From ef6de7b0731d3a806f884765199fd338203d1b67 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Tue, 14 May 2024 19:11:38 -0400
Subject: [PATCH 1/6] add policy
Signed-off-by: Boris 'B' Kurktchiev
---
 .../check-image-vulns-cve-2024-3094.yaml | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml
diff --git a/other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml b/other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml
new file mode 100644
index 000000000..2f511c483
--- /dev/null
+++ b/other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml
@@ -0,0 +1,46 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-image-vulns-cve-2024-3094
+ annotations:
+ policies.kyverno.io/title: Verify Image Check CVE-2024-3094
+ policies.kyverno.io/category: Software Supply Chain Security
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ CVE-CVE-2024-3094 is a critical vulnerability in the XZ library. Detecting
+ the affected package may be done in an SBOM by identifying the "liblzma & xz-utils" package
+ with one of the affected versions. This policy checks attested SBOMs in an image in CycloneDX format.
+ specified under `imageReferences` and denies it if it contains versions 5.6-5.6.1 of the
+ packages. Using this for your purposes will require customizing the `imageReferences`,
+ `subject` and `issuer` fields are based on your image signatures and attestations.
+spec:
+ validationFailureAction: audit
+ webhookTimeoutSeconds: 10
+ rules:
+ - name: cve-2024-3094
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "*"
+ attestations:
+ - type: https://cyclonedx.org/schema
+ attestors:
+ - entries:
+ - keyless:
+ subject: "mysubject"
+ issuer: "myissuer"
+ rekor:
+ url: https://rekor.sigstore.dev
+ conditions:
+ - all:
+ - key: "{{ components[?name=='liblzma'].version || 'none' }}"
+ operator: AllNotIn
+ value: ["5.6.0","5.6.1"]
+ - key: "{{ components[?name=='xz-utils'].version || 'none' }}"
+ operator: AllNotIn
+ value: ["5.6.0","5.6.1"]
From 509afdd026d482655bbd13e6db3a22572d8b8444 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Tue, 14 May 2024 19:14:26 -0400
Subject: [PATCH 2/6] update capitalization
Signed-off-by: Boris 'B' Kurktchiev
---
 .../check-image-vulns-cve-2024-3094.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
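Review bot: The two SBOM conditions match only the exact component names `liblzma` and `xz-utils` and the exact version strings `5.6.0`/`5.6.1`, so an SBOM that records the library under a distribution package name (Debian ships it as `liblzma5`, Alpine and Fedora as `xz-libs`) or with a packaged version such as `5.6.1-1` satisfies `AllNotIn` and the vulnerable image is admitted. Widening the filter, e.g. `- key: "{{ components[?starts_with(name, 'liblzma') || starts_with(name, 'xz')].version || 'none' }}"`, covers the naming variants, and testing version prefixes inside the filter (`starts_with(version, '5.6.0')` / `starts_with(version, '5.6.1')`) rather than whole-string membership catches packaged suffixes. The attestation `type: https://cyclonedx.org/schema` should also be checked against the predicateType your SBOM attestations actually carry; cosign's CycloneDX attestations and the Kyverno docs examples use `https://cyclonedx.org/bom`, and a type that never matches means no attestation is found rather than the SBOM being inspected. The description reads `CVE-CVE-2024-3094`, has a stray period after `CycloneDX format`, and `severity: medium` disagrees with the text calling the CVE critical.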
diff --git a/other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml b/other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml
index 2f511c483..f5c658109 100644
--- a/other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml
+++ b/other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml
@@ -15,7 +15,7 @@ metadata:
 packages. Using this for your purposes will require customizing the `imageReferences`,
 `subject` and `issuer` fields are based on your image signatures and attestations.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 webhookTimeoutSeconds: 10
 rules:
 - name: cve-2024-3094
From dc435562a4b74e2c0a3652c0d2e46b0ecb83a96a Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Mon, 29 Jul 2024 12:33:38 -0400
Subject: [PATCH 3/6] add artifact hub
Signed-off-by: Boris 'B' Kurktchiev
---
 .../artifacthub-pkg.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 other/check-image-vulns-cve-2024-3094/artifacthub-pkg.yml
diff --git a/other/check-image-vulns-cve-2024-3094/artifacthub-pkg.yml b/other/check-image-vulns-cve-2024-3094/artifacthub-pkg.yml
new file mode 100644
index 000000000..485fda75c
--- /dev/null
+++ b/other/check-image-vulns-cve-2024-3094/artifacthub-pkg.yml
@@ -0,0 +1,19 @@
+name: check-image-vulns-cve-2024-3094
+version: 1.0.0
+displayName: Verify Image Check CVE-2024-3094
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+ CVE-CVE-2024-3094 is a critical vulnerability in the XZ library. This policy checks attested SBOMs in an image in CycloneDX format and denies it if it contains versions 5.6-5.6.1 of the "liblzma & xz-utils" packages.
+install: |-
+ \```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/software-supply-chain-security/check-image-vulns-cve-2024-3094.yaml
+ \```
+keywords:
+ - kyverno
+ - Security
+ - Software Supply Chain Security
+readme: |
+ CVE-CVE-2024-3094 is a critical vulnerability in the XZ library. Detecting the affected package may be done in an SBOM by identifying the "liblzma & xz-utils" package with one of the affected versions. This policy checks attested SBOMs in an image in CycloneDX format, specified under `imageReferences`, and denies it if it contains versions 5.6-5.6.1 of the packages. Using this for your purposes will require customizing the `imageReferences`, `subject`, and `issuer` fields based on your image signatures and attestations.
+annotations:
+ kyverno/category: "Software Supply Chain Security"
+ kyverno/subject: "Pod"
From 440798c340849de618b9600a887afe9fd5f6444e Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Mon, 29 Jul 2024 17:08:59 -0400
Subject: [PATCH 4/6] add annotations
Signed-off-by: Boris 'B' Kurktchiev
---
 .../check-image-vulns-cve-2024-3094.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml b/other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml
index f5c658109..de3eecaa7 100644
--- a/other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml
+++ b/other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml
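Review bot: The `install` snippet points at `software-supply-chain-security/check-image-vulns-cve-2024-3094.yaml`, but this series creates the policy at `other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml`, so the documented `kubectl apply -f` URL does not resolve to the file; the raw URL path should be `other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml`. `createdAt: "2023-04-10T20:30:03.000Z"` predates both the CVE in the title and the commit date of this series, which suggests it was carried over from another package and should be set to this policy's actual creation date. `CVE-CVE-2024-3094` in `description` and `readme` duplicates the prefix.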
@@ -7,6 +7,8 @@ metadata:
 policies.kyverno.io/category: Software Supply Chain Security
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.11
+ kyverno.io/kubernetes-version: 1.27
 policies.kyverno.io/description: >-
 CVE-CVE-2024-3094 is a critical vulnerability in the XZ library. Detecting
 the affected package may be done in an SBOM by identifying the "liblzma & xz-utils" package
From 49438f5637576d323cf724ca20c17922399445f6 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Wed, 31 Jul 2024 10:26:45 -0400
Subject: [PATCH 5/6] update annotation
Signed-off-by: Boris 'B' Kurktchiev
---
 .../check-image-vulns-cve-2024-3094.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml b/other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml
index de3eecaa7..c412fc0f4 100644
--- a/other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml
+++ b/other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml
@@ -16,6 +16,8 @@ metadata:
 specified under `imageReferences` and denies it if it contains versions 5.6-5.6.1 of the
 packages. Using this for your purposes will require customizing the `imageReferences`,
 `subject` and `issuer` fields are based on your image signatures and attestations.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
 spec:
 validationFailureAction: Audit
 webhookTimeoutSeconds: 10
From 0a815a587ee4ab589e5e2df6aff17b796beee5e4 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Wed, 31 Jul 2024 13:48:18 -0400
Subject: [PATCH 6/6] add digest
Signed-off-by: Boris 'B' Kurktchiev
---
 other/check-image-vulns-cve-2024-3094/artifacthub-pkg.yml | 1 +
 1 file changed, 1 insertion(+)
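Review bot: The two annotation values added in the first hunk are unquoted, so `kyverno.io/kyverno-version: 1.11` and `kyverno.io/kubernetes-version: 1.27` parse as floats, and the object is rejected on apply because `metadata.annotations` values must be strings. Quote them as `kyverno.io/kyverno-version: "1.11"` and `kyverno.io/kubernetes-version: "1.27"`, which also keeps a future `1.10` from collapsing to `1.1`. The other annotations in this hunk are plain words and are unaffected.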
diff --git a/other/check-image-vulns-cve-2024-3094/artifacthub-pkg.yml b/other/check-image-vulns-cve-2024-3094/artifacthub-pkg.yml
index 485fda75c..9f167d924 100644
--- a/other/check-image-vulns-cve-2024-3094/artifacthub-pkg.yml
+++ b/other/check-image-vulns-cve-2024-3094/artifacthub-pkg.yml
@@ -17,3 +17,4 @@ readme: |
 annotations:
 kyverno/category: "Software Supply Chain Security"
 kyverno/subject: "Pod"
+digest: ce080b7e7ab9a00b56c16bca8c4833c8042e0863140d1ee3d27eab576ab35035