github.com/opencontainers/runcCVE-2024-45310MEDIUMv1.1.131.1.14, 1.2.0-rc.3
+
+

Packages

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ID + + + + Name + + + + Version + + + + SrcName + + + + SrcVersion + + + +
k8s.io/kubernetes
stdlibv1.22.8
github.com/NYTimes/gziphandlerv1.1.1
github.com/antlr4-go/antlr/v4v4.13.0
github.com/asaskevich/govalidatorv0.0.0-20190424111038-f61b66f89f4a
github.com/beorn7/perksv1.0.1
github.com/blang/semver/v4v4.0.0
github.com/cenkalti/backoff/v4v4.3.0
github.com/cespare/xxhash/v2v2.3.0
github.com/coreos/go-semverv0.3.1
github.com/coreos/go-systemd/v22v22.5.0
github.com/cyphar/filepath-securejoinv0.2.4
github.com/davecgh/go-spewv1.1.2-0.20180830191138-d8f796af33cc
github.com/distribution/referencev0.5.0
github.com/emicklei/go-restful/v3v3.11.0
github.com/felixge/httpsnoopv1.0.4
github.com/fsnotify/fsnotifyv1.7.0
github.com/fxamacker/cbor/v2v2.7.0
github.com/go-logr/logrv1.4.2
github.com/go-logr/stdrv1.2.2
github.com/go-logr/zaprv1.3.0
github.com/go-openapi/jsonpointerv0.19.6
github.com/go-openapi/jsonreferencev0.20.2
github.com/go-openapi/swagv0.22.4
github.com/godbus/dbus/v5v5.1.0
github.com/gogo/protobufv1.3.2
github.com/golang/groupcachev0.0.0-20210331224755-41bb18bfe9da
github.com/golang/protobufv1.5.4
github.com/google/cadvisorv0.49.0
github.com/google/cel-gov0.20.1
github.com/google/gnostic-modelsv0.6.8
github.com/google/go-cmpv0.6.0
github.com/google/gofuzzv1.2.0
github.com/google/uuidv1.6.0
github.com/grpc-ecosystem/go-grpc-prometheusv1.2.0
github.com/grpc-ecosystem/grpc-gateway/v2v2.20.0
github.com/imdario/mergov0.3.6
github.com/josharian/internv1.0.0
github.com/json-iterator/gov1.1.12
github.com/lithammer/dedentv1.1.0
github.com/mailru/easyjsonv0.7.7
github.com/mistifyio/go-zfsv2.1.2-0.20190413222219-f784269be439+incompatible
github.com/moby/ipvsv1.1.0
github.com/moby/sys/mountinfov0.7.1
github.com/modern-go/concurrentv0.0.0-20180306012644-bacd9c7ef1dd
github.com/modern-go/reflect2v1.0.2
github.com/munnerz/goautonegv0.0.0-20191010083416-a7dc8b61c822
github.com/opencontainers/go-digestv1.0.0
github.com/opencontainers/runcv1.1.13
github.com/opencontainers/runtime-specv1.0.3-0.20220909204839-494a5a6aca78
github.com/pkg/errorsv0.9.1
github.com/prometheus/client_golangv1.19.1
github.com/prometheus/client_modelv0.6.1
github.com/prometheus/commonv0.55.0
github.com/prometheus/procfsv0.15.1
github.com/sirupsen/logrusv1.9.3
github.com/spf13/cobrav1.8.1
github.com/spf13/pflagv1.0.5
github.com/stoewer/go-strcasev1.2.0
github.com/vishvananda/netlinkv1.1.0
github.com/vishvananda/netnsv0.0.4
github.com/x448/float16v0.8.4
go.etcd.io/etcd/api/v3v3.5.14
go.etcd.io/etcd/client/pkg/v3v3.5.14
go.etcd.io/etcd/client/v3v3.5.14
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpcv0.53.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttpv0.53.0
go.opentelemetry.io/otelv1.28.0
go.opentelemetry.io/otel/exporters/otlp/otlptracev1.28.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpcv1.27.0
go.opentelemetry.io/otel/metricv1.28.0
go.opentelemetry.io/otel/sdkv1.28.0
go.opentelemetry.io/otel/tracev1.28.0
go.opentelemetry.io/proto/otlpv1.3.1
go.uber.org/multierrv1.11.0
go.uber.org/zapv1.26.0
golang.org/x/cryptov0.24.0
golang.org/x/expv0.0.0-20230515195305-f3d0a9c9a5cc
golang.org/x/netv0.26.0
golang.org/x/oauth2v0.21.0
golang.org/x/syncv0.7.0
golang.org/x/sysv0.21.0
golang.org/x/termv0.21.0
golang.org/x/textv0.16.0
golang.org/x/timev0.3.0
google.golang.org/genproto/googleapis/apiv0.0.0-20240528184218-531527333157
google.golang.org/genproto/googleapis/rpcv0.0.0-20240701130421-f6361c86f094
google.golang.org/grpcv1.65.0
google.golang.org/protobufv1.34.2
gopkg.in/evanphx/json-patch.v4v4.12.0
gopkg.in/inf.v0v0.9.1
gopkg.in/natefinch/lumberjack.v2v2.2.1
gopkg.in/yaml.v2v2.4.0
gopkg.in/yaml.v3v3.0.1
k8s.io/api
k8s.io/apiextensions-apiserver
k8s.io/apimachinery
k8s.io/apiserver
k8s.io/client-go
k8s.io/cloud-provider
k8s.io/component-base
k8s.io/component-helpers
k8s.io/controller-manager
k8s.io/cri-api
k8s.io/cri-client
k8s.io/klog/v2v2.130.1
k8s.io/kms
k8s.io/kube-openapiv0.0.0-20240228011516-70dd3763d340
k8s.io/kube-proxy
k8s.io/kubelet
k8s.io/mount-utils
k8s.io/utilsv0.0.0-20240711033017-18e509b52bc8
sigs.k8s.io/apiserver-network-proxy/konnectivity-clientv0.30.3
sigs.k8s.io/jsonv0.0.0-20221116044647-bc3834ca7abd
sigs.k8s.io/knftablesv0.0.17
sigs.k8s.io/structured-merge-diff/v4v4.4.1
sigs.k8s.io/yamlv1.4.0
+
+

usr/local/bin/kube-apiserver

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Package + + + + Vulnerability ID + + + + Severity + + + + Installed Version + + + + Fixed Version + + + + Links + + + +
github.com/opencontainers/runcCVE-2024-45310MEDIUMv1.1.131.1.14, 1.2.0-rc.3
gopkg.in/square/go-jose.v2CVE-2024-28180MEDIUMv2.6.0
+
+

Packages

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ID + + + + Name + + + + Version + + + + SrcName + + + + SrcVersion + + + +
k8s.io/kubernetes
stdlibv1.22.8
github.com/NYTimes/gziphandlerv1.1.1
github.com/antlr4-go/antlr/v4v4.13.0
github.com/asaskevich/govalidatorv0.0.0-20190424111038-f61b66f89f4a
github.com/beorn7/perksv1.0.1
github.com/blang/semver/v4v4.0.0
github.com/cenkalti/backoff/v4v4.3.0
github.com/cespare/xxhash/v2v2.3.0
github.com/coreos/go-oidcv2.2.1+incompatible
github.com/coreos/go-semverv0.3.1
github.com/coreos/go-systemd/v22v22.5.0
github.com/davecgh/go-spewv1.1.2-0.20180830191138-d8f796af33cc
github.com/distribution/referencev0.5.0
github.com/emicklei/go-restful/v3v3.11.0
github.com/felixge/httpsnoopv1.0.4
github.com/fsnotify/fsnotifyv1.7.0
github.com/fxamacker/cbor/v2v2.7.0
github.com/go-logr/logrv1.4.2
github.com/go-logr/stdrv1.2.2
github.com/go-logr/zaprv1.3.0
github.com/go-openapi/jsonpointerv0.19.6
github.com/go-openapi/jsonreferencev0.20.2
github.com/go-openapi/swagv0.22.4
github.com/gogo/protobufv1.3.2
github.com/golang/groupcachev0.0.0-20210331224755-41bb18bfe9da
github.com/golang/protobufv1.5.4
github.com/google/cel-gov0.20.1
github.com/google/gnostic-modelsv0.6.8
github.com/google/go-cmpv0.6.0
github.com/google/gofuzzv1.2.0
github.com/google/uuidv1.6.0
github.com/gorilla/websocketv1.5.0
github.com/grpc-ecosystem/go-grpc-prometheusv1.2.0
github.com/grpc-ecosystem/grpc-gateway/v2v2.20.0
github.com/imdario/mergov0.3.6
github.com/josharian/internv1.0.0
github.com/json-iterator/gov1.1.12
github.com/mailru/easyjsonv0.7.7
github.com/moby/spdystreamv0.4.0
github.com/moby/sys/mountinfov0.7.1
github.com/moby/termv0.5.0
github.com/modern-go/concurrentv0.0.0-20180306012644-bacd9c7ef1dd
github.com/modern-go/reflect2v1.0.2
github.com/munnerz/goautonegv0.0.0-20191010083416-a7dc8b61c822
github.com/mxk/go-flowratev0.0.0-20140419014527-cca7078d478f
github.com/opencontainers/go-digestv1.0.0
github.com/opencontainers/runcv1.1.13
github.com/opencontainers/selinuxv1.11.0
github.com/pkg/errorsv0.9.1
github.com/pquerna/cachecontrolv0.1.0
github.com/prometheus/client_golangv1.19.1
github.com/prometheus/client_modelv0.6.1
github.com/prometheus/commonv0.55.0
github.com/prometheus/procfsv0.15.1
github.com/robfig/cron/v3v3.0.1
github.com/spf13/cobrav1.8.1
github.com/spf13/pflagv1.0.5
github.com/stoewer/go-strcasev1.2.0
github.com/x448/float16v0.8.4
go.etcd.io/etcd/api/v3v3.5.14
go.etcd.io/etcd/client/pkg/v3v3.5.14
go.etcd.io/etcd/client/v3v3.5.14
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpcv0.53.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttpv0.53.0
go.opentelemetry.io/otelv1.28.0
go.opentelemetry.io/otel/exporters/otlp/otlptracev1.28.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpcv1.27.0
go.opentelemetry.io/otel/metricv1.28.0
go.opentelemetry.io/otel/sdkv1.28.0
go.opentelemetry.io/otel/tracev1.28.0
go.opentelemetry.io/proto/otlpv1.3.1
go.uber.org/multierrv1.11.0
go.uber.org/zapv1.26.0
golang.org/x/cryptov0.24.0
golang.org/x/expv0.0.0-20230515195305-f3d0a9c9a5cc
golang.org/x/netv0.26.0
golang.org/x/oauth2v0.21.0
golang.org/x/syncv0.7.0
golang.org/x/sysv0.21.0
golang.org/x/termv0.21.0
golang.org/x/textv0.16.0
golang.org/x/timev0.3.0
golang.org/x/toolsv0.21.1-0.20240508182429-e35e4ccd0d2d
google.golang.org/genproto/googleapis/apiv0.0.0-20240528184218-531527333157
google.golang.org/genproto/googleapis/rpcv0.0.0-20240701130421-f6361c86f094
google.golang.org/grpcv1.65.0
google.golang.org/protobufv1.34.2
gopkg.in/evanphx/json-patch.v4v4.12.0
gopkg.in/inf.v0v0.9.1
gopkg.in/natefinch/lumberjack.v2v2.2.1
gopkg.in/square/go-jose.v2v2.6.0
gopkg.in/yaml.v2v2.4.0
gopkg.in/yaml.v3v3.0.1
k8s.io/api
k8s.io/apiextensions-apiserver
k8s.io/apimachinery
k8s.io/apiserver
k8s.io/client-go
k8s.io/cloud-provider
k8s.io/cluster-bootstrap
k8s.io/component-base
k8s.io/component-helpers
k8s.io/controller-manager
k8s.io/dynamic-resource-allocation
k8s.io/klog/v2v2.130.1
k8s.io/kms
k8s.io/kube-aggregator
k8s.io/kube-openapiv0.0.0-20240228011516-70dd3763d340
k8s.io/kubelet
k8s.io/mount-utils
k8s.io/pod-security-admission
k8s.io/utilsv0.0.0-20240711033017-18e509b52bc8
sigs.k8s.io/apiserver-network-proxy/konnectivity-clientv0.30.3
sigs.k8s.io/jsonv0.0.0-20221116044647-bc3834ca7abd
sigs.k8s.io/structured-merge-diff/v4v4.4.1
sigs.k8s.io/yamlv1.4.0
+
+

usr/local/bin/kube-controller-manager

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Package + + + + Vulnerability ID + + + + Severity + + + + Installed Version + + + + Fixed Version + + + + Links + + + +
github.com/opencontainers/runcCVE-2024-45310MEDIUMv1.1.131.1.14, 1.2.0-rc.3
gopkg.in/square/go-jose.v2CVE-2024-28180MEDIUMv2.6.0
+
+

Packages

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ID + + + + Name + + + + Version + + + + SrcName + + + + SrcVersion + + + +
k8s.io/kubernetes
stdlibv1.22.8
github.com/NYTimes/gziphandlerv1.1.1
github.com/antlr4-go/antlr/v4v4.13.0
github.com/asaskevich/govalidatorv0.0.0-20190424111038-f61b66f89f4a
github.com/beorn7/perksv1.0.1
github.com/blang/semver/v4v4.0.0
github.com/cenkalti/backoff/v4v4.3.0
github.com/cespare/xxhash/v2v2.3.0
github.com/checkpoint-restore/go-criu/v5v5.3.0
github.com/cilium/ebpfv0.9.1
github.com/container-storage-interface/specv1.9.0
github.com/containerd/consolev1.0.3
github.com/containerd/ttrpcv1.2.2
github.com/coreos/go-oidcv2.2.1+incompatible
github.com/coreos/go-semverv0.3.1
github.com/coreos/go-systemd/v22v22.5.0
github.com/cyphar/filepath-securejoinv0.2.4
github.com/davecgh/go-spewv1.1.2-0.20180830191138-d8f796af33cc
github.com/distribution/referencev0.5.0
github.com/docker/go-unitsv0.5.0
github.com/emicklei/go-restful/v3v3.11.0
github.com/euank/go-kmsg-parserv2.0.0+incompatible
github.com/felixge/httpsnoopv1.0.4
github.com/fsnotify/fsnotifyv1.7.0
github.com/fxamacker/cbor/v2v2.7.0
github.com/go-logr/logrv1.4.2
github.com/go-logr/stdrv1.2.2
github.com/go-logr/zaprv1.3.0
github.com/go-openapi/jsonpointerv0.19.6
github.com/go-openapi/jsonreferencev0.20.2
github.com/go-openapi/swagv0.22.4
github.com/godbus/dbus/v5v5.1.0
github.com/gogo/protobufv1.3.2
github.com/golang/groupcachev0.0.0-20210331224755-41bb18bfe9da
github.com/golang/protobufv1.5.4
github.com/google/cadvisorv0.49.0
github.com/google/cel-gov0.20.1
github.com/google/gnostic-modelsv0.6.8
github.com/google/go-cmpv0.6.0
github.com/google/gofuzzv1.2.0
github.com/google/uuidv1.6.0
github.com/gorilla/websocketv1.5.0
github.com/grpc-ecosystem/go-grpc-prometheusv1.2.0
github.com/grpc-ecosystem/grpc-gateway/v2v2.20.0
github.com/imdario/mergov0.3.6
github.com/josharian/internv1.0.0
github.com/json-iterator/gov1.1.12
github.com/karrick/godirwalkv1.17.0
github.com/libopenstorage/openstoragev1.0.0
github.com/mailru/easyjsonv0.7.7
github.com/mistifyio/go-zfsv2.1.2-0.20190413222219-f784269be439+incompatible
github.com/moby/spdystreamv0.4.0
github.com/moby/sys/mountinfov0.7.1
github.com/moby/termv0.5.0
github.com/modern-go/concurrentv0.0.0-20180306012644-bacd9c7ef1dd
github.com/modern-go/reflect2v1.0.2
github.com/mohae/deepcopyv0.0.0-20170603005431-491d3605edfb
github.com/mrunalp/fileutilsv0.5.1
github.com/munnerz/goautonegv0.0.0-20191010083416-a7dc8b61c822
github.com/mxk/go-flowratev0.0.0-20140419014527-cca7078d478f
github.com/opencontainers/go-digestv1.0.0
github.com/opencontainers/runcv1.1.13
github.com/opencontainers/runtime-specv1.0.3-0.20220909204839-494a5a6aca78
github.com/opencontainers/selinuxv1.11.0
github.com/pkg/errorsv0.9.1
github.com/pquerna/cachecontrolv0.1.0
github.com/prometheus/client_golangv1.19.1
github.com/prometheus/client_modelv0.6.1
github.com/prometheus/commonv0.55.0
github.com/prometheus/procfsv0.15.1
github.com/robfig/cron/v3v3.0.1
github.com/sirupsen/logrusv1.9.3
github.com/spf13/cobrav1.8.1
github.com/spf13/pflagv1.0.5
github.com/stoewer/go-strcasev1.2.0
github.com/syndtr/gocapabilityv0.0.0-20200815063812-42c35b437635
github.com/vishvananda/netlinkv1.1.0
github.com/vishvananda/netnsv0.0.4
github.com/x448/float16v0.8.4
go.etcd.io/etcd/api/v3v3.5.14
go.etcd.io/etcd/client/pkg/v3v3.5.14
go.etcd.io/etcd/client/v3v3.5.14
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpcv0.53.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttpv0.53.0
go.opentelemetry.io/otelv1.28.0
go.opentelemetry.io/otel/exporters/otlp/otlptracev1.28.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpcv1.27.0
go.opentelemetry.io/otel/metricv1.28.0
go.opentelemetry.io/otel/sdkv1.28.0
go.opentelemetry.io/otel/tracev1.28.0
go.opentelemetry.io/proto/otlpv1.3.1
go.uber.org/multierrv1.11.0
go.uber.org/zapv1.26.0
golang.org/x/cryptov0.24.0
golang.org/x/expv0.0.0-20230515195305-f3d0a9c9a5cc
golang.org/x/netv0.26.0
golang.org/x/oauth2v0.21.0
golang.org/x/syncv0.7.0
golang.org/x/sysv0.21.0
golang.org/x/termv0.21.0
golang.org/x/textv0.16.0
golang.org/x/timev0.3.0
golang.org/x/toolsv0.21.1-0.20240508182429-e35e4ccd0d2d
google.golang.org/genproto/googleapis/apiv0.0.0-20240528184218-531527333157
google.golang.org/genproto/googleapis/rpcv0.0.0-20240701130421-f6361c86f094
google.golang.org/grpcv1.65.0
google.golang.org/protobufv1.34.2
gopkg.in/evanphx/json-patch.v4v4.12.0
gopkg.in/inf.v0v0.9.1
gopkg.in/natefinch/lumberjack.v2v2.2.1
gopkg.in/square/go-jose.v2v2.6.0
gopkg.in/yaml.v2v2.4.0
gopkg.in/yaml.v3v3.0.1
k8s.io/api
k8s.io/apiextensions-apiserver
k8s.io/apimachinery
k8s.io/apiserver
k8s.io/client-go
k8s.io/cloud-provider
k8s.io/cluster-bootstrap
k8s.io/component-base
k8s.io/component-helpers
k8s.io/controller-manager
k8s.io/cri-api
k8s.io/cri-client
k8s.io/csi-translation-lib
k8s.io/dynamic-resource-allocation
k8s.io/endpointslice
k8s.io/klog/v2v2.130.1
k8s.io/kms
k8s.io/kube-aggregator
k8s.io/kube-controller-manager
k8s.io/kube-openapiv0.0.0-20240228011516-70dd3763d340
k8s.io/kube-scheduler
k8s.io/kubectl
k8s.io/kubelet
k8s.io/metrics
k8s.io/mount-utils
k8s.io/pod-security-admission
k8s.io/utilsv0.0.0-20240711033017-18e509b52bc8
sigs.k8s.io/apiserver-network-proxy/konnectivity-clientv0.30.3
sigs.k8s.io/jsonv0.0.0-20221116044647-bc3834ca7abd
sigs.k8s.io/structured-merge-diff/v4v4.4.1
sigs.k8s.io/yamlv1.4.0
+
+

usr/local/bin/etcd

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Package + + + + Vulnerability ID + + + + Severity + + + + Installed Version + + + + Fixed Version + + + + Links + + + +
github.com/golang-jwt/jwt/v4CVE-2024-51744LOWv4.4.24.5.1
stdlibCVE-2024-34156HIGHv1.21.121.22.7, 1.23.1
stdlibCVE-2024-34155MEDIUMv1.21.121.22.7, 1.23.1
stdlibCVE-2024-34158MEDIUMv1.21.121.22.7, 1.23.1
+
+

Packages

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ID + + + + Name + + + + Version + + + + SrcName + + + + SrcVersion + + + +
go.etcd.io/etcd/server/v3
stdlibv1.21.12
../api
../client/pkg
../client/v2
../client/v3
../pkg
../raft
github.com/beorn7/perksv1.0.1
github.com/cenkalti/backoff/v4v4.2.1
github.com/cespare/xxhash/v2v2.2.0
github.com/coreos/go-semverv0.3.0
github.com/coreos/go-systemd/v22v22.3.2
github.com/dustin/go-humanizev1.0.0
github.com/go-logr/logrv1.3.0
github.com/go-logr/stdrv1.2.2
github.com/gogo/protobufv1.3.2
github.com/golang-jwt/jwt/v4v4.4.2
github.com/golang/groupcachev0.0.0-20210331224755-41bb18bfe9da
github.com/golang/protobufv1.5.4
github.com/google/btreev1.0.1
github.com/gorilla/websocketv1.4.2
github.com/grpc-ecosystem/go-grpc-middlewarev1.3.0
github.com/grpc-ecosystem/go-grpc-prometheusv1.2.0
github.com/grpc-ecosystem/grpc-gatewayv1.16.0
github.com/grpc-ecosystem/grpc-gateway/v2v2.16.0
github.com/jonboulle/clockworkv0.2.2
github.com/json-iterator/gov1.1.11
github.com/matttproud/golang_protobuf_extensionsv1.0.1
github.com/modern-go/concurrentv0.0.0-20180306012644-bacd9c7ef1dd
github.com/modern-go/reflect2v1.0.1
github.com/prometheus/client_golangv1.11.1
github.com/prometheus/client_modelv0.2.0
github.com/prometheus/commonv0.26.0
github.com/prometheus/procfsv0.6.0
github.com/sirupsen/logrusv1.9.3
github.com/soheilhy/cmuxv0.1.5
github.com/spf13/cobrav1.1.3
github.com/spf13/pflagv1.0.5
github.com/tmc/grpc-websocket-proxyv0.0.0-20201229170055-e5319fda7802
github.com/xiang90/probingv0.0.0-20190116061207-43a291ad63a2
go.etcd.io/bboltv1.3.10
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpcv0.46.0
go.opentelemetry.io/otelv1.20.0
go.opentelemetry.io/otel/exporters/otlp/otlptracev1.20.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpcv1.20.0
go.opentelemetry.io/otel/metricv1.20.0
go.opentelemetry.io/otel/sdkv1.20.0
go.opentelemetry.io/otel/tracev1.20.0
go.opentelemetry.io/proto/otlpv1.0.0
go.uber.org/atomicv1.7.0
go.uber.org/multierrv1.6.0
go.uber.org/zapv1.17.0
golang.org/x/cryptov0.21.0
golang.org/x/netv0.23.0
golang.org/x/sysv0.18.0
golang.org/x/textv0.14.0
golang.org/x/timev0.0.0-20210220033141-f8bda1e9f3ba
google.golang.org/genprotov0.0.0-20230822172742-b8732ec3820d
google.golang.org/genproto/googleapis/apiv0.0.0-20230822172742-b8732ec3820d
google.golang.org/genproto/googleapis/rpcv0.0.0-20230822172742-b8732ec3820d
google.golang.org/grpcv1.59.0
google.golang.org/protobufv1.33.0
gopkg.in/natefinch/lumberjack.v2v2.0.0
gopkg.in/yaml.v2v2.4.0
sigs.k8s.io/yamlv1.2.0
+
+

usr/local/bin/etcd-3.5.15

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Package + + + + Vulnerability ID + + + + Severity + + + + Installed Version + + + + Fixed Version + + + + Links + + + +
github.com/golang-jwt/jwt/v4CVE-2024-51744LOWv4.4.24.5.1
stdlibCVE-2024-34156HIGHv1.21.121.22.7, 1.23.1
stdlibCVE-2024-34155MEDIUMv1.21.121.22.7, 1.23.1
stdlibCVE-2024-34158MEDIUMv1.21.121.22.7, 1.23.1
+
+

Packages

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ID + + + + Name + + + + Version + + + + SrcName + + + + SrcVersion + + + +
go.etcd.io/etcd/server/v3
stdlibv1.21.12
../api
../client/pkg
../client/v2
../client/v3
../pkg
../raft
github.com/beorn7/perksv1.0.1
github.com/cenkalti/backoff/v4v4.2.1
github.com/cespare/xxhash/v2v2.2.0
github.com/coreos/go-semverv0.3.0
github.com/coreos/go-systemd/v22v22.3.2
github.com/dustin/go-humanizev1.0.0
github.com/go-logr/logrv1.3.0
github.com/go-logr/stdrv1.2.2
github.com/gogo/protobufv1.3.2
github.com/golang-jwt/jwt/v4v4.4.2
github.com/golang/groupcachev0.0.0-20210331224755-41bb18bfe9da
github.com/golang/protobufv1.5.4
github.com/google/btreev1.0.1
github.com/gorilla/websocketv1.4.2
github.com/grpc-ecosystem/go-grpc-middlewarev1.3.0
github.com/grpc-ecosystem/go-grpc-prometheusv1.2.0
github.com/grpc-ecosystem/grpc-gatewayv1.16.0
github.com/grpc-ecosystem/grpc-gateway/v2v2.16.0
github.com/jonboulle/clockworkv0.2.2
github.com/json-iterator/gov1.1.11
github.com/matttproud/golang_protobuf_extensionsv1.0.1
github.com/modern-go/concurrentv0.0.0-20180306012644-bacd9c7ef1dd
github.com/modern-go/reflect2v1.0.1
github.com/prometheus/client_golangv1.11.1
github.com/prometheus/client_modelv0.2.0
github.com/prometheus/commonv0.26.0
github.com/prometheus/procfsv0.6.0
github.com/sirupsen/logrusv1.9.3
github.com/soheilhy/cmuxv0.1.5
github.com/spf13/cobrav1.1.3
github.com/spf13/pflagv1.0.5
github.com/tmc/grpc-websocket-proxyv0.0.0-20201229170055-e5319fda7802
github.com/xiang90/probingv0.0.0-20190116061207-43a291ad63a2
go.etcd.io/bboltv1.3.10
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpcv0.46.0
go.opentelemetry.io/otelv1.20.0
go.opentelemetry.io/otel/exporters/otlp/otlptracev1.20.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpcv1.20.0
go.opentelemetry.io/otel/metricv1.20.0
go.opentelemetry.io/otel/sdkv1.20.0
go.opentelemetry.io/otel/tracev1.20.0
go.opentelemetry.io/proto/otlpv1.0.0
go.uber.org/atomicv1.7.0
go.uber.org/multierrv1.6.0
go.uber.org/zapv1.17.0
golang.org/x/cryptov0.21.0
golang.org/x/netv0.23.0
golang.org/x/sysv0.18.0
golang.org/x/textv0.14.0
golang.org/x/timev0.0.0-20210220033141-f8bda1e9f3ba
google.golang.org/genprotov0.0.0-20230822172742-b8732ec3820d
google.golang.org/genproto/googleapis/apiv0.0.0-20230822172742-b8732ec3820d
google.golang.org/genproto/googleapis/rpcv0.0.0-20230822172742-b8732ec3820d
google.golang.org/grpcv1.59.0
google.golang.org/protobufv1.33.0
gopkg.in/natefinch/lumberjack.v2v2.0.0
gopkg.in/yaml.v2v2.4.0
sigs.k8s.io/yamlv1.2.0
+
+

usr/local/bin/etcdctl

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Package + + + + Vulnerability ID + + + + Severity + + + + Installed Version + + + + Fixed Version + + + + Links + + + +
github.com/golang-jwt/jwt/v4CVE-2024-51744LOWv4.4.24.5.1
stdlibCVE-2024-34156HIGHv1.21.121.22.7, 1.23.1
stdlibCVE-2024-34155MEDIUMv1.21.121.22.7, 1.23.1
stdlibCVE-2024-34158MEDIUMv1.21.121.22.7, 1.23.1
+
+

Packages

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ID + + + + Name + + + + Version + + + + SrcName + + + + SrcVersion + + + +
go.etcd.io/etcd/etcdctl/v3
stdlibv1.21.12
../api
../client/pkg
../client/v2
../client/v3
../etcdutl
../pkg
../raft
../server
github.com/beorn7/perksv1.0.1
github.com/bgentry/speakeasyv0.1.0
github.com/cespare/xxhash/v2v2.2.0
github.com/coreos/go-semverv0.3.0
github.com/coreos/go-systemd/v22v22.3.2
github.com/cpuguy83/go-md2man/v2v2.0.0
github.com/dustin/go-humanizev1.0.0
github.com/go-logr/logrv1.3.0
github.com/go-logr/stdrv1.2.2
github.com/gogo/protobufv1.3.2
github.com/golang-jwt/jwt/v4v4.4.2
github.com/golang/protobufv1.5.4
github.com/google/btreev1.0.1
github.com/jonboulle/clockworkv0.2.2
github.com/json-iterator/gov1.1.11
github.com/mattn/go-runewidthv0.0.9
github.com/matttproud/golang_protobuf_extensionsv1.0.1
github.com/modern-go/concurrentv0.0.0-20180306012644-bacd9c7ef1dd
github.com/modern-go/reflect2v1.0.1
github.com/olekukonko/tablewriterv0.0.5
github.com/prometheus/client_golangv1.11.1
github.com/prometheus/client_modelv0.2.0
github.com/prometheus/commonv0.26.0
github.com/prometheus/procfsv0.6.0
github.com/russross/blackfriday/v2v2.0.1
github.com/shurcooL/sanitized_anchor_namev1.0.0
github.com/spf13/cobrav1.1.3
github.com/spf13/pflagv1.0.5
github.com/urfave/cliv1.22.4
github.com/xiang90/probingv0.0.0-20190116061207-43a291ad63a2
go.etcd.io/bboltv1.3.10
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpcv0.46.0
go.opentelemetry.io/otelv1.20.0
go.opentelemetry.io/otel/metricv1.20.0
go.opentelemetry.io/otel/tracev1.20.0
go.uber.org/atomicv1.7.0
go.uber.org/multierrv1.6.0
go.uber.org/zapv1.17.0
golang.org/x/cryptov0.21.0
golang.org/x/netv0.23.0
golang.org/x/sysv0.18.0
golang.org/x/textv0.14.0
golang.org/x/timev0.0.0-20210220033141-f8bda1e9f3ba
google.golang.org/genproto/googleapis/apiv0.0.0-20230822172742-b8732ec3820d
google.golang.org/genproto/googleapis/rpcv0.0.0-20230822172742-b8732ec3820d
google.golang.org/grpcv1.59.0
google.golang.org/protobufv1.33.0
gopkg.in/cheggaaa/pb.v1v1.0.28
+
+

usr/local/bin/etcdctl-3.5.15

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Package + + + + Vulnerability ID + + + + Severity + + + + Installed Version + + + + Fixed Version + + + + Links + + + +
github.com/golang-jwt/jwt/v4CVE-2024-51744LOWv4.4.24.5.1
stdlibCVE-2024-34156HIGHv1.21.121.22.7, 1.23.1
stdlibCVE-2024-34155MEDIUMv1.21.121.22.7, 1.23.1
stdlibCVE-2024-34158MEDIUMv1.21.121.22.7, 1.23.1
+
+

Packages

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ID + + + + Name + + + + Version + + + + SrcName + + + + SrcVersion + + + +
go.etcd.io/etcd/etcdctl/v3
stdlibv1.21.12
../api
../client/pkg
../client/v2
../client/v3
../etcdutl
../pkg
../raft
../server
github.com/beorn7/perksv1.0.1
github.com/bgentry/speakeasyv0.1.0
github.com/cespare/xxhash/v2v2.2.0
github.com/coreos/go-semverv0.3.0
github.com/coreos/go-systemd/v22v22.3.2
github.com/cpuguy83/go-md2man/v2v2.0.0
github.com/dustin/go-humanizev1.0.0
github.com/go-logr/logrv1.3.0
github.com/go-logr/stdrv1.2.2
github.com/gogo/protobufv1.3.2
github.com/golang-jwt/jwt/v4v4.4.2
github.com/golang/protobufv1.5.4
github.com/google/btreev1.0.1
github.com/jonboulle/clockworkv0.2.2
github.com/json-iterator/gov1.1.11
github.com/mattn/go-runewidthv0.0.9
github.com/matttproud/golang_protobuf_extensionsv1.0.1
github.com/modern-go/concurrentv0.0.0-20180306012644-bacd9c7ef1dd
github.com/modern-go/reflect2v1.0.1
github.com/olekukonko/tablewriterv0.0.5
github.com/prometheus/client_golangv1.11.1
github.com/prometheus/client_modelv0.2.0
github.com/prometheus/commonv0.26.0
github.com/prometheus/procfsv0.6.0
github.com/russross/blackfriday/v2v2.0.1
github.com/shurcooL/sanitized_anchor_namev1.0.0
github.com/spf13/cobrav1.1.3
github.com/spf13/pflagv1.0.5
github.com/urfave/cliv1.22.4
github.com/xiang90/probingv0.0.0-20190116061207-43a291ad63a2
go.etcd.io/bboltv1.3.10
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpcv0.46.0
go.opentelemetry.io/otelv1.20.0
go.opentelemetry.io/otel/metricv1.20.0
go.opentelemetry.io/otel/tracev1.20.0
go.uber.org/atomicv1.7.0
go.uber.org/multierrv1.6.0
go.uber.org/zapv1.17.0
golang.org/x/cryptov0.21.0
golang.org/x/netv0.23.0
golang.org/x/sysv0.18.0
golang.org/x/textv0.14.0
golang.org/x/timev0.0.0-20210220033141-f8bda1e9f3ba
google.golang.org/genproto/googleapis/apiv0.0.0-20230822172742-b8732ec3820d
google.golang.org/genproto/googleapis/rpcv0.0.0-20230822172742-b8732ec3820d
google.golang.org/grpcv1.59.0
google.golang.org/protobufv1.33.0
gopkg.in/cheggaaa/pb.v1v1.0.28
+
+

usr/local/bin/migrate

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Package + + + + Vulnerability ID + + + + Severity + + + + Installed Version + + + + Fixed Version + + + + Links + + + +
stdlibCVE-2024-34156HIGHv1.21.121.22.7, 1.23.1
stdlibCVE-2024-34155MEDIUMv1.21.121.22.7, 1.23.1
stdlibCVE-2024-34158MEDIUMv1.21.121.22.7, 1.23.1
+
+

Packages

+
+ + + + + + + + + + + + + + + + + + + + + +
ID + + + + Name + + + + Version + + + + SrcName + + + + SrcVersion + + + +
stdlibv1.21.12
+
+

docker.io/kindest/local-path-provisioner:v20240813-c6f155d6 (debian 11.10)

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Package + + + + Vulnerability ID + + + + Severity + + + + Installed Version + + + + Fixed Version + + + + Links + + + +
libc6CVE-2023-4806MEDIUM2.31-13+deb11u10
libc6CVE-2023-4813MEDIUM2.31-13+deb11u10
libc6CVE-2010-4756LOW2.31-13+deb11u10
libc6CVE-2018-20796LOW2.31-13+deb11u10
libc6CVE-2019-1010022LOW2.31-13+deb11u10
libc6CVE-2019-1010023LOW2.31-13+deb11u10
libc6CVE-2019-1010024LOW2.31-13+deb11u10
libc6CVE-2019-1010025LOW2.31-13+deb11u10
libc6CVE-2019-9192LOW2.31-13+deb11u10
libssl1.1CVE-2023-5678MEDIUM1.1.1w-0+deb11u11.1.1w-0+deb11u2
libssl1.1CVE-2024-0727MEDIUM1.1.1w-0+deb11u11.1.1w-0+deb11u2
libssl1.1CVE-2024-4741MEDIUM1.1.1w-0+deb11u11.1.1w-0+deb11u2
libssl1.1CVE-2024-5535MEDIUM1.1.1w-0+deb11u11.1.1w-0+deb11u2
libssl1.1CVE-2024-2511LOW1.1.1w-0+deb11u11.1.1w-0+deb11u2
libssl1.1CVE-2024-9143LOW1.1.1w-0+deb11u11.1.1w-0+deb11u2
opensslCVE-2023-5678MEDIUM1.1.1w-0+deb11u11.1.1w-0+deb11u2
opensslCVE-2024-0727MEDIUM1.1.1w-0+deb11u11.1.1w-0+deb11u2
opensslCVE-2024-4741MEDIUM1.1.1w-0+deb11u11.1.1w-0+deb11u2
opensslCVE-2024-5535MEDIUM1.1.1w-0+deb11u11.1.1w-0+deb11u2
opensslCVE-2024-2511LOW1.1.1w-0+deb11u11.1.1w-0+deb11u2
opensslCVE-2024-9143LOW1.1.1w-0+deb11u11.1.1w-0+deb11u2
tzdataDLA-3972-1UNKNOWN2024a-0+deb11u12024b-0+deb11u1
+
+

Packages

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ID + + + + Name + + + + Version + + + + SrcName + + + + SrcVersion + + + +
base-files@11.1+deb11u10base-files11.1+deb11u10base-files11.1+deb11u10
libc6@2.31-13+deb11u10libc62.31glibc2.31
libssl1.1@1.1.1w-0+deb11u1libssl1.11.1.1wopenssl1.1.1w
netbase@6.3netbase6.3netbase6.3
openssl@1.1.1w-0+deb11u1openssl1.1.1wopenssl1.1.1w
tzdata@2024a-0+deb11u1tzdata2024atzdata2024a
+
+

usr/local/bin/local-path-provisioner

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Package + + + + Vulnerability ID + + + + Severity + + + + Installed Version + + + + Fixed Version + + + + Links + + + +
github.com/gogo/protobufCVE-2021-3121HIGHv1.3.11.3.2
golang.org/x/cryptoCVE-2023-48795MEDIUMv0.7.00.17.0
golang.org/x/netCVE-2023-39325HIGHv0.8.00.17.0
golang.org/x/netCVE-2023-3978MEDIUMv0.8.00.13.0
golang.org/x/netCVE-2023-44487MEDIUMv0.8.00.17.0
golang.org/x/netCVE-2023-45288MEDIUMv0.8.00.23.0
google.golang.org/protobufCVE-2024-24786MEDIUMv1.30.01.33.0
k8s.io/client-goCVE-2020-8565MEDIUMv0.19.10.19.6, 0.20.0-alpha.2, 0.18.14, 0.17.16
stdlibCVE-2024-34156HIGHv1.22.61.22.7, 1.23.1
stdlibCVE-2024-34155MEDIUMv1.22.61.22.7, 1.23.1
stdlibCVE-2024-34158MEDIUMv1.22.61.22.7, 1.23.1
+
+

Packages

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ID + + + + Name + + + + Version + + + + SrcName + + + + SrcVersion + + + +
github.com/rancher/local-path-provisionerv0.0.24
stdlibv1.22.6
github.com/Sirupsen/logrusv0.11.0
github.com/beorn7/perksv1.0.1
github.com/cespare/xxhash/v2v2.1.2
github.com/davecgh/go-spewv1.1.1
github.com/go-logr/logrv0.2.0
github.com/gogo/protobufv1.3.1
github.com/golang/groupcachev0.0.0-20200121045136-8c9f03a8e57e
github.com/golang/protobufv1.5.3
github.com/google/go-cmpv0.5.8
github.com/google/gofuzzv1.1.0
github.com/google/uuidv1.1.1
github.com/googleapis/gnosticv0.4.1
github.com/hashicorp/golang-lruv0.5.1
github.com/imdario/mergov0.3.5
github.com/json-iterator/gov1.1.12
github.com/matttproud/golang_protobuf_extensionsv1.0.1
github.com/miekg/dnsv1.1.29
github.com/modern-go/concurrentv0.0.0-20180306012644-bacd9c7ef1dd
github.com/modern-go/reflect2v1.0.2
github.com/pkg/errorsv0.9.1
github.com/prometheus/client_golangv1.11.1
github.com/prometheus/client_modelv0.3.0
github.com/prometheus/commonv0.32.1
github.com/prometheus/procfsv0.8.0
github.com/spf13/pflagv1.0.5
github.com/urfave/cliv1.19.1
golang.org/x/cryptov0.7.0
golang.org/x/netv0.8.0
golang.org/x/oauth2v0.6.0
golang.org/x/sysv0.6.0
golang.org/x/termv0.6.0
golang.org/x/textv0.8.0
golang.org/x/timev0.3.0
google.golang.org/protobufv1.30.0
gopkg.in/inf.v0v0.9.1
gopkg.in/yaml.v2v2.4.0
k8s.io/apiv0.19.1
k8s.io/apimachineryv0.19.1
k8s.io/client-gov0.19.1
k8s.io/klog/v2v2.3.0
k8s.io/kube-openapiv0.0.0-20200805222855-6aeccd4b50c6
k8s.io/utilsv0.0.0-20200729134348-d5654de09c73
sigs.k8s.io/sig-storage-lib-external-provisioner/v8v8.0.0
sigs.k8s.io/structured-merge-diff/v4v4.0.1
sigs.k8s.io/yamlv1.2.0
+
+ +
\ No newline at end of file
diff --git a/render/testdata/input/happy-k8s.json b/render/testdata/input/happy-k8s.json
new file mode 100644
index 0000000..2a2034c
--- /dev/null
+++ b/render/testdata/input/happy-k8s.json
@@ -0,0 +1,54184 @@ +{ + "ClusterName": "kind-kind", + "Resources": [ + { + "Kind": "ClusterRole", + "Name": "admin", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/admin", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 151, + "Failures": 13 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV041", + "AVDID": "AVD-KSV-0041", + "Title": "Manage secrets", + "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", + "Message": "ClusterRole 'admin' shouldn't have access to manage resource 'secrets'", + "Namespace": "builtin.kubernetes.KSV041", + "Query": "data.builtin.kubernetes.KSV041.deny", + "Resolution": "Manage secrets are not allowed. 
Remove resource 'secrets' from cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv041" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 17, + "EndLine": 29, + "Code": { + "Lines": [ + { + "Number": 17, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 18, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - pods/attach", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/attach", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - pods/exec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/exec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - pods/portforward", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/portforward", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " - pods/proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - services/proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - services/proxy", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 26, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV041", + "AVDID": "AVD-KSV-0041", + "Title": "Manage secrets", + "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", + "Message": "ClusterRole 'admin' shouldn't have access to manage resource 'secrets'", + "Namespace": "builtin.kubernetes.KSV041", + "Query": "data.builtin.kubernetes.KSV041.deny", + "Resolution": "Manage secrets are not allowed. 
Remove resource 'secrets' from cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv041" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 56, + "EndLine": 73, + "Code": { + "Lines": [ + { + "Number": 56, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 57, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - events", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - events", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " - persistentvolumeclaims", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - persistentvolumeclaims", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - replicationcontrollers", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 63, + "Content": " - replicationcontrollers/scale", + "IsCause": true, + "Annotation": "", 
+ "Truncated": false, + "Highlighted": " - replicationcontrollers/scale", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 65, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'admin' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 118, + "EndLine": 135, + "Code": { + "Lines": [ + { + "Number": 118, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { 
+ "Number": 119, + "Content": " - extensions", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - extensions", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 120, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 121, + "Content": " - daemonsets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - daemonsets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 122, + "Content": " - deployments", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 123, + "Content": " - deployments/rollback", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments/rollback", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " - deployments/scale", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments/scale", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " - ingresses", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - ingresses", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - networkpolicies", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - networkpolicies", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 127, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission 
controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'admin' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 56, + "EndLine": 73, + "Code": { + "Lines": [ + { + "Number": 56, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 57, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - events", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - events", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " - persistentvolumeclaims", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - persistentvolumeclaims", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - replicationcontrollers", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 63, + "Content": " - replicationcontrollers/scale", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers/scale", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 65, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'admin' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are 
only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 80, + "EndLine": 96, + "Code": { + "Lines": [ + { + "Number": 80, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 81, + "Content": " - apps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - apps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 82, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " - daemonsets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - daemonsets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " - deployments", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " - deployments/rollback", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments/rollback", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " - deployments/scale", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments/scale", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " - replicasets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
replicasets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " - replicasets/scale", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicasets/scale", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 89, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'admin' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 107, + "EndLine": 117, + "Code": { + "Lines": [ + { + "Number": 107, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 108, + "Content": " - 
batch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - batch", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 109, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 110, + "Content": " - cronjobs", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cronjobs", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 111, + "Content": " - jobs", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - jobs", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 112, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 113, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 114, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 115, + "Content": " - deletecollection", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deletecollection", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 116, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or 
allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'admin' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 36, + "EndLine": 49, + "Code": { + "Lines": [ + { + "Number": 36, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 37, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 38, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 39, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 40, + "Content": " - pods/attach", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/attach", + "FirstCause": false, + "LastCause": 
false + }, + { + "Number": 41, + "Content": " - pods/exec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/exec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 42, + "Content": " - pods/portforward", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/portforward", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 43, + "Content": " - pods/proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 44, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 45, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV049", + "AVDID": "AVD-KSV-0049", + "Title": "Manage configmaps", + "Description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", + "Message": "ClusterRole 'admin' should not have access to resource 'configmaps' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV049", + "Query": "data.builtin.kubernetes.KSV049.deny", + "Resolution": "Remove write permission verbs for resource 'configmaps'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv049", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv049" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + 
"Service": "general", + "StartLine": 56, + "EndLine": 73, + "Code": { + "Lines": [ + { + "Number": 56, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 57, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - events", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - events", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " - persistentvolumeclaims", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - persistentvolumeclaims", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - replicationcontrollers", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 63, + "Content": " - replicationcontrollers/scale", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers/scale", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 65, + "Content": "", + 
"IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV050", + "AVDID": "AVD-KSV-0050", + "Title": "Manage Kubernetes RBAC resources", + "Description": "An effective level of access equivalent to cluster-admin should not be provided.", + "Message": "ClusterRole 'admin' should not have access to resources [\"roles\", \"rolebindings\"] for verbs [\"create\", \"update\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV050", + "Query": "data.builtin.kubernetes.KSV050.deny", + "Resolution": "Remove write permission verbs for resource 'roles' and 'rolebindings'", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv050", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv050" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 302, + "EndLine": 315, + "Code": { + "Lines": [ + { + "Number": 302, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 303, + "Content": " - rbac.authorization.k8s.io", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - rbac.authorization.k8s.io", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 304, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 305, + "Content": " - rolebindings", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - rolebindings", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 306, + "Content": " - roles", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - roles", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 307, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 308, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 309, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 310, + "Content": " - deletecollection", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deletecollection", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 311, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV053", + "AVDID": "AVD-KSV-0053", + "Title": "Exec into Pods", + "Description": "The ability to exec into a container with privileged access to the host or with an attached SA with higher RBAC permissions is a common escalation path to cluster-admin.", + "Message": "ClusterRole 'admin' should not have access to resource '[\"pods/exec\"]' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV053", + "Query": "data.builtin.kubernetes.KSV053.deny", + "Resolution": "Remove write permission verbs for resource 'pods/exec'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv053", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + 
"https://avd.aquasec.com/misconfig/ksv053" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 36, + "EndLine": 49, + "Code": { + "Lines": [ + { + "Number": 36, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 37, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 38, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 39, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 40, + "Content": " - pods/attach", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/attach", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 41, + "Content": " - pods/exec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/exec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 42, + "Content": " - pods/portforward", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/portforward", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 43, + "Content": " - pods/proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 44, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": 
false, + "LastCause": true + }, + { + "Number": 45, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV056", + "AVDID": "AVD-KSV-0056", + "Title": "Manage Kubernetes networking", + "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", + "Message": "ClusterRole 'admin' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV056", + "Query": "data.builtin.kubernetes.KSV056.deny", + "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv056" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 56, + "EndLine": 73, + "Code": { + "Lines": [ + { + "Number": 56, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 57, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + 
}, + { + "Number": 59, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - events", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - events", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " - persistentvolumeclaims", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - persistentvolumeclaims", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - replicationcontrollers", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 63, + "Content": " - replicationcontrollers/scale", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers/scale", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 65, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV056", + "AVDID": "AVD-KSV-0056", + "Title": "Manage Kubernetes networking", + "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. 
Controlling network policy allows for bypassing lateral movement restrictions.", + "Message": "ClusterRole 'admin' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV056", + "Query": "data.builtin.kubernetes.KSV056.deny", + "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv056" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 118, + "EndLine": 135, + "Code": { + "Lines": [ + { + "Number": 118, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 119, + "Content": " - extensions", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - extensions", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 120, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 121, + "Content": " - daemonsets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - daemonsets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 122, + "Content": " - deployments", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 123, + "Content": " - deployments/rollback", 
+ "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments/rollback", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " - deployments/scale", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments/scale", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " - ingresses", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - ingresses", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - networkpolicies", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - networkpolicies", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 127, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV056", + "AVDID": "AVD-KSV-0056", + "Title": "Manage Kubernetes networking", + "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. 
Controlling network policy allows for bypassing lateral movement restrictions.", + "Message": "ClusterRole 'admin' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV056", + "Query": "data.builtin.kubernetes.KSV056.deny", + "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv056" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 146, + "EndLine": 156, + "Code": { + "Lines": [ + { + "Number": 146, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 147, + "Content": " - networking.k8s.io", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - networking.k8s.io", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 148, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 149, + "Content": " - ingresses", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - ingresses", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 150, + "Content": " - networkpolicies", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - networkpolicies", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " 
verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " - deletecollection", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deletecollection", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 155, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "cluster-admin", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/cluster-admin", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 155, + "Failures": 2 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV044", + "AVDID": "AVD-KSV-0044", + "Title": "No wildcard verb and resource roles", + "Description": "Check whether role permits wildcard verb on wildcard resource", + "Message": "Role permits wildcard verb on wildcard resource", + "Namespace": "builtin.kubernetes.KSV044", + "Query": "data.builtin.kubernetes.KSV044.deny", + "Resolution": "Create a role which does not permit wildcard verb on wildcard resource", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv044", + "References": [ + 
"https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv044" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 13, + "EndLine": 18, + "Code": { + "Lines": [ + { + "Number": 13, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 14, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'\u001b[0m", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV046", + "AVDID": "AVD-KSV-0046", + "Title": "Manage all resources", + "Description": "Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data.", + "Message": "ClusterRole 'cluster-admin' shouldn't manage all resources", + "Namespace": "builtin.kubernetes.KSV046", + "Query": 
"data.builtin.kubernetes.KSV046.deny", + "Resolution": "Remove '*' from 'rules.resources'. Provide specific list of resources to be managed by cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv046", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv046" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 13, + "EndLine": 18, + "Code": { + "Lines": [ + { + "Number": 13, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 14, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'\u001b[0m", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "edit", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + 
"rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/edit", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 152, + "Failures": 12 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV041", + "AVDID": "AVD-KSV-0041", + "Title": "Manage secrets", + "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", + "Message": "ClusterRole 'edit' shouldn't have access to manage resource 'secrets'", + "Namespace": "builtin.kubernetes.KSV041", + "Query": "data.builtin.kubernetes.KSV041.deny", + "Resolution": "Manage secrets are not allowed. Remove resource 'secrets' from cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv041" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 18, + "EndLine": 30, + "Code": { + "Lines": [ + { + "Number": 18, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 19, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - 
pods/attach", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/attach", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - pods/exec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/exec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " - pods/portforward", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/portforward", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " - pods/proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " - services/proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - services/proxy", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 27, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV041", + "AVDID": "AVD-KSV-0041", + "Title": "Manage secrets", + "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", + "Message": "ClusterRole 'edit' shouldn't have access to manage resource 'secrets'", + "Namespace": "builtin.kubernetes.KSV041", + "Query": "data.builtin.kubernetes.KSV041.deny", + "Resolution": "Manage secrets are not allowed. 
Remove resource 'secrets' from cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv041" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 57, + "EndLine": 74, + "Code": { + "Lines": [ + { + "Number": 57, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 58, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " - events", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - events", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - persistentvolumeclaims", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - persistentvolumeclaims", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 63, + "Content": " - replicationcontrollers", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " - replicationcontrollers/scale", + "IsCause": true, + "Annotation": "", 
+ "Truncated": false, + "Highlighted": " - replicationcontrollers/scale", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 66, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'edit' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 37, + "EndLine": 50, + "Code": { + "Lines": [ + { + "Number": 37, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + 
"Number": 38, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 39, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 40, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 41, + "Content": " - pods/attach", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/attach", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 42, + "Content": " - pods/exec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/exec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 43, + "Content": " - pods/portforward", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/portforward", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 44, + "Content": " - pods/proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 45, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 46, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges 
from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'edit' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 57, + "EndLine": 74, + "Code": { + "Lines": [ + { + "Number": 57, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 58, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " - events", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " - events", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - persistentvolumeclaims", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - persistentvolumeclaims", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 63, + "Content": " - replicationcontrollers", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " - replicationcontrollers/scale", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers/scale", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 66, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'edit' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 
'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 81, + "EndLine": 97, + "Code": { + "Lines": [ + { + "Number": 81, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 82, + "Content": " - apps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - apps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " - daemonsets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - daemonsets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " - deployments", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " - deployments/rollback", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments/rollback", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " - deployments/scale", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments/scale", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " - replicasets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicasets", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 89, + "Content": " - replicasets/scale", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicasets/scale", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 90, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'edit' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 108, + "EndLine": 118, + "Code": { + "Lines": [ + { + "Number": 108, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 109, + "Content": " - batch", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": " - batch", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 110, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 111, + "Content": " - cronjobs", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cronjobs", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 112, + "Content": " - jobs", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - jobs", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 113, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 114, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 115, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 116, + "Content": " - deletecollection", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deletecollection", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 117, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape 
to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'edit' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 119, + "EndLine": 136, + "Code": { + "Lines": [ + { + "Number": 119, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 120, + "Content": " - extensions", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - extensions", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 121, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 122, + "Content": " - daemonsets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - daemonsets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 123, + "Content": " - deployments", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + 
"Content": " - deployments/rollback", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments/rollback", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " - deployments/scale", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments/scale", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - ingresses", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - ingresses", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - networkpolicies", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - networkpolicies", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 128, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV049", + "AVDID": "AVD-KSV-0049", + "Title": "Manage configmaps", + "Description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", + "Message": "ClusterRole 'edit' should not have access to resource 'configmaps' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV049", + "Query": "data.builtin.kubernetes.KSV049.deny", + "Resolution": "Remove write permission verbs for resource 'configmaps'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv049", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv049" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": 
"general", + "StartLine": 57, + "EndLine": 74, + "Code": { + "Lines": [ + { + "Number": 57, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 58, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " - events", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - events", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - persistentvolumeclaims", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - persistentvolumeclaims", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 63, + "Content": " - replicationcontrollers", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " - replicationcontrollers/scale", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers/scale", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 66, + "Content": "", + "IsCause": false, 
+ "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV053", + "AVDID": "AVD-KSV-0053", + "Title": "Exec into Pods", + "Description": "The ability to exec into a container with privileged access to the host or with an attached SA with higher RBAC permissions is a common escalation path to cluster-admin.", + "Message": "ClusterRole 'edit' should not have access to resource '[\"pods/exec\"]' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV053", + "Query": "data.builtin.kubernetes.KSV053.deny", + "Resolution": "Remove write permission verbs for resource 'pods/exec'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv053", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv053" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 37, + "EndLine": 50, + "Code": { + "Lines": [ + { + "Number": 37, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 38, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 39, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 40, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 
41, + "Content": " - pods/attach", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/attach", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 42, + "Content": " - pods/exec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/exec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 43, + "Content": " - pods/portforward", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/portforward", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 44, + "Content": " - pods/proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 45, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 46, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV056", + "AVDID": "AVD-KSV-0056", + "Title": "Manage Kubernetes networking", + "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. 
Controlling network policy allows for bypassing lateral movement restrictions.", + "Message": "ClusterRole 'edit' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV056", + "Query": "data.builtin.kubernetes.KSV056.deny", + "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv056" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 57, + "EndLine": 74, + "Code": { + "Lines": [ + { + "Number": 57, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 58, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " - events", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - events", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - persistentvolumeclaims", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - persistentvolumeclaims", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 63, + "Content": " - replicationcontrollers", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " - replicationcontrollers/scale", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers/scale", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 66, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV056", + "AVDID": "AVD-KSV-0056", + "Title": "Manage Kubernetes networking", + "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. 
Controlling network policy allows for bypassing lateral movement restrictions.", + "Message": "ClusterRole 'edit' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV056", + "Query": "data.builtin.kubernetes.KSV056.deny", + "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv056" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 119, + "EndLine": 136, + "Code": { + "Lines": [ + { + "Number": 119, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 120, + "Content": " - extensions", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - extensions", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 121, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 122, + "Content": " - daemonsets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - daemonsets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 123, + "Content": " - deployments", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " - deployments/rollback", 
+ "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments/rollback", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " - deployments/scale", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments/scale", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - ingresses", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - ingresses", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - networkpolicies", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - networkpolicies", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 128, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV056", + "AVDID": "AVD-KSV-0056", + "Title": "Manage Kubernetes networking", + "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. 
Controlling network policy allows for bypassing lateral movement restrictions.", + "Message": "ClusterRole 'edit' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV056", + "Query": "data.builtin.kubernetes.KSV056.deny", + "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv056" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 147, + "EndLine": 157, + "Code": { + "Lines": [ + { + "Number": 147, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 148, + "Content": " - networking.k8s.io", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - networking.k8s.io", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 149, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 150, + "Content": " - ingresses", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - ingresses", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " - networkpolicies", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - networkpolicies", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " 
verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - deletecollection", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deletecollection", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 156, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "kindnet", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/kindnet", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "kubeadm:get-nodes", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/kubeadm:get-nodes", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "local-path-provisioner-role", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + 
"diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/local-path-provisioner-role", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 154, + "Failures": 3 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV045", + "AVDID": "AVD-KSV-0045", + "Title": "No wildcard verb roles", + "Description": "Check whether role permits wildcard verb on specific resources", + "Message": "Role permits wildcard verb on specific resources", + "Namespace": "builtin.kubernetes.KSV045", + "Query": "data.builtin.kubernetes.KSV045.deny", + "Resolution": "Create a role which does not permit wildcard verb on specific resources", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv045", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv045" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 17, + "EndLine": 24, + "Code": { + "Lines": [ + { + "Number": 17, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 18, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - endpoints", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - endpoints", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - persistentvolumes", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - persistentvolumes", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'\u001b[0m", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'local-path-provisioner-role' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + 
"Service": "general", + "StartLine": 17, + "EndLine": 24, + "Code": { + "Lines": [ + { + "Number": 17, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 18, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - endpoints", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - endpoints", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - persistentvolumes", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - persistentvolumes", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'\u001b[0m", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV056", + "AVDID": "AVD-KSV-0056", + "Title": "Manage Kubernetes networking", + "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. 
Controlling network policy allows for bypassing lateral movement restrictions.", + "Message": "ClusterRole 'local-path-provisioner-role' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV056", + "Query": "data.builtin.kubernetes.KSV056.deny", + "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv056" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 17, + "EndLine": 24, + "Code": { + "Lines": [ + { + "Number": 17, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 18, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - endpoints", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - endpoints", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - persistentvolumes", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - persistentvolumes", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + 
"Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'\u001b[0m", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:aggregate-to-admin", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:aggregate-to-admin", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV050", + "AVDID": "AVD-KSV-0050", + "Title": "Manage Kubernetes RBAC resources", + "Description": "An effective level of access equivalent to cluster-admin should not be provided.", + "Message": "ClusterRole 'system:aggregate-to-admin' should not have access to resources [\"roles\", \"rolebindings\"] for verbs [\"create\", \"update\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV050", + "Query": "data.builtin.kubernetes.KSV050.deny", + "Resolution": "Remove write permission verbs for resource 'roles' and 'rolebindings'", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv050", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv050" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": 
"Kubernetes", + "Service": "general", + "StartLine": 20, + "EndLine": 33, + "Code": { + "Lines": [ + { + "Number": 20, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 21, + "Content": " - rbac.authorization.k8s.io", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - rbac.authorization.k8s.io", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " - rolebindings", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - rolebindings", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " - roles", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - roles", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - deletecollection", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deletecollection", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 29, + "Content": "", + "IsCause": false, + "Annotation": "", + 
"Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:aggregate-to-edit", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:aggregate-to-edit", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 152, + "Failures": 12 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV041", + "AVDID": "AVD-KSV-0041", + "Title": "Manage secrets", + "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", + "Message": "ClusterRole 'system:aggregate-to-edit' shouldn't have access to manage resource 'secrets'", + "Namespace": "builtin.kubernetes.KSV041", + "Query": "data.builtin.kubernetes.KSV041.deny", + "Resolution": "Manage secrets are not allowed. 
Remove resource 'secrets' from cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv041" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 14, + "EndLine": 26, + "Code": { + "Lines": [ + { + "Number": 14, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 15, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " - pods/attach", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/attach", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " - pods/exec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/exec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " - pods/portforward", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/portforward", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - pods/proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - services/proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - services/proxy", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 23, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV041", + "AVDID": "AVD-KSV-0041", + "Title": "Manage secrets", + "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", + "Message": "ClusterRole 'system:aggregate-to-edit' shouldn't have access to manage resource 'secrets'", + "Namespace": "builtin.kubernetes.KSV041", + "Query": "data.builtin.kubernetes.KSV041.deny", + "Resolution": "Manage secrets are not allowed. 
Remove resource 'secrets' from cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv041" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 53, + "EndLine": 70, + "Code": { + "Lines": [ + { + "Number": 53, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 54, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " - events", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - events", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - persistentvolumeclaims", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - persistentvolumeclaims", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " - replicationcontrollers", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - replicationcontrollers/scale", + "IsCause": true, + "Annotation": "", 
+ "Truncated": false, + "Highlighted": " - replicationcontrollers/scale", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 62, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:aggregate-to-edit' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 33, + "EndLine": 46, + "Code": { + "Lines": [ + { + "Number": 33, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + 
"LastCause": false + }, + { + "Number": 34, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 37, + "Content": " - pods/attach", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/attach", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 38, + "Content": " - pods/exec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/exec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 39, + "Content": " - pods/portforward", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/portforward", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 40, + "Content": " - pods/proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 41, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 42, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission 
controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:aggregate-to-edit' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 53, + "EndLine": 70, + "Code": { + "Lines": [ + { + "Number": 53, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 54, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " - events", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - events", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - persistentvolumeclaims", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - persistentvolumeclaims", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " - replicationcontrollers", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - replicationcontrollers/scale", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers/scale", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 62, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:aggregate-to-edit' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": 
"Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 77, + "EndLine": 93, + "Code": { + "Lines": [ + { + "Number": 77, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 78, + "Content": " - apps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - apps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " - daemonsets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - daemonsets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " - deployments", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 82, + "Content": " - deployments/rollback", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments/rollback", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " - deployments/scale", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments/scale", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " - replicasets", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - replicasets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " - replicasets/scale", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicasets/scale", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 86, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:aggregate-to-edit' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 104, + "EndLine": 114, + "Code": { + "Lines": [ + { + "Number": 104, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + 
"LastCause": false + }, + { + "Number": 105, + "Content": " - batch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - batch", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 106, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 107, + "Content": " - cronjobs", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cronjobs", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 108, + "Content": " - jobs", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - jobs", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 109, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 110, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 111, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 112, + "Content": " - deletecollection", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deletecollection", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 113, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from 
the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:aggregate-to-edit' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 115, + "EndLine": 132, + "Code": { + "Lines": [ + { + "Number": 115, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 116, + "Content": " - extensions", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - extensions", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 117, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 118, + "Content": " - daemonsets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - daemonsets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 119, + "Content": " - deployments", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - deployments", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 120, + "Content": " - deployments/rollback", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments/rollback", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 121, + "Content": " - deployments/scale", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments/scale", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 122, + "Content": " - ingresses", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - ingresses", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 123, + "Content": " - networkpolicies", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - networkpolicies", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 124, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV049", + "AVDID": "AVD-KSV-0049", + "Title": "Manage configmaps", + "Description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", + "Message": "ClusterRole 'system:aggregate-to-edit' should not have access to resource 'configmaps' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV049", + "Query": "data.builtin.kubernetes.KSV049.deny", + "Resolution": "Remove write permission verbs for resource 'configmaps'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv049", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + 
"https://avd.aquasec.com/misconfig/ksv049" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 53, + "EndLine": 70, + "Code": { + "Lines": [ + { + "Number": 53, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 54, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " - events", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - events", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - persistentvolumeclaims", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - persistentvolumeclaims", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " - replicationcontrollers", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - replicationcontrollers/scale", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers/scale", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 62, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV053", + "AVDID": "AVD-KSV-0053", + "Title": "Exec into Pods", + "Description": "The ability to exec into a container with privileged access to the host or with an attached SA with higher RBAC permissions is a common escalation path to cluster-admin.", + "Message": "ClusterRole 'system:aggregate-to-edit' should not have access to resource '[\"pods/exec\"]' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV053", + "Query": "data.builtin.kubernetes.KSV053.deny", + "Resolution": "Remove write permission verbs for resource 'pods/exec'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv053", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv053" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 33, + "EndLine": 46, + "Code": { + "Lines": [ + { + "Number": 33, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 34, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + 
"Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 37, + "Content": " - pods/attach", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/attach", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 38, + "Content": " - pods/exec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/exec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 39, + "Content": " - pods/portforward", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/portforward", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 40, + "Content": " - pods/proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 41, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 42, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV056", + "AVDID": "AVD-KSV-0056", + "Title": "Manage Kubernetes networking", + "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. 
Controlling network policy allows for bypassing lateral movement restrictions.", + "Message": "ClusterRole 'system:aggregate-to-edit' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV056", + "Query": "data.builtin.kubernetes.KSV056.deny", + "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv056" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 53, + "EndLine": 70, + "Code": { + "Lines": [ + { + "Number": 53, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 54, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " - events", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - events", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - 
persistentvolumeclaims", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - persistentvolumeclaims", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " - replicationcontrollers", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - replicationcontrollers/scale", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers/scale", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 62, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV056", + "AVDID": "AVD-KSV-0056", + "Title": "Manage Kubernetes networking", + "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. 
Controlling network policy allows for bypassing lateral movement restrictions.", + "Message": "ClusterRole 'system:aggregate-to-edit' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV056", + "Query": "data.builtin.kubernetes.KSV056.deny", + "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv056" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 115, + "EndLine": 132, + "Code": { + "Lines": [ + { + "Number": 115, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 116, + "Content": " - extensions", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - extensions", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 117, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 118, + "Content": " - daemonsets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - daemonsets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 119, + "Content": " - deployments", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 120, + "Content": " - 
deployments/rollback", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments/rollback", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 121, + "Content": " - deployments/scale", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments/scale", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 122, + "Content": " - ingresses", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - ingresses", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 123, + "Content": " - networkpolicies", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - networkpolicies", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 124, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV056", + "AVDID": "AVD-KSV-0056", + "Title": "Manage Kubernetes networking", + "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. 
Controlling network policy allows for bypassing lateral movement restrictions.", + "Message": "ClusterRole 'system:aggregate-to-edit' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV056", + "Query": "data.builtin.kubernetes.KSV056.deny", + "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv056" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 143, + "EndLine": 153, + "Code": { + "Lines": [ + { + "Number": 143, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 144, + "Content": " - networking.k8s.io", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - networking.k8s.io", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 145, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 146, + "Content": " - ingresses", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - ingresses", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 147, + "Content": " - networkpolicies", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - networkpolicies", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 148, 
+ "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 149, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 150, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " - deletecollection", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deletecollection", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 152, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:aggregate-to-view", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:aggregate-to-view", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:auth-delegator", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:auth-delegator", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:basic-user", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + 
"os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:basic-user", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:certificates.k8s.io:certificatesigningrequests:nodeclient", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:certificates.k8s.io:certificatesigningrequests:nodeclient", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:certificates.k8s.io:certificatesigningrequests:selfnodeclient", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:certificates.k8s.io:certificatesigningrequests:selfnodeclient", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:certificates.k8s.io:kube-apiserver-client-approver", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:certificates.k8s.io:kube-apiserver-client-approver", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:certificates.k8s.io:kube-apiserver-client-kubelet-approver", + "Metadata": [ + { + "ImageConfig": { 
+ "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:certificates.k8s.io:kube-apiserver-client-kubelet-approver", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:certificates.k8s.io:kubelet-serving-approver", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:certificates.k8s.io:kubelet-serving-approver", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:certificates.k8s.io:legacy-unknown-approver", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:certificates.k8s.io:legacy-unknown-approver", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:attachdetach-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:attachdetach-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:certificate-controller", + "Metadata": [ + { + "ImageConfig": { + 
"architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:certificate-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:clusterrole-aggregation-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:clusterrole-aggregation-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:cronjob-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:cronjob-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 3 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:controller:cronjob-controller' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs 
[\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 13, + "EndLine": 21, + "Code": { + "Lines": [ + { + "Number": 13, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 14, + "Content": " - batch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - batch", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " - cronjobs", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cronjobs", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - update", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:controller:cronjob-controller' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 22, + "EndLine": 33, + "Code": { + "Lines": [ + { + "Number": 22, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + 
"Number": 23, + "Content": " - batch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - batch", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - jobs", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - jobs", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 31, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for 
creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:controller:cronjob-controller' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 46, + "EndLine": 52, + "Code": { + "Lines": [ + { + "Number": 46, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 47, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 48, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:daemon-set-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:daemon-set-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:controller:daemon-set-controller' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + 
"https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 43, + "EndLine": 52, + "Code": { + "Lines": [ + { + "Number": 43, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 44, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 45, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 46, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 47, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 48, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " - patch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
patch", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:deployment-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:deployment-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 3 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:controller:deployment-controller' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + 
"Provider": "Kubernetes", + "Service": "general", + "StartLine": 13, + "EndLine": 22, + "Code": { + "Lines": [ + { + "Number": 13, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 14, + "Content": " - apps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - apps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " - extensions", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - extensions", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " - deployments", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - update", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
watch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:controller:deployment-controller' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 37, + "EndLine": 49, + "Code": { + "Lines": [ + { + "Number": 37, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 38, + "Content": " - apps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - apps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 39, + "Content": " - extensions", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - extensions", + "FirstCause": false, + "LastCause": false + 
}, + { + "Number": 40, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 41, + "Content": " - replicasets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicasets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 42, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 43, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 44, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 45, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 46, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:controller:deployment-controller' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs 
[\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 50, + "EndLine": 58, + "Code": { + "Lines": [ + { + "Number": 50, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 51, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 54, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " - update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - update", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:disruption-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:disruption-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:endpoint-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:endpoint-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV056", + "AVDID": "AVD-KSV-0056", + "Title": "Manage Kubernetes networking", + "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. 
Controlling network policy allows for bypassing lateral movement restrictions.", + "Message": "ClusterRole 'system:controller:endpoint-controller' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV056", + "Query": "data.builtin.kubernetes.KSV056.deny", + "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv056" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 22, + "EndLine": 31, + "Code": { + "Lines": [ + { + "Number": 22, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 23, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - endpoints", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - endpoints", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 
27, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - update", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:endpointslice-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:endpointslice-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV056", + "AVDID": "AVD-KSV-0056", + "Title": "Manage Kubernetes networking", + "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. 
Controlling network policy allows for bypassing lateral movement restrictions.", + "Message": "ClusterRole 'system:controller:endpointslice-controller' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV056", + "Query": "data.builtin.kubernetes.KSV056.deny", + "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv056" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 29, + "EndLine": 38, + "Code": { + "Lines": [ + { + "Number": 29, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 30, + "Content": " - discovery.k8s.io", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - discovery.k8s.io", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - endpointslices", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - endpointslices", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, 
+ { + "Number": 34, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 37, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 38, + "Content": " - update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - update", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:endpointslicemirroring-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:endpointslicemirroring-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV056", + "AVDID": "AVD-KSV-0056", + "Title": "Manage Kubernetes networking", + "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. 
Controlling network policy allows for bypassing lateral movement restrictions.", + "Message": "ClusterRole 'system:controller:endpointslicemirroring-controller' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV056", + "Query": "data.builtin.kubernetes.KSV056.deny", + "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv056" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 34, + "EndLine": 43, + "Code": { + "Lines": [ + { + "Number": 34, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 35, + "Content": " - discovery.k8s.io", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - discovery.k8s.io", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 37, + "Content": " - endpointslices", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - endpointslices", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 38, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": 
false + }, + { + "Number": 39, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 40, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 41, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 42, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 43, + "Content": " - update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - update", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:ephemeral-volume-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:ephemeral-volume-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:expand-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:expand-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV041", + 
"AVDID": "AVD-KSV-0041", + "Title": "Manage secrets", + "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", + "Message": "ClusterRole 'system:controller:expand-controller' shouldn't have access to manage resource 'secrets'", + "Namespace": "builtin.kubernetes.KSV041", + "Query": "data.builtin.kubernetes.KSV041.deny", + "Resolution": "Manage secrets are not allowed. Remove resource 'secrets' from cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv041" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 53, + "EndLine": 58, + "Code": { + "Lines": [ + { + "Number": 53, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 54, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:generic-garbage-collector", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:generic-garbage-collector", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV046", + "AVDID": "AVD-KSV-0046", + "Title": "Manage all resources", + "Description": "Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data.", + "Message": "ClusterRole 'system:controller:generic-garbage-collector' shouldn't manage all resources", + "Namespace": "builtin.kubernetes.KSV046", + "Query": "data.builtin.kubernetes.KSV046.deny", + "Resolution": "Remove '*' from 'rules.resources'. 
Provide specific list of resources to be managed by cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv046", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv046" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 13, + "EndLine": 23, + "Code": { + "Lines": [ + { + "Number": 13, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 14, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - patch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - patch", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 22, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:horizontal-pod-autoscaler", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:horizontal-pod-autoscaler", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 2 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV046", + "AVDID": "AVD-KSV-0046", + "Title": "Manage all resources", + "Description": "Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data.", + "Message": "ClusterRole 'system:controller:horizontal-pod-autoscaler' shouldn't manage all resources", + "Namespace": "builtin.kubernetes.KSV046", + "Query": "data.builtin.kubernetes.KSV046.deny", + "Resolution": "Remove '*' from 'rules.resources'. 
Provide specific list of resources to be managed by cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv046", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv046" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 46, + "EndLine": 52, + "Code": { + "Lines": [ + { + "Number": 46, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 47, + "Content": " - custom.metrics.k8s.io", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - custom.metrics.k8s.io", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 48, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV046", + "AVDID": "AVD-KSV-0046", + "Title": 
"Manage all resources", + "Description": "Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data.", + "Message": "ClusterRole 'system:controller:horizontal-pod-autoscaler' shouldn't manage all resources", + "Namespace": "builtin.kubernetes.KSV046", + "Query": "data.builtin.kubernetes.KSV046.deny", + "Resolution": "Remove '*' from 'rules.resources'. Provide specific list of resources to be managed by cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv046", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv046" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 53, + "EndLine": 59, + "Code": { + "Lines": [ + { + "Number": 53, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 54, + "Content": " - external.metrics.k8s.io", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - external.metrics.k8s.io", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " 
- get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:job-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:job-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 2 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:controller:job-controller' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + 
"Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 13, + "EndLine": 22, + "Code": { + "Lines": [ + { + "Number": 13, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 14, + "Content": " - batch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - batch", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " - jobs", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - jobs", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - patch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - patch", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - update", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:controller:job-controller' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 35, + "EndLine": 44, + "Code": { + "Lines": [ + { + "Number": 35, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 36, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 37, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 38, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 39, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 40, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 41, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 42, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 43, + "Content": " - patch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - patch", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 44, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:legacy-service-account-token-cleaner", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:legacy-service-account-token-cleaner", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": 
"KSV041", + "AVDID": "AVD-KSV-0041", + "Title": "Manage secrets", + "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", + "Message": "ClusterRole 'system:controller:legacy-service-account-token-cleaner' shouldn't have access to manage resource 'secrets'", + "Namespace": "builtin.kubernetes.KSV041", + "Query": "data.builtin.kubernetes.KSV041.deny", + "Resolution": "Manage secrets are not allowed. Remove resource 'secrets' from cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv041" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 21, + "EndLine": 27, + "Code": { + "Lines": [ + { + "Number": 21, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 22, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - patch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - patch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:namespace-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:namespace-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV046", + "AVDID": "AVD-KSV-0046", + "Title": "Manage all resources", + "Description": "Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data.", + "Message": "ClusterRole 'system:controller:namespace-controller' shouldn't manage all resources", + "Namespace": "builtin.kubernetes.KSV046", + "Query": "data.builtin.kubernetes.KSV046.deny", + "Resolution": "Remove '*' from 'rules.resources'. 
Provide specific list of resources to be managed by cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv046", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv046" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 29, + "EndLine": 37, + "Code": { + "Lines": [ + { + "Number": 29, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 30, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " - deletecollection", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deletecollection", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 37, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:node-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:node-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:controller:node-controller' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + 
"Provider": "Kubernetes", + "Service": "general", + "StartLine": 37, + "EndLine": 44, + "Code": { + "Lines": [ + { + "Number": 37, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 38, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 39, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 40, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 41, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 42, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 43, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 44, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:persistent-volume-binder", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + 
"Results": [ + { + "Target": "ClusterRole/system:controller:persistent-volume-binder", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 154, + "Failures": 4 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV041", + "AVDID": "AVD-KSV-0041", + "Title": "Manage secrets", + "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", + "Message": "ClusterRole 'system:controller:persistent-volume-binder' shouldn't have access to manage resource 'secrets'", + "Namespace": "builtin.kubernetes.KSV041", + "Query": "data.builtin.kubernetes.KSV041.deny", + "Resolution": "Manage secrets are not allowed. Remove resource 'secrets' from cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv041" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 80, + "EndLine": 85, + "Code": { + "Lines": [ + { + "Number": 80, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 81, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 82, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " - secrets", 
+ "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:controller:persistent-volume-binder' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 45, + "EndLine": 54, + "Code": { + "Lines": [ + { + "Number": 45, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 46, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 47, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 48, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 54, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV056", + "AVDID": "AVD-KSV-0056", + "Title": "Manage Kubernetes networking", + "Description": "The 
ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", + "Message": "ClusterRole 'system:controller:persistent-volume-binder' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV056", + "Query": "data.builtin.kubernetes.KSV056.deny", + "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv056" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 63, + "EndLine": 71, + "Code": { + "Lines": [ + { + "Number": 63, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 64, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 66, + "Content": " - endpoints", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - endpoints", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 67, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 68, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 69, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " - update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - update", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV056", + "AVDID": "AVD-KSV-0056", + "Title": "Manage Kubernetes networking", + "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. 
Controlling network policy allows for bypassing lateral movement restrictions.", + "Message": "ClusterRole 'system:controller:persistent-volume-binder' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV056", + "Query": "data.builtin.kubernetes.KSV056.deny", + "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv056" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 72, + "EndLine": 79, + "Code": { + "Lines": [ + { + "Number": 72, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 73, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " - services", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - services", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 77, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:pod-garbage-collector", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:pod-garbage-collector", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:controller:pod-garbage-collector' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 
'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 13, + "EndLine": 20, + "Code": { + "Lines": [ + { + "Number": 13, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 14, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } 
+ ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:pv-protection-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:pv-protection-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:pvc-protection-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:pvc-protection-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:replicaset-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:replicaset-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 2 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:controller:replicaset-controller' should not have access to resources 
[\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 13, + "EndLine": 22, + "Code": { + "Lines": [ + { + "Number": 13, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 14, + "Content": " - apps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - apps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " - extensions", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - extensions", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " - replicasets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicasets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 19, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - update", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:controller:replicaset-controller' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + 
"CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 37, + "EndLine": 46, + "Code": { + "Lines": [ + { + "Number": 37, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 38, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 39, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 40, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 41, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 42, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 43, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 44, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 45, + "Content": " - patch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - patch", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 46, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:replication-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:replication-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 2 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:controller:replication-controller' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 13, + "EndLine": 21, + "Code": { + "Lines": [ + { + "Number": 13, + "Content": " - apiGroups:", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 14, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " - replicationcontrollers", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicationcontrollers", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - update", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges 
from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:controller:replication-controller' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 34, + "EndLine": 43, + "Code": { + "Lines": [ + { + "Number": 34, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 35, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 37, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 38, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 39, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 40, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 41, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 42, + "Content": " - patch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - patch", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 43, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:resourcequota-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:resourcequota-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV046", + "AVDID": "AVD-KSV-0046", + "Title": "Manage all resources", + "Description": "Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data.", + "Message": "ClusterRole 'system:controller:resourcequota-controller' shouldn't manage all resources", + "Namespace": 
"builtin.kubernetes.KSV046", + "Query": "data.builtin.kubernetes.KSV046.deny", + "Resolution": "Remove '*' from 'rules.resources'. Provide specific list of resources to be managed by cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv046", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv046" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 13, + "EndLine": 19, + "Code": { + "Lines": [ + { + "Number": 13, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 14, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + 
} + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:root-ca-cert-publisher", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:root-ca-cert-publisher", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV049", + "AVDID": "AVD-KSV-0049", + "Title": "Manage configmaps", + "Description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", + "Message": "ClusterRole 'system:controller:root-ca-cert-publisher' should not have access to resource 'configmaps' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV049", + "Query": "data.builtin.kubernetes.KSV049.deny", + "Resolution": "Remove write permission verbs for resource 'configmaps'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv049", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv049" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 13, + "EndLine": 19, + "Code": { + "Lines": [ + { + "Number": 13, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 14, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " - update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - update", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:route-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:route-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:service-account-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:service-account-controller", + "Class": "config", + "Type": "kubernetes", + 
"MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:service-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:service-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:statefulset-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:statefulset-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:controller:statefulset-controller' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": 
"MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 40, + "EndLine": 49, + "Code": { + "Lines": [ + { + "Number": 40, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 41, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 42, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 43, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 44, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 45, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 46, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 47, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 48, + "Content": " - patch", 
+ "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - patch", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " - update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - update", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:ttl-after-finished-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:ttl-after-finished-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:controller:ttl-after-finished-controller' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + 
"https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 13, + "EndLine": 21, + "Code": { + "Lines": [ + { + "Number": 13, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 14, + "Content": " - batch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - batch", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " - jobs", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - jobs", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": 
"ClusterRole", + "Name": "system:controller:ttl-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:ttl-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:controller:validatingadmissionpolicy-status-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:controller:validatingadmissionpolicy-status-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:coredns", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:coredns", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:discovery", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:discovery", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:heapster", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", 
+ "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:heapster", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:kube-aggregator", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:kube-aggregator", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:kube-controller-manager", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:kube-controller-manager", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 155, + "Failures": 5 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV041", + "AVDID": "AVD-KSV-0041", + "Title": "Manage secrets", + "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", + "Message": "ClusterRole 'system:kube-controller-manager' shouldn't have access to manage resource 'secrets'", + "Namespace": "builtin.kubernetes.KSV041", + "Query": "data.builtin.kubernetes.KSV041.deny", + "Resolution": "Manage secrets are not allowed. 
Remove resource 'secrets' from cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv041" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 37, + "EndLine": 43, + "Code": { + "Lines": [ + { + "Number": 37, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 38, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 39, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 40, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 41, + "Content": " - serviceaccounts", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - serviceaccounts", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 42, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 43, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV041", + "AVDID": "AVD-KSV-0041", + "Title": "Manage secrets", + 
"Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", + "Message": "ClusterRole 'system:kube-controller-manager' shouldn't have access to manage resource 'secrets'", + "Namespace": "builtin.kubernetes.KSV041", + "Query": "data.builtin.kubernetes.KSV041.deny", + "Resolution": "Manage secrets are not allowed. Remove resource 'secrets' from cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv041" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 44, + "EndLine": 49, + "Code": { + "Lines": [ + { + "Number": 44, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 45, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 46, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 47, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 48, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { 
+ "Number": 49, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV041", + "AVDID": "AVD-KSV-0041", + "Title": "Manage secrets", + "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", + "Message": "ClusterRole 'system:kube-controller-manager' shouldn't have access to manage resource 'secrets'", + "Namespace": "builtin.kubernetes.KSV041", + "Query": "data.builtin.kubernetes.KSV041.deny", + "Resolution": "Manage secrets are not allowed. Remove resource 'secrets' from cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv041" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 50, + "EndLine": 58, + "Code": { + "Lines": [ + { + "Number": 50, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 51, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " - configmaps", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 54, + "Content": " - namespaces", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - namespaces", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - serviceaccounts", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - serviceaccounts", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV041", + "AVDID": "AVD-KSV-0041", + "Title": "Manage secrets", + "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", + "Message": "ClusterRole 'system:kube-controller-manager' shouldn't have access to manage resource 'secrets'", + "Namespace": "builtin.kubernetes.KSV041", + "Query": "data.builtin.kubernetes.KSV041.deny", + "Resolution": "Manage secrets are not allowed. 
Remove resource 'secrets' from cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv041" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 59, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 59, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 60, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 63, + "Content": " - serviceaccounts", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - serviceaccounts", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " - update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - update", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV046", + "AVDID": "AVD-KSV-0046", + "Title": "Manage all resources", 
+ "Description": "Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data.", + "Message": "ClusterRole 'system:kube-controller-manager' shouldn't manage all resources", + "Namespace": "builtin.kubernetes.KSV046", + "Query": "data.builtin.kubernetes.KSV046.deny", + "Resolution": "Remove '*' from 'rules.resources'. Provide specific list of resources to be managed by cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv046", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv046" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 78, + "EndLine": 84, + "Code": { + "Lines": [ + { + "Number": 78, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 79, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 82, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " - list", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:kube-dns", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:kube-dns", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:kube-scheduler", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:kube-scheduler", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:kube-scheduler' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": 
"data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 60, + "EndLine": 68, + "Code": { + "Lines": [ + { + "Number": 60, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 61, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 63, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 66, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 67, + "Content": " - list", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 68, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:kubelet-api-admin", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:kubelet-api-admin", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:monitoring", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:monitoring", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:node", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:node", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 155, + "Failures": 2 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV041", + "AVDID": "AVD-KSV-0041", + "Title": "Manage secrets", + "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a 
role/clusterrole that gives similar permissions.", + "Message": "ClusterRole 'system:node' shouldn't have access to manage resource 'secrets'", + "Namespace": "builtin.kubernetes.KSV041", + "Query": "data.builtin.kubernetes.KSV041.deny", + "Resolution": "Manage secrets are not allowed. Remove resource 'secrets' from cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv041" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 93, + "EndLine": 101, + "Code": { + "Lines": [ + { + "Number": 93, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 94, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 95, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 96, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 97, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 98, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 99, + "Content": " - get", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 100, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 101, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'system:node' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 73, + "EndLine": 79, + "Code": { + "Lines": [ + { + "Number": 73, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + 
"FirstCause": true, + "LastCause": false + }, + { + "Number": 74, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:node-bootstrapper", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:node-bootstrapper", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:node-problem-detector", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": 
"ClusterRole/system:node-problem-detector", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:node-proxier", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:node-proxier", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:persistent-volume-provisioner", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:persistent-volume-provisioner", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:public-info-viewer", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:public-info-viewer", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "system:service-account-issuer-discovery", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:service-account-issuer-discovery", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + 
}, + { + "Kind": "ClusterRole", + "Name": "system:volume-scheduler", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/system:volume-scheduler", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRole", + "Name": "view", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRole/view", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "cluster-admin", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/cluster-admin", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV111", + "AVDID": "AVD-KSV-0111", + "Title": "User with admin access", + "Description": "Either cluster-admin or those granted powerful permissions.", + "Message": "ClusterRoleBinding 'cluster-admin' should not bind to roles [\"cluster-admin\", \"admin\", \"edit\"]", + "Namespace": "builtin.kubernetes.KSV111", + "Query": "data.builtin.kubernetes.KSV111.deny", + "Resolution": "Remove binding for clusterrole 'cluster-admin', 'admin' or 'edit'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv111", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + 
"https://avd.aquasec.com/misconfig/ksv111" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 4, + "EndLine": 11, + "Code": { + "Lines": [ + { + "Number": 4, + "Content": " annotations:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mannotations\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 5, + "Content": " rbac.authorization.kubernetes.io/autoupdate: \"true\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrbac.authorization.kubernetes.io/autoupdate\u001b[0m: \u001b[38;5;37m\"true\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 6, + "Content": " creationTimestamp: \"2024-12-03T06:17:02Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcreationTimestamp\u001b[0m: \u001b[38;5;37m\"2024-12-03T06:17:02Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 7, + "Content": " labels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mlabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 8, + "Content": " kubernetes.io/bootstrapping: rbac-defaults", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkubernetes.io/bootstrapping\u001b[0m: rbac-defaults", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 9, + "Content": " name: cluster-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: cluster-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": " resourceVersion: \"136\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresourceVersion\u001b[0m: \u001b[38;5;37m\"136\"", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 11, + "Content": " uid: 247ec126-fefa-4562-bd87-d6f8faa439d5", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33muid\u001b[0m: 247ec126-fefa-4562-bd87-d6f8faa439d5", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "kindnet", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/kindnet", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "kubeadm:cluster-admins", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/kubeadm:cluster-admins", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV111", + "AVDID": "AVD-KSV-0111", + "Title": "User with admin access", + "Description": "Either cluster-admin or those granted powerful permissions.", + "Message": "ClusterRoleBinding 'kubeadm:cluster-admins' should not bind to roles [\"cluster-admin\", \"admin\", \"edit\"]", + "Namespace": "builtin.kubernetes.KSV111", + "Query": "data.builtin.kubernetes.KSV111.deny", + "Resolution": "Remove binding for clusterrole 'cluster-admin', 'admin' or 'edit'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv111", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv111" + ], + "Status": 
"FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 4, + "EndLine": 7, + "Code": { + "Lines": [ + { + "Number": 4, + "Content": " creationTimestamp: \"2024-12-03T06:17:02Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcreationTimestamp\u001b[0m: \u001b[38;5;37m\"2024-12-03T06:17:02Z\"", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 5, + "Content": " name: kubeadm:cluster-admins", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: kubeadm:cluster-admins", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 6, + "Content": " resourceVersion: \"200\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresourceVersion\u001b[0m: \u001b[38;5;37m\"200\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 7, + "Content": " uid: 901a355f-8c15-4c6c-8795-80c2b0de0eec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33muid\u001b[0m: 901a355f-8c15-4c6c-8795-80c2b0de0eec", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "kubeadm:get-nodes", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/kubeadm:get-nodes", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "kubeadm:kubelet-bootstrap", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + 
"Results": [ + { + "Target": "ClusterRoleBinding/kubeadm:kubelet-bootstrap", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "kubeadm:node-autoapprove-bootstrap", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/kubeadm:node-autoapprove-bootstrap", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "kubeadm:node-autoapprove-certificate-rotation", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/kubeadm:node-autoapprove-certificate-rotation", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "kubeadm:node-proxier", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/kubeadm:node-proxier", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "local-path-provisioner-bind", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/local-path-provisioner-bind", + "Class": 
"config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:basic-user", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:basic-user", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:attachdetach-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:attachdetach-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:certificate-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:certificate-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:clusterrole-aggregation-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:clusterrole-aggregation-controller", + "Class": "config", + "Type": "kubernetes", + 
"MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:cronjob-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:cronjob-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:daemon-set-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:daemon-set-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:deployment-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:deployment-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:disruption-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:disruption-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 
157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:endpoint-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:endpoint-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:endpointslice-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:endpointslice-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:endpointslicemirroring-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:endpointslicemirroring-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:ephemeral-volume-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:ephemeral-volume-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + 
"Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:expand-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:expand-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:generic-garbage-collector", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:generic-garbage-collector", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:horizontal-pod-autoscaler", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:horizontal-pod-autoscaler", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:job-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:job-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } 
+ } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:legacy-service-account-token-cleaner", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:legacy-service-account-token-cleaner", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:namespace-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:namespace-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:node-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:node-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:persistent-volume-binder", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:persistent-volume-binder", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + 
}, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:pod-garbage-collector", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:pod-garbage-collector", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:pv-protection-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:pv-protection-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:pvc-protection-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:pvc-protection-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:replicaset-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:replicaset-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": 
"ClusterRoleBinding", + "Name": "system:controller:replication-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:replication-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:resourcequota-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:resourcequota-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:root-ca-cert-publisher", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:root-ca-cert-publisher", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:route-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:route-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": 
"system:controller:service-account-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:service-account-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:service-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:service-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:statefulset-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:statefulset-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:ttl-after-finished-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:ttl-after-finished-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": 
"system:controller:ttl-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:ttl-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:controller:validatingadmissionpolicy-status-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:controller:validatingadmissionpolicy-status-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:coredns", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:coredns", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:discovery", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:discovery", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:kube-controller-manager", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + 
"created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:kube-controller-manager", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:kube-dns", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:kube-dns", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:kube-scheduler", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:kube-scheduler", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:monitoring", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:monitoring", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:node", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:node", + 
"Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:node-proxier", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:node-proxier", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:public-info-viewer", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:public-info-viewer", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:service-account-issuer-discovery", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:service-account-issuer-discovery", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "ClusterRoleBinding", + "Name": "system:volume-scheduler", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ClusterRoleBinding/system:volume-scheduler", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": 
"Node", + "Name": "kind-control-plane", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "Node/kind-control-plane", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Kind": "NodeInfo", + "Name": "kind-control-plane", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "NodeInfo/kind-control-plane", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 152, + "Failures": 5 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KCV0056", + "AVDID": "AVD-KCV-0056", + "Title": "Ensure that the container network interface file permissions are set to 600 or more restrictive", + "Description": "Ensure that the container network interface file has permissions of 600 or more restrictive.", + "Message": "Ensure that the Container Network Interface specification file permissions is set to 600 or more restrictive", + "Namespace": "builtin.kubernetes.KCV0056", + "Query": "data.builtin.kubernetes.KCV0056.deny", + "Resolution": "Change the container network interface file path/to/cni/files permissions of 600 or more restrictive ", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/kcv0056", + "References": [ + "https://www.cisecurity.org/benchmark/kubernetes", + "https://avd.aquasec.com/misconfig/kcv0056" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KCV0059", + "AVDID": "AVD-KCV-0059", + "Title": "Ensure that the etcd data directory 
ownership is set to etcd:etcd", + "Description": "Ensure that the etcd data directory ownership is set to etcd:etcd.", + "Message": "Ensure that the etcd data directory ownership is set to etcd:etcd", + "Namespace": "builtin.kubernetes.KCV0059", + "Query": "data.builtin.kubernetes.KCV0059.deny", + "Resolution": "Change the etcd data directory /var/lib/etcd ownership to etcd:etcd", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/kcv0059", + "References": [ + "https://www.cisecurity.org/benchmark/kubernetes", + "https://avd.aquasec.com/misconfig/kcv0059" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KCV0069", + "AVDID": "AVD-KCV-0069", + "Title": "Ensure that the kubelet service file permissions are set to 600 or more restrictive", + "Description": "Ensure that the kubelet service file has permissions of 600 or more restrictive.", + "Message": "Ensure that the kubelet service file permissions are set to 600 or more restrictive", + "Namespace": "builtin.kubernetes.KCV0069", + "Query": "data.builtin.kubernetes.KCV0069.deny", + "Resolution": "Change the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf permissions of 600 or more restrictive ", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/kcv0069", + "References": [ + "https://www.cisecurity.org/benchmark/kubernetes", + "https://avd.aquasec.com/misconfig/kcv0069" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KCV0075", + "AVDID": "AVD-KCV-0075", + "Title": "Ensure that the certificate authorities file permissions are set to 600 or more restrictive", + "Description": "Ensure that the certificate authorities file has permissions of 
600 or more restrictive.", + "Message": "Ensure that the certificate authorities file permissions are set to 600 or more restrictive", + "Namespace": "builtin.kubernetes.KCV0075", + "Query": "data.builtin.kubernetes.KCV0075.deny", + "Resolution": "Change the certificate authorities file permissions to 600 or more restrictive if exist", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/kcv0075", + "References": [ + "https://www.cisecurity.org/benchmark/kubernetes", + "https://avd.aquasec.com/misconfig/kcv0075" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KCV0077", + "AVDID": "AVD-KCV-0077", + "Title": "If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive", + "Description": "Ensure that if the kubelet refers to a configuration file with the --config argument, that file has permissions of 600 or more restrictive.", + "Message": "Ensure that if the kubelet refers to a configuration file with the --config argument, that file has permissions of 600 or more restrictive.", + "Namespace": "builtin.kubernetes.KCV0077", + "Query": "data.builtin.kubernetes.KCV0077.deny", + "Resolution": "Change the kubelet config yaml permissions to 600 or more restrictive if exist", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/kcv0077", + "References": [ + "https://www.cisecurity.org/benchmark/kubernetes", + "https://avd.aquasec.com/misconfig/kcv0077" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] + } + ] + }, + { + "Namespace": "default", + "Kind": "ConfigMap", + "Name": "kube-root-ca.crt", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + 
"type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ConfigMap/kube-root-ca.crt", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "default", + "Kind": "Service", + "Name": "kubernetes", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "Service/kubernetes", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "default", + "Kind": "ServiceAccount", + "Name": "default", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/default", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-node-lease", + "Kind": "ConfigMap", + "Name": "kube-root-ca.crt", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ConfigMap/kube-root-ca.crt", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-node-lease", + "Kind": "ServiceAccount", + "Name": "default", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/default", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + 
"Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-public", + "Kind": "ConfigMap", + "Name": "cluster-info", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ConfigMap/cluster-info", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-public", + "Kind": "ConfigMap", + "Name": "kube-root-ca.crt", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ConfigMap/kube-root-ca.crt", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-public", + "Kind": "Role", + "Name": "kubeadm:bootstrap-signer-clusterinfo", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "Role/kubeadm:bootstrap-signer-clusterinfo", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-public", + "Kind": "Role", + "Name": "system:controller:bootstrap-signer", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "Role/system:controller:bootstrap-signer", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": 
"KSV049", + "AVDID": "AVD-KSV-0049", + "Title": "Manage configmaps", + "Description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", + "Message": "Role 'system:controller:bootstrap-signer' should not have access to resource 'configmaps' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV049", + "Query": "data.builtin.kubernetes.KSV049.deny", + "Resolution": "Remove write permission verbs for resource 'configmaps'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv049", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv049" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 22, + "EndLine": 29, + "Code": { + "Lines": [ + { + "Number": 22, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 23, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " resourceNames:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresourceNames\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - cluster-info", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cluster-info", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " resources:", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - update", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Namespace": "kube-public", + "Kind": "RoleBinding", + "Name": "kubeadm:bootstrap-signer-clusterinfo", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "RoleBinding/kubeadm:bootstrap-signer-clusterinfo", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV122", + "AVDID": "AVD-KSV-0122", + "Title": "Anonymous user access binding", + "Description": "Binding to anonymous user to any clusterrole or role is a security risk.", + "Message": "RoleBinding 'kubeadm:bootstrap-signer-clusterinfo' should not bind to roles [\"system:unauthenticated\", \"system:anonymous\"]", + "Namespace": "appshield.kubernetes.KSV122", + "Query": "data.appshield.kubernetes.KSV122.deny", + "Resolution": "Remove anonymous user binding from clusterrolebinding or rolebinding.", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv122", + "References": [ + 
"https://blog.aquasec.com/kubernetes-exposed-one-yaml-away-from-disaster", + "https://avd.aquasec.com/misconfig/ksv122" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 4, + "EndLine": 8, + "Code": { + "Lines": [ + { + "Number": 4, + "Content": " creationTimestamp: \"2024-12-03T06:17:03Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcreationTimestamp\u001b[0m: \u001b[38;5;37m\"2024-12-03T06:17:03Z\"", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 5, + "Content": " name: kubeadm:bootstrap-signer-clusterinfo", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: kubeadm:bootstrap-signer-clusterinfo", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 6, + "Content": " namespace: kube-public", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mnamespace\u001b[0m: kube-public", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 7, + "Content": " resourceVersion: \"254\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresourceVersion\u001b[0m: \u001b[38;5;37m\"254\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 8, + "Content": " uid: 5ac30a31-14b7-4112-8105-5d551cc1c39f", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33muid\u001b[0m: 5ac30a31-14b7-4112-8105-5d551cc1c39f", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Namespace": "kube-public", + "Kind": "RoleBinding", + "Name": "system:controller:bootstrap-signer", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + 
"Target": "RoleBinding/system:controller:bootstrap-signer", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-public", + "Kind": "ServiceAccount", + "Name": "default", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/default", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ConfigMap", + "Name": "coredns", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ConfigMap/coredns", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ConfigMap", + "Name": "extension-apiserver-authentication", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ConfigMap/extension-apiserver-authentication", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "AVD-KSV-01010", + "AVDID": "AVD-KSV-01010", + "Title": "ConfigMap with sensitive content", + "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", + "Message": "ConfigMap 'extension-apiserver-authentication' in 'kube-system' namespace stores sensitive contents in key(s) or value(s) 
'{\"requestheader-username-headers\"}'", + "Namespace": "builtin.kubernetes.KSV01010", + "Query": "data.builtin.kubernetes.KSV01010.deny", + "Resolution": "Remove sensitive content from configMap data value", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", + "References": [ + "https://avd.aquasec.com/misconfig/avd-ksv-01010" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ConfigMap", + "Name": "kube-apiserver-legacy-service-account-token-tracking", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ConfigMap/kube-apiserver-legacy-service-account-token-tracking", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ConfigMap", + "Name": "kube-proxy", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ConfigMap/kube-proxy", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ConfigMap", + "Name": "kube-root-ca.crt", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ConfigMap/kube-root-ca.crt", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": 
"kube-system", + "Kind": "ConfigMap", + "Name": "kubeadm-config", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ConfigMap/kubeadm-config", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ConfigMap", + "Name": "kubelet-config", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ConfigMap/kubelet-config", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "DaemonSet", + "Name": "kindnet", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "DaemonSet/kindnet", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 143, + "Failures": 14 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'kindnet-cni' of DaemonSet 'kindnet' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 30, + "EndLine": 70, + "Code": { + "Lines": [ + { + "Number": 30, + "Content": " - env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: HOST_IP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: HOST_IP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " fieldPath: status.hostIP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldPath\u001b[0m: status.hostIP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + "Content": " - name: POD_IP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_IP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 37, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 38, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 39, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'kindnet-cni' of DaemonSet 'kindnet' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 30, + "EndLine": 70, + "Code": { + "Lines": [ + { + "Number": 30, + "Content": " - env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: HOST_IP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: HOST_IP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " fieldPath: status.hostIP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldPath\u001b[0m: status.hostIP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + "Content": " - name: POD_IP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_IP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 37, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 38, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 39, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV009", + "AVDID": "AVD-KSV-0009", + "Title": "Access to host network", + "Description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", + "Message": "DaemonSet 'kindnet' should not set 'spec.template.spec.hostNetwork' to true", + "Namespace": 
"builtin.kubernetes.KSV009", + "Query": "data.builtin.kubernetes.KSV009.deny", + "Resolution": "Do not set 'spec.template.spec.hostNetwork' to true.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv009", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv009" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 17, + "EndLine": 100, + "Code": { + "Lines": [ + { + "Number": 17, + "Content": " revisionHistoryLimit: 10", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrevisionHistoryLimit\u001b[0m: \u001b[38;5;37m10", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 18, + "Content": " selector:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " matchLabels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " app: kindnet", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp\u001b[0m: kindnet", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " template:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " metadata:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " creationTimestamp: null", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mcreationTimestamp\u001b[0m: \u001b[38;5;166mnull", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " labels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mlabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " app: kindnet", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp\u001b[0m: kindnet", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 26, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'kindnet-cni' of DaemonSet 'kindnet' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 30, + "EndLine": 70, + "Code": { + "Lines": [ + { + "Number": 30, + "Content": " - env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: HOST_IP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: HOST_IP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " fieldPath: status.hostIP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldPath\u001b[0m: status.hostIP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + "Content": " - name: POD_IP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_IP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 37, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 38, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 39, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from 
writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'kindnet-cni' of DaemonSet 'kindnet' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 30, + "EndLine": 70, + "Code": { + "Lines": [ + { + "Number": 30, + "Content": " - env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: HOST_IP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: HOST_IP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " fieldPath: 
status.hostIP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldPath\u001b[0m: status.hostIP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + "Content": " - name: POD_IP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_IP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 37, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 38, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 39, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'kindnet-cni' of DaemonSet 'kindnet' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 30, + "EndLine": 70, + "Code": { + "Lines": [ + { + "Number": 30, + "Content": " - env:", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: HOST_IP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: HOST_IP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " fieldPath: status.hostIP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldPath\u001b[0m: status.hostIP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + "Content": " - name: POD_IP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_IP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 37, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 38, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 39, + "Content": "", + "IsCause": false, + "Annotation": "", + 
"Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'kindnet-cni' of DaemonSet 'kindnet' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 30, + "EndLine": 70, + "Code": { + "Lines": [ + { + "Number": 30, + "Content": " - env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: HOST_IP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: HOST_IP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " fieldPath: status.hostIP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldPath\u001b[0m: status.hostIP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + "Content": " - name: POD_IP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_IP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 37, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 38, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 39, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV022", + "AVDID": "AVD-KSV-0022", + "Title": "Specific capabilities added", + "Description": "According to pod security standard 'Capabilities', capabilities beyond the default set must not be added.", + "Message": "Container 'kindnet-cni' of DaemonSet 'kindnet' should not set 'securityContext.capabilities.add'", + "Namespace": "builtin.kubernetes.KSV022", + "Query": "data.builtin.kubernetes.KSV022.deny", + "Resolution": "Do not set spec.containers[*].securityContext.capabilities.add and spec.initContainers[*].securityContext.capabilities.add.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv022", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv022" + ], 
+ "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 30, + "EndLine": 70, + "Code": { + "Lines": [ + { + "Number": 30, + "Content": " - env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: HOST_IP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: HOST_IP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " fieldPath: status.hostIP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldPath\u001b[0m: status.hostIP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + "Content": " - name: POD_IP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_IP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 37, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 38, + "Content": " fieldRef:", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 39, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV023", + "AVDID": "AVD-KSV-0023", + "Title": "hostPath volumes mounted", + "Description": "According to pod security standard 'HostPath Volumes', HostPath volumes must be forbidden.", + "Message": "DaemonSet 'kindnet' should not set 'spec.template.volumes.hostPath'", + "Namespace": "builtin.kubernetes.KSV023", + "Query": "data.builtin.kubernetes.KSV023.deny", + "Resolution": "Do not set 'spec.volumes[*].hostPath'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv023", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv023" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 17, + "EndLine": 100, + "Code": { + "Lines": [ + { + "Number": 17, + "Content": " revisionHistoryLimit: 10", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrevisionHistoryLimit\u001b[0m: \u001b[38;5;37m10", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 18, + "Content": " selector:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " matchLabels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " app: kindnet", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mapp\u001b[0m: kindnet", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " template:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " metadata:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " creationTimestamp: null", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcreationTimestamp\u001b[0m: \u001b[38;5;166mnull", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " labels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mlabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " app: kindnet", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp\u001b[0m: kindnet", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 26, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 
'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 30, + "EndLine": 70, + "Code": { + "Lines": [ + { + "Number": 30, + "Content": " - env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: HOST_IP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: HOST_IP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " fieldPath: status.hostIP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldPath\u001b[0m: status.hostIP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + "Content": " - name: POD_IP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": 
" - \u001b[38;5;33mname\u001b[0m: POD_IP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 37, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 38, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 39, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV037", + "AVDID": "AVD-KSV-0037", + "Title": "User Pods should not be placed in kube-system namespace", + "Description": "ensure that User pods are not placed in kube-system namespace", + "Message": "DaemonSet 'kindnet' should not be set with 'kube-system' namespace", + "Namespace": "builtin.kubernetes.KSV037", + "Query": "data.builtin.kubernetes.KSV037.deny", + "Resolution": "Deploy the use pods into a designated namespace which is not kube-system.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv037", + "References": [ + "https://kubernetes.io/docs/reference/setup-tools/kubeadm/implementation-details/", + "https://avd.aquasec.com/misconfig/ksv037" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 17, + "EndLine": 100, + "Code": { + "Lines": [ + { + "Number": 17, + "Content": " revisionHistoryLimit: 10", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrevisionHistoryLimit\u001b[0m: \u001b[38;5;37m10", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 18, + "Content": " selector:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33mselector\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " matchLabels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " app: kindnet", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp\u001b[0m: kindnet", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " template:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " metadata:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " creationTimestamp: null", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcreationTimestamp\u001b[0m: \u001b[38;5;166mnull", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " labels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mlabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " app: kindnet", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp\u001b[0m: kindnet", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 26, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp 
protection policies.", + "Message": "container \"kindnet-cni\" of daemonset \"kindnet\" in \"kube-system\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 30, + "EndLine": 70, + "Code": { + "Lines": [ + { + "Number": 30, + "Content": " - env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 31, + 
"Content": " - name: HOST_IP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: HOST_IP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " fieldPath: status.hostIP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldPath\u001b[0m: status.hostIP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + "Content": " - name: POD_IP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_IP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 37, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 38, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 39, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV119", + "AVDID": "AVD-KSV-0119", + 
"Title": "NET_RAW capability added", + "Description": "The NET_RAW capability grants attackers the ability to eavesdrop on network traffic or generate IP traffic with falsified source addresses, posing serious security risks.", + "Message": "container kindnet-cni of daemonset kindnet in kube-system namespace should not include 'NET_RAW' in securityContext.capabilities.add", + "Namespace": "builtin.kubernetes.KSV119", + "Query": "data.builtin.kubernetes.KSV119.deny", + "Resolution": "To mitigate potential security risks, it is strongly recommended to remove the NET_RAW capability from 'containers[].securityContext.capabilities.add'. It is advisable to follow the practice of dropping all capabilities and only adding the necessary ones.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv119", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/", + "https://avd.aquasec.com/misconfig/ksv119" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "DaemonSet", + "Name": "kube-proxy", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "DaemonSet/kube-proxy", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 140, + "Failures": 17 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 
'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - /usr/local/bin/kube-proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /usr/local/bin/kube-proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --config=/var/lib/kube-proxy/config.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config=/var/lib/kube-proxy/config.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --hostname-override=$(NODE_NAME)", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --hostname-override=$(NODE_NAME)", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: NODE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NODE_NAME", + "FirstCause": false, + "LastCause": 
false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'kube-proxy' of DaemonSet 'kube-proxy' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + 
"LastCause": false + }, + { + "Number": 27, + "Content": " - /usr/local/bin/kube-proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /usr/local/bin/kube-proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --config=/var/lib/kube-proxy/config.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config=/var/lib/kube-proxy/config.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --hostname-override=$(NODE_NAME)", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --hostname-override=$(NODE_NAME)", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: NODE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NODE_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": 
"Kubernetes Security Check", + "ID": "KSV009", + "AVDID": "AVD-KSV-0009", + "Title": "Access to host network", + "Description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", + "Message": "DaemonSet 'kube-proxy' should not set 'spec.template.spec.hostNetwork' to true", + "Namespace": "builtin.kubernetes.KSV009", + "Query": "data.builtin.kubernetes.KSV009.deny", + "Resolution": "Do not set 'spec.template.spec.hostNetwork' to true.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv009", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv009" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 15, + "EndLine": 82, + "Code": { + "Lines": [ + { + "Number": 15, + "Content": " revisionHistoryLimit: 10", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrevisionHistoryLimit\u001b[0m: \u001b[38;5;37m10", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 16, + "Content": " selector:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " matchLabels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " k8s-app: kube-proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mk8s-app\u001b[0m: kube-proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " template:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mtemplate\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " metadata:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " creationTimestamp: null", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcreationTimestamp\u001b[0m: \u001b[38;5;166mnull", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " labels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mlabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " k8s-app: kube-proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mk8s-app\u001b[0m: kube-proxy", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 24, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + 
"Service": "general", + "StartLine": 26, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - /usr/local/bin/kube-proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /usr/local/bin/kube-proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --config=/var/lib/kube-proxy/config.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config=/var/lib/kube-proxy/config.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --hostname-override=$(NODE_NAME)", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --hostname-override=$(NODE_NAME)", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: NODE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NODE_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mapiVersion\u001b[0m: v1", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - /usr/local/bin/kube-proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /usr/local/bin/kube-proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --config=/var/lib/kube-proxy/config.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config=/var/lib/kube-proxy/config.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --hostname-override=$(NODE_NAME)", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " - --hostname-override=$(NODE_NAME)", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: NODE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NODE_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - /usr/local/bin/kube-proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /usr/local/bin/kube-proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --config=/var/lib/kube-proxy/config.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config=/var/lib/kube-proxy/config.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --hostname-override=$(NODE_NAME)", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --hostname-override=$(NODE_NAME)", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + 
"Content": " - name: NODE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NODE_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 
51, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - /usr/local/bin/kube-proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /usr/local/bin/kube-proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --config=/var/lib/kube-proxy/config.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config=/var/lib/kube-proxy/config.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --hostname-override=$(NODE_NAME)", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --hostname-override=$(NODE_NAME)", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: NODE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NODE_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", + 
"FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - /usr/local/bin/kube-proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /usr/local/bin/kube-proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --config=/var/lib/kube-proxy/config.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config=/var/lib/kube-proxy/config.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --hostname-override=$(NODE_NAME)", + "IsCause": true, + "Annotation": "", + "Truncated": false, 
+ "Highlighted": " - --hostname-override=$(NODE_NAME)", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: NODE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NODE_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV017", + "AVDID": "AVD-KSV-0017", + "Title": "Privileged", + "Description": "Privileged containers share namespaces with the host system and do not offer any security. 
They should be used exclusively for system containers that require high privileges.", + "Message": "Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.privileged' to false", + "Namespace": "builtin.kubernetes.KSV017", + "Query": "data.builtin.kubernetes.KSV017.deny", + "Resolution": "Change 'containers[].securityContext.privileged' to 'false'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv017", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv017" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - /usr/local/bin/kube-proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /usr/local/bin/kube-proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --config=/var/lib/kube-proxy/config.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config=/var/lib/kube-proxy/config.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --hostname-override=$(NODE_NAME)", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --hostname-override=$(NODE_NAME)", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: NODE_NAME", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NODE_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": 
true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - /usr/local/bin/kube-proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /usr/local/bin/kube-proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --config=/var/lib/kube-proxy/config.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config=/var/lib/kube-proxy/config.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --hostname-override=$(NODE_NAME)", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --hostname-override=$(NODE_NAME)", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: NODE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NODE_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + 
"Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - /usr/local/bin/kube-proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /usr/local/bin/kube-proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --config=/var/lib/kube-proxy/config.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config=/var/lib/kube-proxy/config.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --hostname-override=$(NODE_NAME)", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --hostname-override=$(NODE_NAME)", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: NODE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NODE_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", 
+ "StartLine": 26, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - /usr/local/bin/kube-proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /usr/local/bin/kube-proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --config=/var/lib/kube-proxy/config.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config=/var/lib/kube-proxy/config.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --hostname-override=$(NODE_NAME)", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --hostname-override=$(NODE_NAME)", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: NODE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NODE_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mapiVersion\u001b[0m: v1", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV023", + "AVDID": "AVD-KSV-0023", + "Title": "hostPath volumes mounted", + "Description": "According to pod security standard 'HostPath Volumes', HostPath volumes must be forbidden.", + "Message": "DaemonSet 'kube-proxy' should not set 'spec.template.volumes.hostPath'", + "Namespace": "builtin.kubernetes.KSV023", + "Query": "data.builtin.kubernetes.KSV023.deny", + "Resolution": "Do not set 'spec.volumes[*].hostPath'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv023", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv023" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 15, + "EndLine": 82, + "Code": { + "Lines": [ + { + "Number": 15, + "Content": " revisionHistoryLimit: 10", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrevisionHistoryLimit\u001b[0m: \u001b[38;5;37m10", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 16, + "Content": " selector:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " matchLabels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " k8s-app: kube-proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mk8s-app\u001b[0m: 
kube-proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " template:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " metadata:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " creationTimestamp: null", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcreationTimestamp\u001b[0m: \u001b[38;5;166mnull", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " labels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mlabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " k8s-app: kube-proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mk8s-app\u001b[0m: kube-proxy", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 24, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 
'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - /usr/local/bin/kube-proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /usr/local/bin/kube-proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --config=/var/lib/kube-proxy/config.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config=/var/lib/kube-proxy/config.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --hostname-override=$(NODE_NAME)", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --hostname-override=$(NODE_NAME)", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: NODE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NODE_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV037", + "AVDID": "AVD-KSV-0037", + "Title": "User Pods should not be placed in kube-system namespace", + "Description": "ensure that User pods are not placed in kube-system namespace", + "Message": "DaemonSet 'kube-proxy' should not be set with 'kube-system' namespace", + "Namespace": "builtin.kubernetes.KSV037", + "Query": "data.builtin.kubernetes.KSV037.deny", + "Resolution": "Deploy the use pods into a designated namespace which is not kube-system.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv037", + "References": [ + "https://kubernetes.io/docs/reference/setup-tools/kubeadm/implementation-details/", + "https://avd.aquasec.com/misconfig/ksv037" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 15, + "EndLine": 82, + "Code": { + "Lines": [ + { + "Number": 15, + "Content": " revisionHistoryLimit: 10", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrevisionHistoryLimit\u001b[0m: \u001b[38;5;37m10", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 16, + "Content": " selector:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33mselector\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " matchLabels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " k8s-app: kube-proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mk8s-app\u001b[0m: kube-proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " template:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " metadata:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " creationTimestamp: null", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcreationTimestamp\u001b[0m: \u001b[38;5;166mnull", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " labels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mlabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " k8s-app: kube-proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mk8s-app\u001b[0m: kube-proxy", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 24, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the 
container can bypass Seccomp protection policies.", + "Message": "container \"kube-proxy\" of daemonset \"kube-proxy\" in \"kube-system\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + 
"LastCause": false + }, + { + "Number": 27, + "Content": " - /usr/local/bin/kube-proxy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /usr/local/bin/kube-proxy", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --config=/var/lib/kube-proxy/config.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config=/var/lib/kube-proxy/config.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --hostname-override=$(NODE_NAME)", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --hostname-override=$(NODE_NAME)", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: NODE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NODE_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " apiVersion: v1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapiVersion\u001b[0m: v1", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + } + ] + }, + { 
+ "Namespace": "kube-system", + "Kind": "Deployment", + "Name": "coredns", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "Deployment/coredns", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 148, + "Failures": 9 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'coredns' of Deployment 'coredns' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 45, + "EndLine": 99, + "Code": { + "Lines": [ + { + "Number": 45, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 46, + "Content": " - -conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 47, + "Content": " - /etc/coredns/Corefile", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/coredns/Corefile", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 48, + "Content": " 
image: registry.k8s.io/coredns/coredns:v1.11.3", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: registry.k8s.io/coredns/coredns:v1.11.3", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " livenessProbe:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlivenessProbe\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " failureThreshold: 5", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfailureThreshold\u001b[0m: \u001b[38;5;37m5", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " httpGet:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mhttpGet\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " path: /health", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mpath\u001b[0m: /health", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 54, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'coredns' of Deployment 'coredns' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + 
"Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 45, + "EndLine": 99, + "Code": { + "Lines": [ + { + "Number": 45, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 46, + "Content": " - -conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 47, + "Content": " - /etc/coredns/Corefile", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/coredns/Corefile", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 48, + "Content": " image: registry.k8s.io/coredns/coredns:v1.11.3", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: registry.k8s.io/coredns/coredns:v1.11.3", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " livenessProbe:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlivenessProbe\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " failureThreshold: 5", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mfailureThreshold\u001b[0m: \u001b[38;5;37m5", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " httpGet:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mhttpGet\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " path: /health", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mpath\u001b[0m: /health", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 54, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'coredns' of Deployment 'coredns' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 45, + "EndLine": 99, + "Code": { + "Lines": [ + { + "Number": 45, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 46, + "Content": " - -conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -conf", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 47, + "Content": " - /etc/coredns/Corefile", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/coredns/Corefile", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 48, + "Content": " image: registry.k8s.io/coredns/coredns:v1.11.3", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: registry.k8s.io/coredns/coredns:v1.11.3", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " livenessProbe:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlivenessProbe\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " failureThreshold: 5", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfailureThreshold\u001b[0m: \u001b[38;5;37m5", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " httpGet:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mhttpGet\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " path: /health", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mpath\u001b[0m: /health", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 54, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 
10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'coredns' of Deployment 'coredns' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 45, + "EndLine": 99, + "Code": { + "Lines": [ + { + "Number": 45, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 46, + "Content": " - -conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 47, + "Content": " - /etc/coredns/Corefile", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/coredns/Corefile", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 48, + "Content": " image: registry.k8s.io/coredns/coredns:v1.11.3", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: registry.k8s.io/coredns/coredns:v1.11.3", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " 
livenessProbe:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlivenessProbe\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " failureThreshold: 5", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfailureThreshold\u001b[0m: \u001b[38;5;37m5", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " httpGet:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mhttpGet\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " path: /health", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mpath\u001b[0m: /health", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 54, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV022", + "AVDID": "AVD-KSV-0022", + "Title": "Specific capabilities added", + "Description": "According to pod security standard 'Capabilities', capabilities beyond the default set must not be added.", + "Message": "Container 'coredns' of Deployment 'coredns' should not set 'securityContext.capabilities.add'", + "Namespace": "builtin.kubernetes.KSV022", + "Query": "data.builtin.kubernetes.KSV022.deny", + "Resolution": "Do not set spec.containers[*].securityContext.capabilities.add and spec.initContainers[*].securityContext.capabilities.add.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv022", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv022" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 45, 
+ "EndLine": 99, + "Code": { + "Lines": [ + { + "Number": 45, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 46, + "Content": " - -conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 47, + "Content": " - /etc/coredns/Corefile", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/coredns/Corefile", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 48, + "Content": " image: registry.k8s.io/coredns/coredns:v1.11.3", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: registry.k8s.io/coredns/coredns:v1.11.3", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " livenessProbe:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlivenessProbe\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " failureThreshold: 5", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfailureThreshold\u001b[0m: \u001b[38;5;37m5", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " httpGet:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mhttpGet\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " path: /health", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mpath\u001b[0m: /health", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 54, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 45, + "EndLine": 99, + "Code": { + "Lines": [ + { + "Number": 45, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 46, + "Content": " - -conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 47, + "Content": " - /etc/coredns/Corefile", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/coredns/Corefile", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 48, + "Content": " image: registry.k8s.io/coredns/coredns:v1.11.3", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: registry.k8s.io/coredns/coredns:v1.11.3", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " livenessProbe:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlivenessProbe\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " failureThreshold: 5", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfailureThreshold\u001b[0m: \u001b[38;5;37m5", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " httpGet:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mhttpGet\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " path: /health", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mpath\u001b[0m: /health", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 54, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV037", + "AVDID": "AVD-KSV-0037", + "Title": "User Pods should not be placed in kube-system namespace", + "Description": "ensure that User pods are not placed in kube-system namespace", + "Message": "Deployment 'coredns' should not be set with 'kube-system' namespace", + "Namespace": "builtin.kubernetes.KSV037", + "Query": 
"data.builtin.kubernetes.KSV037.deny", + "Resolution": "Deploy the use pods into a designated namespace which is not kube-system.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv037", + "References": [ + "https://kubernetes.io/docs/reference/setup-tools/kubeadm/implementation-details/", + "https://avd.aquasec.com/misconfig/ksv037" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 15, + "EndLine": 122, + "Code": { + "Lines": [ + { + "Number": 15, + "Content": " progressDeadlineSeconds: 600", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mprogressDeadlineSeconds\u001b[0m: \u001b[38;5;37m600", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 16, + "Content": " replicas: 2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " revisionHistoryLimit: 10", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrevisionHistoryLimit\u001b[0m: \u001b[38;5;37m10", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " selector:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " matchLabels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " k8s-app: kube-dns", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mk8s-app\u001b[0m: kube-dns", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + 
"Content": " strategy:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mstrategy\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " rollingUpdate:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrollingUpdate\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " maxSurge: 25%", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmaxSurge\u001b[0m: \u001b[38;5;37m25\u001b[0m%", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 24, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"coredns\" of deployment \"coredns\" in \"kube-system\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV117", + "AVDID": "AVD-KSV-0117", + "Title": "Prevent binding to privileged ports", + "Description": "The ports which are lower than 1024 receive and transmit various 
sensitive and privileged data. Allowing containers to use them can bring serious implications.", + "Message": "deployment coredns in kube-system namespace should not set spec.template.spec.containers.ports.containerPort to less than 1024", + "Namespace": "builtin.kubernetes.KSV117", + "Query": "data.builtin.kubernetes.KSV117.deny", + "Resolution": "Do not map the container ports to privileged host ports when starting a container.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv117", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/", + "https://www.stigviewer.com/stig/kubernetes/2022-12-02/finding/V-242414", + "https://avd.aquasec.com/misconfig/ksv117" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "Pod", + "Name": "etcd-kind-control-plane", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "Pod/etcd-kind-control-plane", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 145, + "Failures": 12 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'etcd' of Pod 'etcd-kind-control-plane' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + 
"Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 92, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - etcd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-client-urls=https://172.18.0.2:2379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-client-urls=https://172.18.0.2:2379", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --client-cert-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-cert-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --data-dir=/var/lib/etcd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --data-dir=/var/lib/etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --experimental-initial-corrupt-check=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --experimental-initial-corrupt-check=true", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --experimental-watch-progress-notify-interval=5s", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --experimental-watch-progress-notify-interval=5s", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --initial-advertise-peer-urls=https://172.18.0.2:2380", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --initial-advertise-peer-urls=https://172.18.0.2:2380", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'etcd' of Pod 'etcd-kind-control-plane' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 92, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - etcd", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-client-urls=https://172.18.0.2:2379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-client-urls=https://172.18.0.2:2379", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --client-cert-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-cert-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --data-dir=/var/lib/etcd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --data-dir=/var/lib/etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --experimental-initial-corrupt-check=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --experimental-initial-corrupt-check=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --experimental-watch-progress-notify-interval=5s", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --experimental-watch-progress-notify-interval=5s", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --initial-advertise-peer-urls=https://172.18.0.2:2380", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --initial-advertise-peer-urls=https://172.18.0.2:2380", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": 
true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV009", + "AVDID": "AVD-KSV-0009", + "Title": "Access to host network", + "Description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", + "Message": "Pod 'etcd-kind-control-plane' should not set 'spec.template.spec.hostNetwork' to true", + "Namespace": "builtin.kubernetes.KSV009", + "Query": "data.builtin.kubernetes.KSV009.deny", + "Resolution": "Do not set 'spec.template.spec.hostNetwork' to true.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv009", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv009" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 117, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " containers:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainers\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - etcd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-client-urls=https://172.18.0.2:2379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-client-urls=https://172.18.0.2:2379", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --client-cert-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-cert-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --data-dir=/var/lib/etcd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --data-dir=/var/lib/etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --experimental-initial-corrupt-check=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --experimental-initial-corrupt-check=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --experimental-watch-progress-notify-interval=5s", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --experimental-watch-progress-notify-interval=5s", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'etcd' of Pod 'etcd-kind-control-plane' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + 
"https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 92, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - etcd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-client-urls=https://172.18.0.2:2379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-client-urls=https://172.18.0.2:2379", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --client-cert-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-cert-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --data-dir=/var/lib/etcd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --data-dir=/var/lib/etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --experimental-initial-corrupt-check=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --experimental-initial-corrupt-check=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --experimental-watch-progress-notify-interval=5s", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " - --experimental-watch-progress-notify-interval=5s", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --initial-advertise-peer-urls=https://172.18.0.2:2380", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --initial-advertise-peer-urls=https://172.18.0.2:2380", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'etcd' of Pod 'etcd-kind-control-plane' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 92, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - etcd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-client-urls=https://172.18.0.2:2379", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - --advertise-client-urls=https://172.18.0.2:2379", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --client-cert-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-cert-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --data-dir=/var/lib/etcd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --data-dir=/var/lib/etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --experimental-initial-corrupt-check=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --experimental-initial-corrupt-check=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --experimental-watch-progress-notify-interval=5s", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --experimental-watch-progress-notify-interval=5s", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --initial-advertise-peer-urls=https://172.18.0.2:2380", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --initial-advertise-peer-urls=https://172.18.0.2:2380", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file 
system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'etcd' of Pod 'etcd-kind-control-plane' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 92, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - etcd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-client-urls=https://172.18.0.2:2379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-client-urls=https://172.18.0.2:2379", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --client-cert-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
--client-cert-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --data-dir=/var/lib/etcd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --data-dir=/var/lib/etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --experimental-initial-corrupt-check=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --experimental-initial-corrupt-check=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --experimental-watch-progress-notify-interval=5s", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --experimental-watch-progress-notify-interval=5s", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --initial-advertise-peer-urls=https://172.18.0.2:2380", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --initial-advertise-peer-urls=https://172.18.0.2:2380", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'etcd' of Pod 'etcd-kind-control-plane' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, 
+ "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 92, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - etcd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-client-urls=https://172.18.0.2:2379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-client-urls=https://172.18.0.2:2379", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --client-cert-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-cert-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --data-dir=/var/lib/etcd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --data-dir=/var/lib/etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --experimental-initial-corrupt-check=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --experimental-initial-corrupt-check=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --experimental-watch-progress-notify-interval=5s", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --experimental-watch-progress-notify-interval=5s", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --initial-advertise-peer-urls=https://172.18.0.2:2380", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --initial-advertise-peer-urls=https://172.18.0.2:2380", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'etcd' of Pod 'etcd-kind-control-plane' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 92, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - etcd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-client-urls=https://172.18.0.2:2379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
--advertise-client-urls=https://172.18.0.2:2379", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --client-cert-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-cert-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --data-dir=/var/lib/etcd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --data-dir=/var/lib/etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --experimental-initial-corrupt-check=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --experimental-initial-corrupt-check=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --experimental-watch-progress-notify-interval=5s", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --experimental-watch-progress-notify-interval=5s", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --initial-advertise-peer-urls=https://172.18.0.2:2380", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --initial-advertise-peer-urls=https://172.18.0.2:2380", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts 
with the host’s user table.", + "Message": "Container 'etcd' of Pod 'etcd-kind-control-plane' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 92, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - etcd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-client-urls=https://172.18.0.2:2379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-client-urls=https://172.18.0.2:2379", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --client-cert-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-cert-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --data-dir=/var/lib/etcd", + "IsCause": true, + "Annotation": "", + "Truncated": false, 
+ "Highlighted": " - --data-dir=/var/lib/etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --experimental-initial-corrupt-check=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --experimental-initial-corrupt-check=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --experimental-watch-progress-notify-interval=5s", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --experimental-watch-progress-notify-interval=5s", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --initial-advertise-peer-urls=https://172.18.0.2:2380", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --initial-advertise-peer-urls=https://172.18.0.2:2380", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV023", + "AVDID": "AVD-KSV-0023", + "Title": "hostPath volumes mounted", + "Description": "According to pod security standard 'HostPath Volumes', HostPath volumes must be forbidden.", + "Message": "Pod 'etcd-kind-control-plane' should not set 'spec.template.volumes.hostPath'", + "Namespace": "builtin.kubernetes.KSV023", + "Query": "data.builtin.kubernetes.KSV023.deny", + "Resolution": "Do not set 'spec.volumes[*].hostPath'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv023", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv023" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 117, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " 
containers:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainers\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - etcd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-client-urls=https://172.18.0.2:2379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-client-urls=https://172.18.0.2:2379", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --client-cert-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-cert-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --data-dir=/var/lib/etcd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --data-dir=/var/lib/etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --experimental-initial-corrupt-check=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --experimental-initial-corrupt-check=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --experimental-watch-progress-notify-interval=5s", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
--experimental-watch-progress-notify-interval=5s", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"etcd\" of pod \"etcd-kind-control-plane\" in \"kube-system\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 92, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - etcd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-client-urls=https://172.18.0.2:2379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-client-urls=https://172.18.0.2:2379", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cert-file=/etc/kubernetes/pki/etcd/server.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --client-cert-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-cert-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --data-dir=/var/lib/etcd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --data-dir=/var/lib/etcd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --experimental-initial-corrupt-check=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --experimental-initial-corrupt-check=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - 
--experimental-watch-progress-notify-interval=5s", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --experimental-watch-progress-notify-interval=5s", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --initial-advertise-peer-urls=https://172.18.0.2:2380", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --initial-advertise-peer-urls=https://172.18.0.2:2380", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "Pod", + "Name": "kube-apiserver-kind-control-plane", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "Pod/kube-apiserver-kind-control-plane", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 134, + "Failures": 23 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KCV0001", + "AVDID": "AVD-KCV-0001", + "Title": "Ensure that the --anonymous-auth argument is set to false", + "Description": "Disable anonymous requests to the API server.", + "Message": "Ensure that the --anonymous-auth argument is set to false", + "Namespace": "builtin.kubernetes.KCV0001", + "Query": "data.builtin.kubernetes.KCV0001.deny", + "Resolution": "Set '--anonymous-auth' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/kcv0001", + "References": [ + "https://www.cisecurity.org/benchmark/kubernetes", + "https://avd.aquasec.com/misconfig/kcv0001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 111, + "Code": { 
+ "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --allow-privileged=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-mode=Node,RBAC", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "IsCause": true, + "Annotation": "", 
+ "Truncated": false, + "Highlighted": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KCV0006", + "AVDID": "AVD-KCV-0006", + "Title": "Ensure that the --kubelet-certificate-authority argument is set as appropriate", + "Description": "Verify kubelet's certificate before establishing connection.", + "Message": "Ensure that the --kubelet-certificate-authority argument is set as appropriate", + "Namespace": "builtin.kubernetes.KCV0006", + "Query": "data.builtin.kubernetes.KCV0006.deny", + "Resolution": "Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. ", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/kcv0006", + "References": [ + "https://www.cisecurity.org/benchmark/kubernetes", + "https://avd.aquasec.com/misconfig/kcv0006" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 111, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --allow-privileged=true", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-mode=Node,RBAC", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KCV0010", + "AVDID": "AVD-KCV-0010", + "Title": "Ensure that the admission control plugin EventRateLimit is set", + "Description": "Limit the rate at which the API server accepts requests.", + "Message": "Ensure that the admission control plugin EventRateLimit is set", + "Namespace": "builtin.kubernetes.KCV0010", + "Query": "data.builtin.kubernetes.KCV0010.deny", + "Resolution": "Follow the Kubernetes 
documentation and set the desired limits in a configuration file. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameters.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/kcv0010", + "References": [ + "https://www.cisecurity.org/benchmark/kubernetes", + "https://avd.aquasec.com/misconfig/kcv0010" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 111, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --allow-privileged=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-mode=Node,RBAC", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - 
--enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV0012", + "AVDID": "AVD-KCV-0012", + "Title": "Ensure that the admission control plugin AlwaysPullImages is set", + "Description": "Always pull images.", + "Message": "Ensure that the admission control plugin AlwaysPullImages is set", + "Namespace": "builtin.kubernetes.KCV0012", + "Query": "data.builtin.kubernetes.KCV0012.deny", + "Resolution": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --enable-admission-plugins parameter to include AlwaysPullImages.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv0012", + "References": [ + "https://www.cisecurity.org/benchmark/kubernetes", + "https://avd.aquasec.com/misconfig/ksv0012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 111, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --allow-privileged=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-mode=Node,RBAC", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "FirstCause": false, + "LastCause": true + }, + { 
+ "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KCV0018", + "AVDID": "AVD-KCV-0018", + "Title": "Ensure that the --profiling argument is set to false", + "Description": "Disable profiling, if not needed.", + "Message": "Ensure that the --profiling argument is set to false", + "Namespace": "builtin.kubernetes.KCV0018", + "Query": "data.builtin.kubernetes.KCV0018.deny", + "Resolution": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the below parameter.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/kcv0018", + "References": [ + "https://www.cisecurity.org/benchmark/kubernetes", + "https://avd.aquasec.com/misconfig/kcv0018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 111, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --allow-privileged=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - 
--authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-mode=Node,RBAC", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KCV0019", + "AVDID": "AVD-KCV-0019", + "Title": "Ensure that the --audit-log-path argument is set", + "Description": "Enable auditing on the Kubernetes API Server and set the desired audit log path.", + "Message": "Ensure that the --audit-log-path argument is set", + "Namespace": "builtin.kubernetes.KCV0019", + "Query": "data.builtin.kubernetes.KCV0019.deny", + "Resolution": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --audit-log-path parameter.", + "Severity": "LOW", + 
"PrimaryURL": "https://avd.aquasec.com/misconfig/kcv0019", + "References": [ + "https://www.cisecurity.org/benchmark/kubernetes", + "https://avd.aquasec.com/misconfig/kcv0019" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 111, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --allow-privileged=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-mode=Node,RBAC", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + 
"Content": " - --enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KCV0020", + "AVDID": "AVD-KCV-0020", + "Title": "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate", + "Description": "Retain the logs for at least 30 days or as appropriate.", + "Message": "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate", + "Namespace": "builtin.kubernetes.KCV0020", + "Query": "data.builtin.kubernetes.KCV0020.deny", + "Resolution": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/kcv0020", + "References": [ + "https://www.cisecurity.org/benchmark/kubernetes", + "https://avd.aquasec.com/misconfig/kcv0020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 111, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --allow-privileged=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-mode=Node,RBAC", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes 
Security Check", + "ID": "KCV0021", + "AVDID": "AVD-KCV-0021", + "Title": "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate", + "Description": "Retain 10 or an appropriate number of old log files.", + "Message": "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate", + "Namespace": "builtin.kubernetes.KCV0021", + "Query": "data.builtin.kubernetes.KCV0021.deny", + "Resolution": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate value.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/kcv0021", + "References": [ + "https://www.cisecurity.org/benchmark/kubernetes", + "https://avd.aquasec.com/misconfig/kcv0021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 111, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --allow-privileged=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " - --authorization-mode=Node,RBAC", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KCV0022", + "AVDID": "AVD-KCV-0022", + "Title": "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate", + "Description": "Rotate log files on reaching 100 MB or as appropriate.", + "Message": "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate", + "Namespace": "builtin.kubernetes.KCV0022", + "Query": "data.builtin.kubernetes.KCV0022.deny", + "Resolution": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --audit-log-maxsize parameter to an appropriate size in MB", + "Severity": "LOW", + "PrimaryURL": 
"https://avd.aquasec.com/misconfig/kcv0022", + "References": [ + "https://www.cisecurity.org/benchmark/kubernetes", + "https://avd.aquasec.com/misconfig/kcv0022" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 111, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --allow-privileged=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-mode=Node,RBAC", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - 
--enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KCV0030", + "AVDID": "AVD-KCV-0030", + "Title": "Ensure that the --encryption-provider-config argument is set as appropriate", + "Description": "Encrypt etcd key-value store.", + "Message": "Ensure that the --encryption-provider-config argument is set as appropriate", + "Namespace": "builtin.kubernetes.KCV0030", + "Query": "data.builtin.kubernetes.KCV0030.deny", + "Resolution": "Follow the Kubernetes documentation and configure a EncryptionConfig file. 
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --encryption-provider-config parameter to the path of that file", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/kcv0030", + "References": [ + "https://www.cisecurity.org/benchmark/kubernetes", + "https://avd.aquasec.com/misconfig/kcv0030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 111, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --allow-privileged=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-mode=Node,RBAC", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - 
--enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 111, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, 
+ "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --allow-privileged=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-mode=Node,RBAC", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
--etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 111, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --allow-privileged=true", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-mode=Node,RBAC", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV009", + "AVDID": "AVD-KSV-0009", + "Title": "Access to host network", + "Description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", + "Message": "Pod 'kube-apiserver-kind-control-plane' should not set 'spec.template.spec.hostNetwork' to true", + "Namespace": "builtin.kubernetes.KSV009", + 
"Query": "data.builtin.kubernetes.KSV009.deny", + "Resolution": "Do not set 'spec.template.spec.hostNetwork' to true.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv009", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv009" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 148, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " containers:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainers\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --allow-privileged=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-mode=Node,RBAC", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 111, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --allow-privileged=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-mode=Node,RBAC", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + 
}, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 111, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --allow-privileged=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-mode=Node,RBAC", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 111, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --allow-privileged=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-mode=Node,RBAC", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + 
"Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": 
"FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 111, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --allow-privileged=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-mode=Node,RBAC", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 34, + "Content": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 111, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 29, + "Content": " - --allow-privileged=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-mode=Node,RBAC", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 
'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 111, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --allow-privileged=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-mode=Node,RBAC", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, 
+ "Content": " - --enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 111, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
- \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --allow-privileged=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-mode=Node,RBAC", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "FirstCause": false, + "LastCause": true + }, + 
{ + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV023", + "AVDID": "AVD-KSV-0023", + "Title": "hostPath volumes mounted", + "Description": "According to pod security standard 'HostPath Volumes', HostPath volumes must be forbidden.", + "Message": "Pod 'kube-apiserver-kind-control-plane' should not set 'spec.template.volumes.hostPath'", + "Namespace": "builtin.kubernetes.KSV023", + "Query": "data.builtin.kubernetes.KSV023.deny", + "Resolution": "Do not set 'spec.volumes[*].hostPath'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv023", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv023" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 148, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " containers:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainers\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --allow-privileged=true", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-mode=Node,RBAC", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"kube-apiserver\" of pod \"kube-apiserver-kind-control-plane\" in \"kube-system\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + 
"References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 26, + "EndLine": 111, + "Code": { + "Lines": [ + { + "Number": 26, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 27, + "Content": " - kube-apiserver", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-apiserver", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --advertise-address=172.18.0.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --advertise-address=172.18.0.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - 
--allow-privileged=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allow-privileged=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --authorization-mode=Node,RBAC", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-mode=Node,RBAC", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --enable-admission-plugins=NodeRestriction", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-admission-plugins=NodeRestriction", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --enable-bootstrap-token-auth=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --enable-bootstrap-token-auth=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 35, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "Pod", + "Name": "kube-controller-manager-kind-control-plane", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "Pod/kube-controller-manager-kind-control-plane", + 
"Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 141, + "Failures": 16 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KCV0033", + "AVDID": "AVD-KCV-0033", + "Title": "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate", + "Description": "Activate garbage collector on pod termination, as appropriate.", + "Message": "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate", + "Namespace": "builtin.kubernetes.KCV0033", + "Query": "data.builtin.kubernetes.KCV0033.deny", + "Resolution": "Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node and set the --terminated-pod-gc-threshold to an appropriate threshold.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/kcv0033", + "References": [ + "https://www.cisecurity.org/benchmark/kubernetes", + "https://avd.aquasec.com/misconfig/kcv0033" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 95, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-controller-manager", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-controller-manager", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --allocate-node-cidrs=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allocate-node-cidrs=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --cluster-cidr=10.244.0.0/16", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-cidr=10.244.0.0/16", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --cluster-name=kind", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-name=kind", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KCV0034", + "AVDID": "AVD-KCV-0034", + "Title": "Ensure that the --profiling argument is set to false", + "Description": "Disable profiling, if not needed.", + "Message": "Ensure that the --profiling argument is set to false", + "Namespace": "builtin.kubernetes.KCV0034", + "Query": "data.builtin.kubernetes.KCV0034.deny", + "Resolution": "Edit the Controller Manager pod specification file 
/etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node and set the below parameter.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/kcv0034", + "References": [ + "https://www.cisecurity.org/benchmark/kubernetes", + "https://avd.aquasec.com/misconfig/kcv0034" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 95, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-controller-manager", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-controller-manager", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --allocate-node-cidrs=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allocate-node-cidrs=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, 
+ "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --cluster-cidr=10.244.0.0/16", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-cidr=10.244.0.0/16", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --cluster-name=kind", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-name=kind", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KCV0038", + "AVDID": "AVD-KCV-0038", + "Title": "Ensure that the RotateKubeletServerCertificate argument is set to true", + "Description": "Enable kubelet server certificate rotation on controller-manager.", + "Message": "Ensure that the RotateKubeletServerCertificate argument is set to true", + "Namespace": "builtin.kubernetes.KCV0038", + "Query": "data.builtin.kubernetes.KCV0038.deny", + "Resolution": "Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true .", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/kcv0038", + "References": [ + "https://www.cisecurity.org/benchmark/kubernetes", + "https://avd.aquasec.com/misconfig/kcv0038" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 95, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-controller-manager", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-controller-manager", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --allocate-node-cidrs=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allocate-node-cidrs=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --cluster-cidr=10.244.0.0/16", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-cidr=10.244.0.0/16", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --cluster-name=kind", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " - --cluster-name=kind", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 95, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-controller-manager", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-controller-manager", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --allocate-node-cidrs=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allocate-node-cidrs=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, 
+ "Content": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --cluster-cidr=10.244.0.0/16", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-cidr=10.244.0.0/16", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --cluster-name=kind", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-name=kind", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 
'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 95, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-controller-manager", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-controller-manager", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --allocate-node-cidrs=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allocate-node-cidrs=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 30, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --cluster-cidr=10.244.0.0/16", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-cidr=10.244.0.0/16", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --cluster-name=kind", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-name=kind", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV009", + "AVDID": "AVD-KSV-0009", + "Title": "Access to host network", + "Description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", + "Message": "Pod 'kube-controller-manager-kind-control-plane' should not set 'spec.template.spec.hostNetwork' to true", + "Namespace": "builtin.kubernetes.KSV009", + "Query": "data.builtin.kubernetes.KSV009.deny", + "Resolution": "Do not set 'spec.template.spec.hostNetwork' to true.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv009", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv009" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + 
"StartLine": 24, + "EndLine": 140, + "Code": { + "Lines": [ + { + "Number": 24, + "Content": " containers:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainers\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-controller-manager", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-controller-manager", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --allocate-node-cidrs=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allocate-node-cidrs=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --cluster-cidr=10.244.0.0/16", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-cidr=10.244.0.0/16", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 33, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 95, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-controller-manager", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-controller-manager", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --allocate-node-cidrs=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allocate-node-cidrs=true", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --cluster-cidr=10.244.0.0/16", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-cidr=10.244.0.0/16", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --cluster-name=kind", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-name=kind", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 
'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 95, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-controller-manager", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-controller-manager", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --allocate-node-cidrs=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allocate-node-cidrs=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, 
+ "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --cluster-cidr=10.244.0.0/16", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-cidr=10.244.0.0/16", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --cluster-name=kind", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-name=kind", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 95, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-controller-manager", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-controller-manager", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --allocate-node-cidrs=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allocate-node-cidrs=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --cluster-cidr=10.244.0.0/16", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-cidr=10.244.0.0/16", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --cluster-name=kind", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-name=kind", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + 
"https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 95, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-controller-manager", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-controller-manager", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --allocate-node-cidrs=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allocate-node-cidrs=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --cluster-cidr=10.244.0.0/16", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-cidr=10.244.0.0/16", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --cluster-name=kind", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-name=kind", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 95, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-controller-manager", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-controller-manager", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 27, + "Content": " - --allocate-node-cidrs=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allocate-node-cidrs=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --cluster-cidr=10.244.0.0/16", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-cidr=10.244.0.0/16", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --cluster-name=kind", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-name=kind", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": 
"AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 95, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-controller-manager", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-controller-manager", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --allocate-node-cidrs=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allocate-node-cidrs=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, 
+ "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --cluster-cidr=10.244.0.0/16", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-cidr=10.244.0.0/16", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --cluster-name=kind", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-name=kind", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 95, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-controller-manager", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-controller-manager", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --allocate-node-cidrs=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allocate-node-cidrs=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --cluster-cidr=10.244.0.0/16", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-cidr=10.244.0.0/16", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --cluster-name=kind", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-name=kind", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV023", + "AVDID": "AVD-KSV-0023", + "Title": "hostPath volumes mounted", + "Description": "According to pod security standard 'HostPath Volumes', HostPath volumes must be forbidden.", + "Message": "Pod 'kube-controller-manager-kind-control-plane' should not set 'spec.template.volumes.hostPath'", + "Namespace": "builtin.kubernetes.KSV023", + "Query": "data.builtin.kubernetes.KSV023.deny", + "Resolution": "Do not set 'spec.volumes[*].hostPath'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv023", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv023" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 24, + "EndLine": 140, + "Code": { + "Lines": [ + { + "Number": 24, + "Content": " containers:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainers\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 26, + "Content": " - kube-controller-manager", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-controller-manager", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --allocate-node-cidrs=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allocate-node-cidrs=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --cluster-cidr=10.244.0.0/16", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-cidr=10.244.0.0/16", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 33, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": 
"AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"kube-controller-manager\" of pod \"kube-controller-manager-kind-control-plane\" in \"kube-system\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 95, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, 
+ "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-controller-manager", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-controller-manager", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --allocate-node-cidrs=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --allocate-node-cidrs=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --client-ca-file=/etc/kubernetes/pki/ca.crt", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " - --cluster-cidr=10.244.0.0/16", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-cidr=10.244.0.0/16", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " - --cluster-name=kind", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - --cluster-name=kind", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "Pod", + "Name": "kube-scheduler-kind-control-plane", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "Pod/kube-scheduler-kind-control-plane", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 143, + "Failures": 14 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KCV0040", + "AVDID": "AVD-KCV-0040", + "Title": "Ensure that the --profiling argument is set to false", + "Description": "Disable profiling, if not needed.", + "Message": "Ensure that the --profiling argument is set to false", + "Namespace": "builtin.kubernetes.KCV0040", + "Query": "data.builtin.kubernetes.KCV0040.deny", + "Resolution": "Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file on the Control Plane node and set the below parameter.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/kcv0040", + "References": [ + "https://www.cisecurity.org/benchmark/kubernetes", + "https://avd.aquasec.com/misconfig/kcv0040" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-scheduler", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-scheduler", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --leader-elect=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --leader-elect=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " image: registry.k8s.io/kube-scheduler:v1.31.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: registry.k8s.io/kube-scheduler:v1.31.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, 
+ "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-scheduler", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-scheduler", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --leader-elect=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --leader-elect=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " image: registry.k8s.io/kube-scheduler:v1.31.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: registry.k8s.io/kube-scheduler:v1.31.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": 
"builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-scheduler", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-scheduler", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --leader-elect=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --leader-elect=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " image: registry.k8s.io/kube-scheduler:v1.31.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: registry.k8s.io/kube-scheduler:v1.31.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV009", + "AVDID": "AVD-KSV-0009", + "Title": "Access to host network", + "Description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", + "Message": "Pod 'kube-scheduler-kind-control-plane' should not set 'spec.template.spec.hostNetwork' to true", + "Namespace": "builtin.kubernetes.KSV009", + "Query": "data.builtin.kubernetes.KSV009.deny", + "Resolution": "Do not set 'spec.template.spec.hostNetwork' to true.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv009", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv009" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 24, + "EndLine": 86, + "Code": { + "Lines": [ + { + "Number": 24, + "Content": " containers:", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainers\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-scheduler", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-scheduler", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --leader-elect=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --leader-elect=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " image: registry.k8s.io/kube-scheduler:v1.31.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: registry.k8s.io/kube-scheduler:v1.31.2", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 33, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-scheduler", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-scheduler", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - 
--authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --leader-elect=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --leader-elect=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " image: registry.k8s.io/kube-scheduler:v1.31.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: registry.k8s.io/kube-scheduler:v1.31.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'securityContext.runAsNonRoot' to true", + 
"Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-scheduler", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-scheduler", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --kubeconfig=/etc/kubernetes/scheduler.conf", 
+ "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --leader-elect=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --leader-elect=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " image: registry.k8s.io/kube-scheduler:v1.31.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: registry.k8s.io/kube-scheduler:v1.31.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-scheduler", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-scheduler", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": 
" - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --leader-elect=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --leader-elect=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " image: registry.k8s.io/kube-scheduler:v1.31.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: registry.k8s.io/kube-scheduler:v1.31.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + 
"https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-scheduler", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-scheduler", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --leader-elect=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --leader-elect=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + 
"Content": " image: registry.k8s.io/kube-scheduler:v1.31.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: registry.k8s.io/kube-scheduler:v1.31.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-scheduler", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-scheduler", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, 
+ "Content": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --leader-elect=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --leader-elect=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " image: registry.k8s.io/kube-scheduler:v1.31.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: registry.k8s.io/kube-scheduler:v1.31.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + 
"ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-scheduler", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-scheduler", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --leader-elect=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --leader-elect=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " image: registry.k8s.io/kube-scheduler:v1.31.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: registry.k8s.io/kube-scheduler:v1.31.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-scheduler", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-scheduler", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --leader-elect=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --leader-elect=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + 
"Content": " image: registry.k8s.io/kube-scheduler:v1.31.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: registry.k8s.io/kube-scheduler:v1.31.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV023", + "AVDID": "AVD-KSV-0023", + "Title": "hostPath volumes mounted", + "Description": "According to pod security standard 'HostPath Volumes', HostPath volumes must be forbidden.", + "Message": "Pod 'kube-scheduler-kind-control-plane' should not set 'spec.template.volumes.hostPath'", + "Namespace": "builtin.kubernetes.KSV023", + "Query": "data.builtin.kubernetes.KSV023.deny", + "Resolution": "Do not set 'spec.volumes[*].hostPath'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv023", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv023" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 24, + "EndLine": 86, + "Code": { + "Lines": [ + { + "Number": 24, + "Content": " containers:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainers\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + 
}, + { + "Number": 26, + "Content": " - kube-scheduler", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-scheduler", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --leader-elect=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --leader-elect=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " image: registry.k8s.io/kube-scheduler:v1.31.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: registry.k8s.io/kube-scheduler:v1.31.2", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 33, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": 
"AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"kube-scheduler\" of pod \"kube-scheduler-kind-control-plane\" in \"kube-system\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 25, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": " - command:", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 26, + "Content": " - kube-scheduler", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-scheduler", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " - --bind-address=127.0.0.1", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --bind-address=127.0.0.1", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --kubeconfig=/etc/kubernetes/scheduler.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - --leader-elect=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --leader-elect=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " image: registry.k8s.io/kube-scheduler:v1.31.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: registry.k8s.io/kube-scheduler:v1.31.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 34, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "Role", + "Name": "extension-apiserver-authentication-reader", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "Role/extension-apiserver-authentication-reader", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "Role", + "Name": "kube-proxy", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "Role/kube-proxy", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "Role", + "Name": "kubeadm:kubelet-config", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "Role/kubeadm:kubelet-config", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "Role", + "Name": "kubeadm:nodes-kubeadm-config", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], 
+ "Results": [ + { + "Target": "Role/kubeadm:nodes-kubeadm-config", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "Role", + "Name": "system::leader-locking-kube-controller-manager", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "Role/system::leader-locking-kube-controller-manager", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV049", + "AVDID": "AVD-KSV-0049", + "Title": "Manage configmaps", + "Description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", + "Message": "Role 'system::leader-locking-kube-controller-manager' should not have access to resource 'configmaps' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV049", + "Query": "data.builtin.kubernetes.KSV049.deny", + "Resolution": "Remove write permission verbs for resource 'configmaps'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv049", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv049" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 20, + "EndLine": 28, + "Code": { + "Lines": [ + { + "Number": 20, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 21, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " resourceNames:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresourceNames\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " - kube-controller-manager", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-controller-manager", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - update", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "Role", + "Name": "system::leader-locking-kube-scheduler", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": 
null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "Role/system::leader-locking-kube-scheduler", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV049", + "AVDID": "AVD-KSV-0049", + "Title": "Manage configmaps", + "Description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", + "Message": "Role 'system::leader-locking-kube-scheduler' should not have access to resource 'configmaps' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV049", + "Query": "data.builtin.kubernetes.KSV049.deny", + "Resolution": "Remove write permission verbs for resource 'configmaps'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv049", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv049" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 20, + "EndLine": 28, + "Code": { + "Lines": [ + { + "Number": 20, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 21, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " resourceNames:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresourceNames\u001b[0m:", + "FirstCause": false, 
+ "LastCause": false + }, + { + "Number": 23, + "Content": " - kube-scheduler", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - kube-scheduler", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - update", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "Role", + "Name": "system:controller:bootstrap-signer", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "Role/system:controller:bootstrap-signer", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV113", + "AVDID": "AVD-KSV-0113", + "Title": "Manage namespace secrets", + "Description": "Viewing secrets at the namespace scope can lead to escalation if another service account in that namespace has a 
higher privileged rolebinding or clusterrolebinding bound.", + "Message": "Role 'system:controller:bootstrap-signer' shouldn't have access to manage secrets in namespace 'kube-system'", + "Namespace": "builtin.kubernetes.KSV113", + "Query": "data.builtin.kubernetes.KSV113.deny", + "Resolution": "Manage namespace secrets are not allowed. Remove resource 'secrets' from role", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv113", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv113" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 14, + "EndLine": 21, + "Code": { + "Lines": [ + { + "Number": 14, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 15, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, 
+ "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "Role", + "Name": "system:controller:cloud-provider", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "Role/system:controller:cloud-provider", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV049", + "AVDID": "AVD-KSV-0049", + "Title": "Manage configmaps", + "Description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", + "Message": "Role 'system:controller:cloud-provider' should not have access to resource 'configmaps' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV049", + "Query": "data.builtin.kubernetes.KSV049.deny", + "Resolution": "Remove write permission verbs for resource 'configmaps'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv049", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv049" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 14, + "EndLine": 22, + "Code": { + "Lines": [ + 
{ + "Number": 14, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 15, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "Role", + "Name": "system:controller:token-cleaner", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + 
"os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "Role/system:controller:token-cleaner", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV113", + "AVDID": "AVD-KSV-0113", + "Title": "Manage namespace secrets", + "Description": "Viewing secrets at the namespace scope can lead to escalation if another service account in that namespace has a higher privileged rolebinding or clusterrolebinding bound.", + "Message": "Role 'system:controller:token-cleaner' shouldn't have access to manage secrets in namespace 'kube-system'", + "Namespace": "builtin.kubernetes.KSV113", + "Query": "data.builtin.kubernetes.KSV113.deny", + "Resolution": "Manage namespace secrets are not allowed. Remove resource 'secrets' from role", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv113", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv113" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 14, + "EndLine": 22, + "Code": { + "Lines": [ + { + "Number": 14, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 15, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " - 
secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "RoleBinding", + "Name": "kube-proxy", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "RoleBinding/kube-proxy", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "RoleBinding", + "Name": "kubeadm:kubelet-config", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "RoleBinding/kubeadm:kubelet-config", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + 
"Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "RoleBinding", + "Name": "kubeadm:nodes-kubeadm-config", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "RoleBinding/kubeadm:nodes-kubeadm-config", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "RoleBinding", + "Name": "system::extension-apiserver-authentication-reader", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "RoleBinding/system::extension-apiserver-authentication-reader", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "RoleBinding", + "Name": "system::leader-locking-kube-controller-manager", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "RoleBinding/system::leader-locking-kube-controller-manager", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "RoleBinding", + "Name": "system::leader-locking-kube-scheduler", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "RoleBinding/system::leader-locking-kube-scheduler", + "Class": "config", + 
"Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "RoleBinding", + "Name": "system:controller:bootstrap-signer", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "RoleBinding/system:controller:bootstrap-signer", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "RoleBinding", + "Name": "system:controller:cloud-provider", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "RoleBinding/system:controller:cloud-provider", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "RoleBinding", + "Name": "system:controller:token-cleaner", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "RoleBinding/system:controller:token-cleaner", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "Service", + "Name": "kube-dns", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "Service/kube-dns", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 156, + "Failures": 
1 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV037", + "AVDID": "AVD-KSV-0037", + "Title": "User Pods should not be placed in kube-system namespace", + "Description": "ensure that User pods are not placed in kube-system namespace", + "Message": "Service 'kube-dns' should not be set with 'kube-system' namespace", + "Namespace": "builtin.kubernetes.KSV037", + "Query": "data.builtin.kubernetes.KSV037.deny", + "Resolution": "Deploy the use pods into a designated namespace which is not kube-system.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv037", + "References": [ + "https://kubernetes.io/docs/reference/setup-tools/kubeadm/implementation-details/", + "https://avd.aquasec.com/misconfig/ksv037" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 17, + "EndLine": 40, + "Code": { + "Lines": [ + { + "Number": 17, + "Content": " clusterIP: 10.96.0.10", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mclusterIP\u001b[0m: \u001b[38;5;37m10.96.0.10", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 18, + "Content": " clusterIPs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mclusterIPs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 19, + "Content": " - 10.96.0.10", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m10.96.0.10", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " internalTrafficPolicy: Cluster", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33minternalTrafficPolicy\u001b[0m: Cluster", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " ipFamilies:", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " \u001b[38;5;33mipFamilies\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - IPv4", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - IPv4", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " ipFamilyPolicy: SingleStack", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mipFamilyPolicy\u001b[0m: SingleStack", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - name: dns", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dns", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 26, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "attachdetach-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/attachdetach-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "bootstrap-signer", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/bootstrap-signer", + "Class": "config", + 
"Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "certificate-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/certificate-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "clusterrole-aggregation-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/clusterrole-aggregation-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "coredns", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/coredns", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "cronjob-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/cronjob-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + 
}, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "daemon-set-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/daemon-set-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "default", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/default", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "deployment-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/deployment-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "disruption-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/disruption-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "endpoint-controller", + "Metadata": [ + 
{ + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/endpoint-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "endpointslice-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/endpointslice-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "endpointslicemirroring-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/endpointslicemirroring-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "ephemeral-volume-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/ephemeral-volume-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "expand-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + 
"created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/expand-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "generic-garbage-collector", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/generic-garbage-collector", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "horizontal-pod-autoscaler", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/horizontal-pod-autoscaler", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "job-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/job-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "kindnet", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + 
"config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/kindnet", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "kube-proxy", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/kube-proxy", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "legacy-service-account-token-cleaner", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/legacy-service-account-token-cleaner", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "namespace-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/namespace-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "node-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/node-controller", + "Class": 
"config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "persistent-volume-binder", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/persistent-volume-binder", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "pod-garbage-collector", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/pod-garbage-collector", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "pv-protection-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/pv-protection-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "pvc-protection-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/pvc-protection-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + 
"Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "replicaset-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/replicaset-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "replication-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/replication-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "resourcequota-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/resourcequota-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "root-ca-cert-publisher", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/root-ca-cert-publisher", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": 
"kube-system", + "Kind": "ServiceAccount", + "Name": "service-account-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/service-account-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "service-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/service-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "statefulset-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/statefulset-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "token-cleaner", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/token-cleaner", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "ttl-after-finished-controller", + 
"Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/ttl-after-finished-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "ttl-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/ttl-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "ServiceAccount", + "Name": "validatingadmissionpolicy-status-controller", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/validatingadmissionpolicy-status-controller", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "local-path-storage", + "Kind": "ConfigMap", + "Name": "kube-root-ca.crt", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ConfigMap/kube-root-ca.crt", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "local-path-storage", + "Kind": "ConfigMap", + "Name": "local-path-config", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + 
"created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ConfigMap/local-path-config", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "local-path-storage", + "Kind": "Deployment", + "Name": "local-path-provisioner", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "Deployment/local-path-provisioner", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 144, + "Failures": 13 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 18, + "EndLine": 36, + "Code": { + "Lines": [ + { + "Number": 18, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 19, + "Content": " - local-path-provisioner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - local-path-provisioner", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - --debug", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --debug", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - start", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - start", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - --helper-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --helper-image", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " - --config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - /etc/config/config.json", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/config/config.json", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 27, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + 
"AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 18, + "EndLine": 36, + "Code": { + "Lines": [ + { + "Number": 18, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 19, + "Content": " - local-path-provisioner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - local-path-provisioner", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - --debug", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --debug", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - start", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - start", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - --helper-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --helper-image", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " - 
docker.io/kindest/local-path-helper:v20230510-486859a6", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " - --config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - /etc/config/config.json", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/config/config.json", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 27, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 18, + "EndLine": 36, + "Code": { + "Lines": [ + { + "Number": 18, + "Content": " - 
command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 19, + "Content": " - local-path-provisioner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - local-path-provisioner", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - --debug", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --debug", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - start", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - start", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - --helper-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --helper-image", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " - --config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - /etc/config/config.json", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/config/config.json", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 27, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": 
false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 18, + "EndLine": 36, + "Code": { + "Lines": [ + { + "Number": 18, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 19, + "Content": " - local-path-provisioner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - local-path-provisioner", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - --debug", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --debug", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - start", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - start", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - --helper-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --helper-image", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": 
" - docker.io/kindest/local-path-helper:v20230510-486859a6", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " - --config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - /etc/config/config.json", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/config/config.json", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 27, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 18, + "EndLine": 36, + "Code": { + "Lines": [ + { + "Number": 18, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 19, + "Content": " - local-path-provisioner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - local-path-provisioner", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - --debug", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --debug", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - start", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - start", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - --helper-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --helper-image", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " - --config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - /etc/config/config.json", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/config/config.json", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 27, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 18, + "EndLine": 36, + "Code": { + "Lines": [ + { + "Number": 18, 
+ "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 19, + "Content": " - local-path-provisioner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - local-path-provisioner", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - --debug", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --debug", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - start", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - start", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - --helper-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --helper-image", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " - --config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - /etc/config/config.json", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/config/config.json", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 27, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, 
+ "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 18, + "EndLine": 36, + "Code": { + "Lines": [ + { + "Number": 18, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 19, + "Content": " - local-path-provisioner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - local-path-provisioner", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - --debug", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --debug", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - start", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - start", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - --helper-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --helper-image", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " - --config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - /etc/config/config.json", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/config/config.json", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 27, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 18, + "EndLine": 36, + "Code": { + "Lines": [ + { 
+ "Number": 18, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 19, + "Content": " - local-path-provisioner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - local-path-provisioner", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - --debug", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --debug", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - start", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - start", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - --helper-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --helper-image", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " - --config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - /etc/config/config.json", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/config/config.json", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 27, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + 
"FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 18, + "EndLine": 36, + "Code": { + "Lines": [ + { + "Number": 18, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 19, + "Content": " - local-path-provisioner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - local-path-provisioner", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - --debug", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --debug", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - start", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - start", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - --helper-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --helper-image", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 23, + "Content": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " - --config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - /etc/config/config.json", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/config/config.json", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 27, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + 
"StartLine": 18, + "EndLine": 36, + "Code": { + "Lines": [ + { + "Number": 18, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 19, + "Content": " - local-path-provisioner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - local-path-provisioner", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - --debug", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --debug", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - start", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - start", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - --helper-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --helper-image", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " - --config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - /etc/config/config.json", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/config/config.json", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 27, + "Content": "", + 
"IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 18, + "EndLine": 36, + "Code": { + "Lines": [ + { + "Number": 18, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 19, + "Content": " - local-path-provisioner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - local-path-provisioner", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - --debug", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --debug", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - start", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - start", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - --helper-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --helper-image", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " - --config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - /etc/config/config.json", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/config/config.json", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 27, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"local-path-provisioner\" of deployment \"local-path-provisioner\" in \"local-path-storage\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", 
+ "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 18, + "EndLine": 36, + "Code": { + "Lines": [ + { + "Number": 18, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 19, + "Content": " - local-path-provisioner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - local-path-provisioner", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " - --debug", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --debug", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " - start", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - start", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " - --helper-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --helper-image", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - docker.io/kindest/local-path-helper:v20230510-486859a6", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " - --config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - /etc/config/config.json", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/config/config.json", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 27, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + } + ] + }, + { + "Namespace": "local-path-storage", + "Kind": "ServiceAccount", + "Name": "default", + "Metadata": [ + { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/default", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "local-path-storage", + "Kind": "ServiceAccount", + "Name": "local-path-provisioner-service-account", + "Metadata": [ + { + 
"ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + } + ], + "Results": [ + { + "Target": "ServiceAccount/local-path-provisioner-service-account", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 157, + "Failures": 0 + } + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "Deployment", + "Name": "coredns", + "Metadata": [ + { + "OS": { + "Family": "debian", + "Name": "11.10" + }, + "ImageID": "sha256:c69fa2e9cbf5f42dc48af631e956d3f95724c13f91596bc567591790e5e36db6", + "DiffIDs": [ + "sha256:5342a2647e8784b3afdeb9b148d5fe1e7e1089ed3650204077765c78b3b0f93c", + "sha256:577c8ee06f39e2bc276615f1058fa40081255ce5e2f072df4875e27868de5660", + "sha256:9ed498e122b248a801130d052c25418381ee7bf215cdf7990965bae0dc37dcc2", + "sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368", + "sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc", + "sha256:ac805962e47900b616b2f4b4584a34ac7b07d64ac1fd2c077478cf65311addcc", + "sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b", + "sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1", + "sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849", + "sha256:c048279a7d9f8e94b4c022b699ad8e8a0cb08b717b014ce4af15afaf375a6ac2", + "sha256:2388d21e8e2b74e055216652e6af384768e97513ad568e10c27bacec389b7f0a", + "sha256:06be1466c7d3000b828baff3e9f5ca8e7f123f72576619b7ff103db0c3153be1", + "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + ], + "RepoTags": [ + "registry.k8s.io/coredns/coredns:v1.11.3" + ], + "RepoDigests": [ + "registry.k8s.io/coredns/coredns@sha256:9caabbf6238b189a65d0d6e6ac138de60d6a1c419e5a341fbbb7c78382559c6e" + ], + "ImageConfig": { + "architecture": "amd64", + "created": "2024-07-29T17:30:01.577787486Z", + "history": [ + { + "created": "0001-01-01T00:00:00Z" + }, + { + 
"created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "2024-07-29T17:30:01.437291722Z", + "created_by": "COPY /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2024-07-29T17:30:01.577787486Z", + "created_by": "COPY /coredns /coredns # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2024-07-29T17:30:01.577787486Z", + "created_by": "USER nonroot:nonroot", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-07-29T17:30:01.577787486Z", + "created_by": "EXPOSE map[53/tcp:{} 53/udp:{}]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-07-29T17:30:01.577787486Z", + "created_by": "ENTRYPOINT [\"/coredns\"]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + } + ], + "os": "linux", + "rootfs": { + "type": "layers", + "diff_ids": [ + "sha256:5342a2647e8784b3afdeb9b148d5fe1e7e1089ed3650204077765c78b3b0f93c", + "sha256:577c8ee06f39e2bc276615f1058fa40081255ce5e2f072df4875e27868de5660", + "sha256:9ed498e122b248a801130d052c25418381ee7bf215cdf7990965bae0dc37dcc2", + "sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368", + "sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc", + "sha256:ac805962e47900b616b2f4b4584a34ac7b07d64ac1fd2c077478cf65311addcc", + "sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b", + "sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1", + 
"sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849", + "sha256:c048279a7d9f8e94b4c022b699ad8e8a0cb08b717b014ce4af15afaf375a6ac2", + "sha256:2388d21e8e2b74e055216652e6af384768e97513ad568e10c27bacec389b7f0a", + "sha256:06be1466c7d3000b828baff3e9f5ca8e7f123f72576619b7ff103db0c3153be1", + "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + ] + }, + "config": { + "Entrypoint": [ + "/coredns" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt" + ], + "User": "nonroot:nonroot", + "WorkingDir": "/home/nonroot", + "ExposedPorts": { + "53/tcp": {}, + "53/udp": {} + } + } + } + } + ], + "Results": [ + { + "Target": "registry.k8s.io/coredns/coredns:v1.11.3 (debian 11.10)", + "Class": "os-pkgs", + "Type": "debian", + "Packages": [ + { + "ID": "base-files@11.1+deb11u10", + "Name": "base-files", + "Identifier": { + "PURL": "pkg:deb/debian/base-files@11.1%2Bdeb11u10?arch=amd64\u0026distro=debian-11.10", + "UID": "2b3478f30510db86" + }, + "Version": "11.1+deb11u10", + "Arch": "amd64", + "SrcName": "base-files", + "SrcVersion": "11.1+deb11u10", + "Licenses": [ + "GPL-2.0-or-later" + ], + "Maintainer": "Santiago Vila \u003csanvila@debian.org\u003e", + "Layer": { + "Digest": "sha256:804c8aba2cc61168600515a6831474978d0ea8faddd8a66f99cc9f2bbd576105", + "DiffID": "sha256:5342a2647e8784b3afdeb9b148d5fe1e7e1089ed3650204077765c78b3b0f93c" + } + }, + { + "ID": "netbase@6.3", + "Name": "netbase", + "Identifier": { + "PURL": "pkg:deb/debian/netbase@6.3?arch=all\u0026distro=debian-11.10", + "UID": "2aded3474d1b415c" + }, + "Version": "6.3", + "Arch": "all", + "SrcName": "netbase", + "SrcVersion": "6.3", + "Licenses": [ + "GPL-2.0-only" + ], + "Maintainer": "Marco d'Itri \u003cmd@linux.it\u003e", + "Layer": { + "Digest": "sha256:2ae710cd8bfef4545fa3a6dc274d6b7a991ca379cdaa3cdf460d5cb5840a3c88", + "DiffID": 
"sha256:577c8ee06f39e2bc276615f1058fa40081255ce5e2f072df4875e27868de5660" + } + }, + { + "ID": "tzdata@2024a-0+deb11u1", + "Name": "tzdata", + "Identifier": { + "PURL": "pkg:deb/debian/tzdata@2024a-0%2Bdeb11u1?arch=all\u0026distro=debian-11.10", + "UID": "bf6813efdcb4c716" + }, + "Version": "2024a", + "Release": "0+deb11u1", + "Arch": "all", + "SrcName": "tzdata", + "SrcVersion": "2024a", + "SrcRelease": "0+deb11u1", + "Maintainer": "GNU Libc Maintainers \u003cdebian-glibc@lists.debian.org\u003e", + "Layer": { + "Digest": "sha256:d462aa3453675bb1f9a271a72cc72a53e628521a7d0e94b720bd07f9ca4962dc", + "DiffID": "sha256:9ed498e122b248a801130d052c25418381ee7bf215cdf7990965bae0dc37dcc2" + } + } + ], + "Vulnerabilities": [ + { + "VulnerabilityID": "DLA-3972-1", + "VendorIDs": [ + "DLA-3972-1" + ], + "PkgID": "tzdata@2024a-0+deb11u1", + "PkgName": "tzdata", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/tzdata@2024a-0%2Bdeb11u1?arch=all\u0026distro=debian-11.10", + "UID": "bf6813efdcb4c716" + }, + "InstalledVersion": "2024a-0+deb11u1", + "FixedVersion": "2024b-0+deb11u1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d462aa3453675bb1f9a271a72cc72a53e628521a7d0e94b720bd07f9ca4962dc", + "DiffID": "sha256:9ed498e122b248a801130d052c25418381ee7bf215cdf7990965bae0dc37dcc2" + }, + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "tzdata - new timezone database", + "Severity": "UNKNOWN" + } + ] + }, + { + "Target": "coredns", + "Class": "lang-pkgs", + "Type": "gobinary", + "Packages": [ + { + "Name": "github.com/coredns/coredns", + "Identifier": { + "PURL": "pkg:golang/github.com/coredns/coredns", + "UID": "f42588c719c363a6" + }, + "Relationship": "root", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": 
"stdlib", + "Identifier": { + "PURL": "pkg:golang/stdlib@v1.21.11", + "UID": "d89e0fcc3c63a2a1" + }, + "Version": "v1.21.11", + "Relationship": "direct", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "cloud.google.com/go/compute/metadata", + "Identifier": { + "PURL": "pkg:golang/cloud.google.com/go/compute/metadata@v0.2.3", + "UID": "455da4debd76c570" + }, + "Version": "v0.2.3", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/Azure/azure-sdk-for-go", + "Identifier": { + "PURL": "pkg:golang/github.com/azure/azure-sdk-for-go@v68.0.0%2Bincompatible", + "UID": "3234e44d5868c4b7" + }, + "Version": "v68.0.0+incompatible", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/Azure/go-autorest/autorest", + "Identifier": { + "PURL": "pkg:golang/github.com/azure/go-autorest/autorest@v0.11.29", + "UID": "8f9595ce4c765114" + }, + "Version": "v0.11.29", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/Azure/go-autorest/autorest/adal", + "Identifier": { + "PURL": "pkg:golang/github.com/azure/go-autorest/autorest/adal@v0.9.22", + "UID": "d0307ff6f22c4549" + }, + "Version": "v0.9.22", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": 
"github.com/Azure/go-autorest/autorest/azure/auth", + "Identifier": { + "PURL": "pkg:golang/github.com/azure/go-autorest/autorest/azure/auth@v0.5.13", + "UID": "b801dcb71b831dc4" + }, + "Version": "v0.5.13", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/Azure/go-autorest/autorest/azure/cli", + "Identifier": { + "PURL": "pkg:golang/github.com/azure/go-autorest/autorest/azure/cli@v0.4.6", + "UID": "454c5422f240f0e5" + }, + "Version": "v0.4.6", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/Azure/go-autorest/autorest/date", + "Identifier": { + "PURL": "pkg:golang/github.com/azure/go-autorest/autorest/date@v0.3.0", + "UID": "9e99e13686a0099d" + }, + "Version": "v0.3.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/Azure/go-autorest/autorest/to", + "Identifier": { + "PURL": "pkg:golang/github.com/azure/go-autorest/autorest/to@v0.2.0", + "UID": "a4842f105731b8b" + }, + "Version": "v0.2.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/Azure/go-autorest/logger", + "Identifier": { + "PURL": "pkg:golang/github.com/azure/go-autorest/logger@v0.2.1", + "UID": "cf9cced4b81bc522" + }, + "Version": "v0.2.1", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + 
} + }, + { + "Name": "github.com/Azure/go-autorest/tracing", + "Identifier": { + "PURL": "pkg:golang/github.com/azure/go-autorest/tracing@v0.6.0", + "UID": "e4fc1ca593fcf30b" + }, + "Version": "v0.6.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/DataDog/appsec-internal-go", + "Identifier": { + "PURL": "pkg:golang/github.com/datadog/appsec-internal-go@v1.5.0", + "UID": "486691689a988f34" + }, + "Version": "v1.5.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/DataDog/datadog-agent/pkg/obfuscate", + "Identifier": { + "PURL": "pkg:golang/github.com/datadog/datadog-agent/pkg/obfuscate@v0.48.0", + "UID": "13d4a3356bb7be44" + }, + "Version": "v0.48.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/DataDog/datadog-agent/pkg/remoteconfig/state", + "Identifier": { + "PURL": "pkg:golang/github.com/datadog/datadog-agent/pkg/remoteconfig/state@v0.48.1", + "UID": "4f326f386ebe41e1" + }, + "Version": "v0.48.1", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/DataDog/datadog-go/v5", + "Identifier": { + "PURL": "pkg:golang/github.com/datadog/datadog-go/v5@v5.3.0", + "UID": "e519549f92c4cae1" + }, + "Version": "v5.3.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": 
"sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/DataDog/go-libddwaf/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/datadog/go-libddwaf/v2@v2.4.2", + "UID": "66b030fc8ada6502" + }, + "Version": "v2.4.2", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/DataDog/go-tuf", + "Identifier": { + "PURL": "pkg:golang/github.com/datadog/go-tuf@v1.0.2-0.5.2", + "UID": "f90b968f999958a8" + }, + "Version": "v1.0.2-0.5.2", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/DataDog/sketches-go", + "Identifier": { + "PURL": "pkg:golang/github.com/datadog/sketches-go@v1.4.2", + "UID": "4301f79038c569e3" + }, + "Version": "v1.4.2", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/antonmedv/expr", + "Identifier": { + "PURL": "pkg:golang/github.com/antonmedv/expr@v1.15.5", + "UID": "a91efd35a65b995" + }, + "Version": "v1.15.5", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/apparentlymart/go-cidr", + "Identifier": { + "PURL": "pkg:golang/github.com/apparentlymart/go-cidr@v1.1.0", + "UID": "5e6a7ab6f06849c8" + }, + "Version": "v1.1.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": 
"github.com/aws/aws-sdk-go", + "Identifier": { + "PURL": "pkg:golang/github.com/aws/aws-sdk-go@v1.54.11", + "UID": "6c4b133202dc8b41" + }, + "Version": "v1.54.11", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/beorn7/perks", + "Identifier": { + "PURL": "pkg:golang/github.com/beorn7/perks@v1.0.1", + "UID": "ecca423e4f49b2d6" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/cespare/xxhash/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/cespare/xxhash/v2@v2.2.0", + "UID": "9ba1fe7904d0a8e7" + }, + "Version": "v2.2.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/coredns/caddy", + "Identifier": { + "PURL": "pkg:golang/github.com/coredns/caddy@v1.1.1", + "UID": "265a581611162114" + }, + "Version": "v1.1.1", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/coreos/go-semver", + "Identifier": { + "PURL": "pkg:golang/github.com/coreos/go-semver@v0.3.0", + "UID": "e2d0cbed97d240d9" + }, + "Version": "v0.3.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/coreos/go-systemd/v22", + "Identifier": { + "PURL": "pkg:golang/github.com/coreos/go-systemd/v22@v22.3.2", + "UID": "640d4739653ac86d" 
+ }, + "Version": "v22.3.2", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/davecgh/go-spew", + "Identifier": { + "PURL": "pkg:golang/github.com/davecgh/go-spew@v1.1.2-0.20180830191138-d8f796af33cc", + "UID": "5e041a57f27c4f7d" + }, + "Version": "v1.1.2-0.20180830191138-d8f796af33cc", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/dimchansky/utfbom", + "Identifier": { + "PURL": "pkg:golang/github.com/dimchansky/utfbom@v1.1.1", + "UID": "c6b5ef4b0440c9c6" + }, + "Version": "v1.1.1", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/dnstap/golang-dnstap", + "Identifier": { + "PURL": "pkg:golang/github.com/dnstap/golang-dnstap@v0.4.0", + "UID": "8bb5dc41ab1ecf3c" + }, + "Version": "v0.4.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/dustin/go-humanize", + "Identifier": { + "PURL": "pkg:golang/github.com/dustin/go-humanize@v1.0.1", + "UID": "a22cbeb2eec92fba" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/emicklei/go-restful/v3", + "Identifier": { + "PURL": "pkg:golang/github.com/emicklei/go-restful/v3@v3.11.0", + "UID": "cc4fac23283bd88d" + }, + "Version": "v3.11.0", + "Layer": { + 
"Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/farsightsec/golang-framestream", + "Identifier": { + "PURL": "pkg:golang/github.com/farsightsec/golang-framestream@v0.3.0", + "UID": "812d87bed6bf3b2" + }, + "Version": "v0.3.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/felixge/httpsnoop", + "Identifier": { + "PURL": "pkg:golang/github.com/felixge/httpsnoop@v1.0.4", + "UID": "6d1cca8c1f71a68c" + }, + "Version": "v1.0.4", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/flynn/go-shlex", + "Identifier": { + "PURL": "pkg:golang/github.com/flynn/go-shlex@v0.0.0-20150515145356-3f9db97f8568", + "UID": "5c11717a06447e57" + }, + "Version": "v0.0.0-20150515145356-3f9db97f8568", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/go-logr/logr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/logr@v1.4.1", + "UID": "87a406b47229d41d" + }, + "Version": "v1.4.1", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/go-logr/stdr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/stdr@v1.2.2", + "UID": "32934626cc0c7bf" + }, + "Version": "v1.2.2", + "Layer": { + "Digest": 
"sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/go-openapi/jsonpointer", + "Identifier": { + "PURL": "pkg:golang/github.com/go-openapi/jsonpointer@v0.19.6", + "UID": "83947f567aba7670" + }, + "Version": "v0.19.6", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/go-openapi/jsonreference", + "Identifier": { + "PURL": "pkg:golang/github.com/go-openapi/jsonreference@v0.20.2", + "UID": "bb0753a32727bb86" + }, + "Version": "v0.20.2", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/go-openapi/swag", + "Identifier": { + "PURL": "pkg:golang/github.com/go-openapi/swag@v0.22.3", + "UID": "94f1a056434d713c" + }, + "Version": "v0.22.3", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/gogo/protobuf", + "Identifier": { + "PURL": "pkg:golang/github.com/gogo/protobuf@v1.3.2", + "UID": "28e0c4083b792bd" + }, + "Version": "v1.3.2", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/golang-jwt/jwt/v4", + "Identifier": { + "PURL": "pkg:golang/github.com/golang-jwt/jwt/v4@v4.5.0", + "UID": "f620aa64a0804650" + }, + "Version": "v4.5.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": 
"sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/golang/groupcache", + "Identifier": { + "PURL": "pkg:golang/github.com/golang/groupcache@v0.0.0-20210331224755-41bb18bfe9da", + "UID": "77feb5048d60d83c" + }, + "Version": "v0.0.0-20210331224755-41bb18bfe9da", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/golang/protobuf", + "Identifier": { + "PURL": "pkg:golang/github.com/golang/protobuf@v1.5.4", + "UID": "34b9e8845fb53dfb" + }, + "Version": "v1.5.4", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/google/gnostic-models", + "Identifier": { + "PURL": "pkg:golang/github.com/google/gnostic-models@v0.6.8", + "UID": "5817cdc8a901fe1" + }, + "Version": "v0.6.8", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/google/go-cmp", + "Identifier": { + "PURL": "pkg:golang/github.com/google/go-cmp@v0.6.0", + "UID": "5760b470cf88e1e6" + }, + "Version": "v0.6.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/google/gofuzz", + "Identifier": { + "PURL": "pkg:golang/github.com/google/gofuzz@v1.2.0", + "UID": "98a6c7d4269b4959" + }, + "Version": "v1.2.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + 
}, + { + "Name": "github.com/google/s2a-go", + "Identifier": { + "PURL": "pkg:golang/github.com/google/s2a-go@v0.1.7", + "UID": "5ac7addc2b245fc" + }, + "Version": "v0.1.7", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/google/uuid", + "Identifier": { + "PURL": "pkg:golang/github.com/google/uuid@v1.6.0", + "UID": "2ae018f66b3805ea" + }, + "Version": "v1.6.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/googleapis/enterprise-certificate-proxy", + "Identifier": { + "PURL": "pkg:golang/github.com/googleapis/enterprise-certificate-proxy@v0.3.2", + "UID": "3acea159a42dc8f2" + }, + "Version": "v0.3.2", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/googleapis/gax-go/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/googleapis/gax-go/v2@v2.12.3", + "UID": "c8f62208c9d741b1" + }, + "Version": "v2.12.3", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/grpc-ecosystem/grpc-opentracing", + "Identifier": { + "PURL": "pkg:golang/github.com/grpc-ecosystem/grpc-opentracing@v0.0.0-20180507213350-8e809c8a8645", + "UID": "191d2f8b0bc08eef" + }, + "Version": "v0.0.0-20180507213350-8e809c8a8645", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + 
"Name": "github.com/hashicorp/errwrap", + "Identifier": { + "PURL": "pkg:golang/github.com/hashicorp/errwrap@v1.1.0", + "UID": "f126895a9e0a5980" + }, + "Version": "v1.1.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/hashicorp/go-multierror", + "Identifier": { + "PURL": "pkg:golang/github.com/hashicorp/go-multierror@v1.1.1", + "UID": "8b128846dc5bbfe1" + }, + "Version": "v1.1.1", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/imdario/mergo", + "Identifier": { + "PURL": "pkg:golang/github.com/imdario/mergo@v0.3.12", + "UID": "b6b8323d6aede76c" + }, + "Version": "v0.3.12", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/infobloxopen/go-trees", + "Identifier": { + "PURL": "pkg:golang/github.com/infobloxopen/go-trees@v0.0.0-20200715205103-96a057b8dfb9", + "UID": "3ba679f0721a8c36" + }, + "Version": "v0.0.0-20200715205103-96a057b8dfb9", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/jmespath/go-jmespath", + "Identifier": { + "PURL": "pkg:golang/github.com/jmespath/go-jmespath@v0.4.0", + "UID": "34c788a0177a6e49" + }, + "Version": "v0.4.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/josharian/intern", + 
"Identifier": { + "PURL": "pkg:golang/github.com/josharian/intern@v1.0.0", + "UID": "1f3a313a643c53a7" + }, + "Version": "v1.0.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/json-iterator/go", + "Identifier": { + "PURL": "pkg:golang/github.com/json-iterator/go@v1.1.12", + "UID": "fde9f108c3961dc3" + }, + "Version": "v1.1.12", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/mailru/easyjson", + "Identifier": { + "PURL": "pkg:golang/github.com/mailru/easyjson@v0.7.7", + "UID": "587de5fc80059a4d" + }, + "Version": "v0.7.7", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/matttproud/golang_protobuf_extensions", + "Identifier": { + "PURL": "pkg:golang/github.com/matttproud/golang_protobuf_extensions@v1.0.4", + "UID": "8d26a938d765ec4" + }, + "Version": "v1.0.4", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/miekg/dns", + "Identifier": { + "PURL": "pkg:golang/github.com/miekg/dns@v1.1.59", + "UID": "78036c4bab1b77c" + }, + "Version": "v1.1.59", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/mitchellh/go-homedir", + "Identifier": { + "PURL": "pkg:golang/github.com/mitchellh/go-homedir@v1.1.0", + "UID": 
"ac4070465f95f7a5" + }, + "Version": "v1.1.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/modern-go/concurrent", + "Identifier": { + "PURL": "pkg:golang/github.com/modern-go/concurrent@v0.0.0-20180306012644-bacd9c7ef1dd", + "UID": "4555ba4c224f9771" + }, + "Version": "v0.0.0-20180306012644-bacd9c7ef1dd", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/modern-go/reflect2", + "Identifier": { + "PURL": "pkg:golang/github.com/modern-go/reflect2@v1.0.2", + "UID": "67eb41c1672e9b76" + }, + "Version": "v1.0.2", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/munnerz/goautoneg", + "Identifier": { + "PURL": "pkg:golang/github.com/munnerz/goautoneg@v0.0.0-20191010083416-a7dc8b61c822", + "UID": "a1d1b0bab78ee318" + }, + "Version": "v0.0.0-20191010083416-a7dc8b61c822", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/opentracing-contrib/go-observer", + "Identifier": { + "PURL": "pkg:golang/github.com/opentracing-contrib/go-observer@v0.0.0-20170622124052-a52f23424492", + "UID": "212b0356a2295ec" + }, + "Version": "v0.0.0-20170622124052-a52f23424492", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/opentracing/opentracing-go", 
+ "Identifier": { + "PURL": "pkg:golang/github.com/opentracing/opentracing-go@v1.2.0", + "UID": "5dd7a29e0b99c7f9" + }, + "Version": "v1.2.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/openzipkin-contrib/zipkin-go-opentracing", + "Identifier": { + "PURL": "pkg:golang/github.com/openzipkin-contrib/zipkin-go-opentracing@v0.5.0", + "UID": "5cb49e21bc06908b" + }, + "Version": "v0.5.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/openzipkin/zipkin-go", + "Identifier": { + "PURL": "pkg:golang/github.com/openzipkin/zipkin-go@v0.4.3", + "UID": "f90487e802b0f531" + }, + "Version": "v0.4.3", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/oschwald/geoip2-golang", + "Identifier": { + "PURL": "pkg:golang/github.com/oschwald/geoip2-golang@v1.9.0", + "UID": "9d57a95fa73f2b74" + }, + "Version": "v1.9.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/oschwald/maxminddb-golang", + "Identifier": { + "PURL": "pkg:golang/github.com/oschwald/maxminddb-golang@v1.11.0", + "UID": "72c4461eda97d443" + }, + "Version": "v1.11.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/outcaste-io/ristretto", + "Identifier": { + "PURL": 
"pkg:golang/github.com/outcaste-io/ristretto@v0.2.3", + "UID": "3c0cda70de6299d5" + }, + "Version": "v0.2.3", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/philhofer/fwd", + "Identifier": { + "PURL": "pkg:golang/github.com/philhofer/fwd@v1.1.2", + "UID": "3d88b7a099289207" + }, + "Version": "v1.1.2", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/pkg/errors", + "Identifier": { + "PURL": "pkg:golang/github.com/pkg/errors@v0.9.1", + "UID": "a2e194d8fa52748c" + }, + "Version": "v0.9.1", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/prometheus/client_golang", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_golang@v1.19.1", + "UID": "c26fe56f4e6be43b" + }, + "Version": "v1.19.1", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/prometheus/client_model", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_model@v0.6.1", + "UID": "5727b303d35151d" + }, + "Version": "v0.6.1", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/prometheus/common", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/common@v0.53.0", + "UID": "6dde0918f994bcae" + }, + "Version": "v0.53.0", + 
"Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/prometheus/procfs", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/procfs@v0.12.0", + "UID": "d998eaf5c66aca80" + }, + "Version": "v0.12.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/quic-go/quic-go", + "Identifier": { + "PURL": "pkg:golang/github.com/quic-go/quic-go@v0.44.0", + "UID": "a8824baf3bc10d1d" + }, + "Version": "v0.44.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/secure-systems-lab/go-securesystemslib", + "Identifier": { + "PURL": "pkg:golang/github.com/secure-systems-lab/go-securesystemslib@v0.7.0", + "UID": "c2f02f695cc49a16" + }, + "Version": "v0.7.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/spf13/pflag", + "Identifier": { + "PURL": "pkg:golang/github.com/spf13/pflag@v1.0.5", + "UID": "1d5957527792ddfc" + }, + "Version": "v1.0.5", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "github.com/tinylib/msgp", + "Identifier": { + "PURL": "pkg:golang/github.com/tinylib/msgp@v1.1.8", + "UID": "f2f0d733578d7863" + }, + "Version": "v1.1.8", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + 
"DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "go.etcd.io/etcd/api/v3", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/etcd/api/v3@v3.5.13", + "UID": "8b0bb593915606d8" + }, + "Version": "v3.5.13", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "go.etcd.io/etcd/client/pkg/v3", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/etcd/client/pkg/v3@v3.5.13", + "UID": "42c551ffca79532" + }, + "Version": "v3.5.13", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "go.etcd.io/etcd/client/v3", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/etcd/client/v3@v3.5.13", + "UID": "e8d3dee19c78223b" + }, + "Version": "v3.5.13", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "go.opencensus.io", + "Identifier": { + "PURL": "pkg:golang/go.opencensus.io@v0.24.0", + "UID": "c06b362cdfa896f0" + }, + "Version": "v0.24.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.49.0", + "UID": "29b162c3d89edd10" + }, + "Version": "v0.49.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + 
}, + { + "Name": "go.opentelemetry.io/otel", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel@v1.24.0", + "UID": "1e43bc80f5c8b1de" + }, + "Version": "v1.24.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "go.opentelemetry.io/otel/metric", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/metric@v1.24.0", + "UID": "8778d79728323c71" + }, + "Version": "v1.24.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "go.opentelemetry.io/otel/trace", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/trace@v1.24.0", + "UID": "e90547f958034ea0" + }, + "Version": "v1.24.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "go.uber.org/atomic", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/atomic@v1.11.0", + "UID": "1caf30f10e997ebf" + }, + "Version": "v1.11.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "go.uber.org/multierr", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/multierr@v1.6.0", + "UID": "4306192f5bb4c3bd" + }, + "Version": "v1.6.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "go.uber.org/zap", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/zap@v1.17.0", + "UID": "3948098ef1c1e5b6" + }, + "Version": 
"v1.17.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "golang.org/x/crypto", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/crypto@v0.23.0", + "UID": "78d72dbddb7bc68f" + }, + "Version": "v0.23.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "golang.org/x/exp", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/exp@v0.0.0-20240506185415-9bf2ced13842", + "UID": "137e6e350d919c98" + }, + "Version": "v0.0.0-20240506185415-9bf2ced13842", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "golang.org/x/net", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.25.0", + "UID": "abe2a33cc3021a79" + }, + "Version": "v0.25.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "golang.org/x/oauth2", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/oauth2@v0.18.0", + "UID": "3b4c4e4e26f69965" + }, + "Version": "v0.18.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "golang.org/x/sys", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/sys@v0.20.0", + "UID": "37b3f717fc4d9efd" + }, + "Version": "v0.20.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": 
"sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "golang.org/x/term", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/term@v0.20.0", + "UID": "2ef5f946aa7fbe93" + }, + "Version": "v0.20.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "golang.org/x/text", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/text@v0.15.0", + "UID": "eb998a36836d568e" + }, + "Version": "v0.15.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "golang.org/x/time", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/time@v0.5.0", + "UID": "d10061ab36e14437" + }, + "Version": "v0.5.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "golang.org/x/xerrors", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/xerrors@v0.0.0-20220907171357-04be3eba64a2", + "UID": "43aaa43f6b66e70c" + }, + "Version": "v0.0.0-20220907171357-04be3eba64a2", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "google.golang.org/api", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/api@v0.172.0", + "UID": "e74560dbd3b7089" + }, + "Version": "v0.172.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "google.golang.org/genproto/googleapis/api", + "Identifier": 
{ + "PURL": "pkg:golang/google.golang.org/genproto/googleapis/api@v0.0.0-20240311132316-a219d84964c2", + "UID": "5ee7b50b544def5a" + }, + "Version": "v0.0.0-20240311132316-a219d84964c2", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "google.golang.org/genproto/googleapis/rpc", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/genproto/googleapis/rpc@v0.0.0-20240415180920-8c6c420018be", + "UID": "b0ef727c6bd63813" + }, + "Version": "v0.0.0-20240415180920-8c6c420018be", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "google.golang.org/grpc", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/grpc@v1.63.2", + "UID": "f0bb59d3fa61d50f" + }, + "Version": "v1.63.2", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "google.golang.org/protobuf", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/protobuf@v1.33.0", + "UID": "c1fde844a066778b" + }, + "Version": "v1.33.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "gopkg.in/DataDog/dd-trace-go.v1", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/datadog/dd-trace-go.v1@v1.64.0", + "UID": "dcff9f6dbfffc55b" + }, + "Version": "v1.64.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "gopkg.in/inf.v0", + 
"Identifier": { + "PURL": "pkg:golang/gopkg.in/inf.v0@v0.9.1", + "UID": "717ad100b3dc91b7" + }, + "Version": "v0.9.1", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "gopkg.in/yaml.v2", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/yaml.v2@v2.4.0", + "UID": "236def136c01e6b2" + }, + "Version": "v2.4.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "gopkg.in/yaml.v3", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/yaml.v3@v3.0.1", + "UID": "4cadc5beea6a7dc6" + }, + "Version": "v3.0.1", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "k8s.io/api", + "Identifier": { + "PURL": "pkg:golang/k8s.io/api@v0.29.3", + "UID": "991183d978169890" + }, + "Version": "v0.29.3", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "k8s.io/apimachinery", + "Identifier": { + "PURL": "pkg:golang/k8s.io/apimachinery@v0.29.3", + "UID": "be9c215f422f56d7" + }, + "Version": "v0.29.3", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "k8s.io/client-go", + "Identifier": { + "PURL": "pkg:golang/k8s.io/client-go@v0.29.3", + "UID": "3f53da98d3b686fc" + }, + "Version": "v0.29.3", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": 
"sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "k8s.io/klog/v2", + "Identifier": { + "PURL": "pkg:golang/k8s.io/klog/v2@v2.120.1", + "UID": "828de5089e9f92cb" + }, + "Version": "v2.120.1", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "k8s.io/kube-openapi", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kube-openapi@v0.0.0-20231010175941-2dd684a91f00", + "UID": "68a77a9799e4b3aa" + }, + "Version": "v0.0.0-20231010175941-2dd684a91f00", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "k8s.io/utils", + "Identifier": { + "PURL": "pkg:golang/k8s.io/utils@v0.0.0-20230726121419-3b25d923346b", + "UID": "6a8bc10f35771151" + }, + "Version": "v0.0.0-20230726121419-3b25d923346b", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "sigs.k8s.io/json", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/json@v0.0.0-20221116044647-bc3834ca7abd", + "UID": "c04d36bb933d7ec3" + }, + "Version": "v0.0.0-20221116044647-bc3834ca7abd", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "sigs.k8s.io/structured-merge-diff/v4", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/structured-merge-diff/v4@v4.4.1", + "UID": "2b7fe5bac00d9d48" + }, + "Version": "v4.4.1", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": 
"sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + }, + { + "Name": "sigs.k8s.io/yaml", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/yaml@v1.3.0", + "UID": "c867223bb7c2c060" + }, + "Version": "v1.3.0", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + } + } + ], + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2024-51744", + "PkgName": "github.com/golang-jwt/jwt/v4", + "PkgIdentifier": { + "PURL": "pkg:golang/github.com/golang-jwt/jwt/v4@v4.5.0", + "UID": "f620aa64a0804650" + }, + "InstalledVersion": "v4.5.0", + "FixedVersion": "4.5.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-51744", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang-jwt: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt", + "Description": "golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. 
In this logic, the `ParseWithClaims` function will immediately return in \"dangerous\" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors (\"dangerous\" ones first), so that you are not running in the case detailed above.", + "Severity": "LOW", + "CweIDs": [ + "CWE-755" + ], + "VendorSeverity": { + "ghsa": 1, + "redhat": 1 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", + "V3Score": 3.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", + "V3Score": 3.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-51744", + "https://github.com/golang-jwt/jwt", + "https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c", + "https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r", + "https://nvd.nist.gov/vuln/detail/CVE-2024-51744", + "https://www.cve.org/CVERecord?id=CVE-2024-51744" + ], + "PublishedDate": "2024-11-04T22:15:03.997Z", + "LastModifiedDate": "2024-11-05T16:04:26.053Z" + }, + { + "VulnerabilityID": "CVE-2024-53259", + "PkgName": "github.com/quic-go/quic-go", + "PkgIdentifier": { + "PURL": "pkg:golang/github.com/quic-go/quic-go@v0.44.0", + "UID": "a8824baf3bc10d1d" + }, + "InstalledVersion": "v0.44.0", + "FixedVersion": "0.48.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + }, + "SeveritySource": 
"ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-53259", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "quic-go is an implementation of the QUIC protocol in Go. An off-path a ...", + "Description": "quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a \"message too large\" error on sendmsg, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet. By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they're unable to establish a QUIC connection). The attacker needs to at least know the client's IP and port tuple to mount an attack. 
This vulnerability is fixed in 0.48.2.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-345" + ], + "VendorSeverity": { + "ghsa": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://github.com/quic-go/quic-go", + "https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50", + "https://github.com/quic-go/quic-go/pull/4729", + "https://github.com/quic-go/quic-go/releases/tag/v0.48.2", + "https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr", + "https://nvd.nist.gov/vuln/detail/CVE-2024-53259" + ], + "PublishedDate": "2024-12-02T17:15:12.767Z", + "LastModifiedDate": "2024-12-02T17:15:12.767Z" + }, + { + "VulnerabilityID": "CVE-2024-34156", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": "pkg:golang/stdlib@v1.21.11", + "UID": "d89e0fcc3c63a2a1" + }, + "InstalledVersion": "v1.21.11", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34156", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion", + "Description": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. 
This is a follow-up to CVE-2022-30635.", + "Severity": "HIGH", + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9473", + "https://access.redhat.com/security/cve/CVE-2024-34156", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2318052", + "https://bugzilla.redhat.com/show_bug.cgi?id=2262921", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1394", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://errata.almalinux.org/9/ALSA-2024-9473.html", + "https://errata.rockylinux.org/RLSA-2024:7262", + "https://github.com/golang/go/commit/2092294f2b097c5828f4eace6c98a322c1510b01 (go1.22.7)", + "https://github.com/golang/go/commit/fa8ff1a46deb6c816304441ec6740ec112e19012 (go1.23.1)", + "https://go.dev/cl/611239", + "https://go.dev/issue/69139", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34156.html", + "https://linux.oracle.com/errata/ELSA-2024-9473.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34156", + "https://pkg.go.dev/vuln/GO-2024-3106", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34156" + ], + "PublishedDate": "2024-09-06T21:15:12.02Z", + "LastModifiedDate": "2024-09-09T15:35:07.573Z" + }, + { + "VulnerabilityID": "CVE-2024-24791", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": 
"pkg:golang/stdlib@v1.21.11", + "UID": "d89e0fcc3c63a2a1" + }, + "InstalledVersion": "v1.21.11", + "FixedVersion": "1.21.12, 1.22.5", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-24791", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "net/http: Denial of service due to improper 100-continue handling in net/http", + "Description": "The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an \"Expect: 100-continue\" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending \"Expect: 100-continue\" requests which elicit a non-informational response from the backend. 
Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 3, + "bitnami": 3, + "oracle-oval": 2, + "photon": 3, + "redhat": 2, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9135", + "https://access.redhat.com/security/cve/CVE-2024-24791", + "https://bugzilla.redhat.com/2268017", + "https://bugzilla.redhat.com/2268022", + "https://bugzilla.redhat.com/2279814", + "https://bugzilla.redhat.com/2295310", + "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791", + "https://errata.almalinux.org/9/ALSA-2024-9135.html", + "https://errata.rockylinux.org/RLSA-2024:7349", + "https://go.dev/cl/591255", + "https://go.dev/issue/67555", + "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ", + "https://linux.oracle.com/cve/CVE-2024-24791.html", + "https://linux.oracle.com/errata/ELSA-2024-9115.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-24791", + "https://pkg.go.dev/vuln/GO-2024-2963", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-24791" + ], + "PublishedDate": "2024-07-02T22:15:04.833Z", + "LastModifiedDate": "2024-07-08T14:17:39.083Z" + }, + { + "VulnerabilityID": "CVE-2024-34155", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": "pkg:golang/stdlib@v1.21.11", + "UID": "d89e0fcc3c63a2a1" + }, + "InstalledVersion": "v1.21.11", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": 
"sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34155", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "go/parser: golang: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion", + "Description": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 2, + "oracle-oval": 3, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 4.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9459", + "https://access.redhat.com/security/cve/CVE-2024-34155", + "https://bugzilla.redhat.com/2310527", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2310529", + "https://bugzilla.redhat.com/2315691", + "https://bugzilla.redhat.com/2315887", + "https://bugzilla.redhat.com/2317458", + "https://bugzilla.redhat.com/2317467", + "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310527", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310529", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34155", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34158", + "https://errata.almalinux.org/9/ALSA-2024-9459.html", + 
"https://errata.rockylinux.org/RLSA-2024:6913", + "https://github.com/golang/go/commit/53487e5477151ed75da50e50a0ba8f1ca64c00a3 (go1.23.1)", + "https://github.com/golang/go/commit/b232596139dbe96a62edbe3a2a203e856bf556eb (go1.22.7)", + "https://go.dev/cl/611238", + "https://go.dev/issue/69138", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34155.html", + "https://linux.oracle.com/errata/ELSA-2024-9459.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34155", + "https://pkg.go.dev/vuln/GO-2024-3105", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34155" + ], + "PublishedDate": "2024-09-06T21:15:11.947Z", + "LastModifiedDate": "2024-11-04T17:35:17.887Z" + }, + { + "VulnerabilityID": "CVE-2024-34158", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": "pkg:golang/stdlib@v1.21.11", + "UID": "d89e0fcc3c63a2a1" + }, + "InstalledVersion": "v1.21.11", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d095569ed07d46f67b8d67f2fd1456c4ab693f33c70d3d31e8ad0148cd1052ee", + "DiffID": "sha256:21c2962c204299c738896a757fbcc4190df6d7992af7b31457fb71bbac86df7c" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34158", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "go/build/constraint: golang: Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion", + "Description": "Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 3, + 
"oracle-oval": 3, + "photon": 3, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9459", + "https://access.redhat.com/security/cve/CVE-2024-34158", + "https://bugzilla.redhat.com/2310527", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2310529", + "https://bugzilla.redhat.com/2315691", + "https://bugzilla.redhat.com/2315887", + "https://bugzilla.redhat.com/2317458", + "https://bugzilla.redhat.com/2317467", + "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310527", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310529", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34155", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34158", + "https://errata.almalinux.org/9/ALSA-2024-9459.html", + "https://errata.rockylinux.org/RLSA-2024:6913", + "https://github.com/golang/go/commit/032ac075c20c01c6c35a672d1542d3e98eab84ea (go1.23.1)", + "https://github.com/golang/go/commit/d4c53812e6ce2ac368173d7fcd31d0ecfcffb002 (go1.22.7)", + "https://go.dev/cl/611240", + "https://go.dev/issue/69141", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34158.html", + "https://linux.oracle.com/errata/ELSA-2024-9459.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34158", + "https://pkg.go.dev/vuln/GO-2024-3107", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + 
"https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34158" + ], + "PublishedDate": "2024-09-06T21:15:12.083Z", + "LastModifiedDate": "2024-09-09T14:35:01.17Z" + } + ] + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "Pod", + "Name": "kube-scheduler-kind-control-plane", + "Metadata": [ + { + "OS": { + "Family": "debian", + "Name": "12.7" + }, + "ImageID": "sha256:847c7bc1a541865e150af08318f49d02d0e0cff4a0530fd4ffe369e294dd2856", + "DiffIDs": [ + "sha256:d37950ece3d30af513521db15b49bfcc95853a6664fe784eeea059572a5bbe55", + "sha256:8fa10c0194df9b7c054c90dbe482585f768a54428fc90a5b78a0066a123b1bba", + "sha256:ddc6e550070ca022d94bd4415de20545ba69954033b4985045a8b05f538bbe5c", + "sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368", + "sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc", + "sha256:ac805962e47900b616b2f4b4584a34ac7b07d64ac1fd2c077478cf65311addcc", + "sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b", + "sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1", + "sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849", + "sha256:f4aee9e53c42a22ed82451218c3ea03d1eea8d6ca8fbe8eb4e950304ba8a8bb3", + "sha256:b336e209998fa5cf0eec3dabf93a21194198a35f4f75612d8da03693f8c30217", + "sha256:5af9420e3bf1a287353fa1de7c571a55c6590eea8ebd4fac5fcf3b7f1f9903fa", + "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + ], + "RepoTags": [ + "registry.k8s.io/kube-scheduler:v1.31.2" + ], + "RepoDigests": [ + "registry.k8s.io/kube-scheduler@sha256:0f78992e985d0dbe65f3e7598943d34b725cd61a21ba92edf5ac29f0f2b61282" + ], + "ImageConfig": { + "architecture": "amd64", + "created": "2024-10-22T20:45:57.065979737Z", + "history": [ + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + 
"created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "2024-10-15T09:08:07.903895305Z", + "created_by": "LABEL maintainers=Kubernetes Authors", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-10-15T09:08:07.903895305Z", + "created_by": "LABEL description=go based runner for distroless scenarios", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-10-15T09:08:07.903895305Z", + "created_by": "WORKDIR /", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-10-15T09:08:07.903895305Z", + "created_by": "COPY /workspace/go-runner . # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2024-10-15T09:08:07.903895305Z", + "created_by": "ENTRYPOINT [\"/go-runner\"]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-10-22T20:45:57.065979737Z", + "created_by": "COPY /usr/local/bin/ # buildkit", + "comment": "buildkit.dockerfile.v0" + } + ], + "os": "linux", + "rootfs": { + "type": "layers", + "diff_ids": [ + "sha256:d37950ece3d30af513521db15b49bfcc95853a6664fe784eeea059572a5bbe55", + "sha256:8fa10c0194df9b7c054c90dbe482585f768a54428fc90a5b78a0066a123b1bba", + "sha256:ddc6e550070ca022d94bd4415de20545ba69954033b4985045a8b05f538bbe5c", + "sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368", + "sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc", + "sha256:ac805962e47900b616b2f4b4584a34ac7b07d64ac1fd2c077478cf65311addcc", + "sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b", + "sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1", + 
"sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849", + "sha256:f4aee9e53c42a22ed82451218c3ea03d1eea8d6ca8fbe8eb4e950304ba8a8bb3", + "sha256:b336e209998fa5cf0eec3dabf93a21194198a35f4f75612d8da03693f8c30217", + "sha256:5af9420e3bf1a287353fa1de7c571a55c6590eea8ebd4fac5fcf3b7f1f9903fa", + "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + ] + }, + "config": { + "Entrypoint": [ + "/go-runner" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt" + ], + "Labels": { + "description": "go based runner for distroless scenarios", + "maintainers": "Kubernetes Authors" + }, + "User": "0", + "WorkingDir": "/" + } + } + } + ], + "Results": [ + { + "Target": "registry.k8s.io/kube-scheduler:v1.31.2 (debian 12.7)", + "Class": "os-pkgs", + "Type": "debian", + "Packages": [ + { + "ID": "base-files@12.4+deb12u7", + "Name": "base-files", + "Identifier": { + "PURL": "pkg:deb/debian/base-files@12.4%2Bdeb12u7?arch=amd64\u0026distro=debian-12.7", + "UID": "392b0a2ef700f88e" + }, + "Version": "12.4+deb12u7", + "Arch": "amd64", + "SrcName": "base-files", + "SrcVersion": "12.4+deb12u7", + "Licenses": [ + "GPL-2.0-or-later" + ], + "Maintainer": "Santiago Vila \u003csanvila@debian.org\u003e", + "Layer": { + "Digest": "sha256:0674a6f58b64d0431620993268b1a1b0ef8618ee3cffd96d4662c2759ec43894", + "DiffID": "sha256:d37950ece3d30af513521db15b49bfcc95853a6664fe784eeea059572a5bbe55" + } + }, + { + "ID": "netbase@6.4", + "Name": "netbase", + "Identifier": { + "PURL": "pkg:deb/debian/netbase@6.4?arch=all\u0026distro=debian-12.7", + "UID": "4f7e568d50cdb727" + }, + "Version": "6.4", + "Arch": "all", + "SrcName": "netbase", + "SrcVersion": "6.4", + "Licenses": [ + "GPL-2.0-only" + ], + "Maintainer": "Marco d'Itri \u003cmd@linux.it\u003e", + "Layer": { + "Digest": "sha256:2e4cf50eeb92ac3a7afe75e15d96a26dee99449f86b46c75b5d95f4418a5bca0", + "DiffID": 
"sha256:8fa10c0194df9b7c054c90dbe482585f768a54428fc90a5b78a0066a123b1bba" + } + }, + { + "ID": "tzdata@2024a-0+deb12u1", + "Name": "tzdata", + "Identifier": { + "PURL": "pkg:deb/debian/tzdata@2024a-0%2Bdeb12u1?arch=all\u0026distro=debian-12.7", + "UID": "b88ec8ecf4963fd2" + }, + "Version": "2024a", + "Release": "0+deb12u1", + "Arch": "all", + "SrcName": "tzdata", + "SrcVersion": "2024a", + "SrcRelease": "0+deb12u1", + "Licenses": [ + "public-domain" + ], + "Maintainer": "GNU Libc Maintainers \u003cdebian-glibc@lists.debian.org\u003e", + "Layer": { + "Digest": "sha256:6f4cfee9177b9f884e8d86b48261a25094b2fcea1a7920919f47ea00712dbee8", + "DiffID": "sha256:ddc6e550070ca022d94bd4415de20545ba69954033b4985045a8b05f538bbe5c" + } + } + ] + }, + { + "Target": "go-runner", + "Class": "lang-pkgs", + "Type": "gobinary", + "Packages": [ + { + "Name": "k8s.io/release/images/build/go-runner", + "Identifier": { + "PURL": "pkg:golang/k8s.io/release/images/build/go-runner", + "UID": "de04e9e6653a54e4" + }, + "Relationship": "root", + "Layer": { + "Digest": "sha256:06b0f115d3d14c931cd74a4eb2c25db288bc369b9c85017d3f1a4bc6e62cc63a", + "DiffID": "sha256:5af9420e3bf1a287353fa1de7c571a55c6590eea8ebd4fac5fcf3b7f1f9903fa" + } + }, + { + "Name": "stdlib", + "Identifier": { + "PURL": "pkg:golang/stdlib@v1.22.8", + "UID": "fcb415220c9b00d9" + }, + "Version": "v1.22.8", + "Relationship": "direct", + "Layer": { + "Digest": "sha256:06b0f115d3d14c931cd74a4eb2c25db288bc369b9c85017d3f1a4bc6e62cc63a", + "DiffID": "sha256:5af9420e3bf1a287353fa1de7c571a55c6590eea8ebd4fac5fcf3b7f1f9903fa" + } + } + ] + }, + { + "Target": "usr/local/bin/kube-scheduler", + "Class": "lang-pkgs", + "Type": "gobinary", + "Packages": [ + { + "Name": "k8s.io/kubernetes", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kubernetes", + "UID": "1ba74a486105d31e" + }, + "Relationship": "root", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": 
"sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "stdlib", + "Identifier": { + "PURL": "pkg:golang/stdlib@v1.22.8", + "UID": "e13e4a5a643ab974" + }, + "Version": "v1.22.8", + "Relationship": "direct", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/NYTimes/gziphandler", + "Identifier": { + "PURL": "pkg:golang/github.com/nytimes/gziphandler@v1.1.1", + "UID": "4ff05063a7972993" + }, + "Version": "v1.1.1", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/antlr4-go/antlr/v4", + "Identifier": { + "PURL": "pkg:golang/github.com/antlr4-go/antlr/v4@v4.13.0", + "UID": "9525b082bdf08c9b" + }, + "Version": "v4.13.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/asaskevich/govalidator", + "Identifier": { + "PURL": "pkg:golang/github.com/asaskevich/govalidator@v0.0.0-20190424111038-f61b66f89f4a", + "UID": "259b17939f398eb9" + }, + "Version": "v0.0.0-20190424111038-f61b66f89f4a", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/beorn7/perks", + "Identifier": { + "PURL": "pkg:golang/github.com/beorn7/perks@v1.0.1", + "UID": "45a482c73efb35a0" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" 
+ } + }, + { + "Name": "github.com/blang/semver/v4", + "Identifier": { + "PURL": "pkg:golang/github.com/blang/semver/v4@v4.0.0", + "UID": "3e3ab88f09e6ebf9" + }, + "Version": "v4.0.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/cenkalti/backoff/v4", + "Identifier": { + "PURL": "pkg:golang/github.com/cenkalti/backoff/v4@v4.3.0", + "UID": "7a00a03be344e088" + }, + "Version": "v4.3.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/cespare/xxhash/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/cespare/xxhash/v2@v2.3.0", + "UID": "5804d1167827fe10" + }, + "Version": "v2.3.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/coreos/go-semver", + "Identifier": { + "PURL": "pkg:golang/github.com/coreos/go-semver@v0.3.1", + "UID": "1c4af8d3501fca7c" + }, + "Version": "v0.3.1", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/coreos/go-systemd/v22", + "Identifier": { + "PURL": "pkg:golang/github.com/coreos/go-systemd/v22@v22.5.0", + "UID": "18beca9277b6caf9" + }, + "Version": "v22.5.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/davecgh/go-spew", + "Identifier": { + "PURL": 
"pkg:golang/github.com/davecgh/go-spew@v1.1.2-0.20180830191138-d8f796af33cc", + "UID": "a2e62cd75a0dd303" + }, + "Version": "v1.1.2-0.20180830191138-d8f796af33cc", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/distribution/reference", + "Identifier": { + "PURL": "pkg:golang/github.com/distribution/reference@v0.5.0", + "UID": "f23cf9d468da7551" + }, + "Version": "v0.5.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/emicklei/go-restful/v3", + "Identifier": { + "PURL": "pkg:golang/github.com/emicklei/go-restful/v3@v3.11.0", + "UID": "681d692425c9a0c7" + }, + "Version": "v3.11.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/felixge/httpsnoop", + "Identifier": { + "PURL": "pkg:golang/github.com/felixge/httpsnoop@v1.0.4", + "UID": "cffb4e6fe1bbbbb6" + }, + "Version": "v1.0.4", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/fsnotify/fsnotify", + "Identifier": { + "PURL": "pkg:golang/github.com/fsnotify/fsnotify@v1.7.0", + "UID": "b0d5fab35e115f05" + }, + "Version": "v1.7.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/fxamacker/cbor/v2", + "Identifier": { + "PURL": 
"pkg:golang/github.com/fxamacker/cbor/v2@v2.7.0", + "UID": "e4bd011df98de49c" + }, + "Version": "v2.7.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/go-logr/logr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/logr@v1.4.2", + "UID": "4cd2603f1bd836a" + }, + "Version": "v1.4.2", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/go-logr/stdr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/stdr@v1.2.2", + "UID": "ee6e7c8e21c0b559" + }, + "Version": "v1.2.2", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/go-logr/zapr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/zapr@v1.3.0", + "UID": "dabdca62b7229bed" + }, + "Version": "v1.3.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/go-openapi/jsonpointer", + "Identifier": { + "PURL": "pkg:golang/github.com/go-openapi/jsonpointer@v0.19.6", + "UID": "1aefa58d8c4324da" + }, + "Version": "v0.19.6", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/go-openapi/jsonreference", + "Identifier": { + "PURL": "pkg:golang/github.com/go-openapi/jsonreference@v0.20.2", + "UID": "b54511b682b71c78" + }, + "Version": "v0.20.2", + "Layer": { + 
"Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/go-openapi/swag", + "Identifier": { + "PURL": "pkg:golang/github.com/go-openapi/swag@v0.22.4", + "UID": "1f3ed9c5d6c1abc2" + }, + "Version": "v0.22.4", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/gogo/protobuf", + "Identifier": { + "PURL": "pkg:golang/github.com/gogo/protobuf@v1.3.2", + "UID": "738effca803d0603" + }, + "Version": "v1.3.2", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/golang/groupcache", + "Identifier": { + "PURL": "pkg:golang/github.com/golang/groupcache@v0.0.0-20210331224755-41bb18bfe9da", + "UID": "f3a98e2e8b15042" + }, + "Version": "v0.0.0-20210331224755-41bb18bfe9da", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/golang/protobuf", + "Identifier": { + "PURL": "pkg:golang/github.com/golang/protobuf@v1.5.4", + "UID": "9c69db3da8a6d119" + }, + "Version": "v1.5.4", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/google/cel-go", + "Identifier": { + "PURL": "pkg:golang/github.com/google/cel-go@v0.20.1", + "UID": "f3b5b49bdb8b491f" + }, + "Version": "v0.20.1", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + 
"DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/google/gnostic-models", + "Identifier": { + "PURL": "pkg:golang/github.com/google/gnostic-models@v0.6.8", + "UID": "d95909f6b58354cb" + }, + "Version": "v0.6.8", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/google/go-cmp", + "Identifier": { + "PURL": "pkg:golang/github.com/google/go-cmp@v0.6.0", + "UID": "2e5cab1030204de0" + }, + "Version": "v0.6.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/google/gofuzz", + "Identifier": { + "PURL": "pkg:golang/github.com/google/gofuzz@v1.2.0", + "UID": "d896ba6db5d686c3" + }, + "Version": "v1.2.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/google/uuid", + "Identifier": { + "PURL": "pkg:golang/github.com/google/uuid@v1.6.0", + "UID": "46c908fce3cfdda0" + }, + "Version": "v1.6.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/grpc-ecosystem/go-grpc-prometheus", + "Identifier": { + "PURL": "pkg:golang/github.com/grpc-ecosystem/go-grpc-prometheus@v1.2.0", + "UID": "702b4666026b12a9" + }, + "Version": "v1.2.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": 
"github.com/grpc-ecosystem/grpc-gateway/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/grpc-ecosystem/grpc-gateway/v2@v2.20.0", + "UID": "1e3ac047da7066d0" + }, + "Version": "v2.20.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/imdario/mergo", + "Identifier": { + "PURL": "pkg:golang/github.com/imdario/mergo@v0.3.6", + "UID": "d2cc5fb1ca78301a" + }, + "Version": "v0.3.6", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/josharian/intern", + "Identifier": { + "PURL": "pkg:golang/github.com/josharian/intern@v1.0.0", + "UID": "5f0ae6a90bfe2c61" + }, + "Version": "v1.0.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/json-iterator/go", + "Identifier": { + "PURL": "pkg:golang/github.com/json-iterator/go@v1.1.12", + "UID": "1e153d52a60c8309" + }, + "Version": "v1.1.12", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/mailru/easyjson", + "Identifier": { + "PURL": "pkg:golang/github.com/mailru/easyjson@v0.7.7", + "UID": "4b9b5e49f146574f" + }, + "Version": "v0.7.7", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/moby/sys/mountinfo", + "Identifier": { + "PURL": 
"pkg:golang/github.com/moby/sys/mountinfo@v0.7.1", + "UID": "f6520339aefa42a4" + }, + "Version": "v0.7.1", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/moby/term", + "Identifier": { + "PURL": "pkg:golang/github.com/moby/term@v0.5.0", + "UID": "4e17405fdec998c3" + }, + "Version": "v0.5.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/modern-go/concurrent", + "Identifier": { + "PURL": "pkg:golang/github.com/modern-go/concurrent@v0.0.0-20180306012644-bacd9c7ef1dd", + "UID": "116275c30944973b" + }, + "Version": "v0.0.0-20180306012644-bacd9c7ef1dd", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/modern-go/reflect2", + "Identifier": { + "PURL": "pkg:golang/github.com/modern-go/reflect2@v1.0.2", + "UID": "d890d8b1a6a1f300" + }, + "Version": "v1.0.2", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/munnerz/goautoneg", + "Identifier": { + "PURL": "pkg:golang/github.com/munnerz/goautoneg@v0.0.0-20191010083416-a7dc8b61c822", + "UID": "5203f6e197dfce36" + }, + "Version": "v0.0.0-20191010083416-a7dc8b61c822", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/opencontainers/go-digest", + "Identifier": { + "PURL": 
"pkg:golang/github.com/opencontainers/go-digest@v1.0.0", + "UID": "e3c7a5cb9d2b9b03" + }, + "Version": "v1.0.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/opencontainers/runc", + "Identifier": { + "PURL": "pkg:golang/github.com/opencontainers/runc@v1.1.13", + "UID": "1133d0af48e414f6" + }, + "Version": "v1.1.13", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/opencontainers/selinux", + "Identifier": { + "PURL": "pkg:golang/github.com/opencontainers/selinux@v1.11.0", + "UID": "3669d8c45a28efd2" + }, + "Version": "v1.11.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/pkg/errors", + "Identifier": { + "PURL": "pkg:golang/github.com/pkg/errors@v0.9.1", + "UID": "f16a4f218d4d84aa" + }, + "Version": "v0.9.1", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/prometheus/client_golang", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_golang@v1.19.1", + "UID": "108244425e90e7ad" + }, + "Version": "v1.19.1", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/prometheus/client_model", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_model@v0.6.1", + "UID": "107497bc80042cbb" + }, + 
"Version": "v0.6.1", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/prometheus/common", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/common@v0.55.0", + "UID": "3c29bcd0bab669c6" + }, + "Version": "v0.55.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/prometheus/procfs", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/procfs@v0.15.1", + "UID": "6ef7c536934ca455" + }, + "Version": "v0.15.1", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/spf13/cobra", + "Identifier": { + "PURL": "pkg:golang/github.com/spf13/cobra@v1.8.1", + "UID": "dab42a53fe228033" + }, + "Version": "v1.8.1", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/spf13/pflag", + "Identifier": { + "PURL": "pkg:golang/github.com/spf13/pflag@v1.0.5", + "UID": "f525f447a46afbd2" + }, + "Version": "v1.0.5", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/stoewer/go-strcase", + "Identifier": { + "PURL": "pkg:golang/github.com/stoewer/go-strcase@v1.2.0", + "UID": "51ff5845bc962024" + }, + "Version": "v1.2.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": 
"sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "github.com/x448/float16", + "Identifier": { + "PURL": "pkg:golang/github.com/x448/float16@v0.8.4", + "UID": "3c3637b34355c4cf" + }, + "Version": "v0.8.4", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "go.etcd.io/etcd/api/v3", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/etcd/api/v3@v3.5.14", + "UID": "1da4e98d248bc491" + }, + "Version": "v3.5.14", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "go.etcd.io/etcd/client/pkg/v3", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/etcd/client/pkg/v3@v3.5.14", + "UID": "e444c103b4cc6927" + }, + "Version": "v3.5.14", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "go.etcd.io/etcd/client/v3", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/etcd/client/v3@v3.5.14", + "UID": "70003725cf08f228" + }, + "Version": "v3.5.14", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.53.0", + "UID": "9fc2f38e1a3b9e0e" + }, + "Version": "v0.53.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": 
"sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.53.0", + "UID": "964775b5e57953ad" + }, + "Version": "v0.53.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "go.opentelemetry.io/otel", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel@v1.28.0", + "UID": "22945afa60a2ecde" + }, + "Version": "v1.28.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "go.opentelemetry.io/otel/exporters/otlp/otlptrace", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace@v1.28.0", + "UID": "d8d5b2ae409c94e8" + }, + "Version": "v1.28.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc@v1.27.0", + "UID": "b5fa0554a36fbd31" + }, + "Version": "v1.27.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "go.opentelemetry.io/otel/metric", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/metric@v1.28.0", + "UID": "89128f101848b703" + }, + "Version": "v1.28.0", + "Layer": { + "Digest": 
"sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "go.opentelemetry.io/otel/sdk", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/sdk@v1.28.0", + "UID": "65dd31542c820b92" + }, + "Version": "v1.28.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "go.opentelemetry.io/otel/trace", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/trace@v1.28.0", + "UID": "3e7da708df5b7812" + }, + "Version": "v1.28.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "go.opentelemetry.io/proto/otlp", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/proto/otlp@v1.3.1", + "UID": "9ef90e38dc56d0e5" + }, + "Version": "v1.3.1", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "go.uber.org/multierr", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/multierr@v1.11.0", + "UID": "c6f15e18f6fb23" + }, + "Version": "v1.11.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "go.uber.org/zap", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/zap@v1.26.0", + "UID": "dda663f89caa31bc" + }, + "Version": "v1.26.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": 
"sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "golang.org/x/crypto", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/crypto@v0.24.0", + "UID": "4dea75debcbb8f5f" + }, + "Version": "v0.24.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "golang.org/x/exp", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/exp@v0.0.0-20230515195305-f3d0a9c9a5cc", + "UID": "20193a402f306e84" + }, + "Version": "v0.0.0-20230515195305-f3d0a9c9a5cc", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "golang.org/x/net", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.26.0", + "UID": "713828a4d99bd13a" + }, + "Version": "v0.26.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "golang.org/x/oauth2", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/oauth2@v0.21.0", + "UID": "2b9337eb15c9addd" + }, + "Version": "v0.21.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "golang.org/x/sync", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/sync@v0.7.0", + "UID": "6eecb055f24e7192" + }, + "Version": "v0.7.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "golang.org/x/sys", + "Identifier": { + "PURL": 
"pkg:golang/golang.org/x/sys@v0.21.0", + "UID": "47362b893b8b3871" + }, + "Version": "v0.21.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "golang.org/x/term", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/term@v0.21.0", + "UID": "4ba1b53aecc02e3a" + }, + "Version": "v0.21.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "golang.org/x/text", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/text@v0.16.0", + "UID": "e95ce7b93c5f18a3" + }, + "Version": "v0.16.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "golang.org/x/time", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/time@v0.3.0", + "UID": "830359e7043b300e" + }, + "Version": "v0.3.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "google.golang.org/genproto/googleapis/api", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/genproto/googleapis/api@v0.0.0-20240528184218-531527333157", + "UID": "811117da77d793cc" + }, + "Version": "v0.0.0-20240528184218-531527333157", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "google.golang.org/genproto/googleapis/rpc", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/genproto/googleapis/rpc@v0.0.0-20240701130421-f6361c86f094", + "UID": 
"b900cd222700d0ff" + }, + "Version": "v0.0.0-20240701130421-f6361c86f094", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "google.golang.org/grpc", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/grpc@v1.65.0", + "UID": "9648362d1bd65b72" + }, + "Version": "v1.65.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "google.golang.org/protobuf", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/protobuf@v1.34.2", + "UID": "52dd0d54f9ec0e7b" + }, + "Version": "v1.34.2", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "gopkg.in/evanphx/json-patch.v4", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/evanphx/json-patch.v4@v4.12.0", + "UID": "c66baedcd2c3e51d" + }, + "Version": "v4.12.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "gopkg.in/inf.v0", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/inf.v0@v0.9.1", + "UID": "33905e84917f0f1d" + }, + "Version": "v0.9.1", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "gopkg.in/natefinch/lumberjack.v2", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/natefinch/lumberjack.v2@v2.2.1", + "UID": "ec0a8c024c974709" + }, + "Version": "v2.2.1", + "Layer": { + "Digest": 
"sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "gopkg.in/yaml.v2", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/yaml.v2@v2.4.0", + "UID": "f7099b4f7c9efcec" + }, + "Version": "v2.4.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "gopkg.in/yaml.v3", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/yaml.v3@v3.0.1", + "UID": "b9208d4cf1d9524c" + }, + "Version": "v3.0.1", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "k8s.io/api", + "Identifier": { + "PURL": "pkg:golang/k8s.io/api", + "UID": "30642b2816bfb567" + }, + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "k8s.io/apiextensions-apiserver", + "Identifier": { + "PURL": "pkg:golang/k8s.io/apiextensions-apiserver", + "UID": "393e085d0f5de252" + }, + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "k8s.io/apimachinery", + "Identifier": { + "PURL": "pkg:golang/k8s.io/apimachinery", + "UID": "b2248b2e95251296" + }, + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "k8s.io/apiserver", + "Identifier": { + "PURL": "pkg:golang/k8s.io/apiserver", + "UID": "f6b67a62d3ea0e99" + }, + "Layer": { + 
"Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "k8s.io/client-go", + "Identifier": { + "PURL": "pkg:golang/k8s.io/client-go", + "UID": "eca04e10be95c282" + }, + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "k8s.io/cloud-provider", + "Identifier": { + "PURL": "pkg:golang/k8s.io/cloud-provider", + "UID": "a41e1f835325d768" + }, + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "k8s.io/component-base", + "Identifier": { + "PURL": "pkg:golang/k8s.io/component-base", + "UID": "3655a1629ef35d4" + }, + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "k8s.io/component-helpers", + "Identifier": { + "PURL": "pkg:golang/k8s.io/component-helpers", + "UID": "214794655a8ebced" + }, + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "k8s.io/controller-manager", + "Identifier": { + "PURL": "pkg:golang/k8s.io/controller-manager", + "UID": "e6c8f26913613af0" + }, + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "k8s.io/csi-translation-lib", + "Identifier": { + "PURL": "pkg:golang/k8s.io/csi-translation-lib", + "UID": "4acdd369b5148df4" + }, + "Layer": { + 
"Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "k8s.io/dynamic-resource-allocation", + "Identifier": { + "PURL": "pkg:golang/k8s.io/dynamic-resource-allocation", + "UID": "fd3dfa06c083f401" + }, + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "k8s.io/klog/v2", + "Identifier": { + "PURL": "pkg:golang/k8s.io/klog/v2@v2.130.1", + "UID": "138ab661ffe026d0" + }, + "Version": "v2.130.1", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "k8s.io/kms", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kms", + "UID": "737d1a0e4b18f8b4" + }, + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "k8s.io/kube-openapi", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kube-openapi@v0.0.0-20240228011516-70dd3763d340", + "UID": "a532b88130376e8f" + }, + "Version": "v0.0.0-20240228011516-70dd3763d340", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "k8s.io/kube-scheduler", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kube-scheduler", + "UID": "5c2e6c506c9c07d7" + }, + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "k8s.io/kubelet", + "Identifier": { + 
"PURL": "pkg:golang/k8s.io/kubelet", + "UID": "b98f259f70e21e93" + }, + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "k8s.io/mount-utils", + "Identifier": { + "PURL": "pkg:golang/k8s.io/mount-utils", + "UID": "7cd18346c7e0d515" + }, + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "k8s.io/utils", + "Identifier": { + "PURL": "pkg:golang/k8s.io/utils@v0.0.0-20240711033017-18e509b52bc8", + "UID": "487ef8119b672cb0" + }, + "Version": "v0.0.0-20240711033017-18e509b52bc8", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "sigs.k8s.io/apiserver-network-proxy/konnectivity-client", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/apiserver-network-proxy/konnectivity-client@v0.30.3", + "UID": "ad5e515b4e5e46ac" + }, + "Version": "v0.30.3", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "sigs.k8s.io/json", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/json@v0.0.0-20221116044647-bc3834ca7abd", + "UID": "7b05412ad3299c3d" + }, + "Version": "v0.0.0-20221116044647-bc3834ca7abd", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "sigs.k8s.io/structured-merge-diff/v4", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/structured-merge-diff/v4@v4.4.1", + "UID": "e49e970390899a52" + }, 
+ "Version": "v4.4.1", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + }, + { + "Name": "sigs.k8s.io/yaml", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/yaml@v1.4.0", + "UID": "e870ee606cc0a5e5" + }, + "Version": "v1.4.0", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + } + } + ], + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2024-45310", + "PkgName": "github.com/opencontainers/runc", + "PkgIdentifier": { + "PURL": "pkg:golang/github.com/opencontainers/runc@v1.1.13", + "UID": "1133d0af48e414f6" + }, + "InstalledVersion": "v1.1.13", + "FixedVersion": "1.1.14, 1.2.0-rc.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:f550e27e8841905f851e32f4f748c1538d6898a97bfca869f5615cd1d794d24b", + "DiffID": "sha256:c23f607019cdb903dc43508224077f462eb938ecfb303c892fef0f8643bc1ed5" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-45310", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "runc: runc can be tricked into creating empty files/directories on host", + "Description": "runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. 
Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack's scope but the exact scope of protection hasn't been analysed. This is exploitable using runc directly as well as through Docker and Kubernetes. The issue is fixed in runc v1.1.14 and v1.2.0-rc3.\n\nSome workarounds are available. Using user namespaces restricts this attack fairly significantly such that the attacker can only create inodes in directories that the remapped root user/group has write access to. Unless the root user is remapped to an actual\nuser on the host (such as with rootless containers that don't use `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in world-writable directories. A strict enough SELinux or AppArmor policy could in principle also restrict the scope if a specific label is applied to the runc runtime, though neither the extent to which the standard existing policies block this attack nor what exact policies are needed to sufficiently restrict this attack have been thoroughly tested.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-363", + "CWE-61" + ], + "VendorSeverity": { + "amazon": 1, + "ghsa": 2, + "photon": 1, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", + "V3Score": 3.6 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", + "V3Score": 3.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-45310", + "https://github.com/opencontainers/runc", + "https://github.com/opencontainers/runc/commit/63c2908164f3a1daea455bf5bcd8d363d70328c7", + "https://github.com/opencontainers/runc/commit/8781993968fd964ac723ff5f360b6f259e809a3e", + 
"https://github.com/opencontainers/runc/commit/f0b652ea61ff6750a8fcc69865d45a7abf37accf", + "https://github.com/opencontainers/runc/pull/4359", + "https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv", + "https://nvd.nist.gov/vuln/detail/CVE-2024-45310", + "https://www.cve.org/CVERecord?id=CVE-2024-45310", + "https://www.openwall.com/lists/oss-security/2024/09/03/1" + ], + "PublishedDate": "2024-09-03T19:15:15.243Z", + "LastModifiedDate": "2024-09-03T19:40:46.783Z" + } + ] + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "DaemonSet", + "Name": "kindnet", + "Metadata": [ + { + "OS": { + "Family": "debian", + "Name": "12.5" + }, + "ImageID": "sha256:9ca7e41918271bb074bb20850743fd9455129b071204789f09fa2b7304d7fad5", + "DiffIDs": [ + "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f", + "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8", + "sha256:23165b4f173919d986b92e445fa79bc11227d8b5ecf1cef694f349cb0062ea96", + "sha256:ac9b64dc2b02b1ed84ef9fe7df52952399e39c61b08062069997dfc2dee009a2" + ], + "RepoTags": [ + "kindest/kindnetd:v20241023-a345ebe4" + ], + "RepoDigests": [ + "kindest/kindnetd@sha256:cddd34f7d74bf898f14080ed61e322a492689043dae46e93106c013373d68d16" + ], + "ImageConfig": { + "architecture": "amd64", + "created": "2024-10-23T16:45:22.296308331Z", + "history": [ + { + "created": "2024-06-06T13:32:42.602003644Z", + "created_by": "COPY / / # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2024-10-23T16:45:21.155448185Z", + "created_by": "COPY --chown=root:root ./go/src/kindnetd /bin/kindnetd # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2024-10-23T16:45:22.265473573Z", + "created_by": "COPY /_LICENSES/* /LICENSES/ # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2024-10-23T16:45:22.296308331Z", + "created_by": "COPY --chmod=0644 files/LICENSES/* /LICENSES/* # buildkit", + "comment": 
"buildkit.dockerfile.v0" + }, + { + "created": "2024-10-23T16:45:22.296308331Z", + "created_by": "CMD [\"/bin/kindnetd\"]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + } + ], + "os": "linux", + "rootfs": { + "type": "layers", + "diff_ids": [ + "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f", + "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8", + "sha256:23165b4f173919d986b92e445fa79bc11227d8b5ecf1cef694f349cb0062ea96", + "sha256:ac9b64dc2b02b1ed84ef9fe7df52952399e39c61b08062069997dfc2dee009a2" + ] + }, + "config": { + "Cmd": [ + "/bin/kindnetd" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ], + "WorkingDir": "/", + "ArgsEscaped": true + } + } + } + ], + "Results": [ + { + "Target": "docker.io/kindest/kindnetd:v20241023-a345ebe4 (debian 12.5)", + "Class": "os-pkgs", + "Type": "debian", + "Packages": [ + { + "ID": "base-files@12.4+deb12u5", + "Name": "base-files", + "Identifier": { + "PURL": "pkg:deb/debian/base-files@12.4%2Bdeb12u5?arch=amd64\u0026distro=debian-12.5", + "UID": "e80ec74ce792b7" + }, + "Version": "12.4+deb12u5", + "Arch": "amd64", + "SrcName": "base-files", + "SrcVersion": "12.4+deb12u5", + "Licenses": [ + "GPL-2.0-or-later" + ], + "Maintainer": "Santiago Vila \u003csanvila@debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "conntrack@1:1.4.7-1+b2", + "Name": "conntrack", + "Identifier": { + "PURL": "pkg:deb/debian/conntrack@1.4.7-1%2Bb2?arch=amd64\u0026distro=debian-12.5\u0026epoch=1", + "UID": "db91cde6364ad724" + }, + "Version": "1.4.7", + "Release": "1+b2", + "Epoch": 1, + "Arch": "amd64", + "SrcName": "conntrack-tools", + "SrcVersion": "1.4.7", + "SrcRelease": "1", + "SrcEpoch": 1, + "Licenses": [ + "GPL-2.0-or-later", + "GPL-2.0-only" + ], + "Maintainer": "Debian 
Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "coreutils@9.1-1", + "Name": "coreutils", + "Identifier": { + "PURL": "pkg:deb/debian/coreutils@9.1-1?arch=amd64\u0026distro=debian-12.5", + "UID": "bed513a0ab732758" + }, + "Version": "9.1", + "Release": "1", + "Arch": "amd64", + "SrcName": "coreutils", + "SrcVersion": "9.1", + "SrcRelease": "1", + "Licenses": [ + "GPL-3.0-or-later", + "BSD-4-Clause-UC", + "GPL-3.0-only", + "ISC", + "FSFULLR", + "GFDL-1.3-no-invariants-only", + "GFDL-1.3-only" + ], + "Maintainer": "Michael Stone \u003cmstone@debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "ebtables@2.0.11-5", + "Name": "ebtables", + "Identifier": { + "PURL": "pkg:deb/debian/ebtables@2.0.11-5?arch=amd64\u0026distro=debian-12.5", + "UID": "c8245b68726cf8ab" + }, + "Version": "2.0.11", + "Release": "5", + "Arch": "amd64", + "SrcName": "ebtables", + "SrcVersion": "2.0.11", + "SrcRelease": "5", + "Licenses": [ + "GPL-2.0-only" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "ipset@7.17-1", + "Name": "ipset", + "Identifier": { + "PURL": "pkg:deb/debian/ipset@7.17-1?arch=amd64\u0026distro=debian-12.5", + "UID": "8a87e0674caedf4a" + }, + "Version": "7.17", + "Release": "1", + "Arch": "amd64", + "SrcName": "ipset", + "SrcVersion": "7.17", + "SrcRelease": "1", + "Licenses": [ + "GPL-2.0-or-later", + 
"GPL-2.0-only", + "FSFULLR", + "LGPL-2.0-or-later", + "GPL-3.0-or-later", + "GPL-3+ with Autoconf-data exception", + "MIT", + "FSFAP", + "FSFUL", + "public-domain", + "LGPL-2.0-only", + "GPL-3.0-only" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "iptables@1.8.9-2", + "Name": "iptables", + "Identifier": { + "PURL": "pkg:deb/debian/iptables@1.8.9-2?arch=amd64\u0026distro=debian-12.5", + "UID": "60542952c5093316" + }, + "Version": "1.8.9", + "Release": "2", + "Arch": "amd64", + "SrcName": "iptables", + "SrcVersion": "1.8.9", + "SrcRelease": "2", + "Licenses": [ + "GPL-2.0-only", + "Artistic-2.0", + "GPL-2.0-or-later", + "custom" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "kmod@30+20221128-1", + "Name": "kmod", + "Identifier": { + "PURL": "pkg:deb/debian/kmod@30%2B20221128-1?arch=amd64\u0026distro=debian-12.5", + "UID": "f33d5cf3e82238aa" + }, + "Version": "30+20221128", + "Release": "1", + "Arch": "amd64", + "SrcName": "kmod", + "SrcVersion": "30+20221128", + "SrcRelease": "1", + "Licenses": [ + "LGPL-2.1-or-later", + "GPL-2.0-or-later", + "GPL-2.0-only", + "LGPL-2.1-only" + ], + "Maintainer": "Marco d'Itri \u003cmd@linux.it\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "libbsd0@0.11.7-2", + "Name": "libbsd0", + "Identifier": { + "PURL": 
"pkg:deb/debian/libbsd0@0.11.7-2?arch=amd64\u0026distro=debian-12.5", + "UID": "3cf1baecf93c3b76" + }, + "Version": "0.11.7", + "Release": "2", + "Arch": "amd64", + "SrcName": "libbsd", + "SrcVersion": "0.11.7", + "SrcRelease": "2", + "Licenses": [ + "BSD-3-Clause", + "BSD-4-clause-Niels-Provos", + "BSD-3-clause-Regents", + "BSD-2-Clause-NetBSD", + "BSD-3-clause-author", + "BSD-3-clause-John-Birrell", + "libutil-David-Nugent", + "BSD-2-Clause", + "BSD-2-clause-verbatim", + "BSD-2-clause-author", + "ISC", + "ISC-Original", + "MIT", + "public-domain", + "Beerware" + ], + "Maintainer": "Guillem Jover \u003cguillem@debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "libc6@2.36-9+deb12u7", + "Name": "libc6", + "Identifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u7?arch=amd64\u0026distro=debian-12.5", + "UID": "ad13c685eb74eb28" + }, + "Version": "2.36", + "Release": "9+deb12u7", + "Arch": "amd64", + "SrcName": "glibc", + "SrcVersion": "2.36", + "SrcRelease": "9+deb12u7", + "Licenses": [ + "LGPL-2.1-only", + "GPL-2.0-only" + ], + "Maintainer": "GNU Libc Maintainers \u003cdebian-glibc@lists.debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "libedit2@3.1-20221030-2", + "Name": "libedit2", + "Identifier": { + "PURL": "pkg:deb/debian/libedit2@3.1-20221030-2?arch=amd64\u0026distro=debian-12.5", + "UID": "43cd5327f81c53ca" + }, + "Version": "3.1-20221030", + "Release": "2", + "Arch": "amd64", + "SrcName": "libedit", + "SrcVersion": "3.1-20221030", + "SrcRelease": "2", + "Licenses": [ + "BSD-3-Clause" + ], + "Maintainer": "LLVM Packaging Team \u003cpkg-llvm-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": 
"sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "libgmp10@2:6.2.1+dfsg1-1.1", + "Name": "libgmp10", + "Identifier": { + "PURL": "pkg:deb/debian/libgmp10@6.2.1%2Bdfsg1-1.1?arch=amd64\u0026distro=debian-12.5\u0026epoch=2", + "UID": "13e222521d46613" + }, + "Version": "6.2.1+dfsg1", + "Release": "1.1", + "Epoch": 2, + "Arch": "amd64", + "SrcName": "gmp", + "SrcVersion": "6.2.1+dfsg1", + "SrcRelease": "1.1", + "SrcEpoch": 2, + "Licenses": [ + "GPL-2.0-or-later", + "LGPL-3.0-or-later", + "GPL-3.0-or-later", + "GPL-3+ with Bison exception", + "GPL-2.0-only", + "GPL-3.0-only", + "LGPL-3.0-only" + ], + "Maintainer": "Debian Science Team \u003cdebian-science-maintainers@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "libip4tc2@1.8.9-2", + "Name": "libip4tc2", + "Identifier": { + "PURL": "pkg:deb/debian/libip4tc2@1.8.9-2?arch=amd64\u0026distro=debian-12.5", + "UID": "707fdf2f66e18cc8" + }, + "Version": "1.8.9", + "Release": "2", + "Arch": "amd64", + "SrcName": "iptables", + "SrcVersion": "1.8.9", + "SrcRelease": "2", + "Licenses": [ + "GPL-2.0-only", + "Artistic-2.0", + "GPL-2.0-or-later", + "custom" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "libip6tc2@1.8.9-2", + "Name": "libip6tc2", + "Identifier": { + "PURL": "pkg:deb/debian/libip6tc2@1.8.9-2?arch=amd64\u0026distro=debian-12.5", + "UID": "b3d44a6e48a2933d" + }, + "Version": "1.8.9", + "Release": "2", + "Arch": "amd64", + "SrcName": 
"iptables", + "SrcVersion": "1.8.9", + "SrcRelease": "2", + "Licenses": [ + "GPL-2.0-only", + "Artistic-2.0", + "GPL-2.0-or-later", + "custom" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "libipset13@7.17-1", + "Name": "libipset13", + "Identifier": { + "PURL": "pkg:deb/debian/libipset13@7.17-1?arch=amd64\u0026distro=debian-12.5", + "UID": "fb18ba7aac268fe9" + }, + "Version": "7.17", + "Release": "1", + "Arch": "amd64", + "SrcName": "ipset", + "SrcVersion": "7.17", + "SrcRelease": "1", + "Licenses": [ + "GPL-2.0-or-later", + "GPL-2.0-only", + "FSFULLR", + "LGPL-2.0-or-later", + "GPL-3.0-or-later", + "GPL-3+ with Autoconf-data exception", + "MIT", + "FSFAP", + "FSFUL", + "public-domain", + "LGPL-2.0-only", + "GPL-3.0-only" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "libjansson4@2.14-2", + "Name": "libjansson4", + "Identifier": { + "PURL": "pkg:deb/debian/libjansson4@2.14-2?arch=amd64\u0026distro=debian-12.5", + "UID": "e4f002a8d030bc6c" + }, + "Version": "2.14", + "Release": "2", + "Arch": "amd64", + "SrcName": "jansson", + "SrcVersion": "2.14", + "SrcRelease": "2", + "Licenses": [ + "MIT" + ], + "Maintainer": "Alessandro Ghedini \u003cghedo@debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "libkmod2@30+20221128-1", + "Name": "libkmod2", + "Identifier": { + 
"PURL": "pkg:deb/debian/libkmod2@30%2B20221128-1?arch=amd64\u0026distro=debian-12.5", + "UID": "8d173a007099e61d" + }, + "Version": "30+20221128", + "Release": "1", + "Arch": "amd64", + "SrcName": "kmod", + "SrcVersion": "30+20221128", + "SrcRelease": "1", + "Licenses": [ + "LGPL-2.1-or-later", + "GPL-2.0-or-later", + "GPL-2.0-only", + "LGPL-2.1-only" + ], + "Maintainer": "Marco d'Itri \u003cmd@linux.it\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "libmd0@1.0.4-2", + "Name": "libmd0", + "Identifier": { + "PURL": "pkg:deb/debian/libmd0@1.0.4-2?arch=amd64\u0026distro=debian-12.5", + "UID": "64dbde3af8f03a21" + }, + "Version": "1.0.4", + "Release": "2", + "Arch": "amd64", + "SrcName": "libmd", + "SrcVersion": "1.0.4", + "SrcRelease": "2", + "Licenses": [ + "BSD-3-Clause", + "BSD-3-clause-Aaron-D-Gifford", + "BSD-2-Clause", + "BSD-2-Clause-NetBSD", + "ISC", + "Beerware", + "public-domain-md4", + "public-domain-md5", + "public-domain-sha1" + ], + "Maintainer": "Guillem Jover \u003cguillem@debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "libmnl0@1.0.4-3", + "Name": "libmnl0", + "Identifier": { + "PURL": "pkg:deb/debian/libmnl0@1.0.4-3?arch=amd64\u0026distro=debian-12.5", + "UID": "4467f1faa45bb5e4" + }, + "Version": "1.0.4", + "Release": "3", + "Arch": "amd64", + "SrcName": "libmnl", + "SrcVersion": "1.0.4", + "SrcRelease": "3", + "Licenses": [ + "LGPL-2.1-only", + "GPL-2.0-or-later", + "GPL-2.0-only" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": 
"sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "libnetfilter-conntrack3@1.0.9-3", + "Name": "libnetfilter-conntrack3", + "Identifier": { + "PURL": "pkg:deb/debian/libnetfilter-conntrack3@1.0.9-3?arch=amd64\u0026distro=debian-12.5", + "UID": "5a1c6bc047154238" + }, + "Version": "1.0.9", + "Release": "3", + "Arch": "amd64", + "SrcName": "libnetfilter-conntrack", + "SrcVersion": "1.0.9", + "SrcRelease": "3", + "Licenses": [ + "GPL-2.0-or-later", + "GPL-2.0-only" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "libnfnetlink0@1.0.2-2", + "Name": "libnfnetlink0", + "Identifier": { + "PURL": "pkg:deb/debian/libnfnetlink0@1.0.2-2?arch=amd64\u0026distro=debian-12.5", + "UID": "5b78c7b6a5249ed5" + }, + "Version": "1.0.2", + "Release": "2", + "Arch": "amd64", + "SrcName": "libnfnetlink", + "SrcVersion": "1.0.2", + "SrcRelease": "2", + "Licenses": [ + "GPL-2.0-or-later", + "GPL-2.0-only" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "libnftables1@1.0.6-2+deb12u2", + "Name": "libnftables1", + "Identifier": { + "PURL": "pkg:deb/debian/libnftables1@1.0.6-2%2Bdeb12u2?arch=amd64\u0026distro=debian-12.5", + "UID": "4bf04dc5e99159ff" + }, + "Version": "1.0.6", + "Release": "2+deb12u2", + "Arch": "amd64", + "SrcName": "nftables", + "SrcVersion": "1.0.6", + "SrcRelease": "2+deb12u2", + "Licenses": [ + "GPL-2.0-only", + "GPL-2.0-or-later", + "CC-BY-SA-4.0" + ], + "Maintainer": "Debian Netfilter Packaging 
Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "libnftnl11@1.2.4-2", + "Name": "libnftnl11", + "Identifier": { + "PURL": "pkg:deb/debian/libnftnl11@1.2.4-2?arch=amd64\u0026distro=debian-12.5", + "UID": "af7a16a821fcd6df" + }, + "Version": "1.2.4", + "Release": "2", + "Arch": "amd64", + "SrcName": "libnftnl", + "SrcVersion": "1.2.4", + "SrcRelease": "2", + "Licenses": [ + "GPL-2.0-or-later", + "GPL-2.0-only" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "libpcre2-8-0@10.42-1", + "Name": "libpcre2-8-0", + "Identifier": { + "PURL": "pkg:deb/debian/libpcre2-8-0@10.42-1?arch=amd64\u0026distro=debian-12.5", + "UID": "c4ab7ab802fd12cd" + }, + "Version": "10.42", + "Release": "1", + "Arch": "amd64", + "SrcName": "pcre2", + "SrcVersion": "10.42", + "SrcRelease": "1", + "Licenses": [ + "BSD-3-clause-Cambridge with BINARY LIBRARY-LIKE PACKAGES exception", + "BSD-3-Clause", + "X11", + "BSD-2-Clause", + "public-domain" + ], + "Maintainer": "Matthew Vernon \u003cmatthew@debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "libssl3@3.0.11-1~deb12u2", + "Name": "libssl3", + "Identifier": { + "PURL": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5", + "UID": "ede1d6b1af8a227f" + }, + "Version": "3.0.11", + "Release": "1~deb12u2", + "Arch": "amd64", + "SrcName": "openssl", + "SrcVersion": "3.0.11", + 
"SrcRelease": "1~deb12u2", + "Licenses": [ + "Apache-2.0", + "Artistic-2.0", + "GPL-1.0-or-later", + "GPL-1.0-only" + ], + "Maintainer": "Debian OpenSSL Team \u003cpkg-openssl-devel@alioth-lists.debian.net\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "libxtables12@1.8.9-2", + "Name": "libxtables12", + "Identifier": { + "PURL": "pkg:deb/debian/libxtables12@1.8.9-2?arch=amd64\u0026distro=debian-12.5", + "UID": "f97bafbffe5aa1a9" + }, + "Version": "1.8.9", + "Release": "2", + "Arch": "amd64", + "SrcName": "iptables", + "SrcVersion": "1.8.9", + "SrcRelease": "2", + "Licenses": [ + "GPL-2.0-only", + "Artistic-2.0", + "GPL-2.0-or-later", + "custom" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "libzstd1@1.5.4+dfsg2-5", + "Name": "libzstd1", + "Identifier": { + "PURL": "pkg:deb/debian/libzstd1@1.5.4%2Bdfsg2-5?arch=amd64\u0026distro=debian-12.5", + "UID": "6cdb102794e79bc1" + }, + "Version": "1.5.4+dfsg2", + "Release": "5", + "Arch": "amd64", + "SrcName": "libzstd", + "SrcVersion": "1.5.4+dfsg2", + "SrcRelease": "5", + "Licenses": [ + "BSD-3-Clause", + "GPL-2.0-only", + "Zlib", + "MIT" + ], + "Maintainer": "RPM packaging team \u003cteam+pkg-rpm@tracker.debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "netbase@6.4", + "Name": "netbase", + "Identifier": { + "PURL": "pkg:deb/debian/netbase@6.4?arch=all\u0026distro=debian-12.5", + "UID": "4f7e568d50cdb727" + }, + 
"Version": "6.4", + "Arch": "all", + "SrcName": "netbase", + "SrcVersion": "6.4", + "Licenses": [ + "GPL-2.0-only" + ], + "Maintainer": "Marco d'Itri \u003cmd@linux.it\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "nftables@1.0.6-2+deb12u2", + "Name": "nftables", + "Identifier": { + "PURL": "pkg:deb/debian/nftables@1.0.6-2%2Bdeb12u2?arch=amd64\u0026distro=debian-12.5", + "UID": "2974f0aebd8fb743" + }, + "Version": "1.0.6", + "Release": "2+deb12u2", + "Arch": "amd64", + "SrcName": "nftables", + "SrcVersion": "1.0.6", + "SrcRelease": "2+deb12u2", + "Licenses": [ + "GPL-2.0-only", + "GPL-2.0-or-later", + "CC-BY-SA-4.0" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "ID": "tzdata@2024a-0+deb12u1", + "Name": "tzdata", + "Identifier": { + "PURL": "pkg:deb/debian/tzdata@2024a-0%2Bdeb12u1?arch=all\u0026distro=debian-12.5", + "UID": "b88ec8ecf4963fd2" + }, + "Version": "2024a", + "Release": "0+deb12u1", + "Arch": "all", + "SrcName": "tzdata", + "SrcVersion": "2024a", + "SrcRelease": "0+deb12u1", + "Licenses": [ + "public-domain" + ], + "Maintainer": "GNU Libc Maintainers \u003cdebian-glibc@lists.debian.org\u003e", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + } + ], + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2016-2781", + "PkgID": "coreutils@9.1-1", + "PkgName": "coreutils", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/coreutils@9.1-1?arch=amd64\u0026distro=debian-12.5", + "UID": 
"bed513a0ab732758" + }, + "InstalledVersion": "9.1-1", + "Status": "will_not_fix", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-2781", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "coreutils: Non-privileged session can escape to the parent session in chroot", + "Description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "Severity": "LOW", + "CweIDs": [ + "CWE-20" + ], + "VendorSeverity": { + "azure": 2, + "cbl-mariner": 2, + "debian": 1, + "nvd": 2, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", + "V2Score": 2.1, + "V3Score": 6.5 + }, + "redhat": { + "V2Vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C", + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "V2Score": 6.2, + "V3Score": 8.6 + } + }, + "References": [ + "http://seclists.org/oss-sec/2016/q1/452", + "http://www.openwall.com/lists/oss-security/2016/02/28/2", + "http://www.openwall.com/lists/oss-security/2016/02/28/3", + "https://access.redhat.com/security/cve/CVE-2016-2781", + "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E", + "https://lore.kernel.org/patchwork/patch/793178/", + "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.28/v2.28-ReleaseNotes", + "https://nvd.nist.gov/vuln/detail/CVE-2016-2781", + "https://www.cve.org/CVERecord?id=CVE-2016-2781" + ], + "PublishedDate": "2017-02-07T15:59:00.333Z", + 
"LastModifiedDate": "2023-11-07T02:32:03.347Z" + }, + { + "VulnerabilityID": "CVE-2017-18018", + "PkgID": "coreutils@9.1-1", + "PkgName": "coreutils", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/coreutils@9.1-1?arch=amd64\u0026distro=debian-12.5", + "UID": "bed513a0ab732758" + }, + "InstalledVersion": "9.1-1", + "Status": "affected", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-18018", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "coreutils: race condition vulnerability in chown and chgrp", + "Description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", + "Severity": "LOW", + "CweIDs": [ + "CWE-362" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 1.9, + "V3Score": 4.7 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 4.2 + } + }, + "References": [ + "http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html", + "https://access.redhat.com/security/cve/CVE-2017-18018", + "https://nvd.nist.gov/vuln/detail/CVE-2017-18018", + "https://www.cve.org/CVERecord?id=CVE-2017-18018" + ], + "PublishedDate": "2018-01-04T04:29:00.19Z", + "LastModifiedDate": "2018-01-19T15:46:46.05Z" + }, + { + "VulnerabilityID": "CVE-2012-2663", + "PkgID": "iptables@1.8.9-2", + "PkgName": "iptables", + "PkgIdentifier": 
{ + "PURL": "pkg:deb/debian/iptables@1.8.9-2?arch=amd64\u0026distro=debian-12.5", + "UID": "60542952c5093316" + }, + "InstalledVersion": "1.8.9-2", + "Status": "affected", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2012-2663", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "iptables: --syn flag bypass", + "Description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V2Score": 7.5 + }, + "redhat": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P", + "V2Score": 6.4 + } + }, + "References": [ + "http://www.spinics.net/lists/netfilter-devel/msg21248.html", + "https://access.redhat.com/security/cve/CVE-2012-2663", + "https://bugzilla.redhat.com/show_bug.cgi?id=826702", + "https://nvd.nist.gov/vuln/detail/CVE-2012-2663", + "https://www.cve.org/CVERecord?id=CVE-2012-2663" + ], + "PublishedDate": "2014-02-15T14:57:07.423Z", + "LastModifiedDate": "2023-11-07T02:10:39.77Z" + }, + { + "VulnerabilityID": "CVE-2010-4756", + "PkgID": "libc6@2.36-9+deb12u7", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u7?arch=amd64\u0026distro=debian-12.5", + "UID": "ad13c685eb74eb28" + }, + "InstalledVersion": "2.36-9+deb12u7", + "Status": "affected", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + 
"DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2010-4756", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", + "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", + "Severity": "LOW", + "CweIDs": [ + "CWE-399" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P", + "V2Score": 4 + }, + "redhat": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V2Score": 5 + } + }, + "References": [ + "http://cxib.net/stuff/glob-0day.c", + "http://securityreason.com/achievement_securityalert/89", + "http://securityreason.com/exploitalert/9223", + "https://access.redhat.com/security/cve/CVE-2010-4756", + "https://bugzilla.redhat.com/show_bug.cgi?id=681681", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756", + "https://nvd.nist.gov/vuln/detail/CVE-2010-4756", + "https://www.cve.org/CVERecord?id=CVE-2010-4756" + ], + "PublishedDate": "2011-03-02T20:00:01.037Z", + "LastModifiedDate": "2021-09-01T12:15:07.193Z" + }, + { + "VulnerabilityID": "CVE-2018-20796", + "PkgID": "libc6@2.36-9+deb12u7", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u7?arch=amd64\u0026distro=debian-12.5", + "UID": "ad13c685eb74eb28" + }, + "InstalledVersion": "2.36-9+deb12u7", + "Status": "affected", + "Layer": { + "Digest": 
"sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-20796", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", + "Severity": "LOW", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "http://www.securityfocus.com/bid/107160", + "https://access.redhat.com/security/cve/CVE-2018-20796", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141", + "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html", + "https://nvd.nist.gov/vuln/detail/CVE-2018-20796", + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://www.cve.org/CVERecord?id=CVE-2018-20796" + ], + "PublishedDate": "2019-02-26T02:29:00.45Z", + "LastModifiedDate": "2023-11-07T02:56:20.983Z" + }, + { + "VulnerabilityID": "CVE-2019-1010022", + "PkgID": "libc6@2.36-9+deb12u7", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u7?arch=amd64\u0026distro=debian-12.5", + "UID": "ad13c685eb74eb28" + 
}, + "InstalledVersion": "2.36-9+deb12u7", + "Status": "affected", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010022", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: stack guard protection bypass", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", + "Severity": "LOW", + "CweIDs": [ + "CWE-119" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 4 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-1010022", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010022", + "https://security-tracker.debian.org/tracker/CVE-2019-1010022", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22850", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3", + "https://ubuntu.com/security/CVE-2019-1010022", + "https://www.cve.org/CVERecord?id=CVE-2019-1010022" + ], + "PublishedDate": "2019-07-15T04:15:13.317Z", + "LastModifiedDate": "2024-08-05T03:15:25.083Z" + }, + { + "VulnerabilityID": "CVE-2019-1010023", + "PkgID": "libc6@2.36-9+deb12u7", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u7?arch=amd64\u0026distro=debian-12.5", + "UID": "ad13c685eb74eb28" + }, + 
"InstalledVersion": "2.36-9+deb12u7", + "Status": "affected", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010023", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", + "Description": "GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V2Score": 6.8, + "V3Score": 8.8 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + } + }, + "References": [ + "http://www.securityfocus.com/bid/109167", + "https://access.redhat.com/security/cve/CVE-2019-1010023", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010023", + "https://security-tracker.debian.org/tracker/CVE-2019-1010023", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22851", + "https://support.f5.com/csp/article/K11932200?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://ubuntu.com/security/CVE-2019-1010023", + "https://www.cve.org/CVERecord?id=CVE-2019-1010023" + ], + "PublishedDate": "2019-07-15T04:15:13.397Z", + "LastModifiedDate": "2024-08-05T03:15:25.183Z" + }, + { + 
"VulnerabilityID": "CVE-2019-1010024", + "PkgID": "libc6@2.36-9+deb12u7", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u7?arch=amd64\u0026distro=debian-12.5", + "UID": "ad13c685eb74eb28" + }, + "InstalledVersion": "2.36-9+deb12u7", + "Status": "affected", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010024", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: ASLR bypass using cache of thread stack and heap", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", + "Severity": "LOW", + "CweIDs": [ + "CWE-200" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "http://www.securityfocus.com/bid/109162", + "https://access.redhat.com/security/cve/CVE-2019-1010024", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010024", + "https://security-tracker.debian.org/tracker/CVE-2019-1010024", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22852", + "https://support.f5.com/csp/article/K06046097", + "https://support.f5.com/csp/article/K06046097?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://ubuntu.com/security/CVE-2019-1010024", + 
"https://www.cve.org/CVERecord?id=CVE-2019-1010024" + ], + "PublishedDate": "2019-07-15T04:15:13.473Z", + "LastModifiedDate": "2024-08-05T03:15:25.26Z" + }, + { + "VulnerabilityID": "CVE-2019-1010025", + "PkgID": "libc6@2.36-9+deb12u7", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u7?arch=amd64\u0026distro=debian-12.5", + "UID": "ad13c685eb74eb28" + }, + "InstalledVersion": "2.36-9+deb12u7", + "Status": "affected", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010025", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: information disclosure of heap addresses of pthread_created thread", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. 
NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.", + "Severity": "LOW", + "CweIDs": [ + "CWE-330" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 2.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-1010025", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010025", + "https://security-tracker.debian.org/tracker/CVE-2019-1010025", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22853", + "https://support.f5.com/csp/article/K06046097", + "https://support.f5.com/csp/article/K06046097?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://ubuntu.com/security/CVE-2019-1010025", + "https://www.cve.org/CVERecord?id=CVE-2019-1010025" + ], + "PublishedDate": "2019-07-15T04:15:13.537Z", + "LastModifiedDate": "2024-08-05T03:15:25.333Z" + }, + { + "VulnerabilityID": "CVE-2019-9192", + "PkgID": "libc6@2.36-9+deb12u7", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u7?arch=amd64\u0026distro=debian-12.5", + "UID": "ad13c685eb74eb28" + }, + "InstalledVersion": "2.36-9+deb12u7", + "Status": "affected", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-9192", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, 
check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern", + "Severity": "LOW", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "debian": 1, + "nvd": 3, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", + "V3Score": 2.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-9192", + "https://nvd.nist.gov/vuln/detail/CVE-2019-9192", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24269", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://www.cve.org/CVERecord?id=CVE-2019-9192" + ], + "PublishedDate": "2019-02-26T18:29:00.34Z", + "LastModifiedDate": "2024-08-04T22:15:34.74Z" + }, + { + "VulnerabilityID": "CVE-2012-2663", + "PkgID": "libip4tc2@1.8.9-2", + "PkgName": "libip4tc2", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libip4tc2@1.8.9-2?arch=amd64\u0026distro=debian-12.5", + "UID": "707fdf2f66e18cc8" + }, + "InstalledVersion": "1.8.9-2", + "Status": "affected", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2012-2663", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "iptables: --syn flag bypass", + "Description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN 
packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V2Score": 7.5 + }, + "redhat": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P", + "V2Score": 6.4 + } + }, + "References": [ + "http://www.spinics.net/lists/netfilter-devel/msg21248.html", + "https://access.redhat.com/security/cve/CVE-2012-2663", + "https://bugzilla.redhat.com/show_bug.cgi?id=826702", + "https://nvd.nist.gov/vuln/detail/CVE-2012-2663", + "https://www.cve.org/CVERecord?id=CVE-2012-2663" + ], + "PublishedDate": "2014-02-15T14:57:07.423Z", + "LastModifiedDate": "2023-11-07T02:10:39.77Z" + }, + { + "VulnerabilityID": "CVE-2012-2663", + "PkgID": "libip6tc2@1.8.9-2", + "PkgName": "libip6tc2", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libip6tc2@1.8.9-2?arch=amd64\u0026distro=debian-12.5", + "UID": "b3d44a6e48a2933d" + }, + "InstalledVersion": "1.8.9-2", + "Status": "affected", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2012-2663", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "iptables: --syn flag bypass", + "Description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. 
NOTE: the CVE-2012-6638 fix makes this issue less relevant.", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V2Score": 7.5 + }, + "redhat": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P", + "V2Score": 6.4 + } + }, + "References": [ + "http://www.spinics.net/lists/netfilter-devel/msg21248.html", + "https://access.redhat.com/security/cve/CVE-2012-2663", + "https://bugzilla.redhat.com/show_bug.cgi?id=826702", + "https://nvd.nist.gov/vuln/detail/CVE-2012-2663", + "https://www.cve.org/CVERecord?id=CVE-2012-2663" + ], + "PublishedDate": "2014-02-15T14:57:07.423Z", + "LastModifiedDate": "2023-11-07T02:10:39.77Z" + }, + { + "VulnerabilityID": "CVE-2020-36325", + "PkgID": "libjansson4@2.14-2", + "PkgName": "libjansson4", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libjansson4@2.14-2?arch=amd64\u0026distro=debian-12.5", + "UID": "e4f002a8d030bc6c" + }, + "InstalledVersion": "2.14-2", + "Status": "affected", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-36325", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "jansson: out-of-bounds read in json_loads() due to a parsing error", + "Description": "An issue was discovered in Jansson through 2.13.1. Due to a parsing error in json_loads, there's an out-of-bounds read-access bug. 
NOTE: the vendor reports that this only occurs when a programmer fails to follow the API specification", + "Severity": "LOW", + "CweIDs": [ + "CWE-125" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-36325", + "https://github.com/akheron/jansson/issues/548", + "https://nvd.nist.gov/vuln/detail/CVE-2020-36325", + "https://www.cve.org/CVERecord?id=CVE-2020-36325" + ], + "PublishedDate": "2021-04-26T18:15:07.493Z", + "LastModifiedDate": "2024-08-04T18:15:43.647Z" + }, + { + "VulnerabilityID": "CVE-2023-5678", + "PkgID": "libssl3@3.0.11-1~deb12u2", + "PkgName": "libssl3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5", + "UID": "ede1d6b1af8a227f" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "FixedVersion": "3.0.13-1~deb12u1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-5678", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow", + "Description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() 
to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. 
The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-754", + "CWE-606" + ], + "VendorSeverity": { + "alma": 1, + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "nvd": 2, + "oracle-oval": 1, + "photon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:2447", + "https://access.redhat.com/security/cve/CVE-2023-5678", + "https://bugzilla.redhat.com/2223016", + "https://bugzilla.redhat.com/2224962", + "https://bugzilla.redhat.com/2227852", + "https://bugzilla.redhat.com/2248616", + "https://bugzilla.redhat.com/2257571", + "https://bugzilla.redhat.com/2258502", + "https://bugzilla.redhat.com/2259944", + "https://errata.almalinux.org/9/ALSA-2024-2447.html", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", + "https://linux.oracle.com/cve/CVE-2023-5678.html", + "https://linux.oracle.com/errata/ELSA-2024-2447.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-5678", + "https://ubuntu.com/security/notices/USN-6622-1", + 
"https://ubuntu.com/security/notices/USN-6632-1", + "https://ubuntu.com/security/notices/USN-6709-1", + "https://www.cve.org/CVERecord?id=CVE-2023-5678", + "https://www.openssl.org/news/secadv/20231106.txt" + ], + "PublishedDate": "2023-11-06T16:15:42.67Z", + "LastModifiedDate": "2024-10-14T15:15:12.603Z" + }, + { + "VulnerabilityID": "CVE-2023-6129", + "PkgID": "libssl3@3.0.11-1~deb12u2", + "PkgName": "libssl3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5", + "UID": "ede1d6b1af8a227f" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "FixedVersion": "3.0.13-1~deb12u1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-6129", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: POLY1305 MAC implementation corrupts vector registers on PowerPC", + "Description": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. 
The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. 
However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-787", + "CWE-440" + ], + "VendorSeverity": { + "alma": 2, + "azure": 2, + "cbl-mariner": 2, + "nvd": 2, + "oracle-oval": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9088", + "https://access.redhat.com/security/cve/CVE-2023-6129", + "https://bugzilla.redhat.com/2257571", + "https://bugzilla.redhat.com/2258502", + "https://bugzilla.redhat.com/2259944", + "https://bugzilla.redhat.com/2284243", + "https://errata.almalinux.org/9/ALSA-2024-9088.html", + "https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35", + "https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04", + "https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015", + "https://linux.oracle.com/cve/CVE-2023-6129.html", + "https://linux.oracle.com/errata/ELSA-2024-9088.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-6129", + "https://ubuntu.com/security/notices/USN-6622-1", + "https://www.cve.org/CVERecord?id=CVE-2023-6129", + "https://www.openssl.org/news/secadv/20240109.txt", + "https://www.openwall.com/lists/oss-security/2024/01/09/1" + ], + "PublishedDate": "2024-01-09T17:15:12.147Z", + "LastModifiedDate": "2024-10-14T15:15:12.8Z" + }, + { + "VulnerabilityID": "CVE-2023-6237", + "PkgID": "libssl3@3.0.11-1~deb12u2", + "PkgName": "libssl3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5", + "UID": "ede1d6b1af8a227f" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "FixedVersion": "3.0.13-1~deb12u1", 
+ "Status": "fixed", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-6237", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: Excessive time spent checking invalid RSA public keys", + "Description": "Issue summary: Checking excessively long invalid RSA public keys may take\na long time.\n\nImpact summary: Applications that use the function EVP_PKEY_public_check()\nto check RSA public keys may experience long delays. Where the key that\nis being checked has been obtained from an untrusted source this may lead\nto a Denial of Service.\n\nWhen function EVP_PKEY_public_check() is called on RSA public keys,\na computation is done to confirm that the RSA modulus, n, is composite.\nFor valid RSA keys, n is a product of two or more large primes and this\ncomputation completes quickly. However, if n is an overly large prime,\nthen this computation would take a long time.\n\nAn application that calls EVP_PKEY_public_check() and supplies an RSA key\nobtained from an untrusted source could be vulnerable to a Denial of Service\nattack.\n\nThe function EVP_PKEY_public_check() is not called from other OpenSSL\nfunctions however it is called from the OpenSSL pkey command line\napplication. 
For that reason that application is also vulnerable if used\nwith the '-pubin' and '-check' options on untrusted data.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-606" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "oracle-oval": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9088", + "https://access.redhat.com/security/cve/CVE-2023-6237", + "https://bugzilla.redhat.com/2257571", + "https://bugzilla.redhat.com/2258502", + "https://bugzilla.redhat.com/2259944", + "https://bugzilla.redhat.com/2284243", + "https://errata.almalinux.org/9/ALSA-2024-9088.html", + "https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d", + "https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a", + "https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294", + "https://linux.oracle.com/cve/CVE-2023-6237.html", + "https://linux.oracle.com/errata/ELSA-2024-9088.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-6237", + "https://ubuntu.com/security/notices/USN-6622-1", + "https://www.cve.org/CVERecord?id=CVE-2023-6237", + "https://www.openssl.org/news/secadv/20240115.txt", + "https://www.openwall.com/lists/oss-security/2024/01/15/2" + ], + "PublishedDate": "2024-04-25T07:15:45.27Z", + "LastModifiedDate": "2024-11-01T15:35:06.92Z" + }, + { + "VulnerabilityID": "CVE-2024-0727", + "PkgID": "libssl3@3.0.11-1~deb12u2", + "PkgName": "libssl3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5", + "UID": "ede1d6b1af8a227f" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "FixedVersion": "3.0.13-1~deb12u1", + 
"Status": "fixed", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-0727", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: denial of service via null dereference", + "Description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-476" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 2, + "photon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/03/11/1", + "https://access.redhat.com/errata/RHSA-2024:9088", + "https://access.redhat.com/security/cve/CVE-2024-0727", + "https://bugzilla.redhat.com/2257571", + "https://bugzilla.redhat.com/2258502", + "https://bugzilla.redhat.com/2259944", + "https://bugzilla.redhat.com/2284243", + "https://errata.almalinux.org/9/ALSA-2024-9088.html", + "https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2", + "https://github.com/github/advisory-database/pull/3472", + "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", + "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", + "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", + "https://github.com/openssl/openssl/pull/23362", + "https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d", + "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", + "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", + "https://linux.oracle.com/cve/CVE-2024-0727.html", + 
"https://linux.oracle.com/errata/ELSA-2024-9088.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-0727", + "https://security.netapp.com/advisory/ntap-20240208-0006", + "https://ubuntu.com/security/notices/USN-6622-1", + "https://ubuntu.com/security/notices/USN-6632-1", + "https://ubuntu.com/security/notices/USN-6709-1", + "https://ubuntu.com/security/notices/USN-7018-1", + "https://www.cve.org/CVERecord?id=CVE-2024-0727", + "https://www.openssl.org/news/secadv/20240125.txt" + ], + "PublishedDate": "2024-01-26T09:15:07.637Z", + "LastModifiedDate": "2024-10-14T15:15:13.1Z" + }, + { + "VulnerabilityID": "CVE-2024-4603", + "PkgID": "libssl3@3.0.11-1~deb12u2", + "PkgName": "libssl3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5", + "UID": "ede1d6b1af8a227f" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "FixedVersion": "3.0.14-1~deb12u1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-4603", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: Excessive time spent checking DSA keys and parameters", + "Description": "Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. 
Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-606", + "CWE-834" + ], + "VendorSeverity": { + "alma": 1, + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "oracle-oval": 1, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9333", + "https://access.redhat.com/security/cve/CVE-2024-4603", + "https://bugzilla.redhat.com/2274020", + "https://bugzilla.redhat.com/2281029", + "https://bugzilla.redhat.com/2283757", + "https://bugzilla.redhat.com/2294581", + "https://errata.almalinux.org/9/ALSA-2024-9333.html", + "https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397", + "https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e", + "https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d", + "https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740", + 
"https://linux.oracle.com/cve/CVE-2024-4603.html", + "https://linux.oracle.com/errata/ELSA-2024-9333.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4603", + "https://ubuntu.com/security/notices/USN-6937-1", + "https://www.cve.org/CVERecord?id=CVE-2024-4603", + "https://www.openssl.org/news/secadv/20240516.txt" + ], + "PublishedDate": "2024-05-16T16:15:10.643Z", + "LastModifiedDate": "2024-10-14T15:15:14.21Z" + }, + { + "VulnerabilityID": "CVE-2024-4741", + "PkgID": "libssl3@3.0.11-1~deb12u2", + "PkgName": "libssl3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5", + "UID": "ede1d6b1af8a227f" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "FixedVersion": "3.0.14-1~deb12u1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-4741", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: Use After Free with SSL_free_buffers", + "Description": "Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause\nmemory to be accessed that was previously freed in some situations\n\nImpact summary: A use after free can have a range of potential consequences such\nas the corruption of valid data, crashes or execution of arbitrary code.\nHowever, only applications that directly call the SSL_free_buffers function are\naffected by this issue. Applications that do not call this function are not\nvulnerable. Our investigations indicate that this function is rarely used by\napplications.\n\nThe SSL_free_buffers function is used to free the internal OpenSSL buffer used\nwhen processing an incoming record from the network. 
The call is only expected\nto succeed if the buffer is not currently in use. However, two scenarios have\nbeen identified where the buffer is freed even when still in use.\n\nThe first scenario occurs where a record header has been received from the\nnetwork and processed by OpenSSL, but the full record body has not yet arrived.\nIn this case calling SSL_free_buffers will succeed even though a record has only\nbeen partially processed and the buffer is still in use.\n\nThe second scenario occurs where a full record containing application data has\nbeen received and processed by OpenSSL but the application has only read part of\nthis data. Again a call to SSL_free_buffers will succeed even though the buffer\nis still in use.\n\nWhile these scenarios could occur accidentally during normal operation a\nmalicious attacker could attempt to engineer a stituation where this occurs.\nWe are not aware of this issue being actively exploited.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "alma": 1, + "amazon": 2, + "cbl-mariner": 3, + "oracle-oval": 1, + "photon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5.6 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9333", + "https://access.redhat.com/security/cve/CVE-2024-4741", + "https://bugzilla.redhat.com/2274020", + "https://bugzilla.redhat.com/2281029", + "https://bugzilla.redhat.com/2283757", + "https://bugzilla.redhat.com/2294581", + "https://errata.almalinux.org/9/ALSA-2024-9333.html", + "https://github.com/openssl/openssl/commit/704f725b96aa373ee45ecfb23f6abfe8be8d9177", + "https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d", + "https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac", + 
"https://github.com/openssl/openssl/commit/e5093133c35ca82874ad83697af76f4b0f7e3bd8", + "https://github.openssl.org/openssl/extended-releases/commit/f7a045f3143fc6da2ee66bf52d8df04829590dd4", + "https://linux.oracle.com/cve/CVE-2024-4741.html", + "https://linux.oracle.com/errata/ELSA-2024-9333.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4741", + "https://ubuntu.com/security/notices/USN-6937-1", + "https://www.cve.org/CVERecord?id=CVE-2024-4741", + "https://www.openssl.org/news/secadv/20240528.txt" + ], + "PublishedDate": "2024-11-13T11:15:04.48Z", + "LastModifiedDate": "2024-11-13T17:01:16.85Z" + }, + { + "VulnerabilityID": "CVE-2024-5535", + "PkgID": "libssl3@3.0.11-1~deb12u2", + "PkgName": "libssl3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5", + "UID": "ede1d6b1af8a227f" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "FixedVersion": "3.0.15-1~deb12u1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-5535", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: SSL_select_next_proto buffer overread", + "Description": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. 
However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. 
If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. 
The fix will be included in the next releases when they\nbecome available.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-200" + ], + "VendorSeverity": { + "alma": 1, + "amazon": 2, + "azure": 4, + "cbl-mariner": 4, + "oracle-oval": 1, + "photon": 4, + "redhat": 1, + "rocky": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/06/27/1", + "http://www.openwall.com/lists/oss-security/2024/06/28/4", + "https://access.redhat.com/errata/RHSA-2024:9333", + "https://access.redhat.com/security/cve/CVE-2024-5535", + "https://bugzilla.redhat.com/2274020", + "https://bugzilla.redhat.com/2281029", + "https://bugzilla.redhat.com/2283757", + "https://bugzilla.redhat.com/2294581", + "https://bugzilla.redhat.com/show_bug.cgi?id=2294581", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535", + "https://errata.almalinux.org/9/ALSA-2024-9333.html", + "https://errata.rockylinux.org/RLSA-2024:7848", + "https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37", + "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e", + "https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c", + "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c", + "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c", + "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87", + "https://linux.oracle.com/cve/CVE-2024-5535.html", + "https://linux.oracle.com/errata/ELSA-2024-9333.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-5535", + "https://openssl.org/news/secadv/20240627.txt", + "https://security.netapp.com/advisory/ntap-20240712-0005/", + "https://ubuntu.com/security/notices/USN-6937-1", + "https://www.cve.org/CVERecord?id=CVE-2024-5535", 
+ "https://www.openssl.org/news/secadv/20240627.txt", + "https://www.oracle.com/security-alerts/cpuoct2024.html#AppendixMSQL" + ], + "PublishedDate": "2024-06-27T11:15:24.447Z", + "LastModifiedDate": "2024-07-12T14:15:16.79Z" + }, + { + "VulnerabilityID": "CVE-2024-6119", + "VendorIDs": [ + "DSA-5764-1" + ], + "PkgID": "libssl3@3.0.11-1~deb12u2", + "PkgName": "libssl3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5", + "UID": "ede1d6b1af8a227f" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "FixedVersion": "3.0.14-1~deb12u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-6119", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: Possible denial of service in X.509 name checks", + "Description": "Issue summary: Applications performing certificate name checks (e.g., TLS\nclients checking server certificates) may attempt to read an invalid memory\naddress resulting in abnormal termination of the application process.\n\nImpact summary: Abnormal termination of an application can a cause a denial of\nservice.\n\nApplications performing certificate name checks (e.g., TLS clients checking\nserver certificates) may attempt to read an invalid memory address when\ncomparing the expected name with an `otherName` subject alternative name of an\nX.509 certificate. This may result in an exception that terminates the\napplication program.\n\nNote that basic certificate chain validation (signatures, dates, ...) 
is not\naffected, the denial of service can occur only when the application also\nspecifies an expected DNS name, Email address or IP address.\n\nTLS servers rarely solicit client certificates, and even when they do, they\ngenerally don't perform a name check against a reference identifier (expected\nidentity), but rather extract the presented identity after checking the\ncertificate chain. So TLS servers are generally not affected and the severity\nof the issue is Moderate.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-843" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 3, + "cbl-mariner": 3, + "oracle-oval": 2, + "photon": 3, + "redhat": 2, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:8935", + "https://access.redhat.com/security/cve/CVE-2024-6119", + "https://bugzilla.redhat.com/2306158", + "https://bugzilla.redhat.com/show_bug.cgi?id=2306158", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6119", + "https://errata.almalinux.org/9/ALSA-2024-8935.html", + "https://errata.rockylinux.org/RLSA-2024:6783", + "https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f", + "https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6", + "https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2", + "https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0", + "https://github.com/openssl/openssl/security/advisories/GHSA-5qrj-vq78-58fj", + "https://linux.oracle.com/cve/CVE-2024-6119.html", + "https://linux.oracle.com/errata/ELSA-2024-8935.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-6119", + "https://openssl-library.org/news/secadv/20240903.txt", + "https://ubuntu.com/security/notices/USN-6986-1", + 
"https://www.cve.org/CVERecord?id=CVE-2024-6119" + ], + "PublishedDate": "2024-09-03T16:15:07.177Z", + "LastModifiedDate": "2024-09-03T21:35:12.987Z" + }, + { + "VulnerabilityID": "CVE-2024-2511", + "PkgID": "libssl3@3.0.11-1~deb12u2", + "PkgName": "libssl3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5", + "UID": "ede1d6b1af8a227f" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "FixedVersion": "3.0.14-1~deb12u1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-2511", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: Unbounded memory growth with session handling in TLSv1.3", + "Description": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. 
It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.", + "Severity": "LOW", + "CweIDs": [ + "CWE-1325" + ], + "VendorSeverity": { + "alma": 1, + "amazon": 2, + "azure": 1, + "cbl-mariner": 1, + "oracle-oval": 1, + "photon": 3, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 3.7 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9333", + "https://access.redhat.com/security/cve/CVE-2024-2511", + "https://bugzilla.redhat.com/2274020", + "https://bugzilla.redhat.com/2281029", + "https://bugzilla.redhat.com/2283757", + "https://bugzilla.redhat.com/2294581", + "https://errata.almalinux.org/9/ALSA-2024-9333.html", + "https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce", + "https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d", + "https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08", + "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640", + "https://linux.oracle.com/cve/CVE-2024-2511.html", + "https://linux.oracle.com/errata/ELSA-2024-9333.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-2511", + "https://ubuntu.com/security/notices/USN-6937-1", + "https://www.cve.org/CVERecord?id=CVE-2024-2511", + "https://www.openssl.org/news/secadv/20240408.txt", + "https://www.openssl.org/news/vulnerabilities.html" + ], + "PublishedDate": "2024-04-08T14:15:07.66Z", + "LastModifiedDate": "2024-10-14T15:15:13.27Z" + }, + { + "VulnerabilityID": "CVE-2024-9143", + "PkgID": "libssl3@3.0.11-1~deb12u2", + "PkgName": "libssl3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5", + "UID": "ede1d6b1af8a227f" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "FixedVersion": 
"3.0.15-1~deb12u1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-9143", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: Low-level invalid GF(2^m) parameters lead to OOB memory access", + "Description": "Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted\nexplicit values for the field polynomial can lead to out-of-bounds memory reads\nor writes.\n\nImpact summary: Out of bound memory writes can lead to an application crash or\neven a possibility of a remote code execution, however, in all the protocols\ninvolving Elliptic Curve Cryptography that we're aware of, either only \"named\ncurves\" are supported, or, if explicit curve parameters are supported, they\nspecify an X9.62 encoding of binary (GF(2^m)) curves that can't represent\nproblematic input values. Thus the likelihood of existence of a vulnerable\napplication is low.\n\nIn particular, the X9.62 encoding is used for ECC keys in X.509 certificates,\nso problematic inputs cannot occur in the context of processing X.509\ncertificates. Any problematic use-cases would have to be using an \"exotic\"\ncurve encoding.\n\nThe affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),\nand various supporting BN_GF2m_*() functions.\n\nApplications working with \"exotic\" explicit binary (GF(2^m)) curve parameters,\nthat make it possible to represent invalid field polynomials with a zero\nconstant term, via the above or similar APIs, may terminate abruptly as a\nresult of reading or writing outside of array bounds. 
Remote code execution\ncannot easily be ruled out.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.", + "Severity": "LOW", + "CweIDs": [ + "CWE-787" + ], + "VendorSeverity": { + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 3.7 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-9143", + "https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712", + "https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700", + "https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4", + "https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154", + "https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a", + "https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41", + "https://nvd.nist.gov/vuln/detail/CVE-2024-9143", + "https://openssl-library.org/news/secadv/20241016.txt", + "https://www.cve.org/CVERecord?id=CVE-2024-9143" + ], + "PublishedDate": "2024-10-16T17:15:18.13Z", + "LastModifiedDate": "2024-11-08T16:35:21.58Z" + }, + { + "VulnerabilityID": "CVE-2012-2663", + "PkgID": "libxtables12@1.8.9-2", + "PkgName": "libxtables12", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libxtables12@1.8.9-2?arch=amd64\u0026distro=debian-12.5", + "UID": "f97bafbffe5aa1a9" + }, + "InstalledVersion": "1.8.9-2", + "Status": "affected", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2012-2663", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + 
"Title": "iptables: --syn flag bypass", + "Description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V2Score": 7.5 + }, + "redhat": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P", + "V2Score": 6.4 + } + }, + "References": [ + "http://www.spinics.net/lists/netfilter-devel/msg21248.html", + "https://access.redhat.com/security/cve/CVE-2012-2663", + "https://bugzilla.redhat.com/show_bug.cgi?id=826702", + "https://nvd.nist.gov/vuln/detail/CVE-2012-2663", + "https://www.cve.org/CVERecord?id=CVE-2012-2663" + ], + "PublishedDate": "2014-02-15T14:57:07.423Z", + "LastModifiedDate": "2023-11-07T02:10:39.77Z" + } + ] + }, + { + "Target": "bin/kindnetd", + "Class": "lang-pkgs", + "Type": "gobinary", + "Packages": [ + { + "Name": "sigs.k8s.io/kind/images/kindnetd", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/kind/images/kindnetd", + "UID": "92ffcc6c74d03aa0" + }, + "Relationship": "root", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "stdlib", + "Identifier": { + "PURL": "pkg:golang/stdlib@v1.22.6", + "UID": "efbdf1f359a00e5" + }, + "Version": "v1.22.6", + "Relationship": "direct", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/beorn7/perks", + "Identifier": { + "PURL": "pkg:golang/github.com/beorn7/perks@v1.0.1", + "UID": "581b4955215aa50" + }, + "Version": "v1.0.1", + 
"Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/cespare/xxhash/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/cespare/xxhash/v2@v2.3.0", + "UID": "f252ba2b8d4a8994" + }, + "Version": "v2.3.0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/coreos/go-iptables", + "Identifier": { + "PURL": "pkg:golang/github.com/coreos/go-iptables@v0.8.0", + "UID": "4f67c718d2de3ec5" + }, + "Version": "v0.8.0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/davecgh/go-spew", + "Identifier": { + "PURL": "pkg:golang/github.com/davecgh/go-spew@v1.1.2-0.20180830191138-d8f796af33cc", + "UID": "e7ccf9947161e733" + }, + "Version": "v1.1.2-0.20180830191138-d8f796af33cc", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/emicklei/go-restful/v3", + "Identifier": { + "PURL": "pkg:golang/github.com/emicklei/go-restful/v3@v3.12.1", + "UID": "957825f16263e969" + }, + "Version": "v3.12.1", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/florianl/go-nfqueue", + "Identifier": { + "PURL": "pkg:golang/github.com/florianl/go-nfqueue@v1.3.2", + "UID": "3bfa25e9a9939864" + }, + "Version": "v1.3.2", + "Layer": { + "Digest": 
"sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/fxamacker/cbor/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/fxamacker/cbor/v2@v2.7.0", + "UID": "35ab2e1cb5a6d88c" + }, + "Version": "v2.7.0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/go-logr/logr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/logr@v1.4.2", + "UID": "f4da3625df47994e" + }, + "Version": "v1.4.2", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/go-openapi/jsonpointer", + "Identifier": { + "PURL": "pkg:golang/github.com/go-openapi/jsonpointer@v0.21.0", + "UID": "ddf105cd57fc675b" + }, + "Version": "v0.21.0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/go-openapi/jsonreference", + "Identifier": { + "PURL": "pkg:golang/github.com/go-openapi/jsonreference@v0.21.0", + "UID": "35ae205853a2bd27" + }, + "Version": "v0.21.0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/go-openapi/swag", + "Identifier": { + "PURL": "pkg:golang/github.com/go-openapi/swag@v0.23.0", + "UID": "145c29bccbbbea5f" + }, + "Version": "v0.23.0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": 
"sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/gogo/protobuf", + "Identifier": { + "PURL": "pkg:golang/github.com/gogo/protobuf@v1.3.2", + "UID": "bb71d0e103ca1dc7" + }, + "Version": "v1.3.2", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/golang/groupcache", + "Identifier": { + "PURL": "pkg:golang/github.com/golang/groupcache@v0.0.0-20210331224755-41bb18bfe9da", + "UID": "610c3d4a80002eb6" + }, + "Version": "v0.0.0-20210331224755-41bb18bfe9da", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/golang/protobuf", + "Identifier": { + "PURL": "pkg:golang/github.com/golang/protobuf@v1.5.4", + "UID": "f42e3534975cd311" + }, + "Version": "v1.5.4", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/google/gnostic-models", + "Identifier": { + "PURL": "pkg:golang/github.com/google/gnostic-models@v0.6.8", + "UID": "8ea67cbaa85ced23" + }, + "Version": "v0.6.8", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/google/go-cmp", + "Identifier": { + "PURL": "pkg:golang/github.com/google/go-cmp@v0.6.0", + "UID": "fd421c6ed6ab4188" + }, + "Version": "v0.6.0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + 
}, + { + "Name": "github.com/google/gofuzz", + "Identifier": { + "PURL": "pkg:golang/github.com/google/gofuzz@v1.2.0", + "UID": "2481dc995112f0f7" + }, + "Version": "v1.2.0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/google/uuid", + "Identifier": { + "PURL": "pkg:golang/github.com/google/uuid@v1.6.0", + "UID": "4023b84a32f0fa88" + }, + "Version": "v1.6.0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/josharian/intern", + "Identifier": { + "PURL": "pkg:golang/github.com/josharian/intern@v1.0.0", + "UID": "a6298c6b6223ce75" + }, + "Version": "v1.0.0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/josharian/native", + "Identifier": { + "PURL": "pkg:golang/github.com/josharian/native@v1.1.0", + "UID": "19a223dbefd7f53c" + }, + "Version": "v1.1.0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/json-iterator/go", + "Identifier": { + "PURL": "pkg:golang/github.com/json-iterator/go@v1.1.12", + "UID": "ca9556e1d889bb4d" + }, + "Version": "v1.1.12", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/mailru/easyjson", + "Identifier": { + "PURL": "pkg:golang/github.com/mailru/easyjson@v0.7.7", + "UID": 
"6e7dc975d0a069af" + }, + "Version": "v0.7.7", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/mdlayher/netlink", + "Identifier": { + "PURL": "pkg:golang/github.com/mdlayher/netlink@v1.7.2", + "UID": "c2d8ce14c21ae95e" + }, + "Version": "v1.7.2", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/mdlayher/socket", + "Identifier": { + "PURL": "pkg:golang/github.com/mdlayher/socket@v0.5.1", + "UID": "d9af9e97f45abf54" + }, + "Version": "v0.5.1", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/modern-go/concurrent", + "Identifier": { + "PURL": "pkg:golang/github.com/modern-go/concurrent@v0.0.0-20180306012644-bacd9c7ef1dd", + "UID": "c53f286d20c532a7" + }, + "Version": "v0.0.0-20180306012644-bacd9c7ef1dd", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/modern-go/reflect2", + "Identifier": { + "PURL": "pkg:golang/github.com/modern-go/reflect2@v1.0.2", + "UID": "e1778d1e84edfa34" + }, + "Version": "v1.0.2", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/munnerz/goautoneg", + "Identifier": { + "PURL": "pkg:golang/github.com/munnerz/goautoneg@v0.0.0-20191010083416-a7dc8b61c822", + "UID": "e5e5b8b2cc8a456e" + }, + "Version": 
"v0.0.0-20191010083416-a7dc8b61c822", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/prometheus/client_golang", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_golang@v1.20.5", + "UID": "f7a8efdc68e1f895" + }, + "Version": "v1.20.5", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/prometheus/client_model", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_model@v0.6.1", + "UID": "ff2f3d757d3392ff" + }, + "Version": "v0.6.1", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/prometheus/common", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/common@v0.60.0", + "UID": "2cc9ae746b9fec49" + }, + "Version": "v0.60.0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/prometheus/procfs", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/procfs@v0.15.1", + "UID": "e19f05aec6189015" + }, + "Version": "v0.15.1", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/vishvananda/netlink", + "Identifier": { + "PURL": "pkg:golang/github.com/vishvananda/netlink@v1.3.0", + "UID": "4897ef922709b921" + }, + "Version": "v1.3.0", + "Layer": { + "Digest": 
"sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/vishvananda/netns", + "Identifier": { + "PURL": "pkg:golang/github.com/vishvananda/netns@v0.0.4", + "UID": "8532db959b0c77b9" + }, + "Version": "v0.0.4", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "github.com/x448/float16", + "Identifier": { + "PURL": "pkg:golang/github.com/x448/float16@v0.8.4", + "UID": "80766c68b7046ff" + }, + "Version": "v0.8.4", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "golang.org/x/net", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.30.0", + "UID": "1d70c176293a4df1" + }, + "Version": "v0.30.0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "golang.org/x/oauth2", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/oauth2@v0.23.0", + "UID": "2b12e900711ac977" + }, + "Version": "v0.23.0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "golang.org/x/sync", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/sync@v0.8.0", + "UID": "62edb7f8fb901b7d" + }, + "Version": "v0.8.0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": 
"golang.org/x/sys", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/sys@v0.26.0", + "UID": "d1db8fd008f8d97e" + }, + "Version": "v0.26.0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "golang.org/x/term", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/term@v0.25.0", + "UID": "3285137ddae7ae72" + }, + "Version": "v0.25.0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "golang.org/x/text", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/text@v0.19.0", + "UID": "6d6e0c4cc5ca81fe" + }, + "Version": "v0.19.0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "golang.org/x/time", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/time@v0.7.0", + "UID": "fd53b664e269036c" + }, + "Version": "v0.7.0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "google.golang.org/protobuf", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/protobuf@v1.35.1", + "UID": "91f49d93a49d233" + }, + "Version": "v1.35.1", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "gopkg.in/inf.v0", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/inf.v0@v0.9.1", + "UID": "f03f248fa21f4a5" + }, + "Version": "v0.9.1", + "Layer": { + "Digest": 
"sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "gopkg.in/yaml.v2", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/yaml.v2@v2.4.0", + "UID": "a68be971d3a5d8f0" + }, + "Version": "v2.4.0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "gopkg.in/yaml.v3", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/yaml.v3@v3.0.1", + "UID": "32691f3dea55f330" + }, + "Version": "v3.0.1", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "k8s.io/api", + "Identifier": { + "PURL": "pkg:golang/k8s.io/api@v0.31.1", + "UID": "58a28f81c8b0f71" + }, + "Version": "v0.31.1", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "k8s.io/apimachinery", + "Identifier": { + "PURL": "pkg:golang/k8s.io/apimachinery@v0.31.1", + "UID": "9ba72f0e13fad8cb" + }, + "Version": "v0.31.1", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "k8s.io/client-go", + "Identifier": { + "PURL": "pkg:golang/k8s.io/client-go@v0.31.1", + "UID": "fcc33a4159df12a" + }, + "Version": "v0.31.1", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "k8s.io/klog/v2", + "Identifier": { + "PURL": 
"pkg:golang/k8s.io/klog/v2@v2.130.1", + "UID": "bcdeab991a9fc88" + }, + "Version": "v2.130.1", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "k8s.io/kube-openapi", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kube-openapi@v0.0.0-20240903163716-9e1beecbcb38", + "UID": "f23afb9f503d7c72" + }, + "Version": "v0.0.0-20240903163716-9e1beecbcb38", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "k8s.io/utils", + "Identifier": { + "PURL": "pkg:golang/k8s.io/utils@v0.0.0-20240921022957-49e7df575cb6", + "UID": "b4cc7e722be56f7e" + }, + "Version": "v0.0.0-20240921022957-49e7df575cb6", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "sigs.k8s.io/json", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/json@v0.0.0-20221116044647-bc3834ca7abd", + "UID": "1df14c7405deb8e1" + }, + "Version": "v0.0.0-20221116044647-bc3834ca7abd", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "sigs.k8s.io/knftables", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/knftables@v0.0.17", + "UID": "8727d479f95e7c2a" + }, + "Version": "v0.0.17", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "sigs.k8s.io/kube-network-policies", + "Identifier": { + "PURL": 
"pkg:golang/sigs.k8s.io/kube-network-policies@v0.6.1-0.20241023163654-4320aa92e3f0", + "UID": "6f2b1790fb5ef16e" + }, + "Version": "v0.6.1-0.20241023163654-4320aa92e3f0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "sigs.k8s.io/network-policy-api", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/network-policy-api@v0.1.5", + "UID": "58a9409d86bd7706" + }, + "Version": "v0.1.5", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "sigs.k8s.io/structured-merge-diff/v4", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/structured-merge-diff/v4@v4.4.1", + "UID": "8d24acea2eebc262" + }, + "Version": "v4.4.1", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + }, + { + "Name": "sigs.k8s.io/yaml", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/yaml@v1.4.0", + "UID": "25eb8b5db552e5f1" + }, + "Version": "v1.4.0", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + } + } + ], + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2024-34156", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": "pkg:golang/stdlib@v1.22.6", + "UID": "efbdf1f359a00e5" + }, + "InstalledVersion": "v1.22.6", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + }, + "PrimaryURL": 
"https://avd.aquasec.com/nvd/cve-2024-34156", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion", + "Description": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.", + "Severity": "HIGH", + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9473", + "https://access.redhat.com/security/cve/CVE-2024-34156", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2318052", + "https://bugzilla.redhat.com/show_bug.cgi?id=2262921", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1394", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://errata.almalinux.org/9/ALSA-2024-9473.html", + "https://errata.rockylinux.org/RLSA-2024:7262", + "https://github.com/golang/go/commit/2092294f2b097c5828f4eace6c98a322c1510b01 (go1.22.7)", + "https://github.com/golang/go/commit/fa8ff1a46deb6c816304441ec6740ec112e19012 (go1.23.1)", + "https://go.dev/cl/611239", + "https://go.dev/issue/69139", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34156.html", + "https://linux.oracle.com/errata/ELSA-2024-9473.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34156", + 
"https://pkg.go.dev/vuln/GO-2024-3106", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34156" + ], + "PublishedDate": "2024-09-06T21:15:12.02Z", + "LastModifiedDate": "2024-09-09T15:35:07.573Z" + }, + { + "VulnerabilityID": "CVE-2024-34155", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": "pkg:golang/stdlib@v1.22.6", + "UID": "efbdf1f359a00e5" + }, + "InstalledVersion": "v1.22.6", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": "sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34155", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "go/parser: golang: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion", + "Description": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 2, + "oracle-oval": 3, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 4.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9459", + "https://access.redhat.com/security/cve/CVE-2024-34155", + "https://bugzilla.redhat.com/2310527", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2310529", + "https://bugzilla.redhat.com/2315691", + "https://bugzilla.redhat.com/2315887", + 
"https://bugzilla.redhat.com/2317458", + "https://bugzilla.redhat.com/2317467", + "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310527", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310529", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34155", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34158", + "https://errata.almalinux.org/9/ALSA-2024-9459.html", + "https://errata.rockylinux.org/RLSA-2024:6913", + "https://github.com/golang/go/commit/53487e5477151ed75da50e50a0ba8f1ca64c00a3 (go1.23.1)", + "https://github.com/golang/go/commit/b232596139dbe96a62edbe3a2a203e856bf556eb (go1.22.7)", + "https://go.dev/cl/611238", + "https://go.dev/issue/69138", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34155.html", + "https://linux.oracle.com/errata/ELSA-2024-9459.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34155", + "https://pkg.go.dev/vuln/GO-2024-3105", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34155" + ], + "PublishedDate": "2024-09-06T21:15:11.947Z", + "LastModifiedDate": "2024-11-04T17:35:17.887Z" + }, + { + "VulnerabilityID": "CVE-2024-34158", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": "pkg:golang/stdlib@v1.22.6", + "UID": "efbdf1f359a00e5" + }, + "InstalledVersion": "v1.22.6", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:5cf479e0dd3109d2d1b41df1c412a6f733b5bf9a67a96c3d4e223ce7c5e56891", + "DiffID": 
"sha256:e31108f5d67239512db9cbc2132dc9080101e9a8bd37bcd2ff440fc3b2f22ae8" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34158", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "go/build/constraint: golang: Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion", + "Description": "Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9459", + "https://access.redhat.com/security/cve/CVE-2024-34158", + "https://bugzilla.redhat.com/2310527", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2310529", + "https://bugzilla.redhat.com/2315691", + "https://bugzilla.redhat.com/2315887", + "https://bugzilla.redhat.com/2317458", + "https://bugzilla.redhat.com/2317467", + "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310527", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310529", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34155", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34158", + "https://errata.almalinux.org/9/ALSA-2024-9459.html", + 
"https://errata.rockylinux.org/RLSA-2024:6913", + "https://github.com/golang/go/commit/032ac075c20c01c6c35a672d1542d3e98eab84ea (go1.23.1)", + "https://github.com/golang/go/commit/d4c53812e6ce2ac368173d7fcd31d0ecfcffb002 (go1.22.7)", + "https://go.dev/cl/611240", + "https://go.dev/issue/69141", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34158.html", + "https://linux.oracle.com/errata/ELSA-2024-9459.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34158", + "https://pkg.go.dev/vuln/GO-2024-3107", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34158" + ], + "PublishedDate": "2024-09-06T21:15:12.083Z", + "LastModifiedDate": "2024-09-09T14:35:01.17Z" + } + ] + }, + { + "Target": "go-runner", + "Class": "lang-pkgs", + "Type": "gobinary", + "Packages": [ + { + "Name": "k8s.io/release/images/build/go-runner", + "Identifier": { + "PURL": "pkg:golang/k8s.io/release/images/build/go-runner", + "UID": "de04e9e6653a54e4" + }, + "Relationship": "root", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + }, + { + "Name": "stdlib", + "Identifier": { + "PURL": "pkg:golang/stdlib@v1.22.4", + "UID": "b38d07f69d0c25bd" + }, + "Version": "v1.22.4", + "Relationship": "direct", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + } + } + ], + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2024-34156", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": "pkg:golang/stdlib@v1.22.4", + "UID": "b38d07f69d0c25bd" + }, + "InstalledVersion": 
"v1.22.4", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34156", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion", + "Description": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.", + "Severity": "HIGH", + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9473", + "https://access.redhat.com/security/cve/CVE-2024-34156", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2318052", + "https://bugzilla.redhat.com/show_bug.cgi?id=2262921", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1394", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://errata.almalinux.org/9/ALSA-2024-9473.html", + "https://errata.rockylinux.org/RLSA-2024:7262", + "https://github.com/golang/go/commit/2092294f2b097c5828f4eace6c98a322c1510b01 (go1.22.7)", + "https://github.com/golang/go/commit/fa8ff1a46deb6c816304441ec6740ec112e19012 (go1.23.1)", + "https://go.dev/cl/611239", + "https://go.dev/issue/69139", + 
"https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34156.html", + "https://linux.oracle.com/errata/ELSA-2024-9473.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34156", + "https://pkg.go.dev/vuln/GO-2024-3106", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34156" + ], + "PublishedDate": "2024-09-06T21:15:12.02Z", + "LastModifiedDate": "2024-09-09T15:35:07.573Z" + }, + { + "VulnerabilityID": "CVE-2024-24791", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": "pkg:golang/stdlib@v1.22.4", + "UID": "b38d07f69d0c25bd" + }, + "InstalledVersion": "v1.22.4", + "FixedVersion": "1.21.12, 1.22.5", + "Status": "fixed", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-24791", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "net/http: Denial of service due to improper 100-continue handling in net/http", + "Description": "The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an \"Expect: 100-continue\" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending \"Expect: 100-continue\" requests which elicit a non-informational response from the backend. 
Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 3, + "bitnami": 3, + "oracle-oval": 2, + "photon": 3, + "redhat": 2, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9135", + "https://access.redhat.com/security/cve/CVE-2024-24791", + "https://bugzilla.redhat.com/2268017", + "https://bugzilla.redhat.com/2268022", + "https://bugzilla.redhat.com/2279814", + "https://bugzilla.redhat.com/2295310", + "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791", + "https://errata.almalinux.org/9/ALSA-2024-9135.html", + "https://errata.rockylinux.org/RLSA-2024:7349", + "https://go.dev/cl/591255", + "https://go.dev/issue/67555", + "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ", + "https://linux.oracle.com/cve/CVE-2024-24791.html", + "https://linux.oracle.com/errata/ELSA-2024-9115.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-24791", + "https://pkg.go.dev/vuln/GO-2024-2963", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-24791" + ], + "PublishedDate": "2024-07-02T22:15:04.833Z", + "LastModifiedDate": "2024-07-08T14:17:39.083Z" + }, + { + "VulnerabilityID": "CVE-2024-34155", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": "pkg:golang/stdlib@v1.22.4", + "UID": "b38d07f69d0c25bd" + }, + "InstalledVersion": "v1.22.4", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": 
"sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34155", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "go/parser: golang: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion", + "Description": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 2, + "oracle-oval": 3, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 4.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9459", + "https://access.redhat.com/security/cve/CVE-2024-34155", + "https://bugzilla.redhat.com/2310527", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2310529", + "https://bugzilla.redhat.com/2315691", + "https://bugzilla.redhat.com/2315887", + "https://bugzilla.redhat.com/2317458", + "https://bugzilla.redhat.com/2317467", + "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310527", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310529", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34155", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34158", + "https://errata.almalinux.org/9/ALSA-2024-9459.html", + 
"https://errata.rockylinux.org/RLSA-2024:6913", + "https://github.com/golang/go/commit/53487e5477151ed75da50e50a0ba8f1ca64c00a3 (go1.23.1)", + "https://github.com/golang/go/commit/b232596139dbe96a62edbe3a2a203e856bf556eb (go1.22.7)", + "https://go.dev/cl/611238", + "https://go.dev/issue/69138", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34155.html", + "https://linux.oracle.com/errata/ELSA-2024-9459.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34155", + "https://pkg.go.dev/vuln/GO-2024-3105", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34155" + ], + "PublishedDate": "2024-09-06T21:15:11.947Z", + "LastModifiedDate": "2024-11-04T17:35:17.887Z" + }, + { + "VulnerabilityID": "CVE-2024-34158", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": "pkg:golang/stdlib@v1.22.4", + "UID": "b38d07f69d0c25bd" + }, + "InstalledVersion": "v1.22.4", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:529cf6e0a17387061836a737b20c5c53be64036bd05ef123b1bad79ffa5898ff", + "DiffID": "sha256:7d3dbd1fd0f39cd07cd1888184ef73e6bee0320504d45517df79eec28128ce0f" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34158", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "go/build/constraint: golang: Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion", + "Description": "Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 3, + 
"oracle-oval": 3, + "photon": 3, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9459", + "https://access.redhat.com/security/cve/CVE-2024-34158", + "https://bugzilla.redhat.com/2310527", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2310529", + "https://bugzilla.redhat.com/2315691", + "https://bugzilla.redhat.com/2315887", + "https://bugzilla.redhat.com/2317458", + "https://bugzilla.redhat.com/2317467", + "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310527", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310529", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34155", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34158", + "https://errata.almalinux.org/9/ALSA-2024-9459.html", + "https://errata.rockylinux.org/RLSA-2024:6913", + "https://github.com/golang/go/commit/032ac075c20c01c6c35a672d1542d3e98eab84ea (go1.23.1)", + "https://github.com/golang/go/commit/d4c53812e6ce2ac368173d7fcd31d0ecfcffb002 (go1.22.7)", + "https://go.dev/cl/611240", + "https://go.dev/issue/69141", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34158.html", + "https://linux.oracle.com/errata/ELSA-2024-9459.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34158", + "https://pkg.go.dev/vuln/GO-2024-3107", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + 
"https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34158" + ], + "PublishedDate": "2024-09-06T21:15:12.083Z", + "LastModifiedDate": "2024-09-09T14:35:01.17Z" + } + ] + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "DaemonSet", + "Name": "kube-proxy", + "Metadata": [ + { + "OS": { + "Family": "debian", + "Name": "12.7" + }, + "ImageID": "sha256:505d571f5fd56726488d27af0d9a8e02c6db58f5d62ea51dd10d47de7a0c2d38", + "DiffIDs": [ + "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20", + "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + ], + "RepoTags": [ + "registry.k8s.io/kube-proxy:v1.31.2" + ], + "RepoDigests": [ + "registry.k8s.io/kube-proxy@sha256:62128d752eb4a9162074697aba46adea4abb8aab2a53c992f20881365b61a4fe" + ], + "ImageConfig": { + "architecture": "amd64", + "created": "2024-10-22T20:45:56.445962597Z", + "history": [ + { + "created": "2024-10-15T19:38:30.598579667Z", + "created_by": "COPY / / # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2024-10-22T20:45:56.445962597Z", + "created_by": "COPY /usr/local/bin/ # buildkit", + "comment": "buildkit.dockerfile.v0" + } + ], + "os": "linux", + "rootfs": { + "type": "layers", + "diff_ids": [ + "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20", + "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + ] + }, + "config": { + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ], + "WorkingDir": "/" + } + } + } + ], + "Results": [ + { + "Target": "registry.k8s.io/kube-proxy:v1.31.2 (debian 12.7)", + "Class": "os-pkgs", + "Type": "debian", + "Packages": [ + { + "ID": "base-files@12.4+deb12u7", + "Name": "base-files", + "Identifier": { + "PURL": "pkg:deb/debian/base-files@12.4%2Bdeb12u7?arch=amd64\u0026distro=debian-12.7", + "UID": "392b0a2ef700f88e" + }, + "Version": "12.4+deb12u7", + "Arch": "amd64", + "SrcName": 
"base-files", + "SrcVersion": "12.4+deb12u7", + "Licenses": [ + "GPL-2.0-or-later" + ], + "Maintainer": "Santiago Vila \u003csanvila@debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "conntrack@1:1.4.7-1+b2", + "Name": "conntrack", + "Identifier": { + "PURL": "pkg:deb/debian/conntrack@1.4.7-1%2Bb2?arch=amd64\u0026distro=debian-12.7\u0026epoch=1", + "UID": "db91cde6364ad724" + }, + "Version": "1.4.7", + "Release": "1+b2", + "Epoch": 1, + "Arch": "amd64", + "SrcName": "conntrack-tools", + "SrcVersion": "1.4.7", + "SrcRelease": "1", + "SrcEpoch": 1, + "Licenses": [ + "GPL-2.0-or-later", + "GPL-2.0-only" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "coreutils@9.1-1", + "Name": "coreutils", + "Identifier": { + "PURL": "pkg:deb/debian/coreutils@9.1-1?arch=amd64\u0026distro=debian-12.7", + "UID": "bed513a0ab732758" + }, + "Version": "9.1", + "Release": "1", + "Arch": "amd64", + "SrcName": "coreutils", + "SrcVersion": "9.1", + "SrcRelease": "1", + "Licenses": [ + "GPL-3.0-or-later", + "BSD-4-Clause-UC", + "GPL-3.0-only", + "ISC", + "FSFULLR", + "GFDL-1.3-no-invariants-only", + "GFDL-1.3-only" + ], + "Maintainer": "Michael Stone \u003cmstone@debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "ebtables@2.0.11-5", + "Name": "ebtables", + "Identifier": { + "PURL": "pkg:deb/debian/ebtables@2.0.11-5?arch=amd64\u0026distro=debian-12.7", + "UID": "c8245b68726cf8ab" + 
}, + "Version": "2.0.11", + "Release": "5", + "Arch": "amd64", + "SrcName": "ebtables", + "SrcVersion": "2.0.11", + "SrcRelease": "5", + "Licenses": [ + "GPL-2.0-only" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "ipset@7.17-1", + "Name": "ipset", + "Identifier": { + "PURL": "pkg:deb/debian/ipset@7.17-1?arch=amd64\u0026distro=debian-12.7", + "UID": "8a87e0674caedf4a" + }, + "Version": "7.17", + "Release": "1", + "Arch": "amd64", + "SrcName": "ipset", + "SrcVersion": "7.17", + "SrcRelease": "1", + "Licenses": [ + "GPL-2.0-or-later", + "GPL-2.0-only", + "FSFULLR", + "LGPL-2.0-or-later", + "GPL-3.0-or-later", + "GPL-3+ with Autoconf-data exception", + "MIT", + "FSFAP", + "FSFUL", + "public-domain", + "LGPL-2.0-only", + "GPL-3.0-only" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "iptables@1.8.9-2", + "Name": "iptables", + "Identifier": { + "PURL": "pkg:deb/debian/iptables@1.8.9-2?arch=amd64\u0026distro=debian-12.7", + "UID": "60542952c5093316" + }, + "Version": "1.8.9", + "Release": "2", + "Arch": "amd64", + "SrcName": "iptables", + "SrcVersion": "1.8.9", + "SrcRelease": "2", + "Licenses": [ + "GPL-2.0-only", + "Artistic-2.0", + "GPL-2.0-or-later", + "custom" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": 
"sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "kmod@30+20221128-1", + "Name": "kmod", + "Identifier": { + "PURL": "pkg:deb/debian/kmod@30%2B20221128-1?arch=amd64\u0026distro=debian-12.7", + "UID": "f33d5cf3e82238aa" + }, + "Version": "30+20221128", + "Release": "1", + "Arch": "amd64", + "SrcName": "kmod", + "SrcVersion": "30+20221128", + "SrcRelease": "1", + "Licenses": [ + "LGPL-2.1-or-later", + "GPL-2.0-or-later", + "GPL-2.0-only", + "LGPL-2.1-only" + ], + "Maintainer": "Marco d'Itri \u003cmd@linux.it\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "libbsd0@0.11.7-2", + "Name": "libbsd0", + "Identifier": { + "PURL": "pkg:deb/debian/libbsd0@0.11.7-2?arch=amd64\u0026distro=debian-12.7", + "UID": "3cf1baecf93c3b76" + }, + "Version": "0.11.7", + "Release": "2", + "Arch": "amd64", + "SrcName": "libbsd", + "SrcVersion": "0.11.7", + "SrcRelease": "2", + "Licenses": [ + "BSD-3-Clause", + "BSD-4-clause-Niels-Provos", + "BSD-3-clause-Regents", + "BSD-2-Clause-NetBSD", + "BSD-3-clause-author", + "BSD-3-clause-John-Birrell", + "libutil-David-Nugent", + "BSD-2-Clause", + "BSD-2-clause-verbatim", + "BSD-2-clause-author", + "ISC", + "ISC-Original", + "MIT", + "public-domain", + "Beerware" + ], + "Maintainer": "Guillem Jover \u003cguillem@debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "libc6@2.36-9+deb12u8", + "Name": "libc6", + "Identifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u8?arch=amd64\u0026distro=debian-12.7", + "UID": "8e605a3d8e185a3c" + }, + "Version": "2.36", + "Release": "9+deb12u8", + "Arch": "amd64", + "SrcName": "glibc", + "SrcVersion": "2.36", + "SrcRelease": 
"9+deb12u8", + "Licenses": [ + "LGPL-2.1-only", + "GPL-2.0-only" + ], + "Maintainer": "GNU Libc Maintainers \u003cdebian-glibc@lists.debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "libedit2@3.1-20221030-2", + "Name": "libedit2", + "Identifier": { + "PURL": "pkg:deb/debian/libedit2@3.1-20221030-2?arch=amd64\u0026distro=debian-12.7", + "UID": "43cd5327f81c53ca" + }, + "Version": "3.1-20221030", + "Release": "2", + "Arch": "amd64", + "SrcName": "libedit", + "SrcVersion": "3.1-20221030", + "SrcRelease": "2", + "Licenses": [ + "BSD-3-Clause" + ], + "Maintainer": "LLVM Packaging Team \u003cpkg-llvm-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "libgmp10@2:6.2.1+dfsg1-1.1", + "Name": "libgmp10", + "Identifier": { + "PURL": "pkg:deb/debian/libgmp10@6.2.1%2Bdfsg1-1.1?arch=amd64\u0026distro=debian-12.7\u0026epoch=2", + "UID": "13e222521d46613" + }, + "Version": "6.2.1+dfsg1", + "Release": "1.1", + "Epoch": 2, + "Arch": "amd64", + "SrcName": "gmp", + "SrcVersion": "6.2.1+dfsg1", + "SrcRelease": "1.1", + "SrcEpoch": 2, + "Licenses": [ + "GPL-2.0-or-later", + "LGPL-3.0-or-later", + "GPL-3.0-or-later", + "GPL-3+ with Bison exception", + "GPL-2.0-only", + "GPL-3.0-only", + "LGPL-3.0-only" + ], + "Maintainer": "Debian Science Team \u003cdebian-science-maintainers@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "libip4tc2@1.8.9-2", + "Name": "libip4tc2", + "Identifier": { + "PURL": 
"pkg:deb/debian/libip4tc2@1.8.9-2?arch=amd64\u0026distro=debian-12.7", + "UID": "707fdf2f66e18cc8" + }, + "Version": "1.8.9", + "Release": "2", + "Arch": "amd64", + "SrcName": "iptables", + "SrcVersion": "1.8.9", + "SrcRelease": "2", + "Licenses": [ + "GPL-2.0-only", + "Artistic-2.0", + "GPL-2.0-or-later", + "custom" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "libip6tc2@1.8.9-2", + "Name": "libip6tc2", + "Identifier": { + "PURL": "pkg:deb/debian/libip6tc2@1.8.9-2?arch=amd64\u0026distro=debian-12.7", + "UID": "b3d44a6e48a2933d" + }, + "Version": "1.8.9", + "Release": "2", + "Arch": "amd64", + "SrcName": "iptables", + "SrcVersion": "1.8.9", + "SrcRelease": "2", + "Licenses": [ + "GPL-2.0-only", + "Artistic-2.0", + "GPL-2.0-or-later", + "custom" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "libipset13@7.17-1", + "Name": "libipset13", + "Identifier": { + "PURL": "pkg:deb/debian/libipset13@7.17-1?arch=amd64\u0026distro=debian-12.7", + "UID": "fb18ba7aac268fe9" + }, + "Version": "7.17", + "Release": "1", + "Arch": "amd64", + "SrcName": "ipset", + "SrcVersion": "7.17", + "SrcRelease": "1", + "Licenses": [ + "GPL-2.0-or-later", + "GPL-2.0-only", + "FSFULLR", + "LGPL-2.0-or-later", + "GPL-3.0-or-later", + "GPL-3+ with Autoconf-data exception", + "MIT", + "FSFAP", + "FSFUL", + "public-domain", + "LGPL-2.0-only", + "GPL-3.0-only" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", 
+ "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "libjansson4@2.14-2", + "Name": "libjansson4", + "Identifier": { + "PURL": "pkg:deb/debian/libjansson4@2.14-2?arch=amd64\u0026distro=debian-12.7", + "UID": "e4f002a8d030bc6c" + }, + "Version": "2.14", + "Release": "2", + "Arch": "amd64", + "SrcName": "jansson", + "SrcVersion": "2.14", + "SrcRelease": "2", + "Licenses": [ + "MIT" + ], + "Maintainer": "Alessandro Ghedini \u003cghedo@debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "libkmod2@30+20221128-1", + "Name": "libkmod2", + "Identifier": { + "PURL": "pkg:deb/debian/libkmod2@30%2B20221128-1?arch=amd64\u0026distro=debian-12.7", + "UID": "8d173a007099e61d" + }, + "Version": "30+20221128", + "Release": "1", + "Arch": "amd64", + "SrcName": "kmod", + "SrcVersion": "30+20221128", + "SrcRelease": "1", + "Licenses": [ + "LGPL-2.1-or-later", + "GPL-2.0-or-later", + "GPL-2.0-only", + "LGPL-2.1-only" + ], + "Maintainer": "Marco d'Itri \u003cmd@linux.it\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "libmd0@1.0.4-2", + "Name": "libmd0", + "Identifier": { + "PURL": "pkg:deb/debian/libmd0@1.0.4-2?arch=amd64\u0026distro=debian-12.7", + "UID": "64dbde3af8f03a21" + }, + "Version": "1.0.4", + "Release": "2", + "Arch": "amd64", + "SrcName": "libmd", + "SrcVersion": "1.0.4", + "SrcRelease": "2", + "Licenses": [ + "BSD-3-Clause", + "BSD-3-clause-Aaron-D-Gifford", + "BSD-2-Clause", + "BSD-2-Clause-NetBSD", + "ISC", + "Beerware", + "public-domain-md4", + "public-domain-md5", + 
"public-domain-sha1" + ], + "Maintainer": "Guillem Jover \u003cguillem@debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "libmnl0@1.0.4-3", + "Name": "libmnl0", + "Identifier": { + "PURL": "pkg:deb/debian/libmnl0@1.0.4-3?arch=amd64\u0026distro=debian-12.7", + "UID": "4467f1faa45bb5e4" + }, + "Version": "1.0.4", + "Release": "3", + "Arch": "amd64", + "SrcName": "libmnl", + "SrcVersion": "1.0.4", + "SrcRelease": "3", + "Licenses": [ + "LGPL-2.1-only", + "GPL-2.0-or-later", + "GPL-2.0-only" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "libnetfilter-conntrack3@1.0.9-3", + "Name": "libnetfilter-conntrack3", + "Identifier": { + "PURL": "pkg:deb/debian/libnetfilter-conntrack3@1.0.9-3?arch=amd64\u0026distro=debian-12.7", + "UID": "5a1c6bc047154238" + }, + "Version": "1.0.9", + "Release": "3", + "Arch": "amd64", + "SrcName": "libnetfilter-conntrack", + "SrcVersion": "1.0.9", + "SrcRelease": "3", + "Licenses": [ + "GPL-2.0-or-later", + "GPL-2.0-only" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "libnfnetlink0@1.0.2-2", + "Name": "libnfnetlink0", + "Identifier": { + "PURL": "pkg:deb/debian/libnfnetlink0@1.0.2-2?arch=amd64\u0026distro=debian-12.7", + "UID": "5b78c7b6a5249ed5" + }, + "Version": "1.0.2", + "Release": "2", + "Arch": "amd64", + "SrcName": "libnfnetlink", + 
"SrcVersion": "1.0.2", + "SrcRelease": "2", + "Licenses": [ + "GPL-2.0-or-later", + "GPL-2.0-only" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "libnftables1@1.0.6-2+deb12u2", + "Name": "libnftables1", + "Identifier": { + "PURL": "pkg:deb/debian/libnftables1@1.0.6-2%2Bdeb12u2?arch=amd64\u0026distro=debian-12.7", + "UID": "4bf04dc5e99159ff" + }, + "Version": "1.0.6", + "Release": "2+deb12u2", + "Arch": "amd64", + "SrcName": "nftables", + "SrcVersion": "1.0.6", + "SrcRelease": "2+deb12u2", + "Licenses": [ + "GPL-2.0-only", + "GPL-2.0-or-later", + "CC-BY-SA-4.0" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "libnftnl11@1.2.4-2", + "Name": "libnftnl11", + "Identifier": { + "PURL": "pkg:deb/debian/libnftnl11@1.2.4-2?arch=amd64\u0026distro=debian-12.7", + "UID": "af7a16a821fcd6df" + }, + "Version": "1.2.4", + "Release": "2", + "Arch": "amd64", + "SrcName": "libnftnl", + "SrcVersion": "1.2.4", + "SrcRelease": "2", + "Licenses": [ + "GPL-2.0-or-later", + "GPL-2.0-only" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "libpcre2-8-0@10.42-1", + "Name": "libpcre2-8-0", + "Identifier": { + "PURL": "pkg:deb/debian/libpcre2-8-0@10.42-1?arch=amd64\u0026distro=debian-12.7", + "UID": 
"c4ab7ab802fd12cd" + }, + "Version": "10.42", + "Release": "1", + "Arch": "amd64", + "SrcName": "pcre2", + "SrcVersion": "10.42", + "SrcRelease": "1", + "Licenses": [ + "BSD-3-clause-Cambridge with BINARY LIBRARY-LIKE PACKAGES exception", + "BSD-3-Clause", + "X11", + "BSD-2-Clause", + "public-domain" + ], + "Maintainer": "Matthew Vernon \u003cmatthew@debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "libssl3@3.0.14-1~deb12u2", + "Name": "libssl3", + "Identifier": { + "PURL": "pkg:deb/debian/libssl3@3.0.14-1~deb12u2?arch=amd64\u0026distro=debian-12.7", + "UID": "aaf438583e728488" + }, + "Version": "3.0.14", + "Release": "1~deb12u2", + "Arch": "amd64", + "SrcName": "openssl", + "SrcVersion": "3.0.14", + "SrcRelease": "1~deb12u2", + "Licenses": [ + "Apache-2.0", + "Artistic-2.0", + "GPL-1.0-or-later", + "GPL-1.0-only" + ], + "Maintainer": "Debian OpenSSL Team \u003cpkg-openssl-devel@alioth-lists.debian.net\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "libxtables12@1.8.9-2", + "Name": "libxtables12", + "Identifier": { + "PURL": "pkg:deb/debian/libxtables12@1.8.9-2?arch=amd64\u0026distro=debian-12.7", + "UID": "f97bafbffe5aa1a9" + }, + "Version": "1.8.9", + "Release": "2", + "Arch": "amd64", + "SrcName": "iptables", + "SrcVersion": "1.8.9", + "SrcRelease": "2", + "Licenses": [ + "GPL-2.0-only", + "Artistic-2.0", + "GPL-2.0-or-later", + "custom" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": 
"sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "libzstd1@1.5.4+dfsg2-5", + "Name": "libzstd1", + "Identifier": { + "PURL": "pkg:deb/debian/libzstd1@1.5.4%2Bdfsg2-5?arch=amd64\u0026distro=debian-12.7", + "UID": "6cdb102794e79bc1" + }, + "Version": "1.5.4+dfsg2", + "Release": "5", + "Arch": "amd64", + "SrcName": "libzstd", + "SrcVersion": "1.5.4+dfsg2", + "SrcRelease": "5", + "Licenses": [ + "BSD-3-Clause", + "GPL-2.0-only", + "Zlib", + "MIT" + ], + "Maintainer": "RPM packaging team \u003cteam+pkg-rpm@tracker.debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "netbase@6.4", + "Name": "netbase", + "Identifier": { + "PURL": "pkg:deb/debian/netbase@6.4?arch=all\u0026distro=debian-12.7", + "UID": "4f7e568d50cdb727" + }, + "Version": "6.4", + "Arch": "all", + "SrcName": "netbase", + "SrcVersion": "6.4", + "Licenses": [ + "GPL-2.0-only" + ], + "Maintainer": "Marco d'Itri \u003cmd@linux.it\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "nftables@1.0.6-2+deb12u2", + "Name": "nftables", + "Identifier": { + "PURL": "pkg:deb/debian/nftables@1.0.6-2%2Bdeb12u2?arch=amd64\u0026distro=debian-12.7", + "UID": "2974f0aebd8fb743" + }, + "Version": "1.0.6", + "Release": "2+deb12u2", + "Arch": "amd64", + "SrcName": "nftables", + "SrcVersion": "1.0.6", + "SrcRelease": "2+deb12u2", + "Licenses": [ + "GPL-2.0-only", + "GPL-2.0-or-later", + "CC-BY-SA-4.0" + ], + "Maintainer": "Debian Netfilter Packaging Team \u003cpkg-netfilter-team@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": 
"sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "ID": "tzdata@2024a-0+deb12u1", + "Name": "tzdata", + "Identifier": { + "PURL": "pkg:deb/debian/tzdata@2024a-0%2Bdeb12u1?arch=all\u0026distro=debian-12.7", + "UID": "b88ec8ecf4963fd2" + }, + "Version": "2024a", + "Release": "0+deb12u1", + "Arch": "all", + "SrcName": "tzdata", + "SrcVersion": "2024a", + "SrcRelease": "0+deb12u1", + "Licenses": [ + "public-domain" + ], + "Maintainer": "GNU Libc Maintainers \u003cdebian-glibc@lists.debian.org\u003e", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + } + ], + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2016-2781", + "PkgID": "coreutils@9.1-1", + "PkgName": "coreutils", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/coreutils@9.1-1?arch=amd64\u0026distro=debian-12.7", + "UID": "bed513a0ab732758" + }, + "InstalledVersion": "9.1-1", + "Status": "will_not_fix", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-2781", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "coreutils: Non-privileged session can escape to the parent session in chroot", + "Description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "Severity": "LOW", + "CweIDs": [ + "CWE-20" + ], + "VendorSeverity": { + "azure": 2, + "cbl-mariner": 2, + "debian": 1, + "nvd": 2, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": 
"AV:L/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", + "V2Score": 2.1, + "V3Score": 6.5 + }, + "redhat": { + "V2Vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C", + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "V2Score": 6.2, + "V3Score": 8.6 + } + }, + "References": [ + "http://seclists.org/oss-sec/2016/q1/452", + "http://www.openwall.com/lists/oss-security/2016/02/28/2", + "http://www.openwall.com/lists/oss-security/2016/02/28/3", + "https://access.redhat.com/security/cve/CVE-2016-2781", + "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E", + "https://lore.kernel.org/patchwork/patch/793178/", + "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.28/v2.28-ReleaseNotes", + "https://nvd.nist.gov/vuln/detail/CVE-2016-2781", + "https://www.cve.org/CVERecord?id=CVE-2016-2781" + ], + "PublishedDate": "2017-02-07T15:59:00.333Z", + "LastModifiedDate": "2023-11-07T02:32:03.347Z" + }, + { + "VulnerabilityID": "CVE-2017-18018", + "PkgID": "coreutils@9.1-1", + "PkgName": "coreutils", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/coreutils@9.1-1?arch=amd64\u0026distro=debian-12.7", + "UID": "bed513a0ab732758" + }, + "InstalledVersion": "9.1-1", + "Status": "affected", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-18018", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "coreutils: race condition vulnerability in chown and chgrp", + "Description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, 
which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", + "Severity": "LOW", + "CweIDs": [ + "CWE-362" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 1.9, + "V3Score": 4.7 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 4.2 + } + }, + "References": [ + "http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html", + "https://access.redhat.com/security/cve/CVE-2017-18018", + "https://nvd.nist.gov/vuln/detail/CVE-2017-18018", + "https://www.cve.org/CVERecord?id=CVE-2017-18018" + ], + "PublishedDate": "2018-01-04T04:29:00.19Z", + "LastModifiedDate": "2018-01-19T15:46:46.05Z" + }, + { + "VulnerabilityID": "CVE-2012-2663", + "PkgID": "iptables@1.8.9-2", + "PkgName": "iptables", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/iptables@1.8.9-2?arch=amd64\u0026distro=debian-12.7", + "UID": "60542952c5093316" + }, + "InstalledVersion": "1.8.9-2", + "Status": "affected", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2012-2663", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "iptables: --syn flag bypass", + "Description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. 
NOTE: the CVE-2012-6638 fix makes this issue less relevant.", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V2Score": 7.5 + }, + "redhat": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P", + "V2Score": 6.4 + } + }, + "References": [ + "http://www.spinics.net/lists/netfilter-devel/msg21248.html", + "https://access.redhat.com/security/cve/CVE-2012-2663", + "https://bugzilla.redhat.com/show_bug.cgi?id=826702", + "https://nvd.nist.gov/vuln/detail/CVE-2012-2663", + "https://www.cve.org/CVERecord?id=CVE-2012-2663" + ], + "PublishedDate": "2014-02-15T14:57:07.423Z", + "LastModifiedDate": "2023-11-07T02:10:39.77Z" + }, + { + "VulnerabilityID": "CVE-2010-4756", + "PkgID": "libc6@2.36-9+deb12u8", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u8?arch=amd64\u0026distro=debian-12.7", + "UID": "8e605a3d8e185a3c" + }, + "InstalledVersion": "2.36-9+deb12u8", + "Status": "affected", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2010-4756", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", + "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", + "Severity": "LOW", + "CweIDs": [ + "CWE-399" + ], + 
"VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P", + "V2Score": 4 + }, + "redhat": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V2Score": 5 + } + }, + "References": [ + "http://cxib.net/stuff/glob-0day.c", + "http://securityreason.com/achievement_securityalert/89", + "http://securityreason.com/exploitalert/9223", + "https://access.redhat.com/security/cve/CVE-2010-4756", + "https://bugzilla.redhat.com/show_bug.cgi?id=681681", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756", + "https://nvd.nist.gov/vuln/detail/CVE-2010-4756", + "https://www.cve.org/CVERecord?id=CVE-2010-4756" + ], + "PublishedDate": "2011-03-02T20:00:01.037Z", + "LastModifiedDate": "2021-09-01T12:15:07.193Z" + }, + { + "VulnerabilityID": "CVE-2018-20796", + "PkgID": "libc6@2.36-9+deb12u8", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u8?arch=amd64\u0026distro=debian-12.7", + "UID": "8e605a3d8e185a3c" + }, + "InstalledVersion": "2.36-9+deb12u8", + "Status": "affected", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-20796", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", + "Severity": "LOW", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { 
+ "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "http://www.securityfocus.com/bid/107160", + "https://access.redhat.com/security/cve/CVE-2018-20796", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141", + "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html", + "https://nvd.nist.gov/vuln/detail/CVE-2018-20796", + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://www.cve.org/CVERecord?id=CVE-2018-20796" + ], + "PublishedDate": "2019-02-26T02:29:00.45Z", + "LastModifiedDate": "2023-11-07T02:56:20.983Z" + }, + { + "VulnerabilityID": "CVE-2019-1010022", + "PkgID": "libc6@2.36-9+deb12u8", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u8?arch=amd64\u0026distro=debian-12.7", + "UID": "8e605a3d8e185a3c" + }, + "InstalledVersion": "2.36-9+deb12u8", + "Status": "affected", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010022", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: stack guard protection bypass", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. 
NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", + "Severity": "LOW", + "CweIDs": [ + "CWE-119" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 4 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-1010022", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010022", + "https://security-tracker.debian.org/tracker/CVE-2019-1010022", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22850", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3", + "https://ubuntu.com/security/CVE-2019-1010022", + "https://www.cve.org/CVERecord?id=CVE-2019-1010022" + ], + "PublishedDate": "2019-07-15T04:15:13.317Z", + "LastModifiedDate": "2024-08-05T03:15:25.083Z" + }, + { + "VulnerabilityID": "CVE-2019-1010023", + "PkgID": "libc6@2.36-9+deb12u8", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u8?arch=amd64\u0026distro=debian-12.7", + "UID": "8e605a3d8e185a3c" + }, + "InstalledVersion": "2.36-9+deb12u8", + "Status": "affected", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010023", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", + "Description": "GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. 
The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V2Score": 6.8, + "V3Score": 8.8 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + } + }, + "References": [ + "http://www.securityfocus.com/bid/109167", + "https://access.redhat.com/security/cve/CVE-2019-1010023", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010023", + "https://security-tracker.debian.org/tracker/CVE-2019-1010023", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22851", + "https://support.f5.com/csp/article/K11932200?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://ubuntu.com/security/CVE-2019-1010023", + "https://www.cve.org/CVERecord?id=CVE-2019-1010023" + ], + "PublishedDate": "2019-07-15T04:15:13.397Z", + "LastModifiedDate": "2024-08-05T03:15:25.183Z" + }, + { + "VulnerabilityID": "CVE-2019-1010024", + "PkgID": "libc6@2.36-9+deb12u8", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u8?arch=amd64\u0026distro=debian-12.7", + "UID": "8e605a3d8e185a3c" + }, + "InstalledVersion": "2.36-9+deb12u8", + "Status": "affected", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010024", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: ASLR bypass using cache of thread stack and heap", + 
"Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", + "Severity": "LOW", + "CweIDs": [ + "CWE-200" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "http://www.securityfocus.com/bid/109162", + "https://access.redhat.com/security/cve/CVE-2019-1010024", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010024", + "https://security-tracker.debian.org/tracker/CVE-2019-1010024", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22852", + "https://support.f5.com/csp/article/K06046097", + "https://support.f5.com/csp/article/K06046097?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://ubuntu.com/security/CVE-2019-1010024", + "https://www.cve.org/CVERecord?id=CVE-2019-1010024" + ], + "PublishedDate": "2019-07-15T04:15:13.473Z", + "LastModifiedDate": "2024-08-05T03:15:25.26Z" + }, + { + "VulnerabilityID": "CVE-2019-1010025", + "PkgID": "libc6@2.36-9+deb12u8", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u8?arch=amd64\u0026distro=debian-12.7", + "UID": "8e605a3d8e185a3c" + }, + "InstalledVersion": "2.36-9+deb12u8", + "Status": "affected", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010025", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": 
"https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: information disclosure of heap addresses of pthread_created thread", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.", + "Severity": "LOW", + "CweIDs": [ + "CWE-330" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 2.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-1010025", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010025", + "https://security-tracker.debian.org/tracker/CVE-2019-1010025", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22853", + "https://support.f5.com/csp/article/K06046097", + "https://support.f5.com/csp/article/K06046097?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://ubuntu.com/security/CVE-2019-1010025", + "https://www.cve.org/CVERecord?id=CVE-2019-1010025" + ], + "PublishedDate": "2019-07-15T04:15:13.537Z", + "LastModifiedDate": "2024-08-05T03:15:25.333Z" + }, + { + "VulnerabilityID": "CVE-2019-9192", + "PkgID": "libc6@2.36-9+deb12u8", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u8?arch=amd64\u0026distro=debian-12.7", + "UID": "8e605a3d8e185a3c" + }, + "InstalledVersion": "2.36-9+deb12u8", + "Status": "affected", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + }, + "SeveritySource": "debian", + "PrimaryURL": 
"https://avd.aquasec.com/nvd/cve-2019-9192", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern", + "Severity": "LOW", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "debian": 1, + "nvd": 3, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", + "V3Score": 2.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-9192", + "https://nvd.nist.gov/vuln/detail/CVE-2019-9192", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24269", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://www.cve.org/CVERecord?id=CVE-2019-9192" + ], + "PublishedDate": "2019-02-26T18:29:00.34Z", + "LastModifiedDate": "2024-08-04T22:15:34.74Z" + }, + { + "VulnerabilityID": "CVE-2012-2663", + "PkgID": "libip4tc2@1.8.9-2", + "PkgName": "libip4tc2", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libip4tc2@1.8.9-2?arch=amd64\u0026distro=debian-12.7", + "UID": "707fdf2f66e18cc8" + }, + "InstalledVersion": "1.8.9-2", + "Status": "affected", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + }, + 
"SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2012-2663", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "iptables: --syn flag bypass", + "Description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V2Score": 7.5 + }, + "redhat": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P", + "V2Score": 6.4 + } + }, + "References": [ + "http://www.spinics.net/lists/netfilter-devel/msg21248.html", + "https://access.redhat.com/security/cve/CVE-2012-2663", + "https://bugzilla.redhat.com/show_bug.cgi?id=826702", + "https://nvd.nist.gov/vuln/detail/CVE-2012-2663", + "https://www.cve.org/CVERecord?id=CVE-2012-2663" + ], + "PublishedDate": "2014-02-15T14:57:07.423Z", + "LastModifiedDate": "2023-11-07T02:10:39.77Z" + }, + { + "VulnerabilityID": "CVE-2012-2663", + "PkgID": "libip6tc2@1.8.9-2", + "PkgName": "libip6tc2", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libip6tc2@1.8.9-2?arch=amd64\u0026distro=debian-12.7", + "UID": "b3d44a6e48a2933d" + }, + "InstalledVersion": "1.8.9-2", + "Status": "affected", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2012-2663", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "iptables: --syn flag bypass", + 
"Description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V2Score": 7.5 + }, + "redhat": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P", + "V2Score": 6.4 + } + }, + "References": [ + "http://www.spinics.net/lists/netfilter-devel/msg21248.html", + "https://access.redhat.com/security/cve/CVE-2012-2663", + "https://bugzilla.redhat.com/show_bug.cgi?id=826702", + "https://nvd.nist.gov/vuln/detail/CVE-2012-2663", + "https://www.cve.org/CVERecord?id=CVE-2012-2663" + ], + "PublishedDate": "2014-02-15T14:57:07.423Z", + "LastModifiedDate": "2023-11-07T02:10:39.77Z" + }, + { + "VulnerabilityID": "CVE-2020-36325", + "PkgID": "libjansson4@2.14-2", + "PkgName": "libjansson4", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libjansson4@2.14-2?arch=amd64\u0026distro=debian-12.7", + "UID": "e4f002a8d030bc6c" + }, + "InstalledVersion": "2.14-2", + "Status": "affected", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-36325", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "jansson: out-of-bounds read in json_loads() due to a parsing error", + "Description": "An issue was discovered in Jansson through 2.13.1. Due to a parsing error in json_loads, there's an out-of-bounds read-access bug. 
NOTE: the vendor reports that this only occurs when a programmer fails to follow the API specification", + "Severity": "LOW", + "CweIDs": [ + "CWE-125" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-36325", + "https://github.com/akheron/jansson/issues/548", + "https://nvd.nist.gov/vuln/detail/CVE-2020-36325", + "https://www.cve.org/CVERecord?id=CVE-2020-36325" + ], + "PublishedDate": "2021-04-26T18:15:07.493Z", + "LastModifiedDate": "2024-08-04T18:15:43.647Z" + }, + { + "VulnerabilityID": "CVE-2024-5535", + "PkgID": "libssl3@3.0.14-1~deb12u2", + "PkgName": "libssl3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3@3.0.14-1~deb12u2?arch=amd64\u0026distro=debian-12.7", + "UID": "aaf438583e728488" + }, + "InstalledVersion": "3.0.14-1~deb12u2", + "FixedVersion": "3.0.15-1~deb12u1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-5535", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: SSL_select_next_proto buffer overread", + "Description": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. 
In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. 
In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. 
The fix will be included in the next releases when they\nbecome available.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-200" + ], + "VendorSeverity": { + "alma": 1, + "amazon": 2, + "azure": 4, + "cbl-mariner": 4, + "oracle-oval": 1, + "photon": 4, + "redhat": 1, + "rocky": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/06/27/1", + "http://www.openwall.com/lists/oss-security/2024/06/28/4", + "https://access.redhat.com/errata/RHSA-2024:9333", + "https://access.redhat.com/security/cve/CVE-2024-5535", + "https://bugzilla.redhat.com/2274020", + "https://bugzilla.redhat.com/2281029", + "https://bugzilla.redhat.com/2283757", + "https://bugzilla.redhat.com/2294581", + "https://bugzilla.redhat.com/show_bug.cgi?id=2294581", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535", + "https://errata.almalinux.org/9/ALSA-2024-9333.html", + "https://errata.rockylinux.org/RLSA-2024:7848", + "https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37", + "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e", + "https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c", + "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c", + "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c", + "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87", + "https://linux.oracle.com/cve/CVE-2024-5535.html", + "https://linux.oracle.com/errata/ELSA-2024-9333.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-5535", + "https://openssl.org/news/secadv/20240627.txt", + "https://security.netapp.com/advisory/ntap-20240712-0005/", + "https://ubuntu.com/security/notices/USN-6937-1", + "https://www.cve.org/CVERecord?id=CVE-2024-5535", 
+ "https://www.openssl.org/news/secadv/20240627.txt", + "https://www.oracle.com/security-alerts/cpuoct2024.html#AppendixMSQL" + ], + "PublishedDate": "2024-06-27T11:15:24.447Z", + "LastModifiedDate": "2024-07-12T14:15:16.79Z" + }, + { + "VulnerabilityID": "CVE-2024-9143", + "PkgID": "libssl3@3.0.14-1~deb12u2", + "PkgName": "libssl3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3@3.0.14-1~deb12u2?arch=amd64\u0026distro=debian-12.7", + "UID": "aaf438583e728488" + }, + "InstalledVersion": "3.0.14-1~deb12u2", + "FixedVersion": "3.0.15-1~deb12u1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-9143", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: Low-level invalid GF(2^m) parameters lead to OOB memory access", + "Description": "Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted\nexplicit values for the field polynomial can lead to out-of-bounds memory reads\nor writes.\n\nImpact summary: Out of bound memory writes can lead to an application crash or\neven a possibility of a remote code execution, however, in all the protocols\ninvolving Elliptic Curve Cryptography that we're aware of, either only \"named\ncurves\" are supported, or, if explicit curve parameters are supported, they\nspecify an X9.62 encoding of binary (GF(2^m)) curves that can't represent\nproblematic input values. Thus the likelihood of existence of a vulnerable\napplication is low.\n\nIn particular, the X9.62 encoding is used for ECC keys in X.509 certificates,\nso problematic inputs cannot occur in the context of processing X.509\ncertificates. 
Any problematic use-cases would have to be using an \"exotic\"\ncurve encoding.\n\nThe affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),\nand various supporting BN_GF2m_*() functions.\n\nApplications working with \"exotic\" explicit binary (GF(2^m)) curve parameters,\nthat make it possible to represent invalid field polynomials with a zero\nconstant term, via the above or similar APIs, may terminate abruptly as a\nresult of reading or writing outside of array bounds. Remote code execution\ncannot easily be ruled out.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.", + "Severity": "LOW", + "CweIDs": [ + "CWE-787" + ], + "VendorSeverity": { + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 3.7 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-9143", + "https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712", + "https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700", + "https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4", + "https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154", + "https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a", + "https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41", + "https://nvd.nist.gov/vuln/detail/CVE-2024-9143", + "https://openssl-library.org/news/secadv/20241016.txt", + "https://www.cve.org/CVERecord?id=CVE-2024-9143" + ], + "PublishedDate": "2024-10-16T17:15:18.13Z", + "LastModifiedDate": "2024-11-08T16:35:21.58Z" + }, + { + "VulnerabilityID": "CVE-2012-2663", + "PkgID": "libxtables12@1.8.9-2", + "PkgName": "libxtables12", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libxtables12@1.8.9-2?arch=amd64\u0026distro=debian-12.7", + "UID": "f97bafbffe5aa1a9" + 
}, + "InstalledVersion": "1.8.9-2", + "Status": "affected", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2012-2663", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "iptables: --syn flag bypass", + "Description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V2Score": 7.5 + }, + "redhat": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P", + "V2Score": 6.4 + } + }, + "References": [ + "http://www.spinics.net/lists/netfilter-devel/msg21248.html", + "https://access.redhat.com/security/cve/CVE-2012-2663", + "https://bugzilla.redhat.com/show_bug.cgi?id=826702", + "https://nvd.nist.gov/vuln/detail/CVE-2012-2663", + "https://www.cve.org/CVERecord?id=CVE-2012-2663" + ], + "PublishedDate": "2014-02-15T14:57:07.423Z", + "LastModifiedDate": "2023-11-07T02:10:39.77Z" + } + ] + }, + { + "Target": "go-runner", + "Class": "lang-pkgs", + "Type": "gobinary", + "Packages": [ + { + "Name": "k8s.io/release/images/build/go-runner", + "Identifier": { + "PURL": "pkg:golang/k8s.io/release/images/build/go-runner", + "UID": "de04e9e6653a54e4" + }, + "Relationship": "root", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + }, + { + "Name": "stdlib", + 
"Identifier": { + "PURL": "pkg:golang/stdlib@v1.22.8", + "UID": "fcb415220c9b00d9" + }, + "Version": "v1.22.8", + "Relationship": "direct", + "Layer": { + "Digest": "sha256:ed7a63e1838fc2675aaffc06b03da167277c478416ef46993d0cf116d29d2f2d", + "DiffID": "sha256:88235a6ff08c74db38402d57811d25fe77f33f395e89e2b3b187df50d6dacd20" + } + } + ] + }, + { + "Target": "usr/local/bin/kube-proxy", + "Class": "lang-pkgs", + "Type": "gobinary", + "Packages": [ + { + "Name": "k8s.io/kubernetes", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kubernetes", + "UID": "811dad5f9719ddf8" + }, + "Relationship": "root", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "stdlib", + "Identifier": { + "PURL": "pkg:golang/stdlib@v1.22.8", + "UID": "be94ea06c59b0a6e" + }, + "Version": "v1.22.8", + "Relationship": "direct", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/NYTimes/gziphandler", + "Identifier": { + "PURL": "pkg:golang/github.com/nytimes/gziphandler@v1.1.1", + "UID": "82fff87e5ba75c1" + }, + "Version": "v1.1.1", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/antlr4-go/antlr/v4", + "Identifier": { + "PURL": "pkg:golang/github.com/antlr4-go/antlr/v4@v4.13.0", + "UID": "5a4b2b0efdcd4b85" + }, + "Version": "v4.13.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/asaskevich/govalidator", + "Identifier": { + "PURL": 
"pkg:golang/github.com/asaskevich/govalidator@v0.0.0-20190424111038-f61b66f89f4a", + "UID": "a68fe2fca5308677" + }, + "Version": "v0.0.0-20190424111038-f61b66f89f4a", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/beorn7/perks", + "Identifier": { + "PURL": "pkg:golang/github.com/beorn7/perks@v1.0.1", + "UID": "9e5cf52bebb780ce" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/blang/semver/v4", + "Identifier": { + "PURL": "pkg:golang/github.com/blang/semver/v4@v4.0.0", + "UID": "256c8b77e5b374ef" + }, + "Version": "v4.0.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/cenkalti/backoff/v4", + "Identifier": { + "PURL": "pkg:golang/github.com/cenkalti/backoff/v4@v4.3.0", + "UID": "6cb7924df921316e" + }, + "Version": "v4.3.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/cespare/xxhash/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/cespare/xxhash/v2@v2.3.0", + "UID": "986690b2e05aa536" + }, + "Version": "v2.3.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/coreos/go-semver", + "Identifier": { + "PURL": "pkg:golang/github.com/coreos/go-semver@v0.3.1", + "UID": 
"264d199d5ece939a" + }, + "Version": "v0.3.1", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/coreos/go-systemd/v22", + "Identifier": { + "PURL": "pkg:golang/github.com/coreos/go-systemd/v22@v22.5.0", + "UID": "861c3a2d28763ebf" + }, + "Version": "v22.5.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/cyphar/filepath-securejoin", + "Identifier": { + "PURL": "pkg:golang/github.com/cyphar/filepath-securejoin@v0.2.4", + "UID": "7b33354e9eb1e88a" + }, + "Version": "v0.2.4", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/davecgh/go-spew", + "Identifier": { + "PURL": "pkg:golang/github.com/davecgh/go-spew@v1.1.2-0.20180830191138-d8f796af33cc", + "UID": "30e08d784f31fee1" + }, + "Version": "v1.1.2-0.20180830191138-d8f796af33cc", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/distribution/reference", + "Identifier": { + "PURL": "pkg:golang/github.com/distribution/reference@v0.5.0", + "UID": "72f938aea546393b" + }, + "Version": "v0.5.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/emicklei/go-restful/v3", + "Identifier": { + "PURL": "pkg:golang/github.com/emicklei/go-restful/v3@v3.11.0", + "UID": "3aca3a22f0d4de01" 
+ }, + "Version": "v3.11.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/felixge/httpsnoop", + "Identifier": { + "PURL": "pkg:golang/github.com/felixge/httpsnoop@v1.0.4", + "UID": "4e491f8d09c9d510" + }, + "Version": "v1.0.4", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/fsnotify/fsnotify", + "Identifier": { + "PURL": "pkg:golang/github.com/fsnotify/fsnotify@v1.7.0", + "UID": "d05168aa4646aa03" + }, + "Version": "v1.7.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/fxamacker/cbor/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/fxamacker/cbor/v2@v2.7.0", + "UID": "5f95ceef00842ea6" + }, + "Version": "v2.7.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/go-logr/logr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/logr@v1.4.2", + "UID": "bffdf3c547c699d8" + }, + "Version": "v1.4.2", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/go-logr/stdr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/stdr@v1.2.2", + "UID": "69e2848f4188d313" + }, + "Version": "v1.2.2", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": 
"sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/go-logr/zapr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/zapr@v1.3.0", + "UID": "1c61c51e647bec43" + }, + "Version": "v1.3.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/go-openapi/jsonpointer", + "Identifier": { + "PURL": "pkg:golang/github.com/go-openapi/jsonpointer@v0.19.6", + "UID": "cc064ae8e6bdfcf4" + }, + "Version": "v0.19.6", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/go-openapi/jsonreference", + "Identifier": { + "PURL": "pkg:golang/github.com/go-openapi/jsonreference@v0.20.2", + "UID": "3783a56f3001213a" + }, + "Version": "v0.20.2", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/go-openapi/swag", + "Identifier": { + "PURL": "pkg:golang/github.com/go-openapi/swag@v0.22.4", + "UID": "58ace94458d64ec" + }, + "Version": "v0.22.4", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/godbus/dbus/v5", + "Identifier": { + "PURL": "pkg:golang/github.com/godbus/dbus/v5@v5.1.0", + "UID": "2ba3e55bf72a4e61" + }, + "Version": "v5.1.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": 
"github.com/gogo/protobuf", + "Identifier": { + "PURL": "pkg:golang/github.com/gogo/protobuf@v1.3.2", + "UID": "664d1de4e00e8465" + }, + "Version": "v1.3.2", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/golang/groupcache", + "Identifier": { + "PURL": "pkg:golang/github.com/golang/groupcache@v0.0.0-20210331224755-41bb18bfe9da", + "UID": "100484361befe7f4" + }, + "Version": "v0.0.0-20210331224755-41bb18bfe9da", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/golang/protobuf", + "Identifier": { + "PURL": "pkg:golang/github.com/golang/protobuf@v1.5.4", + "UID": "979675784de37ef" + }, + "Version": "v1.5.4", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/google/cadvisor", + "Identifier": { + "PURL": "pkg:golang/github.com/google/cadvisor@v0.49.0", + "UID": "d5ee97bf6d7ce36" + }, + "Version": "v0.49.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/google/cel-go", + "Identifier": { + "PURL": "pkg:golang/github.com/google/cel-go@v0.20.1", + "UID": "6ffed1365cb83b19" + }, + "Version": "v0.20.1", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/google/gnostic-models", + "Identifier": { + "PURL": 
"pkg:golang/github.com/google/gnostic-models@v0.6.8", + "UID": "544c0b3bc3afcb51" + }, + "Version": "v0.6.8", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/google/go-cmp", + "Identifier": { + "PURL": "pkg:golang/github.com/google/go-cmp@v0.6.0", + "UID": "5685569c1cb05ca" + }, + "Version": "v0.6.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/google/gofuzz", + "Identifier": { + "PURL": "pkg:golang/github.com/google/gofuzz@v1.2.0", + "UID": "2d01e36703bb1d65" + }, + "Version": "v1.2.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/google/uuid", + "Identifier": { + "PURL": "pkg:golang/github.com/google/uuid@v1.6.0", + "UID": "be857c885c7e27a6" + }, + "Version": "v1.6.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/grpc-ecosystem/go-grpc-prometheus", + "Identifier": { + "PURL": "pkg:golang/github.com/grpc-ecosystem/go-grpc-prometheus@v1.2.0", + "UID": "430884ea7990a7cb" + }, + "Version": "v1.2.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/grpc-ecosystem/grpc-gateway/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/grpc-ecosystem/grpc-gateway/v2@v2.20.0", + "UID": "57ce76caa75bf71a" + }, + 
"Version": "v2.20.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/imdario/mergo", + "Identifier": { + "PURL": "pkg:golang/github.com/imdario/mergo@v0.3.6", + "UID": "e3c03696a8fb36a8" + }, + "Version": "v0.3.6", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/josharian/intern", + "Identifier": { + "PURL": "pkg:golang/github.com/josharian/intern@v1.0.0", + "UID": "e7ed4056a86c4027" + }, + "Version": "v1.0.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/json-iterator/go", + "Identifier": { + "PURL": "pkg:golang/github.com/json-iterator/go@v1.1.12", + "UID": "d06898b28e2a582b" + }, + "Version": "v1.1.12", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/lithammer/dedent", + "Identifier": { + "PURL": "pkg:golang/github.com/lithammer/dedent@v1.1.0", + "UID": "6156a57bc4c9b4ff" + }, + "Version": "v1.1.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/mailru/easyjson", + "Identifier": { + "PURL": "pkg:golang/github.com/mailru/easyjson@v0.7.7", + "UID": "a728e226bdd1c471" + }, + "Version": "v0.7.7", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": 
"sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/mistifyio/go-zfs", + "Identifier": { + "PURL": "pkg:golang/github.com/mistifyio/go-zfs@v2.1.2-0.20190413222219-f784269be439%2Bincompatible", + "UID": "8306757fde5e9a95" + }, + "Version": "v2.1.2-0.20190413222219-f784269be439+incompatible", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/moby/ipvs", + "Identifier": { + "PURL": "pkg:golang/github.com/moby/ipvs@v1.1.0", + "UID": "a00ed301b19b8217" + }, + "Version": "v1.1.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/moby/sys/mountinfo", + "Identifier": { + "PURL": "pkg:golang/github.com/moby/sys/mountinfo@v0.7.1", + "UID": "45bb04422c936b9e" + }, + "Version": "v0.7.1", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/modern-go/concurrent", + "Identifier": { + "PURL": "pkg:golang/github.com/modern-go/concurrent@v0.0.0-20180306012644-bacd9c7ef1dd", + "UID": "a8f0801a79dcbb11" + }, + "Version": "v0.0.0-20180306012644-bacd9c7ef1dd", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/modern-go/reflect2", + "Identifier": { + "PURL": "pkg:golang/github.com/modern-go/reflect2@v1.0.2", + "UID": "59217a4a783dfa9a" + }, + "Version": "v1.0.2", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", 
+ "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/munnerz/goautoneg", + "Identifier": { + "PURL": "pkg:golang/github.com/munnerz/goautoneg@v0.0.0-20191010083416-a7dc8b61c822", + "UID": "46868673c7590084" + }, + "Version": "v0.0.0-20191010083416-a7dc8b61c822", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/opencontainers/go-digest", + "Identifier": { + "PURL": "pkg:golang/github.com/opencontainers/go-digest@v1.0.0", + "UID": "8ce33d4d3e6800a5" + }, + "Version": "v1.0.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/opencontainers/runc", + "Identifier": { + "PURL": "pkg:golang/github.com/opencontainers/runc@v1.1.13", + "UID": "acacd820aa5fe9b4" + }, + "Version": "v1.1.13", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/opencontainers/runtime-spec", + "Identifier": { + "PURL": "pkg:golang/github.com/opencontainers/runtime-spec@v1.0.3-0.20220909204839-494a5a6aca78", + "UID": "1eefbb749f69509e" + }, + "Version": "v1.0.3-0.20220909204839-494a5a6aca78", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/pkg/errors", + "Identifier": { + "PURL": "pkg:golang/github.com/pkg/errors@v0.9.1", + "UID": "f9f8261daa91ccb8" + }, + "Version": "v0.9.1", + "Layer": { + "Digest": 
"sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/prometheus/client_golang", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_golang@v1.19.1", + "UID": "c40153474022618f" + }, + "Version": "v1.19.1", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/prometheus/client_model", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_model@v0.6.1", + "UID": "85680f1d011ed8ad" + }, + "Version": "v0.6.1", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/prometheus/common", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/common@v0.55.0", + "UID": "5372bd8d0ba88664" + }, + "Version": "v0.55.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/prometheus/procfs", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/procfs@v0.15.1", + "UID": "5663ef2fae560157" + }, + "Version": "v0.15.1", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/sirupsen/logrus", + "Identifier": { + "PURL": "pkg:golang/github.com/sirupsen/logrus@v1.9.3", + "UID": "ad4fb8d32225c8df" + }, + "Version": "v1.9.3", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": 
"sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/spf13/cobra", + "Identifier": { + "PURL": "pkg:golang/github.com/spf13/cobra@v1.8.1", + "UID": "8d6fa1d28db7e7c5" + }, + "Version": "v1.8.1", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/spf13/pflag", + "Identifier": { + "PURL": "pkg:golang/github.com/spf13/pflag@v1.0.5", + "UID": "42a8e4a68ef0091c" + }, + "Version": "v1.0.5", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/stoewer/go-strcase", + "Identifier": { + "PURL": "pkg:golang/github.com/stoewer/go-strcase@v1.2.0", + "UID": "f5c0a3fbf3c8927e" + }, + "Version": "v1.2.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/vishvananda/netlink", + "Identifier": { + "PURL": "pkg:golang/github.com/vishvananda/netlink@v1.1.0", + "UID": "6cadd4cccef855cc" + }, + "Version": "v1.1.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/vishvananda/netns", + "Identifier": { + "PURL": "pkg:golang/github.com/vishvananda/netns@v0.0.4", + "UID": "f89db08d4f7dd78f" + }, + "Version": "v0.0.4", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "github.com/x448/float16", + "Identifier": { 
+ "PURL": "pkg:golang/github.com/x448/float16@v0.8.4", + "UID": "d6830ba932de4cd1" + }, + "Version": "v0.8.4", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "go.etcd.io/etcd/api/v3", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/etcd/api/v3@v3.5.14", + "UID": "abd412b0f9506973" + }, + "Version": "v3.5.14", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "go.etcd.io/etcd/client/pkg/v3", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/etcd/client/pkg/v3@v3.5.14", + "UID": "c62423d0c76a04a9" + }, + "Version": "v3.5.14", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "go.etcd.io/etcd/client/v3", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/etcd/client/v3@v3.5.14", + "UID": "1364132ff9525e1a" + }, + "Version": "v3.5.14", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.53.0", + "UID": "220680e8a1ebf9d4" + }, + "Version": "v0.53.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", + "Identifier": { + "PURL": 
"pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.53.0", + "UID": "e9de1303936c54fb" + }, + "Version": "v0.53.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "go.opentelemetry.io/otel", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel@v1.28.0", + "UID": "6292a4ecbf89520" + }, + "Version": "v1.28.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "go.opentelemetry.io/otel/exporters/otlp/otlptrace", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace@v1.28.0", + "UID": "2f8878dc5edc7a56" + }, + "Version": "v1.28.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc@v1.27.0", + "UID": "adab89e15b176b7f" + }, + "Version": "v1.27.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "go.opentelemetry.io/otel/metric", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/metric@v1.28.0", + "UID": "b21378f190ebd539" + }, + "Version": "v1.28.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "go.opentelemetry.io/otel/sdk", 
+ "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/sdk@v1.28.0", + "UID": "e7d50f8c8da7505c" + }, + "Version": "v1.28.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "go.opentelemetry.io/otel/trace", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/trace@v1.28.0", + "UID": "72bfc1c9159af16c" + }, + "Version": "v1.28.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "go.opentelemetry.io/proto/otlp", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/proto/otlp@v1.3.1", + "UID": "9799bb4c742e8d0b" + }, + "Version": "v1.3.1", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "go.uber.org/multierr", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/multierr@v1.11.0", + "UID": "619be77ba290fca5" + }, + "Version": "v1.11.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "go.uber.org/zap", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/zap@v1.26.0", + "UID": "f447921a906d54e6" + }, + "Version": "v1.26.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "golang.org/x/crypto", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/crypto@v0.24.0", + "UID": "dd135cd5188c086d" + }, + "Version": "v0.24.0", + "Layer": { + "Digest": 
"sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "golang.org/x/exp", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/exp@v0.0.0-20230515195305-f3d0a9c9a5cc", + "UID": "eb6982663a22efae" + }, + "Version": "v0.0.0-20230515195305-f3d0a9c9a5cc", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "golang.org/x/net", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.26.0", + "UID": "2c145c6fb158ecec" + }, + "Version": "v0.26.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "golang.org/x/oauth2", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/oauth2@v0.21.0", + "UID": "405dd99fd6e2a61b" + }, + "Version": "v0.21.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "golang.org/x/sync", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/sync@v0.7.0", + "UID": "4c9907937b1ab620" + }, + "Version": "v0.7.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "golang.org/x/sys", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/sys@v0.21.0", + "UID": "fe8f2d92a5301913" + }, + "Version": "v0.21.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { 
+ "Name": "golang.org/x/term", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/term@v0.21.0", + "UID": "47dacb8b8d39cce8" + }, + "Version": "v0.21.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "golang.org/x/text", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/text@v0.16.0", + "UID": "f66693dc1af85019" + }, + "Version": "v0.16.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "golang.org/x/time", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/time@v0.3.0", + "UID": "b4623680a2ed19c0" + }, + "Version": "v0.3.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "google.golang.org/genproto/googleapis/api", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/genproto/googleapis/api@v0.0.0-20240528184218-531527333157", + "UID": "dc96dbb9d9b14806" + }, + "Version": "v0.0.0-20240528184218-531527333157", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "google.golang.org/genproto/googleapis/rpc", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/genproto/googleapis/rpc@v0.0.0-20240701130421-f6361c86f094", + "UID": "5d14e2722144bc9d" + }, + "Version": "v0.0.0-20240701130421-f6361c86f094", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": 
"google.golang.org/grpc", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/grpc@v1.65.0", + "UID": "300f571004d88d40" + }, + "Version": "v1.65.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "google.golang.org/protobuf", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/protobuf@v1.34.2", + "UID": "fb6e5cce7b5af50d" + }, + "Version": "v1.34.2", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "gopkg.in/evanphx/json-patch.v4", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/evanphx/json-patch.v4@v4.12.0", + "UID": "4dc800fe8818ace3" + }, + "Version": "v4.12.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "gopkg.in/inf.v0", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/inf.v0@v0.9.1", + "UID": "e26d264cd1cb1643" + }, + "Version": "v0.9.1", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "gopkg.in/natefinch/lumberjack.v2", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/natefinch/lumberjack.v2@v2.2.1", + "UID": "e29e032a0409f163" + }, + "Version": "v2.2.1", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "gopkg.in/yaml.v2", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/yaml.v2@v2.4.0", + "UID": "94a36a876cdb5a6" + }, + "Version": "v2.4.0", + 
"Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "gopkg.in/yaml.v3", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/yaml.v3@v3.0.1", + "UID": "8ca53e5f8173db6a" + }, + "Version": "v3.0.1", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "k8s.io/api", + "Identifier": { + "PURL": "pkg:golang/k8s.io/api", + "UID": "1992e8d507d3b931" + }, + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "k8s.io/apiextensions-apiserver", + "Identifier": { + "PURL": "pkg:golang/k8s.io/apiextensions-apiserver", + "UID": "272ba142c3585094" + }, + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "k8s.io/apimachinery", + "Identifier": { + "PURL": "pkg:golang/k8s.io/apimachinery", + "UID": "dddc1fc43f313b60" + }, + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "k8s.io/apiserver", + "Identifier": { + "PURL": "pkg:golang/k8s.io/apiserver", + "UID": "97450629dd84a5f" + }, + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "k8s.io/client-go", + "Identifier": { + "PURL": "pkg:golang/k8s.io/client-go", + "UID": "42d23ba107338fd4" + }, + "Layer": { + "Digest": 
"sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "k8s.io/cloud-provider", + "Identifier": { + "PURL": "pkg:golang/k8s.io/cloud-provider", + "UID": "cdb74f6dc19d368e" + }, + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "k8s.io/component-base", + "Identifier": { + "PURL": "pkg:golang/k8s.io/component-base", + "UID": "f5979ce3bce878b2" + }, + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "k8s.io/component-helpers", + "Identifier": { + "PURL": "pkg:golang/k8s.io/component-helpers", + "UID": "9c0f2a8dba000aa3" + }, + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "k8s.io/controller-manager", + "Identifier": { + "PURL": "pkg:golang/k8s.io/controller-manager", + "UID": "de5ec473cb9a8986" + }, + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "k8s.io/cri-api", + "Identifier": { + "PURL": "pkg:golang/k8s.io/cri-api", + "UID": "971eb06b6174eab7" + }, + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "k8s.io/cri-client", + "Identifier": { + "PURL": "pkg:golang/k8s.io/cri-client", + "UID": "79447532fa7ccc8" + }, + "Layer": { + "Digest": 
"sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "k8s.io/klog/v2", + "Identifier": { + "PURL": "pkg:golang/k8s.io/klog/v2@v2.130.1", + "UID": "5e37c9466909797a" + }, + "Version": "v2.130.1", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "k8s.io/kms", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kms", + "UID": "ca01e575e2b20d6e" + }, + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "k8s.io/kube-openapi", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kube-openapi@v0.0.0-20240228011516-70dd3763d340", + "UID": "e44ba3bd1cd50a59" + }, + "Version": "v0.0.0-20240228011516-70dd3763d340", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "k8s.io/kube-proxy", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kube-proxy", + "UID": "2fee97695e1fab3c" + }, + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "k8s.io/kubelet", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kubelet", + "UID": "6b62108ba309f4e5" + }, + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "k8s.io/mount-utils", + "Identifier": { + "PURL": "pkg:golang/k8s.io/mount-utils", + "UID": 
"8b2e8ab9049d118f" + }, + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "k8s.io/utils", + "Identifier": { + "PURL": "pkg:golang/k8s.io/utils@v0.0.0-20240711033017-18e509b52bc8", + "UID": "ea1ff85902c878da" + }, + "Version": "v0.0.0-20240711033017-18e509b52bc8", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "sigs.k8s.io/apiserver-network-proxy/konnectivity-client", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/apiserver-network-proxy/konnectivity-client@v0.30.3", + "UID": "ea3059a71ce3442a" + }, + "Version": "v0.30.3", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "sigs.k8s.io/json", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/json@v0.0.0-20221116044647-bc3834ca7abd", + "UID": "7946f4c02e92064b" + }, + "Version": "v0.0.0-20221116044647-bc3834ca7abd", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "sigs.k8s.io/knftables", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/knftables@v0.0.17", + "UID": "6ddcbbe52b95c3b4" + }, + "Version": "v0.0.17", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "sigs.k8s.io/structured-merge-diff/v4", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/structured-merge-diff/v4@v4.4.1", + "UID": "14d6f0c8dc4ce4b4" + }, + 
"Version": "v4.4.1", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + }, + { + "Name": "sigs.k8s.io/yaml", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/yaml@v1.4.0", + "UID": "21e7865f2a4020db" + }, + "Version": "v1.4.0", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + } + } + ], + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2024-45310", + "PkgName": "github.com/opencontainers/runc", + "PkgIdentifier": { + "PURL": "pkg:golang/github.com/opencontainers/runc@v1.1.13", + "UID": "acacd820aa5fe9b4" + }, + "InstalledVersion": "v1.1.13", + "FixedVersion": "1.1.14, 1.2.0-rc.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:a43de22bdfe474a26b117b1b33fc718a9ab3dc4b8f3f26bde4e3175245f3aa26", + "DiffID": "sha256:54cddbc5055ab0b98dbd20afc3859c9b0eaed4562123811a174205a4fde4b148" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-45310", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "runc: runc can be tricked into creating empty files/directories on host", + "Description": "runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. 
Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack's scope but the exact scope of protection hasn't been analysed. This is exploitable using runc directly as well as through Docker and Kubernetes. The issue is fixed in runc v1.1.14 and v1.2.0-rc3.\n\nSome workarounds are available. Using user namespaces restricts this attack fairly significantly such that the attacker can only create inodes in directories that the remapped root user/group has write access to. Unless the root user is remapped to an actual\nuser on the host (such as with rootless containers that don't use `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in world-writable directories. A strict enough SELinux or AppArmor policy could in principle also restrict the scope if a specific label is applied to the runc runtime, though neither the extent to which the standard existing policies block this attack nor what exact policies are needed to sufficiently restrict this attack have been thoroughly tested.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-363", + "CWE-61" + ], + "VendorSeverity": { + "amazon": 1, + "ghsa": 2, + "photon": 1, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", + "V3Score": 3.6 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", + "V3Score": 3.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-45310", + "https://github.com/opencontainers/runc", + "https://github.com/opencontainers/runc/commit/63c2908164f3a1daea455bf5bcd8d363d70328c7", + "https://github.com/opencontainers/runc/commit/8781993968fd964ac723ff5f360b6f259e809a3e", + 
"https://github.com/opencontainers/runc/commit/f0b652ea61ff6750a8fcc69865d45a7abf37accf", + "https://github.com/opencontainers/runc/pull/4359", + "https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv", + "https://nvd.nist.gov/vuln/detail/CVE-2024-45310", + "https://www.cve.org/CVERecord?id=CVE-2024-45310", + "https://www.openwall.com/lists/oss-security/2024/09/03/1" + ], + "PublishedDate": "2024-09-03T19:15:15.243Z", + "LastModifiedDate": "2024-09-03T19:40:46.783Z" + } + ] + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "Pod", + "Name": "kube-apiserver-kind-control-plane", + "Metadata": [ + { + "OS": { + "Family": "debian", + "Name": "12.7" + }, + "ImageID": "sha256:9499c9960544e80a96c223cdc5d3059dd7c2cc37ea20e7138af4a6e415a49173", + "DiffIDs": [ + "sha256:d37950ece3d30af513521db15b49bfcc95853a6664fe784eeea059572a5bbe55", + "sha256:8fa10c0194df9b7c054c90dbe482585f768a54428fc90a5b78a0066a123b1bba", + "sha256:ddc6e550070ca022d94bd4415de20545ba69954033b4985045a8b05f538bbe5c", + "sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368", + "sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc", + "sha256:ac805962e47900b616b2f4b4584a34ac7b07d64ac1fd2c077478cf65311addcc", + "sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b", + "sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1", + "sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849", + "sha256:f4aee9e53c42a22ed82451218c3ea03d1eea8d6ca8fbe8eb4e950304ba8a8bb3", + "sha256:b336e209998fa5cf0eec3dabf93a21194198a35f4f75612d8da03693f8c30217", + "sha256:5af9420e3bf1a287353fa1de7c571a55c6590eea8ebd4fac5fcf3b7f1f9903fa", + "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + ], + "RepoTags": [ + "registry.k8s.io/kube-apiserver:v1.31.2" + ], + "RepoDigests": [ + "registry.k8s.io/kube-apiserver@sha256:9d12daaedff9677744993f247bfbe4950f3da8cfd38179b3c59ec66dc81dfbe0" + ], + 
"ImageConfig": { + "architecture": "amd64", + "created": "2024-10-22T20:45:59.069988362Z", + "history": [ + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "2024-10-15T09:08:07.903895305Z", + "created_by": "LABEL maintainers=Kubernetes Authors", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-10-15T09:08:07.903895305Z", + "created_by": "LABEL description=go based runner for distroless scenarios", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-10-15T09:08:07.903895305Z", + "created_by": "WORKDIR /", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-10-15T09:08:07.903895305Z", + "created_by": "COPY /workspace/go-runner . 
# buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2024-10-15T09:08:07.903895305Z", + "created_by": "ENTRYPOINT [\"/go-runner\"]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-10-22T20:45:59.069988362Z", + "created_by": "ARG BINARY", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-10-22T20:45:59.069988362Z", + "created_by": "COPY /kube-apiserver /usr/local/bin/kube-apiserver # buildkit", + "comment": "buildkit.dockerfile.v0" + } + ], + "os": "linux", + "rootfs": { + "type": "layers", + "diff_ids": [ + "sha256:d37950ece3d30af513521db15b49bfcc95853a6664fe784eeea059572a5bbe55", + "sha256:8fa10c0194df9b7c054c90dbe482585f768a54428fc90a5b78a0066a123b1bba", + "sha256:ddc6e550070ca022d94bd4415de20545ba69954033b4985045a8b05f538bbe5c", + "sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368", + "sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc", + "sha256:ac805962e47900b616b2f4b4584a34ac7b07d64ac1fd2c077478cf65311addcc", + "sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b", + "sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1", + "sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849", + "sha256:f4aee9e53c42a22ed82451218c3ea03d1eea8d6ca8fbe8eb4e950304ba8a8bb3", + "sha256:b336e209998fa5cf0eec3dabf93a21194198a35f4f75612d8da03693f8c30217", + "sha256:5af9420e3bf1a287353fa1de7c571a55c6590eea8ebd4fac5fcf3b7f1f9903fa", + "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + ] + }, + "config": { + "Entrypoint": [ + "/go-runner" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt" + ], + "Labels": { + "description": "go based runner for distroless scenarios", + "maintainers": "Kubernetes Authors" + }, + "User": "0", + "WorkingDir": "/" + } + } + } + ], + "Results": [ 
+ { + "Target": "registry.k8s.io/kube-apiserver:v1.31.2 (debian 12.7)", + "Class": "os-pkgs", + "Type": "debian", + "Packages": [ + { + "ID": "base-files@12.4+deb12u7", + "Name": "base-files", + "Identifier": { + "PURL": "pkg:deb/debian/base-files@12.4%2Bdeb12u7?arch=amd64\u0026distro=debian-12.7", + "UID": "392b0a2ef700f88e" + }, + "Version": "12.4+deb12u7", + "Arch": "amd64", + "SrcName": "base-files", + "SrcVersion": "12.4+deb12u7", + "Licenses": [ + "GPL-2.0-or-later" + ], + "Maintainer": "Santiago Vila \u003csanvila@debian.org\u003e", + "Layer": { + "Digest": "sha256:0674a6f58b64d0431620993268b1a1b0ef8618ee3cffd96d4662c2759ec43894", + "DiffID": "sha256:d37950ece3d30af513521db15b49bfcc95853a6664fe784eeea059572a5bbe55" + } + }, + { + "ID": "netbase@6.4", + "Name": "netbase", + "Identifier": { + "PURL": "pkg:deb/debian/netbase@6.4?arch=all\u0026distro=debian-12.7", + "UID": "4f7e568d50cdb727" + }, + "Version": "6.4", + "Arch": "all", + "SrcName": "netbase", + "SrcVersion": "6.4", + "Licenses": [ + "GPL-2.0-only" + ], + "Maintainer": "Marco d'Itri \u003cmd@linux.it\u003e", + "Layer": { + "Digest": "sha256:2e4cf50eeb92ac3a7afe75e15d96a26dee99449f86b46c75b5d95f4418a5bca0", + "DiffID": "sha256:8fa10c0194df9b7c054c90dbe482585f768a54428fc90a5b78a0066a123b1bba" + } + }, + { + "ID": "tzdata@2024a-0+deb12u1", + "Name": "tzdata", + "Identifier": { + "PURL": "pkg:deb/debian/tzdata@2024a-0%2Bdeb12u1?arch=all\u0026distro=debian-12.7", + "UID": "b88ec8ecf4963fd2" + }, + "Version": "2024a", + "Release": "0+deb12u1", + "Arch": "all", + "SrcName": "tzdata", + "SrcVersion": "2024a", + "SrcRelease": "0+deb12u1", + "Licenses": [ + "public-domain" + ], + "Maintainer": "GNU Libc Maintainers \u003cdebian-glibc@lists.debian.org\u003e", + "Layer": { + "Digest": "sha256:6f4cfee9177b9f884e8d86b48261a25094b2fcea1a7920919f47ea00712dbee8", + "DiffID": "sha256:ddc6e550070ca022d94bd4415de20545ba69954033b4985045a8b05f538bbe5c" + } + } + ] + }, + { + "Target": "go-runner", + "Class": "lang-pkgs", 
+ "Type": "gobinary", + "Packages": [ + { + "Name": "k8s.io/release/images/build/go-runner", + "Identifier": { + "PURL": "pkg:golang/k8s.io/release/images/build/go-runner", + "UID": "de04e9e6653a54e4" + }, + "Relationship": "root", + "Layer": { + "Digest": "sha256:06b0f115d3d14c931cd74a4eb2c25db288bc369b9c85017d3f1a4bc6e62cc63a", + "DiffID": "sha256:5af9420e3bf1a287353fa1de7c571a55c6590eea8ebd4fac5fcf3b7f1f9903fa" + } + }, + { + "Name": "stdlib", + "Identifier": { + "PURL": "pkg:golang/stdlib@v1.22.8", + "UID": "fcb415220c9b00d9" + }, + "Version": "v1.22.8", + "Relationship": "direct", + "Layer": { + "Digest": "sha256:06b0f115d3d14c931cd74a4eb2c25db288bc369b9c85017d3f1a4bc6e62cc63a", + "DiffID": "sha256:5af9420e3bf1a287353fa1de7c571a55c6590eea8ebd4fac5fcf3b7f1f9903fa" + } + } + ] + }, + { + "Target": "usr/local/bin/kube-apiserver", + "Class": "lang-pkgs", + "Type": "gobinary", + "Packages": [ + { + "Name": "k8s.io/kubernetes", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kubernetes", + "UID": "f4c969fbe4aa24ac" + }, + "Relationship": "root", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "stdlib", + "Identifier": { + "PURL": "pkg:golang/stdlib@v1.22.8", + "UID": "8d0c4cd9207cbdc6" + }, + "Version": "v1.22.8", + "Relationship": "direct", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/NYTimes/gziphandler", + "Identifier": { + "PURL": "pkg:golang/github.com/nytimes/gziphandler@v1.1.1", + "UID": "be370d43696f4805" + }, + "Version": "v1.1.1", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { 
+ "Name": "github.com/antlr4-go/antlr/v4", + "Identifier": { + "PURL": "pkg:golang/github.com/antlr4-go/antlr/v4@v4.13.0", + "UID": "ed8b23aea1e27fa9" + }, + "Version": "v4.13.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/asaskevich/govalidator", + "Identifier": { + "PURL": "pkg:golang/github.com/asaskevich/govalidator@v0.0.0-20190424111038-f61b66f89f4a", + "UID": "f5f7398a1b94028b" + }, + "Version": "v0.0.0-20190424111038-f61b66f89f4a", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/beorn7/perks", + "Identifier": { + "PURL": "pkg:golang/github.com/beorn7/perks@v1.0.1", + "UID": "f2834551a53abb36" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/blang/semver/v4", + "Identifier": { + "PURL": "pkg:golang/github.com/blang/semver/v4@v4.0.0", + "UID": "9c173cd59f19eba7" + }, + "Version": "v4.0.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/cenkalti/backoff/v4", + "Identifier": { + "PURL": "pkg:golang/github.com/cenkalti/backoff/v4@v4.3.0", + "UID": "b450a7965fe7b9aa" + }, + "Version": "v4.3.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/cespare/xxhash/v2", + "Identifier": { + 
"PURL": "pkg:golang/github.com/cespare/xxhash/v2@v2.3.0", + "UID": "b1efb6e9b67a65be" + }, + "Version": "v2.3.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/coreos/go-oidc", + "Identifier": { + "PURL": "pkg:golang/github.com/coreos/go-oidc@v2.2.1%2Bincompatible", + "UID": "3099e514359f39bf" + }, + "Version": "v2.2.1+incompatible", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/coreos/go-semver", + "Identifier": { + "PURL": "pkg:golang/github.com/coreos/go-semver@v0.3.1", + "UID": "f942122023618536" + }, + "Version": "v0.3.1", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/coreos/go-systemd/v22", + "Identifier": { + "PURL": "pkg:golang/github.com/coreos/go-systemd/v22@v22.5.0", + "UID": "7b919df694b39dd3" + }, + "Version": "v22.5.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/davecgh/go-spew", + "Identifier": { + "PURL": "pkg:golang/github.com/davecgh/go-spew@v1.1.2-0.20180830191138-d8f796af33cc", + "UID": "92b1250110148919" + }, + "Version": "v1.1.2-0.20180830191138-d8f796af33cc", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/distribution/reference", + "Identifier": { + "PURL": 
"pkg:golang/github.com/distribution/reference@v0.5.0", + "UID": "ee82b481ae02e2e7" + }, + "Version": "v0.5.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/emicklei/go-restful/v3", + "Identifier": { + "PURL": "pkg:golang/github.com/emicklei/go-restful/v3@v3.11.0", + "UID": "abdb376a69be45b9" + }, + "Version": "v3.11.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/felixge/httpsnoop", + "Identifier": { + "PURL": "pkg:golang/github.com/felixge/httpsnoop@v1.0.4", + "UID": "ff399dd608fa9d78" + }, + "Version": "v1.0.4", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/fsnotify/fsnotify", + "Identifier": { + "PURL": "pkg:golang/github.com/fsnotify/fsnotify@v1.7.0", + "UID": "59fea5b6ef19139f" + }, + "Version": "v1.7.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/fxamacker/cbor/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/fxamacker/cbor/v2@v2.7.0", + "UID": "54066cbe321293c2" + }, + "Version": "v2.7.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/go-logr/logr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/logr@v1.4.2", + "UID": "d6e558ce7c086418" + }, + "Version": "v1.4.2", + "Layer": 
{ + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/go-logr/stdr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/stdr@v1.2.2", + "UID": "dbac5f655e03a7a3" + }, + "Version": "v1.2.2", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/go-logr/zapr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/zapr@v1.3.0", + "UID": "7eb598027252ebdf" + }, + "Version": "v1.3.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/go-openapi/jsonpointer", + "Identifier": { + "PURL": "pkg:golang/github.com/go-openapi/jsonpointer@v0.19.6", + "UID": "e460a31bc6c2bf10" + }, + "Version": "v0.19.6", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/go-openapi/jsonreference", + "Identifier": { + "PURL": "pkg:golang/github.com/go-openapi/jsonreference@v0.20.2", + "UID": "a7167c9073a524d6" + }, + "Version": "v0.20.2", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/go-openapi/swag", + "Identifier": { + "PURL": "pkg:golang/github.com/go-openapi/swag@v0.22.4", + "UID": "ca63a28220215a24" + }, + "Version": "v0.22.4", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": 
"sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/gogo/protobuf", + "Identifier": { + "PURL": "pkg:golang/github.com/gogo/protobuf@v1.3.2", + "UID": "12229a7ea1a41bf9" + }, + "Version": "v1.3.2", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/golang/groupcache", + "Identifier": { + "PURL": "pkg:golang/github.com/golang/groupcache@v0.0.0-20210331224755-41bb18bfe9da", + "UID": "a27ac1f77c8b0010" + }, + "Version": "v0.0.0-20210331224755-41bb18bfe9da", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/golang/protobuf", + "Identifier": { + "PURL": "pkg:golang/github.com/golang/protobuf@v1.5.4", + "UID": "d43c8a3e3133d707" + }, + "Version": "v1.5.4", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/google/cel-go", + "Identifier": { + "PURL": "pkg:golang/github.com/google/cel-go@v0.20.1", + "UID": "94ef7c8840a3b3b5" + }, + "Version": "v0.20.1", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/google/gnostic-models", + "Identifier": { + "PURL": "pkg:golang/github.com/google/gnostic-models@v0.6.8", + "UID": "7946d08fc38d971d" + }, + "Version": "v0.6.8", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } 
+ }, + { + "Name": "github.com/google/go-cmp", + "Identifier": { + "PURL": "pkg:golang/github.com/google/go-cmp@v0.6.0", + "UID": "9e29f5c152e2a706" + }, + "Version": "v0.6.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/google/gofuzz", + "Identifier": { + "PURL": "pkg:golang/github.com/google/gofuzz@v1.2.0", + "UID": "71095bfebb1b396d" + }, + "Version": "v1.2.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/google/uuid", + "Identifier": { + "PURL": "pkg:golang/github.com/google/uuid@v1.6.0", + "UID": "3f9a3eece1e77b4a" + }, + "Version": "v1.6.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/gorilla/websocket", + "Identifier": { + "PURL": "pkg:golang/github.com/gorilla/websocket@v1.5.0", + "UID": "13af6f4876df004f" + }, + "Version": "v1.5.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/grpc-ecosystem/go-grpc-prometheus", + "Identifier": { + "PURL": "pkg:golang/github.com/grpc-ecosystem/go-grpc-prometheus@v1.2.0", + "UID": "8c03ad637556397b" + }, + "Version": "v1.2.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/grpc-ecosystem/grpc-gateway/v2", + "Identifier": { + "PURL": 
"pkg:golang/github.com/grpc-ecosystem/grpc-gateway/v2@v2.20.0", + "UID": "fa1a70a5b00e5c1a" + }, + "Version": "v2.20.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/imdario/mergo", + "Identifier": { + "PURL": "pkg:golang/github.com/imdario/mergo@v0.3.6", + "UID": "2cf304d2ecf78774" + }, + "Version": "v0.3.6", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/josharian/intern", + "Identifier": { + "PURL": "pkg:golang/github.com/josharian/intern@v1.0.0", + "UID": "724d9e340658497f" + }, + "Version": "v1.0.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/json-iterator/go", + "Identifier": { + "PURL": "pkg:golang/github.com/json-iterator/go@v1.1.12", + "UID": "81149636d2aebb4f" + }, + "Version": "v1.1.12", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/mailru/easyjson", + "Identifier": { + "PURL": "pkg:golang/github.com/mailru/easyjson@v0.7.7", + "UID": "bfc7edff65f81181" + }, + "Version": "v0.7.7", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/moby/spdystream", + "Identifier": { + "PURL": "pkg:golang/github.com/moby/spdystream@v0.4.0", + "UID": "ba16ae9a52e63cd9" + }, + "Version": "v0.4.0", + "Layer": { + 
"Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/moby/sys/mountinfo", + "Identifier": { + "PURL": "pkg:golang/github.com/moby/sys/mountinfo@v0.7.1", + "UID": "531290fcaacbd70a" + }, + "Version": "v0.7.1", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/moby/term", + "Identifier": { + "PURL": "pkg:golang/github.com/moby/term@v0.5.0", + "UID": "309066140f0ec5a5" + }, + "Version": "v0.5.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/modern-go/concurrent", + "Identifier": { + "PURL": "pkg:golang/github.com/modern-go/concurrent@v0.0.0-20180306012644-bacd9c7ef1dd", + "UID": "62baa27cad21b235" + }, + "Version": "v0.0.0-20180306012644-bacd9c7ef1dd", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/modern-go/reflect2", + "Identifier": { + "PURL": "pkg:golang/github.com/modern-go/reflect2@v1.0.2", + "UID": "3797709a6d442f9e" + }, + "Version": "v1.0.2", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/munnerz/goautoneg", + "Identifier": { + "PURL": "pkg:golang/github.com/munnerz/goautoneg@v0.0.0-20191010083416-a7dc8b61c822", + "UID": "5d775abb3ac213f8" + }, + "Version": "v0.0.0-20191010083416-a7dc8b61c822", + "Layer": { + "Digest": 
"sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/mxk/go-flowrate", + "Identifier": { + "PURL": "pkg:golang/github.com/mxk/go-flowrate@v0.0.0-20140419014527-cca7078d478f", + "UID": "ac7d5d9878a41691" + }, + "Version": "v0.0.0-20140419014527-cca7078d478f", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/opencontainers/go-digest", + "Identifier": { + "PURL": "pkg:golang/github.com/opencontainers/go-digest@v1.0.0", + "UID": "a9f702ca1f4a7271" + }, + "Version": "v1.0.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/opencontainers/runc", + "Identifier": { + "PURL": "pkg:golang/github.com/opencontainers/runc@v1.1.13", + "UID": "55d765dea925f8a8" + }, + "Version": "v1.1.13", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/opencontainers/selinux", + "Identifier": { + "PURL": "pkg:golang/github.com/opencontainers/selinux@v1.11.0", + "UID": "bdc9be1f77b1172c" + }, + "Version": "v1.11.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/pkg/errors", + "Identifier": { + "PURL": "pkg:golang/github.com/pkg/errors@v0.9.1", + "UID": "dae2fdd5ebf16870" + }, + "Version": "v0.9.1", + "Layer": { + "Digest": 
"sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/pquerna/cachecontrol", + "Identifier": { + "PURL": "pkg:golang/github.com/pquerna/cachecontrol@v0.1.0", + "UID": "1f21ed71e8fb134b" + }, + "Version": "v0.1.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/prometheus/client_golang", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_golang@v1.19.1", + "UID": "a57487d93e4fb677" + }, + "Version": "v1.19.1", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/prometheus/client_model", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_model@v0.6.1", + "UID": "d978e569ec8529a9" + }, + "Version": "v0.6.1", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/prometheus/common", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/common@v0.55.0", + "UID": "fa8e9bb0bfef17ac" + }, + "Version": "v0.55.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/prometheus/procfs", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/procfs@v0.15.1", + "UID": "67c18a295ba22153" + }, + "Version": "v0.15.1", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": 
"sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/robfig/cron/v3", + "Identifier": { + "PURL": "pkg:golang/github.com/robfig/cron/v3@v3.0.1", + "UID": "c0a809fffe08bd6c" + }, + "Version": "v3.0.1", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/spf13/cobra", + "Identifier": { + "PURL": "pkg:golang/github.com/spf13/cobra@v1.8.1", + "UID": "45bf0c421cb42c9" + }, + "Version": "v1.8.1", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/spf13/pflag", + "Identifier": { + "PURL": "pkg:golang/github.com/spf13/pflag@v1.0.5", + "UID": "de56a2c5757edd98" + }, + "Version": "v1.0.5", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/stoewer/go-strcase", + "Identifier": { + "PURL": "pkg:golang/github.com/stoewer/go-strcase@v1.2.0", + "UID": "249158aa4e8780f6" + }, + "Version": "v1.2.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "github.com/x448/float16", + "Identifier": { + "PURL": "pkg:golang/github.com/x448/float16@v0.8.4", + "UID": "684869f933cf92fd" + }, + "Version": "v0.8.4", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "go.etcd.io/etcd/api/v3", + "Identifier": { + "PURL": 
"pkg:golang/go.etcd.io/etcd/api/v3@v3.5.14", + "UID": "3fcddf6db5f58f4b" + }, + "Version": "v3.5.14", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "go.etcd.io/etcd/client/pkg/v3", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/etcd/client/pkg/v3@v3.5.14", + "UID": "f649fa94f4c83be1" + }, + "Version": "v3.5.14", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "go.etcd.io/etcd/client/v3", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/etcd/client/v3@v3.5.14", + "UID": "c76f5252ce51f35e" + }, + "Version": "v3.5.14", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.53.0", + "UID": "df1ca9b0e1d3f690" + }, + "Version": "v0.53.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.53.0", + "UID": "e33da004ea62cc07" + }, + "Version": "v0.53.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": 
"go.opentelemetry.io/otel", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel@v1.28.0", + "UID": "19ce801e1b8ec560" + }, + "Version": "v1.28.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "go.opentelemetry.io/otel/exporters/otlp/otlptrace", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace@v1.28.0", + "UID": "43931ac2051f66e2" + }, + "Version": "v1.28.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc@v1.27.0", + "UID": "91ad69561c0b85df" + }, + "Version": "v1.27.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "go.opentelemetry.io/otel/metric", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/metric@v1.28.0", + "UID": "371d3a8a672153dd" + }, + "Version": "v1.28.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "go.opentelemetry.io/otel/sdk", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/sdk@v1.28.0", + "UID": "3ed7a8fd3ac90d48" + }, + "Version": "v1.28.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": 
"go.opentelemetry.io/otel/trace", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/trace@v1.28.0", + "UID": "c81f1e6eacde18dc" + }, + "Version": "v1.28.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "go.opentelemetry.io/proto/otlp", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/proto/otlp@v1.3.1", + "UID": "def19360bc242da3" + }, + "Version": "v1.3.1", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "go.uber.org/multierr", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/multierr@v1.11.0", + "UID": "2f1bae7c6056dd91" + }, + "Version": "v1.11.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "go.uber.org/zap", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/zap@v1.26.0", + "UID": "fe1ea7f879855a7a" + }, + "Version": "v1.26.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "golang.org/x/crypto", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/crypto@v0.24.0", + "UID": "9eb98134d2b62a01" + }, + "Version": "v0.24.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "golang.org/x/exp", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/exp@v0.0.0-20230515195305-f3d0a9c9a5cc", + "UID": "52116995f3e5696" + }, + "Version": 
"v0.0.0-20230515195305-f3d0a9c9a5cc", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "golang.org/x/net", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.26.0", + "UID": "6df80953272ffb9c" + }, + "Version": "v0.26.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "golang.org/x/oauth2", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/oauth2@v0.21.0", + "UID": "2bce49dc6658f25f" + }, + "Version": "v0.21.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "golang.org/x/sync", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/sync@v0.7.0", + "UID": "987a26b66e368514" + }, + "Version": "v0.7.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "golang.org/x/sys", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/sys@v0.21.0", + "UID": "d22961d20256297f" + }, + "Version": "v0.21.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "golang.org/x/term", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/term@v0.21.0", + "UID": "7cbaaf3992e98418" + }, + "Version": "v0.21.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + 
} + }, + { + "Name": "golang.org/x/text", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/text@v0.16.0", + "UID": "c4cad1605fd71869" + }, + "Version": "v0.16.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "golang.org/x/time", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/time@v0.3.0", + "UID": "9e36f14ec12c8b98" + }, + "Version": "v0.3.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "golang.org/x/tools", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/tools@v0.21.1-0.20240508182429-e35e4ccd0d2d", + "UID": "24dcbbf78bae2738" + }, + "Version": "v0.21.1-0.20240508182429-e35e4ccd0d2d", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "google.golang.org/genproto/googleapis/api", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/genproto/googleapis/api@v0.0.0-20240528184218-531527333157", + "UID": "ef8c1b2646d7a9fe" + }, + "Version": "v0.0.0-20240528184218-531527333157", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "google.golang.org/genproto/googleapis/rpc", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/genproto/googleapis/rpc@v0.0.0-20240701130421-f6361c86f094", + "UID": "395cb4516d1bbd35" + }, + "Version": "v0.0.0-20240701130421-f6361c86f094", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": 
"sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "google.golang.org/grpc", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/grpc@v1.65.0", + "UID": "44bad598c75f4d04" + }, + "Version": "v1.65.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "google.golang.org/protobuf", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/protobuf@v1.34.2", + "UID": "a8b7b7cfbd991f3d" + }, + "Version": "v1.34.2", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "gopkg.in/evanphx/json-patch.v4", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/evanphx/json-patch.v4@v4.12.0", + "UID": "b188e523c336fcb" + }, + "Version": "v4.12.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "gopkg.in/inf.v0", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/inf.v0@v0.9.1", + "UID": "304036436eb4e5ff" + }, + "Version": "v0.9.1", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "gopkg.in/natefinch/lumberjack.v2", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/natefinch/lumberjack.v2@v2.2.1", + "UID": "5b262623acf06f37" + }, + "Version": "v2.2.1", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "gopkg.in/square/go-jose.v2", + "Identifier": { + 
"PURL": "pkg:golang/gopkg.in/square/go-jose.v2@v2.6.0", + "UID": "7bc1b95ba4e2d9c2" + }, + "Version": "v2.6.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "gopkg.in/yaml.v2", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/yaml.v2@v2.4.0", + "UID": "8362a49dfe56273e" + }, + "Version": "v2.4.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "gopkg.in/yaml.v3", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/yaml.v3@v3.0.1", + "UID": "135332ad6d06b14e" + }, + "Version": "v3.0.1", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "k8s.io/api", + "Identifier": { + "PURL": "pkg:golang/k8s.io/api", + "UID": "faf5b43d200cea6d" + }, + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "k8s.io/apiextensions-apiserver", + "Identifier": { + "PURL": "pkg:golang/k8s.io/apiextensions-apiserver", + "UID": "ac9c6e34133e4810" + }, + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "k8s.io/apimachinery", + "Identifier": { + "PURL": "pkg:golang/k8s.io/apimachinery", + "UID": "ad87d8baa661412c" + }, + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + 
"Name": "k8s.io/apiserver", + "Identifier": { + "PURL": "pkg:golang/k8s.io/apiserver", + "UID": "23d99978a9985c57" + }, + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "k8s.io/client-go", + "Identifier": { + "PURL": "pkg:golang/k8s.io/client-go", + "UID": "6a27c1d63ee7b58c" + }, + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "k8s.io/cloud-provider", + "Identifier": { + "PURL": "pkg:golang/k8s.io/cloud-provider", + "UID": "a3d4764658788292" + }, + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "k8s.io/cluster-bootstrap", + "Identifier": { + "PURL": "pkg:golang/k8s.io/cluster-bootstrap", + "UID": "59a4b5c482f23fec" + }, + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "k8s.io/component-base", + "Identifier": { + "PURL": "pkg:golang/k8s.io/component-base", + "UID": "53e4998fe042c8a2" + }, + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "k8s.io/component-helpers", + "Identifier": { + "PURL": "pkg:golang/k8s.io/component-helpers", + "UID": "6ebad784d7649f87" + }, + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": 
"k8s.io/controller-manager", + "Identifier": { + "PURL": "pkg:golang/k8s.io/controller-manager", + "UID": "b909b531b6039a02" + }, + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "k8s.io/dynamic-resource-allocation", + "Identifier": { + "PURL": "pkg:golang/k8s.io/dynamic-resource-allocation", + "UID": "979270b7991bcbaf" + }, + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "k8s.io/klog/v2", + "Identifier": { + "PURL": "pkg:golang/k8s.io/klog/v2@v2.130.1", + "UID": "e5156b31e1bb20ee" + }, + "Version": "v2.130.1", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "k8s.io/kms", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kms", + "UID": "c4685d5c9cd39d3e" + }, + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "k8s.io/kube-aggregator", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kube-aggregator", + "UID": "d5ce01ff317e9a34" + }, + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "k8s.io/kube-openapi", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kube-openapi@v0.0.0-20240228011516-70dd3763d340", + "UID": "a07e09993d83fe1" + }, + "Version": "v0.0.0-20240228011516-70dd3763d340", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + 
"DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "k8s.io/kubelet", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kubelet", + "UID": "f5067f39a56c4ba9" + }, + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "k8s.io/mount-utils", + "Identifier": { + "PURL": "pkg:golang/k8s.io/mount-utils", + "UID": "c11053580c59255b" + }, + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "k8s.io/pod-security-admission", + "Identifier": { + "PURL": "pkg:golang/k8s.io/pod-security-admission", + "UID": "1a11a9784fddd512" + }, + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "k8s.io/utils", + "Identifier": { + "PURL": "pkg:golang/k8s.io/utils@v0.0.0-20240711033017-18e509b52bc8", + "UID": "6d10fc1d431016fa" + }, + "Version": "v0.0.0-20240711033017-18e509b52bc8", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "sigs.k8s.io/apiserver-network-proxy/konnectivity-client", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/apiserver-network-proxy/konnectivity-client@v0.30.3", + "UID": "b56c556e257c1196" + }, + "Version": "v0.30.3", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "sigs.k8s.io/json", + "Identifier": { + "PURL": 
"pkg:golang/sigs.k8s.io/json@v0.0.0-20221116044647-bc3834ca7abd", + "UID": "463a2816b98dd7fb" + }, + "Version": "v0.0.0-20221116044647-bc3834ca7abd", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "sigs.k8s.io/structured-merge-diff/v4", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/structured-merge-diff/v4@v4.4.1", + "UID": "88a1eb179571b03c" + }, + "Version": "v4.4.1", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + }, + { + "Name": "sigs.k8s.io/yaml", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/yaml@v1.4.0", + "UID": "dddfaf94868ab2b7" + }, + "Version": "v1.4.0", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + } + } + ], + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2024-45310", + "PkgName": "github.com/opencontainers/runc", + "PkgIdentifier": { + "PURL": "pkg:golang/github.com/opencontainers/runc@v1.1.13", + "UID": "55d765dea925f8a8" + }, + "InstalledVersion": "v1.1.13", + "FixedVersion": "1.1.14, 1.2.0-rc.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-45310", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "runc: runc can be tricked into creating empty files/directories on host", + "Description": "runc is a CLI tool for spawning and 
running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack's scope but the exact scope of protection hasn't been analysed. This is exploitable using runc directly as well as through Docker and Kubernetes. The issue is fixed in runc v1.1.14 and v1.2.0-rc3.\n\nSome workarounds are available. Using user namespaces restricts this attack fairly significantly such that the attacker can only create inodes in directories that the remapped root user/group has write access to. Unless the root user is remapped to an actual\nuser on the host (such as with rootless containers that don't use `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in world-writable directories. 
A strict enough SELinux or AppArmor policy could in principle also restrict the scope if a specific label is applied to the runc runtime, though neither the extent to which the standard existing policies block this attack nor what exact policies are needed to sufficiently restrict this attack have been thoroughly tested.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-363", + "CWE-61" + ], + "VendorSeverity": { + "amazon": 1, + "ghsa": 2, + "photon": 1, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", + "V3Score": 3.6 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", + "V3Score": 3.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-45310", + "https://github.com/opencontainers/runc", + "https://github.com/opencontainers/runc/commit/63c2908164f3a1daea455bf5bcd8d363d70328c7", + "https://github.com/opencontainers/runc/commit/8781993968fd964ac723ff5f360b6f259e809a3e", + "https://github.com/opencontainers/runc/commit/f0b652ea61ff6750a8fcc69865d45a7abf37accf", + "https://github.com/opencontainers/runc/pull/4359", + "https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv", + "https://nvd.nist.gov/vuln/detail/CVE-2024-45310", + "https://www.cve.org/CVERecord?id=CVE-2024-45310", + "https://www.openwall.com/lists/oss-security/2024/09/03/1" + ], + "PublishedDate": "2024-09-03T19:15:15.243Z", + "LastModifiedDate": "2024-09-03T19:40:46.783Z" + }, + { + "VulnerabilityID": "CVE-2024-28180", + "PkgName": "gopkg.in/square/go-jose.v2", + "PkgIdentifier": { + "PURL": "pkg:golang/gopkg.in/square/go-jose.v2@v2.6.0", + "UID": "7bc1b95ba4e2d9c2" + }, + "InstalledVersion": "v2.6.0", + "Status": "affected", + "Layer": { + "Digest": "sha256:336107aa9da195fd1a95a8ba9879b9e3fa68ed5f6034f7192cfa309a318a646a", + "DiffID": "sha256:5b1efae7f7c35b14e825385decbcd30a0aa235a85b9469c7effb720b08c76ea6" + }, + "SeveritySource": "ghsa", + "PrimaryURL": 
"https://avd.aquasec.com/nvd/cve-2024-28180", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "jose-go: improper handling of highly compressed data", + "Description": "Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.\n", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-409" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 4.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 4.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:3827", + "https://access.redhat.com/security/cve/CVE-2024-28180", + "https://bugzilla.redhat.com/2268017", + "https://bugzilla.redhat.com/2268820", + "https://bugzilla.redhat.com/2268854", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268017", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268820", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268854", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45290", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28180", + "https://errata.almalinux.org/9/ALSA-2024-3827.html", + "https://errata.rockylinux.org/RLSA-2024:3827", + "https://github.com/go-jose/go-jose", + 
"https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298", + "https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a", + "https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502", + "https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g", + "https://linux.oracle.com/cve/CVE-2024-28180.html", + "https://linux.oracle.com/errata/ELSA-2024-3968.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28180", + "https://www.cve.org/CVERecord?id=CVE-2024-28180" + ], + "PublishedDate": "2024-03-09T01:15:07.34Z", + "LastModifiedDate": "2024-06-12T02:15:09.82Z" + } + ] + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "Pod", + "Name": "kube-controller-manager-kind-control-plane", + "Metadata": [ + { + "OS": { + "Family": "debian", + "Name": "12.7" + }, + "ImageID": "sha256:0486b6c53a1b5af26f2ad2fb89a089e04c6baa6369f8545ab0854f9d62b44503", + "DiffIDs": [ + "sha256:d37950ece3d30af513521db15b49bfcc95853a6664fe784eeea059572a5bbe55", + "sha256:8fa10c0194df9b7c054c90dbe482585f768a54428fc90a5b78a0066a123b1bba", + "sha256:ddc6e550070ca022d94bd4415de20545ba69954033b4985045a8b05f538bbe5c", + "sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368", + "sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc", + "sha256:ac805962e47900b616b2f4b4584a34ac7b07d64ac1fd2c077478cf65311addcc", + "sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b", + 
"sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1", + "sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849", + "sha256:f4aee9e53c42a22ed82451218c3ea03d1eea8d6ca8fbe8eb4e950304ba8a8bb3", + "sha256:b336e209998fa5cf0eec3dabf93a21194198a35f4f75612d8da03693f8c30217", + "sha256:5af9420e3bf1a287353fa1de7c571a55c6590eea8ebd4fac5fcf3b7f1f9903fa", + "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + ], + "RepoTags": [ + "registry.k8s.io/kube-controller-manager:v1.31.2" + ], + "RepoDigests": [ + "registry.k8s.io/kube-controller-manager@sha256:a33795e8b0ff9923d1539331975c4e76e2a74090f9f82eca775e2390e4f20752" + ], + "ImageConfig": { + "architecture": "amd64", + "created": "2024-10-22T20:45:57.075864051Z", + "history": [ + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "2024-10-15T09:08:07.903895305Z", + "created_by": "LABEL maintainers=Kubernetes Authors", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-10-15T09:08:07.903895305Z", + "created_by": "LABEL description=go based runner for distroless scenarios", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-10-15T09:08:07.903895305Z", + "created_by": "WORKDIR /", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-10-15T09:08:07.903895305Z", + "created_by": "COPY /workspace/go-runner . 
# buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2024-10-15T09:08:07.903895305Z", + "created_by": "ENTRYPOINT [\"/go-runner\"]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-10-22T20:45:57.075864051Z", + "created_by": "COPY /usr/local/bin/ # buildkit", + "comment": "buildkit.dockerfile.v0" + } + ], + "os": "linux", + "rootfs": { + "type": "layers", + "diff_ids": [ + "sha256:d37950ece3d30af513521db15b49bfcc95853a6664fe784eeea059572a5bbe55", + "sha256:8fa10c0194df9b7c054c90dbe482585f768a54428fc90a5b78a0066a123b1bba", + "sha256:ddc6e550070ca022d94bd4415de20545ba69954033b4985045a8b05f538bbe5c", + "sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368", + "sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc", + "sha256:ac805962e47900b616b2f4b4584a34ac7b07d64ac1fd2c077478cf65311addcc", + "sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b", + "sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1", + "sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849", + "sha256:f4aee9e53c42a22ed82451218c3ea03d1eea8d6ca8fbe8eb4e950304ba8a8bb3", + "sha256:b336e209998fa5cf0eec3dabf93a21194198a35f4f75612d8da03693f8c30217", + "sha256:5af9420e3bf1a287353fa1de7c571a55c6590eea8ebd4fac5fcf3b7f1f9903fa", + "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + ] + }, + "config": { + "Entrypoint": [ + "/go-runner" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt" + ], + "Labels": { + "description": "go based runner for distroless scenarios", + "maintainers": "Kubernetes Authors" + }, + "User": "0", + "WorkingDir": "/" + } + } + } + ], + "Results": [ + { + "Target": "registry.k8s.io/kube-controller-manager:v1.31.2 (debian 12.7)", + "Class": "os-pkgs", + "Type": "debian", + "Packages": [ + { + "ID": "base-files@12.4+deb12u7", 
+ "Name": "base-files", + "Identifier": { + "PURL": "pkg:deb/debian/base-files@12.4%2Bdeb12u7?arch=amd64\u0026distro=debian-12.7", + "UID": "392b0a2ef700f88e" + }, + "Version": "12.4+deb12u7", + "Arch": "amd64", + "SrcName": "base-files", + "SrcVersion": "12.4+deb12u7", + "Licenses": [ + "GPL-2.0-or-later" + ], + "Maintainer": "Santiago Vila \u003csanvila@debian.org\u003e", + "Layer": { + "Digest": "sha256:0674a6f58b64d0431620993268b1a1b0ef8618ee3cffd96d4662c2759ec43894", + "DiffID": "sha256:d37950ece3d30af513521db15b49bfcc95853a6664fe784eeea059572a5bbe55" + } + }, + { + "ID": "netbase@6.4", + "Name": "netbase", + "Identifier": { + "PURL": "pkg:deb/debian/netbase@6.4?arch=all\u0026distro=debian-12.7", + "UID": "4f7e568d50cdb727" + }, + "Version": "6.4", + "Arch": "all", + "SrcName": "netbase", + "SrcVersion": "6.4", + "Licenses": [ + "GPL-2.0-only" + ], + "Maintainer": "Marco d'Itri \u003cmd@linux.it\u003e", + "Layer": { + "Digest": "sha256:2e4cf50eeb92ac3a7afe75e15d96a26dee99449f86b46c75b5d95f4418a5bca0", + "DiffID": "sha256:8fa10c0194df9b7c054c90dbe482585f768a54428fc90a5b78a0066a123b1bba" + } + }, + { + "ID": "tzdata@2024a-0+deb12u1", + "Name": "tzdata", + "Identifier": { + "PURL": "pkg:deb/debian/tzdata@2024a-0%2Bdeb12u1?arch=all\u0026distro=debian-12.7", + "UID": "b88ec8ecf4963fd2" + }, + "Version": "2024a", + "Release": "0+deb12u1", + "Arch": "all", + "SrcName": "tzdata", + "SrcVersion": "2024a", + "SrcRelease": "0+deb12u1", + "Licenses": [ + "public-domain" + ], + "Maintainer": "GNU Libc Maintainers \u003cdebian-glibc@lists.debian.org\u003e", + "Layer": { + "Digest": "sha256:6f4cfee9177b9f884e8d86b48261a25094b2fcea1a7920919f47ea00712dbee8", + "DiffID": "sha256:ddc6e550070ca022d94bd4415de20545ba69954033b4985045a8b05f538bbe5c" + } + } + ] + }, + { + "Target": "go-runner", + "Class": "lang-pkgs", + "Type": "gobinary", + "Packages": [ + { + "Name": "k8s.io/release/images/build/go-runner", + "Identifier": { + "PURL": 
"pkg:golang/k8s.io/release/images/build/go-runner", + "UID": "de04e9e6653a54e4" + }, + "Relationship": "root", + "Layer": { + "Digest": "sha256:06b0f115d3d14c931cd74a4eb2c25db288bc369b9c85017d3f1a4bc6e62cc63a", + "DiffID": "sha256:5af9420e3bf1a287353fa1de7c571a55c6590eea8ebd4fac5fcf3b7f1f9903fa" + } + }, + { + "Name": "stdlib", + "Identifier": { + "PURL": "pkg:golang/stdlib@v1.22.8", + "UID": "fcb415220c9b00d9" + }, + "Version": "v1.22.8", + "Relationship": "direct", + "Layer": { + "Digest": "sha256:06b0f115d3d14c931cd74a4eb2c25db288bc369b9c85017d3f1a4bc6e62cc63a", + "DiffID": "sha256:5af9420e3bf1a287353fa1de7c571a55c6590eea8ebd4fac5fcf3b7f1f9903fa" + } + } + ] + }, + { + "Target": "usr/local/bin/kube-controller-manager", + "Class": "lang-pkgs", + "Type": "gobinary", + "Packages": [ + { + "Name": "k8s.io/kubernetes", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kubernetes", + "UID": "dde7d2a1e9fc3849" + }, + "Relationship": "root", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "stdlib", + "Identifier": { + "PURL": "pkg:golang/stdlib@v1.22.8", + "UID": "c659fc9d1459d907" + }, + "Version": "v1.22.8", + "Relationship": "direct", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/NYTimes/gziphandler", + "Identifier": { + "PURL": "pkg:golang/github.com/nytimes/gziphandler@v1.1.1", + "UID": "3c19e7243096c18" + }, + "Version": "v1.1.1", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/antlr4-go/antlr/v4", + "Identifier": { + "PURL": 
"pkg:golang/github.com/antlr4-go/antlr/v4@v4.13.0", + "UID": "33c19df2c431a81c" + }, + "Version": "v4.13.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/asaskevich/govalidator", + "Identifier": { + "PURL": "pkg:golang/github.com/asaskevich/govalidator@v0.0.0-20190424111038-f61b66f89f4a", + "UID": "90adb84a37018fc2" + }, + "Version": "v0.0.0-20190424111038-f61b66f89f4a", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/beorn7/perks", + "Identifier": { + "PURL": "pkg:golang/github.com/beorn7/perks@v1.0.1", + "UID": "5f9f8ffad4ae237b" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/blang/semver/v4", + "Identifier": { + "PURL": "pkg:golang/github.com/blang/semver/v4@v4.0.0", + "UID": "838094836fa5307a" + }, + "Version": "v4.0.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/cenkalti/backoff/v4", + "Identifier": { + "PURL": "pkg:golang/github.com/cenkalti/backoff/v4@v4.3.0", + "UID": "fe3c3626eea6a8df" + }, + "Version": "v4.3.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/cespare/xxhash/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/cespare/xxhash/v2@v2.3.0", + "UID": 
"21f8e82de8c5dc7b" + }, + "Version": "v2.3.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/checkpoint-restore/go-criu/v5", + "Identifier": { + "PURL": "pkg:golang/github.com/checkpoint-restore/go-criu/v5@v5.3.0", + "UID": "6fa8eab8fbe7dc7" + }, + "Version": "v5.3.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/cilium/ebpf", + "Identifier": { + "PURL": "pkg:golang/github.com/cilium/ebpf@v0.9.1", + "UID": "4996e7e47f8087d0" + }, + "Version": "v0.9.1", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/container-storage-interface/spec", + "Identifier": { + "PURL": "pkg:golang/github.com/container-storage-interface/spec@v1.9.0", + "UID": "c0d452470af1736b" + }, + "Version": "v1.9.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/containerd/console", + "Identifier": { + "PURL": "pkg:golang/github.com/containerd/console@v1.0.3", + "UID": "da4f83cebe89acbb" + }, + "Version": "v1.0.3", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/containerd/ttrpc", + "Identifier": { + "PURL": "pkg:golang/github.com/containerd/ttrpc@v1.2.2", + "UID": "e111ce81b0cadb7a" + }, + "Version": "v1.2.2", + "Layer": { + "Digest": 
"sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/coreos/go-oidc", + "Identifier": { + "PURL": "pkg:golang/github.com/coreos/go-oidc@v2.2.1%2Bincompatible", + "UID": "22690cc8b9637466" + }, + "Version": "v2.2.1+incompatible", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/coreos/go-semver", + "Identifier": { + "PURL": "pkg:golang/github.com/coreos/go-semver@v0.3.1", + "UID": "c911ddb1d6d91233" + }, + "Version": "v0.3.1", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/coreos/go-systemd/v22", + "Identifier": { + "PURL": "pkg:golang/github.com/coreos/go-systemd/v22@v22.5.0", + "UID": "f59c189649533a56" + }, + "Version": "v22.5.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/cyphar/filepath-securejoin", + "Identifier": { + "PURL": "pkg:golang/github.com/cyphar/filepath-securejoin@v0.2.4", + "UID": "f4ee3f18b75c967" + }, + "Version": "v0.2.4", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/davecgh/go-spew", + "Identifier": { + "PURL": "pkg:golang/github.com/davecgh/go-spew@v1.1.2-0.20180830191138-d8f796af33cc", + "UID": "61fe57219d27dbb4" + }, + "Version": "v1.1.2-0.20180830191138-d8f796af33cc", + "Layer": { + "Digest": 
"sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/distribution/reference", + "Identifier": { + "PURL": "pkg:golang/github.com/distribution/reference@v0.5.0", + "UID": "ee954a174ca31f6e" + }, + "Version": "v0.5.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/docker/go-units", + "Identifier": { + "PURL": "pkg:golang/github.com/docker/go-units@v0.5.0", + "UID": "510d2c9971943b2c" + }, + "Version": "v0.5.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/emicklei/go-restful/v3", + "Identifier": { + "PURL": "pkg:golang/github.com/emicklei/go-restful/v3@v3.11.0", + "UID": "ec17d90ea7152d58" + }, + "Version": "v3.11.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/euank/go-kmsg-parser", + "Identifier": { + "PURL": "pkg:golang/github.com/euank/go-kmsg-parser@v2.0.0%2Bincompatible", + "UID": "19b8a4f0f36fe076" + }, + "Version": "v2.0.0+incompatible", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/felixge/httpsnoop", + "Identifier": { + "PURL": "pkg:golang/github.com/felixge/httpsnoop@v1.0.4", + "UID": "cdfe7b3fbaae16b1" + }, + "Version": "v1.0.4", + "Layer": { + "Digest": 
"sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/fsnotify/fsnotify", + "Identifier": { + "PURL": "pkg:golang/github.com/fsnotify/fsnotify@v1.7.0", + "UID": "649a91c431794e86" + }, + "Version": "v1.7.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/fxamacker/cbor/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/fxamacker/cbor/v2@v2.7.0", + "UID": "da646e52dbd757c7" + }, + "Version": "v2.7.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/go-logr/logr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/logr@v1.4.2", + "UID": "cb52d658689dcc45" + }, + "Version": "v1.4.2", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/go-logr/stdr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/stdr@v1.2.2", + "UID": "69a31096e7a8295a" + }, + "Version": "v1.2.2", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/go-logr/zapr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/zapr@v1.3.0", + "UID": "9a24b5777b39b07e" + }, + "Version": "v1.3.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": 
"sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/go-openapi/jsonpointer", + "Identifier": { + "PURL": "pkg:golang/github.com/go-openapi/jsonpointer@v0.19.6", + "UID": "1252bdcd17dd1d45" + }, + "Version": "v0.19.6", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/go-openapi/jsonreference", + "Identifier": { + "PURL": "pkg:golang/github.com/go-openapi/jsonreference@v0.20.2", + "UID": "e1cef710b45085b7" + }, + "Version": "v0.20.2", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/go-openapi/swag", + "Identifier": { + "PURL": "pkg:golang/github.com/go-openapi/swag@v0.22.4", + "UID": "acc37e7b8ea2a75d" + }, + "Version": "v0.22.4", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/godbus/dbus/v5", + "Identifier": { + "PURL": "pkg:golang/github.com/godbus/dbus/v5@v5.1.0", + "UID": "62fdd21a86373ec" + }, + "Version": "v5.1.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/gogo/protobuf", + "Identifier": { + "PURL": "pkg:golang/github.com/gogo/protobuf@v1.3.2", + "UID": "6f6ad4164e772c00" + }, + "Version": "v1.3.2", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": 
"github.com/golang/groupcache", + "Identifier": { + "PURL": "pkg:golang/github.com/golang/groupcache@v0.0.0-20210331224755-41bb18bfe9da", + "UID": "948e031282ca4359" + }, + "Version": "v0.0.0-20210331224755-41bb18bfe9da", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/golang/protobuf", + "Identifier": { + "PURL": "pkg:golang/github.com/golang/protobuf@v1.5.4", + "UID": "8927c3cdb2585b2e" + }, + "Version": "v1.5.4", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/google/cadvisor", + "Identifier": { + "PURL": "pkg:golang/github.com/google/cadvisor@v0.49.0", + "UID": "ce17a99f9c82f6e7" + }, + "Version": "v0.49.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/google/cel-go", + "Identifier": { + "PURL": "pkg:golang/github.com/google/cel-go@v0.20.1", + "UID": "84c72b0589c2f49c" + }, + "Version": "v0.20.1", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/google/gnostic-models", + "Identifier": { + "PURL": "pkg:golang/github.com/google/gnostic-models@v0.6.8", + "UID": "2c1e576e211f14a0" + }, + "Version": "v0.6.8", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/google/go-cmp", + "Identifier": { + "PURL": 
"pkg:golang/github.com/google/go-cmp@v0.6.0", + "UID": "3c5265adfbbe8bc3" + }, + "Version": "v0.6.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/google/gofuzz", + "Identifier": { + "PURL": "pkg:golang/github.com/google/gofuzz@v1.2.0", + "UID": "7b61c98e776ac678" + }, + "Version": "v1.2.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/google/uuid", + "Identifier": { + "PURL": "pkg:golang/github.com/google/uuid@v1.6.0", + "UID": "dfdcabaf4801724f" + }, + "Version": "v1.6.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/gorilla/websocket", + "Identifier": { + "PURL": "pkg:golang/github.com/gorilla/websocket@v1.5.0", + "UID": "63a8de7c5fdee56a" + }, + "Version": "v1.5.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/grpc-ecosystem/go-grpc-prometheus", + "Identifier": { + "PURL": "pkg:golang/github.com/grpc-ecosystem/go-grpc-prometheus@v1.2.0", + "UID": "56f4320057a55016" + }, + "Version": "v1.2.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/grpc-ecosystem/grpc-gateway/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/grpc-ecosystem/grpc-gateway/v2@v2.20.0", + "UID": "f176d1217312d3f" + }, + 
"Version": "v2.20.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/imdario/mergo", + "Identifier": { + "PURL": "pkg:golang/github.com/imdario/mergo@v0.3.6", + "UID": "96ba3f08df93e171" + }, + "Version": "v0.3.6", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/josharian/intern", + "Identifier": { + "PURL": "pkg:golang/github.com/josharian/intern@v1.0.0", + "UID": "f7d8d20c816bf4be" + }, + "Version": "v1.0.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/json-iterator/go", + "Identifier": { + "PURL": "pkg:golang/github.com/json-iterator/go@v1.1.12", + "UID": "f353b2d691661766" + }, + "Version": "v1.1.12", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/karrick/godirwalk", + "Identifier": { + "PURL": "pkg:golang/github.com/karrick/godirwalk@v1.17.0", + "UID": "5c14dd76f6996262" + }, + "Version": "v1.17.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/libopenstorage/openstorage", + "Identifier": { + "PURL": "pkg:golang/github.com/libopenstorage/openstorage@v1.0.0", + "UID": "657582cc2d92f4c2" + }, + "Version": "v1.0.0", + "Layer": { + "Digest": 
"sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/mailru/easyjson", + "Identifier": { + "PURL": "pkg:golang/github.com/mailru/easyjson@v0.7.7", + "UID": "3eb0f13b5230184c" + }, + "Version": "v0.7.7", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/mistifyio/go-zfs", + "Identifier": { + "PURL": "pkg:golang/github.com/mistifyio/go-zfs@v2.1.2-0.20190413222219-f784269be439%2Bincompatible", + "UID": "8193423d0c1a52c0" + }, + "Version": "v2.1.2-0.20190413222219-f784269be439+incompatible", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/moby/spdystream", + "Identifier": { + "PURL": "pkg:golang/github.com/moby/spdystream@v0.4.0", + "UID": "e60f378dd8689e80" + }, + "Version": "v0.4.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/moby/sys/mountinfo", + "Identifier": { + "PURL": "pkg:golang/github.com/moby/sys/mountinfo@v0.7.1", + "UID": "8a3450b9f30982db" + }, + "Version": "v0.7.1", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/moby/term", + "Identifier": { + "PURL": "pkg:golang/github.com/moby/term@v0.5.0", + "UID": "c253b60835788404" + }, + "Version": "v0.5.0", + "Layer": { + "Digest": 
"sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/modern-go/concurrent", + "Identifier": { + "PURL": "pkg:golang/github.com/modern-go/concurrent@v0.0.0-20180306012644-bacd9c7ef1dd", + "UID": "756428e18b7bc9d8" + }, + "Version": "v0.0.0-20180306012644-bacd9c7ef1dd", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/modern-go/reflect2", + "Identifier": { + "PURL": "pkg:golang/github.com/modern-go/reflect2@v1.0.2", + "UID": "73ab8e877f2390db" + }, + "Version": "v1.0.2", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/mohae/deepcopy", + "Identifier": { + "PURL": "pkg:golang/github.com/mohae/deepcopy@v0.0.0-20170603005431-491d3605edfb", + "UID": "b863b1494e1cd88" + }, + "Version": "v0.0.0-20170603005431-491d3605edfb", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/mrunalp/fileutils", + "Identifier": { + "PURL": "pkg:golang/github.com/mrunalp/fileutils@v0.5.1", + "UID": "c2b750ea45001a22" + }, + "Version": "v0.5.1", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/munnerz/goautoneg", + "Identifier": { + "PURL": "pkg:golang/github.com/munnerz/goautoneg@v0.0.0-20191010083416-a7dc8b61c822", + "UID": "163bba9270380db5" + }, + "Version": 
"v0.0.0-20191010083416-a7dc8b61c822", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/mxk/go-flowrate", + "Identifier": { + "PURL": "pkg:golang/github.com/mxk/go-flowrate@v0.0.0-20140419014527-cca7078d478f", + "UID": "9faf15c5157d8950" + }, + "Version": "v0.0.0-20140419014527-cca7078d478f", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/opencontainers/go-digest", + "Identifier": { + "PURL": "pkg:golang/github.com/opencontainers/go-digest@v1.0.0", + "UID": "55c72b67df836d2c" + }, + "Version": "v1.0.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/opencontainers/runc", + "Identifier": { + "PURL": "pkg:golang/github.com/opencontainers/runc@v1.1.13", + "UID": "6db4deb691a64cad" + }, + "Version": "v1.1.13", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/opencontainers/runtime-spec", + "Identifier": { + "PURL": "pkg:golang/github.com/opencontainers/runtime-spec@v1.0.3-0.20220909204839-494a5a6aca78", + "UID": "22b674cfbf5fd89f" + }, + "Version": "v1.0.3-0.20220909204839-494a5a6aca78", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/opencontainers/selinux", + "Identifier": { + "PURL": 
"pkg:golang/github.com/opencontainers/selinux@v1.11.0", + "UID": "6d2b0f073c128cd9" + }, + "Version": "v1.11.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/pkg/errors", + "Identifier": { + "PURL": "pkg:golang/github.com/pkg/errors@v0.9.1", + "UID": "cb3e4dd3db5f31a1" + }, + "Version": "v0.9.1", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/pquerna/cachecontrol", + "Identifier": { + "PURL": "pkg:golang/github.com/pquerna/cachecontrol@v0.1.0", + "UID": "24bb6bd364b79256" + }, + "Version": "v0.1.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/prometheus/client_golang", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_golang@v1.19.1", + "UID": "32396a602d2a8e62" + }, + "Version": "v1.19.1", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/prometheus/client_model", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_model@v0.6.1", + "UID": "5c4407f8de3d4a14" + }, + "Version": "v0.6.1", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/prometheus/common", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/common@v0.55.0", + "UID": "7fb3b43cae37ed15" + }, + "Version": 
"v0.55.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/prometheus/procfs", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/procfs@v0.15.1", + "UID": "308057d0df88d166" + }, + "Version": "v0.15.1", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/robfig/cron/v3", + "Identifier": { + "PURL": "pkg:golang/github.com/robfig/cron/v3@v3.0.1", + "UID": "30dc75fdf103bcc1" + }, + "Version": "v3.0.1", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/sirupsen/logrus", + "Identifier": { + "PURL": "pkg:golang/github.com/sirupsen/logrus@v1.9.3", + "UID": "4bba563ef4bda8da" + }, + "Version": "v1.9.3", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/spf13/cobra", + "Identifier": { + "PURL": "pkg:golang/github.com/spf13/cobra@v1.8.1", + "UID": "8975c36277e238a4" + }, + "Version": "v1.8.1", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/spf13/pflag", + "Identifier": { + "PURL": "pkg:golang/github.com/spf13/pflag@v1.0.5", + "UID": "e0dad20b87bded01" + }, + "Version": "v1.0.5", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": 
"sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/stoewer/go-strcase", + "Identifier": { + "PURL": "pkg:golang/github.com/stoewer/go-strcase@v1.2.0", + "UID": "9e2bbc8d16551c8f" + }, + "Version": "v1.2.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/syndtr/gocapability", + "Identifier": { + "PURL": "pkg:golang/github.com/syndtr/gocapability@v0.0.0-20200815063812-42c35b437635", + "UID": "887bfa97a04681e3" + }, + "Version": "v0.0.0-20200815063812-42c35b437635", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/vishvananda/netlink", + "Identifier": { + "PURL": "pkg:golang/github.com/vishvananda/netlink@v1.1.0", + "UID": "fed38348f01bc705" + }, + "Version": "v1.1.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/vishvananda/netns", + "Identifier": { + "PURL": "pkg:golang/github.com/vishvananda/netns@v0.0.4", + "UID": "1b410dd5134d8336" + }, + "Version": "v0.0.4", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "github.com/x448/float16", + "Identifier": { + "PURL": "pkg:golang/github.com/x448/float16@v0.8.4", + "UID": "9bb4e2409c5749c0" + }, + "Version": "v0.8.4", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": 
"sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "go.etcd.io/etcd/api/v3", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/etcd/api/v3@v3.5.14", + "UID": "76b13d6a65a1d30a" + }, + "Version": "v3.5.14", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "go.etcd.io/etcd/client/pkg/v3", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/etcd/client/pkg/v3@v3.5.14", + "UID": "bd27fff30c20ea04" + }, + "Version": "v3.5.14", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "go.etcd.io/etcd/client/v3", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/etcd/client/v3@v3.5.14", + "UID": "af19afa1d1847fd3" + }, + "Version": "v3.5.14", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.53.0", + "UID": "c07bb64bc781704d" + }, + "Version": "v0.53.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.53.0", + "UID": "95c1bb1811a3af62" + }, + "Version": "v0.53.0", + "Layer": { + "Digest": 
"sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "go.opentelemetry.io/otel", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel@v1.28.0", + "UID": "884ecea49837b7d9" + }, + "Version": "v1.28.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "go.opentelemetry.io/otel/exporters/otlp/otlptrace", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace@v1.28.0", + "UID": "d4e9c7624c4ed583" + }, + "Version": "v1.28.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc@v1.27.0", + "UID": "d99107f0b403f76e" + }, + "Version": "v1.27.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "go.opentelemetry.io/otel/metric", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/metric@v1.28.0", + "UID": "e68f3e1d2da96a08" + }, + "Version": "v1.28.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "go.opentelemetry.io/otel/sdk", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/sdk@v1.28.0", + "UID": "7d833482122f4fa1" + }, + "Version": "v1.28.0", + "Layer": { + "Digest": 
"sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "go.opentelemetry.io/otel/trace", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/trace@v1.28.0", + "UID": "9ac70e12d9906201" + }, + "Version": "v1.28.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "go.opentelemetry.io/proto/otlp", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/proto/otlp@v1.3.1", + "UID": "e685c38b99a859c2" + }, + "Version": "v1.3.1", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "go.uber.org/multierr", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/multierr@v1.11.0", + "UID": "e6ca0a85e89ac810" + }, + "Version": "v1.11.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "go.uber.org/zap", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/zap@v1.26.0", + "UID": "84d2a244b35955d7" + }, + "Version": "v1.26.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "golang.org/x/crypto", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/crypto@v0.24.0", + "UID": "47dcd144789713cc" + }, + "Version": "v0.24.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + 
}, + { + "Name": "golang.org/x/exp", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/exp@v0.0.0-20230515195305-f3d0a9c9a5cc", + "UID": "184a50b454ee5ed3" + }, + "Version": "v0.0.0-20230515195305-f3d0a9c9a5cc", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "golang.org/x/net", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.26.0", + "UID": "501de59f784dddcd" + }, + "Version": "v0.26.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "golang.org/x/oauth2", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/oauth2@v0.21.0", + "UID": "85e7679a4063b8de" + }, + "Version": "v0.21.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "golang.org/x/sync", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/sync@v0.7.0", + "UID": "a126ba43657c81b1" + }, + "Version": "v0.7.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "golang.org/x/sys", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/sys@v0.21.0", + "UID": "459d8bfc0e885f72" + }, + "Version": "v0.21.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "golang.org/x/term", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/term@v0.21.0", + "UID": "591c9cfae8958edd" + }, + "Version": "v0.21.0", + "Layer": 
{ + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "golang.org/x/text", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/text@v0.16.0", + "UID": "7bc45a1ca6af1ac8" + }, + "Version": "v0.16.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "golang.org/x/time", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/time@v0.3.0", + "UID": "8e8d2966c4503a2d" + }, + "Version": "v0.3.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "golang.org/x/tools", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/tools@v0.21.1-0.20240508182429-e35e4ccd0d2d", + "UID": "bdf6c05c0daccced" + }, + "Version": "v0.21.1-0.20240508182429-e35e4ccd0d2d", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "google.golang.org/genproto/googleapis/api", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/genproto/googleapis/api@v0.0.0-20240528184218-531527333157", + "UID": "c3d337374b72d5f7" + }, + "Version": "v0.0.0-20240528184218-531527333157", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "google.golang.org/genproto/googleapis/rpc", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/genproto/googleapis/rpc@v0.0.0-20240701130421-f6361c86f094", + "UID": "dc85907d5b829390" + }, + "Version": 
"v0.0.0-20240701130421-f6361c86f094", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "google.golang.org/grpc", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/grpc@v1.65.0", + "UID": "aae9c4425bb9abe5" + }, + "Version": "v1.65.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "google.golang.org/protobuf", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/protobuf@v1.34.2", + "UID": "9a81955672b73c08" + }, + "Version": "v1.34.2", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "gopkg.in/evanphx/json-patch.v4", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/evanphx/json-patch.v4@v4.12.0", + "UID": "f09c8b7f9f192fce" + }, + "Version": "v4.12.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "gopkg.in/inf.v0", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/inf.v0@v0.9.1", + "UID": "e7f747fdd53ef0b2" + }, + "Version": "v0.9.1", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "gopkg.in/natefinch/lumberjack.v2", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/natefinch/lumberjack.v2@v2.2.1", + "UID": "ef0a5cfcd7bb13ee" + }, + "Version": "v2.2.1", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + 
"DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "gopkg.in/square/go-jose.v2", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/square/go-jose.v2@v2.6.0", + "UID": "529998ca3e192b6b" + }, + "Version": "v2.6.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "gopkg.in/yaml.v2", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/yaml.v2@v2.4.0", + "UID": "4bb2af8d523ce8e3" + }, + "Version": "v2.4.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "gopkg.in/yaml.v3", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/yaml.v3@v3.0.1", + "UID": "55b4557dd03290e7" + }, + "Version": "v3.0.1", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/api", + "Identifier": { + "PURL": "pkg:golang/k8s.io/api", + "UID": "dad09f687fdd2304" + }, + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/apiextensions-apiserver", + "Identifier": { + "PURL": "pkg:golang/k8s.io/apiextensions-apiserver", + "UID": "4bd3eb2150fb4121" + }, + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/apimachinery", + "Identifier": { + "PURL": "pkg:golang/k8s.io/apimachinery", + "UID": "cd421755b58298fd" + }, + "Layer": { + "Digest": 
"sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/apiserver", + "Identifier": { + "PURL": "pkg:golang/k8s.io/apiserver", + "UID": "22219354163238ca" + }, + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/client-go", + "Identifier": { + "PURL": "pkg:golang/k8s.io/client-go", + "UID": "d5f7b2c6216bc791" + }, + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/cloud-provider", + "Identifier": { + "PURL": "pkg:golang/k8s.io/cloud-provider", + "UID": "ce5a0c15c98c88eb" + }, + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/cluster-bootstrap", + "Identifier": { + "PURL": "pkg:golang/k8s.io/cluster-bootstrap", + "UID": "3ef975f2e3d3238d" + }, + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/component-base", + "Identifier": { + "PURL": "pkg:golang/k8s.io/component-base", + "UID": "b794a3c117fc0eb" + }, + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/component-helpers", + "Identifier": { + "PURL": "pkg:golang/k8s.io/component-helpers", + "UID": "71017aaae95bbda6" + }, + "Layer": { + "Digest": 
"sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/controller-manager", + "Identifier": { + "PURL": "pkg:golang/k8s.io/controller-manager", + "UID": "b3a51c5a1dd5544b" + }, + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/cri-api", + "Identifier": { + "PURL": "pkg:golang/k8s.io/cri-api", + "UID": "fb8c7481f1b9a5b6" + }, + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/cri-client", + "Identifier": { + "PURL": "pkg:golang/k8s.io/cri-client", + "UID": "aaff44c4f2d50235" + }, + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/csi-translation-lib", + "Identifier": { + "PURL": "pkg:golang/k8s.io/csi-translation-lib", + "UID": "f7e68cd59997303f" + }, + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/dynamic-resource-allocation", + "Identifier": { + "PURL": "pkg:golang/k8s.io/dynamic-resource-allocation", + "UID": "1b489e68cde17f5e" + }, + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/endpointslice", + "Identifier": { + "PURL": "pkg:golang/k8s.io/endpointslice", + "UID": "f1dd63d3b43a54d5" + }, + "Layer": { + 
"Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/klog/v2", + "Identifier": { + "PURL": "pkg:golang/k8s.io/klog/v2@v2.130.1", + "UID": "ff2925120f0d9233" + }, + "Version": "v2.130.1", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/kms", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kms", + "UID": "94110b3a278342fb" + }, + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/kube-aggregator", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kube-aggregator", + "UID": "68d501691c1c4029" + }, + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/kube-controller-manager", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kube-controller-manager", + "UID": "a4cccce7861e2c39" + }, + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/kube-openapi", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kube-openapi@v0.0.0-20240228011516-70dd3763d340", + "UID": "af82df93d9c56c20" + }, + "Version": "v0.0.0-20240228011516-70dd3763d340", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/kube-scheduler", + "Identifier": { + 
"PURL": "pkg:golang/k8s.io/kube-scheduler", + "UID": "6c8db3ec23b2cea0" + }, + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/kubectl", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kubectl", + "UID": "7ff19ec5477e4f4a" + }, + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/kubelet", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kubelet", + "UID": "b68a0e4c3f5f50dc" + }, + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/metrics", + "Identifier": { + "PURL": "pkg:golang/k8s.io/metrics", + "UID": "a827d12781dbe703" + }, + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/mount-utils", + "Identifier": { + "PURL": "pkg:golang/k8s.io/mount-utils", + "UID": "956d2d4f22d3f6fa" + }, + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/pod-security-admission", + "Identifier": { + "PURL": "pkg:golang/k8s.io/pod-security-admission", + "UID": "a75bff4c0726cd3" + }, + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "k8s.io/utils", + "Identifier": { + "PURL": 
"pkg:golang/k8s.io/utils@v0.0.0-20240711033017-18e509b52bc8", + "UID": "84c10301ecdb0503" + }, + "Version": "v0.0.0-20240711033017-18e509b52bc8", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "sigs.k8s.io/apiserver-network-proxy/konnectivity-client", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/apiserver-network-proxy/konnectivity-client@v0.30.3", + "UID": "222f63e7ba156647" + }, + "Version": "v0.30.3", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "sigs.k8s.io/json", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/json@v0.0.0-20221116044647-bc3834ca7abd", + "UID": "b7ce92171c3d9826" + }, + "Version": "v0.0.0-20221116044647-bc3834ca7abd", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "sigs.k8s.io/structured-merge-diff/v4", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/structured-merge-diff/v4@v4.4.1", + "UID": "9e6c9f930c29858d" + }, + "Version": "v4.4.1", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + }, + { + "Name": "sigs.k8s.io/yaml", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/yaml@v1.4.0", + "UID": "dd621db5e6bb4ca" + }, + "Version": "v1.4.0", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + } + } + ], + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2024-45310", + 
"PkgName": "github.com/opencontainers/runc", + "PkgIdentifier": { + "PURL": "pkg:golang/github.com/opencontainers/runc@v1.1.13", + "UID": "6db4deb691a64cad" + }, + "InstalledVersion": "v1.1.13", + "FixedVersion": "1.1.14, 1.2.0-rc.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-45310", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "runc: runc can be tricked into creating empty files/directories on host", + "Description": "runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack's scope but the exact scope of protection hasn't been analysed. This is exploitable using runc directly as well as through Docker and Kubernetes. The issue is fixed in runc v1.1.14 and v1.2.0-rc3.\n\nSome workarounds are available. 
Using user namespaces restricts this attack fairly significantly such that the attacker can only create inodes in directories that the remapped root user/group has write access to. Unless the root user is remapped to an actual\nuser on the host (such as with rootless containers that don't use `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in world-writable directories. A strict enough SELinux or AppArmor policy could in principle also restrict the scope if a specific label is applied to the runc runtime, though neither the extent to which the standard existing policies block this attack nor what exact policies are needed to sufficiently restrict this attack have been thoroughly tested.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-363", + "CWE-61" + ], + "VendorSeverity": { + "amazon": 1, + "ghsa": 2, + "photon": 1, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", + "V3Score": 3.6 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", + "V3Score": 3.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-45310", + "https://github.com/opencontainers/runc", + "https://github.com/opencontainers/runc/commit/63c2908164f3a1daea455bf5bcd8d363d70328c7", + "https://github.com/opencontainers/runc/commit/8781993968fd964ac723ff5f360b6f259e809a3e", + "https://github.com/opencontainers/runc/commit/f0b652ea61ff6750a8fcc69865d45a7abf37accf", + "https://github.com/opencontainers/runc/pull/4359", + "https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv", + "https://nvd.nist.gov/vuln/detail/CVE-2024-45310", + "https://www.cve.org/CVERecord?id=CVE-2024-45310", + "https://www.openwall.com/lists/oss-security/2024/09/03/1" + ], + "PublishedDate": "2024-09-03T19:15:15.243Z", + "LastModifiedDate": "2024-09-03T19:40:46.783Z" + }, + { + "VulnerabilityID": "CVE-2024-28180", + "PkgName": 
"gopkg.in/square/go-jose.v2", + "PkgIdentifier": { + "PURL": "pkg:golang/gopkg.in/square/go-jose.v2@v2.6.0", + "UID": "529998ca3e192b6b" + }, + "InstalledVersion": "v2.6.0", + "Status": "affected", + "Layer": { + "Digest": "sha256:711e50928cfb35055ff4a4b31e6a152ee5909763ad4d5ec31c25a916a49bebe4", + "DiffID": "sha256:c5c90b3a07ad6879d9511c3d60de1ef1816b4aba5afb47722d931442200c2e94" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-28180", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "jose-go: improper handling of highly compressed data", + "Description": "Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). 
This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.\n", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-409" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 4.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 4.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:3827", + "https://access.redhat.com/security/cve/CVE-2024-28180", + "https://bugzilla.redhat.com/2268017", + "https://bugzilla.redhat.com/2268820", + "https://bugzilla.redhat.com/2268854", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268017", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268820", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268854", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45290", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28180", + "https://errata.almalinux.org/9/ALSA-2024-3827.html", + "https://errata.rockylinux.org/RLSA-2024:3827", + "https://github.com/go-jose/go-jose", + "https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298", + "https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a", + "https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502", + "https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g", + "https://linux.oracle.com/cve/CVE-2024-28180.html", + "https://linux.oracle.com/errata/ELSA-2024-3968.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH", 
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28180", + "https://www.cve.org/CVERecord?id=CVE-2024-28180" + ], + "PublishedDate": "2024-03-09T01:15:07.34Z", + "LastModifiedDate": "2024-06-12T02:15:09.82Z" + } + ] + } + ] + }, + { + "Namespace": "kube-system", + "Kind": "Pod", + "Name": "etcd-kind-control-plane", + "Metadata": [ + { + "OS": { + "Family": "debian", + "Name": "12.6" + }, + "ImageID": "sha256:2e96e5913fc06e3d26915af3d0f2ca5048cc4b6327e661e80da792cbf8d8d9d4", + "DiffIDs": [ + "sha256:f144bb4c7c7f0d2aa7eeffd36d934ec40db1ee167be727e326aad9fdc616f475", + "sha256:49626df344c912cfe9f8d8fcd635d301bd41127cd326914212cf2443a96cf421", + "sha256:945d17be9a3e27af5ca1c671792bf1a8f2c3f4d13d3994665d95f084ed4f8a60", + "sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368", + "sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc", + "sha256:ac805962e47900b616b2f4b4584a34ac7b07d64ac1fd2c077478cf65311addcc", + "sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b", + "sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1", + "sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849", + "sha256:f4aee9e53c42a22ed82451218c3ea03d1eea8d6ca8fbe8eb4e950304ba8a8bb3", + "sha256:b336e209998fa5cf0eec3dabf93a21194198a35f4f75612d8da03693f8c30217", + "sha256:47454710974a5a737e5809f31bea21bbc63e97502cd9a2de3ce2c1e658b9098f", + "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83", + "sha256:b20c1907f1d5c1c296bad50c967b10ceae5998d06942e8f08286ec41746aa57d" + ], + "RepoTags": [ + "registry.k8s.io/etcd:3.5.15-0" + ], + "RepoDigests": [ + "registry.k8s.io/etcd@sha256:a6dc63e6e8cfa0307d7851762fa6b629afb18f28d8aa3fab5a6e91b4af60026a" + ], + "ImageConfig": { + "architecture": "amd64", + "created": "2024-07-25T20:09:54.311611392Z", + "history": [ + { + 
"created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "2024-07-25T20:09:53.605227024Z", + "created_by": "WORKDIR /", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-07-25T20:09:53.605227024Z", + "created_by": "COPY /sh /bin/ # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2024-07-25T20:09:53.605227024Z", + "created_by": "EXPOSE map[2379/tcp:{} 2380/tcp:{} 4001/tcp:{} 7001/tcp:{}]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-07-25T20:09:54.239514928Z", + "created_by": "COPY etcd* etcdctl* /usr/local/bin/ # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2024-07-25T20:09:54.311611392Z", + "created_by": "COPY migrate-if-needed.sh migrate /usr/local/bin/ # buildkit", + "comment": "buildkit.dockerfile.v0" + } + ], + "os": "linux", + "rootfs": { + "type": "layers", + "diff_ids": [ + "sha256:f144bb4c7c7f0d2aa7eeffd36d934ec40db1ee167be727e326aad9fdc616f475", + "sha256:49626df344c912cfe9f8d8fcd635d301bd41127cd326914212cf2443a96cf421", + "sha256:945d17be9a3e27af5ca1c671792bf1a8f2c3f4d13d3994665d95f084ed4f8a60", + "sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368", + "sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc", + "sha256:ac805962e47900b616b2f4b4584a34ac7b07d64ac1fd2c077478cf65311addcc", + "sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b", + "sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1", + 
"sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849", + "sha256:f4aee9e53c42a22ed82451218c3ea03d1eea8d6ca8fbe8eb4e950304ba8a8bb3", + "sha256:b336e209998fa5cf0eec3dabf93a21194198a35f4f75612d8da03693f8c30217", + "sha256:47454710974a5a737e5809f31bea21bbc63e97502cd9a2de3ce2c1e658b9098f", + "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83", + "sha256:b20c1907f1d5c1c296bad50c967b10ceae5998d06942e8f08286ec41746aa57d" + ] + }, + "config": { + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt" + ], + "User": "0", + "WorkingDir": "/", + "ExposedPorts": { + "2379/tcp": {}, + "2380/tcp": {}, + "4001/tcp": {}, + "7001/tcp": {} + } + } + } + } + ], + "Results": [ + { + "Target": "registry.k8s.io/etcd:3.5.15-0 (debian 12.6)", + "Class": "os-pkgs", + "Type": "debian", + "Packages": [ + { + "ID": "base-files@12.4+deb12u6", + "Name": "base-files", + "Identifier": { + "PURL": "pkg:deb/debian/base-files@12.4%2Bdeb12u6?arch=amd64\u0026distro=debian-12.6", + "UID": "33e5b56b2a7eecfe" + }, + "Version": "12.4+deb12u6", + "Arch": "amd64", + "SrcName": "base-files", + "SrcVersion": "12.4+deb12u6", + "Licenses": [ + "GPL-2.0-or-later" + ], + "Maintainer": "Santiago Vila \u003csanvila@debian.org\u003e", + "Layer": { + "Digest": "sha256:f531499c6b730fc55a63e5ade55ce2c849bbf03f894248e3a2092689e3749312", + "DiffID": "sha256:f144bb4c7c7f0d2aa7eeffd36d934ec40db1ee167be727e326aad9fdc616f475" + } + }, + { + "ID": "netbase@6.4", + "Name": "netbase", + "Identifier": { + "PURL": "pkg:deb/debian/netbase@6.4?arch=all\u0026distro=debian-12.6", + "UID": "4f7e568d50cdb727" + }, + "Version": "6.4", + "Arch": "all", + "SrcName": "netbase", + "SrcVersion": "6.4", + "Licenses": [ + "GPL-2.0-only" + ], + "Maintainer": "Marco d'Itri \u003cmd@linux.it\u003e", + "Layer": { + "Digest": "sha256:e8d9a567199d7a318c875f2558a679ba8a924f817afacbb428afc3ffe6be6828", + "DiffID": 
"sha256:49626df344c912cfe9f8d8fcd635d301bd41127cd326914212cf2443a96cf421" + } + }, + { + "ID": "tzdata@2024a-0+deb12u1", + "Name": "tzdata", + "Identifier": { + "PURL": "pkg:deb/debian/tzdata@2024a-0%2Bdeb12u1?arch=all\u0026distro=debian-12.6", + "UID": "b88ec8ecf4963fd2" + }, + "Version": "2024a", + "Release": "0+deb12u1", + "Arch": "all", + "SrcName": "tzdata", + "SrcVersion": "2024a", + "SrcRelease": "0+deb12u1", + "Licenses": [ + "public-domain" + ], + "Maintainer": "GNU Libc Maintainers \u003cdebian-glibc@lists.debian.org\u003e", + "Layer": { + "Digest": "sha256:058cf3d8c2ba04ad7c064698c08c5e886a8623c0ad6171b8d72684253534417d", + "DiffID": "sha256:945d17be9a3e27af5ca1c671792bf1a8f2c3f4d13d3994665d95f084ed4f8a60" + } + } + ] + }, + { + "Target": "usr/local/bin/etcd", + "Class": "lang-pkgs", + "Type": "gobinary", + "Packages": [ + { + "Name": "go.etcd.io/etcd/server/v3", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/etcd/server/v3", + "UID": "a195f31f12a48605" + }, + "Relationship": "root", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "stdlib", + "Identifier": { + "PURL": "pkg:golang/stdlib@v1.21.12", + "UID": "22529b83e39abf11" + }, + "Version": "v1.21.12", + "Relationship": "direct", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../api", + "Identifier": { + "UID": "1459db69ee2bd53f" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../client/pkg", + "Identifier": { + "UID": "e51e00889662c548" + }, + "Layer": { + "Digest": 
"sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../client/v2", + "Identifier": { + "UID": "2d39e65844c0a902" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../client/v3", + "Identifier": { + "UID": "6921d29b77b4da81" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../pkg", + "Identifier": { + "UID": "6f4e46bbad3f4fd2" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../raft", + "Identifier": { + "UID": "5368dcd179e19237" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/beorn7/perks", + "Identifier": { + "PURL": "pkg:golang/github.com/beorn7/perks@v1.0.1", + "UID": "a570f8dd2743f95b" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/cenkalti/backoff/v4", + "Identifier": { + "PURL": "pkg:golang/github.com/cenkalti/backoff/v4@v4.2.1", + "UID": "ab80fb0ad7b5ea33" + }, + "Version": "v4.2.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + 
} + }, + { + "Name": "github.com/cespare/xxhash/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/cespare/xxhash/v2@v2.2.0", + "UID": "8822338c11d7928e" + }, + "Version": "v2.2.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/coreos/go-semver", + "Identifier": { + "PURL": "pkg:golang/github.com/coreos/go-semver@v0.3.0", + "UID": "4ac5947444be3750" + }, + "Version": "v0.3.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/coreos/go-systemd/v22", + "Identifier": { + "PURL": "pkg:golang/github.com/coreos/go-systemd/v22@v22.3.2", + "UID": "88edbae8e7359cec" + }, + "Version": "v22.3.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/dustin/go-humanize", + "Identifier": { + "PURL": "pkg:golang/github.com/dustin/go-humanize@v1.0.0", + "UID": "adc7e628d087cd08" + }, + "Version": "v1.0.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/go-logr/logr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/logr@v1.3.0", + "UID": "9be8cf0ec160a159" + }, + "Version": "v1.3.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/go-logr/stdr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/stdr@v1.2.2", + 
"UID": "87c53bb321e893d6" + }, + "Version": "v1.2.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/gogo/protobuf", + "Identifier": { + "PURL": "pkg:golang/github.com/gogo/protobuf@v1.3.2", + "UID": "9e6cdd42d78c7244" + }, + "Version": "v1.3.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/golang-jwt/jwt/v4", + "Identifier": { + "PURL": "pkg:golang/github.com/golang-jwt/jwt/v4@v4.4.2", + "UID": "ec773a397a1cd715" + }, + "Version": "v4.4.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/golang/groupcache", + "Identifier": { + "PURL": "pkg:golang/github.com/golang/groupcache@v0.0.0-20210331224755-41bb18bfe9da", + "UID": "43a45d93af27bd11" + }, + "Version": "v0.0.0-20210331224755-41bb18bfe9da", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/golang/protobuf", + "Identifier": { + "PURL": "pkg:golang/github.com/golang/protobuf@v1.5.4", + "UID": "533ffbbd7c3ed002" + }, + "Version": "v1.5.4", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/google/btree", + "Identifier": { + "PURL": "pkg:golang/github.com/google/btree@v1.0.1", + "UID": "8bbe38f84e973941" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": 
"sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/gorilla/websocket", + "Identifier": { + "PURL": "pkg:golang/github.com/gorilla/websocket@v1.4.2", + "UID": "b26dfc41cde3b307" + }, + "Version": "v1.4.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/grpc-ecosystem/go-grpc-middleware", + "Identifier": { + "PURL": "pkg:golang/github.com/grpc-ecosystem/go-grpc-middleware@v1.3.0", + "UID": "e58ccec1b6d93bc9" + }, + "Version": "v1.3.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/grpc-ecosystem/go-grpc-prometheus", + "Identifier": { + "PURL": "pkg:golang/github.com/grpc-ecosystem/go-grpc-prometheus@v1.2.0", + "UID": "3835be9d058da35a" + }, + "Version": "v1.2.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/grpc-ecosystem/grpc-gateway", + "Identifier": { + "PURL": "pkg:golang/github.com/grpc-ecosystem/grpc-gateway@v1.16.0", + "UID": "1b5c9881e570c173" + }, + "Version": "v1.16.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/grpc-ecosystem/grpc-gateway/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/grpc-ecosystem/grpc-gateway/v2@v2.16.0", + "UID": "4d52385e15d913c5" + }, + "Version": "v2.16.0", + "Layer": { + "Digest": 
"sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/jonboulle/clockwork", + "Identifier": { + "PURL": "pkg:golang/github.com/jonboulle/clockwork@v0.2.2", + "UID": "7684c07b5244c94c" + }, + "Version": "v0.2.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/json-iterator/go", + "Identifier": { + "PURL": "pkg:golang/github.com/json-iterator/go@v1.1.11", + "UID": "8782dea7a9093bc4" + }, + "Version": "v1.1.11", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/matttproud/golang_protobuf_extensions", + "Identifier": { + "PURL": "pkg:golang/github.com/matttproud/golang_protobuf_extensions@v1.0.1", + "UID": "80b398c4ff19a7cd" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/modern-go/concurrent", + "Identifier": { + "PURL": "pkg:golang/github.com/modern-go/concurrent@v0.0.0-20180306012644-bacd9c7ef1dd", + "UID": "dd5d250df9d6b600" + }, + "Version": "v0.0.0-20180306012644-bacd9c7ef1dd", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/modern-go/reflect2", + "Identifier": { + "PURL": "pkg:golang/github.com/modern-go/reflect2@v1.0.1", + "UID": "16db08241f9bdb4e" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": 
"sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/prometheus/client_golang", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_golang@v1.11.1", + "UID": "49c20c43f51f8452" + }, + "Version": "v1.11.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/prometheus/client_model", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_model@v0.2.0", + "UID": "edc5a1f78d36505b" + }, + "Version": "v0.2.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/prometheus/common", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/common@v0.26.0", + "UID": "751951482635cbe8" + }, + "Version": "v0.26.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/prometheus/procfs", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/procfs@v0.6.0", + "UID": "605d57b332f8c842" + }, + "Version": "v0.6.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/sirupsen/logrus", + "Identifier": { + "PURL": "pkg:golang/github.com/sirupsen/logrus@v1.9.3", + "UID": "8522d3c4e8377492" + }, + "Version": "v1.9.3", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": 
"sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/soheilhy/cmux", + "Identifier": { + "PURL": "pkg:golang/github.com/soheilhy/cmux@v0.1.5", + "UID": "57e79521cf77f9a0" + }, + "Version": "v0.1.5", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/spf13/cobra", + "Identifier": { + "PURL": "pkg:golang/github.com/spf13/cobra@v1.1.3", + "UID": "da1232c180dcbaa" + }, + "Version": "v1.1.3", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/spf13/pflag", + "Identifier": { + "PURL": "pkg:golang/github.com/spf13/pflag@v1.0.5", + "UID": "ba2cd594c629dc1" + }, + "Version": "v1.0.5", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/tmc/grpc-websocket-proxy", + "Identifier": { + "PURL": "pkg:golang/github.com/tmc/grpc-websocket-proxy@v0.0.0-20201229170055-e5319fda7802", + "UID": "c4187eda118efc4" + }, + "Version": "v0.0.0-20201229170055-e5319fda7802", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/xiang90/probing", + "Identifier": { + "PURL": "pkg:golang/github.com/xiang90/probing@v0.0.0-20190116061207-43a291ad63a2", + "UID": "3bbe55e1050d965" + }, + "Version": "v0.0.0-20190116061207-43a291ad63a2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": 
"sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.etcd.io/bbolt", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/bbolt@v1.3.10", + "UID": "24ebb26fa624b2b9" + }, + "Version": "v1.3.10", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.46.0", + "UID": "29d3d2748c8e5557" + }, + "Version": "v0.46.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/otel", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel@v1.20.0", + "UID": "40e6d505b448e688" + }, + "Version": "v1.20.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/otel/exporters/otlp/otlptrace", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace@v1.20.0", + "UID": "b3fc04b8532ab651" + }, + "Version": "v1.20.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc@v1.20.0", + "UID": "3e8ffb1c45213bf" + }, + "Version": "v1.20.0", + "Layer": { + "Digest": 
"sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/otel/metric", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/metric@v1.20.0", + "UID": "24231a678b2dd9b7" + }, + "Version": "v1.20.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/otel/sdk", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/sdk@v1.20.0", + "UID": "104e8fda753a7688" + }, + "Version": "v1.20.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/otel/trace", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/trace@v1.20.0", + "UID": "bf3823329ca0c4e9" + }, + "Version": "v1.20.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/proto/otlp", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/proto/otlp@v1.0.0", + "UID": "e41d988f66334d50" + }, + "Version": "v1.0.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.uber.org/atomic", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/atomic@v1.7.0", + "UID": "8a78f5ce4716b654" + }, + "Version": "v1.7.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": 
"sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.uber.org/multierr", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/multierr@v1.6.0", + "UID": "c634793a671d3aac" + }, + "Version": "v1.6.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.uber.org/zap", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/zap@v1.17.0", + "UID": "92bbe87c61be991f" + }, + "Version": "v1.17.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "golang.org/x/crypto", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/crypto@v0.21.0", + "UID": "8bc1a545d99266c5" + }, + "Version": "v0.21.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "golang.org/x/net", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.23.0", + "UID": "bf8d91e38798b61e" + }, + "Version": "v0.23.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "golang.org/x/sys", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/sys@v0.18.0", + "UID": "f2da2bc110f2a676" + }, + "Version": "v0.18.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "golang.org/x/text", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/text@v0.14.0", + "UID": "5b441d68daa2a585" + }, + 
"Version": "v0.14.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "golang.org/x/time", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/time@v0.0.0-20210220033141-f8bda1e9f3ba", + "UID": "30141a8ebebac9c9" + }, + "Version": "v0.0.0-20210220033141-f8bda1e9f3ba", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "google.golang.org/genproto", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/genproto@v0.0.0-20230822172742-b8732ec3820d", + "UID": "b25d7781f35e0d55" + }, + "Version": "v0.0.0-20230822172742-b8732ec3820d", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "google.golang.org/genproto/googleapis/api", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/genproto/googleapis/api@v0.0.0-20230822172742-b8732ec3820d", + "UID": "5fbf60e263dcd299" + }, + "Version": "v0.0.0-20230822172742-b8732ec3820d", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "google.golang.org/genproto/googleapis/rpc", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/genproto/googleapis/rpc@v0.0.0-20230822172742-b8732ec3820d", + "UID": "d50f993784f2c826" + }, + "Version": "v0.0.0-20230822172742-b8732ec3820d", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": 
"google.golang.org/grpc", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/grpc@v1.59.0", + "UID": "4c2b6ffab123c9a2" + }, + "Version": "v1.59.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "google.golang.org/protobuf", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/protobuf@v1.33.0", + "UID": "19d74fab69c8fdce" + }, + "Version": "v1.33.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "gopkg.in/natefinch/lumberjack.v2", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/natefinch/lumberjack.v2@v2.0.0", + "UID": "2852aed104c60089" + }, + "Version": "v2.0.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "gopkg.in/yaml.v2", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/yaml.v2@v2.4.0", + "UID": "7983cbd5c2761873" + }, + "Version": "v2.4.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "sigs.k8s.io/yaml", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/yaml@v1.2.0", + "UID": "5036e97359102680" + }, + "Version": "v1.2.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + } + ], + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2024-51744", + "PkgName": "github.com/golang-jwt/jwt/v4", + "PkgIdentifier": { + "PURL": 
"pkg:golang/github.com/golang-jwt/jwt/v4@v4.4.2", + "UID": "ec773a397a1cd715" + }, + "InstalledVersion": "v4.4.2", + "FixedVersion": "4.5.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-51744", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang-jwt: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt", + "Description": "golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in \"dangerous\" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. 
In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors (\"dangerous\" ones first), so that you are not running in the case detailed above.", + "Severity": "LOW", + "CweIDs": [ + "CWE-755" + ], + "VendorSeverity": { + "ghsa": 1, + "redhat": 1 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", + "V3Score": 3.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", + "V3Score": 3.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-51744", + "https://github.com/golang-jwt/jwt", + "https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c", + "https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r", + "https://nvd.nist.gov/vuln/detail/CVE-2024-51744", + "https://www.cve.org/CVERecord?id=CVE-2024-51744" + ], + "PublishedDate": "2024-11-04T22:15:03.997Z", + "LastModifiedDate": "2024-11-05T16:04:26.053Z" + }, + { + "VulnerabilityID": "CVE-2024-34156", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": "pkg:golang/stdlib@v1.21.12", + "UID": "22529b83e39abf11" + }, + "InstalledVersion": "v1.21.12", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34156", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion", + "Description": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. 
This is a follow-up to CVE-2022-30635.", + "Severity": "HIGH", + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9473", + "https://access.redhat.com/security/cve/CVE-2024-34156", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2318052", + "https://bugzilla.redhat.com/show_bug.cgi?id=2262921", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1394", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://errata.almalinux.org/9/ALSA-2024-9473.html", + "https://errata.rockylinux.org/RLSA-2024:7262", + "https://github.com/golang/go/commit/2092294f2b097c5828f4eace6c98a322c1510b01 (go1.22.7)", + "https://github.com/golang/go/commit/fa8ff1a46deb6c816304441ec6740ec112e19012 (go1.23.1)", + "https://go.dev/cl/611239", + "https://go.dev/issue/69139", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34156.html", + "https://linux.oracle.com/errata/ELSA-2024-9473.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34156", + "https://pkg.go.dev/vuln/GO-2024-3106", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34156" + ], + "PublishedDate": "2024-09-06T21:15:12.02Z", + "LastModifiedDate": "2024-09-09T15:35:07.573Z" + }, + { + "VulnerabilityID": "CVE-2024-34155", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": 
"pkg:golang/stdlib@v1.21.12", + "UID": "22529b83e39abf11" + }, + "InstalledVersion": "v1.21.12", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34155", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "go/parser: golang: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion", + "Description": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 2, + "oracle-oval": 3, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 4.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9459", + "https://access.redhat.com/security/cve/CVE-2024-34155", + "https://bugzilla.redhat.com/2310527", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2310529", + "https://bugzilla.redhat.com/2315691", + "https://bugzilla.redhat.com/2315887", + "https://bugzilla.redhat.com/2317458", + "https://bugzilla.redhat.com/2317467", + "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310527", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310529", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34155", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34158", + "https://errata.almalinux.org/9/ALSA-2024-9459.html", + "https://errata.rockylinux.org/RLSA-2024:6913", + "https://github.com/golang/go/commit/53487e5477151ed75da50e50a0ba8f1ca64c00a3 (go1.23.1)", + "https://github.com/golang/go/commit/b232596139dbe96a62edbe3a2a203e856bf556eb (go1.22.7)", + "https://go.dev/cl/611238", + "https://go.dev/issue/69138", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34155.html", + "https://linux.oracle.com/errata/ELSA-2024-9459.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34155", + "https://pkg.go.dev/vuln/GO-2024-3105", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34155" + ], + "PublishedDate": "2024-09-06T21:15:11.947Z", + "LastModifiedDate": "2024-11-04T17:35:17.887Z" + }, + { + "VulnerabilityID": "CVE-2024-34158", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": "pkg:golang/stdlib@v1.21.12", + "UID": "22529b83e39abf11" + }, + "InstalledVersion": "v1.21.12", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34158", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "go/build/constraint: golang: Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion", + "Description": "Calling Parse on a \"// +build\" build tag line with deeply 
nested expressions can cause a panic due to stack exhaustion.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9459", + "https://access.redhat.com/security/cve/CVE-2024-34158", + "https://bugzilla.redhat.com/2310527", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2310529", + "https://bugzilla.redhat.com/2315691", + "https://bugzilla.redhat.com/2315887", + "https://bugzilla.redhat.com/2317458", + "https://bugzilla.redhat.com/2317467", + "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310527", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310529", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34155", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34158", + "https://errata.almalinux.org/9/ALSA-2024-9459.html", + "https://errata.rockylinux.org/RLSA-2024:6913", + "https://github.com/golang/go/commit/032ac075c20c01c6c35a672d1542d3e98eab84ea (go1.23.1)", + "https://github.com/golang/go/commit/d4c53812e6ce2ac368173d7fcd31d0ecfcffb002 (go1.22.7)", + "https://go.dev/cl/611240", + "https://go.dev/issue/69141", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34158.html", + "https://linux.oracle.com/errata/ELSA-2024-9459.html", + 
"https://nvd.nist.gov/vuln/detail/CVE-2024-34158", + "https://pkg.go.dev/vuln/GO-2024-3107", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34158" + ], + "PublishedDate": "2024-09-06T21:15:12.083Z", + "LastModifiedDate": "2024-09-09T14:35:01.17Z" + } + ] + }, + { + "Target": "usr/local/bin/etcd-3.5.15", + "Class": "lang-pkgs", + "Type": "gobinary", + "Packages": [ + { + "Name": "go.etcd.io/etcd/server/v3", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/etcd/server/v3", + "UID": "cdf962bd463dcd08" + }, + "Relationship": "root", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "stdlib", + "Identifier": { + "PURL": "pkg:golang/stdlib@v1.21.12", + "UID": "cc24951288b8e064" + }, + "Version": "v1.21.12", + "Relationship": "direct", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../api", + "Identifier": { + "UID": "6e1580f00142cf92" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../client/pkg", + "Identifier": { + "UID": "f81ea9a069c5997d" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../client/v2", + "Identifier": { + "UID": "9405a86bea3104d3" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": 
"sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../client/v3", + "Identifier": { + "UID": "85e41f542c449374" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../pkg", + "Identifier": { + "UID": "3bb592f671c90913" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../raft", + "Identifier": { + "UID": "274522d6a1e4ab76" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/beorn7/perks", + "Identifier": { + "PURL": "pkg:golang/github.com/beorn7/perks@v1.0.1", + "UID": "4f064b07fa889f4a" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/cenkalti/backoff/v4", + "Identifier": { + "PURL": "pkg:golang/github.com/cenkalti/backoff/v4@v4.2.1", + "UID": "89f9c7fc16d7e762" + }, + "Version": "v4.2.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/cespare/xxhash/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/cespare/xxhash/v2@v2.2.0", + "UID": "58c09bfdda72bf27" + }, + "Version": "v2.2.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": 
"sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/coreos/go-semver", + "Identifier": { + "PURL": "pkg:golang/github.com/coreos/go-semver@v0.3.0", + "UID": "5968fc848c12dc71" + }, + "Version": "v0.3.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/coreos/go-systemd/v22", + "Identifier": { + "PURL": "pkg:golang/github.com/coreos/go-systemd/v22@v22.3.2", + "UID": "db49dd23aec5edc1" + }, + "Version": "v22.3.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/dustin/go-humanize", + "Identifier": { + "PURL": "pkg:golang/github.com/dustin/go-humanize@v1.0.0", + "UID": "51fd349072cc6e0d" + }, + "Version": "v1.0.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/go-logr/logr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/logr@v1.3.0", + "UID": "b7e0f3aaa0bb41a0" + }, + "Version": "v1.3.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/go-logr/stdr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/stdr@v1.2.2", + "UID": "a407fc8dd9ee7da7" + }, + "Version": "v1.2.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/gogo/protobuf", + 
"Identifier": { + "PURL": "pkg:golang/github.com/gogo/protobuf@v1.3.2", + "UID": "bc5995b820e761d5" + }, + "Version": "v1.3.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/golang-jwt/jwt/v4", + "Identifier": { + "PURL": "pkg:golang/github.com/golang-jwt/jwt/v4@v4.4.2", + "UID": "bad1770c3141eb18" + }, + "Version": "v4.4.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/golang/groupcache", + "Identifier": { + "PURL": "pkg:golang/github.com/golang/groupcache@v0.0.0-20210331224755-41bb18bfe9da", + "UID": "54ddcfb9c90808f0" + }, + "Version": "v0.0.0-20210331224755-41bb18bfe9da", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/golang/protobuf", + "Identifier": { + "PURL": "pkg:golang/github.com/golang/protobuf@v1.5.4", + "UID": "8aabdba62ad8ddcb" + }, + "Version": "v1.5.4", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/google/btree", + "Identifier": { + "PURL": "pkg:golang/github.com/google/btree@v1.0.1", + "UID": "39a43989213d7a1c" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/gorilla/websocket", + "Identifier": { + "PURL": "pkg:golang/github.com/gorilla/websocket@v1.4.2", + "UID": 
"43d8ed523adb83e" + }, + "Version": "v1.4.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/grpc-ecosystem/go-grpc-middleware", + "Identifier": { + "PURL": "pkg:golang/github.com/grpc-ecosystem/go-grpc-middleware@v1.3.0", + "UID": "6bf1998ca827d9a8" + }, + "Version": "v1.3.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/grpc-ecosystem/go-grpc-prometheus", + "Identifier": { + "PURL": "pkg:golang/github.com/grpc-ecosystem/go-grpc-prometheus@v1.2.0", + "UID": "f60b1c665585ab9b" + }, + "Version": "v1.2.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/grpc-ecosystem/grpc-gateway", + "Identifier": { + "PURL": "pkg:golang/github.com/grpc-ecosystem/grpc-gateway@v1.16.0", + "UID": "fce0fad4cdba0c2e" + }, + "Version": "v1.16.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/grpc-ecosystem/grpc-gateway/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/grpc-ecosystem/grpc-gateway/v2@v2.16.0", + "UID": "bd784c7f3f0b9c94" + }, + "Version": "v2.16.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/jonboulle/clockwork", + "Identifier": { + "PURL": "pkg:golang/github.com/jonboulle/clockwork@v0.2.2", + "UID": 
"d57ac9f2c5a61d31" + }, + "Version": "v0.2.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/json-iterator/go", + "Identifier": { + "PURL": "pkg:golang/github.com/json-iterator/go@v1.1.11", + "UID": "1e693274a63f19d5" + }, + "Version": "v1.1.11", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/matttproud/golang_protobuf_extensions", + "Identifier": { + "PURL": "pkg:golang/github.com/matttproud/golang_protobuf_extensions@v1.0.1", + "UID": "f1e99ce1f2f43e4" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/modern-go/concurrent", + "Identifier": { + "PURL": "pkg:golang/github.com/modern-go/concurrent@v0.0.0-20180306012644-bacd9c7ef1dd", + "UID": "1849e16785d53295" + }, + "Version": "v0.0.0-20180306012644-bacd9c7ef1dd", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/modern-go/reflect2", + "Identifier": { + "PURL": "pkg:golang/github.com/modern-go/reflect2@v1.0.1", + "UID": "9b4f4a3a103aade3" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/prometheus/client_golang", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_golang@v1.11.1", + "UID": 
"b42cb36acffbe027" + }, + "Version": "v1.11.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/prometheus/client_model", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_model@v0.2.0", + "UID": "243ef73c46c82e02" + }, + "Version": "v0.2.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/prometheus/common", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/common@v0.26.0", + "UID": "e07bc77c357ea1d9" + }, + "Version": "v0.26.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/prometheus/procfs", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/procfs@v0.6.0", + "UID": "e8168514c1a69787" + }, + "Version": "v0.6.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/sirupsen/logrus", + "Identifier": { + "PURL": "pkg:golang/github.com/sirupsen/logrus@v1.9.3", + "UID": "848fa34c70f7f873" + }, + "Version": "v1.9.3", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/soheilhy/cmux", + "Identifier": { + "PURL": "pkg:golang/github.com/soheilhy/cmux@v0.1.5", + "UID": "754087025cffb021" + }, + "Version": "v0.1.5", + "Layer": { + "Digest": 
"sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/spf13/cobra", + "Identifier": { + "PURL": "pkg:golang/github.com/spf13/cobra@v1.1.3", + "UID": "a7163912d4dde107" + }, + "Version": "v1.1.3", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/spf13/pflag", + "Identifier": { + "PURL": "pkg:golang/github.com/spf13/pflag@v1.0.5", + "UID": "2b20baa516446fe4" + }, + "Version": "v1.0.5", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/tmc/grpc-websocket-proxy", + "Identifier": { + "PURL": "pkg:golang/github.com/tmc/grpc-websocket-proxy@v0.0.0-20201229170055-e5319fda7802", + "UID": "38e776007c2d86c1" + }, + "Version": "v0.0.0-20201229170055-e5319fda7802", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/xiang90/probing", + "Identifier": { + "PURL": "pkg:golang/github.com/xiang90/probing@v0.0.0-20190116061207-43a291ad63a2", + "UID": "bfcd7a853709a7b0" + }, + "Version": "v0.0.0-20190116061207-43a291ad63a2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.etcd.io/bbolt", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/bbolt@v1.3.10", + "UID": "7ffe3e01fb07c468" + }, + "Version": "v1.3.10", + "Layer": { + "Digest": 
"sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.46.0", + "UID": "67bf0b93a1395ece" + }, + "Version": "v0.46.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/otel", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel@v1.20.0", + "UID": "5fb5567760ff8c9" + }, + "Version": "v1.20.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/otel/exporters/otlp/otlptrace", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace@v1.20.0", + "UID": "d07f06e1a26d7f38" + }, + "Version": "v1.20.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc@v1.20.0", + "UID": "d91bafd633a3d97e" + }, + "Version": "v1.20.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/otel/metric", + "Identifier": { + "PURL": 
"pkg:golang/go.opentelemetry.io/otel/metric@v1.20.0", + "UID": "e7b5bf185e8f022" + }, + "Version": "v1.20.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/otel/sdk", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/sdk@v1.20.0", + "UID": "229730b49f71161d" + }, + "Version": "v1.20.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/otel/trace", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/trace@v1.20.0", + "UID": "a85d7de7bb53bd54" + }, + "Version": "v1.20.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/proto/otlp", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/proto/otlp@v1.0.0", + "UID": "e0b9d82792497555" + }, + "Version": "v1.0.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.uber.org/atomic", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/atomic@v1.7.0", + "UID": "c958dab38f284421" + }, + "Version": "v1.7.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.uber.org/multierr", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/multierr@v1.6.0", + "UID": "3cb455f22a8fe489" + }, + "Version": "v1.6.0", + "Layer": { + "Digest": 
"sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.uber.org/zap", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/zap@v1.17.0", + "UID": "39bea9e51c32b502" + }, + "Version": "v1.17.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "golang.org/x/crypto", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/crypto@v0.21.0", + "UID": "c50f8aba3517e87c" + }, + "Version": "v0.21.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "golang.org/x/net", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.23.0", + "UID": "4770d275fde358ef" + }, + "Version": "v0.23.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "golang.org/x/sys", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/sys@v0.18.0", + "UID": "7afbe35b5e107f37" + }, + "Version": "v0.18.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "golang.org/x/text", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/text@v0.14.0", + "UID": "27e386d46c1defc0" + }, + "Version": "v0.14.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "golang.org/x/time", + "Identifier": { + 
"PURL": "pkg:golang/golang.org/x/time@v0.0.0-20210220033141-f8bda1e9f3ba", + "UID": "bcefc602f4ca8398" + }, + "Version": "v0.0.0-20210220033141-f8bda1e9f3ba", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "google.golang.org/genproto", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/genproto@v0.0.0-20230822172742-b8732ec3820d", + "UID": "1c7a2c081d4848bc" + }, + "Version": "v0.0.0-20230822172742-b8732ec3820d", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "google.golang.org/genproto/googleapis/api", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/genproto/googleapis/api@v0.0.0-20230822172742-b8732ec3820d", + "UID": "315565aae2a36f10" + }, + "Version": "v0.0.0-20230822172742-b8732ec3820d", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "google.golang.org/genproto/googleapis/rpc", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/genproto/googleapis/rpc@v0.0.0-20230822172742-b8732ec3820d", + "UID": "26cebfc95115f617" + }, + "Version": "v0.0.0-20230822172742-b8732ec3820d", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "google.golang.org/grpc", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/grpc@v1.59.0", + "UID": "66d4d7613f3512df" + }, + "Version": "v1.59.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": 
"sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "google.golang.org/protobuf", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/protobuf@v1.33.0", + "UID": "d3daff240dd4aa5b" + }, + "Version": "v1.33.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "gopkg.in/natefinch/lumberjack.v2", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/natefinch/lumberjack.v2@v2.0.0", + "UID": "a33602752b21d4f8" + }, + "Version": "v2.0.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "gopkg.in/yaml.v2", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/yaml.v2@v2.4.0", + "UID": "1b1152631e51cdf2" + }, + "Version": "v2.4.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "sigs.k8s.io/yaml", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/yaml@v1.2.0", + "UID": "5e06d67402486931" + }, + "Version": "v1.2.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + } + ], + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2024-51744", + "PkgName": "github.com/golang-jwt/jwt/v4", + "PkgIdentifier": { + "PURL": "pkg:golang/github.com/golang-jwt/jwt/v4@v4.4.2", + "UID": "bad1770c3141eb18" + }, + "InstalledVersion": "v4.4.2", + "FixedVersion": "4.5.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": 
"sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-51744", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang-jwt: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt", + "Description": "golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in \"dangerous\" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. 
In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors (\"dangerous\" ones first), so that you are not running in the case detailed above.", + "Severity": "LOW", + "CweIDs": [ + "CWE-755" + ], + "VendorSeverity": { + "ghsa": 1, + "redhat": 1 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", + "V3Score": 3.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", + "V3Score": 3.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-51744", + "https://github.com/golang-jwt/jwt", + "https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c", + "https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r", + "https://nvd.nist.gov/vuln/detail/CVE-2024-51744", + "https://www.cve.org/CVERecord?id=CVE-2024-51744" + ], + "PublishedDate": "2024-11-04T22:15:03.997Z", + "LastModifiedDate": "2024-11-05T16:04:26.053Z" + }, + { + "VulnerabilityID": "CVE-2024-34156", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": "pkg:golang/stdlib@v1.21.12", + "UID": "cc24951288b8e064" + }, + "InstalledVersion": "v1.21.12", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34156", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion", + "Description": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. 
This is a follow-up to CVE-2022-30635.", + "Severity": "HIGH", + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9473", + "https://access.redhat.com/security/cve/CVE-2024-34156", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2318052", + "https://bugzilla.redhat.com/show_bug.cgi?id=2262921", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1394", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://errata.almalinux.org/9/ALSA-2024-9473.html", + "https://errata.rockylinux.org/RLSA-2024:7262", + "https://github.com/golang/go/commit/2092294f2b097c5828f4eace6c98a322c1510b01 (go1.22.7)", + "https://github.com/golang/go/commit/fa8ff1a46deb6c816304441ec6740ec112e19012 (go1.23.1)", + "https://go.dev/cl/611239", + "https://go.dev/issue/69139", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34156.html", + "https://linux.oracle.com/errata/ELSA-2024-9473.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34156", + "https://pkg.go.dev/vuln/GO-2024-3106", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34156" + ], + "PublishedDate": "2024-09-06T21:15:12.02Z", + "LastModifiedDate": "2024-09-09T15:35:07.573Z" + }, + { + "VulnerabilityID": "CVE-2024-34155", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": 
"pkg:golang/stdlib@v1.21.12", + "UID": "cc24951288b8e064" + }, + "InstalledVersion": "v1.21.12", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34155", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "go/parser: golang: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion", + "Description": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 2, + "oracle-oval": 3, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 4.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9459", + "https://access.redhat.com/security/cve/CVE-2024-34155", + "https://bugzilla.redhat.com/2310527", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2310529", + "https://bugzilla.redhat.com/2315691", + "https://bugzilla.redhat.com/2315887", + "https://bugzilla.redhat.com/2317458", + "https://bugzilla.redhat.com/2317467", + "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310527", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310529", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34155", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34158", + "https://errata.almalinux.org/9/ALSA-2024-9459.html", + "https://errata.rockylinux.org/RLSA-2024:6913", + "https://github.com/golang/go/commit/53487e5477151ed75da50e50a0ba8f1ca64c00a3 (go1.23.1)", + "https://github.com/golang/go/commit/b232596139dbe96a62edbe3a2a203e856bf556eb (go1.22.7)", + "https://go.dev/cl/611238", + "https://go.dev/issue/69138", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34155.html", + "https://linux.oracle.com/errata/ELSA-2024-9459.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34155", + "https://pkg.go.dev/vuln/GO-2024-3105", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34155" + ], + "PublishedDate": "2024-09-06T21:15:11.947Z", + "LastModifiedDate": "2024-11-04T17:35:17.887Z" + }, + { + "VulnerabilityID": "CVE-2024-34158", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": "pkg:golang/stdlib@v1.21.12", + "UID": "cc24951288b8e064" + }, + "InstalledVersion": "v1.21.12", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34158", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "go/build/constraint: golang: Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion", + "Description": "Calling Parse on a \"// +build\" build tag line with deeply 
nested expressions can cause a panic due to stack exhaustion.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9459", + "https://access.redhat.com/security/cve/CVE-2024-34158", + "https://bugzilla.redhat.com/2310527", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2310529", + "https://bugzilla.redhat.com/2315691", + "https://bugzilla.redhat.com/2315887", + "https://bugzilla.redhat.com/2317458", + "https://bugzilla.redhat.com/2317467", + "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310527", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310529", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34155", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34158", + "https://errata.almalinux.org/9/ALSA-2024-9459.html", + "https://errata.rockylinux.org/RLSA-2024:6913", + "https://github.com/golang/go/commit/032ac075c20c01c6c35a672d1542d3e98eab84ea (go1.23.1)", + "https://github.com/golang/go/commit/d4c53812e6ce2ac368173d7fcd31d0ecfcffb002 (go1.22.7)", + "https://go.dev/cl/611240", + "https://go.dev/issue/69141", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34158.html", + "https://linux.oracle.com/errata/ELSA-2024-9459.html", + 
"https://nvd.nist.gov/vuln/detail/CVE-2024-34158", + "https://pkg.go.dev/vuln/GO-2024-3107", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34158" + ], + "PublishedDate": "2024-09-06T21:15:12.083Z", + "LastModifiedDate": "2024-09-09T14:35:01.17Z" + } + ] + }, + { + "Target": "usr/local/bin/etcdctl", + "Class": "lang-pkgs", + "Type": "gobinary", + "Packages": [ + { + "Name": "go.etcd.io/etcd/etcdctl/v3", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/etcd/etcdctl/v3", + "UID": "c753b6dedabc8c2f" + }, + "Relationship": "root", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "stdlib", + "Identifier": { + "PURL": "pkg:golang/stdlib@v1.21.12", + "UID": "aa15399ca0e84931" + }, + "Version": "v1.21.12", + "Relationship": "direct", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../api", + "Identifier": { + "UID": "bcec1ae769c27fff" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../client/pkg", + "Identifier": { + "UID": "2591ddcce95c6788" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../client/v2", + "Identifier": { + "UID": "80eed298d7737f46" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": 
"sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../client/v3", + "Identifier": { + "UID": "e443db4c104a0add" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../etcdutl", + "Identifier": { + "UID": "72bdc66829aefe5b" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../pkg", + "Identifier": { + "UID": "c77946db64ac1c56" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../raft", + "Identifier": { + "UID": "43146606d4e127b" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../server", + "Identifier": { + "UID": "b111df5acf5138b1" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/beorn7/perks", + "Identifier": { + "PURL": "pkg:golang/github.com/beorn7/perks@v1.0.1", + "UID": "1b7dc704679f62ef" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/bgentry/speakeasy", + "Identifier": { + "PURL": "pkg:golang/github.com/bgentry/speakeasy@v0.1.0", + "UID": "11b86c67e77c0bee" + }, + "Version": "v0.1.0", + 
"Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/cespare/xxhash/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/cespare/xxhash/v2@v2.2.0", + "UID": "e3df6ec7c0851d9a" + }, + "Version": "v2.2.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/coreos/go-semver", + "Identifier": { + "PURL": "pkg:golang/github.com/coreos/go-semver@v0.3.0", + "UID": "a10477127004bd78" + }, + "Version": "v0.3.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/coreos/go-systemd/v22", + "Identifier": { + "PURL": "pkg:golang/github.com/coreos/go-systemd/v22@v22.3.2", + "UID": "c488952fb4f29b9c" + }, + "Version": "v22.3.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/cpuguy83/go-md2man/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/cpuguy83/go-md2man/v2@v2.0.0", + "UID": "7b10d9a35faf774b" + }, + "Version": "v2.0.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/dustin/go-humanize", + "Identifier": { + "PURL": "pkg:golang/github.com/dustin/go-humanize@v1.0.0", + "UID": "af02cc9fcecc3c28" + }, + "Version": "v1.0.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + 
"DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/go-logr/logr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/logr@v1.3.0", + "UID": "14752d87c52b9395" + }, + "Version": "v1.3.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/go-logr/stdr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/stdr@v1.2.2", + "UID": "67aa2ae8b2c95332" + }, + "Version": "v1.2.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/gogo/protobuf", + "Identifier": { + "PURL": "pkg:golang/github.com/gogo/protobuf@v1.3.2", + "UID": "6b98ddd46e27fb6c" + }, + "Version": "v1.3.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/golang-jwt/jwt/v4", + "Identifier": { + "PURL": "pkg:golang/github.com/golang-jwt/jwt/v4@v4.4.2", + "UID": "c102d3b86d1bd971" + }, + "Version": "v4.4.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/golang/protobuf", + "Identifier": { + "PURL": "pkg:golang/github.com/golang/protobuf@v1.5.4", + "UID": "937f9408ac5773d6" + }, + "Version": "v1.5.4", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/google/btree", + "Identifier": { + 
"PURL": "pkg:golang/github.com/google/btree@v1.0.1", + "UID": "9f399e26bc93c1d" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/jonboulle/clockwork", + "Identifier": { + "PURL": "pkg:golang/github.com/jonboulle/clockwork@v0.2.2", + "UID": "c3d9197cfdc2f28" + }, + "Version": "v0.2.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/json-iterator/go", + "Identifier": { + "PURL": "pkg:golang/github.com/json-iterator/go@v1.1.11", + "UID": "83d5b912b4f78ac8" + }, + "Version": "v1.1.11", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/mattn/go-runewidth", + "Identifier": { + "PURL": "pkg:golang/github.com/mattn/go-runewidth@v0.0.9", + "UID": "25d10c337f5137ba" + }, + "Version": "v0.0.9", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/matttproud/golang_protobuf_extensions", + "Identifier": { + "PURL": "pkg:golang/github.com/matttproud/golang_protobuf_extensions@v1.0.1", + "UID": "46bf1d1225fad20d" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/modern-go/concurrent", + "Identifier": { + "PURL": 
"pkg:golang/github.com/modern-go/concurrent@v0.0.0-20180306012644-bacd9c7ef1dd", + "UID": "24b16d462d492c24" + }, + "Version": "v0.0.0-20180306012644-bacd9c7ef1dd", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/modern-go/reflect2", + "Identifier": { + "PURL": "pkg:golang/github.com/modern-go/reflect2@v1.0.1", + "UID": "a1a132a1298dccc6" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/olekukonko/tablewriter", + "Identifier": { + "PURL": "pkg:golang/github.com/olekukonko/tablewriter@v0.0.5", + "UID": "6e7d9c835b9daa89" + }, + "Version": "v0.0.5", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/prometheus/client_golang", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_golang@v1.11.1", + "UID": "8c2009e1bcf5397a" + }, + "Version": "v1.11.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/prometheus/client_model", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_model@v0.2.0", + "UID": "ea650feeec18ef47" + }, + "Version": "v0.2.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/prometheus/common", + "Identifier": { + "PURL": 
"pkg:golang/github.com/prometheus/common@v0.26.0", + "UID": "355e7b0c35fa3d6c" + }, + "Version": "v0.26.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/prometheus/procfs", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/procfs@v0.6.0", + "UID": "7f71b9784700ee46" + }, + "Version": "v0.6.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/russross/blackfriday/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/russross/blackfriday/v2@v2.0.1", + "UID": "69257b1f101296" + }, + "Version": "v2.0.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/shurcooL/sanitized_anchor_name", + "Identifier": { + "PURL": "pkg:golang/github.com/shurcool/sanitized_anchor_name@v1.0.0", + "UID": "ce9aa5abb7299894" + }, + "Version": "v1.0.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/spf13/cobra", + "Identifier": { + "PURL": "pkg:golang/github.com/spf13/cobra@v1.1.3", + "UID": "9caee571390f63ca" + }, + "Version": "v1.1.3", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/spf13/pflag", + "Identifier": { + "PURL": "pkg:golang/github.com/spf13/pflag@v1.0.5", + "UID": "2c3b03008e946249" + }, + "Version": "v1.0.5", + 
"Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/urfave/cli", + "Identifier": { + "PURL": "pkg:golang/github.com/urfave/cli@v1.22.4", + "UID": "489007e7c0f90166" + }, + "Version": "v1.22.4", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/xiang90/probing", + "Identifier": { + "PURL": "pkg:golang/github.com/xiang90/probing@v0.0.0-20190116061207-43a291ad63a2", + "UID": "e4fd1506c517e87d" + }, + "Version": "v0.0.0-20190116061207-43a291ad63a2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.etcd.io/bbolt", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/bbolt@v1.3.10", + "UID": "172d9405abd30ee1" + }, + "Version": "v1.3.10", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.46.0", + "UID": "ab81c35a32d8f66f" + }, + "Version": "v0.46.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/otel", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel@v1.20.0", + "UID": "30e9cb80a859a4a8" + }, + "Version": "v1.20.0", + "Layer": { + 
"Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/otel/metric", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/metric@v1.20.0", + "UID": "ae7b9e04047f8e73" + }, + "Version": "v1.20.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/otel/trace", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/trace@v1.20.0", + "UID": "dd188fb7798cc155" + }, + "Version": "v1.20.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.uber.org/atomic", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/atomic@v1.7.0", + "UID": "e2673d21b1f18334" + }, + "Version": "v1.7.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.uber.org/multierr", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/multierr@v1.6.0", + "UID": "96307ef4c281dcc8" + }, + "Version": "v1.6.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.uber.org/zap", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/zap@v1.17.0", + "UID": "cc994382abbee8db" + }, + "Version": "v1.17.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" 
+ } + }, + { + "Name": "golang.org/x/crypto", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/crypto@v0.21.0", + "UID": "f6791b8038f1bac1" + }, + "Version": "v0.21.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "golang.org/x/net", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.23.0", + "UID": "2e18336b852a9eae" + }, + "Version": "v0.23.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "golang.org/x/sys", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/sys@v0.18.0", + "UID": "e1a85a554432f49e" + }, + "Version": "v0.18.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "golang.org/x/text", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/text@v0.14.0", + "UID": "f6ed1ed5dced830d" + }, + "Version": "v0.14.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "golang.org/x/time", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/time@v0.0.0-20210220033141-f8bda1e9f3ba", + "UID": "c726ec14ab564c09" + }, + "Version": "v0.0.0-20210220033141-f8bda1e9f3ba", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "google.golang.org/genproto/googleapis/api", + "Identifier": { + "PURL": 
"pkg:golang/google.golang.org/genproto/googleapis/api@v0.0.0-20230822172742-b8732ec3820d", + "UID": "1fd8b75b450fe999" + }, + "Version": "v0.0.0-20230822172742-b8732ec3820d", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "google.golang.org/genproto/googleapis/rpc", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/genproto/googleapis/rpc@v0.0.0-20230822172742-b8732ec3820d", + "UID": "48c8d428fbaa398a" + }, + "Version": "v0.0.0-20230822172742-b8732ec3820d", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "google.golang.org/grpc", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/grpc@v1.59.0", + "UID": "d22a8da8a5925062" + }, + "Version": "v1.59.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "google.golang.org/protobuf", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/protobuf@v1.33.0", + "UID": "3667b57612969d3a" + }, + "Version": "v1.33.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "gopkg.in/cheggaaa/pb.v1", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/cheggaaa/pb.v1@v1.0.28", + "UID": "41ebb3fb58d72142" + }, + "Version": "v1.0.28", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + } + ], + "Vulnerabilities": [ + { + "VulnerabilityID": 
"CVE-2024-51744", + "PkgName": "github.com/golang-jwt/jwt/v4", + "PkgIdentifier": { + "PURL": "pkg:golang/github.com/golang-jwt/jwt/v4@v4.4.2", + "UID": "c102d3b86d1bd971" + }, + "InstalledVersion": "v4.4.2", + "FixedVersion": "4.5.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-51744", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang-jwt: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt", + "Description": "golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in \"dangerous\" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. 
In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors (\"dangerous\" ones first), so that you are not running in the case detailed above.", + "Severity": "LOW", + "CweIDs": [ + "CWE-755" + ], + "VendorSeverity": { + "ghsa": 1, + "redhat": 1 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", + "V3Score": 3.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", + "V3Score": 3.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-51744", + "https://github.com/golang-jwt/jwt", + "https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c", + "https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r", + "https://nvd.nist.gov/vuln/detail/CVE-2024-51744", + "https://www.cve.org/CVERecord?id=CVE-2024-51744" + ], + "PublishedDate": "2024-11-04T22:15:03.997Z", + "LastModifiedDate": "2024-11-05T16:04:26.053Z" + }, + { + "VulnerabilityID": "CVE-2024-34156", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": "pkg:golang/stdlib@v1.21.12", + "UID": "aa15399ca0e84931" + }, + "InstalledVersion": "v1.21.12", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34156", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion", + "Description": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. 
This is a follow-up to CVE-2022-30635.", + "Severity": "HIGH", + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9473", + "https://access.redhat.com/security/cve/CVE-2024-34156", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2318052", + "https://bugzilla.redhat.com/show_bug.cgi?id=2262921", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1394", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://errata.almalinux.org/9/ALSA-2024-9473.html", + "https://errata.rockylinux.org/RLSA-2024:7262", + "https://github.com/golang/go/commit/2092294f2b097c5828f4eace6c98a322c1510b01 (go1.22.7)", + "https://github.com/golang/go/commit/fa8ff1a46deb6c816304441ec6740ec112e19012 (go1.23.1)", + "https://go.dev/cl/611239", + "https://go.dev/issue/69139", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34156.html", + "https://linux.oracle.com/errata/ELSA-2024-9473.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34156", + "https://pkg.go.dev/vuln/GO-2024-3106", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34156" + ], + "PublishedDate": "2024-09-06T21:15:12.02Z", + "LastModifiedDate": "2024-09-09T15:35:07.573Z" + }, + { + "VulnerabilityID": "CVE-2024-34155", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": 
"pkg:golang/stdlib@v1.21.12", + "UID": "aa15399ca0e84931" + }, + "InstalledVersion": "v1.21.12", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34155", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "go/parser: golang: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion", + "Description": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 2, + "oracle-oval": 3, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 4.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9459", + "https://access.redhat.com/security/cve/CVE-2024-34155", + "https://bugzilla.redhat.com/2310527", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2310529", + "https://bugzilla.redhat.com/2315691", + "https://bugzilla.redhat.com/2315887", + "https://bugzilla.redhat.com/2317458", + "https://bugzilla.redhat.com/2317467", + "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310527", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310529", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34155", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34158", + "https://errata.almalinux.org/9/ALSA-2024-9459.html", + "https://errata.rockylinux.org/RLSA-2024:6913", + "https://github.com/golang/go/commit/53487e5477151ed75da50e50a0ba8f1ca64c00a3 (go1.23.1)", + "https://github.com/golang/go/commit/b232596139dbe96a62edbe3a2a203e856bf556eb (go1.22.7)", + "https://go.dev/cl/611238", + "https://go.dev/issue/69138", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34155.html", + "https://linux.oracle.com/errata/ELSA-2024-9459.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34155", + "https://pkg.go.dev/vuln/GO-2024-3105", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34155" + ], + "PublishedDate": "2024-09-06T21:15:11.947Z", + "LastModifiedDate": "2024-11-04T17:35:17.887Z" + }, + { + "VulnerabilityID": "CVE-2024-34158", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": "pkg:golang/stdlib@v1.21.12", + "UID": "aa15399ca0e84931" + }, + "InstalledVersion": "v1.21.12", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34158", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "go/build/constraint: golang: Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion", + "Description": "Calling Parse on a \"// +build\" build tag line with deeply 
nested expressions can cause a panic due to stack exhaustion.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9459", + "https://access.redhat.com/security/cve/CVE-2024-34158", + "https://bugzilla.redhat.com/2310527", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2310529", + "https://bugzilla.redhat.com/2315691", + "https://bugzilla.redhat.com/2315887", + "https://bugzilla.redhat.com/2317458", + "https://bugzilla.redhat.com/2317467", + "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310527", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310529", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34155", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34158", + "https://errata.almalinux.org/9/ALSA-2024-9459.html", + "https://errata.rockylinux.org/RLSA-2024:6913", + "https://github.com/golang/go/commit/032ac075c20c01c6c35a672d1542d3e98eab84ea (go1.23.1)", + "https://github.com/golang/go/commit/d4c53812e6ce2ac368173d7fcd31d0ecfcffb002 (go1.22.7)", + "https://go.dev/cl/611240", + "https://go.dev/issue/69141", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34158.html", + "https://linux.oracle.com/errata/ELSA-2024-9459.html", + 
"https://nvd.nist.gov/vuln/detail/CVE-2024-34158", + "https://pkg.go.dev/vuln/GO-2024-3107", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34158" + ], + "PublishedDate": "2024-09-06T21:15:12.083Z", + "LastModifiedDate": "2024-09-09T14:35:01.17Z" + } + ] + }, + { + "Target": "usr/local/bin/etcdctl-3.5.15", + "Class": "lang-pkgs", + "Type": "gobinary", + "Packages": [ + { + "Name": "go.etcd.io/etcd/etcdctl/v3", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/etcd/etcdctl/v3", + "UID": "e8a1314b45589154" + }, + "Relationship": "root", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "stdlib", + "Identifier": { + "PURL": "pkg:golang/stdlib@v1.21.12", + "UID": "ca6688bb0ff57c1e" + }, + "Version": "v1.21.12", + "Relationship": "direct", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../api", + "Identifier": { + "UID": "6e16bcef2cfe0f34" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../client/pkg", + "Identifier": { + "UID": "5f6b7a06ada3f8f" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../client/v2", + "Identifier": { + "UID": "80b102ee397dfb51" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": 
"sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../client/v3", + "Identifier": { + "UID": "4a582707631b872e" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../etcdutl", + "Identifier": { + "UID": "5b9f933c640021dc" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../pkg", + "Identifier": { + "UID": "1f3eccfc3ca04881" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../raft", + "Identifier": { + "UID": "91922eb41c7c70a8" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "../server", + "Identifier": { + "UID": "4a596f2b433de28e" + }, + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/beorn7/perks", + "Identifier": { + "PURL": "pkg:golang/github.com/beorn7/perks@v1.0.1", + "UID": "8450e554359e52f8" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/bgentry/speakeasy", + "Identifier": { + "PURL": "pkg:golang/github.com/bgentry/speakeasy@v0.1.0", + "UID": "f6d36adf46447e99" + }, + "Version": "v0.1.0", + 
"Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/cespare/xxhash/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/cespare/xxhash/v2@v2.2.0", + "UID": "e2e2eed9b950242d" + }, + "Version": "v2.2.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/coreos/go-semver", + "Identifier": { + "PURL": "pkg:golang/github.com/coreos/go-semver@v0.3.0", + "UID": "eca72768b2179fe3" + }, + "Version": "v0.3.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/coreos/go-systemd/v22", + "Identifier": { + "PURL": "pkg:golang/github.com/coreos/go-systemd/v22@v22.3.2", + "UID": "768bda8c6e7f8b13" + }, + "Version": "v22.3.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/cpuguy83/go-md2man/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/cpuguy83/go-md2man/v2@v2.0.0", + "UID": "4237ae3aec4f109c" + }, + "Version": "v2.0.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/dustin/go-humanize", + "Identifier": { + "PURL": "pkg:golang/github.com/dustin/go-humanize@v1.0.0", + "UID": "78b2a4bbcd62d197" + }, + "Version": "v1.0.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + 
"DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/go-logr/logr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/logr@v1.3.0", + "UID": "df9b1502a6fa088a" + }, + "Version": "v1.3.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/go-logr/stdr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/stdr@v1.2.2", + "UID": "1c899f3648e1289" + }, + "Version": "v1.2.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/gogo/protobuf", + "Identifier": { + "PURL": "pkg:golang/github.com/gogo/protobuf@v1.3.2", + "UID": "4584bbe3760ac08f" + }, + "Version": "v1.3.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/golang-jwt/jwt/v4", + "Identifier": { + "PURL": "pkg:golang/github.com/golang-jwt/jwt/v4@v4.4.2", + "UID": "71e71873cf96a22e" + }, + "Version": "v4.4.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/golang/protobuf", + "Identifier": { + "PURL": "pkg:golang/github.com/golang/protobuf@v1.5.4", + "UID": "9c36cebdb69dda99" + }, + "Version": "v1.5.4", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/google/btree", + "Identifier": { + 
"PURL": "pkg:golang/github.com/google/btree@v1.0.1", + "UID": "b644f10a4666adfe" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/jonboulle/clockwork", + "Identifier": { + "PURL": "pkg:golang/github.com/jonboulle/clockwork@v0.2.2", + "UID": "d1e04b22910b489b" + }, + "Version": "v0.2.2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/json-iterator/go", + "Identifier": { + "PURL": "pkg:golang/github.com/json-iterator/go@v1.1.11", + "UID": "ff763908552d42e7" + }, + "Version": "v1.1.11", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/mattn/go-runewidth", + "Identifier": { + "PURL": "pkg:golang/github.com/mattn/go-runewidth@v0.0.9", + "UID": "332c32b538622695" + }, + "Version": "v0.0.9", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/matttproud/golang_protobuf_extensions", + "Identifier": { + "PURL": "pkg:golang/github.com/matttproud/golang_protobuf_extensions@v1.0.1", + "UID": "e088d6f4358a76b6" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/modern-go/concurrent", + "Identifier": { + "PURL": 
"pkg:golang/github.com/modern-go/concurrent@v0.0.0-20180306012644-bacd9c7ef1dd", + "UID": "e87554a62e1d9073" + }, + "Version": "v0.0.0-20180306012644-bacd9c7ef1dd", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/modern-go/reflect2", + "Identifier": { + "PURL": "pkg:golang/github.com/modern-go/reflect2@v1.0.1", + "UID": "1666fef541e5f195" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/olekukonko/tablewriter", + "Identifier": { + "PURL": "pkg:golang/github.com/olekukonko/tablewriter@v0.0.5", + "UID": "129c0210fecae1fa" + }, + "Version": "v0.0.5", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/prometheus/client_golang", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_golang@v1.11.1", + "UID": "5dd544f1d2794975" + }, + "Version": "v1.11.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/prometheus/client_model", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_model@v0.2.0", + "UID": "bebcda1cbebed2e8" + }, + "Version": "v0.2.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/prometheus/common", + "Identifier": { + "PURL": 
"pkg:golang/github.com/prometheus/common@v0.26.0", + "UID": "ce8e89b79553e403" + }, + "Version": "v0.26.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/prometheus/procfs", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/procfs@v0.6.0", + "UID": "88973202d886a409" + }, + "Version": "v0.6.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/russross/blackfriday/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/russross/blackfriday/v2@v2.0.1", + "UID": "9127f6eeb40a657d" + }, + "Version": "v2.0.1", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/shurcooL/sanitized_anchor_name", + "Identifier": { + "PURL": "pkg:golang/github.com/shurcool/sanitized_anchor_name@v1.0.0", + "UID": "8fb7752fa49ed17f" + }, + "Version": "v1.0.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/spf13/cobra", + "Identifier": { + "PURL": "pkg:golang/github.com/spf13/cobra@v1.1.3", + "UID": "5d6dcf51f799e785" + }, + "Version": "v1.1.3", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/spf13/pflag", + "Identifier": { + "PURL": "pkg:golang/github.com/spf13/pflag@v1.0.5", + "UID": "1fb71d6687b0c592" + }, + "Version": "v1.0.5", + 
"Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/urfave/cli", + "Identifier": { + "PURL": "pkg:golang/github.com/urfave/cli@v1.22.4", + "UID": "b45ceded9786ca79" + }, + "Version": "v1.22.4", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "github.com/xiang90/probing", + "Identifier": { + "PURL": "pkg:golang/github.com/xiang90/probing@v0.0.0-20190116061207-43a291ad63a2", + "UID": "30f5bae364119276" + }, + "Version": "v0.0.0-20190116061207-43a291ad63a2", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.etcd.io/bbolt", + "Identifier": { + "PURL": "pkg:golang/go.etcd.io/bbolt@v1.3.10", + "UID": "dac495e37a24fe3e" + }, + "Version": "v1.3.10", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.46.0", + "UID": "4e7cc6855abd66e8" + }, + "Version": "v0.46.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/otel", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel@v1.20.0", + "UID": "5fc28bb31fedbf7b" + }, + "Version": "v1.20.0", + "Layer": { + 
"Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/otel/metric", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/metric@v1.20.0", + "UID": "71c557253c93398c" + }, + "Version": "v1.20.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.opentelemetry.io/otel/trace", + "Identifier": { + "PURL": "pkg:golang/go.opentelemetry.io/otel/trace@v1.20.0", + "UID": "6d602ba805963b9e" + }, + "Version": "v1.20.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.uber.org/atomic", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/atomic@v1.7.0", + "UID": "9c10515b7be5c583" + }, + "Version": "v1.7.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.uber.org/multierr", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/multierr@v1.6.0", + "UID": "577307448194491f" + }, + "Version": "v1.6.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "go.uber.org/zap", + "Identifier": { + "PURL": "pkg:golang/go.uber.org/zap@v1.17.0", + "UID": "d677ff654f13a884" + }, + "Version": "v1.17.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" 
+ } + }, + { + "Name": "golang.org/x/crypto", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/crypto@v0.21.0", + "UID": "d78070a6935ced4e" + }, + "Version": "v0.21.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "golang.org/x/net", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.23.0", + "UID": "b3d5bccd10bc1df9" + }, + "Version": "v0.23.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "golang.org/x/sys", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/sys@v0.18.0", + "UID": "6a4444c557bd7801" + }, + "Version": "v0.18.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "golang.org/x/text", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/text@v0.14.0", + "UID": "84c54cf0a52e69c2" + }, + "Version": "v0.14.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "golang.org/x/time", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/time@v0.0.0-20210220033141-f8bda1e9f3ba", + "UID": "801910c172e75e46" + }, + "Version": "v0.0.0-20210220033141-f8bda1e9f3ba", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "google.golang.org/genproto/googleapis/api", + "Identifier": { + "PURL": 
"pkg:golang/google.golang.org/genproto/googleapis/api@v0.0.0-20230822172742-b8732ec3820d", + "UID": "6140e1345edee936" + }, + "Version": "v0.0.0-20230822172742-b8732ec3820d", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "google.golang.org/genproto/googleapis/rpc", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/genproto/googleapis/rpc@v0.0.0-20230822172742-b8732ec3820d", + "UID": "f267fe9c030e405" + }, + "Version": "v0.0.0-20230822172742-b8732ec3820d", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "google.golang.org/grpc", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/grpc@v1.59.0", + "UID": "85061409e6ed8055" + }, + "Version": "v1.59.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "google.golang.org/protobuf", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/protobuf@v1.33.0", + "UID": "ec9815439352e0f9" + }, + "Version": "v1.33.0", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + }, + { + "Name": "gopkg.in/cheggaaa/pb.v1", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/cheggaaa/pb.v1@v1.0.28", + "UID": "d0927f197c3b1e45" + }, + "Version": "v1.0.28", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + } + } + ], + "Vulnerabilities": [ + { + "VulnerabilityID": 
"CVE-2024-51744", + "PkgName": "github.com/golang-jwt/jwt/v4", + "PkgIdentifier": { + "PURL": "pkg:golang/github.com/golang-jwt/jwt/v4@v4.4.2", + "UID": "71e71873cf96a22e" + }, + "InstalledVersion": "v4.4.2", + "FixedVersion": "4.5.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-51744", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang-jwt: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt", + "Description": "golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in \"dangerous\" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. 
In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors (\"dangerous\" ones first), so that you are not running in the case detailed above.", + "Severity": "LOW", + "CweIDs": [ + "CWE-755" + ], + "VendorSeverity": { + "ghsa": 1, + "redhat": 1 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", + "V3Score": 3.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", + "V3Score": 3.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-51744", + "https://github.com/golang-jwt/jwt", + "https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c", + "https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r", + "https://nvd.nist.gov/vuln/detail/CVE-2024-51744", + "https://www.cve.org/CVERecord?id=CVE-2024-51744" + ], + "PublishedDate": "2024-11-04T22:15:03.997Z", + "LastModifiedDate": "2024-11-05T16:04:26.053Z" + }, + { + "VulnerabilityID": "CVE-2024-34156", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": "pkg:golang/stdlib@v1.21.12", + "UID": "ca6688bb0ff57c1e" + }, + "InstalledVersion": "v1.21.12", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34156", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion", + "Description": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. 
This is a follow-up to CVE-2022-30635.", + "Severity": "HIGH", + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9473", + "https://access.redhat.com/security/cve/CVE-2024-34156", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2318052", + "https://bugzilla.redhat.com/show_bug.cgi?id=2262921", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1394", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://errata.almalinux.org/9/ALSA-2024-9473.html", + "https://errata.rockylinux.org/RLSA-2024:7262", + "https://github.com/golang/go/commit/2092294f2b097c5828f4eace6c98a322c1510b01 (go1.22.7)", + "https://github.com/golang/go/commit/fa8ff1a46deb6c816304441ec6740ec112e19012 (go1.23.1)", + "https://go.dev/cl/611239", + "https://go.dev/issue/69139", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34156.html", + "https://linux.oracle.com/errata/ELSA-2024-9473.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34156", + "https://pkg.go.dev/vuln/GO-2024-3106", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34156" + ], + "PublishedDate": "2024-09-06T21:15:12.02Z", + "LastModifiedDate": "2024-09-09T15:35:07.573Z" + }, + { + "VulnerabilityID": "CVE-2024-34155", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": 
"pkg:golang/stdlib@v1.21.12", + "UID": "ca6688bb0ff57c1e" + }, + "InstalledVersion": "v1.21.12", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34155", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "go/parser: golang: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion", + "Description": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 2, + "oracle-oval": 3, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 4.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9459", + "https://access.redhat.com/security/cve/CVE-2024-34155", + "https://bugzilla.redhat.com/2310527", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2310529", + "https://bugzilla.redhat.com/2315691", + "https://bugzilla.redhat.com/2315887", + "https://bugzilla.redhat.com/2317458", + "https://bugzilla.redhat.com/2317467", + "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310527", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310529", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34155", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34158", + "https://errata.almalinux.org/9/ALSA-2024-9459.html", + "https://errata.rockylinux.org/RLSA-2024:6913", + "https://github.com/golang/go/commit/53487e5477151ed75da50e50a0ba8f1ca64c00a3 (go1.23.1)", + "https://github.com/golang/go/commit/b232596139dbe96a62edbe3a2a203e856bf556eb (go1.22.7)", + "https://go.dev/cl/611238", + "https://go.dev/issue/69138", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34155.html", + "https://linux.oracle.com/errata/ELSA-2024-9459.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34155", + "https://pkg.go.dev/vuln/GO-2024-3105", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34155" + ], + "PublishedDate": "2024-09-06T21:15:11.947Z", + "LastModifiedDate": "2024-11-04T17:35:17.887Z" + }, + { + "VulnerabilityID": "CVE-2024-34158", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": "pkg:golang/stdlib@v1.21.12", + "UID": "ca6688bb0ff57c1e" + }, + "InstalledVersion": "v1.21.12", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:9fa13a1d70342308493e7c749f440157fe9da6d33639eee89a3ba0fbb8351dbf", + "DiffID": "sha256:c271479d6735a9cd0bd8cabc90c39fdbfe004c4382bdd396bd759f224e122c83" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34158", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "go/build/constraint: golang: Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion", + "Description": "Calling Parse on a \"// +build\" build tag line with deeply 
nested expressions can cause a panic due to stack exhaustion.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9459", + "https://access.redhat.com/security/cve/CVE-2024-34158", + "https://bugzilla.redhat.com/2310527", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2310529", + "https://bugzilla.redhat.com/2315691", + "https://bugzilla.redhat.com/2315887", + "https://bugzilla.redhat.com/2317458", + "https://bugzilla.redhat.com/2317467", + "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310527", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310529", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34155", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34158", + "https://errata.almalinux.org/9/ALSA-2024-9459.html", + "https://errata.rockylinux.org/RLSA-2024:6913", + "https://github.com/golang/go/commit/032ac075c20c01c6c35a672d1542d3e98eab84ea (go1.23.1)", + "https://github.com/golang/go/commit/d4c53812e6ce2ac368173d7fcd31d0ecfcffb002 (go1.22.7)", + "https://go.dev/cl/611240", + "https://go.dev/issue/69141", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34158.html", + "https://linux.oracle.com/errata/ELSA-2024-9459.html", + 
"https://nvd.nist.gov/vuln/detail/CVE-2024-34158", + "https://pkg.go.dev/vuln/GO-2024-3107", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34158" + ], + "PublishedDate": "2024-09-06T21:15:12.083Z", + "LastModifiedDate": "2024-09-09T14:35:01.17Z" + } + ] + }, + { + "Target": "usr/local/bin/migrate", + "Class": "lang-pkgs", + "Type": "gobinary", + "Packages": [ + { + "Name": "stdlib", + "Identifier": { + "PURL": "pkg:golang/stdlib@v1.21.12", + "UID": "e6e2fccbe7fc0921" + }, + "Version": "v1.21.12", + "Relationship": "direct", + "Layer": { + "Digest": "sha256:7e6d002f7f7e8ec39ff23a7fb02061876ad29b9dc8cfc7bd5523cb683c965382", + "DiffID": "sha256:b20c1907f1d5c1c296bad50c967b10ceae5998d06942e8f08286ec41746aa57d" + } + } + ], + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2024-34156", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": "pkg:golang/stdlib@v1.21.12", + "UID": "e6e2fccbe7fc0921" + }, + "InstalledVersion": "v1.21.12", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:7e6d002f7f7e8ec39ff23a7fb02061876ad29b9dc8cfc7bd5523cb683c965382", + "DiffID": "sha256:b20c1907f1d5c1c296bad50c967b10ceae5998d06942e8f08286ec41746aa57d" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34156", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion", + "Description": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. 
This is a follow-up to CVE-2022-30635.", + "Severity": "HIGH", + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9473", + "https://access.redhat.com/security/cve/CVE-2024-34156", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2318052", + "https://bugzilla.redhat.com/show_bug.cgi?id=2262921", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1394", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://errata.almalinux.org/9/ALSA-2024-9473.html", + "https://errata.rockylinux.org/RLSA-2024:7262", + "https://github.com/golang/go/commit/2092294f2b097c5828f4eace6c98a322c1510b01 (go1.22.7)", + "https://github.com/golang/go/commit/fa8ff1a46deb6c816304441ec6740ec112e19012 (go1.23.1)", + "https://go.dev/cl/611239", + "https://go.dev/issue/69139", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34156.html", + "https://linux.oracle.com/errata/ELSA-2024-9473.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34156", + "https://pkg.go.dev/vuln/GO-2024-3106", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34156" + ], + "PublishedDate": "2024-09-06T21:15:12.02Z", + "LastModifiedDate": "2024-09-09T15:35:07.573Z" + }, + { + "VulnerabilityID": "CVE-2024-34155", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": 
"pkg:golang/stdlib@v1.21.12", + "UID": "e6e2fccbe7fc0921" + }, + "InstalledVersion": "v1.21.12", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:7e6d002f7f7e8ec39ff23a7fb02061876ad29b9dc8cfc7bd5523cb683c965382", + "DiffID": "sha256:b20c1907f1d5c1c296bad50c967b10ceae5998d06942e8f08286ec41746aa57d" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34155", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "go/parser: golang: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion", + "Description": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 2, + "oracle-oval": 3, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 4.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9459", + "https://access.redhat.com/security/cve/CVE-2024-34155", + "https://bugzilla.redhat.com/2310527", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2310529", + "https://bugzilla.redhat.com/2315691", + "https://bugzilla.redhat.com/2315887", + "https://bugzilla.redhat.com/2317458", + "https://bugzilla.redhat.com/2317467", + "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310527", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310529", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34155", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34158", + "https://errata.almalinux.org/9/ALSA-2024-9459.html", + "https://errata.rockylinux.org/RLSA-2024:6913", + "https://github.com/golang/go/commit/53487e5477151ed75da50e50a0ba8f1ca64c00a3 (go1.23.1)", + "https://github.com/golang/go/commit/b232596139dbe96a62edbe3a2a203e856bf556eb (go1.22.7)", + "https://go.dev/cl/611238", + "https://go.dev/issue/69138", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34155.html", + "https://linux.oracle.com/errata/ELSA-2024-9459.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34155", + "https://pkg.go.dev/vuln/GO-2024-3105", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34155" + ], + "PublishedDate": "2024-09-06T21:15:11.947Z", + "LastModifiedDate": "2024-11-04T17:35:17.887Z" + }, + { + "VulnerabilityID": "CVE-2024-34158", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": "pkg:golang/stdlib@v1.21.12", + "UID": "e6e2fccbe7fc0921" + }, + "InstalledVersion": "v1.21.12", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:7e6d002f7f7e8ec39ff23a7fb02061876ad29b9dc8cfc7bd5523cb683c965382", + "DiffID": "sha256:b20c1907f1d5c1c296bad50c967b10ceae5998d06942e8f08286ec41746aa57d" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34158", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "go/build/constraint: golang: Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion", + "Description": "Calling Parse on a \"// +build\" build tag line with deeply 
nested expressions can cause a panic due to stack exhaustion.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9459", + "https://access.redhat.com/security/cve/CVE-2024-34158", + "https://bugzilla.redhat.com/2310527", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2310529", + "https://bugzilla.redhat.com/2315691", + "https://bugzilla.redhat.com/2315887", + "https://bugzilla.redhat.com/2317458", + "https://bugzilla.redhat.com/2317467", + "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310527", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310529", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34155", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34158", + "https://errata.almalinux.org/9/ALSA-2024-9459.html", + "https://errata.rockylinux.org/RLSA-2024:6913", + "https://github.com/golang/go/commit/032ac075c20c01c6c35a672d1542d3e98eab84ea (go1.23.1)", + "https://github.com/golang/go/commit/d4c53812e6ce2ac368173d7fcd31d0ecfcffb002 (go1.22.7)", + "https://go.dev/cl/611240", + "https://go.dev/issue/69141", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34158.html", + "https://linux.oracle.com/errata/ELSA-2024-9459.html", + 
"https://nvd.nist.gov/vuln/detail/CVE-2024-34158", + "https://pkg.go.dev/vuln/GO-2024-3107", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34158" + ], + "PublishedDate": "2024-09-06T21:15:12.083Z", + "LastModifiedDate": "2024-09-09T14:35:01.17Z" + } + ] + } + ] + }, + { + "Namespace": "local-path-storage", + "Kind": "Deployment", + "Name": "local-path-provisioner", + "Metadata": [ + { + "OS": { + "Family": "debian", + "Name": "11.10" + }, + "ImageID": "sha256:3a195b56ff1540463285c7f6287ef0d4ec18754013f68a3666b363b7893a62ad", + "DiffIDs": [ + "sha256:5342a2647e8784b3afdeb9b148d5fe1e7e1089ed3650204077765c78b3b0f93c", + "sha256:577c8ee06f39e2bc276615f1058fa40081255ce5e2f072df4875e27868de5660", + "sha256:9ed498e122b248a801130d052c25418381ee7bf215cdf7990965bae0dc37dcc2", + "sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368", + "sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc", + "sha256:ac805962e47900b616b2f4b4584a34ac7b07d64ac1fd2c077478cf65311addcc", + "sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b", + "sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1", + "sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849", + "sha256:c048279a7d9f8e94b4c022b699ad8e8a0cb08b717b014ce4af15afaf375a6ac2", + "sha256:2388d21e8e2b74e055216652e6af384768e97513ad568e10c27bacec389b7f0a", + "sha256:8451c71f8c1e6674db22f6f55f1360dab6bf5afb43a76e95813fad65566a33fc", + "sha256:24aacbf97031b87ad5f19cca54239e982f5f02277dabbfca5c6aafda47257801", + "sha256:6835249f577a022181beee33e1f411f8368788ab8805b4c43aed61fbd7efcc9d", + "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988", + "sha256:f5fde6c2cbea022f54c53abc412714ba202e3e172a7e7918f1c6b47ba02dbded", + 
"sha256:0d7030dacec8bb5fd0f67090445938d06a3e8698889a7cfb1fecfae78e19e6cd" + ], + "RepoTags": [ + "kindest/local-path-provisioner:v20240813-c6f155d6" + ], + "RepoDigests": [ + "kindest/local-path-provisioner@sha256:1f05a0a7698401d1a606583b8d571797e7c2a9310b9a19e6e1cd34b8ddb5cb11" + ], + "ImageConfig": { + "architecture": "amd64", + "created": "2024-08-13T21:34:57.162440017Z", + "history": [ + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "0001-01-01T00:00:00Z" + }, + { + "created": "2024-08-13T21:34:55.824918205Z", + "created_by": "COPY /usr/local/bin/local-path-provisioner /usr/local/bin/local-path-provisioner # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2024-08-13T21:34:57.125751862Z", + "created_by": "COPY /_LICENSES/* /LICENSES/ # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2024-08-13T21:34:57.162440017Z", + "created_by": "COPY --chmod=0644 files/LICENSES/* /LICENSES/* # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2024-08-13T21:34:57.162440017Z", + "created_by": "ENTRYPOINT [\"/bin/sh\" \"-c\" \"/usr/local/bin/local-path-provisioner\"]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + } + ], + "os": "linux", + "rootfs": { + "type": "layers", + "diff_ids": [ + "sha256:5342a2647e8784b3afdeb9b148d5fe1e7e1089ed3650204077765c78b3b0f93c", + "sha256:577c8ee06f39e2bc276615f1058fa40081255ce5e2f072df4875e27868de5660", + 
"sha256:9ed498e122b248a801130d052c25418381ee7bf215cdf7990965bae0dc37dcc2", + "sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368", + "sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc", + "sha256:ac805962e47900b616b2f4b4584a34ac7b07d64ac1fd2c077478cf65311addcc", + "sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b", + "sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1", + "sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849", + "sha256:c048279a7d9f8e94b4c022b699ad8e8a0cb08b717b014ce4af15afaf375a6ac2", + "sha256:2388d21e8e2b74e055216652e6af384768e97513ad568e10c27bacec389b7f0a", + "sha256:8451c71f8c1e6674db22f6f55f1360dab6bf5afb43a76e95813fad65566a33fc", + "sha256:24aacbf97031b87ad5f19cca54239e982f5f02277dabbfca5c6aafda47257801", + "sha256:6835249f577a022181beee33e1f411f8368788ab8805b4c43aed61fbd7efcc9d", + "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988", + "sha256:f5fde6c2cbea022f54c53abc412714ba202e3e172a7e7918f1c6b47ba02dbded", + "sha256:0d7030dacec8bb5fd0f67090445938d06a3e8698889a7cfb1fecfae78e19e6cd" + ] + }, + "config": { + "Entrypoint": [ + "/bin/sh", + "-c", + "/usr/local/bin/local-path-provisioner" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt" + ], + "User": "0", + "WorkingDir": "/" + } + } + } + ], + "Results": [ + { + "Target": "docker.io/kindest/local-path-provisioner:v20240813-c6f155d6 (debian 11.10)", + "Class": "os-pkgs", + "Type": "debian", + "Packages": [ + { + "ID": "base-files@11.1+deb11u10", + "Name": "base-files", + "Identifier": { + "PURL": "pkg:deb/debian/base-files@11.1%2Bdeb11u10?arch=amd64\u0026distro=debian-11.10", + "UID": "2b3478f30510db86" + }, + "Version": "11.1+deb11u10", + "Arch": "amd64", + "SrcName": "base-files", + "SrcVersion": "11.1+deb11u10", + "Licenses": [ + "GPL-2.0-or-later" + ], + "Maintainer": 
"Santiago Vila \u003csanvila@debian.org\u003e", + "Layer": { + "Digest": "sha256:804c8aba2cc61168600515a6831474978d0ea8faddd8a66f99cc9f2bbd576105", + "DiffID": "sha256:5342a2647e8784b3afdeb9b148d5fe1e7e1089ed3650204077765c78b3b0f93c" + } + }, + { + "ID": "libc6@2.31-13+deb11u10", + "Name": "libc6", + "Identifier": { + "PURL": "pkg:deb/debian/libc6@2.31-13%2Bdeb11u10?arch=amd64\u0026distro=debian-11.10", + "UID": "efd16d45658e33b6" + }, + "Version": "2.31", + "Release": "13+deb11u10", + "Arch": "amd64", + "SrcName": "glibc", + "SrcVersion": "2.31", + "SrcRelease": "13+deb11u10", + "Licenses": [ + "LGPL-2.1-only", + "GPL-2.0-only" + ], + "Maintainer": "GNU Libc Maintainers \u003cdebian-glibc@lists.debian.org\u003e", + "Layer": { + "Digest": "sha256:83f8d4690e1f293d0438aef7d1075e590ce77fdec97bb4d90b1d227aeba343fd", + "DiffID": "sha256:8451c71f8c1e6674db22f6f55f1360dab6bf5afb43a76e95813fad65566a33fc" + } + }, + { + "ID": "libssl1.1@1.1.1w-0+deb11u1", + "Name": "libssl1.1", + "Identifier": { + "PURL": "pkg:deb/debian/libssl1.1@1.1.1w-0%2Bdeb11u1?arch=amd64\u0026distro=debian-11.10", + "UID": "a9f1595ff2f3d494" + }, + "Version": "1.1.1w", + "Release": "0+deb11u1", + "Arch": "amd64", + "SrcName": "openssl", + "SrcVersion": "1.1.1w", + "SrcRelease": "0+deb11u1", + "Maintainer": "Debian OpenSSL Team \u003cpkg-openssl-devel@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:a4ba90834fb4abf3d80bbdaaaef36560ab1bb682f5279d44114d768e119639b9", + "DiffID": "sha256:24aacbf97031b87ad5f19cca54239e982f5f02277dabbfca5c6aafda47257801" + } + }, + { + "ID": "netbase@6.3", + "Name": "netbase", + "Identifier": { + "PURL": "pkg:deb/debian/netbase@6.3?arch=all\u0026distro=debian-11.10", + "UID": "2aded3474d1b415c" + }, + "Version": "6.3", + "Arch": "all", + "SrcName": "netbase", + "SrcVersion": "6.3", + "Licenses": [ + "GPL-2.0-only" + ], + "Maintainer": "Marco d'Itri \u003cmd@linux.it\u003e", + "Layer": { + "Digest": 
"sha256:2ae710cd8bfef4545fa3a6dc274d6b7a991ca379cdaa3cdf460d5cb5840a3c88", + "DiffID": "sha256:577c8ee06f39e2bc276615f1058fa40081255ce5e2f072df4875e27868de5660" + } + }, + { + "ID": "openssl@1.1.1w-0+deb11u1", + "Name": "openssl", + "Identifier": { + "PURL": "pkg:deb/debian/openssl@1.1.1w-0%2Bdeb11u1?arch=amd64\u0026distro=debian-11.10", + "UID": "5df690a54ba219aa" + }, + "Version": "1.1.1w", + "Release": "0+deb11u1", + "Arch": "amd64", + "SrcName": "openssl", + "SrcVersion": "1.1.1w", + "SrcRelease": "0+deb11u1", + "Maintainer": "Debian OpenSSL Team \u003cpkg-openssl-devel@lists.alioth.debian.org\u003e", + "Layer": { + "Digest": "sha256:df368711b36276ed02b2040d3e3296b919042d2a05a2bbe9f758e708436c12cf", + "DiffID": "sha256:6835249f577a022181beee33e1f411f8368788ab8805b4c43aed61fbd7efcc9d" + } + }, + { + "ID": "tzdata@2024a-0+deb11u1", + "Name": "tzdata", + "Identifier": { + "PURL": "pkg:deb/debian/tzdata@2024a-0%2Bdeb11u1?arch=all\u0026distro=debian-11.10", + "UID": "bf6813efdcb4c716" + }, + "Version": "2024a", + "Release": "0+deb11u1", + "Arch": "all", + "SrcName": "tzdata", + "SrcVersion": "2024a", + "SrcRelease": "0+deb11u1", + "Maintainer": "GNU Libc Maintainers \u003cdebian-glibc@lists.debian.org\u003e", + "Layer": { + "Digest": "sha256:d462aa3453675bb1f9a271a72cc72a53e628521a7d0e94b720bd07f9ca4962dc", + "DiffID": "sha256:9ed498e122b248a801130d052c25418381ee7bf215cdf7990965bae0dc37dcc2" + } + } + ], + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2023-4806", + "PkgID": "libc6@2.31-13+deb11u10", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.31-13%2Bdeb11u10?arch=amd64\u0026distro=debian-11.10", + "UID": "efd16d45658e33b6" + }, + "InstalledVersion": "2.31-13+deb11u10", + "Status": "will_not_fix", + "Layer": { + "Digest": "sha256:83f8d4690e1f293d0438aef7d1075e590ce77fdec97bb4d90b1d227aeba343fd", + "DiffID": "sha256:8451c71f8c1e6674db22f6f55f1360dab6bf5afb43a76e95813fad65566a33fc" + }, + "SeveritySource": "nvd", + "PrimaryURL": 
"https://avd.aquasec.com/nvd/cve-2023-4806", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: potential use-after-free in getaddrinfo()", + "Description": "A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 2, + "nvd": 2, + "oracle-oval": 3, + "photon": 2, + "redhat": 2, + "rocky": 3, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:5453", + "https://access.redhat.com/errata/RHSA-2023:5455", + "https://access.redhat.com/errata/RHSA-2023:7409", + "https://access.redhat.com/security/cve/CVE-2023-4806", + "https://bugzilla.redhat.com/2234712", + "https://bugzilla.redhat.com/2237782", + "https://bugzilla.redhat.com/2237798", + "https://bugzilla.redhat.com/2238352", + "https://bugzilla.redhat.com/show_bug.cgi?id=2234712", + "https://bugzilla.redhat.com/show_bug.cgi?id=2237782", + "https://bugzilla.redhat.com/show_bug.cgi?id=2237798", + "https://bugzilla.redhat.com/show_bug.cgi?id=2238352", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4527", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4806", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4813", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4911", + "https://errata.almalinux.org/9/ALSA-2023-5453.html", + "https://errata.rockylinux.org/RLSA-2023:5455", + "https://linux.oracle.com/cve/CVE-2023-4806.html", + "https://linux.oracle.com/errata/ELSA-2023-5455.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-4806", + "https://ubuntu.com/security/notices/USN-6541-1", + "https://ubuntu.com/security/notices/USN-6541-2", + "https://www.cve.org/CVERecord?id=CVE-2023-4806" + ], + "PublishedDate": "2023-09-18T17:15:55.813Z", + "LastModifiedDate": "2024-09-16T14:15:12.46Z" + }, + { + "VulnerabilityID": "CVE-2023-4813", + "PkgID": "libc6@2.31-13+deb11u10", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.31-13%2Bdeb11u10?arch=amd64\u0026distro=debian-11.10", + "UID": "efd16d45658e33b6" + }, + "InstalledVersion": "2.31-13+deb11u10", + "Status": "affected", + "Layer": { + "Digest": "sha256:83f8d4690e1f293d0438aef7d1075e590ce77fdec97bb4d90b1d227aeba343fd", + "DiffID": "sha256:8451c71f8c1e6674db22f6f55f1360dab6bf5afb43a76e95813fad65566a33fc" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-4813", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: potential use-after-free in gaih_inet()", + "Description": "A flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. 
This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "nvd": 2, + "oracle-oval": 3, + "photon": 2, + "redhat": 2, + "rocky": 3, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:5453", + "https://access.redhat.com/errata/RHSA-2023:5455", + "https://access.redhat.com/errata/RHSA-2023:7409", + "https://access.redhat.com/security/cve/CVE-2023-4813", + "https://bugzilla.redhat.com/2234712", + "https://bugzilla.redhat.com/2237782", + "https://bugzilla.redhat.com/2237798", + "https://bugzilla.redhat.com/2238352", + "https://bugzilla.redhat.com/show_bug.cgi?id=2234712", + "https://bugzilla.redhat.com/show_bug.cgi?id=2237782", + "https://bugzilla.redhat.com/show_bug.cgi?id=2237798", + "https://bugzilla.redhat.com/show_bug.cgi?id=2238352", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4527", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4806", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4813", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4911", + "https://errata.almalinux.org/9/ALSA-2023-5453.html", + "https://errata.rockylinux.org/RLSA-2023:5455", + "https://linux.oracle.com/cve/CVE-2023-4813.html", + "https://linux.oracle.com/errata/ELSA-2023-5455.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-4813", + "https://ubuntu.com/security/notices/USN-6541-1", + "https://ubuntu.com/security/notices/USN-6541-2", + "https://www.cve.org/CVERecord?id=CVE-2023-4813" + ], + "PublishedDate": "2023-09-12T22:15:08.277Z", + "LastModifiedDate": "2024-09-16T14:15:12.617Z" + 
}, + { + "VulnerabilityID": "CVE-2010-4756", + "PkgID": "libc6@2.31-13+deb11u10", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.31-13%2Bdeb11u10?arch=amd64\u0026distro=debian-11.10", + "UID": "efd16d45658e33b6" + }, + "InstalledVersion": "2.31-13+deb11u10", + "Status": "affected", + "Layer": { + "Digest": "sha256:83f8d4690e1f293d0438aef7d1075e590ce77fdec97bb4d90b1d227aeba343fd", + "DiffID": "sha256:8451c71f8c1e6674db22f6f55f1360dab6bf5afb43a76e95813fad65566a33fc" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2010-4756", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", + "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", + "Severity": "LOW", + "CweIDs": [ + "CWE-399" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P", + "V2Score": 4 + }, + "redhat": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V2Score": 5 + } + }, + "References": [ + "http://cxib.net/stuff/glob-0day.c", + "http://securityreason.com/achievement_securityalert/89", + "http://securityreason.com/exploitalert/9223", + "https://access.redhat.com/security/cve/CVE-2010-4756", + "https://bugzilla.redhat.com/show_bug.cgi?id=681681", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756", + "https://nvd.nist.gov/vuln/detail/CVE-2010-4756", + "https://www.cve.org/CVERecord?id=CVE-2010-4756" + ], + "PublishedDate": 
"2011-03-02T20:00:01.037Z", + "LastModifiedDate": "2021-09-01T12:15:07.193Z" + }, + { + "VulnerabilityID": "CVE-2018-20796", + "PkgID": "libc6@2.31-13+deb11u10", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.31-13%2Bdeb11u10?arch=amd64\u0026distro=debian-11.10", + "UID": "efd16d45658e33b6" + }, + "InstalledVersion": "2.31-13+deb11u10", + "Status": "affected", + "Layer": { + "Digest": "sha256:83f8d4690e1f293d0438aef7d1075e590ce77fdec97bb4d90b1d227aeba343fd", + "DiffID": "sha256:8451c71f8c1e6674db22f6f55f1360dab6bf5afb43a76e95813fad65566a33fc" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-20796", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", + "Severity": "LOW", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "http://www.securityfocus.com/bid/107160", + "https://access.redhat.com/security/cve/CVE-2018-20796", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141", + "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html", + "https://nvd.nist.gov/vuln/detail/CVE-2018-20796", + "https://security.netapp.com/advisory/ntap-20190315-0002/", + 
"https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://www.cve.org/CVERecord?id=CVE-2018-20796" + ], + "PublishedDate": "2019-02-26T02:29:00.45Z", + "LastModifiedDate": "2023-11-07T02:56:20.983Z" + }, + { + "VulnerabilityID": "CVE-2019-1010022", + "PkgID": "libc6@2.31-13+deb11u10", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.31-13%2Bdeb11u10?arch=amd64\u0026distro=debian-11.10", + "UID": "efd16d45658e33b6" + }, + "InstalledVersion": "2.31-13+deb11u10", + "Status": "affected", + "Layer": { + "Digest": "sha256:83f8d4690e1f293d0438aef7d1075e590ce77fdec97bb4d90b1d227aeba343fd", + "DiffID": "sha256:8451c71f8c1e6674db22f6f55f1360dab6bf5afb43a76e95813fad65566a33fc" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010022", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: stack guard protection bypass", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. 
NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", + "Severity": "LOW", + "CweIDs": [ + "CWE-119" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 4 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-1010022", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010022", + "https://security-tracker.debian.org/tracker/CVE-2019-1010022", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22850", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3", + "https://ubuntu.com/security/CVE-2019-1010022", + "https://www.cve.org/CVERecord?id=CVE-2019-1010022" + ], + "PublishedDate": "2019-07-15T04:15:13.317Z", + "LastModifiedDate": "2024-08-05T03:15:25.083Z" + }, + { + "VulnerabilityID": "CVE-2019-1010023", + "PkgID": "libc6@2.31-13+deb11u10", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.31-13%2Bdeb11u10?arch=amd64\u0026distro=debian-11.10", + "UID": "efd16d45658e33b6" + }, + "InstalledVersion": "2.31-13+deb11u10", + "Status": "affected", + "Layer": { + "Digest": "sha256:83f8d4690e1f293d0438aef7d1075e590ce77fdec97bb4d90b1d227aeba343fd", + "DiffID": "sha256:8451c71f8c1e6674db22f6f55f1360dab6bf5afb43a76e95813fad65566a33fc" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010023", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", + "Description": "GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. 
The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V2Score": 6.8, + "V3Score": 8.8 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + } + }, + "References": [ + "http://www.securityfocus.com/bid/109167", + "https://access.redhat.com/security/cve/CVE-2019-1010023", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010023", + "https://security-tracker.debian.org/tracker/CVE-2019-1010023", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22851", + "https://support.f5.com/csp/article/K11932200?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://ubuntu.com/security/CVE-2019-1010023", + "https://www.cve.org/CVERecord?id=CVE-2019-1010023" + ], + "PublishedDate": "2019-07-15T04:15:13.397Z", + "LastModifiedDate": "2024-08-05T03:15:25.183Z" + }, + { + "VulnerabilityID": "CVE-2019-1010024", + "PkgID": "libc6@2.31-13+deb11u10", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.31-13%2Bdeb11u10?arch=amd64\u0026distro=debian-11.10", + "UID": "efd16d45658e33b6" + }, + "InstalledVersion": "2.31-13+deb11u10", + "Status": "affected", + "Layer": { + "Digest": "sha256:83f8d4690e1f293d0438aef7d1075e590ce77fdec97bb4d90b1d227aeba343fd", + "DiffID": "sha256:8451c71f8c1e6674db22f6f55f1360dab6bf5afb43a76e95813fad65566a33fc" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010024", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: ASLR bypass using cache of thread stack and heap", + 
"Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", + "Severity": "LOW", + "CweIDs": [ + "CWE-200" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "http://www.securityfocus.com/bid/109162", + "https://access.redhat.com/security/cve/CVE-2019-1010024", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010024", + "https://security-tracker.debian.org/tracker/CVE-2019-1010024", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22852", + "https://support.f5.com/csp/article/K06046097", + "https://support.f5.com/csp/article/K06046097?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://ubuntu.com/security/CVE-2019-1010024", + "https://www.cve.org/CVERecord?id=CVE-2019-1010024" + ], + "PublishedDate": "2019-07-15T04:15:13.473Z", + "LastModifiedDate": "2024-08-05T03:15:25.26Z" + }, + { + "VulnerabilityID": "CVE-2019-1010025", + "PkgID": "libc6@2.31-13+deb11u10", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.31-13%2Bdeb11u10?arch=amd64\u0026distro=debian-11.10", + "UID": "efd16d45658e33b6" + }, + "InstalledVersion": "2.31-13+deb11u10", + "Status": "affected", + "Layer": { + "Digest": "sha256:83f8d4690e1f293d0438aef7d1075e590ce77fdec97bb4d90b1d227aeba343fd", + "DiffID": "sha256:8451c71f8c1e6674db22f6f55f1360dab6bf5afb43a76e95813fad65566a33fc" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010025", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + 
"URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: information disclosure of heap addresses of pthread_created thread", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.", + "Severity": "LOW", + "CweIDs": [ + "CWE-330" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 2.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-1010025", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010025", + "https://security-tracker.debian.org/tracker/CVE-2019-1010025", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22853", + "https://support.f5.com/csp/article/K06046097", + "https://support.f5.com/csp/article/K06046097?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://ubuntu.com/security/CVE-2019-1010025", + "https://www.cve.org/CVERecord?id=CVE-2019-1010025" + ], + "PublishedDate": "2019-07-15T04:15:13.537Z", + "LastModifiedDate": "2024-08-05T03:15:25.333Z" + }, + { + "VulnerabilityID": "CVE-2019-9192", + "PkgID": "libc6@2.31-13+deb11u10", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.31-13%2Bdeb11u10?arch=amd64\u0026distro=debian-11.10", + "UID": "efd16d45658e33b6" + }, + "InstalledVersion": "2.31-13+deb11u10", + "Status": "affected", + "Layer": { + "Digest": "sha256:83f8d4690e1f293d0438aef7d1075e590ce77fdec97bb4d90b1d227aeba343fd", + "DiffID": "sha256:8451c71f8c1e6674db22f6f55f1360dab6bf5afb43a76e95813fad65566a33fc" + }, + "SeveritySource": "debian", + "PrimaryURL": 
"https://avd.aquasec.com/nvd/cve-2019-9192", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern", + "Severity": "LOW", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "debian": 1, + "nvd": 3, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", + "V3Score": 2.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-9192", + "https://nvd.nist.gov/vuln/detail/CVE-2019-9192", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24269", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://www.cve.org/CVERecord?id=CVE-2019-9192" + ], + "PublishedDate": "2019-02-26T18:29:00.34Z", + "LastModifiedDate": "2024-08-04T22:15:34.74Z" + }, + { + "VulnerabilityID": "CVE-2023-5678", + "VendorIDs": [ + "DLA-3942-1", + "DLA-3942-2" + ], + "PkgID": "libssl1.1@1.1.1w-0+deb11u1", + "PkgName": "libssl1.1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl1.1@1.1.1w-0%2Bdeb11u1?arch=amd64\u0026distro=debian-11.10", + "UID": "a9f1595ff2f3d494" + }, + "InstalledVersion": "1.1.1w-0+deb11u1", + "FixedVersion": "1.1.1w-0+deb11u2", + "Status": "fixed", + "Layer": { + "Digest": 
"sha256:a4ba90834fb4abf3d80bbdaaaef36560ab1bb682f5279d44114d768e119639b9", + "DiffID": "sha256:24aacbf97031b87ad5f19cca54239e982f5f02277dabbfca5c6aafda47257801" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-5678", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow", + "Description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. 
The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-754", + "CWE-606" + ], + "VendorSeverity": { + "alma": 1, + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "nvd": 2, + "oracle-oval": 1, + "photon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:2447", + "https://access.redhat.com/security/cve/CVE-2023-5678", + "https://bugzilla.redhat.com/2223016", + "https://bugzilla.redhat.com/2224962", + "https://bugzilla.redhat.com/2227852", + "https://bugzilla.redhat.com/2248616", + "https://bugzilla.redhat.com/2257571", + "https://bugzilla.redhat.com/2258502", + "https://bugzilla.redhat.com/2259944", + "https://errata.almalinux.org/9/ALSA-2024-2447.html", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", + "https://linux.oracle.com/cve/CVE-2023-5678.html", + "https://linux.oracle.com/errata/ELSA-2024-2447.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-5678", + "https://ubuntu.com/security/notices/USN-6622-1", + 
"https://ubuntu.com/security/notices/USN-6632-1", + "https://ubuntu.com/security/notices/USN-6709-1", + "https://www.cve.org/CVERecord?id=CVE-2023-5678", + "https://www.openssl.org/news/secadv/20231106.txt" + ], + "PublishedDate": "2023-11-06T16:15:42.67Z", + "LastModifiedDate": "2024-10-14T15:15:12.603Z" + }, + { + "VulnerabilityID": "CVE-2024-0727", + "VendorIDs": [ + "DLA-3942-1", + "DLA-3942-2" + ], + "PkgID": "libssl1.1@1.1.1w-0+deb11u1", + "PkgName": "libssl1.1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl1.1@1.1.1w-0%2Bdeb11u1?arch=amd64\u0026distro=debian-11.10", + "UID": "a9f1595ff2f3d494" + }, + "InstalledVersion": "1.1.1w-0+deb11u1", + "FixedVersion": "1.1.1w-0+deb11u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:a4ba90834fb4abf3d80bbdaaaef36560ab1bb682f5279d44114d768e119639b9", + "DiffID": "sha256:24aacbf97031b87ad5f19cca54239e982f5f02277dabbfca5c6aafda47257801" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-0727", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: denial of service via null dereference", + "Description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. 
If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-476" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 2, + "photon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/03/11/1", + "https://access.redhat.com/errata/RHSA-2024:9088", + "https://access.redhat.com/security/cve/CVE-2024-0727", + "https://bugzilla.redhat.com/2257571", + "https://bugzilla.redhat.com/2258502", + "https://bugzilla.redhat.com/2259944", + "https://bugzilla.redhat.com/2284243", + "https://errata.almalinux.org/9/ALSA-2024-9088.html", + "https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2", + "https://github.com/github/advisory-database/pull/3472", + "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", + "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", + "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", + "https://github.com/openssl/openssl/pull/23362", + 
"https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d", + "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", + "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", + "https://linux.oracle.com/cve/CVE-2024-0727.html", + "https://linux.oracle.com/errata/ELSA-2024-9088.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-0727", + "https://security.netapp.com/advisory/ntap-20240208-0006", + "https://ubuntu.com/security/notices/USN-6622-1", + "https://ubuntu.com/security/notices/USN-6632-1", + "https://ubuntu.com/security/notices/USN-6709-1", + "https://ubuntu.com/security/notices/USN-7018-1", + "https://www.cve.org/CVERecord?id=CVE-2024-0727", + "https://www.openssl.org/news/secadv/20240125.txt" + ], + "PublishedDate": "2024-01-26T09:15:07.637Z", + "LastModifiedDate": "2024-10-14T15:15:13.1Z" + }, + { + "VulnerabilityID": "CVE-2024-4741", + "VendorIDs": [ + "DLA-3942-1", + "DLA-3942-2" + ], + "PkgID": "libssl1.1@1.1.1w-0+deb11u1", + "PkgName": "libssl1.1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl1.1@1.1.1w-0%2Bdeb11u1?arch=amd64\u0026distro=debian-11.10", + "UID": "a9f1595ff2f3d494" + }, + "InstalledVersion": "1.1.1w-0+deb11u1", + "FixedVersion": "1.1.1w-0+deb11u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:a4ba90834fb4abf3d80bbdaaaef36560ab1bb682f5279d44114d768e119639b9", + "DiffID": "sha256:24aacbf97031b87ad5f19cca54239e982f5f02277dabbfca5c6aafda47257801" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-4741", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: Use After Free with SSL_free_buffers", + "Description": "Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause\nmemory to be accessed that was previously freed in some situations\n\nImpact summary: A 
use after free can have a range of potential consequences such\nas the corruption of valid data, crashes or execution of arbitrary code.\nHowever, only applications that directly call the SSL_free_buffers function are\naffected by this issue. Applications that do not call this function are not\nvulnerable. Our investigations indicate that this function is rarely used by\napplications.\n\nThe SSL_free_buffers function is used to free the internal OpenSSL buffer used\nwhen processing an incoming record from the network. The call is only expected\nto succeed if the buffer is not currently in use. However, two scenarios have\nbeen identified where the buffer is freed even when still in use.\n\nThe first scenario occurs where a record header has been received from the\nnetwork and processed by OpenSSL, but the full record body has not yet arrived.\nIn this case calling SSL_free_buffers will succeed even though a record has only\nbeen partially processed and the buffer is still in use.\n\nThe second scenario occurs where a full record containing application data has\nbeen received and processed by OpenSSL but the application has only read part of\nthis data. 
Again a call to SSL_free_buffers will succeed even though the buffer\nis still in use.\n\nWhile these scenarios could occur accidentally during normal operation a\nmalicious attacker could attempt to engineer a stituation where this occurs.\nWe are not aware of this issue being actively exploited.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "alma": 1, + "amazon": 2, + "cbl-mariner": 3, + "oracle-oval": 1, + "photon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5.6 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9333", + "https://access.redhat.com/security/cve/CVE-2024-4741", + "https://bugzilla.redhat.com/2274020", + "https://bugzilla.redhat.com/2281029", + "https://bugzilla.redhat.com/2283757", + "https://bugzilla.redhat.com/2294581", + "https://errata.almalinux.org/9/ALSA-2024-9333.html", + "https://github.com/openssl/openssl/commit/704f725b96aa373ee45ecfb23f6abfe8be8d9177", + "https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d", + "https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac", + "https://github.com/openssl/openssl/commit/e5093133c35ca82874ad83697af76f4b0f7e3bd8", + "https://github.openssl.org/openssl/extended-releases/commit/f7a045f3143fc6da2ee66bf52d8df04829590dd4", + "https://linux.oracle.com/cve/CVE-2024-4741.html", + "https://linux.oracle.com/errata/ELSA-2024-9333.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4741", + "https://ubuntu.com/security/notices/USN-6937-1", + "https://www.cve.org/CVERecord?id=CVE-2024-4741", + "https://www.openssl.org/news/secadv/20240528.txt" + ], + "PublishedDate": "2024-11-13T11:15:04.48Z", + "LastModifiedDate": "2024-11-13T17:01:16.85Z" + }, + { + "VulnerabilityID": "CVE-2024-5535", + "VendorIDs": [ + "DLA-3942-1", + 
"DLA-3942-2" + ], + "PkgID": "libssl1.1@1.1.1w-0+deb11u1", + "PkgName": "libssl1.1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl1.1@1.1.1w-0%2Bdeb11u1?arch=amd64\u0026distro=debian-11.10", + "UID": "a9f1595ff2f3d494" + }, + "InstalledVersion": "1.1.1w-0+deb11u1", + "FixedVersion": "1.1.1w-0+deb11u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:a4ba90834fb4abf3d80bbdaaaef36560ab1bb682f5279d44114d768e119639b9", + "DiffID": "sha256:24aacbf97031b87ad5f19cca54239e982f5f02277dabbfca5c6aafda47257801" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-5535", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: SSL_select_next_proto buffer overread", + "Description": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. 
The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. 
The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. The fix will be included in the next releases when they\nbecome available.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-200" + ], + "VendorSeverity": { + "alma": 1, + "amazon": 2, + "azure": 4, + "cbl-mariner": 4, + "oracle-oval": 1, + "photon": 4, + "redhat": 1, + "rocky": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/06/27/1", + "http://www.openwall.com/lists/oss-security/2024/06/28/4", + "https://access.redhat.com/errata/RHSA-2024:9333", + "https://access.redhat.com/security/cve/CVE-2024-5535", + "https://bugzilla.redhat.com/2274020", + "https://bugzilla.redhat.com/2281029", + "https://bugzilla.redhat.com/2283757", + "https://bugzilla.redhat.com/2294581", + "https://bugzilla.redhat.com/show_bug.cgi?id=2294581", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535", + "https://errata.almalinux.org/9/ALSA-2024-9333.html", + "https://errata.rockylinux.org/RLSA-2024:7848", + 
"https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37", + "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e", + "https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c", + "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c", + "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c", + "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87", + "https://linux.oracle.com/cve/CVE-2024-5535.html", + "https://linux.oracle.com/errata/ELSA-2024-9333.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-5535", + "https://openssl.org/news/secadv/20240627.txt", + "https://security.netapp.com/advisory/ntap-20240712-0005/", + "https://ubuntu.com/security/notices/USN-6937-1", + "https://www.cve.org/CVERecord?id=CVE-2024-5535", + "https://www.openssl.org/news/secadv/20240627.txt", + "https://www.oracle.com/security-alerts/cpuoct2024.html#AppendixMSQL" + ], + "PublishedDate": "2024-06-27T11:15:24.447Z", + "LastModifiedDate": "2024-07-12T14:15:16.79Z" + }, + { + "VulnerabilityID": "CVE-2024-2511", + "VendorIDs": [ + "DLA-3942-1", + "DLA-3942-2" + ], + "PkgID": "libssl1.1@1.1.1w-0+deb11u1", + "PkgName": "libssl1.1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl1.1@1.1.1w-0%2Bdeb11u1?arch=amd64\u0026distro=debian-11.10", + "UID": "a9f1595ff2f3d494" + }, + "InstalledVersion": "1.1.1w-0+deb11u1", + "FixedVersion": "1.1.1w-0+deb11u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:a4ba90834fb4abf3d80bbdaaaef36560ab1bb682f5279d44114d768e119639b9", + "DiffID": "sha256:24aacbf97031b87ad5f19cca54239e982f5f02277dabbfca5c6aafda47257801" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-2511", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": 
"openssl: Unbounded memory growth with session handling in TLSv1.3", + "Description": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. 
OpenSSL\n1.0.2 is also not affected by this issue.", + "Severity": "LOW", + "CweIDs": [ + "CWE-1325" + ], + "VendorSeverity": { + "alma": 1, + "amazon": 2, + "azure": 1, + "cbl-mariner": 1, + "oracle-oval": 1, + "photon": 3, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 3.7 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9333", + "https://access.redhat.com/security/cve/CVE-2024-2511", + "https://bugzilla.redhat.com/2274020", + "https://bugzilla.redhat.com/2281029", + "https://bugzilla.redhat.com/2283757", + "https://bugzilla.redhat.com/2294581", + "https://errata.almalinux.org/9/ALSA-2024-9333.html", + "https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce", + "https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d", + "https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08", + "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640", + "https://linux.oracle.com/cve/CVE-2024-2511.html", + "https://linux.oracle.com/errata/ELSA-2024-9333.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-2511", + "https://ubuntu.com/security/notices/USN-6937-1", + "https://www.cve.org/CVERecord?id=CVE-2024-2511", + "https://www.openssl.org/news/secadv/20240408.txt", + "https://www.openssl.org/news/vulnerabilities.html" + ], + "PublishedDate": "2024-04-08T14:15:07.66Z", + "LastModifiedDate": "2024-10-14T15:15:13.27Z" + }, + { + "VulnerabilityID": "CVE-2024-9143", + "VendorIDs": [ + "DLA-3942-1", + "DLA-3942-2" + ], + "PkgID": "libssl1.1@1.1.1w-0+deb11u1", + "PkgName": "libssl1.1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl1.1@1.1.1w-0%2Bdeb11u1?arch=amd64\u0026distro=debian-11.10", + "UID": "a9f1595ff2f3d494" + }, + "InstalledVersion": "1.1.1w-0+deb11u1", + "FixedVersion": "1.1.1w-0+deb11u2", + "Status": "fixed", + "Layer": { + 
"Digest": "sha256:a4ba90834fb4abf3d80bbdaaaef36560ab1bb682f5279d44114d768e119639b9", + "DiffID": "sha256:24aacbf97031b87ad5f19cca54239e982f5f02277dabbfca5c6aafda47257801" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-9143", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: Low-level invalid GF(2^m) parameters lead to OOB memory access", + "Description": "Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted\nexplicit values for the field polynomial can lead to out-of-bounds memory reads\nor writes.\n\nImpact summary: Out of bound memory writes can lead to an application crash or\neven a possibility of a remote code execution, however, in all the protocols\ninvolving Elliptic Curve Cryptography that we're aware of, either only \"named\ncurves\" are supported, or, if explicit curve parameters are supported, they\nspecify an X9.62 encoding of binary (GF(2^m)) curves that can't represent\nproblematic input values. Thus the likelihood of existence of a vulnerable\napplication is low.\n\nIn particular, the X9.62 encoding is used for ECC keys in X.509 certificates,\nso problematic inputs cannot occur in the context of processing X.509\ncertificates. Any problematic use-cases would have to be using an \"exotic\"\ncurve encoding.\n\nThe affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),\nand various supporting BN_GF2m_*() functions.\n\nApplications working with \"exotic\" explicit binary (GF(2^m)) curve parameters,\nthat make it possible to represent invalid field polynomials with a zero\nconstant term, via the above or similar APIs, may terminate abruptly as a\nresult of reading or writing outside of array bounds. 
Remote code execution\ncannot easily be ruled out.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.", + "Severity": "LOW", + "CweIDs": [ + "CWE-787" + ], + "VendorSeverity": { + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 3.7 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-9143", + "https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712", + "https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700", + "https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4", + "https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154", + "https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a", + "https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41", + "https://nvd.nist.gov/vuln/detail/CVE-2024-9143", + "https://openssl-library.org/news/secadv/20241016.txt", + "https://www.cve.org/CVERecord?id=CVE-2024-9143" + ], + "PublishedDate": "2024-10-16T17:15:18.13Z", + "LastModifiedDate": "2024-11-08T16:35:21.58Z" + }, + { + "VulnerabilityID": "CVE-2023-5678", + "VendorIDs": [ + "DLA-3942-1", + "DLA-3942-2" + ], + "PkgID": "openssl@1.1.1w-0+deb11u1", + "PkgName": "openssl", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/openssl@1.1.1w-0%2Bdeb11u1?arch=amd64\u0026distro=debian-11.10", + "UID": "5df690a54ba219aa" + }, + "InstalledVersion": "1.1.1w-0+deb11u1", + "FixedVersion": "1.1.1w-0+deb11u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:df368711b36276ed02b2040d3e3296b919042d2a05a2bbe9f758e708436c12cf", + "DiffID": "sha256:6835249f577a022181beee33e1f411f8368788ab8805b4c43aed61fbd7efcc9d" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-5678", + "DataSource": { + "ID": "debian", + "Name": "Debian 
Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow", + "Description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. 
The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-754", + "CWE-606" + ], + "VendorSeverity": { + "alma": 1, + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "nvd": 2, + "oracle-oval": 1, + "photon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:2447", + "https://access.redhat.com/security/cve/CVE-2023-5678", + "https://bugzilla.redhat.com/2223016", + "https://bugzilla.redhat.com/2224962", + "https://bugzilla.redhat.com/2227852", + "https://bugzilla.redhat.com/2248616", + "https://bugzilla.redhat.com/2257571", + "https://bugzilla.redhat.com/2258502", + "https://bugzilla.redhat.com/2259944", + "https://errata.almalinux.org/9/ALSA-2024-2447.html", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", + "https://linux.oracle.com/cve/CVE-2023-5678.html", + "https://linux.oracle.com/errata/ELSA-2024-2447.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-5678", + "https://ubuntu.com/security/notices/USN-6622-1", + 
"https://ubuntu.com/security/notices/USN-6632-1", + "https://ubuntu.com/security/notices/USN-6709-1", + "https://www.cve.org/CVERecord?id=CVE-2023-5678", + "https://www.openssl.org/news/secadv/20231106.txt" + ], + "PublishedDate": "2023-11-06T16:15:42.67Z", + "LastModifiedDate": "2024-10-14T15:15:12.603Z" + }, + { + "VulnerabilityID": "CVE-2024-0727", + "VendorIDs": [ + "DLA-3942-1", + "DLA-3942-2" + ], + "PkgID": "openssl@1.1.1w-0+deb11u1", + "PkgName": "openssl", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/openssl@1.1.1w-0%2Bdeb11u1?arch=amd64\u0026distro=debian-11.10", + "UID": "5df690a54ba219aa" + }, + "InstalledVersion": "1.1.1w-0+deb11u1", + "FixedVersion": "1.1.1w-0+deb11u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:df368711b36276ed02b2040d3e3296b919042d2a05a2bbe9f758e708436c12cf", + "DiffID": "sha256:6835249f577a022181beee33e1f411f8368788ab8805b4c43aed61fbd7efcc9d" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-0727", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: denial of service via null dereference", + "Description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. 
If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-476" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 2, + "photon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/03/11/1", + "https://access.redhat.com/errata/RHSA-2024:9088", + "https://access.redhat.com/security/cve/CVE-2024-0727", + "https://bugzilla.redhat.com/2257571", + "https://bugzilla.redhat.com/2258502", + "https://bugzilla.redhat.com/2259944", + "https://bugzilla.redhat.com/2284243", + "https://errata.almalinux.org/9/ALSA-2024-9088.html", + "https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2", + "https://github.com/github/advisory-database/pull/3472", + "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", + "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", + "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", + "https://github.com/openssl/openssl/pull/23362", + 
"https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d", + "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", + "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", + "https://linux.oracle.com/cve/CVE-2024-0727.html", + "https://linux.oracle.com/errata/ELSA-2024-9088.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-0727", + "https://security.netapp.com/advisory/ntap-20240208-0006", + "https://ubuntu.com/security/notices/USN-6622-1", + "https://ubuntu.com/security/notices/USN-6632-1", + "https://ubuntu.com/security/notices/USN-6709-1", + "https://ubuntu.com/security/notices/USN-7018-1", + "https://www.cve.org/CVERecord?id=CVE-2024-0727", + "https://www.openssl.org/news/secadv/20240125.txt" + ], + "PublishedDate": "2024-01-26T09:15:07.637Z", + "LastModifiedDate": "2024-10-14T15:15:13.1Z" + }, + { + "VulnerabilityID": "CVE-2024-4741", + "VendorIDs": [ + "DLA-3942-1", + "DLA-3942-2" + ], + "PkgID": "openssl@1.1.1w-0+deb11u1", + "PkgName": "openssl", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/openssl@1.1.1w-0%2Bdeb11u1?arch=amd64\u0026distro=debian-11.10", + "UID": "5df690a54ba219aa" + }, + "InstalledVersion": "1.1.1w-0+deb11u1", + "FixedVersion": "1.1.1w-0+deb11u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:df368711b36276ed02b2040d3e3296b919042d2a05a2bbe9f758e708436c12cf", + "DiffID": "sha256:6835249f577a022181beee33e1f411f8368788ab8805b4c43aed61fbd7efcc9d" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-4741", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: Use After Free with SSL_free_buffers", + "Description": "Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause\nmemory to be accessed that was previously freed in some situations\n\nImpact summary: A use 
after free can have a range of potential consequences such\nas the corruption of valid data, crashes or execution of arbitrary code.\nHowever, only applications that directly call the SSL_free_buffers function are\naffected by this issue. Applications that do not call this function are not\nvulnerable. Our investigations indicate that this function is rarely used by\napplications.\n\nThe SSL_free_buffers function is used to free the internal OpenSSL buffer used\nwhen processing an incoming record from the network. The call is only expected\nto succeed if the buffer is not currently in use. However, two scenarios have\nbeen identified where the buffer is freed even when still in use.\n\nThe first scenario occurs where a record header has been received from the\nnetwork and processed by OpenSSL, but the full record body has not yet arrived.\nIn this case calling SSL_free_buffers will succeed even though a record has only\nbeen partially processed and the buffer is still in use.\n\nThe second scenario occurs where a full record containing application data has\nbeen received and processed by OpenSSL but the application has only read part of\nthis data. 
Again a call to SSL_free_buffers will succeed even though the buffer\nis still in use.\n\nWhile these scenarios could occur accidentally during normal operation a\nmalicious attacker could attempt to engineer a stituation where this occurs.\nWe are not aware of this issue being actively exploited.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "alma": 1, + "amazon": 2, + "cbl-mariner": 3, + "oracle-oval": 1, + "photon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5.6 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9333", + "https://access.redhat.com/security/cve/CVE-2024-4741", + "https://bugzilla.redhat.com/2274020", + "https://bugzilla.redhat.com/2281029", + "https://bugzilla.redhat.com/2283757", + "https://bugzilla.redhat.com/2294581", + "https://errata.almalinux.org/9/ALSA-2024-9333.html", + "https://github.com/openssl/openssl/commit/704f725b96aa373ee45ecfb23f6abfe8be8d9177", + "https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d", + "https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac", + "https://github.com/openssl/openssl/commit/e5093133c35ca82874ad83697af76f4b0f7e3bd8", + "https://github.openssl.org/openssl/extended-releases/commit/f7a045f3143fc6da2ee66bf52d8df04829590dd4", + "https://linux.oracle.com/cve/CVE-2024-4741.html", + "https://linux.oracle.com/errata/ELSA-2024-9333.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4741", + "https://ubuntu.com/security/notices/USN-6937-1", + "https://www.cve.org/CVERecord?id=CVE-2024-4741", + "https://www.openssl.org/news/secadv/20240528.txt" + ], + "PublishedDate": "2024-11-13T11:15:04.48Z", + "LastModifiedDate": "2024-11-13T17:01:16.85Z" + }, + { + "VulnerabilityID": "CVE-2024-5535", + "VendorIDs": [ + "DLA-3942-1", + 
"DLA-3942-2" + ], + "PkgID": "openssl@1.1.1w-0+deb11u1", + "PkgName": "openssl", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/openssl@1.1.1w-0%2Bdeb11u1?arch=amd64\u0026distro=debian-11.10", + "UID": "5df690a54ba219aa" + }, + "InstalledVersion": "1.1.1w-0+deb11u1", + "FixedVersion": "1.1.1w-0+deb11u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:df368711b36276ed02b2040d3e3296b919042d2a05a2bbe9f758e708436c12cf", + "DiffID": "sha256:6835249f577a022181beee33e1f411f8368788ab8805b4c43aed61fbd7efcc9d" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-5535", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: SSL_select_next_proto buffer overread", + "Description": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. 
The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. 
The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. The fix will be included in the next releases when they\nbecome available.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-200" + ], + "VendorSeverity": { + "alma": 1, + "amazon": 2, + "azure": 4, + "cbl-mariner": 4, + "oracle-oval": 1, + "photon": 4, + "redhat": 1, + "rocky": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/06/27/1", + "http://www.openwall.com/lists/oss-security/2024/06/28/4", + "https://access.redhat.com/errata/RHSA-2024:9333", + "https://access.redhat.com/security/cve/CVE-2024-5535", + "https://bugzilla.redhat.com/2274020", + "https://bugzilla.redhat.com/2281029", + "https://bugzilla.redhat.com/2283757", + "https://bugzilla.redhat.com/2294581", + "https://bugzilla.redhat.com/show_bug.cgi?id=2294581", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535", + "https://errata.almalinux.org/9/ALSA-2024-9333.html", + "https://errata.rockylinux.org/RLSA-2024:7848", + 
"https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37", + "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e", + "https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c", + "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c", + "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c", + "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87", + "https://linux.oracle.com/cve/CVE-2024-5535.html", + "https://linux.oracle.com/errata/ELSA-2024-9333.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-5535", + "https://openssl.org/news/secadv/20240627.txt", + "https://security.netapp.com/advisory/ntap-20240712-0005/", + "https://ubuntu.com/security/notices/USN-6937-1", + "https://www.cve.org/CVERecord?id=CVE-2024-5535", + "https://www.openssl.org/news/secadv/20240627.txt", + "https://www.oracle.com/security-alerts/cpuoct2024.html#AppendixMSQL" + ], + "PublishedDate": "2024-06-27T11:15:24.447Z", + "LastModifiedDate": "2024-07-12T14:15:16.79Z" + }, + { + "VulnerabilityID": "CVE-2024-2511", + "VendorIDs": [ + "DLA-3942-1", + "DLA-3942-2" + ], + "PkgID": "openssl@1.1.1w-0+deb11u1", + "PkgName": "openssl", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/openssl@1.1.1w-0%2Bdeb11u1?arch=amd64\u0026distro=debian-11.10", + "UID": "5df690a54ba219aa" + }, + "InstalledVersion": "1.1.1w-0+deb11u1", + "FixedVersion": "1.1.1w-0+deb11u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:df368711b36276ed02b2040d3e3296b919042d2a05a2bbe9f758e708436c12cf", + "DiffID": "sha256:6835249f577a022181beee33e1f411f8368788ab8805b4c43aed61fbd7efcc9d" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-2511", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": 
"openssl: Unbounded memory growth with session handling in TLSv1.3", + "Description": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. 
OpenSSL\n1.0.2 is also not affected by this issue.", + "Severity": "LOW", + "CweIDs": [ + "CWE-1325" + ], + "VendorSeverity": { + "alma": 1, + "amazon": 2, + "azure": 1, + "cbl-mariner": 1, + "oracle-oval": 1, + "photon": 3, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 3.7 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9333", + "https://access.redhat.com/security/cve/CVE-2024-2511", + "https://bugzilla.redhat.com/2274020", + "https://bugzilla.redhat.com/2281029", + "https://bugzilla.redhat.com/2283757", + "https://bugzilla.redhat.com/2294581", + "https://errata.almalinux.org/9/ALSA-2024-9333.html", + "https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce", + "https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d", + "https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08", + "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640", + "https://linux.oracle.com/cve/CVE-2024-2511.html", + "https://linux.oracle.com/errata/ELSA-2024-9333.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-2511", + "https://ubuntu.com/security/notices/USN-6937-1", + "https://www.cve.org/CVERecord?id=CVE-2024-2511", + "https://www.openssl.org/news/secadv/20240408.txt", + "https://www.openssl.org/news/vulnerabilities.html" + ], + "PublishedDate": "2024-04-08T14:15:07.66Z", + "LastModifiedDate": "2024-10-14T15:15:13.27Z" + }, + { + "VulnerabilityID": "CVE-2024-9143", + "VendorIDs": [ + "DLA-3942-1", + "DLA-3942-2" + ], + "PkgID": "openssl@1.1.1w-0+deb11u1", + "PkgName": "openssl", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/openssl@1.1.1w-0%2Bdeb11u1?arch=amd64\u0026distro=debian-11.10", + "UID": "5df690a54ba219aa" + }, + "InstalledVersion": "1.1.1w-0+deb11u1", + "FixedVersion": "1.1.1w-0+deb11u2", + "Status": "fixed", + "Layer": { + "Digest": 
"sha256:df368711b36276ed02b2040d3e3296b919042d2a05a2bbe9f758e708436c12cf", + "DiffID": "sha256:6835249f577a022181beee33e1f411f8368788ab8805b4c43aed61fbd7efcc9d" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-9143", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: Low-level invalid GF(2^m) parameters lead to OOB memory access", + "Description": "Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted\nexplicit values for the field polynomial can lead to out-of-bounds memory reads\nor writes.\n\nImpact summary: Out of bound memory writes can lead to an application crash or\neven a possibility of a remote code execution, however, in all the protocols\ninvolving Elliptic Curve Cryptography that we're aware of, either only \"named\ncurves\" are supported, or, if explicit curve parameters are supported, they\nspecify an X9.62 encoding of binary (GF(2^m)) curves that can't represent\nproblematic input values. Thus the likelihood of existence of a vulnerable\napplication is low.\n\nIn particular, the X9.62 encoding is used for ECC keys in X.509 certificates,\nso problematic inputs cannot occur in the context of processing X.509\ncertificates. Any problematic use-cases would have to be using an \"exotic\"\ncurve encoding.\n\nThe affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),\nand various supporting BN_GF2m_*() functions.\n\nApplications working with \"exotic\" explicit binary (GF(2^m)) curve parameters,\nthat make it possible to represent invalid field polynomials with a zero\nconstant term, via the above or similar APIs, may terminate abruptly as a\nresult of reading or writing outside of array bounds. 
Remote code execution\ncannot easily be ruled out.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.", + "Severity": "LOW", + "CweIDs": [ + "CWE-787" + ], + "VendorSeverity": { + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 3.7 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-9143", + "https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712", + "https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700", + "https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4", + "https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154", + "https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a", + "https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41", + "https://nvd.nist.gov/vuln/detail/CVE-2024-9143", + "https://openssl-library.org/news/secadv/20241016.txt", + "https://www.cve.org/CVERecord?id=CVE-2024-9143" + ], + "PublishedDate": "2024-10-16T17:15:18.13Z", + "LastModifiedDate": "2024-11-08T16:35:21.58Z" + }, + { + "VulnerabilityID": "DLA-3972-1", + "VendorIDs": [ + "DLA-3972-1" + ], + "PkgID": "tzdata@2024a-0+deb11u1", + "PkgName": "tzdata", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/tzdata@2024a-0%2Bdeb11u1?arch=all\u0026distro=debian-11.10", + "UID": "bf6813efdcb4c716" + }, + "InstalledVersion": "2024a-0+deb11u1", + "FixedVersion": "2024b-0+deb11u1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d462aa3453675bb1f9a271a72cc72a53e628521a7d0e94b720bd07f9ca4962dc", + "DiffID": "sha256:9ed498e122b248a801130d052c25418381ee7bf215cdf7990965bae0dc37dcc2" + }, + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "tzdata - 
new timezone database", + "Severity": "UNKNOWN" + } + ] + }, + { + "Target": "usr/local/bin/local-path-provisioner", + "Class": "lang-pkgs", + "Type": "gobinary", + "Packages": [ + { + "Name": "github.com/rancher/local-path-provisioner", + "Identifier": { + "PURL": "pkg:golang/github.com/rancher/local-path-provisioner@v0.0.24", + "UID": "7294f16e77c70a0c" + }, + "Version": "v0.0.24", + "Relationship": "root", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "stdlib", + "Identifier": { + "PURL": "pkg:golang/stdlib@v1.22.6", + "UID": "3b62669ee248784c" + }, + "Version": "v1.22.6", + "Relationship": "direct", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/Sirupsen/logrus", + "Identifier": { + "PURL": "pkg:golang/github.com/sirupsen/logrus@v0.11.0", + "UID": "e9886d1266c7aaf5" + }, + "Version": "v0.11.0", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/beorn7/perks", + "Identifier": { + "PURL": "pkg:golang/github.com/beorn7/perks@v1.0.1", + "UID": "b24b2192700ebd9d" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/cespare/xxhash/v2", + "Identifier": { + "PURL": "pkg:golang/github.com/cespare/xxhash/v2@v2.1.2", + "UID": "c148dab82e8db75e" + }, + "Version": "v2.1.2", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": 
"sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/davecgh/go-spew", + "Identifier": { + "PURL": "pkg:golang/github.com/davecgh/go-spew@v1.1.1", + "UID": "96c62d43613cf301" + }, + "Version": "v1.1.1", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/go-logr/logr", + "Identifier": { + "PURL": "pkg:golang/github.com/go-logr/logr@v0.2.0", + "UID": "5fe2d78757fcc3b4" + }, + "Version": "v0.2.0", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/gogo/protobuf", + "Identifier": { + "PURL": "pkg:golang/github.com/gogo/protobuf@v1.3.1", + "UID": "492acb8f3215ac8a" + }, + "Version": "v1.3.1", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/golang/groupcache", + "Identifier": { + "PURL": "pkg:golang/github.com/golang/groupcache@v0.0.0-20200121045136-8c9f03a8e57e", + "UID": "249edae74d7e4895" + }, + "Version": "v0.0.0-20200121045136-8c9f03a8e57e", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/golang/protobuf", + "Identifier": { + "PURL": "pkg:golang/github.com/golang/protobuf@v1.5.3", + "UID": "f43fce0129e58488" + }, + "Version": "v1.5.3", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + 
"Name": "github.com/google/go-cmp", + "Identifier": { + "PURL": "pkg:golang/github.com/google/go-cmp@v0.5.8", + "UID": "f9e3578ab0316512" + }, + "Version": "v0.5.8", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/google/gofuzz", + "Identifier": { + "PURL": "pkg:golang/github.com/google/gofuzz@v1.1.0", + "UID": "f133e199496ddc92" + }, + "Version": "v1.1.0", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/google/uuid", + "Identifier": { + "PURL": "pkg:golang/github.com/google/uuid@v1.1.1", + "UID": "e6b9768d019c56e9" + }, + "Version": "v1.1.1", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/googleapis/gnostic", + "Identifier": { + "PURL": "pkg:golang/github.com/googleapis/gnostic@v0.4.1", + "UID": "6c8bf0377bc22a9c" + }, + "Version": "v0.4.1", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/hashicorp/golang-lru", + "Identifier": { + "PURL": "pkg:golang/github.com/hashicorp/golang-lru@v0.5.1", + "UID": "a85f8cb018c4c96e" + }, + "Version": "v0.5.1", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/imdario/mergo", + "Identifier": { + "PURL": "pkg:golang/github.com/imdario/mergo@v0.3.5", + "UID": "67882b11dd1bb27a" + }, + 
"Version": "v0.3.5", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/json-iterator/go", + "Identifier": { + "PURL": "pkg:golang/github.com/json-iterator/go@v1.1.12", + "UID": "9c20322c61a00ff8" + }, + "Version": "v1.1.12", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/matttproud/golang_protobuf_extensions", + "Identifier": { + "PURL": "pkg:golang/github.com/matttproud/golang_protobuf_extensions@v1.0.1", + "UID": "ee423d660184c9e7" + }, + "Version": "v1.0.1", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/miekg/dns", + "Identifier": { + "PURL": "pkg:golang/github.com/miekg/dns@v1.1.29", + "UID": "65cc4961c9b6d071" + }, + "Version": "v1.1.29", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/modern-go/concurrent", + "Identifier": { + "PURL": "pkg:golang/github.com/modern-go/concurrent@v0.0.0-20180306012644-bacd9c7ef1dd", + "UID": "1ca2e3858456bd52" + }, + "Version": "v0.0.0-20180306012644-bacd9c7ef1dd", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/modern-go/reflect2", + "Identifier": { + "PURL": "pkg:golang/github.com/modern-go/reflect2@v1.0.2", + "UID": "80e98d21ea7dcfc9" + }, + "Version": "v1.0.2", + "Layer": { 
+ "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/pkg/errors", + "Identifier": { + "PURL": "pkg:golang/github.com/pkg/errors@v0.9.1", + "UID": "dca208593a7e4f63" + }, + "Version": "v0.9.1", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/prometheus/client_golang", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_golang@v1.11.1", + "UID": "ebe5b11169fa61fc" + }, + "Version": "v1.11.1", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/prometheus/client_model", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/client_model@v0.3.0", + "UID": "4839acefef220a1e" + }, + "Version": "v0.3.0", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/prometheus/common", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/common@v0.32.1", + "UID": "e5eb0f1492f4aaa1" + }, + "Version": "v0.32.1", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/prometheus/procfs", + "Identifier": { + "PURL": "pkg:golang/github.com/prometheus/procfs@v0.8.0", + "UID": "57756ded2f593e03" + }, + "Version": "v0.8.0", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": 
"sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/spf13/pflag", + "Identifier": { + "PURL": "pkg:golang/github.com/spf13/pflag@v1.0.5", + "UID": "ab2700fc268ee873" + }, + "Version": "v1.0.5", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "github.com/urfave/cli", + "Identifier": { + "PURL": "pkg:golang/github.com/urfave/cli@v1.19.1", + "UID": "2a1d9af6f15b9110" + }, + "Version": "v1.19.1", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "golang.org/x/crypto", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/crypto@v0.7.0", + "UID": "57aaef59e34a1080" + }, + "Version": "v0.7.0", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "golang.org/x/net", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.8.0", + "UID": "63dbefb5b07aa705" + }, + "Version": "v0.8.0", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "golang.org/x/oauth2", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/oauth2@v0.6.0", + "UID": "47e0ef9cce462be7" + }, + "Version": "v0.6.0", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "golang.org/x/sys", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/sys@v0.6.0", + "UID": 
"491e50488be451c6" + }, + "Version": "v0.6.0", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "golang.org/x/term", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/term@v0.6.0", + "UID": "9eea6e1aa70a8696" + }, + "Version": "v0.6.0", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "golang.org/x/text", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/text@v0.8.0", + "UID": "46739cd0a9c0ad43" + }, + "Version": "v0.8.0", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "golang.org/x/time", + "Identifier": { + "PURL": "pkg:golang/golang.org/x/time@v0.3.0", + "UID": "43f98fb4537cd2c7" + }, + "Version": "v0.3.0", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "google.golang.org/protobuf", + "Identifier": { + "PURL": "pkg:golang/google.golang.org/protobuf@v1.30.0", + "UID": "bf035b8638f138ba" + }, + "Version": "v1.30.0", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "gopkg.in/inf.v0", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/inf.v0@v0.9.1", + "UID": "13857288f23b6a38" + }, + "Version": "v0.9.1", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": 
"sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "gopkg.in/yaml.v2", + "Identifier": { + "PURL": "pkg:golang/gopkg.in/yaml.v2@v2.4.0", + "UID": "df6d2d7a08b589dd" + }, + "Version": "v2.4.0", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "k8s.io/api", + "Identifier": { + "PURL": "pkg:golang/k8s.io/api@v0.19.1", + "UID": "4df485f7cb1e0e49" + }, + "Version": "v0.19.1", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "k8s.io/apimachinery", + "Identifier": { + "PURL": "pkg:golang/k8s.io/apimachinery@v0.19.1", + "UID": "8557daf2d0b8a3c0" + }, + "Version": "v0.19.1", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "k8s.io/client-go", + "Identifier": { + "PURL": "pkg:golang/k8s.io/client-go@v0.19.1", + "UID": "c82581b71c6f1741" + }, + "Version": "v0.19.1", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "k8s.io/klog/v2", + "Identifier": { + "PURL": "pkg:golang/k8s.io/klog/v2@v2.3.0", + "UID": "fc3dd2cb8453c29e" + }, + "Version": "v2.3.0", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "k8s.io/kube-openapi", + "Identifier": { + "PURL": "pkg:golang/k8s.io/kube-openapi@v0.0.0-20200805222855-6aeccd4b50c6", + "UID": "85785ed88447426b" + 
}, + "Version": "v0.0.0-20200805222855-6aeccd4b50c6", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "k8s.io/utils", + "Identifier": { + "PURL": "pkg:golang/k8s.io/utils@v0.0.0-20200729134348-d5654de09c73", + "UID": "dda78bcddecbd4b2" + }, + "Version": "v0.0.0-20200729134348-d5654de09c73", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "sigs.k8s.io/sig-storage-lib-external-provisioner/v8", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/sig-storage-lib-external-provisioner/v8@v8.0.0", + "UID": "705d836ab682ce80" + }, + "Version": "v8.0.0", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "sigs.k8s.io/structured-merge-diff/v4", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/structured-merge-diff/v4@v4.0.1", + "UID": "9e1adf7607ce8133" + }, + "Version": "v4.0.1", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + }, + { + "Name": "sigs.k8s.io/yaml", + "Identifier": { + "PURL": "pkg:golang/sigs.k8s.io/yaml@v1.2.0", + "UID": "3c4c78fb5b3ecbb6" + }, + "Version": "v1.2.0", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + } + } + ], + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2021-3121", + "PkgName": "github.com/gogo/protobuf", + "PkgIdentifier": { + "PURL": "pkg:golang/github.com/gogo/protobuf@v1.3.1", + 
"UID": "492acb8f3215ac8a" + }, + "InstalledVersion": "v1.3.1", + "FixedVersion": "1.3.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3121", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation", + "Description": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-129" + ], + "VendorSeverity": { + "bitnami": 3, + "ghsa": 3, + "nvd": 3, + "photon": 3, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", + "V3Score": 8.6 + }, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", + "V3Score": 8.6 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", + "V2Score": 7.5, + "V3Score": 8.6 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", + "V3Score": 8.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-3121", + "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025", + "https://github.com/gogo/protobuf", + "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc", + "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2", + "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff%40%3Cnotifications.skywalking.apache.org%3E", + 
"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E", + "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e%40%3Ccommits.pulsar.apache.org%3E", + "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E", + "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44%40%3Ccommits.pulsar.apache.org%3E", + "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3121", + "https://pkg.go.dev/vuln/GO-2021-0053", + "https://security.netapp.com/advisory/ntap-20210219-0006", + "https://security.netapp.com/advisory/ntap-20210219-0006/", + "https://www.cve.org/CVERecord?id=CVE-2021-3121" + ], + "PublishedDate": "2021-01-11T06:15:13.46Z", + "LastModifiedDate": "2023-11-07T03:37:55.767Z" + }, + { + "VulnerabilityID": "CVE-2023-48795", + "PkgName": "golang.org/x/crypto", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/crypto@v0.7.0", + "UID": "57aaef59e34a1080" + }, + "InstalledVersion": "v0.7.0", + "FixedVersion": "0.17.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-48795", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "ssh: Prefix truncation attack on Binary Packet Protocol (BPP)", + "Description": "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity 
checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-354" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2, + 
"oracle-oval": 2, + "photon": 2, + "redhat": 2, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 5.9 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 5.9 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 5.9 + } + }, + "References": [ + "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html", + "http://seclists.org/fulldisclosure/2024/Mar/21", + "http://www.openwall.com/lists/oss-security/2023/12/18/3", + "http://www.openwall.com/lists/oss-security/2023/12/19/5", + "http://www.openwall.com/lists/oss-security/2023/12/20/3", + "http://www.openwall.com/lists/oss-security/2024/03/06/3", + "http://www.openwall.com/lists/oss-security/2024/04/17/8", + "https://access.redhat.com/errata/RHSA-2024:1150", + "https://access.redhat.com/security/cve/CVE-2023-48795", + "https://access.redhat.com/security/cve/cve-2023-48795", + "https://access.redhat.com/solutions/7071748", + "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack", + "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/", + "https://bugs.gentoo.org/920280", + "https://bugzilla.redhat.com/2254210", + "https://bugzilla.redhat.com/show_bug.cgi?id=2254210", + "https://bugzilla.suse.com/show_bug.cgi?id=1217950", + "https://crates.io/crates/thrussh/versions", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795", + "https://errata.almalinux.org/9/ALSA-2024-1150.html", + "https://errata.rockylinux.org/RLSA-2024:0628", + "https://filezilla-project.org/versions.php", + "https://forum.netgate.com/topic/184941/terrapin-ssh-attack", + "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10\u0026id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6", + 
"https://github.com/NixOS/nixpkgs/pull/275249", + "https://github.com/PowerShell/Win32-OpenSSH/issues/2189", + "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta", + "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0", + "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1", + "https://github.com/advisories/GHSA-45x7-px36-x8w8", + "https://github.com/apache/mina-sshd/issues/445", + "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab", + "https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22", + "https://github.com/cyd01/KiTTY/issues/520", + "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6", + "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42", + "https://github.com/erlang/otp/releases/tag/OTP-26.2.1", + "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d", + "https://github.com/hierynomus/sshj/issues/916", + "https://github.com/janmojzis/tinyssh/issues/81", + "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5", + "https://github.com/libssh2/libssh2/pull/1291", + "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25", + "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3", + "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15", + "https://github.com/mwiede/jsch/issues/457", + "https://github.com/mwiede/jsch/pull/461", + "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16", + "https://github.com/openssh/openssh-portable/commits/master", + "https://github.com/paramiko/paramiko/issues/2337", + "https://github.com/paramiko/paramiko/issues/2337#issuecomment-1887642773", + "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES", + 
"https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES", + "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES", + "https://github.com/proftpd/proftpd/issues/456", + "https://github.com/rapier1/hpn-ssh/releases", + "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst", + "https://github.com/ronf/asyncssh/security/advisories/GHSA-hfmc-7525-mj55", + "https://github.com/ronf/asyncssh/tags", + "https://github.com/ssh-mitm/ssh-mitm/issues/165", + "https://github.com/warp-tech/russh", + "https://github.com/warp-tech/russh/commit/1aa340a7df1d5be1c0f4a9e247aade76dfdd2951", + "https://github.com/warp-tech/russh/releases/tag/v0.40.2", + "https://github.com/warp-tech/russh/security/advisories/GHSA-45x7-px36-x8w8", + "https://gitlab.com/libssh/libssh-mirror/-/tags", + "https://go.dev/cl/550715", + "https://go.dev/issue/64784", + "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ", + "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg", + "https://help.panic.com/releasenotes/transmit5", + "https://help.panic.com/releasenotes/transmit5/", + "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795", + "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/", + "https://linux.oracle.com/cve/CVE-2023-48795.html", + "https://linux.oracle.com/errata/ELSA-2024-2988.html", + "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html", + "https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html", + "https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/", + "https://matt.ucc.asn.au/dropbear/CHANGES", + "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC", + "https://news.ycombinator.com/item?id=38684904", + "https://news.ycombinator.com/item?id=38685286", + "https://news.ycombinator.com/item?id=38732005", + "https://nova.app/releases/#v11.8", + "https://nvd.nist.gov/vuln/detail/CVE-2023-48795", + "https://oryx-embedded.com/download/#changelog", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002", + "https://roumenpetrov.info/secsh/#news20231220", + "https://security-tracker.debian.org/tracker/CVE-2023-48795", + "https://security-tracker.debian.org/tracker/source-package/libssh2", + "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg", + "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2", + "https://security.gentoo.org/glsa/202312-16", + "https://security.gentoo.org/glsa/202312-17", + "https://security.netapp.com/advisory/ntap-20240105-0004", + 
"https://security.netapp.com/advisory/ntap-20240105-0004/", + "https://support.apple.com/kb/HT214084", + "https://terrapin-attack.com/", + "https://thorntech.com/cve-2023-48795-and-sftp-gateway", + "https://thorntech.com/cve-2023-48795-and-sftp-gateway/", + "https://twitter.com/TrueSkrillor/status/1736774389725565005", + "https://ubuntu.com/security/CVE-2023-48795", + "https://ubuntu.com/security/notices/USN-6560-1", + "https://ubuntu.com/security/notices/USN-6560-2", + "https://ubuntu.com/security/notices/USN-6561-1", + "https://ubuntu.com/security/notices/USN-6585-1", + "https://ubuntu.com/security/notices/USN-6589-1", + "https://ubuntu.com/security/notices/USN-6598-1", + "https://ubuntu.com/security/notices/USN-6738-1", + "https://ubuntu.com/security/notices/USN-7051-1", + "https://winscp.net/eng/docs/history#6.2.2", + "https://www.bitvise.com/ssh-client-version-history#933", + "https://www.bitvise.com/ssh-server-version-history", + "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html", + "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update", + "https://www.cve.org/CVERecord?id=CVE-2023-48795", + "https://www.debian.org/security/2023/dsa-5586", + "https://www.debian.org/security/2023/dsa-5588", + "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc", + "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508", + "https://www.netsarang.com/en/xshell-update-history", + "https://www.netsarang.com/en/xshell-update-history/", + "https://www.openssh.com/openbsd.html", + "https://www.openssh.com/txt/release-9.6", + "https://www.openwall.com/lists/oss-security/2023/12/18/2", + "https://www.openwall.com/lists/oss-security/2023/12/18/3", + "https://www.openwall.com/lists/oss-security/2023/12/20/3", + "https://www.paramiko.org/changelog.html", + "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed", + 
"https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/", + "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795", + "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/", + "https://www.terrapin-attack.com", + "https://www.theregister.com/2023/12/20/terrapin_attack_ssh", + "https://www.vandyke.com/products/securecrt/history.txt" + ], + "PublishedDate": "2023-12-18T16:15:10.897Z", + "LastModifiedDate": "2024-12-02T14:54:27.177Z" + }, + { + "VulnerabilityID": "CVE-2023-39325", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.8.0", + "UID": "63dbefb5b07aa705" + }, + "InstalledVersion": "v0.8.0", + "FixedVersion": "0.17.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-39325", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)", + "Description": "A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). 
New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-770" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 3, + "azure": 3, + "bitnami": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 3, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "golang.org/x/net", + "https://access.redhat.com/errata/RHSA-2023:6077", + "https://access.redhat.com/security/cve/CVE-2023-39325", + "https://access.redhat.com/security/cve/CVE-2023-44487", + "https://bugzilla.redhat.com/2242803", + "https://bugzilla.redhat.com/2243296", + "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", + "https://bugzilla.redhat.com/show_bug.cgi?id=2243296", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39325", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487", + "https://errata.almalinux.org/9/ALSA-2023-6077.html", + "https://errata.rockylinux.org/RLSA-2023:5863", + "https://github.com/golang/go/commit/24ae2d927285c697440fdde3ad7f26028354bcf3 [golang- 1.21]", + 
"https://github.com/golang/go/commit/e175f27f58aa7b9cd4d79607ae65d2cd5baaee68 [golang-1.20]", + "https://github.com/golang/go/issues/63417", + "https://go.dev/cl/534215", + "https://go.dev/cl/534235", + "https://go.dev/issue/63417", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ", + "https://linux.oracle.com/cve/CVE-2023-39325.html", + "https://linux.oracle.com/errata/ELSA-2023-5867.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-39325", + "https://pkg.go.dev/vuln/GO-2023-2102", + "https://security.gentoo.org/glsa/202311-09", + "https://security.netapp.com/advisory/ntap-20231110-0008", + "https://security.netapp.com/advisory/ntap-20231110-0008/", + "https://ubuntu.com/security/notices/USN-6574-1", + "https://ubuntu.com/security/notices/USN-7061-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", + "https://www.cve.org/CVERecord?id=CVE-2023-39325" + ], + "PublishedDate": "2023-10-11T22:15:09.88Z", + "LastModifiedDate": "2024-04-28T04:15:09.877Z" + }, + { + "VulnerabilityID": "CVE-2023-3978", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.8.0", + "UID": "63dbefb5b07aa705" + }, + "InstalledVersion": "v0.8.0", + "FixedVersion": "0.13.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-3978", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": 
"https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang.org/x/net/html: Cross site scripting", + "Description": "Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-79" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:6474", + "https://access.redhat.com/security/cve/CVE-2023-3978", + "https://bugzilla.redhat.com/2174485", + "https://bugzilla.redhat.com/2178358", + "https://bugzilla.redhat.com/2178488", + "https://bugzilla.redhat.com/2178492", + "https://bugzilla.redhat.com/2184481", + "https://bugzilla.redhat.com/2184482", + "https://bugzilla.redhat.com/2184483", + "https://bugzilla.redhat.com/2184484", + "https://bugzilla.redhat.com/2196026", + "https://bugzilla.redhat.com/2196027", + "https://bugzilla.redhat.com/2196029", + "https://bugzilla.redhat.com/2222167", + "https://bugzilla.redhat.com/2228689", + "https://errata.almalinux.org/9/ALSA-2023-6474.html", + "https://go.dev/cl/514896", + "https://go.dev/issue/61615", + "https://linux.oracle.com/cve/CVE-2023-3978.html", + "https://linux.oracle.com/errata/ELSA-2023-6939.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-3978", + "https://pkg.go.dev/vuln/GO-2023-1988", + "https://www.cve.org/CVERecord?id=CVE-2023-3978" + ], + "PublishedDate": "2023-08-02T20:15:12.097Z", + "LastModifiedDate": "2023-11-07T04:20:03.647Z" + }, + { + "VulnerabilityID": "CVE-2023-44487", + 
"PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.8.0", + "UID": "63dbefb5b07aa705" + }, + "InstalledVersion": "v0.8.0", + "FixedVersion": "0.17.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-44487", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)", + "Description": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "azure": 3, + "bitnami": 3, + "cbl-mariner": 3, + "ghsa": 2, + "nvd": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 3 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2023/10/13/4", + "http://www.openwall.com/lists/oss-security/2023/10/13/9", + "http://www.openwall.com/lists/oss-security/2023/10/18/4", + "http://www.openwall.com/lists/oss-security/2023/10/18/8", + "http://www.openwall.com/lists/oss-security/2023/10/19/6", + 
"http://www.openwall.com/lists/oss-security/2023/10/20/8", + "https://access.redhat.com/errata/RHSA-2023:6746", + "https://access.redhat.com/security/cve/CVE-2023-44487", + "https://access.redhat.com/security/cve/cve-2023-44487", + "https://akka.io/security/akka-http-cve-2023-44487.html", + "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size", + "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/", + "https://aws.amazon.com/security/security-bulletins/AWS-2023-011", + "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", + "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack", + "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", + "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack", + "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", + "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty", + "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", + "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", + "https://blog.vespa.ai/cve-2023-44487", + "https://blog.vespa.ai/cve-2023-44487/", + "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", + "https://bugzilla.redhat.com/2242803", + "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", + "https://bugzilla.suse.com/show_bug.cgi?id=1216123", + "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", + "https://chaos.social/@icing/111210915918780532", + "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps", + "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", 
+ "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", + "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487", + "https://devblogs.microsoft.com/dotnet/october-2023-updates/", + "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715", + "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", + "https://errata.almalinux.org/9/ALSA-2023-6746.html", + "https://errata.rockylinux.org/RLSA-2023:5928", + "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", + "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", + "https://github.com/Azure/AKS/issues/3947", + "https://github.com/Kong/kong/discussions/11741", + "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "https://github.com/advisories/GHSA-vx74-f528-fxqg", + "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", + "https://github.com/akka/akka-http/issues/4323", + "https://github.com/akka/akka-http/pull/4324", + "https://github.com/akka/akka-http/pull/4325", + "https://github.com/alibaba/tengine/issues/1872", + "https://github.com/apache/apisix/issues/10320", + "https://github.com/apache/httpd-site/pull/10", + "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113", + "https://github.com/apache/tomcat/commit/944332bb15bd2f3bf76ec2caeb1ff0a58a3bc628", + "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", + "https://github.com/apache/trafficserver/pull/10564", + "https://github.com/apple/swift-nio-http2", + "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3", + "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487", + "https://github.com/bcdannyboy/CVE-2023-44487", + 
"https://github.com/caddyserver/caddy/issues/5877", + "https://github.com/caddyserver/caddy/releases/tag/v2.7.5", + "https://github.com/dotnet/announcements/issues/277", + "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73", + "https://github.com/eclipse/jetty.project/issues/10679", + "https://github.com/envoyproxy/envoy/pull/30055", + "https://github.com/etcd-io/etcd/issues/16740", + "https://github.com/facebook/proxygen/pull/466", + "https://github.com/golang/go/issues/63417", + "https://github.com/grpc/grpc-go/pull/6703", + "https://github.com/grpc/grpc-go/releases", + "https://github.com/h2o/h2o/pull/3291", + "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", + "https://github.com/haproxy/haproxy/issues/2312", + "https://github.com/hyperium/hyper/issues/3337", + "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244", + "https://github.com/junkurihara/rust-rpxy/issues/97", + "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", + "https://github.com/kazu-yamamoto/http2/issues/93", + "https://github.com/kubernetes/kubernetes/pull/121120", + "https://github.com/line/armeria/pull/5232", + "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", + "https://github.com/micrictor/http2-rst-stream", + "https://github.com/microsoft/CBL-Mariner/pull/6381", + "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", + "https://github.com/nghttp2/nghttp2/pull/1961", + "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", + "https://github.com/ninenines/cowboy/issues/1615", + "https://github.com/nodejs/node/pull/50121", + "https://github.com/openresty/openresty/issues/930", + "https://github.com/opensearch-project/data-prepper/issues/3474", + "https://github.com/oqtane/oqtane.framework/discussions/3367", + 
"https://github.com/projectcontour/contour/pull/5826", + "https://github.com/tempesta-tech/tempesta/issues/1986", + "https://github.com/varnishcache/varnish-cache/issues/3996", + "https://go.dev/cl/534215", + "https://go.dev/cl/534235", + "https://go.dev/issue/63417", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ", + "https://istio.io/latest/news/security/istio-security-2023-004", + "https://istio.io/latest/news/security/istio-security-2023-004/", + "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487", + "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/", + "https://linux.oracle.com/cve/CVE-2023-44487.html", + "https://linux.oracle.com/errata/ELSA-2024-1444.html", + "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", + 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4", + 
"https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html", + "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", + "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", + "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2", + "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", + "https://my.f5.com/manage/s/article/K000137106", + "https://netty.io/news/2023/10/10/4-1-100-Final.html", + "https://news.ycombinator.com/item?id=37830987", + "https://news.ycombinator.com/item?id=37830998", + "https://news.ycombinator.com/item?id=37831062", + "https://news.ycombinator.com/item?id=37837043", + "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases", + "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", + "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response", + "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", + "https://pkg.go.dev/vuln/GO-2023-2102", + "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", + "https://security.gentoo.org/glsa/202311-09", + "https://security.netapp.com/advisory/ntap-20231016-0001", + "https://security.netapp.com/advisory/ntap-20231016-0001/", + "https://security.netapp.com/advisory/ntap-20240426-0007", + "https://security.netapp.com/advisory/ntap-20240426-0007/", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://security.paloaltonetworks.com/CVE-2023-44487", + 
"https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14", + "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.0-M12", + "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.94", + "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.81", + "https://ubuntu.com/security/CVE-2023-44487", + "https://ubuntu.com/security/notices/USN-6427-1", + "https://ubuntu.com/security/notices/USN-6427-2", + "https://ubuntu.com/security/notices/USN-6438-1", + "https://ubuntu.com/security/notices/USN-6505-1", + "https://ubuntu.com/security/notices/USN-6574-1", + "https://ubuntu.com/security/notices/USN-6754-1", + "https://ubuntu.com/security/notices/USN-6994-1", + "https://ubuntu.com/security/notices/USN-7067-1", + "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records", + "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", + "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", + "https://www.cve.org/CVERecord?id=CVE-2023-44487", + "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", + "https://www.debian.org/security/2023/dsa-5521", + "https://www.debian.org/security/2023/dsa-5522", + "https://www.debian.org/security/2023/dsa-5540", + "https://www.debian.org/security/2023/dsa-5549", + "https://www.debian.org/security/2023/dsa-5558", + "https://www.debian.org/security/2023/dsa-5570", + "https://www.eclipse.org/lists/jetty-announce/msg00181.html", + "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", + "https://www.mail-archive.com/haproxy@formilux.org/msg44134.html", + "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487", + 
"https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/", + "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products", + "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", + "https://www.openwall.com/lists/oss-security/2023/10/10/6", + "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", + "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday", + "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/" + ], + "PublishedDate": "2023-10-10T14:15:10.883Z", + "LastModifiedDate": "2024-08-14T19:57:18.86Z" + }, + { + "VulnerabilityID": "CVE-2023-45288", + "PkgName": "golang.org/x/net", + "PkgIdentifier": { + "PURL": "pkg:golang/golang.org/x/net@v0.8.0", + "UID": "63dbefb5b07aa705" + }, + "InstalledVersion": "v0.8.0", + "FixedVersion": "0.23.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-45288", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS", + "Description": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. 
These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 3, + "amazon": 2, + "azure": 3, + "bitnami": 3, + "cbl-mariner": 3, + "ghsa": 2, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/04/03/16", + "http://www.openwall.com/lists/oss-security/2024/04/05/4", + "https://access.redhat.com/errata/RHSA-2024:2724", + "https://access.redhat.com/security/cve/CVE-2023-45288", + "https://bugzilla.redhat.com/2268017", + "https://bugzilla.redhat.com/2268018", + "https://bugzilla.redhat.com/2268019", + "https://bugzilla.redhat.com/2268273", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268017", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268018", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268019", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268273", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45288", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45289", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45290", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24783", + "https://errata.almalinux.org/9/ALSA-2024-2724.html", + "https://errata.rockylinux.org/RLSA-2024:3346", + "https://go.dev/cl/576155", + "https://go.dev/issue/65051", + "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M", + "https://kb.cert.org/vuls/id/421644", + 
"https://linux.oracle.com/cve/CVE-2023-45288.html", + "https://linux.oracle.com/errata/ELSA-2024-3346.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/", + "https://nowotarski.info/http2-continuation-flood-technical-details", + "https://nowotarski.info/http2-continuation-flood/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-45288", + "https://pkg.go.dev/vuln/GO-2024-2687", + "https://security.netapp.com/advisory/ntap-20240419-0009", + "https://security.netapp.com/advisory/ntap-20240419-0009/", + "https://ubuntu.com/security/notices/USN-6886-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2023-45288", + "https://www.kb.cert.org/vuls/id/421644" + ], + "PublishedDate": "2024-04-04T21:15:16.113Z", + "LastModifiedDate": "2024-08-26T21:35:02.457Z" + }, + { + "VulnerabilityID": "CVE-2024-24786", + "PkgName": "google.golang.org/protobuf", + "PkgIdentifier": { + "PURL": "pkg:golang/google.golang.org/protobuf@v1.30.0", + "UID": "bf035b8638f138ba" + }, + "InstalledVersion": "v1.30.0", + "FixedVersion": "1.33.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-24786", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON", + "Description": "The 
protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 3, + "cbl-mariner": 3, + "ghsa": 2, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/03/08/4", + "https://access.redhat.com/errata/RHSA-2024:2550", + "https://access.redhat.com/security/cve/CVE-2024-24786", + "https://bugzilla.redhat.com/2268046", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24786", + "https://errata.almalinux.org/9/ALSA-2024-2550.html", + "https://errata.rockylinux.org/RLSA-2024:2550", + "https://github.com/protocolbuffers/protobuf-go", + "https://github.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023", + "https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0", + "https://go-review.googlesource.com/c/protobuf/+/569356", + "https://go.dev/cl/569356", + "https://groups.google.com/g/golang-announce/c/ArQ6CDgtEjY/", + "https://linux.oracle.com/cve/CVE-2024-24786.html", + "https://linux.oracle.com/errata/ELSA-2024-4246.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU/", + "https://nvd.nist.gov/vuln/detail/CVE-2024-24786", + "https://pkg.go.dev/vuln/GO-2024-2611", + "https://security.netapp.com/advisory/ntap-20240517-0002", + 
"https://security.netapp.com/advisory/ntap-20240517-0002/", + "https://ubuntu.com/security/notices/USN-6746-1", + "https://ubuntu.com/security/notices/USN-6746-2", + "https://www.cve.org/CVERecord?id=CVE-2024-24786" + ], + "PublishedDate": "2024-03-05T23:15:07.82Z", + "LastModifiedDate": "2024-11-07T17:35:15.08Z" + }, + { + "VulnerabilityID": "CVE-2020-8565", + "PkgName": "k8s.io/client-go", + "PkgIdentifier": { + "PURL": "pkg:golang/k8s.io/client-go@v0.19.1", + "UID": "c82581b71c6f1741" + }, + "InstalledVersion": "v0.19.1", + "FixedVersion": "0.19.6, 0.20.0-alpha.2, 0.18.14, 0.17.16", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8565", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel \u003e= 9", + "Description": "In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. 
This affects \u003c= v1.19.3, \u003c= v1.18.10, \u003c= v1.17.13, \u003c v1.20.0-alpha2.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-532" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 2, + "k8s": 2, + "nvd": 2, + "photon": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 4.7 + }, + "k8s": { + "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 4.7 + }, + "nvd": { + "V2Vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V2Score": 2.1, + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-8565", + "https://github.com/kubernetes/client-go", + "https://github.com/kubernetes/client-go/commit/19875a3d5a2e0d4f51c976a9e0662de3c2c011e3", + "https://github.com/kubernetes/client-go/commit/1b8383fc150c9b816b0072032cca75754c2734d0", + "https://github.com/kubernetes/client-go/commit/44e1a07f2d513e375c4b6ee6e890040b47befe86", + "https://github.com/kubernetes/client-go/commit/e8f871a2e5fadf90fc114565abc0963967f1a373", + "https://github.com/kubernetes/kubernetes/commit/e99df0e5a75eb6e86123b56d53e9b7ca0fd00419", + "https://github.com/kubernetes/kubernetes/issues/95623", + "https://github.com/kubernetes/kubernetes/pull/95316", + "https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk", + "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ", + "https://nvd.nist.gov/vuln/detail/CVE-2020-8565", + "https://pkg.go.dev/vuln/GO-2021-0064", + "https://www.cve.org/CVERecord?id=CVE-2020-8565", + "https://www.cve.org/cverecord?id=CVE-2020-8565" + ], + "PublishedDate": "2020-12-07T22:15:21.4Z", + "LastModifiedDate": "2020-12-08T19:51:09.167Z" + }, + { + "VulnerabilityID": "CVE-2024-34156", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": 
"pkg:golang/stdlib@v1.22.6", + "UID": "3b62669ee248784c" + }, + "InstalledVersion": "v1.22.6", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34156", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion", + "Description": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.", + "Severity": "HIGH", + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9473", + "https://access.redhat.com/security/cve/CVE-2024-34156", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2318052", + "https://bugzilla.redhat.com/show_bug.cgi?id=2262921", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1394", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://errata.almalinux.org/9/ALSA-2024-9473.html", + "https://errata.rockylinux.org/RLSA-2024:7262", + "https://github.com/golang/go/commit/2092294f2b097c5828f4eace6c98a322c1510b01 (go1.22.7)", + "https://github.com/golang/go/commit/fa8ff1a46deb6c816304441ec6740ec112e19012 (go1.23.1)", + 
"https://go.dev/cl/611239", + "https://go.dev/issue/69139", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34156.html", + "https://linux.oracle.com/errata/ELSA-2024-9473.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34156", + "https://pkg.go.dev/vuln/GO-2024-3106", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34156" + ], + "PublishedDate": "2024-09-06T21:15:12.02Z", + "LastModifiedDate": "2024-09-09T15:35:07.573Z" + }, + { + "VulnerabilityID": "CVE-2024-34155", + "PkgName": "stdlib", + "PkgIdentifier": { + "PURL": "pkg:golang/stdlib@v1.22.6", + "UID": "3b62669ee248784c" + }, + "InstalledVersion": "v1.22.6", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34155", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "go/parser: golang: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion", + "Description": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 2, + "oracle-oval": 3, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 4.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + 
"References": [ + "https://access.redhat.com/errata/RHSA-2024:9459", + "https://access.redhat.com/security/cve/CVE-2024-34155", + "https://bugzilla.redhat.com/2310527", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2310529", + "https://bugzilla.redhat.com/2315691", + "https://bugzilla.redhat.com/2315887", + "https://bugzilla.redhat.com/2317458", + "https://bugzilla.redhat.com/2317467", + "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310527", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310529", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34155", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34158", + "https://errata.almalinux.org/9/ALSA-2024-9459.html", + "https://errata.rockylinux.org/RLSA-2024:6913", + "https://github.com/golang/go/commit/53487e5477151ed75da50e50a0ba8f1ca64c00a3 (go1.23.1)", + "https://github.com/golang/go/commit/b232596139dbe96a62edbe3a2a203e856bf556eb (go1.22.7)", + "https://go.dev/cl/611238", + "https://go.dev/issue/69138", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34155.html", + "https://linux.oracle.com/errata/ELSA-2024-9459.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34155", + "https://pkg.go.dev/vuln/GO-2024-3105", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34155" + ], + "PublishedDate": "2024-09-06T21:15:11.947Z", + "LastModifiedDate": "2024-11-04T17:35:17.887Z" + }, + { + "VulnerabilityID": "CVE-2024-34158", + "PkgName": "stdlib", + "PkgIdentifier": { + 
"PURL": "pkg:golang/stdlib@v1.22.6", + "UID": "3b62669ee248784c" + }, + "InstalledVersion": "v1.22.6", + "FixedVersion": "1.22.7, 1.23.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:d841786546c69eb9f3f937b050b6f51480e5a7f0a86b10b656e0f264d51643a1", + "DiffID": "sha256:a1d0b7cdfe8fe916c89f11e20c7234c70eb8b04d238de99fb09488230a7b9988" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34158", + "DataSource": { + "ID": "govulndb", + "Name": "The Go Vulnerability Database", + "URL": "https://pkg.go.dev/vuln/" + }, + "Title": "go/build/constraint: golang: Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion", + "Description": "Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:9459", + "https://access.redhat.com/security/cve/CVE-2024-34158", + "https://bugzilla.redhat.com/2310527", + "https://bugzilla.redhat.com/2310528", + "https://bugzilla.redhat.com/2310529", + "https://bugzilla.redhat.com/2315691", + "https://bugzilla.redhat.com/2315887", + "https://bugzilla.redhat.com/2317458", + "https://bugzilla.redhat.com/2317467", + "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310527", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310528", + "https://bugzilla.redhat.com/show_bug.cgi?id=2310529", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34155", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34158", + "https://errata.almalinux.org/9/ALSA-2024-9459.html", + "https://errata.rockylinux.org/RLSA-2024:6913", + "https://github.com/golang/go/commit/032ac075c20c01c6c35a672d1542d3e98eab84ea (go1.23.1)", + "https://github.com/golang/go/commit/d4c53812e6ce2ac368173d7fcd31d0ecfcffb002 (go1.22.7)", + "https://go.dev/cl/611240", + "https://go.dev/issue/69141", + "https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc", + "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", + "https://linux.oracle.com/cve/CVE-2024-34158.html", + "https://linux.oracle.com/errata/ELSA-2024-9459.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34158", + "https://pkg.go.dev/vuln/GO-2024-3107", + "https://ubuntu.com/security/notices/USN-7081-1", + "https://ubuntu.com/security/notices/USN-7109-1", + "https://ubuntu.com/security/notices/USN-7111-1", + "https://www.cve.org/CVERecord?id=CVE-2024-34158" + ], + "PublishedDate": "2024-09-06T21:15:12.083Z", + "LastModifiedDate": "2024-09-09T14:35:01.17Z" + } + ] + } + ] + } + ] +}