kyverno · kurktchiev · May 14, 2024 · May 14, 2024 · Jun 11, 2024 · Jul 23, 2024
diff --git a/other/check-image-vulns-cve-2024-3094/artifacthub-pkg.yml b/other/check-image-vulns-cve-2024-3094/artifacthub-pkg.yml
@@ -0,0 +1,19 @@
+name: check-image-vulns-cve-2024-3094
+version: 1.0.0
+displayName: Verify Image Check CVE-2024-3094
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+  CVE-CVE-2024-3094 is a critical vulnerability in the XZ library. This policy checks attested SBOMs in an image in CycloneDX format and denies it if it contains versions 5.6-5.6.1 of the "liblzma & xz-utils" packages.
+install: |-
+  \```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/software-supply-chain-security/check-image-vulns-cve-2024-3094.yaml
+  \```
+keywords:
+  - kyverno
+  - Security
+  - Software Supply Chain Security
+readme: |
+  CVE-CVE-2024-3094 is a critical vulnerability in the XZ library. Detecting the affected package may be done in an SBOM by identifying the "liblzma & xz-utils" package with one of the affected versions. This policy checks attested SBOMs in an image in CycloneDX format, specified under `imageReferences`, and denies it if it contains versions 5.6-5.6.1 of the packages. Using this for your purposes will require customizing the `imageReferences`, `subject`, and `issuer` fields based on your image signatures and attestations.
+annotations:
+  kyverno/category: "Software Supply Chain Security"
+  kyverno/subject: "Pod"
diff --git a/other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml b/other/check-image-vulns-cve-2024-3094/check-image-vulns-cve-2024-3094.yaml
@@ -0,0 +1,48 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-image-vulns-cve-2024-3094
+  annotations:
+    policies.kyverno.io/title: Verify Image Check CVE-2024-3094
+    policies.kyverno.io/category: Software Supply Chain Security
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    kyverno.io/kyverno-version: 1.11
+    kyverno.io/kubernetes-version: 1.27
+    policies.kyverno.io/description: >-
+      CVE-CVE-2024-3094 is a critical vulnerability in the XZ library. Detecting
+      the affected package may be done in an SBOM by identifying the "liblzma & xz-utils" package
+      with one of the affected versions. This policy checks attested SBOMs in an image in CycloneDX format.
+      specified under `imageReferences` and denies it if it contains versions 5.6-5.6.1 of the
+      packages. Using this for your purposes will require customizing the `imageReferences`,
+      `subject` and `issuer` fields are based on your image signatures and attestations.
+spec:
+  validationFailureAction: Audit
+  webhookTimeoutSeconds: 10
+  rules:
+    - name: cve-2024-3094
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      verifyImages:
+      - imageReferences:
+        - "*"
+        attestations:
+        - type: https://cyclonedx.org/schema
+          attestors:
+          - entries:
+            - keyless:
+                subject: "mysubject"
+                issuer: "myissuer"
+                rekor:
+                  url: https://rekor.sigstore.dev
+          conditions:
+          - all:
+            - key: "{{ components[?name=='liblzma'].version || 'none' }}"
+              operator: AllNotIn
+              value: ["5.6.0","5.6.1"]
+            - key: "{{ components[?name=='xz-utils'].version || 'none' }}"
+              operator: AllNotIn
+              value: ["5.6.0","5.6.1"]