Closed danielsagi closed 2 years ago
Merging #482 (f4c1e38) into main (8d045fb) will increase coverage by 0.05%. The diff coverage is 94.11%.
@@ Coverage Diff @@
## main #482 +/- ##
==========================================
+ Coverage 64.66% 64.72% +0.05%
==========================================
Files 46 46
Lines 2502 2509 +7
==========================================
+ Hits 1618 1624 +6
- Misses 884 885 +1
Impacted Files | Coverage Δ | |
---|---|---|
kube_hunter/core/events/handler.py | 90.13% <91.66%> (-0.41%) | :arrow_down: |
kube_hunter/conf/__init__.py | 96.42% <100.00%> (+0.13%) | :arrow_up: |
kube_hunter/conf/parser.py | 80.00% <100.00%> (+0.68%) | :arrow_up: |
kube_hunter/modules/hunting/cves.py | 78.30% <100.00%> (+0.20%) | :arrow_up: |
Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Optional CVE Hunting
Until today, CVE hunting was done automatically in kube-hunter. This resulted in users getting some false positives on specific Kubernetes versions (vendor specific).
Due to today's many different Kubernetes vendors, it is hard for kube-hunter to say for certain if a cluster is vulnerable just from the K8s version leak it finds. In any case, kube-hunter is not designed to detect CVEs, this is just a bonus feature.
So to not make users confused, we made CVE hunting optional, with the new flag `--enable-cve-hunting`.
If you really want to scan CVEs you should switch this flag on. (note for possible False Positives)

Core Feature Addition
In order to make the CVE hunter optionally register to the handler based on a predefined flag, we needed to add a minor feature to the subscribe mechanism.
Now if you want to condition the hunter registration, you can pass the parameter `is_register` to the subscribe decorator. Example:

Contribution checklist
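
The conditional registration described under Core Feature Addition, sketched as an added example (not code from this PR or from kube-hunter). `EventHandler`, `VersionDisclosure`, `Hunter`, `scan` and the two hunter classes are hypothetical stand-ins; only the `is_register` parameter name and the subscribe-decorator idea come from the description above.

```python
from collections import defaultdict


class EventHandler:
    """Toy publish/subscribe registry (hypothetical, not kube-hunter's handler)."""

    def __init__(self):
        self.hooks = defaultdict(list)  # event class -> subscribed hunter classes

    def subscribe(self, event, is_register=True):
        """Class decorator; registration is skipped when is_register is False."""
        def wrapper(hunter):
            if is_register:
                self.hooks[event].append(hunter)
            return hunter  # class stays importable and unit-testable either way
        return wrapper

    def publish(self, event):
        """Run every hunter subscribed to this event type and collect findings."""
        findings = []
        for hunter in self.hooks[type(event)]:
            findings.extend(hunter(event).execute())
        return findings


class VersionDisclosure:  # constructed event carrying a leaked version string
    def __init__(self, version):
        self.version = version


class Hunter:
    def __init__(self, event):
        self.event = event


def scan(enable_cve_hunting, version="v0.0.0-constructed"):
    """Build a handler as a CLI flag would and publish one version event."""
    handler = EventHandler()

    @handler.subscribe(VersionDisclosure)
    class VersionReporter(Hunter):
        def execute(self):
            return [f"version disclosed: {self.event.version}"]

    @handler.subscribe(VersionDisclosure, is_register=enable_cve_hunting)
    class CveHunter(Hunter):
        def execute(self):
            return [f"possible CVE for {self.event.version}, verify with vendor"]
    return handler.publish(VersionDisclosure(version))
```

With the flag off, the version disclosure is still reported but the CVE hunter never runs, so no version-based CVE guess reaches the report.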