VulnerabilityReport

The VulnerabilityReport object represents the list of vulnerabilities found in the container image of a given pod's container. For a multi-container workload trivy-operator creates one VulnerabilityReport per container in the pod's namespace, with the owner reference set to the pod, so the reports are garbage-collected together with it. Each report follows the naming convention pod-<pod name>-container-<container name>.

The following example object shows a VulnerabilityReport for the Pod named nginx and its nginx container:

apiVersion: trivy-operator.devopstales.io/v1
kind: VulnerabilityReport
metadata:
  labels:
    trivy-operator.container.name: nginx
    trivy-operator.pod.name: nginx
    trivy-operator.pod.namespace: trivytest
  name: pod-nginx-container-nginx
  namespace: trivytest
  ownerReferences:
  - apiVersion: v1
    blockOwnerDeletion: false
    controller: true
    kind: Pod
    name: nginx
    uid: c8990780-3989-4ddb-b9ff-725f4d10b57e
  uid: 6d515558-5d0f-439d-b85d-bb0ad4ee4fce
report:
  artifact:
    repository: library/nginx
    tag: latest
  registry:
    server: docker.io
  summary:
    criticalCount: 64
    highCount: 149
    lowCount: 188
    mediumCount: 103
    status: OK
    unknownCount: 12
  vulnerabilities:
  - installedVersion: 1.4.8
    links:
    - http://www.securityfocus.com/bid/106690
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3462
    - https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E
    - https://lists.debian.org/debian-lts-announce/2019/01/msg00013.html
    - https://lists.debian.org/debian-lts-announce/2019/01/msg00014.html
    - https://security.netapp.com/advisory/ntap-20190125-0002/
    - https://ubuntu.com/security/notices/USN-3863-1
    - https://ubuntu.com/security/notices/USN-3863-2
    - https://usn.ubuntu.com/3863-1/
    - https://usn.ubuntu.com/3863-2/
    - https://www.debian.org/security/2019/dsa-4371
    primaryLink: https://avd.aquasec.com/nvd/cve-2019-3462
    resource: apt
    score: 8.1
    severity: HIGH
    title: Incorrect sanitation of the 302 redirect field in HTTP transport metho
      ...
    vulnerabilityID: CVE-2019-3462
  - installedVersion: 1.4.8
    links:
    - https://access.redhat.com/security/cve/CVE-2020-27350
    - https://bugs.launchpad.net/bugs/1899193
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27350
    - https://security.netapp.com/advisory/ntap-20210108-0005/
    - https://ubuntu.com/security/notices/USN-4667-1
    - https://ubuntu.com/security/notices/USN-4667-2
    - https://usn.ubuntu.com/usn/usn-4667-1
    - https://www.debian.org/security/2020/dsa-4808
    primaryLink: https://avd.aquasec.com/nvd/cve-2020-27350
    resource: apt
    score: 5.7
    severity: MEDIUM
    title: 'apt: integer overflows and underflows while parsing .deb packages'
    vulnerabilityID: CVE-2020-27350
  - installedVersion: 1.4.8
    links:
    - https://bugs.launchpad.net/bugs/1878177
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3810
    - https://github.com/Debian/apt/issues/111
    - https://github.com/julian-klode/apt/commit/de4efadc3c92e26d37272fd310be148ec61dcf36
    - https://lists.debian.org/debian-security-announce/2020/msg00089.html
    - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U4PEH357MZM2SUGKETMEHMSGQS652QHH/
    - https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6
    - https://salsa.debian.org/jak/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6
    - https://tracker.debian.org/news/1144109/accepted-apt-212-source-into-unstable/
    - https://ubuntu.com/security/notices/USN-4359-1
    - https://ubuntu.com/security/notices/USN-4359-2
    - https://usn.ubuntu.com/4359-1/
    - https://usn.ubuntu.com/4359-2/
    primaryLink: https://avd.aquasec.com/nvd/cve-2020-3810
    resource: apt
    score: 5.5
    severity: MEDIUM
    title: Missing input validation in the ar/tar implementations of APT before v
      ...
    vulnerabilityID: CVE-2020-3810
...

The following example object shows the report written when the image scan itself fails. Note that summary.status is ERROR, all severity counts are zero, and the vulnerabilities list holds a single placeholder entry with severity ERROR and an empty vulnerabilityID; such a report must not be read as "no findings":

apiVersion: trivy-operator.devopstales.io/v1
kind: VulnerabilityReport
metadata:
  labels:
    trivy-operator.container.name: nginx
    trivy-operator.pod.name: nginx
    trivy-operator.pod.namespace: trivytest
  name: pod-nginx-container-nginx
  namespace: trivytest
  ownerReferences:
  - apiVersion: v1
    blockOwnerDeletion: false
    controller: true
    kind: Pod
    name: nginx
    uid: c8990780-3989-4ddb-b9ff-725f4d10b57e
  uid: 6d515558-5d0f-439d-b85d-bb0ad4ee4fce
report:
  artifact:
    repository: library/nginx
    tag: latest
  registry:
    server: docker.io
  summary:
    criticalCount: 0
    highCount: 0
    lowCount: 0
    mediumCount: 0
    status: ERROR
    unknownCount: 0
  vulnerabilities:
  - installedVersion: ""
    links: []
    primaryLink: ""
    resource: ""
    score: 0
    severity: ERROR
    title: Image Scanning Error
    vulnerabilityID: ""

The following listing shows the VulnerabilityReport objects as printed by the kubectl CLI (the STATUS column exposes summary.status, so failed scans stand out next to successful ones):

kubectl get vulns
NAMESPACE   NAME                                    REPOSITORY       TAG      AGE   STATUS
trivytest   pod-nginx-container-init                library/alpine   latest   22s   OK
trivytest   pod-nginx-container-init2               library/ubuntu   latest   21s   OK
trivytest   pod-nginx-container-nginx               library/nginx    latest   23s   OK
trivytest   pod-nginx-container-nginx-bad           nginx            bad      22s   ERROR
trivytest   pod-nginx-shiwa-container-nginx-shiwa   bob/nginx        latest   20s   OK
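The listing above is what an operator reads by eye; a CI gate or admission check wants the same data programmatically. The following Python script is an added example and is not part of trivy-operator: it consumes the JSON that `kubectl get vulns -A -o json` prints, separates failed scans (summary.status ERROR) from real results so that an unscanned image is never mistaken for a clean one, and gates the real results on the summary counters at or above a chosen severity, citing the matching CVE IDs from the vulnerabilities list as evidence. The file name gate.py, the SEVERITY_RANK ordering and the embedded sample input (a trimmed copy of the two report objects above plus the nginx:bad entry from the listing) are constructed for this example.

```python
"""Consume trivy-operator VulnerabilityReport objects offline.

Added example (not part of trivy-operator): reads the JSON that
`kubectl get vulns -A -o json` prints, separates failed scans
(report.summary.status == ERROR) from real results, and gates the
real results on a severity threshold using the summary counters.
"""
import json
import sys

# Ranking used for the threshold (an assumption of this example). UNKNOWN is
# ranked above LOW on purpose so unrated findings are not waved through at
# fail_on="MEDIUM".
SEVERITY_RANK = {"LOW": 1, "UNKNOWN": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}


def _report(name, repo, tag, summary, vulns):
    # Builder for the constructed sample below; mirrors the object shape on the page.
    return {
        "apiVersion": "trivy-operator.devopstales.io/v1",
        "kind": "VulnerabilityReport",
        "metadata": {"name": f"pod-nginx-container-{name}", "namespace": "trivytest",
                     "labels": {"trivy-operator.container.name": name,
                                "trivy-operator.pod.name": "nginx",
                                "trivy-operator.pod.namespace": "trivytest"},
                     "ownerReferences": [{"apiVersion": "v1", "kind": "Pod",
                                          "name": "nginx", "controller": True}]},
        "report": {"artifact": {"repository": repo, "tag": tag},
                   "registry": {"server": "docker.io"},
                   "summary": summary, "vulnerabilities": vulns},
    }


# Constructed sample input: a trimmed copy of the OK report plus the failed
# nginx:bad scan, in the List envelope `kubectl get ... -o json` emits. The
# counts exceed the listed entries because the vulnerabilities array is cut down.
SAMPLE_KUBECTL_JSON = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    _report("nginx", "library/nginx", "latest",
            {"status": "OK", "criticalCount": 64, "highCount": 149,
             "mediumCount": 103, "lowCount": 188, "unknownCount": 12},
            [{"vulnerabilityID": "CVE-2019-3462", "resource": "apt",
              "installedVersion": "1.4.8", "severity": "HIGH", "score": 8.1},
             {"vulnerabilityID": "CVE-2020-27350", "resource": "apt",
              "installedVersion": "1.4.8", "severity": "MEDIUM", "score": 5.7}]),
    _report("nginx-bad", "nginx", "bad",
            {"status": "ERROR", "criticalCount": 0, "highCount": 0,
             "mediumCount": 0, "lowCount": 0, "unknownCount": 0},
            [{"vulnerabilityID": "", "resource": "", "installedVersion": "",
              "severity": "ERROR", "score": 0, "title": "Image Scanning Error"}]),
]})


def image_ref(report):
    """Rebuild the scanned image reference from report.registry and report.artifact."""
    art = report["artifact"]
    return f"{report['registry']['server']}/{art['repository']}:{art['tag']}"


def evaluate_reports(kubectl_json, fail_on="HIGH"):
    """Classify every report as a failed scan, a violation or a pass.

    A failed scan has summary.status ERROR and all counts zero; treating it
    like an OK report with zero findings would let an unscanned image through,
    so it is always listed separately, whatever fail_on is.
    """
    if fail_on not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {fail_on!r}")
    threshold = SEVERITY_RANK[fail_on]
    gated = [s for s, rank in SEVERITY_RANK.items() if rank >= threshold]
    result = {"failed_scans": [], "violations": [], "passed": []}
    for item in json.loads(kubectl_json)["items"]:
        meta, report = item["metadata"], item["report"]
        key = f"{meta['namespace']}/{meta['name']}"
        summary = report["summary"]
        if summary["status"] != "OK":
            result["failed_scans"].append(key)
            continue
        # Gate on the summary counters, which cover the whole scan even when the
        # vulnerabilities array is long; list the matching CVE IDs as evidence.
        count = sum(summary[f"{s.lower()}Count"] for s in gated)
        if count == 0:
            result["passed"].append(key)
            continue
        cves = sorted(v["vulnerabilityID"] for v in report["vulnerabilities"]
                      if v["severity"] in gated)
        result["violations"].append({"report": key, "image": image_ref(report),
                                     "count": count, "cves": cves})
    return result


if __name__ == "__main__":
    # Usage: kubectl get vulns -A -o json | python3 gate.py [LOW|MEDIUM|HIGH|CRITICAL]
    # Without piped input the constructed sample is evaluated instead.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KUBECTL_JSON
    outcome = evaluate_reports(raw, sys.argv[1] if len(sys.argv) > 1 else "HIGH")
    print(json.dumps(outcome, indent=2))
    sys.exit(1 if outcome["failed_scans"] or outcome["violations"] else 0)
```

The gate fails on failed scans as well as on violations: a scan error is an unknown state, not a passing one, and a pipeline that only looks at the severity counters would wave the nginx:bad image through with five zeros. Gating on the summary counters rather than the vulnerabilities array keeps the decision correct even if a report's findings list is later shortened or paginated; the CVE IDs are attached only to make the violation actionable.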