feat: add pkgPath to vulnerability report (#1285)
* feat: add pkg path

Signed-off-by: chenk <hen.keinan@gmail.com>

* feat: add pkg path

Signed-off-by: chenk <hen.keinan@gmail.com>

* feat: add pkg path

Signed-off-by: chenk <hen.keinan@gmail.com>

* feat: add pkg path

Signed-off-by: chenk <hen.keinan@gmail.com>

* feat: add pkg path

Signed-off-by: chenk <hen.keinan@gmail.com>

---------

Signed-off-by: chenk <hen.keinan@gmail.com>
chen-keinan authored Jun 15, 2023
1 parent 8d935af commit 1b69d4a
Showing 12 changed files with 82 additions and 67 deletions.
2 changes: 1 addition & 1 deletion deploy/helm/README.md
Expand Up @@ -81,7 +81,7 @@ Keeps security report resources updated
| targetNamespaces | string | `""` | targetNamespace defines where you want trivy-operator to operate. By default, it's a blank string to select all namespaces, but you can specify another namespace, or a comma separated list of namespaces. |
| targetWorkloads | string | `"pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"` | targetWorkloads is a comma seperated list of Kubernetes workload resources to be included in the vulnerability and config-audit scans if left blank, all workload resources will be scanned |
| tolerations | list | `[]` | tolerations set the operator tolerations |
| trivy.additionalVulnerabilityReportFields | string | `""` | additionalVulnerabilityReportFields is a comma separated list of additional fields which can be added to the VulnerabilityReport. Supported parameters: Description, Links, CVSS, Target, Class and PackageType |
| trivy.additionalVulnerabilityReportFields | string | `""` | additionalVulnerabilityReportFields is a comma separated list of additional fields which can be added to the VulnerabilityReport. Supported parameters: Description, Links, CVSS, Target, Class, PackagePath and PackageType |
| trivy.command | string | `"image"` | command. One of `image`, `filesystem` or `rootfs` scanning, depending on the target type required for the scan. For 'filesystem' and `rootfs` scanning, ensure that the `trivyOperator.scanJobPodTemplateContainerSecurityContext` is configured to run as the root user (runAsUser = 0). |
| trivy.createConfig | bool | `true` | createConfig indicates whether to create config objects |
| trivy.dbRegistry | string | `"ghcr.io"` | serverCustomHeaders: "foo=bar" |
Expand Up @@ -207,6 +207,8 @@ spec:
items:
type: string
type: array
packagePath:
type: string
packageType:
type: string
primaryLink:
2 changes: 1 addition & 1 deletion deploy/helm/values.yaml
Expand Up @@ -245,7 +245,7 @@ trivy:
priorityClassName: ""

# -- additionalVulnerabilityReportFields is a comma separated list of additional fields which
# can be added to the VulnerabilityReport. Supported parameters: Description, Links, CVSS, Target, Class and PackageType
# can be added to the VulnerabilityReport. Supported parameters: Description, Links, CVSS, Target, Class, PackagePath and PackageType
additionalVulnerabilityReportFields: ""

# -- httpProxy is the HTTP proxy used by Trivy to download the vulnerabilities database from GitHub.
2 changes: 2 additions & 0 deletions deploy/static/trivy-operator.yaml
Expand Up @@ -1707,6 +1707,8 @@ spec:
items:
type: string
type: array
packagePath:
type: string
packageType:
type: string
primaryLink:
2 changes: 1 addition & 1 deletion docs/docs/vulnerability-scanning/trivy.md
Expand Up @@ -81,7 +81,7 @@ EOF
| `trivy.javaDbRepository` | `ghcr.io/aquasecurity/trivy-java-db` | External OCI Registry to download the vulnerability database for Java |
| `trivy.dbRepositoryInsecure` | `false` | The Flag to enable insecure connection for downloading trivy-db via proxy (air-gaped env) |
| `trivy.mode` | `Standalone` | Trivy client mode. Either `Standalone` or `ClientServer`. Depending on the active mode other settings might be applicable or required. |
| `additionalVulnerabilityReportFields` | N/A | A comma separated list of additional fields which can be added to the VulnerabilityReport. Possible values: `Description,Links,CVSS,Target,Class,PackageType`. Description will add more data about vulnerability. Links - all the references to a specific vulnerability. CVSS - data about CVSSv2/CVSSv3 scoring and vectors. Target - vulnerable element. Class - OS or library vulnerability |
| `additionalVulnerabilityReportFields` | N/A | A comma separated list of additional fields which can be added to the VulnerabilityReport. Possible values: `Description,Links,CVSS,Target,Class,PackagePath,PackageType`. Description will add more data about vulnerability. Links - all the references to a specific vulnerability. CVSS - data about CVSSv2/CVSSv3 scoring and vectors. Target - vulnerable element. Class - OS or library vulnerability |
| `trivy.command` | `image` | command. One of `image`, `filesystem` or `rootfs` scanning. Depending on the target type required for the scan. |
| `trivy.slow` | `true` | this flag is to use less CPU/memory for scanning though it takes more time than normal scanning. It fits small-footprint |
| `trivy.severity` | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | A comma separated list of severity levels reported by Trivy |
2 changes: 1 addition & 1 deletion docs/tutorials/integrations/metrics.md
Expand Up @@ -79,7 +79,7 @@ Exposing vulnerability ID on metrics by setting the EnvVar: `OPERATOR_METRICS_VU

```shell
trivy_vulnerability_id{
class="os-pkgs",container_name="nginx",fixed_version="",image_digest="",image_registry="index.docker.io",image_repository="library/nginx",image_tag="1.16.1",installed_version="5.3.28+dfsg1-0.5",name="replicaset-nginx-deployment-559d658b74-nginx",namespace="default",package_type="debian",resource="libdb5.3",resource_kind="ReplicaSet",resource_name="nginx-deployment-559d658b74",severity="Critical",vuln_id="CVE-2019-8457",vuln_score="7.5",vuln_title="sqlite: heap out-of-bound read in function rtreenode()"
class="os-pkgs",container_name="nginx",fixed_version="",image_digest="",image_registry="index.docker.io",image_repository="library/nginx",image_tag="1.16.1",installed_version="5.3.28+dfsg1-0.5",name="replicaset-nginx-deployment-559d658b74-nginx",namespace="default",package_type="debian",pkg_path="/app/local"resource="libdb5.3",resource_kind="ReplicaSet",resource_name="nginx-deployment-559d658b74",severity="Critical",vuln_id="CVE-2019-8457",vuln_score="7.5",vuln_title="sqlite: heap out-of-bound read in function rtreenode()"
} 1
```

1 change: 1 addition & 0 deletions pkg/apis/aquasecurity/v1alpha1/vulnerability_types.go
Expand Up @@ -91,6 +91,7 @@ type Vulnerability struct {
// +optional
Class string `json:"class,omitempty"`
PackageType string `json:"packageType,omitempty"`
PkgPath string `json:"packagePath,omitempty"`
}

// +kubebuilder:object:root=true
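Review bot: The new field `PkgPath string` with JSON key `packagePath` names the Go field differently from its serialized key and from the neighbouring `PackageType`/`packageType` pair; since the field is introduced by this commit, renaming it now to `PackagePath string` (keeping the `packagePath,omitempty` tag) avoids shipping the mismatch in the public API type. It also carries neither the `// +optional` marker that `Class` has two lines above nor a doc comment, so the generated CRD and API docs will not say when the value is present; a comment along the lines of `// PackagePath is the path of the affected package inside the scanned artifact; presumably only set when PackagePath is requested via additionalVulnerabilityReportFields — confirm against the report builder.` would cover that (the population logic is not in this diff, hence the hedge). The enclosing `Vulnerability` struct begins outside the hunk.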
15 changes: 9 additions & 6 deletions pkg/metrics/collector.go
Expand Up @@ -32,6 +32,7 @@ const (
fixed_version = "fixed_version"
resource = "resource"
package_type = "package_type"
pkg_path = "pkg_path"
class = "class"
severity = "severity"
vuln_id = "vuln_id"
Expand Down Expand Up @@ -229,6 +230,7 @@ func buildMetricDescriptors(config trivyoperator.ConfigData) metricDescriptors {
resource,
severity,
package_type,
pkg_path,
class,
vuln_id,
vuln_title,
Expand Down Expand Up @@ -464,7 +466,7 @@ func (c ResourcesMetricsCollector) collectVulnerabilityIdReports(ctx context.Con
vulnLabelValues[7] = r.Report.Artifact.Tag
vulnLabelValues[8] = r.Report.Artifact.Digest
for i, label := range c.GetReportResourceLabels() {
vulnLabelValues[i+18] = r.Labels[label]
vulnLabelValues[i+19] = r.Labels[label]
}
var vulnList = make(map[string]bool)
for _, vuln := range r.Report.Vulnerabilities {
Expand All @@ -477,12 +479,13 @@ func (c ResourcesMetricsCollector) collectVulnerabilityIdReports(ctx context.Con
vulnLabelValues[11] = vuln.Resource
vulnLabelValues[12] = NewSeverityLabel(vuln.Severity).Label
vulnLabelValues[13] = vuln.PackageType
vulnLabelValues[14] = vuln.Class
vulnLabelValues[15] = vuln.VulnerabilityID
vulnLabelValues[16] = vuln.Title
vulnLabelValues[17] = ""
vulnLabelValues[14] = vuln.PkgPath
vulnLabelValues[15] = vuln.Class
vulnLabelValues[16] = vuln.VulnerabilityID
vulnLabelValues[17] = vuln.Title
vulnLabelValues[18] = ""
if vuln.Score != nil {
vulnLabelValues[17] = strconv.FormatFloat(*vuln.Score, 'f', -1, 64)
vulnLabelValues[18] = strconv.FormatFloat(*vuln.Score, 'f', -1, 64)
}
metrics <- prometheus.MustNewConstMetric(c.vulnIdDesc, prometheus.GaugeValue, float64(1), vulnLabelValues...)
}
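Review bot: The offset bump from `vulnLabelValues[i+18]` to `vulnLabelValues[i+19]` and the renumbering of indices 14–18 are hand-maintained magic numbers that must stay in lock-step with the label order in `buildMetricDescriptors`; if they ever drift, Prometheus still accepts the metric because the label count matches, but every label after the slip silently carries its neighbour's value, which corrupts the vulnerability data these metrics exist to surface. Prefer declaring the fixed label list once as a slice and using `len(...)` of it as the resource-label offset, or at minimum a named constant such as `const vulnIdFixedLabelCount = 19 // keep in sync with buildMetricDescriptors` next to the descriptor. Separately, `pkg_path` breaks the `package_type` naming style of the sibling label (`package_path` would be consistent), and adding a per-path label to `trivy_vulnerability_id` multiplies series cardinality per vulnerability, which deserves a sentence in the metrics doc; I assume from the Helm docs that the value is empty unless PackagePath is listed in additionalVulnerabilityReportFields, but that is not visible here. `collectVulnerabilityIdReports` starts and ends outside the hunk, so the allocation of `vulnLabelValues`, which must also grow by one, cannot be checked from this view.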
