diff --git a/other/check-image-vulns-cve-2024-3094/artifacthub-pkg.yml b/other/check-image-vulns-cve-2024-3094/artifacthub-pkg.yml
new file mode 100644
index 000000000..9f167d924
--- /dev/null
+++ b/other/check-image-vulns-cve-2024-3094/artifacthub-pkg.yml
@@ -0,0 +1,20 @@
+name: check-image-vulns-cve-2024-3094
+version: 1.0.0
+displayName: Verify Image Check CVE-2024-3094
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+ CVE-CVE-2024-3094 is a critical vulnerability in the XZ library. This policy checks attested SBOMs in an image in CycloneDX format and denies it if it contains versions 5.6-5.6.1 of the "liblzma & xz-utils" packages.
+install: |-
+ \```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/software-supply-chain-security/check-image-vulns-cve-2024-3094.yaml
+ \```
+keywords:
+ - kyverno
+ - Security
+ - Software Supply Chain Security
+readme: |
+ CVE-CVE-2024-3094 is a critical vulnerability in the XZ library. Detecting the affected package may be done in an SBOM by identifying the "liblzma & xz-utils" package with one of the affected versions. This policy checks attested SBOMs in an image in CycloneDX format, specified under `imageReferences`, and denies it if it contains versions 5.6-5.6.1 of the packages. Using this for your purposes will require customizing the `imageReferences`, `subject`, and `issuer` fields based on your image signatures and attestations.
+annotations:
+ kyverno/category: "Software Supply Chain Security"
+ kyverno/subject: "Pod"
+digest: ce080b7e7ab9a00b56c16bca8c4833c8042e0863140d1ee3d27eab576ab35035
diff --git a/other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml b/other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml
new file mode 100644
index 000000000..c412fc0f4
--- /dev/null
+++ b/other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml
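Review bot: The `install` snippet points at `main/software-supply-chain-security/check-image-vulns-cve-2024-3094.yaml`, but this commit adds the policy under `other/check-image-vulns-cve-2024-3094/`, so the documented `kubectl apply` URL does not resolve to the file being added; it should read `kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml`. Both `description` and `readme` spell the identifier as `CVE-CVE-2024-3094`, while `displayName` uses `CVE-2024-3094`; the doubled prefix also appears in the policy's own description in the next file. The `createdAt` value of 2023-04-10 predates a 2024 CVE identifier, which suggests the metadata was copied from another package and not updated; worth confirming before publishing.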
@@ -0,0 +1,50 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-image-vulns-cve-2024-3094
+ annotations:
+ policies.kyverno.io/title: Verify Image Check CVE-2024-3094
+ policies.kyverno.io/category: Software Supply Chain Security
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.11
+ kyverno.io/kubernetes-version: 1.27
+ policies.kyverno.io/description: >-
+ CVE-CVE-2024-3094 is a critical vulnerability in the XZ library. Detecting
+ the affected package may be done in an SBOM by identifying the "liblzma & xz-utils" package
+ with one of the affected versions. This policy checks attested SBOMs in an image in CycloneDX format.
+ specified under `imageReferences` and denies it if it contains versions 5.6-5.6.1 of the
+ packages. Using this for your purposes will require customizing the `imageReferences`,
+ `subject` and `issuer` fields are based on your image signatures and attestations.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+spec:
+ validationFailureAction: Audit
+ webhookTimeoutSeconds: 10
+ rules:
+ - name: cve-2024-3094
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "*"
+ attestations:
+ - type: https://cyclonedx.org/schema
+ attestors:
+ - entries:
+ - keyless:
+ subject: "mysubject"
+ issuer: "myissuer"
+ rekor:
+ url: https://rekor.sigstore.dev
+ conditions:
+ - all:
+ - key: "{{ components[?name=='liblzma'].version || 'none' }}"
+ operator: AllNotIn
+ value: ["5.6.0","5.6.1"]
+ - key: "{{ components[?name=='xz-utils'].version || 'none' }}"
+ operator: AllNotIn
+ value: ["5.6.0","5.6.1"]
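Review bot: `kyverno.io/kyverno-version: 1.11` and `kyverno.io/kubernetes-version: 1.27` are plain scalars that a YAML parser reads as floats, and Kubernetes annotation values must be strings, so the API server is likely to reject this object on apply; quote them as `kyverno.io/kyverno-version: "1.11"` and `kyverno.io/kubernetes-version: "1.27"`. The two conditions match component names exactly (`liblzma`, `xz-utils`) and versions exactly (`5.6.0`, `5.6.1`), but SBOM generators commonly record the distro package name (e.g. `liblzma5` on Debian-based images, `xz-libs` on Alpine/RHEL-based ones) and a distro-suffixed version (e.g. a constructed `5.6.1-1`), so an affected image can pass this check; a `contains(name, 'lzma')`-style filter plus a version match that tolerates a revision suffix would narrow that gap, and the `|| 'none'` fallback means an SBOM with no matching component passes silently, which should be stated in the description as a deliberate choice. `validationFailureAction: Audit` only records a policy report entry, while the description says the policy "denies" the image; either set `validationFailureAction: Enforce` or reword the description to say it audits. The description text also contains `CycloneDX format. specified under` and `fields are based on`, which read as typos for `CycloneDX format, specified under` and `fields based on`.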