No results in sarif file
#1434
Comments
|
Thank you @musabmirza-amperon for reporting. It looks like the issue occurs when scanning a specific file. |
|
I am new to That workaround is okay, however there is a larger issue which I tried to simplify in this report. The issue is that the Here is how to reproduce it by scanning mkdir argocd-rendered
kustomize build https://github.com/argoproj/argo-cd//manifests/cluster-install > argocd-rendered/out.yamlkubescape
kubescape scan argocd-rendered -f sarif
# Result:
Initialized scanner
✅ Loaded policies
✅ Loaded exceptions
✅ Loaded account configurations
✅ Done accessing local objects
Control: C-0046 100% |███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| (48/48, 142 it/s)
✅ Done scanning Directory
✅ Done aggregating results
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Controls: 48 (Failed: 17, Passed: 29, Action Required: 2)
Failed Resources by Severity: Critical — 0, High — 23, Medium — 22, Low — 18
┌──────────┬────────────────────────────────────┬──────────────────┬───────────────┬────────────────────┐
│ SEVERITY │ CONTROL NAME │ FAILED RESOURCES │ ALL RESOURCES │ % COMPLIANCE-SCORE │
├──────────┼────────────────────────────────────┼──────────────────┼───────────────┼────────────────────┤
│ High │ Forbidden Container Registries │ 0 │ 7 │ Action Required * │
│ High │ Resources memory limit and request │ 7 │ 7 │ 0% │
│ High │ Resource limits │ 7 │ 7 │ 0% │
│ High │ List Kubernetes secrets │ 2 │ 7 │ 71% │
│ High │ Resources CPU limit and request │ 7 │ 7 │ 0% │
│ Medium │ Exec into container │ 1 │ 7 │ 86% │
│ Medium │ Data Destruction │ 2 │ 7 │ 71% │
│ Medium │ Ingress and Egress blocked │ 6 │ 14 │ 57% │
│ Medium │ Delete Kubernetes events │ 2 │ 7 │ 71% │
│ Medium │ Cluster-admin binding │ 1 │ 7 │ 86% │
│ Medium │ CoreDNS poisoning │ 2 │ 7 │ 71% │
│ Medium │ Access container service account │ 2 │ 2 │ 0% │
│ Medium │ Configured liveness probe │ 4 │ 7 │ 43% │
│ Medium │ Portforwarding privileges │ 1 │ 7 │ 86% │
│ Medium │ No impersonation │ 1 │ 7 │ 86% │
│ Medium │ Images from allowed registry │ 0 │ 7 │ Action Required * │
│ Low │ Configured readiness probe │ 4 │ 7 │ 43% │
│ Low │ Pods in default namespace │ 7 │ 7 │ 0% │
│ Low │ Label usage for resources │ 7 │ 7 │ 0% │
├──────────┼────────────────────────────────────┼──────────────────┼───────────────┼────────────────────┤
│ │ RESOURCE SUMMARY │ 9 │ 42 │ 76.49% │
└──────────┴────────────────────────────────────┴──────────────────┴───────────────┴────────────────────┘
FRAMEWORKS: AllControls (compliance: 76.60), NSA (compliance: 90.48), MITRE (compliance: 85.71)
* Control configurations are empty
✅ Scan results saved. filename: report.sarif
View results
────────────
Now, take your scan results to the next level with actionable insights on ARMO Platform.
Sign up for free here - https://cloud.armosec.io/repository-scanning/323b93f9-c300-4ffc-b079-8583a152c396
ℹ️ Run with '--verbose'/'-v' flag for detailed resources viewNow if you check the What am I missing? |
|
I'm not understanding this and I have Norton LifeLock that says it's a
possible scam so unsubscribe me please
…On Tue, Oct 17, 2023, 11:42 AM musabmirza-amperon ***@***.***> wrote:
I am new to kubescape so apologies for anything silly I might be be
pointing out.
That workaround is okay, however there is a larger issue which I tried to
simplify in this report. The issue is that the sarif report seems
incomplete and missing several reports showed in stdout.
Here is how to reproduce it by scanning argocd. I will use kustomize to
render the templates into a dir (as you mentioned) and then scan the dir.
Notice how the report on stdout and sarif differ (sarif missing stuff):
mkdir argocd-rendered
kustomize build https://github.com/argoproj/argo-cd//manifests/cluster-install > argocd-rendered/out.yamlkubescape
kubescape scan argocd-rendered -f sarif# Result:
Initialized scanner
✅ Loaded policies
✅ Loaded exceptions
✅ Loaded account configurations
✅ Done accessing local objects
Control: C-0046 100% |███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| (48/48, 142 it/s)
✅ Done scanning Directory
✅ Done aggregating results
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Controls: 48 (Failed: 17, Passed: 29, Action Required: 2)
Failed Resources by Severity: Critical — 0, High — 23, Medium — 22, Low — 18
┌──────────┬────────────────────────────────────┬──────────────────┬───────────────┬────────────────────┐
│ SEVERITY │ CONTROL NAME │ FAILED RESOURCES │ ALL RESOURCES │ % COMPLIANCE-SCORE │
├──────────┼────────────────────────────────────┼──────────────────┼───────────────┼────────────────────┤
│ High │ Forbidden Container Registries │ 0 │ 7 │ Action Required * │
│ High │ Resources memory limit and request │ 7 │ 7 │ 0% │
│ High │ Resource limits │ 7 │ 7 │ 0% │
│ High │ List Kubernetes secrets │ 2 │ 7 │ 71% │
│ High │ Resources CPU limit and request │ 7 │ 7 │ 0% │
│ Medium │ Exec into container │ 1 │ 7 │ 86% │
│ Medium │ Data Destruction │ 2 │ 7 │ 71% │
│ Medium │ Ingress and Egress blocked │ 6 │ 14 │ 57% │
│ Medium │ Delete Kubernetes events │ 2 │ 7 │ 71% │
│ Medium │ Cluster-admin binding │ 1 │ 7 │ 86% │
│ Medium │ CoreDNS poisoning │ 2 │ 7 │ 71% │
│ Medium │ Access container service account │ 2 │ 2 │ 0% │
│ Medium │ Configured liveness probe │ 4 │ 7 │ 43% │
│ Medium │ Portforwarding privileges │ 1 │ 7 │ 86% │
│ Medium │ No impersonation │ 1 │ 7 │ 86% │
│ Medium │ Images from allowed registry │ 0 │ 7 │ Action Required * │
│ Low │ Configured readiness probe │ 4 │ 7 │ 43% │
│ Low │ Pods in default namespace │ 7 │ 7 │ 0% │
│ Low │ Label usage for resources │ 7 │ 7 │ 0% │
├──────────┼────────────────────────────────────┼──────────────────┼───────────────┼────────────────────┤
│ │ RESOURCE SUMMARY │ 9 │ 42 │ 76.49% │
└──────────┴────────────────────────────────────┴──────────────────┴───────────────┴────────────────────┘
FRAMEWORKS: AllControls (compliance: 76.60), NSA (compliance: 90.48), MITRE (compliance: 85.71)
* Control configurations are empty
✅ Scan results saved. filename: report.sarif
View results
────────────
Now, take your scan results to the next level with actionable insights on ARMO Platform.
Sign up for free here - https://cloud.armosec.io/repository-scanning/323b93f9-c300-4ffc-b079-8583a152c396
ℹ️ Run with '--verbose'/'-v' flag for detailed resources view
Now if you check the sarif file, its not reporting any HIGH or MEDIUM
severities, there are just warnings and notes. For instance, C-0015 which
is reported in stdout (List kubernetes secrets) is missing in the sarif
file and many others too.
What am I missing?
—
Reply to this email directly, view it on GitHub
<#1434 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ATYNZAEOY7CQTUXMGNRRKFDX72YQFAVCNFSM6AAAAAA6C2RUHSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONRWG44TGMZTGI>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
|
Hi @musabmirza-amperon,
|
|
Have you tried to reproduce #1434 (comment) please? The issue is that |
|
yes @musabmasood. in the next version of kubescape all the severities in the |
|
Can you link the issue/ticket for the above the above statement ^ 🙏? |
|
Hi @musabmasood, |
|
What I don't understand is that the |
|
I updated to verion cc @musabmasood |
|
I'm on |
|
Resolved in release v3.0.4 |
|
This issue is marked as resolved but running still results in Am I missing something, I did make sure to run v3.0.4? |
Description
sariffile does not have the findings in it.Environment
OS:
MacOS Venture 13Version:
Your current version is: v2.9.1Steps To Reproduce
deployment.yamlfile (taken from here) :kubescape scan deployment.yaml --verbose -f sarif. This would output something like this:vulnerabilitieshighlighted therecat report.sarifwhich results in this:{ "version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json", "runs": [ { "tool": { "driver": { "informationUri": "https://armosec.io", "name": "kubescape", "rules": [] } }, "results": [] } ] }Expected behavior
All the vulns reported in
stdoutwould also be present in thereport.sariffile.Actual Behavior
report.sarifhas an emptyresults[]array.Additional context
I tested it out with other production manifests (e.g.
kustomizeforargocdetc) and the results contained only couple of vulns (that too with a warning or note) but nothing more.The text was updated successfully, but these errors were encountered: