aquasecurity / kube-hunter

Hunt for security weaknesses in Kubernetes clusters
Apache License 2.0

Switched CVE Hunting to optional & Minor core feature #482

Closed. danielsagi closed this 2 years ago

danielsagi commented 2 years ago

Optional CVE Hunting

Until today, CVE hunting was done automatically in kube-hunter. This resulted in users getting some false positives on specific Kubernetes versions (vendor specific).

Due to today's many different Kubernetes vendors, it is hard for kube-hunter to say for certain whether a cluster is vulnerable just from the K8s version leak it finds. In any case, kube-hunter is not designed to detect CVEs; this is just a bonus feature.

So as not to confuse users, we made CVE hunting optional, with the new flag --enable-cve-hunting. If you really want to scan for CVEs you should switch this flag on (note the possibility of false positives).

Core Feature Addition

In order to make the CVE hunter optionally register with the handler based on a predefined flag, we needed to add a minor feature to the subscribe mechanism.

Now if you want to condition the hunter registration, you can pass the parameter is_register to the subscribe decorator. Example:

# The hunter is only registered when the enable_cve_hunting flag is set.
@handler.subscribe_once(K8sVersionDisclosure, is_register=config.enable_cve_hunting)
class K8sClusterCveHunter(Hunter):

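The conditional registration described in the PR text above, as an added example that is not kube-hunter's code: a minimal model of an event bus whose subscribe / subscribe_once decorators accept an is_register flag, so the effect of the flag can be run offline. The Event, Hunter, EventQueue and Config classes and the run_scan helper are assumptions standing in for the project's own types; only the names K8sVersionDisclosure, K8sClusterCveHunter, subscribe_once, is_register and enable_cve_hunting come from the PR description. The two version strings are constructed sample input.

```python
"""Minimal model of conditional hunter registration (added example, not kube-hunter code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, DefaultDict, List, Set, Type


class Event:
    """Base class for anything published on the bus (assumed stand-in)."""


@dataclass
class K8sVersionDisclosure(Event):
    version: str        # e.g. "v1.18.9", or a vendor build string such as "v1.18.9-eks-d1db3c"
    from_endpoint: str  # where the version string leaked from


class Hunter:
    """A subscriber; instantiated with the event that triggered it (assumed stand-in)."""

    def __init__(self, event: Event) -> None:
        self.event = event

    def execute(self) -> None:
        raise NotImplementedError


@dataclass
class Config:
    """Stand-in for the parsed CLI options (assumed); CVE hunting is off by default."""
    enable_cve_hunting: bool = False


class EventQueue:
    """Toy event bus exposing subscribe / subscribe_once decorators (assumed stand-in)."""

    def __init__(self) -> None:
        self._subs: DefaultDict[Type[Event], List[Type[Hunter]]] = defaultdict(list)
        self._once: Set[Type[Hunter]] = set()   # hunters limited to one run per scan
        self._fired: Set[Type[Hunter]] = set()  # once-hunters that already ran

    def subscribe(self, event_type: Type[Event], is_register: bool = True) -> Callable:
        """Register the decorated hunter for event_type unless is_register is False.

        is_register is evaluated when the class statement runs, i.e. at import time
        of the hunter module, so the config must already be populated by then.
        """
        def decorator(hunter_cls: Type[Hunter]) -> Type[Hunter]:
            if is_register:
                self._subs[event_type].append(hunter_cls)
            return hunter_cls  # the class still exists either way; it just never fires
        return decorator

    def subscribe_once(self, event_type: Type[Event], is_register: bool = True) -> Callable:
        """Like subscribe, but the hunter runs at most once per EventQueue."""
        def decorator(hunter_cls: Type[Hunter]) -> Type[Hunter]:
            if is_register:
                self._subs[event_type].append(hunter_cls)
                self._once.add(hunter_cls)
            return hunter_cls
        return decorator

    def publish(self, event: Event) -> List[Hunter]:
        """Dispatch event to every matching hunter and return the hunters that ran."""
        ran: List[Hunter] = []
        for event_type, hunters in self._subs.items():
            if not isinstance(event, event_type):
                continue
            for hunter_cls in hunters:
                if hunter_cls in self._once and hunter_cls in self._fired:
                    continue
                self._fired.add(hunter_cls)
                hunter = hunter_cls(event)
                hunter.execute()
                ran.append(hunter)
        return ran


def run_scan(config: Config, versions: List[str]) -> List[str]:
    """Define the CVE hunter under the flag, publish one disclosure per version,
    and return "<hunter>:<version>" for every hunter invocation."""
    handler = EventQueue()

    # Same shape as the decorator usage quoted in the PR description.
    @handler.subscribe_once(K8sVersionDisclosure, is_register=config.enable_cve_hunting)
    class K8sClusterCveHunter(Hunter):
        """Stand-in for the real CVE hunter: it only records the version it was handed."""
        def execute(self) -> None:
            self.seen = self.event.version

    results: List[str] = []
    for v in versions:
        for hunter in handler.publish(K8sVersionDisclosure(version=v, from_endpoint="/version")):
            results.append(f"{type(hunter).__name__}:{hunter.seen}")
    return results


if __name__ == "__main__":
    leaks = ["v1.18.9", "v1.18.9-eks-d1db3c"]  # constructed sample version strings
    print("default flags       :", run_scan(Config(), leaks))  # []
    print("--enable-cve-hunting:", run_scan(Config(enable_cve_hunting=True), leaks))
```

With the flag off the hunter class is still defined but never appears in the subscription table, so publishing a version disclosure runs nothing; with the flag on it runs exactly once even though two disclosures are published, which is the subscribe_once behaviour. Because is_register is read when the class statement executes, the flag has to hold its final value before the module defining the hunter is imported; parsing the config afterwards would leave the hunter unregistered.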

CLAassistant commented 2 years ago

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

codecov[bot] commented 2 years ago

Codecov Report

Merging #482 (f4c1e38) into main (8d045fb) will increase coverage by 0.05%. The diff coverage is 94.11%.


@@            Coverage Diff             @@
##             main     #482      +/-   ##
==========================================
+ Coverage   64.66%   64.72%   +0.05%     
==========================================
  Files          46       46              
  Lines        2502     2509       +7     
==========================================
+ Hits         1618     1624       +6     
- Misses        884      885       +1     
Impacted Files                        Coverage Δ
kube_hunter/core/events/handler.py    90.13% <91.66%>  (-0.41%)
kube_hunter/conf/__init__.py          96.42% <100.00%> (+0.13%)
kube_hunter/conf/parser.py            80.00% <100.00%> (+0.68%)
kube_hunter/modules/hunting/cves.py   78.30% <100.00%> (+0.20%)


Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update 8d045fb...f4c1e38.