kubernetes / sig-security

Process documentation, non-code deliverables, and miscellaneous artifacts of Kubernetes SIG Security
Apache License 2.0

Scan `kubernetes/kubernetes` with `govulncheck` #95

Open PushkarJ opened 11 months ago

PushkarJ commented 11 months ago

Background: Today we have scanning implemented using snyk. It has worked quite well with the addition of some smart optimizations to reduce false positives.

The Go team recently released https://go.dev/blog/govulncheck v1.0.0. It promises to provide prioritized vulnerability scanning for CVEs that affect the functions that the code is calling. This is promising in terms of having a really, really low false positive rate, since most vulnerability scan reports are in general notoriously hard to wrangle.

Use cases: We have three real workflows for injecting this type of scanning:

  1. On k/k PRs: Create a diff between the vulnerability scan report run on the master branch and the one run on the HEAD (current) branch. If the diff is non-zero, fail the pre-merge test. This can be run at symbol or module level depending on the context of the PR
  2. On k/k master periodically: Run every few hours to get a sense of vulnerability impact for tip of the contributions
  3. On k/k release branches: Run every few hours to get a sense of vulnerability impact for release branches so cherry-picks can be created as needed

Tasklist

How it works

Example output on August 4, 2023

demo$ govulncheck ./...
Using go1.20.6 and govulncheck@v1.0.0 with vulnerability data from https://vuln.go.dev (last modified 2023-08-02 20:33:39 +0000 UTC).

Scanning your code and 1968 packages across 204 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2023-1987
    Large RSA keys can cause high CPU usage in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2023-1987
  Standard library
    Found in: crypto/tls@go1.20.6
    Fixed in: crypto/tls@go1.21rc4
    Example traces found:
      #1: pkg/kubelet/server/server.go:234:24: server.ListenAndServePodResources calls grpc.Server.Serve, which eventually calls tls.Conn.Handshake
      #2: pkg/proxy/healthcheck/proxier_health.go:179:24: healthcheck.proxierHealthServer.Run calls http.Server.Serve, which eventually calls tls.Conn.HandshakeContext
      #3: test/e2e/framework/network/utils.go:1026:25: network.PokeHTTP calls io.ReadAll, which calls tls.Conn.Read
      #4: cmd/kubeadm/app/preflight/checks.go:544:13: preflight.SystemVerificationCheck.Check calls bufio.Writer.Flush, which calls tls.Conn.Write
      #5: test/utils/apiserver/testapiserver.go:73:59: apiserver.writeKubeConfigForWardleServerToKASConnection calls cert.GetServingCertificatesForURL, which eventually calls tls.Dial
      #6: test/e2e/framework/websocket/websocket_util.go:61:29: websocket.OpenWebSocketForURL calls websocket.DialConfig, which eventually calls tls.DialWithDialer
      #7: test/images/agnhost/inclusterclient/main.go:100:24: inclusterclient.debugRt.RoundTrip calls spdy.SpdyRoundTripper.RoundTrip, which eventually calls tls.Dialer.DialContext

=== Informational ===

Found 1 vulnerability in packages that you import, but there are no call
stacks leading to the use of this vulnerability. You may not need to
take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2023-1988
    Improper rendering of text nodes in golang.org/x/net/html
  More info: https://pkg.go.dev/vuln/GO-2023-1988
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.12.0
    Fixed in: golang.org/x/net@v0.13.0

Your code is affected by 1 vulnerability from the Go standard library.

Some more examples from @liggitt https://gist.github.com/liggitt/4674c7eb194738989183abf08feb333f

Open Questions:

These questions need to be discussed and a consensus reached on amongst K8s SRC, SIG Architecture, Release and Security

  1. Do we make the scan results available in the CI output of the tests, assuming the publicly available tool cannot provide any new info beyond what is available in the CI script?
  2. Do we create two separate tests, one for triaged but not yet merged fixes and one for triaged and merged fixes? (Triaged issues refer to CVE IDs which have been mentioned in GitHub issues in k/k)
  3. How often does the vulnerability database get updated?
  4. Does it have any differences in refresh cycles for vulnerabilities in Go standard libraries (e.g. crypto/tls) vs. Go packages in https://pkg.go.dev/ (e.g. golang.org/x/net v0.12.0)?
  5. Is there a definitive GOOS and GOARCH support we need to adhere to for scanning as the scanning can give different results based on the values for these env vars?

Post-script: In case there is anyone worried about the above output:

GO-2023-1987 fixed in:

GO-2023-1988 fixed in:

Previous discussions:

/sig security architecture release /committee security-response
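The PR workflow in use case 1 above (diff a base-branch govulncheck report against the HEAD report and fail when something new shows up), as an added example that is not part of this issue, of govulncheck, or of any Kubernetes CI script. It assumes the `govulncheck -json` stream shape of v1.0.0: a concatenation of pretty-printed `config`, `progress`, `osv` and `finding` objects, where a `finding.trace` frame carries `function` when the vulnerable symbol is reachable, only `package` when just the package is imported, and only `module` when just the module is required. The two embedded reports are constructed for this example and reuse the IDs from the output above; the comparison generalizes the text's "symbol and module level" to all three levels govulncheck reports.

```python
"""Diff two govulncheck -json reports and flag vulnerabilities newly reachable in HEAD."""
import json
import sys
from typing import Dict, Iterator, Set

# Reachability levels govulncheck distinguishes, least to most specific.
LEVELS = {"module": 0, "package": 1, "symbol": 2}


def iter_json_objects(stream: str) -> Iterator[dict]:
    """Yield each top-level object from a concatenated JSON stream.

    govulncheck -json writes one pretty-printed object after another rather
    than one object per line, so json.loads on the whole text fails;
    raw_decode walks the stream object by object instead.
    """
    decoder = json.JSONDecoder()
    pos, end = 0, len(stream)
    while True:
        while pos < end and stream[pos].isspace():
            pos += 1
        if pos >= end:
            return
        obj, pos = decoder.raw_decode(stream, pos)
        yield obj


def finding_level(finding: dict) -> str:
    """Most specific reachability level evidenced by a finding's trace frames."""
    level = "module"
    for frame in finding.get("trace", []):
        if frame.get("function"):
            return "symbol"
        if frame.get("package"):
            level = "package"
    return level


def parse_findings(stream: str) -> Dict[str, str]:
    """Map each OSV id in a report to the most specific level at which it was reached."""
    best: Dict[str, str] = {}
    for obj in iter_json_objects(stream):
        finding = obj.get("finding")
        if not finding:
            continue  # config / progress / osv records carry no reachability info
        osv, level = finding["osv"], finding_level(finding)
        if LEVELS[level] > LEVELS.get(best.get(osv, ""), -1):
            best[osv] = level
    return best


def newly_reachable(base: Dict[str, str], head: Dict[str, str], level: str = "symbol") -> Set[str]:
    """OSV ids reachable at `level` (or more specific) in HEAD but not already so in base."""
    want = LEVELS[level]
    return {
        osv for osv, lvl in head.items()
        if LEVELS[lvl] >= want and LEVELS.get(base.get(osv, ""), -1) < want
    }


# Constructed sample reports (assumed v1.0.0 shape, not real govulncheck output).
# Base: only a module-level hit on golang.org/x/net.
BASE_REPORT = """
{"config": {"scanner_name": "govulncheck", "scanner_version": "v1.0.0", "scan_level": "symbol"}}
{"progress": {"message": "Scanning your code..."}}
{"osv": {"id": "GO-2023-1988", "summary": "Improper rendering of text nodes in golang.org/x/net/html"}}
{"finding": {"osv": "GO-2023-1988", "fixed_version": "v0.13.0",
             "trace": [{"module": "golang.org/x/net", "version": "v0.12.0"}]}}
"""

# HEAD: the same module-level hit plus a symbol-level path into crypto/tls.
HEAD_REPORT = BASE_REPORT + """
{"osv": {"id": "GO-2023-1987", "summary": "Large RSA keys can cause high CPU usage in crypto/tls"}}
{"finding": {"osv": "GO-2023-1987", "fixed_version": "go1.21rc4",
             "trace": [
               {"module": "stdlib", "version": "go1.20.6", "package": "crypto/tls",
                "function": "Handshake", "receiver": "*Conn"},
               {"module": "k8s.io/kubernetes", "package": "k8s.io/kubernetes/pkg/kubelet/server",
                "function": "ListenAndServePodResources"}]}}
"""


if __name__ == "__main__":
    level = sys.argv[1] if len(sys.argv) > 1 else "symbol"
    new = newly_reachable(parse_findings(BASE_REPORT), parse_findings(HEAD_REPORT), level)
    for osv in sorted(new):
        print(f"new {level}-level finding in HEAD: https://pkg.go.dev/vuln/{osv}")
    sys.exit(1 if new else 0)  # non-zero diff fails the pre-merge test
```

In CI the two report strings would come from `govulncheck -json ./...` run on the base commit and on HEAD; passing `module` instead of `symbol` as the level makes the check stricter, flagging a vulnerable module that is merely required even when no call path reaches the vulnerable symbol.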

k8s-triage-robot commented 5 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

PushkarJ commented 5 months ago

/remove-lifecycle stale

k8s-triage-robot commented 2 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 1 month ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

PushkarJ commented 1 month ago

/remove-lifecycle rotten